AI-Enhanced Intrusion Detection for UAV Systems: A Taxonomy and Comparative Review

Abstract

The diverse usage of Unmanned Aerial Vehicles (UAVs) across commercial, military, and civil domains has significantly heightened the need for robust cybersecurity mechanisms. Given their reliance on wireless communications, real-time control systems, and sensor integration, UAVs are highly susceptible to cyber intrusions that can disrupt missions, compromise data integrity, or cause physical harm. This paper presents a comprehensive literature review of Intrusion Detection Systems (IDSs) that leverage artificial intelligence (AI) to enhance the security of UAV and UAV swarm environments. Through rigorous analysis of recent peer-reviewed publications, we have examined the studies in terms of AI model algorithm, dataset origin, deployment mode: centralized, distributed or federated. The classification also includes the detection strategy: online versus offline. Results show a dominant preference for centralized, supervised learning using standard datasets such as CICIDS2017, NSL-KDD, and KDDCup99, limiting applicability to real UAV operations. Deep learning (DL) methods, particularly Convolutional Neural Networks (CNNs), Long Short-term Memory (LSTM), and Autoencoders (AEs), demonstrate strong detection accuracy, but often under ideal conditions, lacking resilience to zero-day attacks and real-time constraints. Notably, emerging trends point to lightweight IDS models and federated learning frameworks for scalable, privacy-preserving solutions in UAV swarms. This review underscores key research gaps, including the scarcity of real UAV datasets, the absence of standardized benchmarks, and minimal exploration of lightweight detection schemes, offering a foundation for advancing secure UAV systems.

1. Introduction

Intrusion attacks targeting Unmanned Aerial Vehicles (UAVs) are becoming a critical concern. These systems are increasingly utilized in sensitive environments, including military operations, urban infrastructure, delivery logistics, and disaster response. UAVs rely heavily on wireless communication protocols, onboard sensors, and automated control loops. Unfortunately, these components also create multiple attack surfaces for adversaries.

Malicious actors can exploit these vulnerabilities to launch attacks like GPS spoofing, command injection, data-link jamming, or denial-of-service (DoS). These intrusions can lead to disrupted missions, privacy breaches, or even physical harm. The risks are especially severe when UAVs operate autonomously or work alongside ground or cloud-based control systems.

To combat these threats, many researchers have turned their attention to developing intrusion detection Systems (IDS) specifically designed for UAV environments. These systems are built to detect abnormal behaviors, recognize both known and unknown attack patterns, and respond accordingly. Artificial Intelligence (AI), Machine Learning (ML), and Deep Learning (DL) techniques such as decision trees, support vector machines (SVM), recurrent neural networks (RNN), convolutional neural networks (CNN), and autoencoders—have become central tools in UAV IDS development [1,2,3,4,5]. These techniques promise the ability to recognize complex threats and adapt to new types of attacks as they emerge.

However, despite growing research interest, the current state of UAV IDS is fragmented and inconsistent, particularly in terms of methodology and evaluation. One major problem is that most studies propose IDS models, report results on selected datasets, and present accuracy metrics often in isolation. Comparing these results across studies is extremely difficult. This is due to key differences in model architectures, hyperparameter settings, computing environments, and the preprocessing of datasets and the engineering of features.

As a result, it becomes hard to conclude whether one system actually outperforms another, or whether reported metrics truly reflect UAV-specific scenarios. Our analysis also found that many studies claim their IDS models are UAV-focused, yet they rely on outdated or generic datasets. These datasets often lack flight telemetry, UAV-relevant attack types, or realistic mission conditions.

The primary aim of this study is to critically evaluate how intrusion detection systems (IDS) designed for unmanned aerial vehicle (UAV) environments employ artificial intelligence (AI) models, and to determine whether their model performance is influenced by limitations in dataset selection, evaluation methodology, and deployment assumptions. Toward this goal, we pursue the following specific questions:

• RQ1: Are the results of recent UAV-related IDS studies potentially biased due to outdated or non-UAV-specific datasets and inconsistencies in the evaluation methodology?
• RQ2: What are the primary security threats faced by UAV systems, and what strategies have been proposed to mitigate them in various deployment contexts?
• RQ3: What types of intrusion detection techniques are most suitable for UAV deployment, considering limitations in computational resources, communication bandwidth, and energy consumption? How do centralized, distributed, and hybrid approaches compare in this regard?

These research questions lead to the formulation of the following research objectives:

• Identify prevailing trends, methodologies, and gaps in UAV-specific IDS research, with a focus on AI-driven approaches.
• Assess the suitability of various machine learning models in light of UAV operational constraints, such as limited compute resources and latency requirements.
• Evaluate the relevance and limitations of existing datasets, especially those that are outdated, synthetic, or not practical to UAV scenarios.
• Investigate the inconsistencies in IDS evaluation practices across studies, including variations in experimental design, preprocessing, and feature selection.
• Guide future research by highlighting promising directions in lightweight model design, data fusion techniques, and deployment strategies tailored to UAV networks.

This paper provides a detailed analysis of over 70 recent studies to help answer these questions (RQ1–RQ3). It builds a strong foundation for understanding the current landscape of AI-driven IDS in UAV environments and supports the creation of more robust, scalable, and practical detection systems. This work contributes to the field in several key ways.

• First, we present a taxonomy and comparative review of UAV intrusion detection research. To our knowledge, this is one of the most comprehensive and up-to-date reviews in this fast-moving area. Our taxonomy organizes existing IDS approaches based on data type, learning paradigm, and deployment strategy. This makes the landscape clearer and helps identify important trends, such as the dominance of supervised learning and the rise of federated methods.
• Second, we conducted experimental evaluations to highlight generalization issues that were previously assumed but rarely measured. By replicating multiple IDS models and testing them across different datasets, we showed how their performance can change when evaluated under new conditions. These findings serve as an important warning: reported high accuracy may not generalize across various deployment scenarios. We argue that cross-dataset validation should become a standard practice.
• Third, drawing on insights from both the literature review and our experiments, we propose several future research directions. These include improving dataset quality, building more efficient models, exploring collaborative learning, and enhancing robustness.

Together, these contributions deepen our understanding of UAV IDS and offer a roadmap for building systems that are more reliable in real-world conditions. The rest of the paper is organized as follows. Section 2 details the methodology used to address RQ1–RQ3. Section 3 provides a detailed overview of different UAV attack types with an accompanying taxonomy. It also lists publicly available benchmark datasets–both UAV-specific and general-purpose, followed by a review of commonly adopted intrusion detection systems and a comprehensive literature survey of recent AI techniques applied to UAV IDS. This section also summarizes their performance metrics, deployment strategies, and detection methods. Section 4 presents the results analysis, including a comparison of recent IDS models proposed in the literature and the outcomes of our model reproduction experiments. Section 5 discusses the trends and implications of the findings. Section 6 outlines potential avenues for future research and provides recommendations. Finally, Section 7 provides the concluding remarks.

2. Research Methodology

This section details our search strategy, selection criteria, data extraction schema, and analysis plan designed to answer RQ1–RQ3 defined in Section 1. This article presents a comprehensive comparative review of AI/ML-based intrusion detection for UAVs. We use PRISMA 2020 [6] solely as a reporting guide for transparency in identification, screening, eligibility, and inclusion; no review protocol was preregistered. The search covered English-language publications from 1 January 2020 to 31 May 2025. This framing keeps the focus on our core contributions– the detailed taxonomy, dataset critique, and experimental replication rather than the procedural requirements of a formal SLR. The process, as illustrated in Figure 1, consisted of the following key phases:

• Study Identification: We searched six major digital libraries—IEEE Xplore, ACM Digital Library, Elsevier ScienceDirect, MDPI, Scopus, and SpringerLink—for English-language publications from 1 January 2020 to 31 May 2025. Queries were frozen prior to screening, and results were de-duplicated by DOI/title. To minimize omission risk, we also cross-checked hits via Google Scholar for missing peer-reviewed counterparts. Database-specific query strings were:
  • IEEE Xplore (All Metadata): (“UAV” OR “drone” OR “unmanned aerial vehicle” OR “internet of drones”) AND (intrusion OR anomaly) AND (“machine learning” OR “deep learning” OR AI OR “artificial intelligence”) AND (“intrusion detection” OR IDS OR cybersecurity) AND (dataset OR “data set” OR benchmark)
  • ACM Digital Library (Anywhere): (“UAV” OR drone OR “unmanned aerial vehicle” OR “internet of drones”) AND (intrusion OR anomaly) AND (“machine learning” OR “deep learning” OR AI OR “artificial intelligence”) AND (“intrusion detection” OR IDS OR cybersecurity) AND (dataset OR “data set” OR benchmark)
  • Scopus (TITLE-ABS-KEY): TITLE-ABS-KEY(“UAV” OR drone OR “unmanned aerial vehicle” OR “internet of drones”) AND TITLE-ABS-KEY(intrusion OR anomaly) AND TITLE-ABS-KEY(“machine learning” OR “deep learning” OR AI OR “artificial intelligence”) AND TITLE-ABS-KEY(“intrusion detection” OR IDS OR cybersecurity) AND TITLE-ABS-KEY(dataset OR “data set” OR benchmark) AND PUBYEAR > 2019 AND LANGUAGE(English) AND DOCTYPE(ar OR cp)
  • ScienceDirect (All fields; simplified due to Boolean limits): (“UAV” OR drone) AND (intrusion OR anomaly) AND (“machine learning” OR “deep learning” OR AI) AND (“intrusion detection” OR IDS) AND (dataset OR benchmark)
  • SpringerLink (Full text): (“UAV” OR “unmanned aerial vehicle” OR drone OR “internet of drones”) AND (“intrusion detection” OR IDS OR intrusion OR anomaly) AND (“machine learning” OR “deep learning” OR AI OR “artificial intelligence”) AND (dataset OR “data set” OR benchmark)
  • MDPI (All fields): (“UAV” OR “unmanned aerial vehicle” OR drone OR “internet of drones”) AND (“intrusion detection” OR IDS OR intrusion OR anomaly) AND (“machine learning” OR “deep learning” OR AI OR “artificial intelligence”) AND (dataset OR “data set” OR benchmark)
• Screening and Inclusion Criteria: To ensure relevance and quality, we applied the following criteria:
  • Peer-reviewed journal, conference, or early-access articles, written in English.
  • Published between 1 January 2020 and 31 May 2025 (inclusive).
  • Proposes or evaluates an AI/ML-based intrusion detection system (IDS) for UAV or UAV swarm environments.
  • Reports experimental results with performance metrics (for instance, accuracy, F1-score) and dataset details.
• Exclusion Criteria: Studies were excluded if they met any of the following:
  • Non-peer-reviewed publications (such as preprints, theses, technical reports, blogs).
  • Works focused solely on non-AI security measures (purely cryptographic/firewall solutions without AI/ML).
  • No experimental validation (missing performance metrics, dataset description, or implementation details).
  • Addressed only hardware vulnerabilities/attack surfaces without proposing or evaluating an IDS.
• Data Extraction and Structuring: For each included paper, we recorded:
  • Classifier/model type and AI/ML paradigm (supervised, unsupervised, hybrid, etc.).
  • Dataset name, source, structure, and UAV specificity.
  • Deployment strategy (centralized, distributed, federated/hybrid).
  • Detection timing (online/real-time, offline, hybrid).
  • Attack types covered; key findings and limitations.
  • Performance metrics (accuracy, precision, recall, F1-score, AUC/AUROC; and, when reported, latency, model size, or energy).
  Attribute extraction was performed by one author and independently reviewed by a second author; given the largely objective fields (model, dataset, metrics), we did not compute inter-rater statistics such as Cohen’s κ). Any discrepancies would have been resolved by discussion; none occurred as the literature clearly mentions the model, dataset, and metrics they use.
• Methodological Quality and Risk of Bias: We did not use a formal risk-of-bias checklist. Instead, we looked for common problems that could skew results: unrealistic or poorly labeled datasets, reusing train/test splits, or leaking information. When we found these issues, we noted them and explained how they might limit generalization.
• Synthesis and Analysis: We synthesized the literature to identify trends, inconsistencies, and research gaps, with emphasis on dataset reuse, attack-type coverage, deployment realism, and cross-dataset generalizability. Reported performance was interpreted in light of dataset relevance and methodological transparency.

Positioning of Our Survey in the Context of Prior Work

In recent years, a wide range of surveys have been published on UAV security and intrusion detection systems (IDS). While these works provide important insights, many of them tend to focus on either taxonomic organization, technology-specific perspectives (for instance, blockchain, deep learning), or general cybersecurity frameworks. However, few evaluate existing IDS approaches in terms of their deployment readiness, dataset realism, cross-dataset generalizability, or learning strategy diversity.

To clearly identify the novelty of our study, we conducted a detailed comparison with 13 UAV-related surveys published between 2020 and 2025, as summarized in Table 1. Each survey was assessed against seven key dimensions critical for practical IDS research, and this comparison revealed several common gaps in the literature that our work aims to address. First, we introduce a practical attack taxonomy in Figure 2 that is specifically designed for building an IDS by connecting different types of UAV attacks. Second, we gather all the important UAV IDS datasets and Non-UAV datasets into detailed Table 2 and Table 3, making it easy for researchers to see the strengths and weaknesses of each and choose the right one for their work. Third, we provide a strong focus on real-world deployment, analyzing how an IDS can be implemented—whether centralized, distributed on the drones, or using federated learning—and discussing how these choices affect practical issues like response time, privacy, and battery life. Finally, and most importantly, our review is the first to perform standardized experiments testing different IDS models across multiple datasets. This unique analysis reveals that the high accuracy scores reported in many studies are not sustained when the models are presented with unfamiliar data, providing a much-needed reality check on their true performance and ability to generalize.

Figure 2. Proposed UAV Attack Classification.

Figure 2. Proposed UAV Attack Classification.

Table 1. Comparison of UAV IDS Surveys (2020–2025) Across Seven Technical Dimensions.

Survey Ref.	Attack Taxonomy	Cross-Dataset Validation	Dataset Critique	Deployment Strategy	Detection Feasibility	AI Paradigm Analysis	Perfor- mance Metrics
[7]	√	×	Δ	Δ	√	√	Δ
[8]	√	×	×	Δ	Δ	Δ	×
[9]	√	×	√	×	×	√	√
[10]	√	×	Δ	×	×	Δ	×
[11]	√	×	×	Δ	×	√	×
[12]	√	×	×	Δ	Δ	Δ	×
[13]	√	×	Δ	×	√	√	×
[14]	Δ	×	×	×	×	√	Δ
[15]	Δ	×	Δ	×	×	Δ	Δ
[16]	Δ	×	×	Δ	Δ	Δ	×
[17]	√	×	√	Δ	√	√	√
[18]	√	×	×	×	Δ	√	Δ
[19]	√	×	Δ	×	√	√	×
Proposed	√	√	√	√	√	√	√

√ = Thoroughly Addressed; Δ = Partially Discussed; × = Not Addressed. Quantitative summary across prior surveys (n = 13): Attack Taxonomy $10\surd /3\Delta /0\times$; Cross-Dataset Validation $0\surd /0\Delta /13\times$; Dataset Critique $2\surd /5\Delta /6\times$; Deployment Strategy $0\surd /6\Delta /7\times$; Detection Feasibility $4\surd /4\Delta /5\times$; AI Paradigm Analysis $8\surd /5\Delta /0\times$; Performance Metrics $2\surd /4\Delta /7\times$.

Table 1. Comparison of UAV IDS Surveys (2020–2025) Across Seven Technical Dimensions.

Survey Ref.	Attack Taxonomy	Cross-Dataset Validation	Dataset Critique	Deployment Strategy	Detection Feasibility	AI Paradigm Analysis	Perfor- mance Metrics
[7]	√	×	Δ	Δ	√	√	Δ
[8]	√	×	×	Δ	Δ	Δ	×
[9]	√	×	√	×	×	√	√
[10]	√	×	Δ	×	×	Δ	×
[11]	√	×	×	Δ	×	√	×
[12]	√	×	×	Δ	Δ	Δ	×
[13]	√	×	Δ	×	√	√	×
[14]	Δ	×	×	×	×	√	Δ
[15]	Δ	×	Δ	×	×	Δ	Δ
[16]	Δ	×	×	Δ	Δ	Δ	×
[17]	√	×	√	Δ	√	√	√
[18]	√	×	×	×	Δ	√	Δ
[19]	√	×	Δ	×	√	√	×
Proposed	√	√	√	√	√	√	√

√ = Thoroughly Addressed; Δ = Partially Discussed; × = Not Addressed. Quantitative summary across prior surveys (n = 13): Attack Taxonomy $10\surd /3\Delta /0\times$; Cross-Dataset Validation $0\surd /0\Delta /13\times$; Dataset Critique $2\surd /5\Delta /6\times$; Deployment Strategy $0\surd /6\Delta /7\times$; Detection Feasibility $4\surd /4\Delta /5\times$; AI Paradigm Analysis $8\surd /5\Delta /0\times$; Performance Metrics $2\surd /4\Delta /7\times$.

• Taxonomy of Attacks: Whether the survey categorizes threats using structured taxonomies.
• Cross-Dataset Validation: Whether it evaluates or discusses the generalization of IDS models across multiple datasets.
• Dataset Critique: Whether it critically assesses the suitability and limitations of commonly used datasets.
• Deployment Strategy: Whether it accounts for how IDS systems are implemented (for instance, centralized, distributed, federated).
• Detection Feasibility: Whether it considers latency, compute limits, or practical usability in real-world UAV scenarios.
• AI Paradigm Analysis: Whether the survey organizes and compares works based on learning strategy (for instance, supervised, RL, hybrid).
• Performance Metrics Analysis: Whether it reviews or compares models using standard metrics like accuracy, F1-score, or FAR.

Table 1 presents this comparative analysis. Rather than asserting comprehensive coverage, this survey aims to provide a holistic comparative perspective across seven technical dimensions; to ground this, we report a quantitative tally of prior surveys’ coverage alongside our own.

As the table demonstrates, only our survey offers comprehensive coverage across all seven technical and practical dimensions. In contrast to existing works, our contribution goes beyond summarization by providing a full taxonomy of threats categorized by learning methods and deployment contexts; replicating experimental results and evaluating model generalization across multiple datasets; offering a critical analysis of public datasets with respect to realism, attack diversity, and applicability; assessing comparative deployment strategies such as centralized, distributed, and federated IDS architectures; systematically classifying prior work by AI paradigms including supervised, unsupervised, reinforcement learning, and hybrid approaches; and consolidating performance evaluations using standard metrics such as accuracy, F1-score, and false alarm rate (FAR). This broader and empirically grounded perspective distinguishes our work as a holistic and system-aware survey for UAV IDS research.

3. Literature

3.1. Taxonomy of UAV Attack Types Based on UAV-Specific Characteristics

To provide a structured understanding of diverse UAV threats, Figure 2 presents our attack taxonomy, which is organized by UAV-specific operational surfaces into five classes. This framework structures the analysis that follows: (1) Resource Exhaustion and Availability Attacks, which deplete compute, energy, or bandwidth resources through vectors like DoS and channel saturation; (2) Communication Channel Attacks, which include radio-level disruptions like spectrum jamming that corrupt or block telemetry and command traffic; (3) Mobility and Navigation Attacks, which are threats that mislead or degrade positioning, such as GPS spoofing or inducing high-latency conditions; (4) Network Topology and Routing Attacks, which manipulate multi-hop connectivity and trust through methods like sinkhole, wormhole, and Sybil attacks; and (5) Application-level and Payload Attacks, which violate integrity at the service layer via data tampering, insider threats, or impersonation. We use this taxonomy as the backbone for the following subsections, where each class is defined and illustrated with examples relevant to UAVs.

3.1.1. Resource Exhaustion and Availability Attacks

Resource exhaustion and availability attacks target the limited computational power and communication resources inherent to UAV systems. These attacks disrupt UAV operations by overwhelming computational or communication capabilities.

• Denial-of-Service (DoS): Denial-of-Service (DoS) attacks flood UAV nodes or communication channels with excessive packets, rendering them unresponsive by depleting their limited processing power and bandwidth. SYN Flood, a specific form of DoS, abuses TCP’s handshake process by flooding UAVs with SYN packets, exhausting system resources and causing disruption or crashes [20].
• Flooding Attack: Flooding attacks overwhelm UAVs with excessive data packets, consuming memory buffers and processing capacity, degrading communication reliability, and delaying legitimate data transfers critical for UAV missions [21].
• Collisions: Collisions occur when multiple UAV nodes transmit simultaneously on the same frequency channel, causing packet loss and necessitating retransmissions. High mobility and dynamic topology in FANETs significantly increase collision likelihood [12].
• Single Point of Failure (SPOF): Single Point of Failure arises when a crucial UAV or ground control node fails or is compromised, leading to operational breakdown and disrupting entire UAV missions. This vulnerability is heightened in centralized UAV network architectures.

3.1.2. Communication Channel Attacks

Communication channel attacks aim to intercept, manipulate, or disrupt data transmission between UAV nodes or ground control systems, compromising the confidentiality, integrity, or availability of transmitted data.

• Jamming (Active Interfering): Jamming involves intentionally transmitting signals to interfere with legitimate UAV communication channels, causing significant disruption of control signals and real-time data exchange crucial for UAV operations [22].
• Eavesdropping: Eavesdropping attacks intercept UAV communication to gather sensitive or classified data, violating confidentiality and potentially enabling further attacks, such as replay or impersonation [12].
• Replay Attack: Replay attacks involve capturing legitimate packets and retransmitting them fraudulently at later stages to mislead UAV or control stations, enabling unauthorized access or system manipulation [12].
• Man-in-the-Middle (MITM): MITM attacks intercept and potentially alter UAV communications in real time, compromising message confidentiality, integrity, and authenticity, significantly affecting UAV mission reliability [23].
• De-authentication Attack: Attackers disrupt UAV network communications by sending falsified de-authentication packets, forcibly disconnecting legitimate UAV nodes or control stations, and creating operational instability [12].

3.1.3. Mobility and Navigation Attacks

Mobility and navigation attacks specifically target UAV positioning and movement controls, affecting flight trajectory, path planning, and collision avoidance.

• GPS Spoofing: Attackers send false GPS signals to mislead UAV navigation systems, causing incorrect location reporting or complete navigational failure, critically compromising UAV safety and operational effectiveness [24].
• Rushing Attack: Rushing attacks involve rapidly forwarding route discovery packets to establish unauthorized control over network routing, disrupting legitimate navigation paths, and degrading the reliability of UAV network routing protocols [12]
• Low Link Quality and High Latency (LLQ and HL): LLQ and HL occur due to intentional interference or network congestion, causing high communication latency and poor signal quality, critically impacting real-time navigation and coordination among UAVs [12].

Table 2. Overview of UAV-Specific IDS Datasets.

Dataset Name	Ref.	Dataset Characteristics	Attack Types and Applicability
MAVLINK IDS	[25]	Simulated UAV telemetry using MAVLink protocol	GPS spoofing, navigation manipulation, telemetry injection.
PX4 IDS	[26]	Flight logs from PX4-based UAVs across diverse missions	Sensor faults, control anomalies, software misbehavior.
DJI IDS	[26]	Visual simulation of DJI drone missions with injected faults	Visual inconsistencies, flight path anomalies, spoofed sensor input.
UAVCAN IDS	[27]	UAVCAN protocol logs captured from internal UAV buses	Flooding, replay, and fuzzing of internal message traffic.
CADIA IDS	[27]	Network traffic from simulated UAV missions under attack	DDoS, spoofing, and packet manipulation
ALFA IDS	[9]	Fixed-wing UAV test flights with cyber-attack injections	GPS spoofing, jamming, denial-of-service.
WSN-DS	[26]	Simulated UAV swarm behavior with compromised nodes	Blackhole, grayhole, and packet flooding attacks.
UAV Attack IDS	[9]	Synthetic UAV telemetry with targeted GPS and RF attacks	GPS spoofing, signal jamming, position falsification.

Table 2. Overview of UAV-Specific IDS Datasets.

Dataset Name	Ref.	Dataset Characteristics	Attack Types and Applicability
MAVLINK IDS	[25]	Simulated UAV telemetry using MAVLink protocol	GPS spoofing, navigation manipulation, telemetry injection.
PX4 IDS	[26]	Flight logs from PX4-based UAVs across diverse missions	Sensor faults, control anomalies, software misbehavior.
DJI IDS	[26]	Visual simulation of DJI drone missions with injected faults	Visual inconsistencies, flight path anomalies, spoofed sensor input.
UAVCAN IDS	[27]	UAVCAN protocol logs captured from internal UAV buses	Flooding, replay, and fuzzing of internal message traffic.
CADIA IDS	[27]	Network traffic from simulated UAV missions under attack	DDoS, spoofing, and packet manipulation
ALFA IDS	[9]	Fixed-wing UAV test flights with cyber-attack injections	GPS spoofing, jamming, denial-of-service.
WSN-DS	[26]	Simulated UAV swarm behavior with compromised nodes	Blackhole, grayhole, and packet flooding attacks.
UAV Attack IDS	[9]	Synthetic UAV telemetry with targeted GPS and RF attacks	GPS spoofing, signal jamming, position falsification.

3.1.4. Network Topology and Routing Attacks

These attacks specifically compromise the integrity and reliability of routing protocols and UAV network topology, often exploiting vulnerabilities within decentralized UAV architectures.

• Blackhole Attack: Malicious nodes advertise falsely optimal routes to attract network traffic, subsequently dropping all packets, thus disrupting UAV network reliability and operational performance.
• Grayhole Attack: Similar to blackhole attacks, grayhole attackers selectively forward or drop packets unpredictably, complicating detection and causing significant routing instability and uncertainty [28].
• Wormhole Attack: Attackers create a covert communication tunnel between malicious nodes, secretly intercepting and redirecting packets, disrupting UAV network operations, and potentially leading to severe data breaches [29].
• Sybil Attack: In Sybil attacks, an attacker creates multiple fake UAV identities within the network, undermining trust mechanisms, routing decisions, and collaborative mission integrity [30].
• Selfishness (Selfish Node): Selfish nodes intentionally limit their packet forwarding to conserve resources, disrupting network cooperation and decreasing overall UAV network performance [31].

3.1.5. Application-Level and Payload Attacks

These attacks compromise UAV payload or application-layer services, affecting data integrity, confidentiality, and operational trustworthiness.

• Data Tampering and Modification Attack: Attackers manipulate transmitted payload data or application messages to mislead UAV operations, degrading mission accuracy and reliability [32].
• Insider Threat: Authorized insiders intentionally misuse their legitimate access to leak sensitive information or manipulate UAV operations, posing severe internal security threats [33].
• Impersonation Attack: Attackers disguise their identity as legitimate UAV nodes or ground stations to gain unauthorized access, manipulate data exchanges, or mislead operational decisions [34].

Table 3. Overview of Generic (Non-UAV) IDS Datasets.

Dataset Name	Ref.	Dataset Characteristics	Attack Types and Applicability
UNSW-NB15	[35]	Captured network traffic from hybrid normal/attack scenarios	DoS, brute force, and generic probing attacks (not UAV-specific).
DARPA	[36]	Synthetic network traffic for intrusion detection benchmarks	Simulated intrusion patterns from early cybersecurity studies.
KDD Cup 99	[9]	Derived from DARPA dataset with labeled network flows	Traditional attacks: DoS, U2R, R2L (outdated, low UAV relevance).
NSL-KDD	[9]	Improved version of KDD with reduced redundancy	Similar to KDD, lacks UAV or modern protocol coverage.
Kyoto 2006+	[36]	Real-world honeypot traffic over multiple years	General anomaly patterns, limited drone protocol representation.
CICIDS2017	[37]	Emulated enterprise traffic with labeled attack flows	Web and DDoS attacks, limited UAV applicability
ISCX 2012	[37]	Simulated user behavior in enterprise networks	Enterprise-focused threats, no UAV-specific telemetry
CSE-CIC-IDS2018	[9]	Labeled enterprise logs for multiple cyber-attacks	Malware, infiltration, botnet attacks in office-like environments.
AWID2	[37]	Wireless network logs from WiFi environments	Deauthentication, injection, and WiFi DoS (not UAV-specific).
UKM-IDS20	[37]	Traffic captured in university network environment	Education network threats; lacks UAV-relevant telemetry.
DEFCON-10	[38]	Capture-the-flag competition data	Artificial competition scenarios, non-representative of UAV use.
BoT-IoT	[38]	Simulated IoT botnet behaviors with labeled traffic	IoT-centric botnet/DDoS attacks; limited relevance to aerial systems.
ToN-IoT	[9]	Cross-domain IIoT traffic logs with diverse devices	Data poisoning, ransomware, lateral movement (not UAV-focused).
Edge-IIoTset	[9]	Edge/cloud IIoT simulation with cyber-physical flows	Industrial attack vectors (data tampering, denial of edge services).
MQTT-IoT-IDS2020	[9]	MQTT protocol logs from IoT smart environments	Broker flooding, message tampering (not applicable to UAV stacks).
CICIOT2023	[25]	IoT topology-based attacks in smart grid simulations	Topology spoofing, DDoS, MQTT manipulation

Table 3. Overview of Generic (Non-UAV) IDS Datasets.

Dataset Name	Ref.	Dataset Characteristics	Attack Types and Applicability
UNSW-NB15	[35]	Captured network traffic from hybrid normal/attack scenarios	DoS, brute force, and generic probing attacks (not UAV-specific).
DARPA	[36]	Synthetic network traffic for intrusion detection benchmarks	Simulated intrusion patterns from early cybersecurity studies.
KDD Cup 99	[9]	Derived from DARPA dataset with labeled network flows	Traditional attacks: DoS, U2R, R2L (outdated, low UAV relevance).
NSL-KDD	[9]	Improved version of KDD with reduced redundancy	Similar to KDD, lacks UAV or modern protocol coverage.
Kyoto 2006+	[36]	Real-world honeypot traffic over multiple years	General anomaly patterns, limited drone protocol representation.
CICIDS2017	[37]	Emulated enterprise traffic with labeled attack flows	Web and DDoS attacks, limited UAV applicability
ISCX 2012	[37]	Simulated user behavior in enterprise networks	Enterprise-focused threats, no UAV-specific telemetry
CSE-CIC-IDS2018	[9]	Labeled enterprise logs for multiple cyber-attacks	Malware, infiltration, botnet attacks in office-like environments.
AWID2	[37]	Wireless network logs from WiFi environments	Deauthentication, injection, and WiFi DoS (not UAV-specific).
UKM-IDS20	[37]	Traffic captured in university network environment	Education network threats; lacks UAV-relevant telemetry.
DEFCON-10	[38]	Capture-the-flag competition data	Artificial competition scenarios, non-representative of UAV use.
BoT-IoT	[38]	Simulated IoT botnet behaviors with labeled traffic	IoT-centric botnet/DDoS attacks; limited relevance to aerial systems.
ToN-IoT	[9]	Cross-domain IIoT traffic logs with diverse devices	Data poisoning, ransomware, lateral movement (not UAV-focused).
Edge-IIoTset	[9]	Edge/cloud IIoT simulation with cyber-physical flows	Industrial attack vectors (data tampering, denial of edge services).
MQTT-IoT-IDS2020	[9]	MQTT protocol logs from IoT smart environments	Broker flooding, message tampering (not applicable to UAV stacks).
CICIOT2023	[25]	IoT topology-based attacks in smart grid simulations	Topology spoofing, DDoS, MQTT manipulation

3.2. UAV IDS Datasets

The development of effective intrusion detection systems (IDS) for UAV communication networks critically depends on datasets that are realistic for UAV-specific scenarios, attack patterns, and operational characteristics. This section reviews nine datasets that are related to UAV IDS, focusing on their UAV attributes, scenarios, and applicability for intrusion detection.

• MAVLINK IDS Dataset: The MAVLINK dataset provides detailed simulation data using the PX4 autopilot and Gazebo robotics simulator, specifically focusing on MAVLINK protocol interactions. It contains normal operational parameters alongside GPS spoofing scenarios, capturing critical anomalies relevant to UAV navigation security. This dataset is instrumental in testing anomaly detection systems aimed at identifying navigation-related attacks in UAV networks [25].
• PX4 IDS Dataset: This dataset includes flight logs collected from various UAV platforms equipped with Pixhawk controllers running the open-source PX4 autopilot software. The logs provide sensor data, control commands, and flight statuses from diverse scenarios. The dataset is valuable for assessing IDS performance across various UAV hardware platforms and flight conditions [26].
• DJI IDS Dataset: The DJI dataset consists of simulated visual data derived from models of popular DJI UAV platforms such as Phantom and Mavic. Rendered using computer-generated imagery to emulate realistic UAV flight conditions, this dataset supports the detection of visual and sensor-based anomalies in drone operations, making it suitable for visual IDS implementations [26].
• UAVCAN IDS Dataset: Composed of log files capturing communications within UAVCAN protocol networks, this dataset includes various internal message exchanges, command flows, and sensor communications. It supports training machine learning models and rule-based systems to identify unusual internal communications or cyber-attacks targeting the UAV’s internal network bus systems [27].
• CADIA IDS Dataset: CADIA focuses on intrusion detection for Distributed Denial-of-Service (DDoS) and other network attacks, featuring both normal and attack traffic scenarios. The dataset enables researchers to develop and validate intrusion detection methods that require robust differentiation between benign and malicious network traffic patterns [9].
• ALFA IDS Dataset: ALFA provides data specifically targeting failure and anomaly detection in fixed-wing UAVs, including various sudden engine failures and actuator faults scenarios. It supports both anomaly detection and fault diagnosis systems, crucial for real-time monitoring and response mechanisms in UAV operations [27].
• WSN-DS Dataset: WSN-DS contains simulated network traffic representative of swarm UAV operations under multiple attack scenarios, including blackhole, grayhole, and flooding attacks. This dataset is particularly relevant for studying IDS in swarm UAV environments, capturing unique challenges posed by cooperative UAV networks [26].
• UNSW-NB 15 Dataset: Originally developed for broader network intrusion detection, UNSW-NB15 includes realistic network traffic and various cyber-attack types like DoS and probing attacks. While not UAV-specific, its comprehensive range of network behaviors makes it useful for preliminary training and validation of network-based IDS frameworks that can later be specialized for UAV contexts [35].
• UAV Attack IDS Dataset: This dataset specifically simulates GPS spoofing and jamming attacks across multiple UAV simulation environments. It addresses critical threats to UAV positional integrity and communication reliability, providing targeted scenarios for assessing intrusion detection systems designed to protect UAVs from navigation-related cyber threats [26].

The datasets in Table 2 represent growing efforts to create UAV-specific IDS resources that address the distinct operational and cyber-physical aspects of drone systems. These datasets collectively represent a broad spectrum of UAV-specific scenarios and attack patterns, serving as valuable resources for developing, testing, and benchmarking intelligent intrusion detection systems suitable for UAV communication environments. Datasets like MAVLink IDS, PX4 IDS, DJI IDS, and UAVCAN IDS provide telemetry records, MAVLink message sequences, internal bus communications, and simulated sensor anomalies that closely replicate actual drone operations and vulnerabilities. For instance, MAVLink IDS records protocol-level attacks, including navigation spoofing and command injection, while UAVCAN IDS contains low-level bus attacks like flooding and replay attempts.

Datasets such as ALFA IDS and PX4 IDS broaden intrusion detection research to include actuator malfunctions and embedded system irregularities, supporting both fault detection and network intrusion studies. CADIA IDS and UAV Attack IDS supply labeled attack scenarios from controlled drone mission simulations, covering threats like GPS spoofing, signal jamming, and distributed denial-of-service attacks. WSN-DS and similar datasets enable testing of swarm-specific threats through simulations of compromised nodes in multi-drone networks. While these UAV-focused datasets offer greater realism than conventional alternatives, they still face constraints.

• Class imbalance: We often see UAV datasets where attack samples are few and far between—sometimes making up less than 10% of the total data. This uneven spread can trick IDS models into mostly recognizing normal behavior while missing actual threats. Researchers typically fix this by either balancing the dataset or adjusting how the model weighs different classes. On the flip side, some papers use datasets like CICIDS2017, where attacks are overrepresented through artificial generation. While this makes models look good on paper, they usually fail when faced with real drone networks.
• Attack labeling quality: Most UAV datasets do not label attacks the way security experts would—by carefully examining network packets or system responses. Instead, they rely on automated scripts or simulation triggers that might mark something as an attack when it is not, or miss real intrusions. This labeling problem worsens in virtual test environments like Gazebo, where there is no physical drone to confirm what is happening. When labels are unreliable, it is challenging to trust the detection metrics that models produce.
• Simulation fidelity: Some UAV datasets are just computer simulations that do not capture how drones communicate in the real world. They miss the radio frequency quirks, timing inconsistencies, and hardware feedback (like motor current changes) that occur during actual flights. These simulated datasets might include basic attacks like GPS spoofing, but they completely miss more complex threats that target groups of drones or exploit multiple vulnerabilities in sequence.

The datasets in Table 3 (NSL-KDD, CICIDS2017, UNSW-NB15, BoT-IoT) remain popular for general intrusion detection but were not created for UAV applications. Standard network datasets like CIC-IDS2017 and NSL-KDD lack drone-specific features—they do not include MAVLink/UAVCAN protocols, 5GHz control signals, or critical timing data such as GPS epochs and PWM periods, all of which are essential for detecting UAV-related attacks. This results in serious limitations: one study showed that models trained on NSL-KDD misclassified 46% of GPS spoofing attempts when evaluated on real PX4 drone logs, demonstrating that general-purpose datasets often fail to address drone security requirements [9,39]. Although these datasets offer a wide range of attack types, including DoS, port scans, botnets, and malware, they omit crucial UAV-specific data such as flight telemetry, control commands, and mission execution patterns. As a result, while they are useful for benchmarking baseline detection performance, they fall short in capturing critical UAV dimensions like real-time constraints, sensor anomalies, and cyber-physical system interactions.

Some researchers adapt these generic datasets by correlating network flows with simulated UAV traffic or using them for preliminary model training. However, as discussed in the Result analysis, such approaches frequently show substantial performance drops when applied to UAV-specific contexts, underscoring generalization challenges. Legacy datasets like KDD Cup 99 and NSL-KDD, despite their historical significance, contain obsolete or artificially balanced samples that limit their utility for modern drone networks.

In summary, UAV-specific datasets remain essential for developing practical IDS solutions, particularly when detection requires coordination across flight control, physical states, and communication patterns. However, these resources need expansion in scope, variety, and threat coverage to match the comprehensiveness of general-purpose datasets.

3.3. AI-Based Intrusion Detection Approaches

To further organize the literature, we divided the surveyed IDS papers into five taxonomy groups: ML-based, DL-based, Mixed ML+DL, RL-based, and Specialized/Other (see

Table 4. Taxonomyof UAV IDS Approaches.

Category	References	Description (Key Characteristics)
ML-based Approaches	[40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55]	Classical machine learning models such as Decision Trees, Random Forests, SVMs, Logistic Regression, Naïve Bayes, Gradient Boosting (XGBoost, LightGBM), and Ensembles. These approaches are computationally efficient, interpretable, and well-suited for tabular UAV traffic data, but they often fail to capture temporal or spatial dependencies.
DL-based Approaches	[2,3,4,5,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70]	Includes deep neural models such as CNNs, LSTMs, RNNs, ConvLSTMs, DBNs, and hybrid deep frameworks. These capture complex temporal and spatial dependencies in UAV telemetry and network data. They achieve high accuracy and robustness but require more computation and are harder to deploy on resource-limited UAV platforms.
Mixed ML + DL Approaches	[71,72,73,74]	Papers that combine both classical ML and DL models. Examples include RF+CNN+DNN, SVM+FNN+LSTM, and LSTM+DT. Such approaches aim to leverage the interpretability of ML and the representational power of DL, balancing efficiency and accuracy.
RL-based Approaches	[75,76,77,78]	Includes Reinforcement Learning methods such as Deep Deterministic Policy Gradient (DDPG), DQN, DRL-BWO, and cooperative Q-learning. These are adaptive and dynamic, suitable for evolving UAV environments, but computationally intensive and mostly validated in simulation.
Specialized / Other Approaches	[69,79,80,81,82,83,84,85,86,87]	Encompasses approaches outside standard ML/DL/RL categories. These include model-based observers, graph neural networks, cross-layer attention frameworks, fuzzy/neuro-fuzzy systems (ANFIS), evolutionary rule-based systems (EBRB), bio-inspired immune-system IDS, autoencoders in unsupervised mode, and GAN-based anomaly detection. These often target UAV-specific constraints or novel attack scenarios.

). ML-based approaches include traditional algorithms such as decision trees, random forests, SVMs, boosting methods, and other classical machine learning techniques. DL-based approaches cover architectures such as CNNs, LSTMs, RNNs, ConvLSTMs, DBNs, and related neural models. Mixed ML+DL approaches combine both classical and deep methods within the same study to balance interpretability and representation power. RL-based approaches apply reinforcement learning methods such as DQN, DRL, and Q-learning to intrusion detection in UAVs. Finally, Specialized/Other approaches encompass observer-based frameworks, fuzzy and bio-inspired systems, graph neural networks, and cross-layer attention mechanisms that do not fit neatly into ML, DL, or RL categories. This taxonomy helps readers navigate the different families of IDS approaches more directly and provides a clearer roadmap for comparing UAV IDS research.

3.3.1. Supervised Learning IDS Approaches for UAV Networks

Supervised learning approaches play a crucial role in the design of IDS for UAV networks due to their proven effectiveness in accurately identifying and classifying known attack patterns [2,40]. These methods rely on labeled datasets containing annotated examples of normal and malicious behaviors, enabling algorithms to learn distinct patterns and accurately predict future incidents [4,41]. Usually, the supervised models such as Random Forests [40,41], Deep Neural Networks [56], Convolutional Neural Networks (CNN), and Recurrent Neural Networks (RNN) like LSTM [2,4] are utilized due to their ability to handle complex feature interactions and temporal dynamics inherent to UAV data. A detailed overview of representative supervised IDS approaches, their datasets, methodology, and performance is presented in Table 5.

As supervised IDS models require extensive and carefully labeled datasets that clearly distinguish between benign and malicious traffic scenarios, these datasets often must include diverse attack types such as Denial-of-Service (DoS), GPS spoofing, and command injection to ensure robust detection across various threat vectors [42,43,88]. Furthermore, these datasets must be continuously updated to include emerging attack behaviors, which pose significant challenges related to data collection, labeling, and feature selection [41,71].

Despite their high accuracy and robust detection capabilities, supervised approaches show some clear limitations. Firstly, their effectiveness heavily depends on the quality and representativeness of labeled datasets. Any bias or inadequacy in data labeling directly affects the model’s ability to generalize to unseen scenarios [4,44]. Secondly, supervised methods generally face challenges in detecting novel or zero-day attacks due to their reliance on previously encountered patterns [5]. Lastly, training deep learning models can be done offline using powerful computers or cloud servers. However, when these models are used on drones (during inference), they need to be lightweight. On the other hand, many unsupervised anomaly detection systems do heavy computations in real time while the drone is flying, which can be too demanding for drones with limited processing power [2,40]. Therefore, the literature shows that supervised learning approaches remain indispensable in UAV IDS development, offering high detection accuracy and precise threat categorization. However, overcoming dataset quality issues, enhancing detection of novel attacks, and managing computational demands continue to be key areas for ongoing research and improvement [2,41,44].

3.3.2. Unsupervised Learning and Hybrid IDS Approaches for UAV Networks

Unsupervised and hybrid intrusion detection approaches have been used frequently in UAV network security (see Table 6) due to their capacity to address challenges faced by supervised learning models. Supervised learning models depend on labeled data and are unable to detect novel attacks [1,57]. Unsupervised learning methods, including autoencoders [57,89], isolation forests, and one-class SVMs [1,90], identify anomalies by learning normal operational patterns, thus effectively detecting previously unseen attacks or anomalies in UAV operations.

Hybrid approaches integrate multiple detection paradigms or combine learning strategies to improve resilience and accuracy. For example, observer-based hybrid models with Bi-LSTM and SVM demonstrated robust real-time detection [91], while ML-RL hybrids such as decision tree combined with reinforcement learning achieved perfect accuracy on UAV ad hoc networks [45]. Spectral traffic analysis has also been explored to enhance detection in dynamic UAV environments [92]. By combining anomaly detection with adaptive or rule-based components, these systems broaden coverage against diverse threats and improve adaptability in real-world UAV operations.

Both unsupervised and hybrid IDS methods typically utilize datasets capturing realistic UAV operational scenarios and attacks, such as GPS spoofing, command injection, and denial-of-service (DoS) attacks [1,57,89,93]. However, the effectiveness of these methods largely depends on the representativeness of the training datasets. For instance, GAN-augmented models significantly improved spoofing detection robustness [80], while federated learning with stacked autoencoders allowed UAV swarms to collaboratively train anomaly detectors while preserving privacy [51]. This shows that while unsupervised and hybrid IDS are powerful for handling novel threats, their generalizability relies on realistic datasets and deployment-aware designs.

Table 5. Overview of Supervised IDS Approaches in UAV Networks.

Ref.	Model/ Algorithms	Dataset Used	Main Idea/Methodology	Key Findings	Performance Metrics
[2]	LSTM	UAVCAN dataset, UAV attacks dataset, and Kitsune network attack dataset	Proposes E-DIDS, a fully distributed anomaly detection framework for UAV networks. The framework uses LSTM models trained on combined datasets to detect anomalies in real time, facilitating robust, distributed monitoring of UAV operations.	-Distributed IDS (E-DIDS) -Real-time capability -High accuracy demonstrated	Accuracy (Acc): 98.6%, loss of 0.091
[40]	Optimized RF	NSL-KDD	Proposes a hierarchical IDS framework tailored for military UAV operations. It utilizes an optimized Random Forest classifier through Randomized Search Cross-Validation to effectively detect intrusions across multiple operational levels.	-Hierarchical design -Military UAV suitable -Optimized via random search	Multiclass: Acc: 97.24%, F1: 96.38%, Recall: 95.93%, Precision: 96.54%
[4]	LSTM-RNN	kDDCup 99, NSL-KDD, UNSW-NB15, Kyoto, CICIDS2017,and TON_IoT.	Introduces a distributed intrusion detection system leveraging LSTM-RNN models. The system emphasizes lightweight computational load, enabling deployment across various UAV platforms while maintaining high detection accuracy.	-Multi-dataset validation -Lightweight implementation -Distributed	Acc: Almost 99%
[41]	Random Forest	Framework dataset generated from network traces of FPV drones, IoT cameras, VoIP apps, background traffic, and public Wi-Fi.	Presents a real-time detection framework focused on identifying drone-related threats through WiFi traffic analysis. It employs Random Forest classifiers and a two-phase feature selection process for enhanced performance.	-Real-time detection -High accuracy (WiFi features)	Detection Acc: Upto 99%
[5]	Deep Belief Network, Particle Swarm Optimization (DBN-PSO)	KDD Cup 99	Introduces an intrusion detection system utilizing Deep Belief Networks optimized through Particle Swarm Optimization (PSO). The approach enhances DBN performance, demonstrating improved detection rates over traditional methods.	-PSO optimization -Deep learning approach -Moderate performance	Acc: 92.44%, Detection rate: 91.20%, Precision: 99.82%, False alarm rate: 0.68%
[42]	XGBoost	Cyber-Physical	Develops an IDS targeted for UAV applications within Intelligent Transport Systems (ITS). Utilizing XGBoost and comparative algorithms, it achieves superior performance and robustness against UAV-specific cyber threats.	-High precision IDS -UAV-focused dataset -Comparative evaluation	Acc: 98% Recall: 98.1% P: 98.1% F1: 98.1%
[43]	DT, KNN, RF	CSE-CIC-IDS2018	Explores the efficacy of various supervised machine learning models, including Decision Trees, KNN, and Random Forests, for detecting intrusions. Highlights the exceptional performance of Decision Trees on specific attacks such as DoS.	-Decision tree best -Diverse ML models -High performance on DoS	Acc: 99.99%, FNR Rate 0%
[71]	RF, Suffix Tree and Fourier transformation	Contagio Malware Database	Introduces DNS-based detection mechanisms for Advanced Persistent Threats (APT) and malware within UAV IoT environments. The Random Forest classifier effectively identifies anomalies and malicious DNS behaviors.	-IoT-centric method -DNS anomaly detection -Effective malware detection	Acc: 94.88%, F1-score: 96%, AUC: 94.11%
[44]	RF, DT, NB, KNN	NSL-KDD	Proposes a cybersecurity framework integrating multiple classifiers for IoT-enabled UAV networks. The Random Forest classifier emerges as the best model, demonstrating high accuracy in identifying intrusions.	-RF best performer -IoT-enabled IDS	RF Accuracy: 97%
[47]	RF, KNN, SVM	CIC-IDS2018	Presents an IDS simulation testbed specifically designed for UAV scenarios. Evaluates Random Forest Classifier and SVM, demonstrating RFC’s superior accuracy and robustness under diverse cyber-attack conditions.	-RF superior to SVM -UAV simulation testbed	RF, Acc: 96.2%, DR: 98.11%
[56]	DNN	UAV Intrusion Detection Dataset	Proposes a hybrid UAV security framework utilizing deep neural networks combined with ICMetric feature extraction for enhanced security of UAV communications.	-ICMetric-based IDS -High accuracy (DL) -Secure UAV applications	Accuracy: 99.99%, False Negative: 1.24%, False Positive: 0%
[72]	RF, DNN, CNN	UNSW-NB15	Proposes a methodology for characterizing IDS performance by benchmarking various classifiers, showing Random Forest as the most effective model for intrusion detection tasks.	-RF highest accuracy -IDS characterization	Acc: upto 81.59%, Weighted Avg F1: 82.83%
[48]	Gaussian Processes, Linear Regression, Logistic, Multilayer Perceptron, SGD	Dataset not reported	Evaluates supervised ML classifiers to secure UAV WiFi communications. The study identifies MLP as the most effective in accuracy and response speed.	-MLP highest accuracy -WiFi-based dataset	MLP Accuracy: 72.7%
[49]	Optimized RF	CICIDS2017	Introduces a cyber-edge IDS framework that employs optimized Random Forest for high-performance real-time detection in UAV communications.	-Edge computing IDS -Randomized optimization	Acc: 99.87%, Prec: 99.32%, Recall = 98.81%, F1: 99.06%
[62]	Hybrid CNN-LSTM	CICIDS2017	Evaluates deep learning and machine learning models, demonstrating CNN + LSTM superiority in accuracy, precision, and recall metrics on large datasets.	-CNN + LSTM superior -Large dataset evaluation -High precision and recall	Acc: 99.06%, Precision: 99.07%, Recall 99.06%, F1: 99.065%
[50]	RF, LR, KNN, SVM, XGBoost	Generated Dataset	Develops an IDS using side-channel analysis data from UAV testbeds, showing XGBoost’s effectiveness in identifying real-time Hardware Trojan (HT) intrusions.	-Side-channel analysis -XGBoost effectiveness -Real UAV testbed	Yields ROC and Acc: up to 99.5% and 98%
[60]	Feedforward convolutional neural network (FFCNN)	UAVIDS Dataset	Proposes UAV-CIDS, a collaborative IDS framework employing convolutional neural networks to effectively identify intrusions in UAV operations.	-Collaborative approach -Convolutional NN -High accuracy and precision	Acc: 98.23%, Detection Rate: 99%
[61]	MLP	CSE-CIC-IDS2018	Demonstrates a proof-of-concept deep learning-based intrusion detection model with MLP, achieving outstanding detection results.	-Proof-of-concept -High F1 scores	Acc: 96.3%

Table 5. Overview of Supervised IDS Approaches in UAV Networks.

Ref.	Model/ Algorithms	Dataset Used	Main Idea/Methodology	Key Findings	Performance Metrics
[2]	LSTM	UAVCAN dataset, UAV attacks dataset, and Kitsune network attack dataset	Proposes E-DIDS, a fully distributed anomaly detection framework for UAV networks. The framework uses LSTM models trained on combined datasets to detect anomalies in real time, facilitating robust, distributed monitoring of UAV operations.	-Distributed IDS (E-DIDS) -Real-time capability -High accuracy demonstrated	Accuracy (Acc): 98.6%, loss of 0.091
[40]	Optimized RF	NSL-KDD	Proposes a hierarchical IDS framework tailored for military UAV operations. It utilizes an optimized Random Forest classifier through Randomized Search Cross-Validation to effectively detect intrusions across multiple operational levels.	-Hierarchical design -Military UAV suitable -Optimized via random search	Multiclass: Acc: 97.24%, F1: 96.38%, Recall: 95.93%, Precision: 96.54%
[4]	LSTM-RNN	kDDCup 99, NSL-KDD, UNSW-NB15, Kyoto, CICIDS2017,and TON_IoT.	Introduces a distributed intrusion detection system leveraging LSTM-RNN models. The system emphasizes lightweight computational load, enabling deployment across various UAV platforms while maintaining high detection accuracy.	-Multi-dataset validation -Lightweight implementation -Distributed	Acc: Almost 99%
[41]	Random Forest	Framework dataset generated from network traces of FPV drones, IoT cameras, VoIP apps, background traffic, and public Wi-Fi.	Presents a real-time detection framework focused on identifying drone-related threats through WiFi traffic analysis. It employs Random Forest classifiers and a two-phase feature selection process for enhanced performance.	-Real-time detection -High accuracy (WiFi features)	Detection Acc: Upto 99%
[5]	Deep Belief Network, Particle Swarm Optimization (DBN-PSO)	KDD Cup 99	Introduces an intrusion detection system utilizing Deep Belief Networks optimized through Particle Swarm Optimization (PSO). The approach enhances DBN performance, demonstrating improved detection rates over traditional methods.	-PSO optimization -Deep learning approach -Moderate performance	Acc: 92.44%, Detection rate: 91.20%, Precision: 99.82%, False alarm rate: 0.68%
[42]	XGBoost	Cyber-Physical	Develops an IDS targeted for UAV applications within Intelligent Transport Systems (ITS). Utilizing XGBoost and comparative algorithms, it achieves superior performance and robustness against UAV-specific cyber threats.	-High precision IDS -UAV-focused dataset -Comparative evaluation	Acc: 98% Recall: 98.1% P: 98.1% F1: 98.1%
[43]	DT, KNN, RF	CSE-CIC-IDS2018	Explores the efficacy of various supervised machine learning models, including Decision Trees, KNN, and Random Forests, for detecting intrusions. Highlights the exceptional performance of Decision Trees on specific attacks such as DoS.	-Decision tree best -Diverse ML models -High performance on DoS	Acc: 99.99%, FNR Rate 0%
[71]	RF, Suffix Tree and Fourier transformation	Contagio Malware Database	Introduces DNS-based detection mechanisms for Advanced Persistent Threats (APT) and malware within UAV IoT environments. The Random Forest classifier effectively identifies anomalies and malicious DNS behaviors.	-IoT-centric method -DNS anomaly detection -Effective malware detection	Acc: 94.88%, F1-score: 96%, AUC: 94.11%
[44]	RF, DT, NB, KNN	NSL-KDD	Proposes a cybersecurity framework integrating multiple classifiers for IoT-enabled UAV networks. The Random Forest classifier emerges as the best model, demonstrating high accuracy in identifying intrusions.	-RF best performer -IoT-enabled IDS	RF Accuracy: 97%
[47]	RF, KNN, SVM	CIC-IDS2018	Presents an IDS simulation testbed specifically designed for UAV scenarios. Evaluates Random Forest Classifier and SVM, demonstrating RFC’s superior accuracy and robustness under diverse cyber-attack conditions.	-RF superior to SVM -UAV simulation testbed	RF, Acc: 96.2%, DR: 98.11%
[56]	DNN	UAV Intrusion Detection Dataset	Proposes a hybrid UAV security framework utilizing deep neural networks combined with ICMetric feature extraction for enhanced security of UAV communications.	-ICMetric-based IDS -High accuracy (DL) -Secure UAV applications	Accuracy: 99.99%, False Negative: 1.24%, False Positive: 0%
[72]	RF, DNN, CNN	UNSW-NB15	Proposes a methodology for characterizing IDS performance by benchmarking various classifiers, showing Random Forest as the most effective model for intrusion detection tasks.	-RF highest accuracy -IDS characterization	Acc: upto 81.59%, Weighted Avg F1: 82.83%
[48]	Gaussian Processes, Linear Regression, Logistic, Multilayer Perceptron, SGD	Dataset not reported	Evaluates supervised ML classifiers to secure UAV WiFi communications. The study identifies MLP as the most effective in accuracy and response speed.	-MLP highest accuracy -WiFi-based dataset	MLP Accuracy: 72.7%
[49]	Optimized RF	CICIDS2017	Introduces a cyber-edge IDS framework that employs optimized Random Forest for high-performance real-time detection in UAV communications.	-Edge computing IDS -Randomized optimization	Acc: 99.87%, Prec: 99.32%, Recall = 98.81%, F1: 99.06%
[62]	Hybrid CNN-LSTM	CICIDS2017	Evaluates deep learning and machine learning models, demonstrating CNN + LSTM superiority in accuracy, precision, and recall metrics on large datasets.	-CNN + LSTM superior -Large dataset evaluation -High precision and recall	Acc: 99.06%, Precision: 99.07%, Recall 99.06%, F1: 99.065%
[50]	RF, LR, KNN, SVM, XGBoost	Generated Dataset	Develops an IDS using side-channel analysis data from UAV testbeds, showing XGBoost’s effectiveness in identifying real-time Hardware Trojan (HT) intrusions.	-Side-channel analysis -XGBoost effectiveness -Real UAV testbed	Yields ROC and Acc: up to 99.5% and 98%
[60]	Feedforward convolutional neural network (FFCNN)	UAVIDS Dataset	Proposes UAV-CIDS, a collaborative IDS framework employing convolutional neural networks to effectively identify intrusions in UAV operations.	-Collaborative approach -Convolutional NN -High accuracy and precision	Acc: 98.23%, Detection Rate: 99%
[61]	MLP	CSE-CIC-IDS2018	Demonstrates a proof-of-concept deep learning-based intrusion detection model with MLP, achieving outstanding detection results.	-Proof-of-concept -High F1 scores	Acc: 96.3%

Table 6. Overview of Unsupervised and Hybrid IDS Approaches in UAV Networks.

Ref.	Model/ Algorithms	Dataset Used	Main Idea/Methodology	Key Findings	Performance Metrics
[1]	One-Class Support Vector Machine, Isolation Forest, Local Outlier Factor, Denoising Autoencoder, Convolutional Autoencoder, LSTM Autoencoder	UAV ATTACK DATASET	Digital-twin-based unsupervised detection architecture for UAV resilience.	Enhanced spoofing detection; high resilience	Conv AE best performing with Acc: 99.75%, Precision: 97.65% Recall: 99.50% F1: 98.51 % AUC: 1.000
[91]	Bi-LSTM, SVM, Observer	Custom UAV datasets	Hybrid IDS with observer mechanism for UAV real-time threats.	Robust; real-time detection	High precision and recall
[51]	Stacked AE, OC-SVM, LOF, Isolation Forest	UAV Attack Dataset	Unsupervised one-class classifiers trained on benign UAV flight data detect GPS jamming and spoofing by modeling normal behavior.	Avoids attack labeling, works across hardware, and detects novel threats	Stacked autoencoder scored highest (92.9%), followed by LOF (87.1%), Isolation Forest (83.6%), and OC-SVM (<80%)
[92]	Spectral Traffic Analysis	Hybrid UAV network	Spectral IDS for UAV dynamic threat detection.	Real-time UAV traffic analysis	Qualitative only
[45]	Decision Tree	CICIDS2017	Hybrid ML-RL IDS for UAV ad hoc networks.	Adaptive learning; high accuracy	Acc: 100%, FP 0%, FN 0%
[57]	Linear Autoencoder	MAVLINK dataset	Unsupervised anomaly detection using reconstruction loss.	DoS and GPS spoofing detection	High Reconstruction Loss During Attack else < 0.05
[93]	One-class Classifier- OC-SVM, LOF, Autoencoder	Generated Flight Log Dataset	Lightweight spoofing IDS for onboard UAV use.	Lightweight and GPS effective	GPS spoofing and jamming macro averaged F1: 90.57% and 94.3%
[89]	One-Class Support Vector Machine, Autoencoder Neural Network, and Local Outlier Factor	UAV ATTACK DATASET	Novelty-based UAV IDS for PX4 logs.	PX4 suitability; good detection	AE average F1 score of 94.81%, followed by OC-SVM (81.17%) and LOF (58.93%)
[90]	One-Class SVM, Isolation Forest, Local Outlier Factor	Generated via Hardware-in-the-loop simulation	PWM signal anomaly detection using unsupervised learning.	Embedded UAV detection; moderate accuracy	LOF achieved 75.87% accuracy, 88.66% precision, 63.80% recall, and an F1-score of 74.20%
[80]	Adversarial GAN, InfoGAN, WGAN	UAV Attack Dataset	GAN-augmented autoencoder IDS for spoofing defense.	Improved robustness via GAN	Detection rate for improved IDS 93.78% and 99.39%, Accuracy of 99.57% against GPS spoofing
[51]	FedAvg, FedAvgM, FedAdagrad, FedYogi, FedAdam	UAV Attack Dataset	Federated learning enables UAV swarms to collaboratively train anomaly detection models while preserving data privacy.	Each UAV trains a local stacked autoencoder; only parameters are shared for aggregation.	Best approach Fed Yogi F1: 90.4%

Table 6. Overview of Unsupervised and Hybrid IDS Approaches in UAV Networks.

Ref.	Model/ Algorithms	Dataset Used	Main Idea/Methodology	Key Findings	Performance Metrics
[1]	One-Class Support Vector Machine, Isolation Forest, Local Outlier Factor, Denoising Autoencoder, Convolutional Autoencoder, LSTM Autoencoder	UAV ATTACK DATASET	Digital-twin-based unsupervised detection architecture for UAV resilience.	Enhanced spoofing detection; high resilience	Conv AE best performing with Acc: 99.75%, Precision: 97.65% Recall: 99.50% F1: 98.51 % AUC: 1.000
[91]	Bi-LSTM, SVM, Observer	Custom UAV datasets	Hybrid IDS with observer mechanism for UAV real-time threats.	Robust; real-time detection	High precision and recall
[51]	Stacked AE, OC-SVM, LOF, Isolation Forest	UAV Attack Dataset	Unsupervised one-class classifiers trained on benign UAV flight data detect GPS jamming and spoofing by modeling normal behavior.	Avoids attack labeling, works across hardware, and detects novel threats	Stacked autoencoder scored highest (92.9%), followed by LOF (87.1%), Isolation Forest (83.6%), and OC-SVM (<80%)
[92]	Spectral Traffic Analysis	Hybrid UAV network	Spectral IDS for UAV dynamic threat detection.	Real-time UAV traffic analysis	Qualitative only
[45]	Decision Tree	CICIDS2017	Hybrid ML-RL IDS for UAV ad hoc networks.	Adaptive learning; high accuracy	Acc: 100%, FP 0%, FN 0%
[57]	Linear Autoencoder	MAVLINK dataset	Unsupervised anomaly detection using reconstruction loss.	DoS and GPS spoofing detection	High Reconstruction Loss During Attack else < 0.05
[93]	One-class Classifier- OC-SVM, LOF, Autoencoder	Generated Flight Log Dataset	Lightweight spoofing IDS for onboard UAV use.	Lightweight and GPS effective	GPS spoofing and jamming macro averaged F1: 90.57% and 94.3%
[89]	One-Class Support Vector Machine, Autoencoder Neural Network, and Local Outlier Factor	UAV ATTACK DATASET	Novelty-based UAV IDS for PX4 logs.	PX4 suitability; good detection	AE average F1 score of 94.81%, followed by OC-SVM (81.17%) and LOF (58.93%)
[90]	One-Class SVM, Isolation Forest, Local Outlier Factor	Generated via Hardware-in-the-loop simulation	PWM signal anomaly detection using unsupervised learning.	Embedded UAV detection; moderate accuracy	LOF achieved 75.87% accuracy, 88.66% precision, 63.80% recall, and an F1-score of 74.20%
[80]	Adversarial GAN, InfoGAN, WGAN	UAV Attack Dataset	GAN-augmented autoencoder IDS for spoofing defense.	Improved robustness via GAN	Detection rate for improved IDS 93.78% and 99.39%, Accuracy of 99.57% against GPS spoofing
[51]	FedAvg, FedAvgM, FedAdagrad, FedYogi, FedAdam	UAV Attack Dataset	Federated learning enables UAV swarms to collaboratively train anomaly detection models while preserving data privacy.	Each UAV trains a local stacked autoencoder; only parameters are shared for aggregation.	Best approach Fed Yogi F1: 90.4%

Despite their strengths, unsupervised and hybrid methods face several challenges. Unsupervised approaches may yield higher false-positive rates due to the absence of labeled attack data during training [1,90]. Another reason Unsupervised IDS autoencoders often suffer from high false-positive rates because their thresholds drift over time. As UAV missions change—say, by turning on cameras or changing flight modes—telemetry characteristics like packet size or timing can shift. This leads to reconstruction errors rising unexpectedly, pushing false alert rates from around 1% up to 8–9% unless thresholds are regularly retrained or combined with rule-based checks. A recent study addressing this in UAV sensor data employs a stacked recurrent autoencoder with a dynamic thresholding mechanism; by adapting thresholds over time and using a weighted loss function, the false-positive rate is typically cut to near 2% while maintaining accurate detection [94,95].

Hybrid methods, while more effective, often require more complex architectures, leading to increased computational demands, which may pose deployment challenges for resource-constrained UAVs [58,79]. It is evident from Table 6 that unsupervised and hybrid IDS approaches offer significant advantages in detecting unknown and complex attacks in UAV networks. Therefore, continued research into improving dataset quality, reducing false positives, and optimizing resource utilization will be essential for enhancing the effectiveness and deployment of these methods in real-world UAV scenarios [1,45,89].

3.3.3. Reinforcement Learning IDS Approaches for UAV Networks

Reinforcement Learning (RL) approaches have emerged as effective methods for intrusion detection in UAV networks, particularly due to their adaptability, autonomous learning capabilities, and suitability for dynamic environments encountered in UAV operations [75,76]. RL methods, such as Deep Q-Networks (DQN) and Deep Deterministic Policy Gradient (DDPG), enable IDS to learn optimal detection policies directly from interactions within the network environment, without explicit prior knowledge of attack patterns [75,77]. Representative examples are presented in

Table 7. Reinforcement Learning IDS Approaches.

Ref.	Category	Model/ Algorithms	Dataset Used	Main Idea/Methodology	Performance Metrics
[75]	Reinforcement Learning	Deep Q-Network (DQN)	CICIDS2017	Proposes a lightweight RL-based intrusion detection and Prevention System (IDPS) framework for UAV networks.	Acc: 99.70%, Precision: 95%, Recall: 97%, F1: 96%
[76]	Reinforcement Learning	DRL with Deep Belief Network	NSL-KDD	Uses Deep Reinforcement Learning (DRL) combined with Deep Belief Networks to enhance UAV intrusion detection.	Precision: 98.5%, Recall: 99.3%, F-measure: 98.8%, Acc: 98.9%
[77]	Reinforcement Learning	Deep Deterministic Policy Gradient	Simulated from Environment	Introduces a DRL-based IDS for UAV aerial computing networks, focusing on continuous control and real-time defense.	More than 90% detection ratio over 1000 time slot
[78]	Reinforcement Learning	Q-learning-based two-layer cooperative IDS (Q-TCID)	Simulated IoD environment	Implements cooperative intrusion detection using a layered Q-learning model tailored for UAV swarm environments.	Accuracy: 90%+ under varying attack intensities

.

A typical RL-based IDS setup involves an agent interacting continuously with the UAV communication environment, where it makes detection decisions and receives feedback in the form of rewards or penalties based on detection accuracy [76,78]. These systems effectively handle scenarios involving evolving threats or unknown attacks, making them highly suitable for UAVs operating in unpredictable or adversarial conditions.

However, RL-based approaches often require extensive interaction with the environment, which can result in increased computational overhead and prolonged training periods [77]. Additionally, the performance of RL models depends significantly on the design of reward functions, the stability of the learning algorithms, and the realism of the simulation environments used during training [75,78]. These limitations can lead to unstable behavior or models that perform well only in the simulated settings they were trained in. More importantly, testing new actions in real UAV systems can pose safety risks, making it difficult to explore and learn in live environments. Due to these constraints, the majority of deep RL-based IDS research is still confined to simulation, with ongoing concerns around training efficiency, generalization to real-world scenarios, and ensuring safe deployment in the field [13].

Despite these challenges, recent studies demonstrated high effectiveness and accuracy of RL methods in detecting various UAV-specific cyber threats, including DoS and communication-related attacks, indicating their promising potential for future UAV security solutions [75,76]. Further research into reducing computational complexity, enhancing training efficiency, and improving environment feedback will enable the practical applicability and adoption of reinforcement learning-based IDS in UAV networks.

3.3.4. Bio-Inspired, Other Algorithms, and Mixed IDS Approaches

Beyond traditional supervised, unsupervised, hybrid, and reinforcement learning methods, alternative approaches such as bio-inspired algorithms, graph-based, fuzzy, and other specialized methodologies have also been explored for UAV intrusion detection systems, as discussed in Table 8. Bio-inspired methods, including AIS- and HIS-inspired models, mimic biological defense mechanisms to provide adaptive detection against diverse UAV threats [69,85,96]. These systems have demonstrated robustness and high detection rates in simulated UAV environments, confirming their applicability for dynamic operational contexts. Graph-based IDS approaches apply graph neural networks (GNN, GraphSAGE, GCNN, GAT, Graph Transformer) to UAV datasets for learning complex communication structures and detecting anomalies such as flooding and swarm-level communication attacks [81,82]. These methods have achieved very high accuracy (up to 99.9%), highlighting their strength in modeling UAV network-level interactions.

Other specialized frameworks include neuro-fuzzy systems such as ANFIS, which enable lightweight detection with low resource requirements while maintaining high recall [84], and belief rule-based (EBRB) models that provide interpretable yet highly accurate IDS solutions [83]. GAN-based techniques have also been applied, where adversarial variants such as InfoGAN and WGAN augment autoencoders to enhance spoofing detection robustness [80]. Similarly, the Cross-Layer Convolutional Attention Network (CLCAN) addresses both drone-to-drone and drone-to-base station communications with multi-scale attention and cross-stream fusion, delivering high accuracy and scalability for real-time UAV deployments [87].

Finally, observer-based methods [86] and timed probabilistic automata (TPA) [97] provide behavioral IDS frameworks that leverage UAV flight dynamics and normal operational patterns to detect sophisticated covert or dynamic attacks. While these specialized approaches have achieved strong detection performance across a variety of UAV datasets, they often face challenges such as higher computational complexity, specialized data requirements, or implementation overhead [98].

Overall, bio-inspired, graph-based, fuzzy, adversarial, and cross-layer IDS approaches complement mainstream ML, DL, and RL techniques, offering valuable solutions for scenarios where conventional methods may be insufficient or where UAV-specific challenges require novel designs [69,80,81,82,83,84,85,87,99].

Table 8. Specialized IDS Approaches (Bio-inspired, Other Algorithms, and Mixed Methods).

Ref.	Category	Model/ Algorithms	Dataset Used	Main Idea/Methodology	Performance Metrics
[85]	Bio-inspired	SUAS-HIS	Simulated from Enviroment	Proposes a bio-inspired IDS (SUAS-HIS) based on the human immune system.	Detection Rate: > 92.93%, Packet Delivery Ratio: > 64.41%, False Positive Rate: < 6.89%, False Negative Rate < 3.95%
[86]	Specialized	Model-based observer techniques	Live flight data (position and orientation) generated by 5 Drones and captured by a VICON motion capture system at 50 Hz.	Centralized/decentralized IDS observers for UAV anomaly detection.	Zero Dynamics attack detected from 3.22 s, 5.08 s and Covert Attack at 6.4 s
[69]	Hierarchical, Game based	Multilayer cooperative AIS-based UAV IDS	ALFA UAV Network Dataset, NSL-KDD	Combines AIS and game theory for a hierarchical IDS for UAVs.	Acc: 96.13%, Detection Rate: 99.05% in ALFA, NSL-KDD dataset Acc: 95.93%
[87]	Cross-Layer Attention	Cross-Layer Convolutional Attention Network (CLCAN)	Tokyo metropolitan drone network communications data	Unified IDS for D2D and D2BS UAV communications using multi-scale CNNs, hierarchical attention, and cross-stream fusion. Real-time, improve scalability, and efficiency.	Acc: 98.4%, Recall: 98.7%, and F1: 98.1%, AUC: 99.1%
[82]	Graph Based	Graph Transformer, GraphSAGE, GCNN, GAT	UAVCAN dataset	Graph-learning IDS using modern GNNs, Effective for flooding detection	GraphSAGE reached 99.7% Acc, Graph-Based Transformer achieved 99.9%
[81]	Graph Based	Graph Neural Network	Cyber-Physical	GNN-based IDS for swarm communication anomalies. Swarm-focused defense; network-level	Acc: 98.42%, Precision: 98.85%, Recall: 98.97%, F1: 98.91%
[84]	Neuro-Fuzzy	ANFIS, Type-2 Fuzzy Logic	UAV ATTACK DATASET	Lightweight fuzzy logic IDS for UAV GPS attacks. High recall; low resource use, Model size only 5kB	Benign F1:0.847, Attack F1:0.899, AUC:0.921, Inference Time: 3024 µs.
[83]	Belief Rule Based	EBRB-based model, Evidential Reasoning	UAV intrusion detection Dataset	Interpretable IDS using belief rule-based logic. Accurate and explainable UAV IDS	Acc: 99.95%, Precision: 99.90%, F1: 99.95%
[80]	Adversarial GAN, InfoGAN, WGAN	UAV Attack Dataset	GAN-augmented autoencoder IDS for spoofing defense.	Improved robustness via GAN	Detection rate for improved IDS 93.78% and 99.39%, Accuracy of 99.57% against GPS spoofing
[79]	Optimal stacked autoencoder	MFSOSAE-ID	UNSW-NB15	Stacked autoencoders enhanced with Firefly algorithm for hybrid IDS. Effective hybrid; high detection rate	Acc: 99.72%, Precision: 88.32%, Recall: 93.44%, F1: 90.31%

Table 8. Specialized IDS Approaches (Bio-inspired, Other Algorithms, and Mixed Methods).

Ref.	Category	Model/ Algorithms	Dataset Used	Main Idea/Methodology	Performance Metrics
[85]	Bio-inspired	SUAS-HIS	Simulated from Enviroment	Proposes a bio-inspired IDS (SUAS-HIS) based on the human immune system.	Detection Rate: > 92.93%, Packet Delivery Ratio: > 64.41%, False Positive Rate: < 6.89%, False Negative Rate < 3.95%
[86]	Specialized	Model-based observer techniques	Live flight data (position and orientation) generated by 5 Drones and captured by a VICON motion capture system at 50 Hz.	Centralized/decentralized IDS observers for UAV anomaly detection.	Zero Dynamics attack detected from 3.22 s, 5.08 s and Covert Attack at 6.4 s
[69]	Hierarchical, Game based	Multilayer cooperative AIS-based UAV IDS	ALFA UAV Network Dataset, NSL-KDD	Combines AIS and game theory for a hierarchical IDS for UAVs.	Acc: 96.13%, Detection Rate: 99.05% in ALFA, NSL-KDD dataset Acc: 95.93%
[87]	Cross-Layer Attention	Cross-Layer Convolutional Attention Network (CLCAN)	Tokyo metropolitan drone network communications data	Unified IDS for D2D and D2BS UAV communications using multi-scale CNNs, hierarchical attention, and cross-stream fusion. Real-time, improve scalability, and efficiency.	Acc: 98.4%, Recall: 98.7%, and F1: 98.1%, AUC: 99.1%
[82]	Graph Based	Graph Transformer, GraphSAGE, GCNN, GAT	UAVCAN dataset	Graph-learning IDS using modern GNNs, Effective for flooding detection	GraphSAGE reached 99.7% Acc, Graph-Based Transformer achieved 99.9%
[81]	Graph Based	Graph Neural Network	Cyber-Physical	GNN-based IDS for swarm communication anomalies. Swarm-focused defense; network-level	Acc: 98.42%, Precision: 98.85%, Recall: 98.97%, F1: 98.91%
[84]	Neuro-Fuzzy	ANFIS, Type-2 Fuzzy Logic	UAV ATTACK DATASET	Lightweight fuzzy logic IDS for UAV GPS attacks. High recall; low resource use, Model size only 5kB	Benign F1:0.847, Attack F1:0.899, AUC:0.921, Inference Time: 3024 µs.
[83]	Belief Rule Based	EBRB-based model, Evidential Reasoning	UAV intrusion detection Dataset	Interpretable IDS using belief rule-based logic. Accurate and explainable UAV IDS	Acc: 99.95%, Precision: 99.90%, F1: 99.95%
[80]	Adversarial GAN, InfoGAN, WGAN	UAV Attack Dataset	GAN-augmented autoencoder IDS for spoofing defense.	Improved robustness via GAN	Detection rate for improved IDS 93.78% and 99.39%, Accuracy of 99.57% against GPS spoofing
[79]	Optimal stacked autoencoder	MFSOSAE-ID	UNSW-NB15	Stacked autoencoders enhanced with Firefly algorithm for hybrid IDS. Effective hybrid; high detection rate	Acc: 99.72%, Precision: 88.32%, Recall: 93.44%, F1: 90.31%

3.4. Deployment Strategies of UAV Intrusion Detection Systems

The deployment strategy of intrusion detection systems (IDS) in UAV networks significantly influences their operational effectiveness, response time, scalability, and robustness against cyber threats. Deployment refers to the organizational and functional architecture that handles how intrusion detection tasks are distributed or centralized among UAV nodes and associated ground control stations (GCS). Proper deployment strategy selection is critical given the unique constraints of UAV systems, such as limited computational resources, real-time responsiveness requirements, and the need for robustness against diverse threat types.

3.4.1. Centralized Deployment

In centralized IDS deployment, intrusion detection operations, including analysis and decision-making processes, are primarily conducted at a single central location, usually a ground control station or dedicated central node. UAVs act mainly as data collection points, transmitting gathered data (for instance, flight data, sensor information, and communication packets) to the centralized node for comprehensive analysis, which is also more feasible for heavier deep learning models [100]. This approach simplifies data management and ensures that powerful computing resources can be employed, significantly enhancing analytical capability and accuracy. A detailed list of centralized IDS papers is provided in Table 9.

Several studies have explored centralized approaches for UAV IDS. For instance, CLCAN [87], GNN-based models [81], and GAN-augmented frameworks [80] achieved high accuracy in detecting GPS spoofing, flooding, and other communication anomalies using advanced deep learning techniques. Such centralized systems can benefit from sophisticated algorithms and large data storage capacities, significantly improving detection rates for complex and subtle attacks.

However, centralized deployments face some major limitations. Primary among these is latency, as transmitting data from UAVs to the central node for analysis introduces potential delays that may exceed real-time response thresholds critical for flight control. This latency can become particularly problematic in scenarios demanding immediate anomaly detection and response, such as rapid GPS spoofing attacks or coordinated drone swarm intrusions. Experiments have shown that using wireless networks like 4G/LTE may introduce 40–60 ms round-trip delays for command-and-control signals—values that can exceed the 50 ms latency budget required for stable UAV flight loops. This delay is particularly problematic in urgent scenarios, such as interrupting a spoofed “land” command, where even a brief lag can jeopardize mission safety. To address this, recent UAV IDS designs propose hybrid solutions incorporating lightweight onboard filters and edge (MEC) servers. These architectures offload latency-sensitive detection tasks closer to the UAV, substantially reducing round-trip delays and preserving real-time responsiveness. Additionally, centralized setups are vulnerable to single points of failure; compromising the central node could lead to complete IDS dysfunctionality, exposing the entire UAV operation to substantial risk. So, while centralized deployments offer strong analytical capabilities and high detection accuracy, their applicability may be constrained by latency concerns, single points of failure, and high reliance on robust and continuous communication links. Thus, this deployment strategy is most suitable for scenarios with less stringent real-time response requirements or in conjunction with complementary decentralized or federated strategies to mitigate inherent risks [59].

3.4.2. Decentralized (Distributed) Deployment

In decentralized or distributed IDS deployments, detection capabilities are dispersed across individual UAV nodes rather than concentrated at a single central point. Each UAV operates autonomously or semi-autonomously, performing local data analysis and anomaly detection. This architecture significantly reduces latency by enabling immediate detection and response to cyber threats directly at the UAV node level.

Table 9. Taxonomy of UAV IDS Deployment Strategies.

Deployment Type	References	Technical Analysis (Advantages and Challenges)
Centralized	[5,41,42,43,44,46,48,50,51,52,56,59,61,62,64,65,66,68,71,72,76,79,80,81,83,84,87,89,90]	Centralized deployment processes all intrusion detection at a single node, usually the ground control station (GCS). This allows for high-performance analysis and the use of powerful models. However, it introduces latency, dependency on communication links, and a single point of failure. Suitable where real-time decisions are not critical.
Distributed	[1,2,3,4,40,45,47,49,53,57,60,63,67,73,75,77,78,82,85]	Distributed deployment places IDS modules on individual UAVs, enabling local detection with minimal latency. It is more robust against failure and faster in response, but constrained by limited processing power onboard. Trade-offs include lower model complexity and challenges in synchronized decision-making.
Federated	[51,58]	Federated deployment allows each UAV to train locally while sharing only model updates with a global aggregator. It preserves data privacy and enhances collective learning. However, it introduces synchronization delays and communication overhead and requires efficient update mechanisms. Best suited for scalable and privacy-sensitive applications.
Hybrid	[69,86,93]	Hybrid deployment combines aspects of centralized and distributed architectures, allowing UAVs to perform preliminary detection locally and escalate uncertain cases to a central unit (for instance, ground control station) for further analysis. This approach balances responsiveness with detection accuracy, enabling real-time mitigation while leveraging more complex analytics when needed. However, it adds architectural complexity, requires robust communication protocols, and may face integration challenges. Best suited for missions with mixed criticality and dynamic threat landscapes.

Table 9. Taxonomy of UAV IDS Deployment Strategies.

Deployment Type	References	Technical Analysis (Advantages and Challenges)
Centralized	[5,41,42,43,44,46,48,50,51,52,56,59,61,62,64,65,66,68,71,72,76,79,80,81,83,84,87,89,90]	Centralized deployment processes all intrusion detection at a single node, usually the ground control station (GCS). This allows for high-performance analysis and the use of powerful models. However, it introduces latency, dependency on communication links, and a single point of failure. Suitable where real-time decisions are not critical.
Distributed	[1,2,3,4,40,45,47,49,53,57,60,63,67,73,75,77,78,82,85]	Distributed deployment places IDS modules on individual UAVs, enabling local detection with minimal latency. It is more robust against failure and faster in response, but constrained by limited processing power onboard. Trade-offs include lower model complexity and challenges in synchronized decision-making.
Federated	[51,58]	Federated deployment allows each UAV to train locally while sharing only model updates with a global aggregator. It preserves data privacy and enhances collective learning. However, it introduces synchronization delays and communication overhead and requires efficient update mechanisms. Best suited for scalable and privacy-sensitive applications.
Hybrid	[69,86,93]	Hybrid deployment combines aspects of centralized and distributed architectures, allowing UAVs to perform preliminary detection locally and escalate uncertain cases to a central unit (for instance, ground control station) for further analysis. This approach balances responsiveness with detection accuracy, enabling real-time mitigation while leveraging more complex analytics when needed. However, it adds architectural complexity, requires robust communication protocols, and may face integration challenges. Best suited for missions with mixed criticality and dynamic threat landscapes.

Decentralized deployments are exemplified by several recent works, such as UAV-CIDS [60], distributed LSTM models [2,3,4,63], and unsupervised AE/OC-SVM/LOF frameworks [1,57], which deploy lightweight intrusion detection modules directly across UAVs. These modules execute models such as LSTM, autoencoders, or SVM-based classifiers locally to perform real-time anomaly detection. Such setups achieve robust detection capabilities with minimal latency, crucial for detecting rapid and localized attacks like GPS spoofing, flooding, or interference [2,47,82]. A detailed list of decentralized IDS approaches is provided in Table 9.

Despite these advantages, decentralized deployments face challenges related to limited computational resources and energy constraints inherent in UAV nodes. Lightweight detection models deployed on UAVs may sacrifice some detection accuracy or recall for efficiency and real-time operation. Furthermore, coordination among multiple distributed IDS nodes can be challenging, as discrepancies between local detections and decisions might arise, complicating overall response coordination. Decentralized IDS deployment provides significant latency improvements, rapid response capabilities, and resilience against single points of failure. However, its effectiveness depends heavily on the computational constraints of UAVs and the complexity of ensuring coherent decision-making across multiple independent nodes [73,75,77,78,85].

3.4.3. Federated Deployment

Federated deployment combines aspects of centralized and decentralized architectures by enabling UAV nodes to collaboratively train intrusion detection models without sharing raw data. Each UAV node trains a local model using its own data, and periodic model updates are securely transmitted to a centralized aggregator, typically located at a ground control station. The aggregator then consolidates these updates into a global model and redistributes them back to individual UAVs [51].

In swarms with mixed ownership, such as when civilian drones operate near police units for news or disaster management, sharing raw video or flight data risks exposing sensitive or classified information, potentially violating EU GDPR and agency policies. Federated Learning (FL) solves this by training individual models on each drone and only sharing encrypted updates. Recent tests in drone networks show FL cuts bandwidth use by 34% and improves privacy protection compared to centralized methods [101]. Studies exploring federated learning for UAV IDS (see Table 9), such as the SP-IoUAV framework, highlight its benefits in maintaining high detection accuracy while preserving data privacy and security. This approach leverages collective learning from multiple UAVs, enhancing detection robustness against varied cyber threats without requiring direct data sharing [58].

However, federated deployment introduces its own set of challenges, including the complexity of managing secure and efficient model updates across unreliable communication channels. Furthermore, the iterative aggregation and redistribution process can introduce latency, potentially affecting real-time operational requirements. UAV nodes must also balance computational overhead related to model training and updating against their limited power resources.

As our focus is on IDS methodology, deploying FL-based IDS for UAVs brings practical limits that matter in the field. In practice, model sharing is bounded by privacy law (such as GDPR), export-control and IP constraints, and flight-safety certification, which together imply auditable update logs and strict version control. In multi-ownership swarms, non-IID data, asymmetric resources, and unclear accountability increase exposure to free-riding and byzantine/poisoning or backdoor risks. Compensatory measures—secure aggregation (to hide updates), client authentication/attestation, robust aggregation and differential privacy– improve confidentiality and integrity but add costs: extra client computation and communication, key management, and (for differential privacy) potential reductions in recall on rare attack classes as noise increases. Given UAV energy and latency constraints, FL privacy/security should be treated as a deployment constraint tuned to mission risk: a pragmatic baseline is secure aggregation + robust aggregation with per-client clipping; add differential privacy only when policy or regulation requires it, and report the privacy budget and any impact on detection. A full quantitative analysis of these mechanisms is beyond the scope of this IDS-focused review, but we flag these trade-offs to delineate realistic operating limits.

Overall, federated deployment provides an attractive balance by enhancing privacy, resilience, and accuracy. However, operational complexity, latency, and communication overhead remain significant considerations, necessitating careful optimization for real-world UAV applications.

3.5. Detection Methods in UAV IDS

Detection methods in UAV intrusion detection Systems (IDS) refer to the timing of how and when security threats are found. These methods are important because they affect how quickly a system can detect and respond to threats during UAV operations. Based on reviewed studies, there are three main types of detection methods, summarized in

Table 10. Taxonomy of UAV IDS Detection Methods.

Detection Type	References	Technical Analysis (Strengths and Limitations)
Real-time	[1,2,3,4,40,41,44,45,46,49,53,58,59,60,63,67,71,75,77,84,85,86,87,89,90,93]	Strengths: Real-time detection enables immediate reaction to threats during flight. These systems are critical for mission-critical UAV operations, enabling on-the-fly inference of GPS spoofing, jamming, or network intrusion. Lightweight models such as LSTM, decision trees for fast inference on constrained UAV hardware. Limitations: Sacrifices complexity and precision for speed. Also susceptible to communication loss or latency in swarm-based or distributed UAV environments.
Offline	[5,42,43,47,48,50,51,52,54,55,57,62,64,65,66,68,70,72,73,74,76,78,79,80,81,82,83]	Strengths: Allows application of heavy deep learning models (for instance, DNN, CNNs) for in-depth post-flight forensics. Can leverage stored logs for higher detection accuracy, anomaly analysis, or model retraining. Useful in secure settings or early-stage research environments. Limitations: Cannot respond to live threats, which limits use in autonomous or high-risk UAV missions requiring real-time intervention.
Hybrid	[56,61,69]	Strengths: Combines in-flight anomaly detection with post-flight training and evaluation. Many frameworks adopt this implicitly, using lightweight onboard classifiers and offline retraining for robustness. Offers better coverage and adaptability across missions. Limitations: Increases architectural and operational complexity. Requires proper synchronization between online inference and offline updates. Vulnerable to inconsistency or model drift if not carefully managed.

: real-time (also called online), offline (post-flight), and hybrid systems. Each method offers a different balance between immediate response capabilities, analytical depth, and computational cost, which is shaped by the operational context and the types of threats the system is designed to detect. The following subsections will explore each of these detection strategies in detail.

3.5.1. Real-Time or Online Detection

Real-time or online detection, as shown in Table 10, is the most common method used in UAV IDS research. This approach analyzes data and identifies threats as they happen during flight, enabling an immediate reaction to critical events like GPS spoofing or command injection. This type of detection works while the UAV is flying, allowing the system to respond to threats right away. Several real-time IDS frameworks illustrate this. CLCAN provides cross-layer anomaly detection across UAV communications using multi-scale CNNs and attention mechanisms [87]. Lightweight statistical and ML-based methods, such as one-class SVM, isolation forest, LOF, and autoencoder variants, have been employed for anomaly detection in flight data [1,89,90,93]. Deep models like LSTM and its variants (including LSTM-RNN, BiLSTM, and LSTM-IG-SVM) demonstrate effective sequence modeling for intrusion detection [2,3,4,63,67], while optimized Random Forests and DT-based approaches provide strong accuracy with low resource requirements [41,44,45,49]. Specialized models, such as ANFIS fuzzy systems [84], observer-based detection [86], and bio-inspired SUAS-HIS models [85], expand applicability to UAV-specific scenarios. Federated-oriented real-time schemes such as SP-IoUAV also show scalability across UAV swarms while retaining local efficiency [58]. The strength of real-time IDS is its ability to trigger immediate responses—such as evasive maneuvers or communication cutoffs—when anomalies are detected. However, this advantage is constrained by UAV hardware limitations, since flight controllers have restricted processing and energy resources. As a result, models must remain lightweight, which can reduce accuracy compared to heavier offline methods. Real-time systems are also vulnerable to communication delays, packet loss, or unreliable links, especially in swarm or contested environments [49].

3.5.2. Offline Detection

Offline detection, as shown in Table 10, works after the UAV finishes its flight. It processes collected data–such as logs, sensor readings, and command records– using more powerful resources on the ground. Offline IDS approaches have been widely applied, including graph-based methods [81,82], deep learning models such as CNN-LSTM and ConvLSTM [62,64,66,70], hierarchical attention-based LSTM (H-LSTM) [65], and modified CNN-BiLSTM [68]. Ensemble learning and traditional ML classifiers are also common, with examples including RF, SVM, KNN, DT, and boosting techniques [41,42,43,44,47,48,50,52,72]. Other specialized techniques include EBRB-based interpretable IDS [83], GAN-based spoofing defenses [80], and Firefly-optimized stacked autoencoders (MFSOSAE-ID) [79]. Federated strategies have also been evaluated offline with aggregation methods like FedAvg and FedYogi [51].

The strength of offline IDS is that it can employ heavier models such as DNNs, deep autoencoders, and GANs without being constrained by UAV onboard resources. These methods enable detailed forensics, anomaly analysis, and retraining of models to improve detection accuracy and robustness [64,79,80]. However, the major limitation is that offline systems cannot stop attacks while the UAV is in the air. This makes them unsuitable for scenarios where immediate responses are required, such as autonomous or military missions in contested environments. Instead, they are most useful for analysis, reporting, and model improvement after flights.

3.5.3. Hybrid Detection

Hybrid detection approaches for UAV intrusion detection systems combine lightweight, real-time anomaly detection performed onboard UAVs with more comprehensive analysis conducted after flights or at ground stations. This two-layer methodology provides immediate threat response during operation while preserving opportunities for detailed forensic investigation.

Recent studies, illustrate this design. For example, UAV-CIDS employs a feedforward convolutional neural network (FFCNN) in a collaborative framework, enabling in-flight detection while retaining post-flight analysis capabilities [69]. Other implementations apply neural architectures such as MLPs [61] and DNNs [56] in hybrid modes, where simplified versions run on UAVs during flight and complete models are executed on the ground for deeper analysis. These approaches demonstrate that hybrid IDS can effectively balance responsiveness with accuracy by leveraging both onboard detection and offline computation. While hybrid IDS solutions offer clear advantages, they also introduce technical challenges, including reliable data transmission, synchronization between UAV and ground components, and the risk of model drift if updates are not managed carefully. Nonetheless, their ability to deliver both timely responses and thorough analysis continues to drive adoption in UAV security research.

3.6. Performance Metrics for UAV Intrusion Detection Systems

Evaluating intrusion detection systems (IDS) for Unmanned Aerial Vehicles (UAVs) requires the careful selection of performance metrics since each metric emphasizes different dimensions of detection effectiveness [1]. UAV-specific constraints, such as limited onboard computational resources, real-time processing requirements, and distinctive cyber-attack patterns, further underscore the importance of appropriate metric selection [40]. This section highlights essential performance metrics utilized in UAV IDS research and discusses their operational implications.

3.6.1. Accuracy

Accuracy, the most commonly cited metric, calculates the proportion of correctly classified instances (network packets or flight behavior patterns) to the total number of instances evaluated [53]. While high accuracy levels (often ranging from 90 to 99% in reviewed literature [40,42]) are necessary, relying solely on accuracy is problematic because:

• Class Imbalance: UAV datasets frequently comprise over 90% benign instances [1], potentially inflating accuracy scores despite poor attack detection.
• Diverse Attack Patterns: Attacks like GPS spoofing or signal jamming require different detection sensitivities compared to typical network intrusions [2].

Accuracy is computed as follows:

$$\mathrm{Accuracy}={\displaystyle \frac{\mathrm{Correctly}\mathrm{classified}\mathrm{instances}}{\mathrm{Total}\mathrm{instances}}}\times 100\%$$

(1)

3.6.2. Precision

Precision is vital in UAV IDS evaluations, focusing on the reliability of attack alerts to minimize false positives [43]. High precision rates (≥95% in ideal scenarios [42]) are particularly critical for:

• Autonomous Response: False alarms might inadvertently trigger unnecessary safety actions or emergency maneuvers [1].
• Resource-Limited Environments: UAVs often have limited capabilities for follow-up investigations, necessitating reliable alerts [72].

Precision is defined as:

$$\mathrm{Precision}={\displaystyle \frac{\mathrm{True}\mathrm{Positives}}{\mathrm{True}\mathrm{Positives}+\mathrm{False}\mathrm{Positives}}}$$

(2)

3.6.3. Recall (Detection Rate)

Recall, or the detection rate, measures the system’s ability to correctly identify actual attacks. This metric is prioritized in UAV contexts as undetected intrusions can lead to catastrophic outcomes like drone hijacking or system failure [4]. Critical considerations include:

• Attack-Specific Thresholds: Higher recall thresholds (>98%) are essential for critical threats such as GPS spoofing [1], while network intrusions typically aim for 85–90% recall [44].
• Performance Trade-offs: Lightweight detection models might deliberately sacrifice some recall (around 5–10%) to achieve faster, real-time inference [49].

Recall calculation:

$$\mathrm{Recall}={\displaystyle \frac{\mathrm{True}\mathrm{Positives}}{\mathrm{True}\mathrm{Positives}+\mathrm{False}\mathrm{Negatives}}}$$

(3)

3.6.4. F1-Score

The F1-score, representing the harmonic mean of precision and recall, is particularly beneficial for UAV IDS evaluations because it:

• Balances the necessity of robust attack detection (recall) with the imperative of operational reliability and minimal false alarms (precision) [40].
• Facilitates comparative evaluation of IDS performance across diverse attack types and models [42].

The F1-score formula is:

$$\mathrm{F}1\text{-}\mathrm{score}=2\times {\displaystyle \frac{\mathrm{Precision}\times \mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}}$$

(4)

3.6.5. UAV-Specific Metrics

In addition to conventional metrics, UAV IDS research commonly employs metrics tailored specifically to operational constraints:

• Latency: Real-time detection latency must typically remain within 50–100 ms to ensure flight control responsiveness [49].
• Energy Consumption: Evaluated in joules per prediction to optimize onboard power utilization for extended UAV missions [72].
• Model Size: Crucial due to limited memory availability onboard UAV platforms, typically requiring models below 5 MB [47].

Comparative analyses from recent studies indicate that hybrid IDS models often achieve optimal balances across these metrics. Research shows that it is possible to achieve an F1-score of 0.98 at a latency of just 87 ms [40].

4. Result Analysis

In UAV environments, intrusion detection models are often benchmarked on narrow datasets with fixed attack types. While many such systems report high performance on their original evaluation datasets, our findings suggest that these numbers can be misleading when generalized across UAV-specific domains. To investigate this, we reproduced and re-evaluated a set of IDS models using consistent preprocessing, identical evaluation metrics, and controlled test environments. The results are shown in Figure 3, Figure 4, Figure 5, Figure 6, Figure 7, Figure 8, Figure 9, Figure 10, Figure 11, Figure 12, Figure 13, Figure 14 and Figure 15.

4.1. Replication Protocol

All experiments were run in Google Colab using TensorFlow–Keras, scikit-learn, and NumPy. We reimplemented baselines as described in their papers and applied a uniform, leakage-safe pipeline for comparability.

• Preprocessing. We removed identifier/administrative fields and columns with >50% missing values when present; remaining NAs were set to zero. Categorical features were label/ordinal encoded. Numerical features were normalized with either Min–Max scaling or Standardization as specified for each dataset. All transformers (encoders/scalers) were fit on the training split only and applied to the test split. We did not use synthetic resampling or feature engineering unless stated.
• Partitions, seeds, and validation. Unless papers mandated other splits, we used stratified partitions with a fixed seed of value (42). Dataset-specific splits are reported in Table 11.
• Balancing. When class balancing was used (Tokyo–CLCAN; Cyber merged), it was performed after the train/test split, on the training split only, to avoid duplicated samples crossing partitions.
• Author contact. We did not contact the original authors. When preprocessing or partition details were omitted, we followed the conservative practices above and documented all choices.
• Data-loss control and leakage checks. We de-duplicated records before splitting where applicable, fit all transformers on training only, and verified that session-like identifiers (when available) did not cross partitions. These controls guard against label or distribution leakage.

Table 11. Preprocessing and pipelines used per dataset.

Dataset	Pipeline	Dropped/Selected Columns	Split/Seed = 42	Scaling	Encoding/Target
UNSW-NB15	DCA (CNN + Attn)	Drop id, srcip, sport, dstip, dsport, attack_cat, proto, service, state	80/20 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; target = label (binary)
Tokyo Drone Comm.	DCA (CNN + Attn)	Drop Timestamp, GPS Coordinates	70/30 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; multi-class
Tokyo Drone Comm.	LSTM/1D-CNN	Drop Timestamp, GPS Coordinates	75/25 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; multi-class
Tokyo Drone Comm.	ConvLSTM2D	Drop Timestamp, GPS Coordinates	70/30 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; multi-class
Tokyo Drone Comm.	AE + classical (DT/RF/KNN/ MLP/SVM)	Drop frame.number, wlan.bssid, timestamp_c	75/25 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; AE bottleneck = {8,4}; binary (benign vs. attack)
Tokyo Drone Comm.	CLCAN (15 features)	Packet Size, Transmission Rate, Battery Level, Signal Strength etc.	70/30 (strat.)	StandardScaler	Upsample 8k/class on train only; one-hot
Cyber Merged	LSTM/1D-CNN (balanced)	Drop cols > 50% NA; remove remaining NA rows	75/25 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; upsample 3500/class on train only; 5-class
Cyber Merged	CLCAN (balanced)	Drop cols > 50% NA; remove remaining NA rows	70/30 (strat.)	StandardScaler	Upsample 8000/class on train only; one-hot
Cyber Merged (aligned)	AE + classical (DT/RF/KNN/ MLP/SVM)	Align across {benign, dos, replay, eviltwin, fdi}; drop frame.number, wlan.bssid, timestamp_c; fill NA = 0	75/25 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; 5-class and a binary view (benign vs. attack)
WSN-DS	CNN–LSTM; ConvLSTM2D	Drop cols > 50% NA; fill NA = 0	70/30 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; multi-class
UAVCAN CAN logs	RF/DT; LSTM	Features = can_id, dlc, data_0.12; exclude timestamp	70/30 (strat.)	Min–Max (fit on train; apply to test)	Labels = {benign, replay, fuzzy, flood, spoof} (5-class)

Table 11. Preprocessing and pipelines used per dataset.

Dataset	Pipeline	Dropped/Selected Columns	Split/Seed = 42	Scaling	Encoding/Target
UNSW-NB15	DCA (CNN + Attn)	Drop id, srcip, sport, dstip, dsport, attack_cat, proto, service, state	80/20 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; target = label (binary)
Tokyo Drone Comm.	DCA (CNN + Attn)	Drop Timestamp, GPS Coordinates	70/30 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; multi-class
Tokyo Drone Comm.	LSTM/1D-CNN	Drop Timestamp, GPS Coordinates	75/25 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; multi-class
Tokyo Drone Comm.	ConvLSTM2D	Drop Timestamp, GPS Coordinates	70/30 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; multi-class
Tokyo Drone Comm.	AE + classical (DT/RF/KNN/ MLP/SVM)	Drop frame.number, wlan.bssid, timestamp_c	75/25 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; AE bottleneck = {8,4}; binary (benign vs. attack)
Tokyo Drone Comm.	CLCAN (15 features)	Packet Size, Transmission Rate, Battery Level, Signal Strength etc.	70/30 (strat.)	StandardScaler	Upsample 8k/class on train only; one-hot
Cyber Merged	LSTM/1D-CNN (balanced)	Drop cols > 50% NA; remove remaining NA rows	75/25 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; upsample 3500/class on train only; 5-class
Cyber Merged	CLCAN (balanced)	Drop cols > 50% NA; remove remaining NA rows	70/30 (strat.)	StandardScaler	Upsample 8000/class on train only; one-hot
Cyber Merged (aligned)	AE + classical (DT/RF/KNN/ MLP/SVM)	Align across {benign, dos, replay, eviltwin, fdi}; drop frame.number, wlan.bssid, timestamp_c; fill NA = 0	75/25 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; 5-class and a binary view (benign vs. attack)
WSN-DS	CNN–LSTM; ConvLSTM2D	Drop cols > 50% NA; fill NA = 0	70/30 (strat.)	Min–Max (fit on train; apply to test)	Label-encode; multi-class
UAVCAN CAN logs	RF/DT; LSTM	Features = can_id, dlc, data_0.12; exclude timestamp	70/30 (strat.)	Min–Max (fit on train; apply to test)	Labels = {benign, replay, fuzzy, flood, spoof} (5-class)

For each model, we considered three scenarios: (1) reported performance in the original paper, (2) replicated performance using the same dataset and configuration, and (3) performance on a different UAV dataset with distinct but similar characteristics and attack types. Our results reflect a wide performance variance across these scenarios, revealing patterns that highlight limitations in generalizability.

We chose the models for our evaluation to represent the full variety of approaches used in drone security research today. Our selection includes: (1) Different types of deep learning systems—specifically CNN networks, RNN/LSTM models, ConvLSTM, and Autoencoders, (2) Traditional machine learning methods like Random Forest, SVM, Decision Trees and KNN, which give us simpler, more understandable baseline results, (3) Combined approaches such as tuned Autoencoders and CNN-LSTM hybrids that are becoming popular for drone security.

All models come from properly reviewed studies published in the last four years. We only included methods that either had open-source code available or were described enough to be accurately recreated. We also focused on models that were originally tested on drone-related datasets, as this makes our comparisons more realistic and meaningful.

Environment. All experiments were run on Google Colab’s current stable CPU-only runtime (no GPU/TPU; CUDA/cuDNN not used) in the May 2025 version, using the default environment with the latest releases available at execution time—Python version: 3.12.11 and TensorFlow–Keras (Colab defaults), together with NumPy and scikit-learn. We fixed the global pseudorandom seed to 42 across NumPy, scikit-learn, and TensorFlow. To avoid leakage, all preprocessing transformers (encoders/scalers) were fit on the training split only; where class balancing was used, it was applied to the training split only.

4.2. Experimental Results

The CSODAE-ID model [102] combines a stacked deep autoencoder with fully connected layers, originally evaluated on NSL-KDD and KDD-Cup. These datasets focus on legacy cyber-attacks such as DoS, Probe, and R2L, with well-structured feature sets. The original study claimed near-perfect accuracy (99.12%) and equally high precision and recall. When we replicated this model under the same dataset and similar hyperparameters, accuracy remained high (99.55%), but precision and recall dropped to 71% and 75%, respectively. This inconsistency suggests that the original evaluation may have been biased by class imbalance or overly optimistic validation. However, when applied to the Cyber UAV dataset—containing telemetry-aware drone attacks such as GPS spoofing and control injection—accuracy fell drastically to 73.6%. Interestingly, precision and recall improved (79% and 81%), indicating that while the model could still detect attacks, it struggled with high false alarm rates due to structural dissimilarity between datasets. This points to a key limitation: despite their learning capacity, autoencoder-based classifiers are highly sensitive to domain shifts unless they are trained with broader UAV-specific data.

Figure 3. Performance comparison of CSODAE-ID model [102] across reported, replicated, and cyber-only dataset experiments.

Figure 3. Performance comparison of CSODAE-ID model [102] across reported, replicated, and cyber-only dataset experiments.

Ref. [103] models were originally trained on a Cyber-Physical UAV dataset and designed to detect attacks at the network and control-command levels. Both the LSTM and 1D-CNN models were reported to achieve 96% accuracy. However, upon replication, LSTM performance dropped to 85% and CNN to 92%. This moderate drop may reflect better regularization in our replication pipeline or corrections in train/test splits.

When applied to the Tokyo Drone Communication dataset, both models suffered severe performance degradation. Accuracy fell to 70%, and precision for both models dropped to 50%. This suggests a major vulnerability to domain shift. Unlike attention-augmented networks, plain LSTMs and CNNs appear to tightly couple their learned representations to the frequency patterns and byte distributions of the training set. Without exposure to high-frequency telemetry or different packet encodings, their detection accuracy collapses.

Figure 4. Performance comparison of LSTM model [103] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 4. Performance comparison of LSTM model [103] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 5. Performance comparison of 1D-CNN model [103] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 5. Performance comparison of 1D-CNN model [103] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Autoencoders paired with classical classifiers (Decision Trees, Random Forests, K-Nearest Neighbors, SVM, and MLP) [42,55] performed surprisingly well in terms of replication. Originally evaluated on the Cyber-Physical dataset with attacks such as DoS, packet injection, and telemetry corruption, these models showed consistent performance in the 84–94% accuracy range.

Our replication also shows these findings. RF, KNN, and SVM particularly excelled, with replicated accuracies reaching or exceeding original benchmarks. This suggests that when the autoencoder’s latent representation is informative, even shallow classifiers can offer strong detection power.

However, domain transfer shows a significant drop in performance. DT and MLP showed steep drops when transferred to Tokyo data, with precision losses of up to 40%. This is likely because trees overfit to discrete boundaries in the original dataset and fail to generalize when input distributions changed. In contrast, RF, KNN, and SVM maintained nearly the same accuracy across datasets. Their robustness stems from ensemble averaging (RF) or distance-based decision boundaries (KNN, SVM), which are more tolerant of drift in feature space. This suggests an important finding: if training data are sparse or single-domain, combining autoencoders with KNN or SVM might result in a better generalization model than deeper networks.

The CLCAN architecture [87], which integrates convolutional and recurrent layers with attention mechanisms, was evaluated on a Tokyo-based drone dataset featuring packet-level anomalies like jamming, packet replay, and command spoofing. The original study reported an impressive 99.1% accuracy. However, an unusually low recall (5.8%) raises red flags about evaluation protocols—likely indicating that the model misclassified most attack classes or was overfit to benign data. In our replication, CLCAN’s performance dropped significantly to 65.77% accuracy, with precision and recall both at 59%. This could be due to more careful handling of class imbalance and cleaner validation splitting in our experiments.

Figure 6. Performance comparison of Autoencoder + Decision Tree (DT) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 6. Performance comparison of Autoencoder + Decision Tree (DT) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 7. Performance comparison of Autoencoder + Random Forest (RF) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 7. Performance comparison of Autoencoder + Random Forest (RF) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Interestingly, when evaluated on the Cyber dataset—structurally distinct from Tokyo in terms of telemetry frequency and communication patterns—CLCAN achieved 99% accuracy across all metrics. This unusual result may stem from the model’s architecture, which captures temporal and spatial patterns through attention and gated recurrent units. It suggests that while CLCAN may not generalize well to datasets with subtle attack signatures, it can adapt well to datasets with overt structural regularities.

On WSN-DS [104], which emulates smart grid and UAV sensor communications under adversarial scenarios (for instance, sinkhole, selective forwarding), CNN-LSTM and ConvLSTM models achieved 97.31% and 99.99% accuracy, respectively. These models utilize convolutional feature extraction followed by temporal modeling, which allows them to capture multi-scale time series anomalies.

Figure 8. Performance comparison of Autoencoder + K-Nearest Neighbors (KNN) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 8. Performance comparison of Autoencoder + K-Nearest Neighbors (KNN) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 9. Performance comparison of Autoencoder + Multilayer Perceptron (MLP) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 9. Performance comparison of Autoencoder + Multilayer Perceptron (MLP) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Replication showed small performance loss—CNN-LSTM dropped to 98%, ConvLSTM to 99%. However, when ConvLSTM was tested on the Tokyo dataset, accuracy fell sharply to 70%, and F1-score plummeted to 58%. Despite being spatio-temporally aware, ConvLSTM’s failure to maintain generalization underscores the severity of dataset dependency and the impact of adversarial samples. Tokyo Drone traffic includes variable packet lengths, bursty command patterns, and drone-specific control sequences, which are not modeled in WSN-DS. The results caution researchers against relying solely on high-layer temporal abstraction; input heterogeneity must also be addressed.

The DCA model [66], designed for the rich UNSW-NB15 dataset, achieved near-perfect metrics (99.7–99.8%) across accuracy, precision, recall, and F1-score. This model leveraged deep autoencoder features followed by spatial attention layers and CNN heads.

Figure 10. Performance comparison of CLCAN model [87] across reported, replicated, and cyber-only dataset (Cyber).

Figure 10. Performance comparison of CLCAN model [87] across reported, replicated, and cyber-only dataset (Cyber).

Figure 11. Performance comparison of Autoencoder + Support Vector Machine (SVM) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 11. Performance comparison of Autoencoder + Support Vector Machine (SVM) model [42,55] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Replication with identical training settings yielded 92% accuracy, hinting at either overfitting in the original study or poor randomization. Cross-dataset testing on Tokyo resulted in catastrophic degradation: 70% accuracy, 18% precision, and 21% F1-score. The failure highlights a deeper truth—models trained on protocol-centric intrusion data (as in UNSW) cannot identify UAV telemetry anomalies without retraining or adaptation. The learned filters and convolutional features in DCA are too tightly bound to TCP/UDP packet structures and do not transfer to the multi-rate, low-level command messages in UAV protocols.

In a few cases (Stacked Autoencoder + FC), our reproduced accuracy slightly exceeds the original report. We rechecked for leakage (fit transformers on training only; stratified splits; removal of identifier fields; balancing applied only to training data) and found none. The small gains are consistent with standardized cleaning and normalization across datasets rather than data loss or label leakage.

Figure 12. Performance comparison of CNN-LSTM model [104] across reported, replicated.

Figure 12. Performance comparison of CNN-LSTM model [104] across reported, replicated.

Figure 13. Performance comparison of ConvLSTM model [104] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 13. Performance comparison of ConvLSTM model [104] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 14. Performance comparison of DCA model [66] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 14. Performance comparison of DCA model [66] across reported, replicated, and cyber-only dataset (Tokyo Drone Communication).

Figure 15. Performance of RF and LSTM models [105] on UAVCAN dataset.

Figure 15. Performance of RF and LSTM models [105] on UAVCAN dataset.

These models [105] were evaluated on UAVCAN—a dataset simulating drone-to-drone and controller-to-drone messages structured like CAN-bus. Unlike high-layer network datasets, UAVCAN carries real-time signals like heartbeat, node status, and actuator commands. Random Forest reached a reasonable 76% accuracy, while LSTM lagged behind at 61%. This contrast reveals that traditional models can extract decision boundaries from tabular or feature-engineered versions of UAVCAN, whereas LSTM struggles due to a lack of long-term patterns or insufficient training depth.

Table 12. Performance of reproduced UAV-IDS models across three evaluation settings. Metrics are Accuracy/Precision/Recall/F1-score (%).

Model Architecture	Reported	Replicated	Cross-Dataset Evaluation
Stacked Autoencoder + FC [102]	99.12/98.25/98.24/98.24	99.55/71.00/75.00/73.00	73.60/79.00/81.00/80.00
LSTM [103]	96.00/95.00/96.00/96.13	85.00/86.00/85.00/85.00	70.00/50.00/70.00/58.00
1D-CNN [103]	96.00/95.00/96.00/96.13	92.00/92.00/92.00/92.00	70.00/50.00/70.00/58.00
Autoencoder + DT [42,55]	94.54/94.87/94.54/94.21	93.00/90.00/91.00/91.00	90.00/50.00/50.00/50.00
Autoencoder + RF [42,55]	91.45/92.31/91.45/91.23	95.00/91.00/93.00/92.00	95.00/91.00/95.00/93.00
Autoencoder + KNN [42,55]	88.61/88.27/88.61/88.78	94.00/91.00/92.00/91.00	95.00/91.00/95.00/93.00
Autoencoder + MLP [42,55]	91.19/93.22/91.19/92.54	92.00/87.00/89.00/88.00	95.00/91.00/95.00/93.00
CLCAN [87]	99.10/97.30/98.70/98.10	65.77/59.00/59.00/59.00	99.00/99.00/99.00/99.00
Autoencoder + SVM [42,55]	84.19/83.48/84.19/84.33	90.00/85.00/91.00/87.00	95.00/91.00/95.00/93.00
ConvLSTM [104]	99.99/99.99/99.99/99.99	99.00/92.00/92.00/92.00	70.00/50.00/70.00/58.00
DCA [66]	99.70/99.80/99.80/99.80	92.00/91.00/90.00/91.00	70.00/18.00/25.00/21.00

Note on reproduced vs. reported scores.

summarizes the reported, replicated, and cross-dataset performance of key UAV IDS models. The comparison highlights how detection accuracy and robustness can vary significantly when models are tested beyond their original datasets. Since these models were not tested cross-domain in this phase, we cannot yet comment on their portability, but their modest base performance indicates that specialized feature engineering may be essential to succeed on time-sensitive, low-level drone data.

5. Discussion and Key Findings

5.1. RQ1—Dataset Relevance and Model Generalizability

The analysis shows that dataset selection significantly impacts IDS performance and generalizability. Our survey of datasets (Table 2 and Table 3) reveals key differences between UAV-specific IDS datasets and generic network intrusion datasets. UAV datasets remain scarce and often focus narrowly on specific data types (for instance, MAVLink telemetry or sensor data), while many studies continue using inappropriate benchmarks like KDD’99 or CICIDS2017. This discrepancy frequently produces high lab accuracy but poor real-world performance.

Our experimental evidence strongly supports this finding. While models replicated from the literature generally maintained their reported accuracy on their original datasets, they showed substantial performance drops when evaluated on unfamiliar data. For instance, the ConvLSTM model from [104], which achieved 99% accuracy on its native CICIDS2017 dataset, dropped significantly when applied to UAV-specific data (Figure 13). A similar degradation occurred with the autoencoder+MLP approach [42,55] and the CNN-LSTM model [104], demonstrating that this failure to generalize is a consistent pattern across different architectures (Figure 9 and Figure 12).

This pattern demonstrates that many AI-based IDS overfit to specific data distributions. The conclusion is clear: dataset relevance directly determines model generalizability (RQ1). Our experimental findings align with broader trends observed in the literature. For example, models trained on CIC-IDS2017 and evaluated on CSE-CIC-IDS2018 exhibited a dramatic accuracy drop—from 98% to just 61%—highlighting poor cross-dataset generalization. A similar pattern was observed when transitioning from KDDCup99 to UNSW-NB15, indicating that strong performance on a single dataset often reflects overfitting to dataset-specific patterns rather than true learning of attack behaviors [106]. In contrast, IDS models trained on representative UAV-specific traffic consistently outperform those based on outdated or mismatched datasets [104]. These results underscore a critical point: over-reliance on legacy or synthetic datasets can yield overly optimistic detection rates that fail to translate to real-world UAV environments.

We also identify evaluation inconsistencies that compound these issues:

• Inconsistent data preprocessing and train-test splits obstruct proper comparisons.
• Feature selection and normalization choices significantly affect reported accuracy.
• Data augmentation methods (oversampling, synthetic attacks) may distort true performance.

The generalization challenges in UAV-based intrusion detection systems (IDS) stem from several factors, including covariate shift- differences in packet structure, telemetry frequency, or flight dynamics between training and deployment phases, along with class imbalance, overfitting to synthetic attacks as discussed, and lack of structural similarity across operating environments [107]. These issues often cause IDS models to achieve high accuracy in lab settings but perform poorly in real-world deployments. To tackle this, recent research has turned to domain adaptation techniques, such as Domain-Adversarial Neural Networks (DANN), which help models learn invariant representations across domains. These approaches significantly improve robustness when tested on unseen datasets with different distributions.

Complementary strategies have also emerged. Generative Adversarial Networks (GANs) have been used to generate realistic synthetic UAV telemetry and attack patterns. Federated learning (FL) has gained attention for enabling UAVs to collaboratively train IDS models without sharing raw data, preserving privacy while supporting continual model adaptation in dynamic environments. To better assess generalization performance, studies now recommend cross-dataset validation and leave-one-scenario-out training, which offer more realistic insights into a model’s ability to operate across varying real-world conditions. Together, these strategies represent a promising shift toward more robust and adaptable UAV security solutions [101].

In summary, addressing RQ1 reveals that:

• Domain-specific datasets provide better UAV threat detection
• Multi-dataset validation provides stronger generalizability evidence
• Standardized UAV IDS benchmarks are urgently needed for reliable model assessment

5.2. RQ2—Trade-Offs Between Real-Time and Offline Detection

Our analysis reveals a fundamental trade-off between detection speed and accuracy in UAV intrusion detection systems (RQ2). Real-time onboard detection imposes strict computational constraints, forcing design choices that prioritize efficiency over complexity. Lightweight models like decision trees or compact neural networks [41,45,46,87] are often preferred in these scenarios, as they provide sufficiently fast inference while maintaining reasonable accuracy. For instance, a decision-tree classifier could achieve sub-second detection suitable for onboard use with only a marginal accuracy penalty compared to heavier models.

In contrast, offline or ground-based detection systems can leverage more sophisticated analysis. By operating on the ground, these systems can employ complex architectures like deep CNNs and LSTMs and analyze a larger feature context to detect stealthy, multi-stage attacks, often achieving higher accuracy. For example, a cloud-edge DNN achieved 99% accuracy [49,66], though such a model would be impractical for real-time, onboard deployment.

Our experimental results illustrate this clearly. While an LSTM model outperformed Random Forest in detection accuracy (Figure 15), its inference latency made it unsuitable for real-time operation on embedded processors. The Random Forest alternative, while less accurate for complex attacks, provided instantaneous detection critical for time-sensitive responses.

The choice between these approaches is ultimately dictated by operational requirements. Safety-critical missions, for instance, demand real-time detection to respond to immediate threats, often accepting accuracy trade-offs for speed [2,58,60]. In situations where forensic analysis is the priority, offline deep inspection is favored for its thoroughness. Hybrid architectures represent a practical compromise, using lightweight onboard screening for immediate alerts while offloading comprehensive analysis to a ground station with more powerful deep learning capabilities [56,61,69].

Technical implementations reflect these priorities. Real-time systems employ optimizations like model pruning and hardware acceleration, while offline systems can afford computationally intensive methods. Ultimately, addressing RQ2 confirms that UAV intrusion detection requires careful balancing of latency and accuracy based on the specific operational context and available infrastructure.

5.3. RQ3—Suitability of Centralized, Distributed, and Federated Deployment

The findings show that deployment architecture strongly influences what an IDS can and cannot do (RQ3). A centralized IDS setup, summarized in Table 9, collects all data at a single node, usually a ground control station or cloud server [50,62,65,81,87,90] This approach has clear advantages: it provides access to powerful computing resources and a complete view of the UAV network. This allows the use of complex AI models and enables correlation of signals from multiple UAVs. Many early UAV IDS prototypes follow a centralized design [62,80,87], achieving high detection accuracy by analyzing all UAV traffic in one place. For example, one study showed that a centralized deep learning IDS could process telemetry from an entire UAV swarm and detect intrusions with over 98% accuracy.

However, centralized approaches also bring significant drawbacks. They depend heavily on maintaining communication with the base station. If the link is jammed or fails, the IDS may miss attacks or fail to send alerts [81,87]. There is also a risk of single points of failure—if the central node is compromised, the whole system could be blinded. Centralized IDS may still be effective in scenarios where stable connectivity is assured and immediate response on the UAV itself is not essential—for example, in post-flight analysis or high-bandwidth environments.

In contrast, distributed IDS architectures spread detection responsibilities across the UAV network. Each UAV (or edge device) runs its own IDS module and makes decisions independently or semi-independently. This increases resilience—if one UAV is compromised, others can still detect local threats. It also allows operation in communication-limited or ad hoc networks [1,2,40,60,82]. Some implementations use lightweight classifiers or rule-based systems onboard the UAVs themselves, enabling detection at the point of data collection. The downside is that each UAV has a limited view. Without coordination, a distributed IDS may miss large-scale or coordinated attacks that are only visible when data are aggregated. To improve this, some systems allow UAVs to share alerts or summaries with neighbors, creating a cooperative distributed IDS. This begins to overlap with federated systems.

Federated IDS has emerged as a promising middle ground between centralized and distributed models. Our review found that FL can perform comparably to centralized models in some cases, nearly matching the centralized version, but with better privacy and reduced data sharing [51,58]. Federated IDS is especially useful in scenarios with many UAVs owned by different entities or where privacy is critical. It also distributes computational load across the fleet. However, FL comes with its own challenges. It needs regular communication for model updates, which can be tough if UAV links are unstable. It is also vulnerable to threats like model poisoning if one UAV is compromised. Additionally, FL must deal with the fact that UAVs may have very different data—this makes global model training more difficult.

In summary, each deployment approach has its strengths. Centralized IDS can run complex models, but it depends on constant connectivity. Distributed IDSs are more resilient and faster at responding locally, but lack a global view. Federated IDS tries to offer the best of both worlds, enabling collaboration without raw data sharing. The right choice depends on the operational context. A small UAV fleet with strong connectivity might work best with centralized or federated IDS at the ground station. A swarm operating in contested areas would benefit from distributed or federated models to avoid single points of failure. Recent research is moving toward hybrid models, for example, a hierarchy where local detection is performed on groups of UAVs and only summaries or model updates are sent to a central coordinator [69,86,93]. These designs aim to balance detection quality, communication cost, and system resilience.

5.4. Evaluation of Different AI Paradigms

We also evaluated how different AI paradigms perform across the deployment models discussed above. Our review Table 5, Table 6, Table 7 and Table 8 shows that supervised learning dominates the current UAV IDS landscape. Supervised methods—like SVM, random forests, and deep neural networks [46,48,49,50,51,54,55,60,65,68] —use labeled data to train classifiers. They tend to perform well when attack types are clearly defined. These methods benefit from mature tools and access to labeled datasets from broader cybersecurity research. Many studies report 95–99% accuracy using supervised learning for multi-class classification of UAV intrusions.

However, supervised models have a major weakness—they cannot detect threats they have not been trained on. This is a problem in UAV contexts where new attack types continue to emerge, such as GPS spoofing variants or novel protocol exploits. To address this, researchers are exploring unsupervised and anomaly-based methods. These do not require labeled attack data. Instead, they learn what "normal" behavior looks like and flag deviations as potential threats.

In our review, unsupervised IDS included models like autoencoders, one-class SVMs, and clustering algorithms. For example, literature in Table 6 applies anomaly detection to UAV-specific data sources, such as MAVLink telemetry, simulated flight logs, and PWM signal patterns. All reported high true positive rates, above 98%. These results show that unsupervised methods can catch unknown attacks, which is essential for evolving threats. Our own experiments with an autoencoder-based IDS supported these findings; it could detect small deviations in UAV sensor data, even for attack types it had not seen before. However, fine-tuning the detection threshold was critical to avoid false alarms.

The main challenge with unsupervised approaches is keeping false positives low. UAV data are naturally variable; flight dynamics, weather, and mission profiles all cause fluctuations. Distinguishing malicious anomalies from harmless changes is tricky. Still, unsupervised methods improve generalizability by not depending on attack labels, directly addressing the gap noted in RQ1.

RL has the potential to create adaptive IDS models that learn defense strategies by interacting with the environment. Studies used deep RL [18] to train agents that observe UAV traffic and trigger alerts or responses, receiving rewards for stopping attacks. These systems could eventually learn to predict or outmaneuver attackers.

However, RL in UAV IDS is still in its early stages and mostly limited to simulation. Designing a suitable reward function is difficult; real intrusions do not always have clear or immediate indicators. Some studies simulate attack environments and reward agents for correct detection, but this training can be slow and may not capture real-world diversity. Safety is another concern—an RL-based IDS needs to explore different actions, which could be risky on a live UAV network unless it is first tested in simulation. So far, we have not found any RL-based IDS deployed in real UAV operations. Results vary as some studies show improvement over time, while others face stability issues and false alarms [82].

To summarize, supervised learning remains the go-to method because of its reliability and high performance on known attacks. Unsupervised learning helps detect novel threats and improves flexibility, though it needs careful tuning. Reinforcement learning is still experimental, but could enable more adaptive, autonomous IDS systems. The most effective IDS may combine these paradigms. For instance, a semi-supervised system could detect both known and unknown attacks, or a supervised model could use an RL module to decide when to trust its own output. The range of AI methods explored in the literature highlights that no single approach works for all situations. This reinforces the importance of evaluating IDS solutions on multiple fronts- accuracy, adaptability, and efficiency, as we have done in this study.

6. Recommendations and Future Work

Building on the above findings, we recommend several strategies and future research directions to enhance AI-driven IDS for UAV systems:

6.1. Improve Dataset Quality and Standardization

A clear priority is to develop realistic, representative UAV intrusion datasets. This involves collecting data from real UAV networks and simulating UAV-specific attacks (for instance, control signal spoofing, GPS manipulation, jamming) to reflect the unique characteristics of UAV traffic.

Efforts should be made to standardize datasets and evaluation benchmarks across studies. For example, a common reference dataset (or suite of datasets) for UAV IDS should be established, similar to how KDD’99 or UNSW-NB15 are used in general IDS research. Standard benchmarks would enable more appropriate comparisons of different IDS models and promote cumulative improvements.

Additionally, datasets should be updated regularly to reflect emerging attack types. A continuous dataset evolution program, with community contributions, could help ensure IDS models are trained on relevant threats rather than outdated ones.

We also recommend publishing open-source tools and testbeds, including hardware-in-the-loop UAV simulations. This would help researchers validate their IDS models under realistic conditions and allow for reproducible results.

Ultimately, better datasets with diverse scenarios, benign variations, and attack behaviors will lead to more robust and generalizable models. This directly addresses the gaps identified in RQ1.

6.2. Lightweight, Real-Time Models

To meet real-time detection requirements on resource-constrained UAVs, future work should focus on lightweight model architectures and techniques for model compression. This can include shallow neural networks, optimized tree-based models, or custom lightweight algorithms designed specifically for UAV telemetry.

Recent work has established concrete thresholds for “lightweight” operation in this context—for instance, models should stay under 5 MB in size and complete inference within 50ms when running on common flight controllers like the 1.5 W ARM Cortex-A53. The EDGS-YOLOv8 architecture achieves this at just 4.23 MB while meeting timing constraints [108]. Model pruning, quantization, knowledge distillation, and hardware acceleration (for instance, using NVIDIA Jetson or Google Edge TPU on drones) can significantly reduce inference time and power consumption for deep models. UAV-based IDS systems often rely on deep learning models such as CNN-LSTM or ConvLSTM, which can impose considerable computational burdens. For instance, stacked ConvLSTM architectures may require a load that translates to far exceeding the budget for micro-UAVs operating under strict power and latency constraints. Techniques such as model pruning and 8-bit quantization have proven effective, with studies like UAV-DiPNID showing a reduction in model size to just 4.2 MB and inference time to 22 ms, achieving a 3.6× energy saving with minimal accuracy degradation [95,109].

Researchers should aim to design IDS solutions that operate within the computational limits of typical UAV flight controllers without affecting flight performance. A promising direction is to develop adaptive IDS models that adjust their complexity during flight. For instance, the model could simplify itself by dropping certain features or subsystems during high-load moments, then resume full analysis when resources become available.

Such adaptability offers a good trade-off between vigilance and resource use. Our findings suggest that a slight accuracy trade-off is acceptable if it ensures timely detection, particularly in safety-critical missions. Therefore, configurable performance-versus-speed settings could be highly useful.

In summary, advancing energy-efficient, real-time-capable IDS models is essential. This includes algorithmic improvements as well as leveraging embedded AI hardware and software optimization for UAV platforms. These efforts can result in intrusion detectors that respond within milliseconds while consuming minimal battery life—enabling continuous in-flight protection as emphasized by RQ2.

6.3. Privacy-Preserving and Federated Learning Approaches

As UAV networks grow and involve multiple stakeholders (for instance, public drones, commercial drones, military units), privacy-preserving collaborative IDS models will become increasingly important.

We recommend further research into federated learning (FL) and distributed anomaly detection methods for UAV swarms. Federated learning has shown promise, but challenges remain. Future work should aim to reduce the communication overhead of FL, possibly through compressed model updates or event-driven synchronization.

Improving FL’s resilience to compromised nodes is also vital. Techniques like secure aggregation or blockchain can help prevent poisoned updates. Other privacy-enhancing methods like split learning or homomorphic encryption could further reduce the information shared with central aggregators, surpassing the privacy offered by basic FL.

Advancing these privacy-preserving methods can support scalable, network-wide defenses without compromising data confidentiality. This directly aligns with the federated and distributed IDS strategies discussed in RQ3 and helps address their current limitations.

6.4. Energy-Efficient and Resource-Aware IDS Architecture

UAVs face strict limits on both battery capacity and processing power, making efficiency just as crucial as accuracy for onboard intrusion detection systems. Studies focusing on Energy efficiency suggest that the model should consume under 1W during continuous monitoring—roughly 3% of a typical 30W UAV battery budget. Quantized Random Forest and ANFIS implementations on STM32-F7 microcontrollers have demonstrated that this is feasible [84].

To preserve flight endurance, future IDS designs must prioritize power efficiency. One promising approach uses low-power dormant states, activating full analysis only upon detecting anomalies—similar to interrupt-driven designs in embedded systems.

Computation offloading presents another optimization path. By performing initial filtering onboard and transmitting only suspicious packets for deeper ground station analysis, UAVs can significantly reduce energy expenditure during normal operations.

Emerging hardware like neuromorphic and analog AI processors may eventually provide ultra-efficient solutions for continuous onboard monitoring, though these technologies remain in development.

The energy trade-off between local processing versus wireless transmission also warrants consideration—optimal approaches will dynamically select the more efficient option based on current conditions.

Ultimately, practical UAV security demands solutions that protect without compromising flight time. As emphasized in our RQ2 discussion, efficiency represents an equally critical metric alongside detection accuracy for deployable IDS implementations.

6.5. Addressing Model Robustness and Explainability

A major gap identified in our study and related surveys is the lack of attention to adversarial robustness and explainability in current UAV IDS models. Future research should explore how to make AI-based IDS models resilient against adversarial attacks. This includes training with adversarial examples and using robust model architectures that maintain reliability even under intelligent attacks.

Explainability is equally important for security-critical systems. We recommend integrating eXplainable AI (XAI) techniques so that IDS alerts are understandable. For example, models should highlight which features or telemetry patterns triggered the alarm.

To make IDS models understandable, they should either use transparent methods like decision trees from the start or include tools to explain their decisions afterward. Techniques such as SHAP or LIME can show which flight data patterns triggered an alert—like highlighting suspicious sequences in telemetry data or converting neural network decisions into plain-language rules. These explanations help operators trust the system, catch more false alarms, and fix detection logic by revealing what the model actually learned [74].

Recent drone security projects prove these explanation methods work in practice. Researchers have used SHAP analysis to explain how SVM models classify encrypted drone WiFi traffic [110]. Others created readable rule-based systems using fuzzy logic that match how security experts think [84]. Some teams even built SHAP visualizations directly into flight control software, showing operators the key warning signs in real time. Recent tests on drone network data (UNSW-NB15) proved that XGBoost outperforms TabNet both in classification accuracy and explainability. XGBoost achieved 97.8% validation accuracy and produced more consistent interpretability results, with a Jaccard Index of 0.82 compared to TabNet’s 0.65. It also showed better explanation stability under input perturbations (0.89 vs. 0.72). These findings demonstrate that combining SHAP and LIME produces transparent and trustworthy AI systems that meet forensic standards for UAV intrusion detection and digital security investigations [111].

By following these directions, researchers can address many of the current limitations in UAV IDS. Many of these recommendations also align with open challenges noted in previous UAV security surveys and reflect the findings of this study.

7. Conclusions

In conclusion, this research has provided a comprehensive evaluation of AI-based intrusion detection systems in UAV networks. It has led to several important insights and contributions. Firstly, we systematically investigated three key aspects: dataset relevance (RQ1), the trade-off between real-time and offline detection (RQ2), and IDS deployment strategies (RQ3). This was achieved through an extensive literature survey and empirical experimentation. Key findings include: (1) dataset choice greatly affects IDS accuracy and generalizability, with UAV-specific data yielding more reliable performance; (2) accuracy-latency trade-offs show that while complex algorithms perform better, simpler models are preferable for real-time, onboard detection; and (3) comparison of centralized, distributed, and federated IDS architectures reveals varied strengths and weaknesses.

These findings answer the initial research questions and offer an overall view of how AI can support UAV intrusion detection. Therefore, bridging the gap between research and real-world deployment is essential. Our analysis highlights current weaknesses and promising solutions like federated learning and lightweight models. As UAV use grows across sectors, so must defenses against emerging threats. The insights from this research emphasize that effective UAV IDS must be accurate, fast, adaptable, and resilient. Looking forward, we aim to develop open platforms for benchmarking IDS models in UAV scenarios. By pursuing the future work outlined here, researchers can overcome today’s challenges and build next-generation IDS systems that keep up with evolving attack strategies.

This work confirms the feasibility of AI-enhanced IDS for UAVs and will inform future innovations—ultimately leading to safer UAV operations in the years ahead.