
MF2-DMTD: A Formalism and Game-Based Reasoning Framework for Optimized Drone-Type Moving Target Defense

2023-12-15 03:56:34

Computers, Materials & Continua, 2023, Issue 11

Sang Seo, Jaeyeon Lee, Byeongjin Kim, Woojin Lee and Dohoon Kim

1 Solution Laboratory, NSHC Co., Ltd., Seoul-si, 186, Korea

2 Cyber Battlefield Team, Hanwha Systems Co., Ltd., Seongnam-si, Pangyoyeok-ro, 188, Korea

3 Department of Computer Science, Kyonggi University, Suwon-si, 16227, Korea

ABSTRACT Moving-target-defense (MTD) fundamentally avoids an illegal initial compromise by asymmetrically increasing the uncertainty as the attack surface of the observable defender changes depending on spatial-temporal mutations. However, the existing naive MTD studies were conducted focusing only on wired network mutations. There has also been no formal research on wireless aircraft domains with attributes that are extremely unfavorable to embedded system operations, such as hostility, mobility, and dependency. Therefore, to solve these conceptual limitations, this study proposes a normalized drone-type MTD that maximizes defender superiority by mutating the unique fingerprints of wireless drones and that optimizes the period-based mutation principle to adaptively secure the sustainability of drone operations. In addition, this study also specifies MF2-DMTD (model-checking-based formal framework for drone-type MTD), a formal framework that adopts model-checking and a zero-sum game, for attack-defense simulation and performance evaluation of drone-type MTD. Subsequently, by applying the proposed models, the optimization of the deceptive defense performance of drone-type MTD for each mutation period is additionally achieved through mixed-integer quadratic constrained programming (MIQCP) and a multiobjective optimization-based Pareto frontier. As a result, the optimal mutation cycles in drone-type MTD were derived as (65, 120, 85) for each control-mobility, telecommunication, and payload component configured inside the drone. The optimal MTD cycles for each swarming cluster, ground control station (GCS), and zone service provider (ZSP) deployed outside the drone were additionally calculated as (70, 60, 85), respectively. To the best of these authors’ knowledge, this study is the first to calculate the deceptive efficiency and functional continuity of the MTD against drones and to normalize the trade-off according to a sensitivity analysis with the optimum.

KEYWORDS Moving-target-defense (MTD); drone; formal methods; game theory

1 Introduction

In recent years, as the scope of modernization coverage expands in embedded platforms, heterogeneous wireless systems such as unmanned aircraft and sensors are being rapidly applied across mission-critical system domains like the battlefield, where both the safety and cybersecurity of the organization should be continuously guaranteed. However, as the existing closed communication regulations remain, although the composition of a dedicated countermeasure is not standardized, the issue of cyber uncertainty, which is attacker-dominant owing to the inherently vulnerable surfaces of applied embedded systems, is also on the rise [1-4]. Thus, to satisfy these security requirements, the cybersecurity research community affiliated with national defense and critical systems has fully adopted MTD [5,6]. MTD is a proactive cybersecurity technology that asymmetrically maximizes defense superiority and attack complexity according to a cyber mobility-based mutation to minimize the effects of illegal compromises.

However, most existing MTD studies for the replacement of conventional security have concentrated on the unique specifications of wired networks and related sub-protocols with low volatility and relatively easy employment of security resources, such as smart grids, smart factories, and industrial control systems (ICS). That is, only a few official studies have independently reduced the potential vulnerabilities [7,8] of wireless drones with attributes [9] that are extremely unfavorable for rapid operation (i.e., passivity and heterogeneity, decision-making dependency, and environmental hostility). In addition, related wireless cases only maximized cyber agility [10] based on the micro-air vehicle link (MAVLink) protocol standard. Resilient definitions and verifications to ensure the availability of unmanned wireless drone platforms as mission-critical systems in reported research have also not been formalized with MTD.

Accordingly, when the configuration of the MTD specialized to ensure high levels of both cyber agility and resiliency [11,12] of wireless drones is not preemptively accompanied, it will not only be impossible to protect the cybersecurity vulnerabilities of the unmanned drone, but it will also be impossible to continuously guarantee the operational stability of the target drone. To alleviate these limitations, it is necessary to achieve proactive defense based on active avoidance and to specify the dedicated MTD [13], which can secure cyber resilience based on both the internal and external structures of the rugged drone, detailed attack surface [14], and recognized vulnerabilities. To calculate the quantitative defense performance of the MTD for each proposition based on the formal specifications of an unmanned drone, formal verification with added mathematical proofs should also be performed in parallel. Thus, this study aims to minimize the compromise success rate of attackers by mutating unique fingerprint information groups with drone-type MTD related to the internal functions of unmanned drones and external communication. This study also proposes MF2-DMTD, a formal framework with model-checking-based formalism and an iterative zero-sum equilibrium logic-based competitive game, to simulate and validate an optimized drone-type MTD that adaptively determines the calculated mutation periods through decision trees with automata and the Markov decision process (MDP) [15]. Finally, as a formal verification according to the specifications in MF2-DMTD, the trade-off optimization of the drone-type MTD is achieved by further plotting the normalized Pareto frontier with MIQCP [16], detailed constraints, and multi-objective genetic optimization (MOGO) [17].

The main contributions of this study are as follows:

■ First, the deceptive defense efficiency (cyber agility), functional continuity (cyber resilience), and interoperability of drone-type MTD, which have not been considered in previous MTD studies from the research domain perspective, can be specified and evaluated in terms of threat modeling.

■ Second, through this study, the zero-sum game-based combat model can more realistically assume a competitive relationship in cyberspace related to the structural/functional correlation of drones. To embed cyber deception into this model, the decision-making flow for each actor can be standardized so that it is not highly dependent on prior knowledge such as the attacker’s ability, motivation, and kill chain for drone vulnerability. This model can also be configured to force an inferior judgment that was not optimized based on subjective beliefs, differences of information and view, and misperception established according to information uncertainty.

■ Third, formal specifications for wireless unmanned drone threat modeling can be achieved by structuring two conceptualized decision trees based on the priced-timed Markov decision process (PTMDP) [18] according to automata states such as vulnerabilities, threats, and countermeasures.

■ Fourth, through zero-sum game logic based on perfect Bayesian Nash equilibrium (PBNE) [19] and Bayesian Stochastic Stackelberg (BSS) [20], and formalism embedded with Uppaal Stratego [21], the performance of drone-type MTD can be verified while achieving Pareto optimization.

■ Fifth, based on the analyzed optimal results of drone-type MTD’s performance, along with the formal specification and verification, the adaptive configuration of the operational strategy considering both the cyber agility and resiliency of the unmanned drone placed in the mission-critical system domain can be advanced in the form of an actual tactical prototype.

The remainder of this paper is organized as follows. Chapter 2 examines and analyzes previous research cases related to the existing MTD. Chapter 3 presents MF2-DMTD, which is a formal framework that additionally specifies internal and external drone threat modeling that reflects both transitivity and causality as a decision tree structure. In addition, the competition logic related to the zero-sum game is determined using regularized equations. Chapter 4 derives the drone-type MTD performance inference results owing to MIQCP and multi-objective genetic optimization in the form of a Pareto frontier, and performs sensitivity analysis. Chapter 5 discusses the results. Finally, Chapter 6 concludes the study.

2 Related Works

Here, this section classifies studies that served as major inspirations when proposing the MF2-DMTD.

2.1 Background of MTD and Conceptual Limitations

Since 2011, “Trustworthy Cyberspace: Strategic Plan for The Federal Cybersecurity Research and Development Program” [22], MTD has emerged as a key deceptive security technology that can effectively replace existing conventional security based on the great interest of various cybersecurity research communities in critical systems and national defense. However, most of the reported previous studies on MTD were limited to performing performance evaluations only for heterogeneous platforms placed in stable wired networks, or limited the design of software-defined network (SDN)-based testbeds virtualized as controllers and testing them with detailed communication protocol standards [23]. Related cases of wireless communication have also been reported as limited simulations focusing only on the variation in the radio frequency (RF)-based received signal strength indicator (RSSI) [24]. In addition, studies that determined and verified lightweight MTD sequences for embedded domains mainly studied only the Internet of Things (IoT), which is characterized by the uniqueness of an arbitrary domain [25], such as industrial IoT (IIoT) and Internet-of-Vehicles (IoV). That is, the specification and evaluation of maneuvering platforms that maximize mobility and heterogeneity owing to six degrees of freedom (6DOF), such as drones, and the optimization of trade-offs to maintain seamless availability are insufficient [26].

Accordingly, to solve all limitations of previous studies, formal specifications based on formalism that considers all the internal/external configurations of drones, authorized vulnerabilities, and countermeasure strategies are required. In addition, formal verification of security and availability according to the MTD application should be additionally preempted as optimization owing to iterative game simulation. Thus, to research the trade-off between the drone-type MTD optimized based on formalism and repetitive games, and to receive differentiated inspiration, this study analyzes studies preceded by game theory or formalism.

2.2 Analysis of the Existing MTD with Game Theory

The key to previous studies that evaluated MTD performance using game theory was to optimize reward, utility, and effort to achieve imperfect goals based on prior knowledge possessed by each competing cyber actor, such as attack surfaces, vulnerable points, and kill chain steps. That is, the optimization of MTD is calculated in the direction of minimizing the attacker’s advantage by providing responsiveness and adaptability to the mutation mechanism, regularizing the overall parameters for the mutation period, mutation target, and mutation sampling to maximize the expected gain of the defending actor, or quantitatively introducing thresholds that detect the loss of initiative according to system faults and failures due to an attacker’s compromise. Representative examples include the general game-theoretic literature based on Nash theory, Stackelberg game-theoretic literature based on Bayes’ theorem and Stackelberg’s solution, and stochastic game-theoretic literature based on probabilistic transitions.

2.2.1 General Game Theoretic Literature

Here, this subsection describes previous MTD studies by adopting general game theory based on the Nash equilibrium. Zhu et al. [27] first demonstrated a trade-off between enhanced security and reduced functional availability of MTD-applied proactive defense actors by determining mathematical game metrics and parameters related to the MTD principle and quantitatively simulating them in the form of a two-player game. Ge et al. [28] simulated an incentive-compatible MTD game framework based on migration-type communication mapping to continuously provide the stability of organization services to legitimate users, even within a wired topology with MTD applied, and formalize proactive agility elements that ensure functional availability with an upper threshold. Neti et al. [29] constructed an MTD guide framework based on an anti-coordination game for quantifying deceptive metrics by mobility attributes and dynamically inferring the mutual feedback relationship between actors by episode. To minimize the side effect caused by actors of sophisticated distributed denial-of-service (DDoS) attacks, Wright et al. [30] designed a heuristic two-player game framework that optimizes all pre-conditions, mutation factors, and stability and security criteria for each design principle required for the construction of an adaptive MTD strategy. Carter et al. [31] further specified the MTD game architecture to optimize migration tactics that ensure a seamless connection of services available to legitimate internal users while maintaining the cognitive bias of illegal attackers induced in the defender-dominant container environment as much as possible. Colbaugh et al. [32] amplified the mathematical counterevidence of MTD sampling in a follow-up counter-example study.

2.2.2 Stackelberg Game Theoretic Literature

Here, this subsection describes previous MTD studies that simulated a causal relationship in which the follower’s scope of judgment and decision-making flow was limited according to the actions of the leader by adopting the Stackelberg game theory. Through the proposed co-resident attack mitigation and prevention architecture, Hasan et al. [33] detected co-resident attacks based on anomaly detection thresholds within a virtualized operating network that shares limited resources and formalized an MTD strategy that minimizes the invasion impact of lateral movement. Feng et al. [34] presented an MTD sequence that causes the disturbance, misleading, and confusion of the attacker’s decision-making according to artificial disinformation by establishing an information disclosure framework that mathematically applies both the signal game and the Stackelberg game, which performs reactive mutual feedback. In a follow-up study, Zhu et al. [35] designed an advanced adaptive MTD model to maximize the induction efficiency of an attacker who bypasses the defense scheme and initially penetrates it by further expanding the scope of the attacker’s cognitive bias in units of routing protocols and packets. Sengupta et al. [36] developed a zero-sum game framework that optimizes the MTD to maximize proactive avoidance according to the mutation target and detailed sampling schemes, and simulated this for each decision tactic while minimizing the negative availability issue of the defender owing to side effects when these MTD are available in a wired-type simple topology that operates web applications, operating systems, and cloud services. In addition, a study on the optimization of MTD considering general sum game-based competition [37] was conducted to achieve robust mutation-based avoidance against advanced persistent threat attacks in the cloud network. In a related follow-up study, Li et al. [16] further amplified the hydraulic properties of the spatial-temporal attack surface that changed with MTD mutation by formalizing the Markov Stackelberg model optimized based on the average-cost semi-Markov decision process and discrete-time Markov decision process. Finally, Seo et al. [38] added an adaptive cognitive disturbance scheme to the existing MTD and constructed a deceptive game considering the continuous operability of the organization by combining this with a layered social engineering decoy. Also, in this work, a general sum game-based testbed was proposed to improve the proactive defense of the IoT-based sub-farm network cluster further.

2.2.3 Stochastic Game Theoretic Literature

Here, this subsection describes previous MTD studies that adopted stochastic game theory, considering probabilistic correlation. Manadhata [39] formalized a game model that adaptively reflects the three principles of MTD, which change in real-time, based on probabilistic transitions according to the decision-making flow, to determine each optimized MTD strategy according to the potential attack surface characterized by each domain. Zhang et al. [40] quantified the trade-off relationship resulting from the calculation of the MTD-based mutation factor in the form of sensitivity analysis and designed a Nash-Q game framework based on the attacker’s strategy selection frequency and distribution to analyze the performance of each decision tactic concerning the rule of sharing incomplete information.

2.3 Analysis of the Existing MTD Literature with Formalism

Here, based on attack-defense trees and directed acyclic graph (DAG), structural diagrams, and propositional semantics derived from priced timed automata (PTA) interpretation, the key to previous studies that perform MTD performance inference by introducing formalism is to optimize the activation frequency of the three conceptualized MTD principles.

Hong et al. [41] first designed an MTD mechanism by integrating it into a hierarchical attack representation model (HARM) as an attack graph-based study to quantitatively evaluate and compare the deceptive defense effectiveness of the MTD applied to proactively protect various communication domains, such as virtualized and wireless sensor networks. In a follow-up study [42], they utilized a temporal graph-based graphical security model (T-HARM) to present dynamic security metrics to evaluate the overall performance of the MTD related to cyber mobility attributes, such as granularity, flexibility, and elasticity, and to capture dynamic attack surface changes according to the MTD application. To optimize the MTD trade-offs that significantly mitigate the damaging impact of DDoS cost-effectively, Zhou et al. [43] proposed a multi-objective Markov decision process (MOMDP) that incorporates detailed interactions among attackers, defenders, and users based on trilateral game logic. They also demonstrated practical differentiation by designing and simulating the MOMDP within the SDN. Rahim et al. [44] proposed a formal methodology that can be formally verified based on Uppaal, an open model checker, for a formally specified MTD mechanism. Additionally, they performed a comparative evaluation of the mutation quality, mutation stability, and cost of the random host mutation technique based on repeated experiments. Finally, Ballot et al. [18], in state-of-the-art research on the formalism of MTD, formalized PTMDP based on the DAG and PTA. They first proposed the PTMDP by structuring it as a decision tree based on threat modeling with attack vectors, subgoals, and MTD-based mitigation. Using Uppaal Stratego for formal verification, they mathematically performed a proof-of-concept by normalizing the optimal activation frequency set of each modeled MTD tactic in the form of a Pareto frontier.

3 MF2-DMTD, Reasoning Formal Framework of Drone-Type MTD

Here, this study formalizes the main modules in the proposed MF2-DMTD and defines formal specifications based on probabilistic PTMDP and decision trees, and all methods, metrics, attributes, and equations for formal verification based on model checking and feedback-type iterative zero-sum games.

3.1 Design Principle

As shown in Fig. 1, the MF2-DMTD, which is proposed to cause deceptive defense and resilient availability of the drone-type MTD by adopting formalism, a zero-sum-based competition game, and meta-heuristic optimization, is designed by focusing on three main modules.

In MF2-DMTD, first, the knowledge-based preprocessing module (1) adopts all the elements of functional components (communication, payload, control, and mobility units) within a single rugged drone and external communication entities that collaborate with target drones (swarming drone cluster, GCS, and ZSP), related state and goals, transition considering the prior-post probability according to Bayes’ theorem, and interoperable sequences to define threat modeling containing the attack-defense tree concept and then specify it mathematically. In addition, formal metrics to apply the drone-type MTD’s feedback behavior for each identified drone internal and external vulnerability element are determined, and main parameters related to three MTD principles (‘what-to-move’, ‘when-to-move’, ‘how-to-move’) are also configured in detail, and used in the dynamic decision-based game competition simulation module (2) and the normalized model checker-based verification module (3).

Next, the threat modeling specified according to the Common Vulnerabilities and Exposures (CVE) vulnerability in (1) is detailed as a PTMDP-based decision tree in the dynamic decision-based game competition simulation module, which is calculated to contribute to the decision of the optimum for each mutation period of the drone-type MTD by structuring mutually competitive relationships between actors based on continuous ratchet-type causality and normalizing the zero-sum game with PBNE, BSS, and MIQCP.

Figure 1: A main overview of MF2-DMTD for formalism and game-based reasoning with MTD

Finally, the normalized model checker-based verification module in MF2-DMTD is evaluated using Uppaal Stratego, a state-of-the-art model checker, and a feedback-type repetitive engagement model to evaluate drone-type MTD performance based on PTMDP-based drone internal and external decision trees specified in (1) and (2). Additionally, along with (4), the comparison results of analyzing the performance of the drone-type MTD are finally derived in the form of a Pareto frontier with multiobjective optimization such as non-dominated sorting genetic Algorithm II (NSGAII) and Pareto archived evolution strategy (PAES).

3.2 Formalization of Decision Tree

Next, drone threat modeling [45] configured to specify all major assets, attack surfaces, threat vectors, and MTD-based countermeasures within this MF2-DMTD is computed as a PTMDP-based decision tree structure that includes all concepts of action, goal, relationship, and continuous causality based on the attack-defense tree, as shown in Figs. 2 and 3. These specified decision trees are used as conceptual templates within the model checking and zero-sum game accompanying the formal verification process, supporting the calculation of the payoff between actors related to the cyber-kill-chain (CKC).

The decision tree in Fig. 2 is formalized for each of the four internal components to conceptualize continuous operational behaviors such as communication with MAVLink [46] of a single rugged drone armed with multiple antennas, payload-based sensing, control via bus traffic, and three-dimensional maneuvering to ensure line-of-sight (LoS) and non-LoS (NLoS) propagations. The control-maneuvering unit was structured with a focus on the correlation between Pixhawk4, a flight controller, and Zubax equipment, an electronic speed controller, whereas the communication unit was also configured according to the dependency of the MAVLink telemetry independently configured in the Pixhawk4 controller and the sub-wireless communication sensors (RF, WiFi, LTE, mmWave) mounted on the wireless mobile antenna modules. As the payload unit is also conceptualized based on a lightweight mission companion computer to operate additional sub-party functions of a single drone, such as Raspberry Pi, both the spatial-temporal recognition function through RF and the real-time video transmission function through mobile communication were additionally determined.

Figure 2: Threat modeling-based detailed decision tree by drone internal functional components

Figure 3: Threat modeling-based detailed decision tree by drone external communication entities

To simulate the interoperable behaviors of any external communication entities cooperating with rugged drones deployed on a battlefield for intelligence, surveillance, and reconnaissance (ISR) after belonging to the space-air-ground integrated network [47], the decision tree in Fig. 3 is also composed of three types of drone external communication entities: swarming tactical drone cluster, GCS, and ZSP [48]. Based on NLoS-based wireless communication relay and adaptive situational awareness, the swarming tactical drone network was clustered according to the dependency between the master drone that controls the clustered fleet in the form of star topology and the slave drone subordinated based on C2 (command & control). Inspired by the uplink-based remote control of a random swarming drone network deployed on the battlefield, the GCS entity operated under the presence of a senior commander was detailed as an RF uplink communication sensor performing flight control and a wireless mobile communication sensor performing packet transportation. As the ZSP entity is also conceptualized to contain a beacon-type wireless communication sensor hub that transmits useful regional status information to rugged drones on the mission, it was decided to improve the operational efficiency of drones by providing real-time states such as weather, geographic information system (GIS), and air traffic management (ATM) data regularly.

In the detailed decision trees based on PTMDP in Figs. 2 and 3, the subgoal state and attack surface element are formalized in the form of graph nodes in complex systems, and drone-type MTD-based countermeasure tactics are formalized in detail according to Tables 1-3. Accordingly, to conceptualize the subgoals related to rugged drones in competitive engagements by actors, Table 1 shows the functional internal components and external communication entities that are subdivided and correlated.

Next, the attack surface elements defined to simulate the main vulnerabilities and penetration vectors inside and outside the drone are quantified based on both the recognized CVEs that were potentially related to the communication vulnerability of the rugged drone and the related Common Vulnerability Scoring System (CVSS), as shown in Table 2. To perform incursion using specific vulnerabilities, the proposition that should be achieved preemptively formally determines the penetration difficulty and damage impact for each type of cyber threat specialized for the target drone by quantifying atomic attack metrics such as attack time (time), attack success probability (aprob), pre-cost for launching an attack (accost), and post-cost for continuing an attack (pcost).

Table 2: Table of attributes by attack surface-based element in MF2-DMTD

Finally, the propositions of MTD tactics dedicated to each drone’s internal and external configuration were also further quantified as atomic defense metrics such as defense success probability (dprob) and defense cost (cost) owing to the multi-layered multitenancy structure dedicated to each associated attack surface element, as shown in Table 3. To realize proactive defense in terms of communication and operation within the drone targeting all physical, host, data link, and network layers, normalization is performed for the optimal trade-off required at the minimum.

Table 3: Table of attributes by drone-type MTD-based counter-measure in MF2-DMTD
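
The trade-off between mutation period, defense cost, and compromise risk discussed above can be illustrated with a small model. This is an added example, not code from the paper or from MF2-DMTD: it reuses the atomic metric names time, aprob, dprob and cost, but the interruption model, the mission horizon and every numeric value are constructed assumptions, and a plain dominance filter stands in for the MIQCP and genetic optimization used in the study.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackElement:
    time: int      # uninterrupted time units the attack needs to complete
    aprob: float   # success probability once the attack completes


@dataclass(frozen=True)
class MtdTactic:
    dprob: float   # probability that one mutation invalidates an in-progress attack
    cost: float    # defender cost charged per mutation


def evaluate(period, attack, mtd, horizon):
    """Return (compromise probability, defense cost) for one mutation period.

    Assumed model: the attacker starts each attempt right after a mutation
    (the attacker's best case) and retries back to back for the whole horizon.
    """
    # Mutations that fire strictly before a single attempt completes.
    interruptions = (attack.time - 1) // period
    p_attempt = attack.aprob * (1.0 - mtd.dprob) ** interruptions
    attempts = horizon // attack.time
    p_compromise = 1.0 - (1.0 - p_attempt) ** attempts
    defense_cost = (horizon // period) * mtd.cost
    return p_compromise, defense_cost


def pareto_front(periods, attack, mtd, horizon):
    """Periods not dominated on (compromise probability, defense cost)."""
    scored = {p: evaluate(p, attack, mtd, horizon) for p in periods}
    front = []
    for p, (risk, cost) in scored.items():
        dominated = any(
            r2 <= risk and c2 <= cost and (r2 < risk or c2 < cost)
            for q, (r2, c2) in scored.items()
            if q != p
        )
        if not dominated:
            front.append(p)
    return sorted(front)


# Constructed sample values, not taken from Tables 2 or 3 of the paper.
ATTACK = AttackElement(time=60, aprob=0.4)
MTD = MtdTactic(dprob=0.7, cost=1.5)
HORIZON = 600
CANDIDATE_PERIODS = [10, 20, 30, 40, 50, 60, 90, 120]

if __name__ == "__main__":
    for period in CANDIDATE_PERIODS:
        risk, cost = evaluate(period, ATTACK, MTD, HORIZON)
        print(f"period={period:3d}  compromise={risk:.4f}  cost={cost:.1f}")
    print("Pareto-efficient periods:",
          pareto_front(CANDIDATE_PERIODS, ATTACK, MTD, HORIZON))
```

In this model, periods 30 and 40 interrupt the 60-unit attack exactly as often as period 50 does while costing more, so they fall off the frontier; the same holds for 60 and 90 relative to 120.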

3.3 Configuration of Dynamic Zero-Sum Game Model

Modeling a game competition simulation module based on dynamic decision-making that performs a zero-sum-based competitive engagement simulation along with a model checker within the proposed MF2-DMTD contributes to the probabilistic formal verification of the drone-type MTD.Thus,the zero-sum attack-defense competition between actors configured within the module is schematized based on a multistage evolutionary repetitive game tree,as shown in Fig.4.

To determine the randomized spatial-temporal entropy within this game tree,the PBNE,which has a privatized asymmetric judgment relation and a rule of sharing incomplete information according to the Dirac delta function and the Boltzmann probability distribution is adopted to maximize the defender’s payoff per episode.In addition,the additional application of BSS within the game tree optimizes the quantitative sequential relationship for micro-macro rewards for each actor by structurally forming a dependent ratchet-type causality between an active leader and a passive follower.It is also conceptualized to maintain the mutation initiative by forcing the attacker’s priori belief and confusion to a high level with the defender’s dominance.

It is also shown that the game tree is adaptively configured according to the development ofn,an engagement step in an arbitrary episodek.First,attackerAselectsASn,which is the most optimized set of invasion strategies within a certainn,to attempt an initial incursion or maintain the previous occupation,performing preliminary actions related to the reconnaissance,weaponization,and lateral movement phases within the CKC.Thereafter,,dynamically determined stochastic components,as shown in Eq.(1),are used mathematically according to the quantitative state information(reward,revenue,and cut-off solution of equilibrium)conserved by attacker A through the previous engagement,attack surface-based approximate intelligence to predict and selectand the elements that define attack tactics and techniques inASn.In this case,ω,the exploration factor of actors,determines the scope of the subjective judgment regarding the intelligence that competitors radiate to the outside.

Figure 4:Conceptual overview of the zero-sum-based multistage game in MF2-DMTD

And,through these (1),(2),binary valuesγfor the representation of competition results,the game tree-based workflow of multistage competition in Fig.4 is embodied as Algorithm 1.Algorithm 1 determines the payoff ofAandDby changing the reward ofnaccording toβ,γ,and the inherentxandy,and also defines the initial reward ofn+1.IfDsucceeds in deceptive defense againstA‘sASthroughDS,positive revenue is added toDSand negative revenue is applied toAS.IfDfails to enter the defensive state by the expiration of CKC,negative revenue is applied to theDSand positive revenue is added to theAS.

At this point,within the game tree and Algorithm 1 containing this repeated feedback sequence,the endpoint of an engagement episode between actors is determined by whether a cutoff solution of the equilibrium can be calculated through the zero-sum game calculated according to the normalized PBNE and BSS.Therefore,the payoff optimization of defenderDusing the drone-type MTD is defined in detail as a Bellman value iteration[49]based Q-value scheme that performs adaptation according to behavioral changes,as in Eq.(3)related to(1)and(2).Skin(3)is a finite state calculated based onGSkandSSk,TSkconfigured within episode k and contains multiple levels to stochastically define the structural state-transition in PTMDP.In addition,axandaydenote the finite actions based on the half-duplex transition of attackerAforSkand the full-duplex transition of defenderD,respectively.In this case,GSk=is a set of strategies dynamically determined according toDSkof defenderDandASkof attackerA,whereasSSk=is a set of BSS-based decision tactics that are asymmetrically activated according to the coercive feedback signaling initiative.In addition,TSk=is a set of intelligence elements unique to each actor.For attackerA,it is a private information element group based on the attack surface effective thresholdρ,and for defenderD,it is configured as a threat modeling-based element group identified to apply the MTD inside and outside the drone.

Additionally, $R$ is a function that calculates the payoff that can be obtained within episode $k$ when attacker $A$ and defender $D$ perform actions $a_x$ and $a_y$, respectively, in $S_k$, and it is maximized as the key constraint until defender $D$, taking this into account, calculates a solution of equilibrium. If the actions $a_x$ and $a_y$ are performed in $\theta$ or $S_k$, the probability of reaching the next state, $S_{k+1}$, is defined as a probability distribution function calculated based on the Dirac delta function and the Boltzmann probability distribution in the PBNE. $U$, a zero-sum-based discount factor function, is used to calculate an approximated solution of the equilibrium considering meta-heuristic optimization, as it cuts off the scope of factor judgment for each actor within [0,1]. $CU$ is also defined as a utility function that imposes effort and cost on each actor within the zero-sum model. $OPT$, which is fine-tuned from defender $D$'s point of view, also calculates an optimized reward by reflecting all available $SS_{k+1}$ in $S_{k+1}$, as in Eq. (4) related to (3).

Finally, payoff optimization normalized according to the drone's internal functional components and external communication entities was determined according to Eqs. (5)-(6) based on (3) and (4), respectively. Thereafter, (5) adjusts the optimized payoff by adding $SMF$, which is a [0,1] threshold considering the security state inside the drone. To reflect the unique wireless communication characteristics outside the drone, (6) also amplifies all of $P_{rx}=-10\times n\log_{10}D+P_{tx}$, an indicator of the received signal strength related to trilateration ($P_{tx}$ is the transmission strength, $n$ is the Friis propagation loss model-based constant of path loss), $D=|D_{rx}-D_{tx}|$, which is the relative distance value, and $PL(D)=(10\times\log(P_{tx}/1\,\mathrm{mW}))-(10\times\log(P_{rx}/1\,\mathrm{mW}))$, which is a power density function.

4 Experiments and Results

Next, the node-based state and edge-based transition concepts specified in Figs. 2 and 3 and Tables 1-3 were used to compare and simulate the performance inference of the drone-type MTD.

4.1 Construction of Experimental Testbed

The main simulation parameters required to optimize the Pareto solutions related to the security and functionality of the drone-type MTD were determined as listed in Table 4.

Table 4: Major simulation parameters in MF2-DMTD

First, in the case of the drone-type MTD, the three main concepts (‘what-to-move’, ‘when-to-move’, and ‘how-to-move’) based on mutation sets, mutation periods, and mutation tactics are determined for each argument. In addition, unique internal and external drone specifications and correlations are considered to ensure that the mutation target range, genetic sampling scheme, and periodic selection methodology are amplified in the detailed optimal parameter standard. Next, for a zero-sum-based two-player game logic that determines competitive engagement modeling for each attack-defense actor, the MIQCP model adopting a Lagrange multiplier associated with entering the equilibrium state through PBNE and BSS is mainly used to contribute to the Pareto frontier computation via NSGA2 and PAES. In addition, the dynamic entropy rule for the continuity simulation of the acts of engagement in an episode is randomized by applying the Boltzmann probability distribution and Dirac delta function. In addition, the metrics (state, transition, episode, step, effort, and time) for each PTMDP and the repetitive game logic introduced to achieve formal specification and formal verification were also calculated to formulate them for statistical comparative analysis based on the Monte Carlo method in the MF2-DMTD.

At this time, the MIQCP and MOGO schemes adopted to perform mutation cycle-based Pareto optimization for drone-type MTD are defined as a value iteration mechanism considering bilevel optimization problems, as in Algorithm 2. In Algorithm 2, $MC$ is the mutation configuration set, $|MC|$ is the number of mutation configuration sets, and ? is initialized to 0.1 as the convergence threshold. $\alpha$ is the mutation time slot length of the drone-type MTD, where ?$\alpha$ denotes the supremum and ?$\alpha$ denotes the infimum. $\theta$ denotes the time loss required until the drone-type MTD responds, and $\pi$ denotes the probability distribution based on the Boltzmann and Dirac delta functions. Additionally, $PV$ is defined as the near-optimal policy value associated with Algorithm 2, and $V$ is defined as the decision vector of MTD.
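The trade-off between mutation period, attacker effort in time, and the time loss $\theta$ of each mutation can be reproduced with a much simpler model than the PTMDP. The following Python code is an added example, not the authors' MF2-DMTD implementation: it assumes an attacker whose kill chain consists of exponentially timed stages and is reset by every mutation, and all configuration names, stage rates and time-loss values are constructed.

```python
import math

# Constructed configurations: (label, attacker stages, stage rate per second,
# time loss per mutation in seconds). "heavy" is an assumed tactic that forces
# one extra attacker stage but interrupts the drone for longer.
CONFIGS = [("light", 3, 0.05, 1.0), ("heavy", 4, 0.05, 6.0)]
PERIODS = list(range(20, 141, 20))   # fixed mutation periods, capped at 140 s


def erlang_cdf(stages, rate, t):
    """Probability that `stages` exponential steps (each `rate`/s) finish within t."""
    x = rate * t
    term = acc = 1.0                      # i = 0 term of sum_{i<stages} x^i / i!
    for i in range(1, stages):
        term *= x / i
        acc += term
    return 1.0 - math.exp(-x) * acc


def expected_compromise_time(period, stages, rate):
    """Mean seconds until the attacker completes every stage inside one period.

    Assumption: each mutation discards all attacker progress, so the attack is
    a sequence of independent attempts, each lasting at most `period` seconds.
    """
    p_win = erlang_cdf(stages, rate, period)
    failed_attempts = (1.0 - p_win) / p_win          # mean of a geometric count
    # E[X | X <= period] for an Erlang(stages) time, via the Erlang(stages+1) CDF.
    last_attempt = (stages / rate) * erlang_cdf(stages + 1, rate, period) / p_win
    return failed_attempts * period + last_attempt


def sweep(configs, periods):
    """Evaluate every (config, period) pair as (label, period, time, continuity)."""
    rows = []
    for name, stages, rate, loss in configs:
        for period in periods:
            time_s = expected_compromise_time(period, stages, rate)
            continuity = 1.0 - loss / period   # share of time not spent mutating
            rows.append((name, period, time_s, continuity))
    return rows


def pareto_front(rows):
    """Keep rows not dominated on (time, continuity); the defender maximises both."""
    def dominates(a, b):
        return a[2] >= b[2] and a[3] >= b[3] and (a[2] > b[2] or a[3] > b[3])
    return [r for r in rows if not any(dominates(o, r) for o in rows)]


def longest_period_meeting(rows, name, min_time):
    """Longest (cheapest) period of one config that still costs the attacker min_time s."""
    ok = [r[1] for r in rows if r[0] == name and r[2] >= min_time]
    return max(ok) if ok else None


if __name__ == "__main__":
    table = sweep(CONFIGS, PERIODS)
    for name, period, time_s, continuity in pareto_front(table):
        print(f"{name:5s} period={period:3d}s  E[compromise]={time_s:9.1f}s  "
              f"continuity={continuity:.3f}")
    print("light, attacker must need >= 100 s:",
          longest_period_meeting(table, "light", 100.0))
```

With one stage the attack time is memoryless and the period has no effect, which is why the staged kill chain matters for any period-based mutation to pay off in this model.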

4.2 Results 1-Sensitivity Analysis for MTD Performance for Drone Interior

Next, the calculated decision-tree-based threat-modeling structure, feedback-type competition relationship, constraints per actor, state-transition proposition, and fine-tuned related parameters were all formally specified to simulate performance inference for the drone-type MTD. In addition, a formal verification to optimize the security-functional Pareto frontier was performed in parallel using normalized model checking. Considering the volume of this study, the scope of the analysis is limited: the Pareto optimization results of the dedicated MTD-based mitigations, applied independently to each internal and external element (the mutation set), are first classified, and the final comparative analysis then cuts off the solution space at a fixed mutation period of 140 s or less.

Thus, the performance inference results of the MTD normalized to the functional components inside the drone were formalized as shown in Figs. 5-10. In this case, ‘Expected compromise time’ on the X-axis is determined to mean the expected attack time (s) required as a minimum for an attacker to successfully achieve penetration into the drone, whereas ‘Expected compromise effort’ on the Y-axis is determined to mean the expected attack cost required as a minimum. The legend axis is also configured to represent the fixed mutation period (s) of the drone-type MTD corresponding to each internal component.

Fig. 5 shows that the best Pareto optimum solution of the ddkr tactic, which mutates public key cryptography information within the communication channel, finally converges to (200, 5000); the tactic targets the internal communication components that perform MAVLink-based RF telemetry and wireless mobile communication (WiFi, LTE, mmWave). It can be further confirmed that the deceptive defense efficiency of ddkr also continuously decreases in the manner of a log graph with a positive gradient and base whenever the fixed mutation period increases by 5 s within the range of [95, 120], and an attacker-dominant Pareto frontier is formed that gradually approaches the ideal point of the drone attacker. This can be proven to be a quantitative reflection of the spatial-temporal asymmetry characteristics in which the weaponization success rate of an attacker within a certain time inevitably increases linearly as the frequency of the MTD mutation cycle gradually decreases.

Figure 5: Pareto frontier-based comparison results of defense performance by mutation periods (telecommunication component inside the drone, ddkr, 95-120 s)

Figure 6: Pareto frontier-based comparison results of defense performance by mutation periods (telecommunication component inside the drone, ddkr, 125-140 s)

Figure 7: Pareto frontier-based comparison results of defense performance by mutation periods (payload component inside the drone, ddsr, 35-60 s)

Figure 8: Pareto frontier-based comparison results of defense performance by mutation periods (payload component inside the drone, ddsr, 65-90 s)

However, Fig. 6 shows that when the deceptive defense effectiveness of the ddnm tactics that mutate network/datalink layer information related to wireless mobile communication and the ddmm tactics that mutate MAVLink information inherent in the physical layer is secured naively above a certain level, increasing the frequency of ddkr's mutation cycle conversely contributes to attenuating the attack success rate, contrary to the defender's prediction. This aspect reflects that, unlike other MTD tactics, the ddkr tactic, which periodically mutates the public key encryption information itself, requires a relatively large amount of defender resources. Therefore, these overhead-based side-effect factors can be analyzed as spreading deeply into the total defense efficiency measurement. Thus, it can be finally derived that the optimal mutation period of the ddkr tactic for the drone's internal communication component is 120 s or less.

Figure 9: Pareto frontier-based comparison results of defense performance by mutation periods (control-mobility component inside the drone, dcdc, 35-60 s)

Figure 10: Pareto frontier-based comparison results of defense performance by mutation periods (control-mobility component inside the drone, dcdc, 65-90 s)

Figs. 7 and 8 calculate the Pareto frontier of the ddsr tactic that mutates real-time video payloads, targeting an internal payload component that additionally provides various sub-party functions within a single drone, such as LiDAR-based collision avoidance and FPV-based image processing. Fig. 7 shows a pattern in which, whenever the mutation period increases by 5 s within the range of [35, 60], ddsr's deceptive defense efficiency decreases in the form of a linear function with a positive gradient until 45 s compared to the previous period, and then becomes stagnant after 45 s. Similarly, Fig. 8 shows that ddsr's deceptive defense efficiency decreases significantly in the manner of an exponential graph until the fixed mutation period of 85 s within the range of [65, 90], but solutions are fixed within a specific Pareto frontier after 85 s. Thus, it can be finally confirmed that the Pareto optimum solution of ddsr for Fig. 7 converges to (315, 15000), whereas the Pareto optimum solution of ddsr for Fig. 8 converges to (135, 17250).

The aspects of Figs. 7 and 8 can be analyzed as a theoretical reflection of an asymmetric dominance relationship in which the effectiveness of the defender intelligence available to the attacker within a certain time inevitably increases exponentially as the frequency of the MTD mutation period gradually decreases. In addition, unlike the MTD tactics available in Figs. 5 and 6, the operating ranges of the ddsr and ddrr tactics of the internal payload target are completely divided hierarchically and conceptualized, proving that the overhead impact owing to the overlapping application of other tactics to the target component is relatively low. Thus, it can be finally derived that the optimal mutation periods of the ddsr tactic for the drone's internal payload component are 45 and 85 s, respectively.

Finally, Figs. 9 and 10 calculate the Pareto frontier of the dcdc tactic that mutates the UAVCAN payload for each target device fingerprint, targeting Pixhawk4-based internal control-maneuvering components responsible for both the six DOF flight function and the central control function. Fig. 9 shows a pattern in which, whenever the fixed mutation period changes within the range of [35, 60], the deceptive defense efficiency slightly decreases in the form of a log graph with a positive base until 55 s compared to the previous one, and then changes to a linear function form after 55 s and decreases.

Fig. 10 shows a pattern in which a momentum issue occurs in a form that does not stably converge to a practical random Pareto optimal value; however, it spreads to a random local minimum extremal value based on a specific saddle point from a fixed transition period of 65 s or more. Unlike for other internal components, having to adaptively engage an attacker who has penetrated even into the most hidden control-maneuvering component inside the drone means that part of the dcdc tactic's avoidance concept is already incapacitated. Therefore, it can be analyzed that the global gradient problem of the multi-objective genetic function related to MIQCP-based Pareto optimization cannot be mitigated unless the frequency of the mutation period of dcdc is increased to overcome these negative issues.

Thus, it can be finally derived that the optimal mutation period of the dcdc tactic gradually applied to the drone internal control-maneuvering component is 65 s or less, and the Pareto optimum solutions all converge to (390, 17500).

4.3 Results 2-Sensitivity Analysis for MTD Performance for Drone Exterior

Figs. 11-16 show the performance inference results of the drone-type MTD normalized for the full-duplex communication environment established outside the drone so that sub-drones belonging to a random swarming cluster network are remotely controlled based on a command and control (C2) entity, such as a commander and GCS, and are additionally provided with real-time tactical information related to weather, geographic information, and air traffic control from auxiliary objects deployed in the battlefield, such as ZSP.

Figure 11: Pareto frontier-based comparison results of defense performance by mutation periods (swarming cluster entity outside the drone, dder, 5-60 s)

Figure 12: Pareto frontier-based comparison results of defense performance by mutation periods (swarming cluster entity outside the drone, dder, 65-120 s)

‘Expected compromise time’ on the X-axis in Figs. 11-16 denotes the expected attack time (seconds) required as a minimum for an attacker to successfully achieve invasion for each communication entity independently deployed outside the drone, whereas ‘Expected compromise effort’ on the Y-axis denotes the expected attack cost required as a minimum. In addition, the legend axis calculates the fixed mutation period (seconds) of the drone-type MTD corresponding to each external communication entity.

Figure 13: Pareto frontier-based comparison results of defense performance by mutation periods (GCS entity outside the drone, ddmm, 5-60 s)

Figure 14: Pareto frontier-based comparison results of defense performance by mutation periods (GCS entity outside the drone, ddmm, 65-120 s)

Figs. 11 and 12 first calculate the Pareto frontier of the dder tactic, which mutates the host fingerprint information uniquely exposed by the attached drone entities. The tactic targets the swarming tactical drone network, which transmits and receives both battlefield information based on the MAVLink format and spatial-temporal location information based on the GPS format, and which has an inherent interdependency between the upper master drone entity and the lower slave drone entity performing a non-line-of-sight communication relay. Fig. 11 shows a pattern in which, whenever the mutation period increases by 5 s within the range of [5, 60], dder's deceptive defense efficiency continues to decrease in the manner of a log graph with a positive base up to 25 s, compared to the previous one. After 25 s, the deceptive defense efficiency was significantly reduced as an exponential function with a positive gradient. This change was derived as follows. When the MTD mutation period frequency is high (25 s or less), the ripple effect of the proactive defense of the ddmm tactic, which performs MAVLink information mutation by being applied together to the data link-network-based upper communication layer, and the ddnm tactic, which performs wireless mobile communication payload mutation, is higher than that of dder. Therefore, the side effect of the decrease in the frequency of dder's mutation period is also a quantitative reflection of the hierarchical characteristics, which are inevitably lower than those of other tactics. When the mutation period frequencies of the commonly applied MTD tactics were all lowered (after 25 s), the defense efficiencies of the ddmm and ddmm tactics, which were preemptively avoided in the network and data link-based upper layers, exponentially decreased. Therefore, it is further confirmed that the importance of the dder tactic, which is operated to suboptimally avoid invasion by an attacker who succeeds in bypassing the wireless communication domain, has become relatively high.

Figure 15: Pareto frontier-based comparison results of defense performance by mutation periods (ZSP entity outside the drone, ddsr, 5-60 s)

Fig. 12, configured to determine the mutation period of dder within the range of [65, 120], additionally shows that, similar to Fig. 11, the deceptive defense efficiency decreases in the form of an exponential function until 70 s; however, after 70 s a momentum issue occurs that prevents it from stably converging to the practical Pareto frontier. Similar to Fig. 10, this is also an unfavorable situation in which the attacker engaging with the defender at that point has already bypassed and neutralized ddmm and ddnm considerably and maliciously occupied the drone communication area. Therefore, the attacker's dominance cannot be lowered unless the frequency of the dder mutation period increases significantly within the current game state. Therefore, it can be finally derived that the Pareto optimum solution of the dder tactic in Fig. 11 converges to (2350, 59500), and the Pareto optimum solution in Fig. 12 converges to (55, 1300). In addition, it can be calculated that the optimal mutation periods of the dder tactic used for the drone external swarming tactical drone network are 25 and 70 s, respectively.

Figure 16: Pareto frontier-based comparison results of defense performance by mutation periods (ZSP entity outside the drone, ddsr, 65-120 s)

Figs. 13 and 14 calculate the Pareto frontier of the ddmm tactic that mutates the MAVLink payload within an uplink session by targeting the upper GCS in charge of real-time remote control processing of multiple drones used with multiplexed uplink communication channels. Fig. 13 shows that whenever the fixed mutation period changes by 5 s within the range of [5, 60], the deceptive defense efficiency of ddmm compared to the previous one continuously decreases in the form of a log function. Conversely, as shown in Fig. 14, it can be further confirmed that ddmm's deceptive defense efficiency within the range of [65, 120] is extremely reduced in the manner of a linear graph with a low gradient.

The aspect of Figs. 13 and 14 is analyzed to be closely related to the bypass possibility of an attacker who tries to preemptively infiltrate early using static data link layer information in GCS. That is, as the effectiveness of the defender intelligence adaptively available to the attacker increases exponentially before 60 s, the degree of success of weaponization-based exploit also increases. From 65 s or above, however, effective weaponization is already completed before mutation, proving that the deceptive defense efficiency determined by each mutation cycle cannot change significantly. Therefore, it can be derived that the optimal mutation period of the ddmm tactic applied to the GCS target outside the drone is 60 s or less, and it can be finally confirmed that the Pareto optimal solution is also determined as (175, 3650).

Finally, Figs. 15 and 16 calculate the Pareto front of the ddsr tactic that mutates the payload in the mobile communication packet transmitted by the wireless sensor. The tactic targets ZSP, which resiliently supports the sustainability of tactical missions of drones by transmitting changing environmental information, such as weather and geographic sensing data and air traffic control information, in real time to tactical drones in the battlefield under the presence of an arbitrary centralized command center. Fig. 15, similar to Fig. 13, shows the continuous decrease in deceptive defense efficiency in the manner of a logarithmic graph with a positive base whenever the fixed mutation period changes within the range of [5, 60]. This can be analyzed as reflecting the fact that independent avoidance performance for the target object is guaranteed for each tactic applied, because the ddsr tactic is conceptualized to be operated hierarchically and completely divided from the accompanying dder tactic for the mutation of specification information of the equipment. That is, the scope of spatial-temporal application between the dder and ddsr tactics does not overlap; therefore, an asymmetric zero-sum relationship in which the attacker's weaponization efficiency increases exponentially when the mutation cycle frequency linearly decreases is always reflected in a naive way.

Fig. 16, which is the result for [65, 120], derives the pattern in which the deceptive defense efficiency decreases slightly in the form of a linear graph with a positive gradient until the fixed mutation period of 85 s, and solutions are fixed within a specific Pareto front after 85 s. Thus, it can be derived that the optimal mutation periods of the ddsr tactic progressively available to ZSP outside the drone are 85 s or less, respectively, and it can be finally derived that the Pareto optimal solution also converges to (115, 2800).

4.4 Summary of Experimental Results and Comparison

Finally, the optimal periodic mutation cycle of drone-type MTD and the related solution value of the MIQCP-MOGO-based Pareto frontier, which were demonstrated as a proof of concept (PoC) with MF2-DMTD in Sections 4.1 and 4.2, are all summarized in Table 5. Both these optimal mutation cycles and the Pareto solution set support wireless drones performing drone-type MTD in a formalism-based experimental testbed to achieve maximum proactive defense performance with minimum defense cost.

Table 5: Comparative summary of optimal results related to performance verification of drone-type MTD (mutation cycle with rough MTD between 60-120 s, Pareto frontier with attack time and effort)

In addition, based on the optimized quantitative measures specified in Table 5, the differences in this study are also presented separately for each major conceptual attribute in Table 6. This study, unlike previous studies, specified a real-time system architecture that combines game theory and formalism for the internal and external communication structure of tactical rugged drones, and also verified the optimal variation period of drone-type MTD by introducing the model checker. In addition, the formal feedback flow of the mutation scheme was also normalized to suit the drone-type MTD designed to meet the continuity and compatibility of tactical drones operated on the battlefield.

Table 6: Conceptual taxonomy table between previous major studies and this study

5 Discussion and Threat-to-Validity

This study extended the scope of adaptation of mutation principles as ‘what-to-move,’ ‘when-to-move,’ ‘how-to-move’ and the scope of a configuration of the MTD mechanisms selected to provide high attenuation of the spatial-temporal asymmetry of attacker dominance over the potential attack surface of mission-critical systems that must be highly secure and safe to unmanned wireless embedded maneuvering platforms such as tactical drones. Based on a Pareto solver that considers both cyber agility and resilience, to reason and prove the adaptive deception performance of the proposed drone-type MTD based on a formal method, this study integrated and performed a structural specification based on diversified decision trees according to PTMDP-based formalism, and verification based on zero-sum games and model checking.

This allowed us to calculate the optimized tradeoff between the drone-type MTD mutation period and mutation cost in the form of a Pareto frontier, according to each correlation between the internal functional components and external communication entities of the rugged drone determined based on the de facto standard. This study can also compare and analyze changes in the Pareto critical point with a multivariate real-valued function based on metaheuristic optimization according to the fine-tuning of key indicators, such as the mutation period, by classifying them into each component and entity.

However, all the calculated drone-type MTD-based sensitivity analysis results simulated only the mutation period and mutation target among the MTD principles, and the mutation tactic, which determines the priority of the mutation target at the next time point, considered only a limited uniform random scheme. Therefore, a conceptualization of more reinforced random-sampling-based mutation tactics is required. Moreover, despite the regulation of the decision boundary of actors to subjectively recognize the asymmetric information currently available to avoid relying on prior knowledge, the issue remains that the decision-making flow is limited to the range of dedicated drone invasion scenarios according to the statically configured decision trees inside and outside the drone. Thus, the definition of a new probability index in the PTMDP is required to materialize the precalculated engagement process, similar to the concept of an attack graph. In addition, as the internal and external vulnerabilities of drones abstracted within the decision-tree-type threat modeling are attributed only to single CVE vulnerability-based CVSS quantitative scores, they are different from the standards, unique policies, and interoperable rules considered by organizations that operate drones based on critical systems. Therefore, the actualization of the proposed formal framework will be conducted by applying all technical requirements and security controls in the Cybersecurity Framework (CSF) and Risk Management Framework (RMF) standards of the National Institute of Standards and Technology (NIST).

6 Conclusion and Future Work

To protect the unmanned wireless tactical drone, which was not reflected in previous studies that calculated MTD principles by focusing only on operational strategies for wired communication fingerprints and manned-type non-embedded systems, this study proposes a drone-type MTD that performs adaptive mutation on the unique fingerprint of critical system-based rugged drones. This article also presents MF2-DMTD, a formal framework that can simultaneously reason, evaluate, and optimize cyber agility and resilience, which fluctuate according to the application of this MTD.

To this end, this study realized formalism by normalizing the drone's internal and external threat modeling based on a PTMDP-based decision tree that contains unique vulnerability vectors, attack types, countermeasures, and sub-goals. Additionally, this paper specified conflict modeling for decisions to simulate intentionally non-optimized mutual competition based on information uncertainty according to PBNE and BSS-based zero-sum game logic. In addition, Pareto optimization for the drone-type MTD was achieved by performing both game simulation and model checking based on the MIQCP for formal verification according to preemptive formal specifications.

Consequently, this study can mathematically prove the proactive avoidance efficiency, post-response function continuity, and independent operation of wireless drones, which are unmanned critical systems. Additionally, this research can calculate the causal relationship associated with privatized asymmetric cognitive judgments for each actor based on incompleteness, subjectivity, perturbation, and a priori belief.

To simultaneously realize the optimization performance improvement and domain expansion of the proposed drone-type MTD in the future, these authors plan to advance the drone-type MTD and MF2-DMTD by applying a decoy that performs induction and isolation and hyper game theory, an unbalanced meta-game. To apply and operate these ideas practically in the mission-critical system domain, these authors also plan to upgrade the testbed in the form of a prototype [50] that can be placed on a trial basis within the space-air-ground integrated network based on combat net radio with aerial telemetry sensor [51].

Acknowledgement: The authors thankfully acknowledge support by the Challengeable Future Defense Technology Research and Development Program through the Agency For Defense Development (ADD) funded by the Defense Acquisition Program Administration (DAPA) in 2023. And, the authors also gratefully acknowledge the helpful comments and valuable suggestions of the reviewers, which have improved the academic contributions.

Funding Statement: This research received external funding from the Challengeable Future Defense Technology Research and Development Program through the Agency For Defense Development (ADD) funded by the Defense Acquisition Program Administration (DAPA) in 2023 (No. 915024201).

Author Contributions: Conceptualization, S.S.; methodology, S.S.; software, S.S.; validation, S.S. and D.K.; formal analysis, S.S. and D.K.; investigation, S.S., B.K. and W.L.; resources, S.S., J.L., B.K., W.L. and D.K.; data curation, S.S. and D.K.; writing—original draft preparation, S.S. and D.K.; writing—review and editing, S.S. and D.K.; visualization, S.S.; supervision, J.L. and D.K.; project administration, S.S., J.L. and D.K.; funding acquisition, J.L. and D.K. All authors have read and agreed to the published version of the manuscript.

Availability of Data and Materials: Please contact the corresponding author at karmy01@kyonggi.ac.kr.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.
