Mitigation of ADS-B Spoofing Attack Impact on Departure Sequencing Through Modulated Synchronous Taxiing Approach

Apart from delaying flight arrivals, the occurrence of ghost aircraft from an ADS-B message injection attack will also delay departure operations. Moreover, if attacks are designed meticulously, departure operations can suffer substantially, with extensive flight delays and cancellations. To mitigate this, we propose a custom taxiing-out method which encompasses three key components. The first is establishing situational awareness based on pivotal information about the taxiway and spoofing conditions. The next is the application of dedicated algorithms to quickly capitalize on available time to initiate taxiing-out of aircraft clusters after temporary suspension. The last is a function to alternately switch clusters to recommence taxiing-out depending on changes in the spoofing pattern. We simulated our proposed ‘Modulated Synchronous Taxiing Approach’ under several attack scenarios coupled with various taxiing-out schedules using a specially built discrete events model. Through a model formed from integrated queues driven by a taxiing-out algorithm, experiment results show that our proposed approach fares better than other conventional taxiing-out approaches, with more aircraft managing to get onto the runway or closer to the runway. Overall, our proposed approach enhances the resiliency of departure operations whilst constantly maintaining the safety-first principle as the utmost priority amid uncertainties caused by cyberattack.


I. INTRODUCTION
The move to mandate the use of Automatic Dependent Surveillance-Broadcast (ADS-B) as an additional air navigation surveillance method by Air Navigation Service Providers (ANSP) is growing worldwide [1]. The introduction of ADS-B around fifteen years ago, complementing the legacy air traffic surveillance and tracking instruments used by Air Traffic Control (ATC), has enhanced the accuracy and timeliness of determining the position of aircraft flying over regulated airspace [2]. Benefiting from simple deployment and the advancement in satellite tracking technology [3], advancement of ADS-B is not confined to the civil aviation domain, as shown in [4], [5]. Apart from that, the number of studies that focus on improvements to its core features [6], [7] has also been growing steadily since its inception.
The review of this article was arranged by Associate Editor Hyunbum Kim.
Like other electronic automation systems, ADS-B is not spared from cyber attacks [8]. The potential risks from such attacks are more concerning when there are attack types that are relatively unsophisticated and require minimal technical capability and knowledge to launch, such as the ghost aircraft spoofing message injection attack [9]. This type of attack aims to confuse ATC and increase their workload in identifying which aircraft is legitimate and which one is a ghost. A recent survey [10] that analyzed the risk severity of several possible attacks on Air Traffic Management (ATM) categorized ADS-B based cyber attacks as high in risk, while [11] particularly categorized the ghost injection spoofing attack targeting the ground station as an attack type that could bring high negative impact based on the defined scale of low, medium, and high. Impact level in both studies referred to consequences in terms of tangible losses such as mid-air collisions or service deficiencies such as flight delays and cancellations. These continuously degrading conditions would eventually lead to a tarnished organizational reputation and public mistrust in the safety and reliability of air transportation.
Although numerous studies such as [12] and [13] have shown how ghost aircraft spoofing attacks bring chaos to ATC's surveillance system, studies that explore the problem in the context of aircraft ground movement dynamics, such as taxiing for departure in particular, are still lacking. Even though perturbations during aircraft movement on the taxiway were studied in [14] and [15], the studied disruptions were not caused by cyber attack. Therefore we took the initiative to analyze this gap in knowledge and find measures to mitigate the disruptive impact caused by ghost aircraft spoofing in the ADS-B-In system. For this purpose, we collaborated with the Civil Aviation Authority of Malaysia (CAAM) in formulating a taxiing approach for departure operations at a medium sized airport, which is the Kuala Lumpur International Airport (KLIA).
As a result of the collaboration with CAAM, we have successfully come up with the Modulated Synchronous Taxiing Approach (MSTA) [16]. The outcome of the research was encouraging, as our proposed approach managed to bring more aircraft to the Pre-Runway Queue (PRQ) compared to the conventional First Come First Serve (FCFS) sequencing technique during the ongoing spoofing incident. Therefore, we have decided to extend the simulation and analysis in this article by testing our approach with publicly available departure sequencing schedules, strengthening our proposal with different types of aircraft sequencing schedule during spoofing attacks.
The foundation of this proposal is explained in this article beginning with the relevant underpinning academic works referred to in Section II. The characteristics of a high-impact ghost aircraft spoofing attack and the problems it may cause to departure operations are detailed in Section III. Next, Section IV explains our proposed algorithm and the coupled Discrete Events Model (DEM) formulated to mitigate the situation. The conventional techniques currently used by the ATC for departure sequencing are also briefly explained in that section. Section V explains the simulation parameters and the data from departure schedules that were simulated using the DEM, while Section VI explains the simulation results. The article then continues with Section VII, which analyzes the simulation results and discusses common driving principles of today's civil aviation industry in terms of management of departures. Next, Section VIII discusses the adoptability and flexibility of our proposed technique in different airports and dynamics. The conclusion comes in Section IX, followed by the Appendix section, containing attack parameter tables, tested data from two schedules, and tables/figures displaying our proposed approach and simulation results of the conventional sequencing techniques. Our article ends with the acknowledgement section.

II. RELATED WORKS

A. CYBERATTACK MITIGATION IN TRANSPORTATION SYSTEMS
Mitigating cyberattacks has become a challenging task in transportation systems planning, as attack types are becoming more sophisticated and highly catastrophic across all transportation sectors, as discussed by [17]. In that research, the authors proposed a novel risk assessment framework for blockchain technology that supports smart mobility features. Based on their analysis, they found flaws which could potentially compromise privacy and integrity in the customer-facing parts of the systems. Meanwhile, [18] is an example of how cyber attacks on road sign displays were able to induce certain habits or misjudgements in certain road users that eventually posed risks of committing traffic offences and endangering themselves and other users.
Recent research trends in securing ADS-B are mostly preventive in nature, focusing on detecting anomalies in the data broadcast for possible intrusion attempts by adopting machine learning algorithms, as done by [19] and [20]. Besides detecting intrusions, researchers are also exploring encryption techniques that can secure ADS-B from transmitter to receiver by establishing an authentication framework, preventing unauthorized broadcasts. Reference [21] is an example of a highly important study that demonstrated how encryption of the entire broadcast through a customized end-to-end authentication framework managed to secure ADS-B. Despite numerous studies venturing into preventive techniques, our research took another path which is also relevant to the resiliency of departure operations, by formulating a mitigation technique to reduce departure delay in case of successful spoofing attacks. Responsiveness towards perturbations and uncertainties is the key element explored, which distinguishes our research from the preventive ones.

B. COLLISION RISK MODELING
To begin analyzing the attack behavior and its impact on ground movement dynamics, especially on the taxiing-out phase, we identified the risk variable in our model as the risk of mid-air aircraft collision. In the field of aviation safety, numerous studies have proposed risk assessment frameworks to assess hazards in air traffic flow. One of the notable frameworks is the Collision Risk Model (CRM) [22], which assesses the probability of mid-air collisions through consideration of multiple factors such as flight trajectories, ground speed and traffic in the surrounding airspace.
Other literature such as [23] and [24] provided detailed analysis of the state-dependent covariance over the state-space samples. The authors introduced the measured 'Probabilistic Reachable Sets (PRS)' that encompassed uncertainty in the surrounding parts of their simulated near-collision scenarios. In general, the quantifiable results demonstrated how the traversal risks were propagated due to the maneuvering of the threatening aircraft. The authors defined key events regarding mid-air collision, which are the Look Ahead Time (LAT), the involved aircraft identifier, the Closest Point of Approach (CPA) between the two aircraft and the time to CPA.
We share the same premise and objective as CRM and the identification of CPA, which is that the incident of mid-air collision must be averted at the soonest. Based on this premise, spoofing attacks can also be perceived as a real intrusion due to the anonymity of the spoofed ghost aircraft in the beginning. In a ghost aircraft spoofing attack scenario such as depicted in Fig. 1, the possibility of collision with a spoofed ghost aircraft still warrants a safe separation due to the ghost aircraft's unknown identity. In the beginning, the identity of the intruder is unverifiable as it is made of fake ADS-B messages. Thus, every aircraft that appears on the ATC's screen would be treated as a real aircraft. On top of the risk assessment method, [22] also discussed the time evolution prior to collision and the related safety measures that are put in place.
We acknowledge that [22] reflected on the risk posed by a form of unidentified airspace intrusion and the anticipated responses that we tried to demonstrate in our research. Any departure scheduling actions on the airport ground must reflect what is happening in the airspace. Traffic and weather conditions might be the most common factors in planning flights and arranging the schedule, but spoofing events, in the form of an unidentified aircraft flying over the airspace, pose a serious threat amounting to airspace closure. These circumstances require a special scheduling approach that is able to cope with uncertainties. Air side and land side operations are significantly correlated; therefore mitigation for ground problems should be strategic, far sighted and inclusive of developments pertaining to ATM, so that the solution would be robust and in line with the evolution of air transportation operations.

C. STUDIES ON TAXIWAY AND RUNWAY OPTIMIZATION
In general, recent studies on taxiway and runway optimization focus on throughput rate and delay minimization using modified and enhanced algorithms. This can be clearly found in [25], whereby the authors analyzed the total time taken for a makespan against the runway operation time of a group of aircraft. The optimization proposed by this study is through the branch and bound technique using best first search, which aims to minimize each makespan. Best first search is quite similar to the approach that we used in our research. The difference between our research and [26] is the deployment technique and the output of the approach in quantifying the properties for justifying the reliability and efficiency of the proposed solution.
Another approach that looks similar to ours, but uses a greedy and dynamic programming approach, has been explored by [27]. In general, the study applied purely mathematical formulations to compute optimized solutions based on early simulations using inputs of unequal ready-times, target times and deadlines. The scenario seemed straightforward, with consideration given to heavy traffic volume. Although the algorithmic approach is quite similar to the one used in our research, the dynamics were far different, as our spoofing incident causes a different type of perturbation and the applied parameters were totally different.
In brief, the above studies on taxiway optimization explicitly discussed different problems compared to ours. Even though concepts such as 'best first search' and the 'shortest task first' technique appear in our research, we analyzed our set of problems using methods and techniques that exclusively single out perturbations to ground movement caused by ADS-B ghost aircraft spoofing attacks in the airspace region. We also examined how uncertainties within a short time span should be treated with a technique that can provide relief to an airport ground movement situation which has already been plagued by uncertainties.

D. EFFECTS OF UNCERTAINTIES
Among the major influential factors of a taxiway rescheduling operation is the existence of uncertainties, which was described in depth in [28]. Considering heuristic principles, the authors computed the proposed solution using the FCFS approach to obtain a clear and fast solution. Meanwhile, [29] studied elements of uncertainty in depth by defining several objective functions beginning as early as when an aircraft is under pushback and begins movement on the taxiway. In our crafted scenario, this phase is explicitly plagued with perturbations and uncertainties delaying the target time to reach certain points along the taxiway up to the runway. However, our scenario's spoofing attack perturbations are exclusively crafted to demonstrate impact on ground departures with logical time scale and magnitude. We carefully defined the attack parameters to be as close as they would be in the context of real aircraft departure operations, based on inputs from a civil aviation authority. There is also a study, brief but meaningful, on determining the state of the taxiway at certain time points, as explored by [30]. Its simulation results clearly showed the physical location of aircraft along the taxiway at certain time points. However, no objectives for optimization were defined, as the study only provided supporting information for decision makers in coming up with robust flight plans.

III. GHOST AIRCRAFT SPOOFING ATTACK SCENARIO: HIGHLY DISRUPTIVE ATTACKS FROM ATC'S PERSPECTIVE
The notably changing pattern of spoofing over several time periods creates prolonged confusion and broadens the uncertainties experienced by the ATC. Whenever emergency situations affecting approaching flights occur, priority will absolutely be given to the airport's inbound flights to ensure safe landing. Therefore, arrangements on the ground will need to accommodate this objective, to the extent of departure suspension and allocation of a specific runway and taxiway for smooth landing and arrival. Inspired by the hostility of such situations, and at the same time trying to apply immersive thinking on how a cyber attacker would launch a high-impact attack, we crafted attack scenarios to test our approach with multiple aircraft taxiing-out sequence schedulers. This is vital so that we could analyze the results by comparing simulation outcomes of the tested schedules discretely to determine the effectiveness of our approach.
Fig. 2 depicts the perturbations that disrupted the aircraft taxiing-out movement. At specified time steps, certain aircraft might be able to proceed and reach the runway while others might have to wait for the spoofed ghost aircraft to cease. As the situation evolves, previously stalled clusters are allowed to recommence taxiing-out as the airspace regions that those aircraft intend to fly through are now free from spoofed ghost aircraft. This turn of events takes place periodically during the whole simulation run time at defined time steps. We have carefully designed and imitated this entire scenario, including the dynamic changes of the state of the taxiing-out procedure, in a specially built DEM.
We discussed further with CAAM and tried to assimilate into the mind of an attacker whose sole objective is disrupting the ATM at the worst level. A thoughtful attacker who knows how ATC would respond would pose a high level threat. A previous study by [31] predicts the decision making process carried out by an attacker targeting a Cyber-Physical System (CPS) through attack tree analysis and its probable consequences. Even though the study did not specifically touch on any kind of aviation CPS, the main takeaway is that a well prepared attacker might craft a devastating attack on the ADS-B system through actions in a series of events. Each event leads to another and, as the stages progress, the consequences of disruption to the ATM escalate. Attack on aviation CPS has high likelihood due to the extensive level of sophistication throughout the systems to enable communications, navigation and surveillance, as demonstrated in [32].
In a closely connected technical area, studies such as [33] and [34] have proven that whilst radar jamming technologies are being improved for security purposes, they can also be manipulated for malicious goals. This proves that the risks posed by cyber attackers are valid and real. Meanwhile, Fig. 3 depicts the concept of an integrated attack that can create a high impact attack scenario as a basis for our analysis. Upon radar system jamming, fusion localization capability degrades substantively while, synchronously, false ADS-B messages (ghost spoofing) are being injected or broadcast into the ADS-B ground receiver and linked to the ATC surveillance system. When this happens, radar sensing would not be visible on the screen and, with only the ADS-B link available, the ATC would be relying totally on this sole surveillance system whilst trying to observe the entire situation as best as possible. The situational awareness that exists up to this level will be the basis for determining the type of departure realignment technique that would be able to mitigate the attack. The expected response by the ATC based on emergency procedures would be to monitor vigilantly while trying to verify the authenticity of the anonymous aircraft through radio checks and other available means. This entire chain of events, beginning from attack detection through ADS-B as the sole surveillance system, until deciding on suspension of departure and later on recommencement of departure amid uncertainties, is depicted in Fig. 4.
Based on the opinion of CAAM's ATC experts, we explored the characteristics of a high-impact ghost aircraft spoofing attack that would disrupt ATM tremendously. An integrated attack may amplify the impact severity depending on the level of situational knowledge possessed by the attacker and the amount of technical preparation. Today, there are open sources of ADS-B data available, enabling live tracking of flights across the globe. Open access information could nurture understanding of the frequently used routes and of how a normal flight profile should look when flying over certain airspace. The established knowledge can be used negatively by anyone with ill intent. An attacker's capability was demonstrated in [35] through a structured attack launch with the objective of inflicting maximum damage on air traffic management.
Considering the criticality of possible impacts that can be caused by ghost aircraft spoofing attacks, we adopted the primary criteria of our attack scenario based on the tangible impacts analyzed in [36] on the Arrival-Ground Movement-Departure (AGMOD) operations and also in [37], which probed the impact on en-route aircraft. In another study on tactical flight diversion for mitigating risks of ADS-B ghost aircraft spoofing done by us recently [38], we refined the criteria, which are:
1) Location of ghost spoofing
2) Ghost aircraft behavior
3) Attack magnitude or density
As per [38], the location of the spoofing incident determines the type of response that should be taken by the ATC. Through a series of consultations with CAAM, a busy airspace, especially a terminal airspace such as the Lumpur Terminal Maneuvering Area (TMA) in Fig. 5, is most likely to experience the highest impact from irregular flying activities or noncompliance with the enforced local rules and regulations as listed in [40]. However, ghost aircraft spoofing activities within the TMA itself can be extremely disruptive in the early stage but could only last for a brief period. This is due to the ability of independent optical verification by the ATC tower or from situational updates by landing or passing aircraft. In contrast, spoofing attacks on the outer side but near the TMA borders take more time to be verified.
Besides location, [38] briefly explained how the behavior of a ghost aircraft affects the ATC's responses. A skillful attacker would launch a ghost aircraft that resembles an aircraft with a legitimate flying profile in terms of its trajectory, speed and altitude that correlates with its current location or flying phase. Ghost aircraft that merely try to disrupt the airspace without proper disruptive trajectories, for example with random movements on unnatural flying routes and frequent changes in heading, could be identified sooner as spoofing. This can be detrimental to the objective of the attack in maximizing the disruption to inbound flights. The third criterion mentioned by [38] that is vital in creating a high impact attack is the magnitude or density of the attack. The occurrence of more than just one ghost aircraft exhibiting the characteristics discussed above will cause more serious repercussions than a single ghost aircraft. However, the appearance of excessive ghost aircraft might be unrealistic. CAAM is of the opinion that the right combination of number and frequency will determine the impact and look more real. The direct impacts on the ATM are the duration of flight delays and the number of affected real aircraft, as demonstrated by [37]. Fig. 6 shows how the three discussed criteria become highly disruptive in a major attack scenario. In the context of the climbing phase of aircraft originating from KLIA through the standard departure instrument of KLIA, the appearance of a ghost aircraft with a trajectory profile resembling a legitimate aircraft on approach would cause serious confusion to ATC and disrupt the smooth climbing phase of departed aircraft.
The confusion experienced by the ATC might get deeper if spoofed ghost aircraft trajectories are purposely crafted to look like an aircraft in descent phase, heading towards KLIA for landing, while of course not responding to communications initiated by ATC and neglecting traffic rules and safety regulations. Moreover, if the attack incidents persist over a time range that is neither too short nor too long, for example within a period of 30 to 40 minutes, it is within the time period in which ATC would still be scrambling to verify the legitimacy of the ghost aircraft. These types of attacks will consume ATC's time and trigger huge effort in trying to resolve the incidents. Critical developments would reach their peak during this period. Successful alleviation by the ATC could bear some results right after this time period passes. Higher impact can be anticipated when two ghost aircraft are detected, for example in the case of a multiple ghost aircraft spoofing attack which occurs in the eastern airspace region. Continuous or subsequent attacks within the critical time period would create longer disruption to the departures of aircraft heading towards this airspace region. However, according to CAAM, too many spoofed ghost aircraft might be verified as false targets sooner and would jeopardize the entire attack.

IV. SYNCHRONOUS TAXIING APPROACH AND DISCRETE EVENTS MODELLING
During emergencies, including an ADS-B based spoofing attack incident, ATC's priority is to ensure that aircraft approaching the airport land safely. The ATM would be full of uncertainties that require impromptu decision making. As [37] has modeled the ATC's response and the cascading effects that occurred, movements on the ground were limited to arrivals and taxiing-in, while pushback, taxiing-out and takeoff were put on hold. This particular incident is actually directly caused by the degradation of other surveillance systems, such as radar failure. When the attacks have subsided, or the situation has started to improve and is gradually getting back to normal, the ATC at this point may decide to resume departure. However, if there are still ongoing attacks, a special procedure is required to ensure unaffected aircraft can take off safely and smoothly without experiencing further delay and avoiding the possibility of a long waiting time, stalled on the taxiway during taxiing-out.
In mitigating the above problem, we laid out the primary objective of our proposed taxiing approach as assisting the ATC in resuming departure amid an ongoing ADS-B spoofing incident. It is carried out through three key components or phases, which are the establishment of situational awareness of the current spoofing pattern and the aircraft sequencing jobs in hand, selection of the aircraft cluster for taxiing-out, and cluster switching while taxiing-out. The entire approach is modeled based on discrete events progression, which is comprised of a set of events that alter the dynamics on the taxiway through inducement of perturbations and disruptions to the flow of the taxiing-out process.

A. FORMATION OF CONCURRENT QUEUES
We view the standard time taken to progress to the runway at KLIA from a specific gate as a variable that can represent the current state of the entire departure queue. The departure queue is a composition of a sequence of 7 concurrent queues: one formed for each minute from six minutes till two minutes distance to the runway, the Pre-Runway Entrance Queue (PreQ) and the runway server. This sequence can be indicated as;
The total number of aircraft filling a specific queue at a designated zone can be noted as $x_{q_n}$, with $x$ referring to the current number of aircraft in the particular queue, which at normal capacity satisfies $x \le M_n$; $M$ is the maximum capacity of queue $n$. Thus, the state function to represent the number of aircraft attempting to taxi out for departure at KLIA's taxiway is
Queues for taxiing-out are reassessed each time the spoofing attack changes to another airspace region. These dynamically interchanging patterns fit with the queue formation discussed in several studies on intelligent transportation systems such as [41] and [42].
To gauge the performance of a taxiing-out approach, we applied a customized zonal queuing mechanism to demonstrate the statistical formation during the entire taxiing process till simulation end time. As shown in Fig. 7, the 7 specified queues in designated zones are formed through the standard progression time to the runway. In our simulation, these queues are also programmed to record the number of aircraft that have entered and passed through them. At the end of the simulation, the statistics recorded by these queues form part of the overall statistics for measuring the performance of the taxiing-out approach.

B. ALGORITHMIC FLOW
Fig. 8 describes the three core components of our proposed synchronous movement approach.The first component is the assessment of vital information about location of parked aircraft, standard time that would be taken by each aircraft to reach the runway and ghost aircraft spoofing pattern attack.Spoofing attacks behavior will determine which aircraft cluster may proceed with departure and which should wait at their respective gates.After a period of observation and departure suspension, the ATC may arrive to decision to recommence departure operations.Information gathered since the beginning of the incident and reaching the tolerable risk level might allow the departures to resume.In relation, the middle section in Fig. 8 are the applied algorithms for departures, which aircraft are released synchronously with Shortest Job First (SJF) leading the clusters to the runway.Fig. 9 explains the flow of our model in administering the departure sequence amid the ongoing spoofing attack.First and foremost, the cyber-attack incident is assessed by ATC and which air space sector is affected.At the same time ATC establishes pivotal information regarding aircraft on the ground and at where they are located.This step will provide rough picture which aircraft would not be able to proceed to takeoff due to the spoofing activities in the airspace that these aircraft have to fly through.Unaffected aircraft will be allowed to get into taxiway out and head to the runway for takeoff.As these aircraft move towards the runway, the sequencer driving algorithm guides iterative checks for change in spoofing pattern and if there is a change of affected air space, the sequencer would only allow the unaffected aircraft to proceed while the affected ones remain at their gates or temporarily halted at the taxiway, allowing other aircraft to bypass.
Meanwhile the middle flow on the right side is the part which the modulation is being executed by making the 'Algorithm Execution' phase responsive and adaptive to the perturbations.The changes are tracked and monitored by the model and updates the synchronous movement based on affected airspace region of aircraft clusters as per the current ongoing spoofing patterns.We name it as the 'Algorithm Modulation' phase which describes its adaptability with changes in the spoofing scenario.The modulation is confined to the algorithm that is being used to guide departure operations.For instance, changes in spoofing pattern, magnitude and time will make the current algorithm to allow progression of clusters on the taxiway only if the airspace is free of ghost spoofing.
Among the existing practices by the ATC in sequencing taxiing for departure is based on the original time schedule before the occurrence of delaying events.The flow in Fig. 10 represents two types of conventional sequencing which is the Time-Prioritization (T-P) and Location-Prioritization (LP) approach.T-P is a practice whereby the ATC prioritizes aircraft takeoff by allocating next available departure time as per the order in the original schedule.It is also normal for the ATC to allocate a separation time between 1 to 1.5 minutes for aircraft to start taxi and heads to the runway, depending on traffic flow of the surrounding airspace.The separation time to start taxiing is usually prescribed as a mean to avoid congestion at the Pre-Runway Entrance Queue (PReQ) and to prevent possibility of idling during taxiing-out.
In the case of uncertainties arising from perturbation events caused by ghost spoofing, the ATC would execute the time-prioritization schedule during this incident with the current available knowledge of which airspace region is clear and safe for takeoff.Aircraft that intend to fly through affected airspace will still be put on hold at their respective gates.However while taxiing takes place, a sudden change in the attacked air space region would see the affected aircraft to be halted at their current locations, whether at the gates or on the taxiway.The ATC then needs to revise the time-prioritization schedule once again to identify which aircraft in line that are able to proceed for taxiing.The ranking based on original schedule remains although sequence is being revised.Aircraft clusters that are allowed to proceed for taxiing are getting switched over and over again based on the spoofing conditions, until the attacks are clearly resolved.
Besides the T-P schedule for recommencing departures, the ATC may also opt for Location-Prioritization (L-P) departure under certain circumstances. One possible situation in which this approach is used for recommencing departure is the long waiting time experienced by certain clusters of aircraft which have moved from their originating gates. In any delaying event, which could also include our cyber attack scenario, aircraft recommencement might be done based on their current position to facilitate quicker takeoffs.
The flow of L-P differs from T-P from the beginning. The sequence for takeoff is built on the 'shortest job first' criterion in order to assure little waiting time for aircraft which are located close to the runway. Whenever the spoofing attack changes, as in our crafted attack scenario, alternate clusters will be selected for taxiing and the ones which are closer to the runway continue to be given priority to move first. The separation of 1.5 minutes between aircraft would also take effect in order to avoid congestion. This approach aims to expedite takeoffs by simply choosing aircraft which are already close to the runway.

V. ATTACK BASED SIMULATION OF MSTA, T-P AND L-P
Based on consultation with CAAM, in general there are three designated airspace regions for climbing after takeoff at KLIA, which are Northern (N), Eastern (E) and Southern (S). In our crafted attack scenario, these airspace regions are alternately attacked with ghost aircraft spoofing. The first attack instance spans 3 minutes, from T = 0 minute (m) till T = 2.9 m. This attack targets the S airspace region. Next, the attack shifts to the E region, beginning at T = 3.0 m till T = 5.9 m. Lastly, the attack focuses on the N region and is defined a bit longer, from T = 6.0 m till T = 10.0 m. In accordance with the discussed attack qualities of a high-impact scenario, the occurrence of a single ghost aircraft spoofing attack is already enough to coerce the ATC to suspend departures. Thus, our simulation is designed based on a single ghost aircraft spoofing, occurring during the designated time period in a specified airspace region. We assume movement speed is always consistent for all aircraft and that there is no other traffic intervention on the taxiway except for this taxiing-out simulation. According to CAAM, the earlier stage, when the ATC has decided to recommence departure, is the period with the highest volatility. A slight perturbation will trigger the effect of uncertainties. This is the reason why we change the attacked airspace regions throughout the simulation by creating three attack periods. The entire attack duration and the affected airspace regions are summarized in Table 3 in Appendix 1A.

A. ATTACK DURING PEAK TIMES
We adopted the departure schedule on October 18 2022, from 0900 till 0950 hours at KLIA 1, as per Table 5 in Appendix 2A, to simulate an attack during a busy departure period. This schedule is among the schedules that contain the highest number of departures within a one-hour time frame. We limit the number of aircraft to the total number which have been delayed for the past one hour because, based on CAAM's feedback, the ATC would supposedly take up to an hour before deciding on using MSTA. This schedule in particular consists of the allocated departure times of 17 aircraft. Next, we simulated the data using our discrete events model of perturbations on taxiing-out during departure. Besides MSTA, we also computed the reshuffled sequence of the peak time schedule using the conventional T-P and L-P approaches for performance comparison.

1) DISCRETE EVENTS MODEL FOR MSTA
Fig. 14 in Appendix 3A is our proposed MSTA model for simulating the peak schedule in Appendix 2A. The model, which is developed using MATLAB Simulink's SimEvents®, replicates the entire taxiing-out sequence comprising the 'Farthest', 'Middle', 'Nearest' and 'PRQ' zones, including the perturbations caused by ghost aircraft spoofing attacks that occur during the taxiing-out simulation run time of T = 10.0 minutes. Changes to the state of the system dynamics are statistically recorded across the model.

2) T-P AND L-P SCHEDULING SIMULATION
The sequencing order for T-P is based on whichever aircraft is listed first in the original schedule. This condition is similar to the 'First In First Out' (FIFO) scheme. The table in Appendix 5A shows the simulated results of the sequencing. We deliberately keep the simulation in tabular form to highlight the order in the schedule and to demonstrate which aircraft was prioritised over others. The ATC will assess the entire job as a whole and determine the planned time for each aircraft to enter the runway. The time for an aircraft to begin movement depends on the time it is expected to reach the runway from its current position.
We adopted a color-coded scheme to visualize the aircraft movements and to mark spoofing event occurrences. Red columns represent spoofing events and mean no movement. Aircraft that were allowed to proceed for taxiing-out during the first attack period are shown as light yellow columns. Aircraft that began movement during the second attack period are assigned the color blue, while aircraft that began to move during the third attack period are shown in purple columns. The specific color code which represents an aircraft's progression is maintained till the end of the simulation, unless the particular aircraft has managed to enter the runway, in which case it turns into a green column. Blanks with dashes mark aircraft that were not selected for taxiing even though the airspace region that they intended to fly through was not affected by the ongoing spoofing incident. On top of that, there are colorless columns with dashes that supersede the green ones horizontally, meaning that no movement is required as the aircraft had reached the runway. Some aircraft theoretically were allowed to move but their respective 'Time to begin movement' and 'Planned time to enter runway' details were not disclosed, as the changes in the spoofing attack period made the projected sequence obsolete and required a revision by the ATC. The movement columns for these aircraft are also blank with dashes. The same color-coded procedure was also applied in the L-P simulation in Appendix 5B.
In L-P, prioritization of the aircraft that is closest to the runway makes the sequence predictable from the beginning of every attack period. Despite its difference from T-P in aircraft selection, both approaches practice the commencement of concurrent movement for aircraft that have non-conflicting 'Planned time to enter the runway'. Its selection basis may see major changes of aircraft location, starting from the area close to the runway and gradually followed by aircraft in the subsequent zones.

B. ATTACK DURING NON-PEAK TIMES
We adopted a schedule for departure from 1800 till 1850 hours on the same date and at the same airport, as in Appendix 2B. We built a model, as in Appendix 3B, similar to the Peak-Time DEM but much simpler, as it comprises only 47 percent of the load of the peak schedule entities. The Farthest Zone comprises 3 aircraft located 6 minutes from the PRQ Zone. In the Middle Zone, one aircraft is parked 5 minutes from the PRQ Zone, while in the Nearest Zone, one aircraft is located 3 minutes from the PRQ Zone and there are two aircraft which are 2 minutes from the PRQ Zone. We maintained the attack scenario and pattern of three periodic attacks but swapped the S airspace with N as the first airspace to experience spoofing attacks. The E airspace came second, while the S airspace was attacked in the last period. Total simulation run time remains 10.0 minutes. The entire attack duration coupled with the affected airspace are as per Appendix 1B.
After we ran our MSTA model for the non-peak schedule, we computed the non-peak sequence using aircraft movement diagrams, because the limited number of aircraft enabled us to plot the movement of the related aircraft directly, guided by the respective algorithms. Simulated movement diagrams for the T-P approach and the L-P approach are in Appendix 4A and Appendix 4B respectively. Both figures show numbered sequences, tracks for each aircraft that moved, dashed delimiter lines representing the borders of the zones on the taxiway and the time from there to reach the PRQ, and the recorded time for aircraft that entered the runway.
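The sequencing rules described in this section can be compared directly in code. The following sketch is an added example, not the paper's SimEvents model: it steps the non-peak attack pattern (N, then E, then S) over a constructed fleet and compares T-P, L-P and a simplified synchronous release ('SYNC', a stand-in for MSTA's concurrent cluster movement). The aircraft names, their airspace regions, the 0.5-minute tick, the zone boundaries and the rule that an aircraft does not enter the runway while its region is attacked are assumptions, so the counts it produces are not the paper's results.

```python
from collections import namedtuple

TICK_MIN = 0.5    # one simulation tick in minutes (assumption)
SEPARATION = 3    # the 1.5-minute separation from the text, in ticks
# Non-peak attack pattern: N, then E, then S (tick ranges, end exclusive).
ATTACKS = [(0, 6, "N"), (6, 12, "E"), (12, 20, "S")]

Aircraft = namedtuple("Aircraft", "name ticks_to_prq region")
# Constructed fleet in original schedule order. Distances follow the non-peak
# layout (3 x 6 min, 1 x 5 min, 1 x 3 min, 2 x 2 min); names and regions are invented.
FLEET = [
    Aircraft("F1", 12, "S"), Aircraft("N1", 4, "N"), Aircraft("M1", 10, "E"),
    Aircraft("F2", 12, "N"), Aircraft("N2", 6, "E"), Aircraft("F3", 12, "E"),
    Aircraft("N3", 4, "S"),
]


def attacked_region(tick):
    """Airspace region carrying ghost-aircraft spoofing at this tick, if any."""
    for start, end, region in ATTACKS:
        if start <= tick < end:
            return region
    return None


def zone_ratio(remaining, on_runway=()):
    """Farthest : Middle : Nearest : PRQ counts; zone boundaries are assumptions."""
    counts = [0, 0, 0, 0]
    for name, ticks in remaining.items():
        if name in on_runway:
            continue
        zone = 0 if ticks > 10 else 1 if ticks > 6 else 2 if ticks > 0 else 3
        counts[zone] += 1
    return tuple(counts)


def simulate(policy, fleet=FLEET, total_ticks=20):
    """policy: 'T-P' (schedule order), 'L-P' (shortest job first) or 'SYNC'."""
    remaining = {a.name: a.ticks_to_prq for a in fleet}
    region = {a.name: a.region for a in fleet}
    start_ratio = zone_ratio(remaining)
    order = [a.name for a in fleet]                    # original schedule order
    if policy == "L-P":
        order.sort(key=lambda name: remaining[name])   # closest to the runway first
    released, prq, on_runway, entries = set(), [], [], []
    last_release = last_entry = -SEPARATION
    for tick in range(total_ticks):
        bad = attacked_region(tick)
        # 1) Gate release: never towards a spoofed region.
        clear = [n for n in order if n not in released and region[n] != bad]
        if policy == "SYNC":
            released.update(clear)                     # the whole clear cluster moves
        elif clear and tick - last_release >= SEPARATION:
            released.add(clear[0])                     # one aircraft per separation slot
            last_release = tick
        # 2) Runway entry: first queued aircraft with a clear region, separated in time.
        ready = [n for n in prq if region[n] != bad]
        if ready and tick - last_entry >= SEPARATION:
            prq.remove(ready[0])
            on_runway.append(ready[0])
            entries.append((ready[0], tick * TICK_MIN))
            last_entry = tick
        # 3) Movement: released aircraft advance unless their region is attacked.
        for name in order:
            if name in released and region[name] != bad and remaining[name] > 0:
                remaining[name] -= 1
                if remaining[name] == 0:
                    prq.append(name)
    return {"entered": entries, "start_ratio": start_ratio,
            "end_ratio": zone_ratio(remaining, on_runway)}


if __name__ == "__main__":
    for policy in ("T-P", "L-P", "SYNC"):
        result = simulate(policy)
        print(policy, len(result["entered"]), result["start_ratio"], result["end_ratio"])
```

With this constructed fleet the synchronous release gets five aircraft onto the runway against three for L-P and two for T-P; changing the invented regions or distances changes those counts.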

A. PEAK SCHEDULE

1) RUNWAY
First, we evaluate the performance of the three simulated approaches based on the number of progressive aircraft at four different zones and the runway. As in Fig. 11, MSTA records five aircraft in the runway, starting from the first one at t = 3.5 seconds (s), while the following four aircraft consistently arrived within 1.5 minutes (m) intervals. This shows that the Shortest Job First (SJF) algorithm, by selecting aircraft that are close to the runway, has taken advantage of the available time and airspace. The same result can also be seen with the location-prioritization scheme, as this approach adopts SJF too. Identical results were recorded in MSTA and L-P in. Meanwhile, the number of aircraft that entered the runway is slightly lower with the T-P approach, as only two aircraft were recorded within the same simulation run time. At the end of the simulation, the closest aircraft to enter the runway is at the runway server, finishing its final checks with a remaining preparation time of 0.5 m before entering the runway.

2) PRE-RUNWAY QUEUE
Before getting into the runway, there are two locations where aircraft are queued: the runway server, the place where the next aircraft to get into the runway waits, and the Pre-Runway Entrance Queue (PReQ), the final queue before the runway. In our model, we name the combination of these two short consecutive queues the Pre-Runway Queue (PRQ). The total number of aircraft that made their way into the PRQ is our second performance evaluation zone. Fig. 12 contains charts of the PRQ showing that, at most times, the runway server in all three simulated approaches is fully occupied, as it functions to hold a single aircraft before letting it into the runway. However, in the PReQ, MSTA and time-prioritization produced similar results with two aircraft remaining at the end of simulation, while for location-prioritization, no aircraft is in the PReQ at the end of simulation.

3) AIRCRAFT RATIO OF FARTHEST-MIDDLE-NEAREST-PRQ (EXCLUDING RUNWAY) ZONES
Moving deeper into the taxiway zones, the movement of aircraft within the three zones plus the PRQ is a significant factor in determining the performance of the taxiing approaches. Performance is determined by the difference between the ratios of aircraft within the three zones and PRQ at startup against the ratios at the end of simulation run time. For instance, statistical data by MSTA in Fig. 12 notably can be represented in progression ratio. By comparing the ratios, we can identify and differentiate the rate of aircraft progression of all the three approaches:

Ratio, R = Farthest : Middle : Nearest : PRQ
R = F : M : N : P

Thus, ratio at start is while ratio at the end is

Based on the simulation results, the following Table 1 summarizes the situations of prior and after for each approach.
It is clearly shown that MSTA managed to bring all aircraft into the Nearest Zone. Meanwhile, between T-P and L-P, the former fared better as it enabled more aircraft to progress into the Middle and Nearest Zones compared to the latter.

B. NON-PEAK SCHEDULE

1) RUNWAY
For the Non-Peak simulation, the discrete events that took place were less complex due to fewer aircraft being involved. Using the number of aircraft that successfully entered the runway during the simulation run time of T = 10m as the primary performance index, MSTA recorded five aircraft, beginning at T = 3.5m, while the last one entered at T = 9.5m. Meanwhile, L-P recorded a similar statistic, with the same number of aircraft that entered the runway and the same time intervals. T-P only managed sixty percent of the performance shown by the earlier two approaches, with only three aircraft getting into the runway, specifically at T = 3.5m, T = 7.5m and T = 9m. This was mainly due to the dual factor of the perturbation that occurred and the aircraft's physical location. Progression charts for all three approaches can be viewed in the Aircraft Entering Runway charts as per Fig. 13.

2) PREQ
For the non-peak schedule, MSTA had this queue at maximum capacity, with two aircraft waiting to be allocated the runway for takeoff at the end of simulation run time. For T-P, one aircraft is recorded in the queue, while in L-P, the PReQ records two aircraft.

3) ZONAL RATIOS
Aircraft ratios within the three zones at the beginning and end of the simulation are as per the following Table 2.

TABLE 2. Start and end ratio of farthest-middle-nearest zone (non-peak).

VII. ANALYSIS AND DISCUSSIONS
In general, the situational state of the taxiing can be denoted as the total aircraft, $\alpha$, in its state of distribution according to the zones of the taxiway, $S_n$. For $\alpha = w + x + y + z$:

$w$ = total number of aircraft in farthest zone
$x$ = total number of aircraft in middle zone
$y$ = total number of aircraft in nearest zone
$z$ = total number of aircraft in PRQ

The state of taxiing at the beginning of simulation (before perturbation) is:

Based on the above starting distribution ratio, the state of taxiing at a particular instance (upon a perturbation) can be derived as:

$S_n = w_n : x_n : y_n : z_n$, for 3 attack instances in our simulation, $0 < n < 3$

Thus, the end state, $S_{end}$, of the distribution ratio of the simulation is:

Based on the series of simulation runs of our proposed MSTA, it is learnt that the factor of concurrent movement on the taxiway has enabled more aircraft to progress from their gates of origin under the period of perturbations caused by the cyber attacks. Both simulations, for the peak and non-peak schedules, displayed similar traits. In the peak schedule simulation, five aircraft managed to enter the runway and the remaining ones are at least within the nearest zone of the KLIA taxiway. The results of the non-peak schedule simulation echo the impressive performance in the peak schedule, with all aircraft successfully entering the PRQ zone and five managing to enter the runway.
Unlike MSTA, the T-P and L-P approaches do not fully practice concurrent movement of aircraft towards the runway. However, these two approaches adopt concurrent movement for aircraft that are located quite a distance from each other and whose projected time of arrival at the PReQ will not compromise the 1.5 minutes of separation rule, the rule which is of the essence for both T-P and L-P to conveniently prevent idling and long queues on the taxiway.

A. PRINCIPLE OF FAIRNESS AND EQUALITY
In L-P, aircraft which are located near the runway will benefit from the preferential bias toward this location-based cluster. Similar to shortest job first, this cluster only requires a short period of time to get into the PRQ. This is the main reason why L-P managed to record a number of aircraft entering the runway similar to our proposed MSTA. However, L-P performance peaks mostly when the number of aircraft within the nearest zone is proportionate to the total simulation run time. Too many aircraft within the nearest zone with a limited simulation run time will not bear the same impressive results for the majority of the aircraft. As more aircraft are located within the nearest zone, the time required for all aircraft to progress increases directly.
The mediocre, or least, performance is shown by the T-P approach in our series of simulations. The least number of aircraft that entered the runway, and ratios with a significant number of aircraft left especially in the farthest and middle zones, show that time-prioritization practices require more time on top of the separation time in abiding by the scheduled sequence. Fairness to aircraft which were scheduled to depart first would be served by the T-P approach. However, this is not always true when concurrent movements are allowed for aircraft with non-contradicting times of arrival at the PReQ. The reason is none other than to facilitate immediate progression during perturbations.

B. CLOSE MONITORING AND INCREASED WORKLOAD FOR THE ATC
It is apparent that every time a perturbation occurs (in our case, the ghost spoofing attack), the taxiing sequence is disrupted and the impact lies with the characteristics of the attack. Each time the attack pattern changes or another airspace region is affected, the ATC has to recalibrate its schedule to reflect the emergency situation and to follow the planned mitigation. The workload increase is greatest with T-P sequencing, as it aims to achieve fairness, uphold First In First Out (FIFO) selection based on the original schedule prior to perturbation, and prevent idling and long queues before the runway. Meeting these three primary criteria requires thorough assessment, especially if rescheduling depends solely on manual effort and non-automated recommended decision making.
In the L-P approach, the workload is somewhat less when it comes to calibration, as the focus of the schedule is on the cluster located in the nearest zone. Coupled with SJF, the ATC was able to closely monitor this particular cluster's progression with ease while being aware of the possibility of concurrent moves by aircraft that are located towards the bottom of the schedule.
With the least workload for the ATC, MSTA only requires the ATC to closely monitor the dynamics of the taxiway based on synchronous movements of aircraft. The ATC will definitely have to actively communicate with the involved aircraft to maintain safety, especially when traffic is coming from multiple directions. However, they are spared the tedious schedule recalibration task. Traffic on the ground would progress according to the defined queues leading to the PRQ.

C. FLEXIBILITY AND VERSATILITY
Throughout the entire simulation runs for both peak and non-peak schedules, the distribution of aircraft can be considered as ideally proportionate, with more aircraft located in the farthest zone in the peak schedule simulation, while in the non-peak simulation most aircraft were located in the nearest zone. Apart from the unique attributes of the schedule, our proposed approach stands out in terms of flexibility in managing high and low aircraft volume within a particular zone on the taxiway. This feature is not available in the L-P approach, as it only emphasizes the cluster which is close to the runway, while in T-P the time-centered approach has little regard for the number of aircraft in a particular zone or which zone is denser than others. This is why certain aircraft which were located deep within the middle and farthest zones suffer from continuous halts in both the T-P and L-P approaches. Based on Fig. 12, this circumstance did not occur in MSTA, as all aircraft are progressing constantly based on spoofing situations. This shows how MSTA manages to facilitate the dynamics of the taxiway and capitalize on the available time and queue capacity, enabling MSTA to bring forward 10 aircraft into the nearest zone.

VIII. ENHANCING IMPLEMENTATION OF MSTA
Among possible innovations in the future that could be explored in order to add value into MSTA are those that can promote its effective implementation.

A. TECHNICAL CHANGES
Adding more significant variables to the simulation parameters, for example the traffic pattern during an emergency either in the air or on the airport ground, will widen the scope of the modeled environment. Simulating a close-to-real system has always been a challenge to any system developer, as it requires an adequate amount of meaningful and reliable data.
As our approach is made up of several queues as the engine of our discrete events analysis, changes in queuing strategies in the future may work well in boosting the system dynamics of the taxiing-out process due to physical changes on the airport ground. This is more relevant when more variables are introduced into the operational environment and if there are infrastructural expansions or renovations to the current ones. Noting that the current MSTA theoretically assumes that constant speed is observed by all aircraft during taxiing-out, congestion and longer queues may exist in MSTA when aircraft are heading towards the runway in droves, especially in a scenario of large airports. However, time-defined queues and segmentation of zones by breaking them into smaller zones might model the dynamics better. Besides the deep analysis of system behavior during emergencies that needs to be carried out, data representing taxiing movement dynamics at larger airports is required so that future studies on operational resiliency derived from this angle could offer better optimization.

B. POLICY HARMONIZATION AND INTEGRATED COMMUNICATIONS

1) COMPLEMENTING REGIONAL COLLABORATION FRAMEWORK
The concept of Airport Collaborative Decision Making (ACDM) is becoming more popular as more airports, beyond Europe where it was established, have been embracing the concept of data sharing for optimizing airport operations. The primary objective of ACDM is to foster information sharing between airports to make the pre-departure and turn-around time processes more efficient and resilient. In support of the implementation of ACDM in terms of safety assessments, our proposed MSTA will fit as the local mitigation technique in dealing with delays due to systems failure. Reference [46] highlights the assessment flow of generic and local failure case analysis. ACDM recognizes local mitigation techniques in lessening the overall impact on flight operations. The ACDM manual [46] indicates that a technical failure experienced by the ATC may force traffic control to be reverted to manual or, even worse, force closure of the airport. Thus, we strongly believe that the output from MSTA in the context of reducing departure delay time is in line with the ACDM data sharing protocol and its objective.

2) SERVICE LEVEL FULFILLMENT
Each airline has its own policy in handling delays and cancellations. Some countries, such as the United States, do not regulate the outcomes of any delays or cancellations of flights [46]. However, countries like Malaysia, through the Malaysian Aviation Commission (MAVCOM), which acts as the mediation body between air transportation users and aviation service providers, tend to create a more conducive customer-driven air transportation sector through the aviation customer's code of protection (MACPC(amendment)2019). The code emphasizes service quality in delivering punctual services in terms of flight departure and arrival [46]. The airline's policy also reflects their course of action whenever their aircraft is involved in an incident as laid out in this study.

3) INTEGRATION IN AUTOMATION
In situations especially during emergencies, the ATC has full discretion to manage and mitigate the situation to lessen the impact. However, with a structured automated recommendation for projecting aircraft taxiing scenarios, our approach can be integrated as part of systems that facilitate compliance with the Standard Instrument of Departure (SID). The automation should recommend how a specific taxiing approach such as MSTA should be executed in order to maintain compliance with SID and its objectives during extraordinary events and unplanned changes to the inbound or outbound air traffic flow.

IX. CONCLUSION
As a novel taxiing approach for mitigating ghost aircraft spoofing attacks, MSTA outperforms the conventional T-P and L-P in terms of number of aircraft that managed to enter the runway and with more aircraft progressed from farthest

FIGURE 1. Example of CPA Between Real and Ghost Aircraft based on adaptation of [17].

FIGURE 2. Disruption to the Taxiing-Out Movement due to ADS-B Ghost Spoofing.

FIGURE 3. Integrated Attack in a High Impact Attack Scenario.

FIGURE 7. Example of Perturbations and Queue Formation.

FIGURE 8. Three Phase Process in the Modulated Synchronous Taxiing Approach.

FIGURE 9. Algorithmic flow chart of our proposed Modulated Synchronous Taxiing Approach.

FIGURE 10. Algorithmic flow chart for the time-prioritization/location prioritization taxiing approach.

FIGURE 11. Comparison of 'Aircraft entering runway' between three simulated approaches.

TABLE 7. T-P sequencing results for T = 10 m (peak schedule).

FIGURE 16. T-P sequencing results for non-peak schedule.