ACAS Xu: how adversarial pixel injection defeats formally verified collision avoidance in autonomous UAS

There is a significant gap between a formally verified AI and a safe AI system. Reluplex, the SMT-based verification framework developed by Katz et al. at Stanford and Carnegie Mellon in 2017, proved ten safety properties over the ACAS Xu deep neural network policy — a genuine mathematical landmark, the first formal verification of a safety-critical deep learning system at operational scale. The proof established, with certainty, that the trained network obeys specific input-output constraints over bounded regions of its six-dimensional state space.

The gap is in the premise. The ten Reluplex properties are conditional: they hold given correct values of the six state variables — range (ρ), bearing from ownship heading (θ), intruder heading relative to ownship (ψ), ownship vertical rate (ḣ₀), intruder vertical rate (ḣ₁), and time to loss of horizontal separation (τ). In crewed aviation, these values come from calibrated TCAS II transponder radar — a hardened radio frequency system with no camera-based processing and a multi-decade operational record. In autonomous UAS Detect and Avoid implementations, particularly for the non-cooperative intruder case required by BVLOS operations, these values increasingly come from a deep learning object detector running on EO/IR camera frames — a system that Reluplex says nothing about, and that inherits all the adversarial vulnerabilities of deep learning vision models.

An adversarial pixel injection into that EO/IR pipeline corrupts the upstream state estimate before it reaches the verified network. The ACAS Xu DNN receives wrong values of ρ or τ within its valid input domain, produces a wrong Resolution Advisory that is formally correct given those wrong inputs, and the autonomous UAS autopilot executes the wrong maneuver. The Reluplex guarantees are not violated — they were simply never applicable to the actual physical situation.

What ACAS Xu is and how it reached formal verification

ACAS Xu (Airborne Collision Avoidance System X for Unmanned Aircraft Systems) is a collision avoidance advisory system developed at MIT Lincoln Laboratory, derived from the broader ACAS X family that includes ACAS Xa for commercial aviation and ACAS Xo for special operations. The ACAS X family replaced the Bayesian lookup table architecture of earlier TCAS systems with a Markov Decision Process formulation: the optimal collision avoidance policy is computed offline by solving a continuous-state MDP over a model of encounter geometry, intruder behaviour uncertainty, and regulatory coordination logic. For ACAS Xa, this produces a 400MB lookup table indexed on six state variables. For ACAS Xu, the same MDP solution was compressed into a set of 45 feedforward neural networks — one for each of 40 altitude-separated flight levels plus supplementary networks — each with six ReLU-activation hidden layers and approximately 13,000 parameters. This is the policy compression work by Julian, Kochenderfer, and Owen published in 2016.

The motivation for using neural networks rather than the lookup table was not performance: the neural networks were designed to replicate the lookup table's policy as closely as possible, not to exceed it. The motivation was operational: neural networks can be evaluated on embedded processors aboard a UAS without the 400MB memory footprint of the full lookup table, enabling ACAS Xu to run on the weight- and power-constrained hardware typical of Group 2–3 UAS platforms (25–1,320 lbs MTOW). The neural network policy is not learned from flight data; it is a compressed representation of a policy computed analytically from the MDP — a distinction that matters for the verification approach.

Reluplex verified the 45 ACAS Xu networks against ten safety properties formulated as constraints on the network's output given specific geometric conditions on the input state vector. Property 1 states that if ρ ≥ 55,947 feet and τ = 0, the output advisory is always COC (Clear of Conflict) — a large geometric separation at zero time-to-separation means no avoidance maneuver is warranted. Property 4 states that if the ownship is not descending (ḣ₀ ≥ 0) and the intruder is ascending (ḣ₁ ≥ 0) and τ = 0, the network never issues a strong downward advisory — because descending when the intruder is ascending and separation is large would be geometrically perverse. The ten properties are not exhaustive safety proofs; they are spot-checks on the most critical geometric configurations where an incorrect advisory would be immediately dangerous.

The Reluplex verification took approximately 11 hours of computation per property per network on 2017 hardware — a non-trivial engineering achievement that required developing an entirely new SMT solver capable of handling ReLU-activation constraints. The result was the first formal guarantee that a deployed deep neural network in a safety-critical system obeys its design intent over bounded input regions. It remains, in 2026, one of the most significant achievements in applied neural network verification.

The EO/IR state estimation pipeline for non-cooperative DAA

ACAS Xu requires the six state variables as inputs. For cooperative intruders — aircraft equipped with ADS-B Out transponders, Mode C TCAS transponders, or FLARM — range and bearing can be derived from RF sensor data that is adversarially distinct from the EO/IR pipeline (spoofing ADS-B is a separate attack class). For non-cooperative intruders, no RF-based state data is available, and the state estimation pipeline must construct ρ, θ, ψ, ḣ₀, ḣ₁ from passive sensor data.

The FAA's 2020 Detect and Avoid system minimum performance standards (SC-228 MOPS, RTCA DO-365) require that DAA systems detect non-cooperative intruders within a well clear volume defined by the Horizontal Miss Distance Function — a separation standard that requires intruder track establishment at ranges of 1 nautical mile or more under VMC conditions. At these ranges, an intruder aircraft subtends an apparent angular size of approximately 0.02–0.2 degrees in the camera frame — 5–50 pixels on a typical 1280×720 EO sensor with 30-degree horizontal field of view. Object detection at this apparent size is a hard problem even in nominal conditions; it is exactly the problem that drove the adoption of deep learning detectors over classical edge-detection approaches in DAA research programs including the FAA-funded ACAS Xu integration studies at MIT LL and the NASA UAS in the NAS program.

The operational EO/IR pipeline for a Group 2–3 BVLOS UAS typically runs a lightweight YOLO-architecture detector (YOLOv8n or similar, chosen for inference speed on Nvidia Jetson Orin at 5–15fps) producing bounding box detections for aircraft-class objects in the forward camera field of view. Range is estimated from the detector's bounding box width using a stored prior on intruder wingspan distribution (the ACAS Xu encounter model assumes intruder aircraft drawn from the GA fleet distribution, with median wingspan approximately 36 feet). Bearing is computed from the bounding box centroid position in the calibrated camera frame using the camera intrinsic matrix. Vertical position — and by differentiation, vertical rate ḣ₁ — is estimated from bounding box vertical position under a flat-earth approximation corrected for ownship altitude. These estimates are assigned to Kalman track objects keyed on detection identity; the Kalman filter propagates the track between detections and smooths range-rate and bearing-rate estimates. The track outputs are then fused with ADS-B data where available (cooperative and non-cooperative tracks may refer to the same intruder, resolved by position proximity matching) and fed to ACAS Xu as the state vector.

This pipeline runs entirely in the pixel domain for the non-cooperative case. The first element of the pipeline — the deep learning object detector — has the same adversarial vulnerability as any deep learning vision model. The adversarial attack surface is the frame buffer between the EO/IR camera sensor and the object detector's inference engine.

Two adversarial attack variants on the DAA state estimation pipeline

Adversarial injection into the EO/IR DAA pipeline takes two distinct forms, producing opposite failure modes in the ACAS Xu advisory output.

Variant 1: Intruder suppression — eliminating a real intruder from the state estimate

The suppression attack crafts a pixel perturbation applied to the EO/IR camera frame at the point where a real non-cooperative intruder is detectable. The perturbation reduces the detector's confidence for the aircraft class at that bounding box location below its detection threshold, causing the detection to be dropped. A single-frame suppression would be filtered by the Kalman track's coasted prediction (the track continues to propagate for 2–5 frames after a detection dropout before being flagged as lost). A sustained suppression — applied across a sequence of frames during an approaching intruder's close-geometry phase — causes the Kalman track to be marked lost, removing the intruder's state estimate from the ACAS Xu input. ACAS Xu, receiving no intruder state, issues no RA. The non-cooperative intruder continues its approach without any avoidance maneuver from the UAS.

The suppression perturbation targets the spatial location in the camera frame corresponding to the intruder's projected position. At 1 nautical mile range, the intruder occupies a 5–15 pixel region — a small, geometrically predictable target given the intruder's bearing and known approach geometry. The perturbation magnitude required to suppress a confident (IoU ≥ 0.5) YOLO detection is well-characterized in the adversarial ML literature for small-object detection tasks: an L-infinity perturbation of ε = 4–8 pixel intensity units (out of 255) is typically sufficient for modern YOLO architectures on aircraft detection, below the threshold of visual detectability at normal display brightness. The suppression perturbation does not need to be invisible to the camera sensor log — it needs to be invisible in the composite situational awareness display used by the remote pilot in command (RPIC) viewing the downlinked video, which is typically compressed at 4–8:1 before transmission and rendered at lower resolution on the ground station display.

Variant 2: Phantom intruder injection — fabricating a non-existent intruder

The phantom injection attack adds adversarially crafted pixel patterns at locations in the EO/IR frame where no real aircraft is present, causing the detector to produce false-positive aircraft detections at fabricated positions. The fabricated position is chosen to produce a specific set of state vector values — ρ, θ, ψ — when processed through the range and bearing estimation pipeline, generating a phantom intruder state estimate that feeds ACAS Xu and triggers an RA against a non-existent threat.

The consequence of a phantom RA in an autonomous UAS depends on the advisory type. A phantom COC (no avoidance advisory) for a fabricated intruder that is placed geometrically far away in the state space has no operational consequence. The dangerous phantom is one designed to trigger a strong avoidance advisory — Climb or Descend — by fabricating an intruder in a close, dangerous geometric configuration (small ρ, small τ, adverse relative altitude). The UAS autopilot executes the strong RA, climbing or descending into airspace that may contain actual aircraft not currently tracked by the DAA system — trading a phantom collision risk for a real one.

The phantom injection attack also functions as a denial-of-service in high-traffic airspace: fabricating multiple phantom intruders in conflicting geometries forces ACAS Xu into a continuous RA-issuing state, causing the UAS to maneuver repeatedly and preventing it from proceeding on its planned route. This exploits the ACAS X coordination logic, which is designed to issue RAs for all tracked intruders simultaneously in multi-intruder encounters — a feature that becomes an availability vulnerability when the intruder population can be fabricated at will.

Why the closed-loop reaction time eliminates pilot intervention

In crewed aviation, TCAS II Resolution Advisories are classified as a pilot action requirement: DO-185B (the TCAS II MOPS) mandates that the pilot must begin the required maneuver within 5 seconds of the RA display. This 5-second window was established empirically from studies of pilot reaction time to auditory-visual alerts in high-workload cockpit conditions. Within this window, the pilot can deviate from the RA if they have independent visual confirmation that the RA is wrong — the "traffic in sight" exception permits the pilot to disregard an ACAS RA when they can see the intruder and determine that no avoidance maneuver is needed.

In an autonomous BVLOS UAS, neither of these safety mechanisms exists. There is no pilot in the aircraft to react within 5 seconds, exercise traffic-in-sight judgment, or override an incorrect RA. The RPIC on the ground receives a compressed video downlink at 1–4 second latency over the command-and-control link, views the ground station display, and may not be monitoring the DAA advisory output as their primary attention is on mission execution. The autopilot executes the RA immediately and automatically upon receipt from the ACAS Xu logic module — the pipeline from camera frame to autopilot trajectory command completes in approximately 150–350ms.

The 150–350ms figure breaks down as follows: EO/IR detector inference at 67–200ms (at 5–15fps), Kalman track update at ~5ms, ACAS Xu DNN evaluation at ~2ms on embedded GPU, autopilot RA translation and trajectory command at ~10ms. The 5-second human reaction window that exists in crewed aviation collapses to a computational pipeline with no human decision point. At 100 knots closure rate, 350ms of pipeline latency corresponds to 30 feet of closure — a distance at which the encounter geometry is already in the near-miss regime. This places autonomous UAS DAA in the same category as the da Vinci 5 surgical robotics AI and the ATC radar AI systems described in the Glyphward framework: closed-loop AI systems where adversarial AI output translates to physical action faster than any human can intervene.

The eVTOL urban air mobility DAA implementations reviewed in our earlier analysis face the same latency structure — the autonomous DAA pipeline is architecturally identical whether the platform is a fixed-wing Group 3 UAS or an eVTOL delivery vehicle. Both use EO/IR camera feeds, both run deep learning detectors on embedded hardware, and both feed ACAS Xu (or compatible advisory logic) to an autopilot that executes without pilot intervention in the loop.

The formal verification gap: what Reluplex proves and what it does not

Understanding the scope of the Reluplex guarantee is essential for understanding why adversarial pixel injection defeats it without technically violating it.

Reluplex's ten safety properties are stated over the input domain of the ACAS Xu DNN — the six-dimensional state space (ρ, θ, ψ, ḣ₀, ḣ₁, τ). Each property is a bounded-domain specification: "for all inputs (ρ, θ, ψ, ḣ₀, ḣ₁, τ) in region R_i, the output advisory is in set O_i." The regions R_i are defined by inequality constraints on the state variables — for example, Property 1's region is ρ ≥ 55,947 feet and τ = 0 (or equivalently τ very large). The proof establishes that the DNN's actual input-output mapping satisfies these constraints over these regions. This is a property of the DNN's parameter matrix — it cannot be violated by any input within the specified domain, by construction of the proof.

An adversarial pixel injection attack does not place inputs outside the ACAS Xu DNN's input domain. It places wrong inputs inside the domain. If a real intruder is at ρ = 0.3 nm and the adversarial injection corrupts the range estimate to ρ = 2.5 nm, the ACAS Xu DNN receives a state vector (2.5 nm, θ, ψ, ḣ₀, ḣ₁, τ) that is entirely within its valid input domain and within the regions covered by the Reluplex proof. The network produces a COC advisory — the correct output for a state vector representing a distant, non-threatening intruder. The Reluplex proof for that geometric region is satisfied. The physical situation — a real intruder at 0.3 nm closing at 100 knots — receives no avoidance advisory, and the UAS continues on its trajectory toward collision.

The gap between the formal verification and the physical safety guarantee is not a deficiency in the Reluplex approach — it is an inherent property of any formal verification of an AI policy in isolation from its sensing system. Formal verification proves properties of mathematical objects (the DNN). Physical safety depends on the correspondence between those mathematical objects and the physical world, which is mediated by sensors whose outputs can be corrupted. The security-relevant question is not whether ACAS Xu's DNN policy is formally correct — it provably is — but whether the pipeline that assembles the DNN's state vector inputs is adversarially robust. That question is in the domain of adversarial ML security, not formal verification.

Regulatory requirements: DO-326A, FAA SC-228, and the DAA cybersecurity evidence gap

The airworthiness security framework for autonomous UAS DAA systems is established by DO-326A (Airworthiness Security Process Specification, RTCA 2014) and DO-356A (Airworthiness Security Methods and Considerations, RTCA 2018), adopted by the FAA through Advisory Circular 119-1 and referenced in the FAA's UAS type certification guidance under 14 CFR Part 23 Amendment 64. For BVLOS operational approvals under Part 107 Section 107.41, applicants must demonstrate that their DAA system meets the SC-228 MOPS performance requirements and address cybersecurity under the applicable advisory circulars.

DO-326A Section 4 establishes the Security Risk Assessment process. For a DAA system incorporating an EO/IR deep learning object detector feeding ACAS Xu, the SRA must identify the EO/IR detector as a security-relevant function (SRF) with a direct path to aircraft operational safety — the most critical security assurance level under DO-326A's five-level classification. DO-356A Section 4.3 provides attack trees for avionics data systems, and adversarial image injection against an AI-based object detector falls within the intentional unauthorized data modification threat class covered by the DO-356A framework.

The FAA SC-228 MOPS (DO-365, published 2017) defines detection performance requirements for the DAA system but does not address adversarial robustness — the document predates the widespread availability of adversarial ML attacks on aviation-domain object detectors and does not include adversarial robustness as a tested performance dimension. This creates a certification evidence gap: current MOPS compliance testing validates DAA performance under nominal sensor conditions, but does not validate that the deep learning object detector is adversarially robust. An ACAS Xu implementation that passes all DO-365 performance requirements may still be trivially defeated by adversarial pixel injection if the object detector's adversarial robustness has not been evaluated.

The FAA 2024 UAM and BVLOS integration rulemaking is expected to address AI/ML in DAA systems, with staff drafting guidance that references the DO-178C Data Coupling / Control Coupling framework for verifying AI component inputs — a framework that stops at the camera calibration boundary and does not address adversarial perturbation of pixel content. The runtime monitoring approach recommended by Glyphward — a continuous EO/IR frame scan gate that detects adversarial input characteristics before the frame reaches the object detector — is architecturally consistent with the monitoring DAL (Design Assurance Level) concept in DO-178C and with DO-326A's operational security monitoring requirements. See our analysis of autonomous vehicle perception AI for how the same EO/IR adversarial detection architecture applies to ground-based autonomous systems with similar sensor configurations.

EO/IR frame scan gate for DAA pipeline integrity

The Glyphward scan gate for EO/IR DAA pipelines deploys at the frame buffer between the EO/IR camera sensor and the deep learning object detector. It operates asynchronously on a parallel processing thread, evaluating sampled frames for adversarial injection characteristics without blocking the real-time detection pipeline. Detection latency target is under 500ms at 15fps detector throughput, achieved by sampling 1-in-5 frames during normal cruise and 1-in-2 frames during active intruder track periods (when the Kalman tracker is maintaining a live track for a non-cooperative intruder).

import asyncio, base64, hashlib, time
from collections import deque
from dataclasses import dataclass, field

import httpx

GLYPHWARD_API_KEY     = "YOUR_GLYPHWARD_API_KEY"
GLYPHWARD_SCAN_URL    = "https://glyphward.com/v1/scan"
DAA_THRESHOLD         = 35      # closed-loop safety-critical; lowest threshold
CRUISE_SAMPLE_RATE    = 5       # 1-in-5 frames during cruise (no active track)
TRACK_SAMPLE_RATE     = 2       # 1-in-2 frames when non-cooperative track is live

@dataclass
class DAAFrameGate:
    api_key: str
    track_active: bool = False
    _frame_counter: int = 0
    _recent_hashes: deque = field(default_factory=lambda: deque(maxlen=30))
    _client: httpx.AsyncClient = field(default_factory=httpx.AsyncClient)

    def _sample_rate(self) -> int:
        return TRACK_SAMPLE_RATE if self.track_active else CRUISE_SAMPLE_RATE

    async def check_frame(self, frame_bgr: bytes, frame_id: int) -> dict | None:
        self._frame_counter += 1
        if self._frame_counter % self._sample_rate() != 0:
            return None

        frame_hash = hashlib.sha256(frame_bgr).hexdigest()
        if frame_hash in self._recent_hashes:
            return None
        self._recent_hashes.append(frame_hash)

        payload = {
            "image": base64.b64encode(frame_bgr).decode(),
            "context": "daa_eoir_frame",
            "frame_id": frame_id,
            "track_active": self.track_active,
        }
        try:
            r = await self._client.post(
                GLYPHWARD_SCAN_URL,
                json=payload,
                headers={"Authorization": f"Bearer {self.api_key}"},
                timeout=3.0,
            )
            result = r.json()
            if result.get("score", 0) >= DAA_THRESHOLD:
                await self._trigger_daa_fallback(result, frame_id)
            return result
        except Exception:
            return None

    async def _trigger_daa_fallback(self, result: dict, frame_id: int):
        # Drop EO/IR track; fall back to ADS-B-only state estimation
        # Alert RPIC via C2 link; log detection event for DO-326A evidence
        print(f"[GLYPHWARD] DAA adversarial injection detected "
              f"frame={frame_id} score={result['score']:.1f} — "
              f"switching to ADS-B-only state estimation")

On detection above threshold 35, the scan gate triggers two actions: (1) the EO/IR non-cooperative track is dropped from the ACAS Xu state vector input — the system falls back to ADS-B-only state estimation, which is conservative (ADS-B covers cooperative intruders only, so the UAS adopts increased well-clear margins per SC-228 anomaly procedures); and (2) a detection event is logged with timestamp, frame hash, Glyphward score, and track state — generating the DO-326A operational security monitoring evidence that documents the adversarial injection attempt in the UAS's maintenance record. The full technical architecture for image-domain adversarial detection is described in our multimodal prompt injection threat model, including the statistical detection approach for small-object suppression perturbations in sparse, structured image domains analogous to the NIR channel analysis described in our surgical robotics NIR fluorescence post.

The gap in the formal safety argument

The ACAS Xu program represents what is currently possible at the intersection of formal methods and aviation AI: rigorous offline policy computation from a principled MDP formulation, compressed into efficiently evaluable neural networks, with formal verification of safety properties over the policy's input domain. This is as thorough as AI safety engineering has gotten in any operational domain.

The gap is structural. The formal safety argument for ACAS Xu terminates at the DNN's input boundary — at the six state variables ρ, θ, ψ, ḣ₀, ḣ₁, τ. What happens upstream of those inputs — how the physical world's geometry is converted into those six numbers — is outside the scope of the formal argument. In the TCAS II context this gap was benign: radar-derived range and bearing from a certified transponder system was a mature, well-characterized input source with known error bounds. In the autonomous UAS context, the same inputs come from an EO/IR deep learning object detector with no formal robustness guarantees and a known, exploitable adversarial vulnerability.

Formal verification of the ACAS Xu DNN without adversarial robustness assurance for the EO/IR state estimation pipeline creates a security argument with a verified core and an unverified perimeter. An adversary who cannot defeat Reluplex's formal proof directly can defeat the composite system by attacking the perimeter. The ten safety properties are intact. The aircraft is in danger.

Runtime adversarial monitoring at the EO/IR frame boundary — detecting adversarial injection before it corrupts the state estimate — is the operational complement to the formal verification. It does not extend the formal proof; it defends the perimeter that the formal proof cannot reach. Glyphward's DAA scan gate provides this monitoring for BVLOS UAS operators integrating EO/IR non-cooperative detection with ACAS Xu advisory logic, generating the security evidence log required by DO-326A operational security monitoring and enabling fallback to ADS-B-only state estimation on detection — a degraded but formally safe operating mode while the EO/IR pipeline integrity is restored.

Frequently asked questions