This paper proposes a robust controller / observer for anomaly estimation inside UAV networks. This method is based on both Lyapunov Krasovkii functional and dynamic behavior of TCP (Transmission Control Protocol). This observer considers, as a preliminary step, a statistical signature of the traffic exchanged in the network. Both observer and spectral signature provide an accurate estimation of the traffic which is used to detect and characterize the different anomalies that can be observed in the UAV network. Consequently, the different signatures that we can process, based on the different types of intrusion we generate in the network, are used to select the accurate model for robust control estimation. This selection is conducted by choosing a specific controller / observer among a dedicated bank of models. The first statistical signature extraction of the analyzed traffic is run with a multi-fractal analysis. This solution based on wavelet analysis has been selected because it offers a wide spectral characterization of the entire traffic process. The wavelet-based analysis methodology has been widely used for the last decade for Internet traffic characterization but this is the first time that this tool has been used on a UAV ad hoc network traffic. Moreover, several research studies on network anomaly estimation have been carried out using automatic control techniques. These studies provide methods for designing both observer and command laws dedicated to time delay problems while estimating the anomaly or intrusion in the system. As a first result, the designed controller / observer system has been successfully applied to some relevant practical problems such as ad hoc networks for aerial vehicles and the effectiveness is illustrated by using real traffic traces including Distributed Denial of Service (DDoS) attacks. Our first results show promising perspectives for Intrusion Detection System (IDS) in a fleet of UAVs. Indeed, different types of anomaly have been considered and they are all accurately detected by the intrusion detection process we propose in this paper.