Picking a Needle in a Haystack: Detecting Drones via Network Traffic Analysis

We propose PiNcH, a methodology to detect the presence of a drone and its current status leveraging just the communication traffic exchanged between the drone and its Remote Controller (RC). PiNcH is built applying standard classification algorithms to the eavesdropped traffic, analyzing features such as packets inter-arrival time and size. PiNcH does not require either any special hardware or to transmit any signal. Indeed, it is fully passive and it resorts to cheap and general purpose hardware. To evaluate the effectiveness of our solution, we collected real communication measurements from the 3DR SOLO drone, being the most popular open-source hardware, running the widespread ArduCopter open-source firmware, mounted on-board on a wide range of commercial amateur drones. Then, we test our solution against different publicly available wireless traces. The results prove that PiNcH can efficiently and effectively: (i) identify the presence of the drone in several heterogeneous scenarios; (ii) identify the current state of a powered-on drone, i.e., flying or lying on the ground; (iii) discriminate the movement of the drone; and, finally, (iv) estimate a lower bound on the time required to identify a drone with the requested level of assurance. The quality and viability of our solution do prove that network traffic analysis can be successfully adopted for drone identification and pave the way for future research in the area.