AI-Related Survivability: A Proposed Methodology for Aircraft Designers

It’s no secret that today’s rapid advancements in artificial intelligence (AI) technologies are promising to radically transform the way the U.S. military prepares for and conducts a wide range of military operations. These advancements are enabling the expedited analysis of large volumes of intelligence data, the planning and execution of intricate missions with unprecedented speed and precision, and the automated operation of both manned and unmanned vehicles in high-risk areas.

In the field of combat aircraft, system developers are likewise increasingly intrigued by the countless ways in which AI can be potentially leveraged and applied. It’s also increasingly important, however, to remember that AI is not a one-size-fits-all solution. Its implementation in military contexts—and specifically aircraft development and operations—demands careful consideration, strategic planning, and a clear understanding of the potential costs and risks. Accordingly, this article discusses the crucial role of air system designers and engineers in comprehensively assessing the effectiveness of AI in challenging situations, such as combat environments.

Background—Aircraft Combat Survivability

Since the first use of planes for military applications, aviators have employed various tactics and design elements to ensure the aircraft could survive in combat. It was not until the unexpected heavy losses in Vietnam, however, that the discipline known as aircraft combat survivability (ACS) became an integral part of military aircraft design [1]. In 1985, Dr. Robert Ball published the first book on the Fundamentals of Aircraft Survivability Analysis and Design [2], providing a comprehensive overview of aircraft survivability and exploring the design principles that influence an aircraft’s ability to withstand hostile environments. Dr. Ball’s book also breaks down the complex interactions between aircraft systems, potential threats, and associated defense mechanisms into a series of probabilities related to specific events. The use of probabilities to describe events thus serves as the foundation for the discussion herein.

Introduction to AI Survivability for Military Applications

There are many ways to define AI, but a common definition focuses on systems that are designed to perform tasks that typically require human intelligence [3, 4]. These complex systems are becoming increasingly integrated into our daily lives as algorithms improve and powerful microelectronics become more accessible to industry. For instance, from 2013 to 2023 the United States invested more than $335 billion in private AI development alone [5]. And as AI availability and capabilities continue to grow, the military is increasingly collaborating with the commercial sector to incorporate AI technology into military applications, such as advanced aircraft and weapons systems.

As with other aircraft systems, designers and engineers need to evaluate the effectiveness of AI systems within aircraft. Simultaneously, designers must establish AI requirements that engineers and the industry are expected to meet. A general description of the AI development life cycle is essential to facilitate this establishment. Though no formal development model is used consistently in academia or industry, a quick literature review reveals some common areas for AI development. For this research, the AI development process was assembled into five generalized areas—formation, training, compression, deployment, and utilization [6–9].

1. Formation – AI formation identifies problems and analyzes requirements. One can think of this formation as requirements gathering and generation for a systems engineering problem.
2. Training – AI training is broadly defined as the process of teaching AI models to perform a task by providing data and allowing the AI model to learn and improve over time.
3. Compression – Compression refers to reducing AI models, making them smaller in size and more efficient for storage, transmission, and processing.
4. Deployment – Deployment refers to implementing the AI model to complete the task it was trained to accomplish on the intended hardware.
5. Utilization – Utilization represents the ability of the AI system to accomplish the intended task with human-like attributes.

Now with a generalized description of the AI development life cycle, the following definitions examine AI survivability in terms of the common taxonomy with the ACS design discipline.

Defining AI Survivability

Given the planned importance of AI in future military systems, such as the Collaborative Combat Aircraft (CCA), military system designers and engineers must ensure that AI is trustworthy for military applications. AI researchers and developers generally divide the problem into two phases. In the first phase, which occurs before deployment, developers focus on protecting the AI software. During this phase, AI developers often discuss methodologies in the training phase to ensure secure and/or trusted data for this process. They also work to isolate the model from other systems to prevent inadvertent or unauthorized access in the training and compression phases [6].

In the second phase, developers focus on securing the operating environment during deployment testing and the AI utilization phase. This step involves protecting against intrusions and monitoring suspicious activities through network channels or input vectors, such as user prompts. Additionally, developers maintain the AI system during the utilization phase to ensure the AI adaptations are consistent with the design intent [6].

In both phases of AI protection, the terminology and processes resemble those used for securing software in cyber operations, which is logical. An AI model comprises complex algorithms delivered to the end-user as software or software-based services. However, there is one AI attribute unlike traditional software—the AI software is designed to learn from its environment, adjust its algorithms, and adapt to complete the intended tasks. This is one of the reasons why AI survivability differs from cyber survivability or cyber-domain security. The other reason is the need for trusted, secure training data unique to AI applications.

Nevertheless, the language and processes for defending and securing AI can be cumbersome in military contexts, given that many AI security firms use cybersecurity terminologies designed to determine if an intrusion has occurred in the system. These terms, however, often do not provide the straightforward answers that military planners and operators need to fulfill their missions. They want to understand how effective a military system’s hardware and software will operate in combat situations. Moreover, military designers and engineers want to know how the system will perform in combat. To examine AI in military environments, this work draws upon previous research from the ACS community to define AI survivability as the capability that the AI system can avoid or withstand a hostile environment. This definition follows the definition of survivability and provides the ability to determine how the AI system functions in a military environment.

The traditional kill chain equation can be adapted for AI survivability, with the probability of kill now defined as:

P = P_D P_T|D P_E|T P_I|E P_H|I P_K|H ,

where

P = probability of kill,

P_D = probability of AI detection,

P_T|D = probability of track given AI detection,

P_E|T = probability of engage given track,

P_I|L = probability of intrusion given engage,

P_H|I = probability of hit given intrusion, and

P_K|H = probability of kill given hit.

The nomenclature presented follows the ACS guidelines as referenced by Ball, along with adaptations from the cybersecurity community and previous work in aircraft cyber combat survivability (ACCS) research. Namely,

• P_D refers to the probability that an adversary can detect the use of AI in a battlespace, which includes both the digital domain and real-world applications, such as AI-powered aircraft.
• P_T|D represents the probability of tracking given detect, meaning the adversary’s ability to identify the AI’s source or the location where it is being processed.
• P_E|T indicates the adversary’s capability to launch an attack on a specific AI system using cyber operations or electronic warfare methods.
• P_I|E refers to the adversary’s potential to bypass an AI system’s defenses—such as firewalls, encryption, or shielding—to intrude into the system.
• P_H|I is defined as the probability of successfully impacting the AI system after gaining unauthorized access.
• P_K|H denotes the probability that the AI system becomes disabled and can no longer complete its intended mission.

The proposed AI kill chain illustrates the similarities among these elements while also highlighting some inherent differences from the traditional kill chain. Future research may provide a more refined kill chain for the AI survivability discipline. For now, the complementary relationship between lethality and survivability is applied, and the above equation becomes:

P = 1–P .

The equation now provides a framework for a systemic approach to analyzing and enhancing AI survivability on military aircraft. Moreover, the definition of AI survivability and kill chain equation uncover attack pathways for AI threats, which military designers and engineers can use to focus defensive efforts. Using the ACS framework, the definition of AI survivability provides the context for the follow-on definition of susceptibility and vulnerability, allowing designers to separate the problem into its attributes.

AI Susceptibility

Using context from Ball’s work, analogous susceptibility and vulnerability definitions are similarly derived. For example, AI susceptibility refers to the inability of AI to avoid malicious mechanisms when providing the expected response or action in pursuit of the mission. In general, three factors impact the level of AI susceptibility: the type of threat, the AI complexity, and the mission the AI is attempting to complete. The AI threat types are generally segregated in association with the previously discussed five phases of AI development (formation, training, compression, deployment, and utilization). In each phase, the level of AI susceptibility depends on the characteristics of the threat and its effectiveness on the AI model at that phase. Next, the complexity of the AI model factors into the level of AI susceptibility. Simple AI models may not have robust training data. Thus, minor corruption in the training data set could influence the AI model more during deployment. The mission type also affects the level of AI susceptibility. For example, the mission may require a swarm-type formation where a single system may not affect the overall effectiveness of the swarm during the utilization phase.

Several reduction methodologies apply to AI systems following ACS principles and the definition of AI susceptibility. While there are various types of AI, the following are some general principles:

1. Signature Management – the reduction of detectability by obfuscating communication traffic or using distributed processing to disguise the AI processing footprint to minimize detection.
2. Deception – the use of decoys to mislead the attacker’s efforts to track the AI source or processing location.
3. Threat Suppression – the employment of countermeasures to prevent monitoring tools from finding AI processing or other databases.
4. Tactical Positioning – the strategic placement of critical AI components, such as training data and model repositories, to prevent intrusions.

AI Vulnerability

In conjunction with the susceptibility definition, AI vulnerability refers to an AI’s inability to withstand malicious attacks and deliver the expected responses or actions aimed at achieving its objectives. The vulnerability of AI models is influenced by various factors, including how these models are developed. Generally, the level of vulnerability affects the AI’s capabilities in learning, reasoning or decision making, problem solving, and perception. Therefore, the vulnerability of an AI model depends on when a threat is introduced during the development cycle and which specific capability the threat is targeting.

Using the kill chain analogy as a basis for further research in vulnerability reduction methodologies is effective. Similar to the mitigation strategies described by Ball, there are several examples applied to AI:

1. Redundancy – implementing parallel systems for critical functions.
2. Damage Tolerance – operating with degraded capabilities.
3. Self-Repair – restoring capabilities or functions after an attack.
4. Passive Hardening – strengthening critical components against specific attacks.

This research, of course, only begins to explore the field of susceptibility and vulnerability reduction strategies for AI. However, it provides researchers with a framework to implement future mitigation techniques.

Specific AI Threats

It is important to note that AI survivability differs from cyber survivability due to the unique nature of AI development and the threats it faces. For instance, AI requires large amounts of properly structured and labeled data to train its algorithms. Depending on the AI model’s complexity, the training set’s size can reach several terabytes of data [10]. Given the large quantity of data, attackers may use a technique known as data poisoning, which covertly contaminates the training data [11]. The most common form of this AI threat is introducing false data labels on the training data set. The large data set makes this technique very difficult to detect.

Another unique AI threat is the use of an AI evasion attack. This technique modifies the input with subtle changes to defeat intrusion detection or spam filters, causing the AI to misclassify or make incorrect predictions. Examples of this technique include hiding malicious content in an image to bypass spam filtering or antivirus software. Another example is in self-driving cars, where the use of small or subtle stickers strategically placed on road signs forces the image recognition systems to misinterpret the information [12]. Researchers often incorporate data with known subtle changes or deviations during AI training to address these threats. This helps to “immunize” the AI against evasion attacks. Similarly, developers often include examples of known false data to combat false data labels during training. This provides the AI with counter-examples to improve its accuracy [6].

AI Design Trades and Analysis for Military Applications

The discussion has focused on applying AI survivability to describe operational capability to support mission analysis and has advocated for a methodology to convey how an AI system would perform in a hostile environment in reaching the mission objective. However, using AI survivability can also aid in designing complex military weapon systems. Akin to the origins of the aircraft survivability discipline itself, the resulting definitions of AI survivability, susceptibility, and vulnerability can be described as conditional probabilities. These probabilities provide design requirements that AI developers should use to measure the performance of their AI systems to deliver military utility or operational capability.

As with all decisions, using AI in a weapons system will ultimately come down to tradeoffs. AI will affect the size, weight, power, and cost (SWaP-C) budget more than traditional software algorithms. The principal driver may include the requirement for the AI system to continuously learn from the environment, which drives the need for more advanced onboard processing. Regardless, using the ACS design principle may allow military designers and engineers to better quantify AI requirements in the operational environment—for example, the trade for more onboard processing vs. the reliability of communications in a contested environment to achieve a specified level of AI survivability. In this case, designers must weigh the cost of onboard SWAP-C vs. the likelihood of secure communications for AI offboard processing.

Summary

Integrating AI in future aircraft is not just likely; it is inevitable, especially with the development of CCAs and the growing emphasis on human-machine teaming in future aircraft programs. Therefore, military system designers and engineers must consider how to ensure that AI operates effectively and is protected in hostile environments. One approach to achieving this requirement is to adopt the design principles of ACS, which define survivability in terms of susceptibility and vulnerability while emphasizing the need for AI systems to operate in hostile environments.

Although AI fundamentally consists of algorithms implemented as software, traditional cybersecurity measures do not fully address AI’s unique ability to learn and adapt over time. More research is needed in this area, and the approach outlined here allows for further exploration of AI survivability—like ACS and ACCS—ensuring that aircraft can complete their missions effectively.

Finally, the need for secure training data and for AI systems to continuously learn during deployment and throughout utilization highlights the necessity for a new design discipline. Military planners and designers must also incorporate AI survivability assessments into the design and development of military systems to ensure that AI remains functional and reliable under combat conditions. By applying a structured framework based on ACS principles, military system designers can better understand the limitations and potential of AI in modern warfare.

About the Authors

Col. David Liu is the Senior Materiel Leader for the Mission Systems Architecture and Systems Engineering (MS ASE) Group at the Air Force Life Cycle Management Center. He has more than 20 years of experience in the Air Force and has led major weapon acquisition programs. In addition, he has deployed to Afghanistan as a Joint Combat Assessment Team (JCAT) member and has taught weapon design, rocket propulsion, and aircraft combat survivability at the Air Force Institute of Technology (AFIT). Col. Liu holds a B.S. and M.S. in aerospace engineering from the University of Texas at Austin, a Master of Strategic Studies from the Air War College, and a Ph.D. in astronautical engineering from AFIT.

Lt. Col. Craig Porter is the Program Element Monitor (PEM) for Advanced Aircraft Survivability in the Office of the Assistant Secretary of the Air Force for Acquisition, Technology, and Logistics (SAF/AQ). He has 15 years of experience in test and acquisition, with a specialized focus in survivability testing. Lt. Col. Porter holds a B.S. in aeronautical engineering from the U.S. Air Force Academy, an M.S. in aeronautical engineering from AFIT, an M.S. in flight test engineering from the Air Force Test Pilot School, an MBA from Oklahoma State University, and a Master of Military Operational Art and Science from the Air Command and Staff College.

References

1. Ball, Robert, and Dale Atkinson. “A History of the Survivability Design of Military Aircraft.” https://apps.dtic.mil/sti/tr/pdf/ADA351434.pdf, 19 August 1998.
2. Ball, Robert. The Fundamentals of Aircraft Combat Survivability Analysis and Design. Second edition, American Institute of Aeronautics and Astronautics, Reston, VA, pp. 1–44, 2003.
3. National Aeronautics and Space Administration. “What Is Artificial Intelligence?” https://www.nasa.gov/what-is-artificial-intelligence/, accessed April 2025.
4. Stryker, Cole, and Eda Kavlakoglu. “What Is Artificial Intelligence (AI)?” IBM, https://www.ibm.com/think/topics/artificial-intelligence, 9 August 2024.
5. Bomey, Nathan. “Charted: U.S. Is the Private Sector AI Leader.” Axios, https://www.axios.com/2024/07/09/us-ai-global-leader-private-sector, 9 July 2024.
6. Vassilev, Apostol, Alina Oprea, Alie Fordyce, and Hyrum Anderson. “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations.” National Institute of Standards and Technology, https://doi.org/10.6028/NIST.AI.100-2e2023, 4 January 2024.
7. Government Services Administration. “Understanding and Managing the AI Lifecycle.” IT Modernization Centers of Excellence, https://coe.gsa.gov/coe/ai-guide-for-government/understanding-managing-ai-lifecycle/, accessed March 2025.
8. De Silva, Daswin, and Damminda Alahakoon. “An Artificial Intelligence Life Cycle: From Conception to Production.” Patterns, volume 3, no. 6, 100489, https://doi.org/10.1016/j.patter.2022.100489, 10 June 2022.
9. Georgievski, Ilche. “Software Development Life Cycle for Engineering AI Planning Systems.” Proceedings of the 18th International Conference on Software Technologies, vol. 1, https://doi.org/10.5220/0012149100003538, 2023.
10. Roded, Tal, and Peter Slattery. “What Drives Progress in AI? Trends in Data.” MIT FutureTech, https://futuretech.mit.edu/news/what-drives-progress-in-ai-trends-in-data, accessed March 2025.
11. Bajema, Natasha. “Will Even the Most Advanced Subs Have Nowhere to Hide?” IEEE Spectrum, https://spectrum.ieee.org/submarine-stealth, January 16, 2024.
12. IBM. “Evasion Attack Risk for AI.” https://www.ibm.com/docs/en/watsonx/saas?topic=atlas-evasion-attack, 7 February 2025.