DIGITAL COMMUNICATIONS AND INFORMATION
MANAGEMENT
Tuesday 29th May 2017
DETECTION OF AIS HACKING AND RESULTING RISKS:
DEAIS PROJECT
Cyril RAY/ Associate Professor
ECOLE NAVALE - France
Aldo NAPOLI/ Ressercher
MINES ParisTech - France
Pierre-Yves MARTIN/ Radionavigation Engineer
Cerema EMF / DAM - France
Michel COUSQUER/ Head of Aids to Navigation Department
Cerema EMF / DAM - France
SUMMARY
Maritime environment is experiencing a growing
activity, which has led to the use of new services for
localization of vessels such as the Automatic
Identification System (AIS), which allows real-time
surveillance of maritime traffic and provides aids to
navigation. Recent works have shown that falsification
of AIS messages was possible, and therefore could lead
to illegals actions and new maritime risks. This way,
some ships have been hijacked without the knowledge
of their crew or surveillance centers. DéAIS project
proposes a methodological approach for modelling,
analyzing and detecting these new maritime risks. The
objective is to detect when a ship’s AIS system is
undergoing an attack. For this purpose, real-time AIS
information is analyzed and compared to historical,
expected or predicted information.
RESUME
Le transport maritime qui est soumis à une activité
grandissante a favorisé l’apparition de systèmes
internationaux de localisation de navires tel que
l’Automatic Identification System (AIS), ceci afin
d’accroitre la sécurité de la navigation et de permettre
une surveillance du trafic maritime en temps-réel.
Cependant il a été démontré que la falsification des
informations émises par ces systèmes de
positionnement était possible et que cela pouvait
induire des actes illégaux et engendrer de nouveaux
risques maritimes (e.g. détournement de route de
navigation à l’insu du personnel à bord).
Le projet DéAIS propose une méthodologie de
modélisation, d’analyse et de détection pour signaler
les cas de messages AIS non authentiques et fournir
une évaluation des risques maritimes associés. En
analysant le signal et les informations AIS temps-réel
et en les confrontant avec celles archivées, prévues ou
prédites, l’objectif est de détecter si un navire falsifie
ou fait face à une attaque de son système AIS.
CONTENTS
1. DeAIS Project.................................................................................................................................... 3
2. Objectives......................................................................................................................................... 3
2.1. Postulate:................................................................................................................................... 3
2.2. Assumption:............................................................................................................................... 3
2.3. Main objectives ......................................................................................................................... 3
3. AIS Vulnerabilities ............................................................................................................................ 3
3.1. A variety of ais messages........................................................................................................... 3
3.2. New risks identified ................................................................................................................... 4
3.3. Potential failures and hackings ................................................................................................. 5
3.4. Understanding and modelling ais vulnerabilities and risks ....................................................... 6
4. DeAIS system description ................................................................................................................. 7
4.1. AIS data...................................................................................................................................... 7
4.2. Treatment flow .......................................................................................................................... 7
4.3. From detected flags to risk assesment...................................................................................... 8
5. Evaluation....................................................................................................................................... 10
5.1. Scenarios ................................................................................................................................. 10
5.1.1. Identity ................................................................................................................................................. 10
5.1.2. Position ................................................................................................................................................ 10
5.1.3. Messages #22 and #23 ......................................................................................................................... 10
5.1.4. Overloading .......................................................................................................................................... 10
5.2. Practical implementation ........................................................................................................ 11
5.3. Some results ............................................................................................................................ 11
6. Conclusion ...................................................................................................................................... 12

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 2
1. DEAIS PROJECT
DEAIS is a French national project:
 Funded by the French National Research Agency (ANR) and the French General Directorate for
Armament (DGA)
 Labelled by Pôle Mer Bretagne-Atlantique and Pôle Mer Mediterranée (French Industrial and
Academic Cluster)
The project belongs to the call “Freedom and Protection of Citizens and Residents”. The project
began in November 2014 and lasted 36 months.
The partners of DEAIS project are:

2. OBJECTIVES

2.1. POSTULATE:

The Automatic Identification System (AIS) is vulnerable to attacks and frauds, this leads to many risks
in navigation, masking illegal activities, impairment of surveillance, border control…

2.2. ASSUMPTION:

It is possible to ascertain the truth in a message by analysing its data and signal through the scope of
the quality of its inner information.

2.3. MAIN OBJECTIVES

DEAIS project proposes a methodological approach for modelling, analysing and detecting errors and
falsifications of AIS messages in order to:
 Define anomalies, abnormal behaviors and risks
 Formalize, implement, improve algorithms able to discriminate between normality, errors, and
falsification of AIS (signal and data level)
 Ensure efficient data management and processing: real-time AIS information is analyzed and
compared to historical, expected or predicted information

3. AIS VULNERABILITIES

3.1. A VARIETY OF AIS MESSAGES

With 27 different messages, each having between 6 and 20 different fields, the structure of AIS data
is complex. Data fields in AIS messages are numerous and various:

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 3
 Numeric repr. an ID
Numeric repr. a quantity
Numeric repr. a choice
Textual
Date
Binary

Table 1 – Types of AIS messages

AIS messages can be classified by kind of sender, by type and nature of data:
Image 1 – Variety of AIS messages
Different kind of senders Variety of AIS messages Main messages families

3.2. NEW RISKS IDENTIFIED

Maritime transport represents more than 90% of trade between Europe and the rest of the world. It
has increased by 80% during the last 30 years. In the same time, the number of leisure boat doubled.
Many papers relative to cybersecurity and especially AIS failure have been published recently:
 In 2014, the port of Antwerp had been hijacked by a drug cartel (Le Marin)
 In 2012, a meadle east country falsified AIS data to conceal ship movement of an oil
supertanker (Reuters)

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 4
Several researches have demonstrated misconfigurations, errors, wrong uses and attacks of the AIS
(spoofing online providers, frequency hopping, fake closest point of approach, and D-GPS and timing
attacks, man-in-water spoofing, flooding,…).
Image 2 – Windward report, 2014

3.3. POTENTIAL FAILURES AND HACKINGS

The following figure shows a non-exhaustive list of potential failures and hacking of AIS.
Image 3 – Failures and hackings chart

 (1) GNSS failures/hacking

 (1) Atmospheric disturbances
 (2) AIS transponder configuration

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 5
 (2) VHF interferences
 (2) Intentional erroneous inputs/outputs
 (3) AIS channel overload
 (3) Intentional interferences
 (4) Virtual ships/AtoN generation
 (4) Hacking of AtoN telemaintenance
 (5) Misinformation on real position
 (5) Hacking of onboard AIS transponders
 (5) Wrong differential positioning corrections
 (5) Affect database and information systems
Which can lead to:
 Risks of collision/groundings
 Masking of ship presence
 Masking of illegal activities…
 Impairment of surveillance, border control
 Risks for SAR operations
 Disturbance of economic activities…

3.4. UNDERSTANDING AND MODELLING AIS VULNERABILITIES AND RISKS

A risk assessment with the EBIOS method had been conducted.
EBIOS is a national risk assessment method created by the French National Agency for the Security of
Information Systems (ANSSI), compliant with ISO 27001, 27005 and 31000 norms.
Image 4 – EBIOS principle

1. Identification of the system

2. Clarification of the potential risks that could affect the goods
of the system
3. Inventory of the threats according to the specifications of the
Information System
4. Evaluation of the security needed for the identified threats
5. Specification of the advised measures, planning of the
implementation and evaluation of benefits

All known information about AIS has been gathered and compiled with the help of a naval officer
leading to 334 risks of different levels:

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 6
 Image 5 – EBIOS tables

This overview of the risks linked to the use of AIS must then be strengthened by the discovery of
behaviors, anomalies and falsifications in actual data.

4. DEAIS SYSTEM DESCRIPTION

4.1. AIS DATA

The DeAIS Project used 6 month of data (October 1st, 2015 to March 31st, 2016):
 24.033.893 messages
 27 types of messages: only 14 > 0.01% freq
 6.4 % are not compliant with the ITU technical specifications
 Geolocated messages = 93.6% of all messages
 Message 1 = 64% of all messages
Image 6 – Number of messages per family type

4.2. TREATMENT FLOW

AIS messages are defined by:
 A number of field, depending on the type of message
 Similar or quasi-similar fields in different messages

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 7
 A field in a message can have the same name that a field in another message
 The three first fields are the same for all messages
Considering these points, DeAIS project defined a specific classification for AIS messages,
represented by a three-character ID “XXY”; “XX” for the message number (01 to 27) and “Y”, a letter.

Table 2 – Classification of AIS messages

This classification leads to 935 different items which were implemented and analysed in three steps,
using the logic applied to first order predicates:
 Level 1 : Integrity Assessment
 Level 2 : Falsification Scenario
 Level 3 : Risk Assessment
Image 7 – Treatment Flow

This treatment leads to the apparition of flags which are then considered to assess the risk.

4.3. FROM DETECTED FLAGS TO RISK ASSESMENT

The next step of this analysis consisted in the determination of typologies describing the
environment of marine traffic and an ontological frame linking the stakes, the actors, the anomalies
and the maritime environment.

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 8
 Image 8 – Ontologic Diagram

Finally, flags are combined for risk determination and associated to a level of risk:
 Selected associated risks:
• Boarding / Collision
• Grounding
• Illegal Fishing
• Piracy / Terrorism
• Illegal Transportation
 Selected risk levels:
• 1 : Weak
• 2 : Moderate
• 3 : High
• 4 : Critical
 Selected risk dimensions:
• H : Human
• I : Infrastructure
• E : Environmental
For each message, risk levels are assessed for all three dimension:
 The risk(s) determined for the given situation (flags)
 The type of vessel (given by AIS messages) : T/C = Tankers and Cargos, T/C – H = Tankers and
Cargoes carrying hazardous goods, P = Passengers, Pl/F/S = Pleasance, Fishing and Service
Image 8 – Selected associated risks and risks levels

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 9
5. EVALUATION

5.1. SCENARIOS
In order to test this system, some scenarios has been defined.

5.1.1. IDENTITY
 S1.1.a : incorrect MMSI
 S1.1.b : MMSI with no country code
 S1.2.a : identity not referenced or different from the UE database
 S1.2.b : identity not referenced or different from the French database
 S1.3.a : identity change on [MMSI, callsign, n° OMI, name]
 S1.4 : same MMSI at several place at the same time
 S1.5 : change on the signal signature
Image 9 – Example of S1.3.a

5.1.2. POSITION
 S2.1a : incorrect coordinates
 S2.1.b : appearance of a ship on shore
 S2.2 : loss of a ship and reappearance after a significant time with a different position
 S2.3 : spontaneous appearance of a ship in an area of "low probability of occurrence"

5.1.3. MESSAGES #22 AND #23

 S3.1 : detection of a message #22
 S3.2 : detection of a message #23

5.1.4. OVERLOADING
 S4.1 : abnormal occupation of the AIS frame
 S4.2 : an MMSI (or a type of message) transmits too often
 S4.3 : « white » saturation

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 10
 Image 10 – Overloading of the AIS frame

5.2. PRACTICAL IMPLEMENTATION

DeAIS algorithms should now be able to detect abnormal AIS messages or behaviour.
For that purpose, a specific software has been designed during the project. This software allows the
user to simulate a ship AIS frame and to include in that frame the different scenarios above.
The result of those simulations can be added to the project database or directly broadcasted in real-
time.
The DeAIS System is either able to run its algorithms (apparition of flags):
 on AIS data previously stored on a database
 on a real-time stream
Image 11 – Real-Time Scenario Implementation

5.3. SOME RESULTS

All the tests were conducted in a laboratory, broadcasting low power AIS messages, in order to
preserve the safety of the local maritime traffic.
13/16 presented scenarios were successfully tested. The experimental setup didn’t allow to generate
scenarios 1.5; 3.1 and 3.2.

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 11
 Image 12 – Result of an Identity scenario 1.2.b

6. CONCLUSION
Vulnerabilities, attacks but also fraudulent uses on AIS has been assessed and demonstrated during
the project.
DeAIS aims at providing detection techniques based on message analysis and data mining in real
time.
This approach could usefully be completed in order to improve the tools, make them compliant to all
situation and easier to use. The challenge is to include this methodology in a more general concern:
cyber security at sea.

DETECTION OF AIS HACKING AND RESULTING RISKS: DEAIS PROJECT

P. 12