Urban Air Mobility (UAM) is a new air transportation system for passengers and cargo in urban environments performed by electric aircraft that take-off and land vertically [1]. UAM has a complex ecosystem which makes it vulnerable to cyber-threats putting network security of transportation system at risk [2]. Cellular-connected UAV [3] is a promising technology to achieve the essential UAM requirements of high-capacity, low-latency and ultra-reliable wireless communications between UAVs and their associated ground entities. 4G long-term evolution (LTE) is an example and can be used together by unmanned aerial system traffic management (UTM) and Automatic Dependent Surveillance Broadcast (ADS-B) ensuring safety and security of the UAV operation [4]. However security threats could lead to a loss of confidentiality (e.g. access and disclosure of restricted information), integrity (e.g. message tampering, service supplier spoofing), or availability (e.g. reliability of GPS) of the data exchanged or stored across the UAM ecosystem [5].

Network security is a field of application for pattern mining algorithms. Buczak et al. [6] survey methods of machine learning and data mining that can be successfully applied to intrusion detection. Sequence mining is one of them. Li et al. [7] use sequential pattern mining in real time to find out the frequency and sequence features of multi-stage attacks. In [8], the authors construct attack graph from transaction database using sequential pattern mining. Husák et al. [9] use sequential pattern mining and rule mining in the analysis of cyber security alert sharing SABU. Whereas sequence mining is widely explored in network security, the Contrast Sequential Pattern Mining (CSPM) task [10] has not been addressed so far in this application domain to the best of our knowledge. In this discussion paper, we address the problem of detecting patterns of attacks to 4G-LTE network security in UAM by relying on the CSPM task.

Our approach, described in depth in a paper accepted for presentation at ECAI 2024 [11], leverages the declarative framework of Answer Set Programming (ASP) [12], thus positioning in the research stream called Declarative Pattern Mining (DPM). The first proposal of an ASP-based approach to sequence mining is described by Guyet et al. [13] and compared with a dedicated algorithm. Gebser et al. [14] use ASP for extracting condensed representations of sequential patterns. Guyet et al. [15] introduce ASP encodings for two representations of embeddings (fill-gaps vs skip-gaps) in sequence mining. Lisi and Sterlicchio present the first ASP encoding for the CSPM problem in [16] which we will refer to as Mining with Answer Set Solving -Contrast Sequential Patterns (MASS-CSP) hereafter. To address the challenges of DPM in the context of network security, in [11] we have improved the efficiency and the effectiveness of the sequence mining phase in MASS-CSP by adding span and gap constraints.

The paper is organized as follows. In Section 2 and 3 we briefly describe our ASP-based approach to the problem in hand, and report some experimental results obtained on sets of traces for two kinds of attacks. Section 4 concludes the paper with final remarks.

We start with a couple of observations about the limits of MASS-CSP. For illustrative purposes, let us consider the pattern ⟨𝑎, 𝑏⟩ and the sequences ⟨𝑎, 𝑏, 𝑐⟩ and ⟨𝑎, 𝑐, 𝑐, 𝑏⟩. First, they do not deal with the number of gaps between one embedding and another. In other words, two consecutive items of a sequential pattern can be 𝑛 gaps apart within a sequence, in the example 0 and 2 respectively. Secondly, ⟨𝑎, 𝑏⟩ has support in both sequences but with different span, namely 1 and 3 respectively. Our work develops on the basis of these two observations because in various application domains, patterns that reflect certain characteristics are more informative. In [17] there were defined many types of constraints on patterns and embeddings for sequence mining, among which the ones based on the notion of gap and span that are detailed below.

The span constraint specifies the minimum/maximum length allowed for a sequential pattern. As illustrated in Figure 1, it is the difference between its last item timestamp that is 8 and its first item timestamp, i.e. 3, and thus ⟨𝑎, 𝑏, 𝑐⟩ has span 5 in that sequence. It requires that the pattern duration should be longer or shorter than a given time period. By setting a span constraint, we can focus on identifying shorter or longer sequences of events based on our specific requirements. The gap constraint controls the minimum/maximum gap allowed between consecutive occurrences of items within a sequence. In Figure 1, the gap between 𝑎 and 𝑏 is 1 while 2 between 𝑏 and 𝑐. It specifies how many time units may intervene before an item is observed again. Gap constraints are essential for capturing temporal relationships between events. Setting appropriate gap values helps identify patterns where there might be delays or interruptions between related events but still maintain their significance.

According to [15], we have encoded these constraints as choices rules instead of using ASP denials, thus implementing them in the generate stage for pruning the search space earlier. The full encoding with other details can be found in [18]. The result is an increase in efficiency and effectiveness of the final output as described in the following section.

CSPM can be particularly useful to 4G-LTE for different reasons, e.g., optimizing network performance by analyzing contrast patterns and making informed decisions on network configurations, resource allocations, and traffic management strategies and ensuring quality of services requirements. Since our focus is on security, anomalies or unusual behavior in the network traffic can be detected by mining contrast sequential patterns, thus helping in identifying potential security threats. Contrast sequential patterns are those that characterize normal and attack behaviour given different traces. Our work considers a couple of attacks -namely authentication failure attack and the numb attack [19] -as a case study and we used the traces made available by [20] 1 . Listing 1 shows example patterns for both attacks. More precisely they are the longest contrast sequential patterns found having 30% support across all sequences. They describe the timeline of events that leads to the attack. Interestingly, both attacks share common behavior with the exception of the authentication_failure event that occurs always in subsequence ⟨. . . ,authentication_request, authetication_failure, authentication_request, . . . ⟩ in (a) but not in (b). ( a ) < a t t a c h _ r e q u e s t , a u t h e n t i c a t i o n _ r e q u e s t , a u t h e n t i c a t i o n _ f a i l u r e , a u t h e n t i c a t i o n _ r e q u e s t , a u t h e n t i c a t i o n _ r e s p o n s e , security_mode_command , s e c u r i t y _ m o d e _ c o m p l e t e , a t t a c h _ a c c e p t , a t t a c h _ c o m p l e t e , d e t a c h _ r e q u e s t , d e t a c h _ a c c e p t , a t t a c h _ r e q u e s t , a u t h e n t i c a t i o n _ r e q u e s t , a u t h e n t i c a t i o n _ f a i l u r e , a u t h e n t i c a t i o n _ r e q u e s t , a u t h e n t i c a t i o n _ r e s p o n s e , security_mode_command , s e c u r i t y _ m o d e _ c o m p l e t e , a t t a c h _ a c c e p t , a t t a c h _ c o m p l e t e , d e t a c h _ r e q u e s t , d e t a c h _ a c c e p t > ( b ) < a t t a c h _ r e q u e s t , a u t h e n t i c a t i o n _ r e q u e s t , a u t h e n t i c a t i o n _ r e s p o n s e , security_mode_command , s e c u r i t y _ m o d e _ c o m p l e t e , a t t a c h _ a c c e p t , a t t a c h _ c o m p l e t e , d e t a c h _ r e q u e s t , d e t a c h _ a c c e p t , a t t a c h _ r e q u e s t , a u t h e n t i c a t i o n _ r e q u e s t , a u t h e n t i c a t i o n _ r e s p o n s e , security_mode_command , s e c u r i t y _ m o d e _ c o m p l e t e , a t t a c h _ a c c e p t , a t t a c h _ c o m p l e t e >

The main goal is to show the feasibility of a declarative approach to CSPM in the context of network security. Also, experiments have been designed in order to provide a comparative evaluation between the basic ASP encoding reported in [16] and the ASP encodings proposed that implement the span/gap constraints. We empirically show what are the advantages of adding new constraints on pattern embeddings. Figure 2 makes a comparison between the basic ASP encoding (dotted lines) and the improved one with the span/gap constraints (continuous lines) that for space reasons we only report the authentication failure attack. First, with the gap constraint we have control over the type of pattern we want thanks to the minimum and maximum gap. The pattern output set is considerably reduced, extracting only those actually useful for our purpose with an advantage on time and memory as we act directly in the pattern generation phase, having a smaller ground program than the previous one. Using the span constraint, we are able to reduce the number of patterns and the execution time without memory improvement. The gap constraint is the one that brings the best advantages in terms of overall performance.

This discussion paper addresses the problem of detecting attack patterns to the network security in the context of UAM, and focuses on a couple of attacks to 4G LTE, namely the authentication failure and the numb attack. We have suggested that CSPM can be helpful and presented an ASP-based approach to mine contrast sequential patterns from 4G-LTE traces characterizing normal and attack behavior for different types of attacks. The patterns found with our approach may be useful for post-attack analysis in order to understand the steps of the immediate attack and implement defensive mechanisms. Experiments have shown that applying a declarative approach is feasible. Also, results have highlighted the benefits of adding constraints to embeddings. In particular, the span and gap constraints allow pruning the set of patterns found, thus decreasing the memory consumption and the execution time. Finally, since the only input is the set of execution traces, the approach applies also to other attacks on the same network or even on other networks such as 5G.