AeronautiCal Cyber INtrusion dEtection mechanism

Air-Ground datalink communication has gained importance in the last mandates of civil aeronautics. Text messages exchanged between aircraft and ground improve the efficiency of common procedures by reducing errors and misunderstandings caused by poor voice connection and solve the issue of congested VHF. Both communications; exchanged between controllers and pilots or automatically generated signals from the aircraft to the ground are vulnerable to multiple types of cyberattacks that can cause at least distress, and at most, catastrophic consequences. There is very little knowledge regarding the frequency of attacks or attempts of attacks already suffered using datalink communication, but the knowledge regarding the vulnerabilities of aircraft security is increasingly popular. Modern trends in avionic communication increase aircraft connectivity, raising, with the benefits, the exposure to cyber threats.
vACCINE’s objective is the development of an anomaly detection monitor for datalink messages onboard the aircraft. The monitor will be based on machine learning models, developed from real datalink packages and will detect anomalies caused deliberately (security) or not (safety). The data analysis, intrinsic to the model development, can produce invaluable insights regarding the messages, the systems, and the procedures for refining, not only our detector but also the standards applied to the security of air-ground communication. The use of artificial intelligence algorithms in the analysis and classification of the data can identify the features most relevant for security provision in light of the threat vectors associated with the datalink messages.
The project produced a extremely complete security model for ground-to-air communication and has demonstrated that AI-based approaches can in fact detect intrusions and potential risks. Unfortunately the initial plan, of producing a security filter to embedded in aircraft had to be discarded due to a reduced number of training datasets. This reduced availability of data, however, highlights the criticality of pursuing the research area, as the implications of such intrusions and potential attacks are clearly not fully known. The consortium sees a clear need to reinforce the criticality of this endeavor to stakeholders in order to improve the security levels of ground-to-air communication channels contributing to a more secure and stable air traffic environment within the EU and for EU-based airlines.

During the first reporting period, the standards applicable to currently used datalink messages have been assessed as well as the procedures and protocols associated with them. Security standards addressing avionic systems applicable to the project have been reviewed in light of the detector’s objectives. Research on available technical publications has been performed on the areas of aircraft datalink communications, intrusion detection, anomaly detection, avionic systems security, and the machine learning techniques applicable to the kind of data addressed by vACCINE to establish the state of the art on the topics of intrusion detection in avionics applying artificial intelligence. Preparation of the specifications of the security challenges to be addressed and the characteristics and attributes of the communication channel data flow for purposes of security anomaly detection have been defined. Work has also progressed in designing the model for describing the nature of the security threats, which in turn will be used to drive the development of the tools for the learning and validation phases.

Further progress in the development tasks has been substantially diminished due to the lack of expected datasets, this difficulty was further exacerbated by the outbreak of COVID-19.

During the final reporting period the consortium was able to address the dataset availabilty challenges identified in the previous reporting with the inclusion of a new partner, Linkoping University, which allowed the dataset dependent work within the project to proceed. The following elements are the highlights of the work carried out during this period:
• Datasets were acquired, analysed and the data were applied in both model refinements and prototyping for validation;
• Formalisation of the Security Model was completed, taking into consideration the datasets and deeper analysis of the operational context of the communications and protocols usage in actual practice;
• Machine Learning models were developed and open source tools were utilised by the partners to validate the capabilities of different Machine Learning algorithms to provide intrusion detection capabilities and assess their accuracy;
• Conclusion were drawn after a lengthy analysis of the datasets and algorithms and it was concluded that it would not be possible to produce and industrially feasible filtering module using the available data – alternative approaches were considered to increase accuracy and address the identified industrial challenges of deploying a Machine Learning based solution;
• Dissemination and next steps were drawn to prepare for the sharing of the results and setting up future partnerships and projects that can allow the continuation of the research path initiated with vACCINE.

Followup activities are planned by the consortium for sharing the results and to try and demonstrate both the promise of the approach and gain stakeholder interest in a new approach: focusing the intrusion detection learning mechanisms on the ground segment first. These efforts are planned for the following months.

vACCINE aimed to develop one of the first onboard machine learning based anomaly detector applied to air-ground communication. The detector design would address currently applicable certification standards and will be validated at Thales testbed by the end of the project.
vACCINE would introduce a powerful and increasingly ubiquitous technology into the avionics security service and integrate the expertise of data scientists and artificial intelligence engineers into the aeronautic domain. The analysis of datalink datasets – part of the process of creating the machine learning models – emphasizes the most relevant features to be addressed as indicators of anomalies and consolidates reports that could be used as evidence of intrusion as well as indicators of malfunction, enforcing the trust on the system mainly by pilots and controllers.

While the initial results could not be achieved in the scope of the project, a robust and complete security model for ground.to-air communication was produced. Moreover, the unavailability of datasets demonstrates how little understanding there is regarding potential vulnerabilities and exploitation possibilities for CPDLC communication. Therefore the more relevant results of the project are the production of the security model and the aggregation of the lessons learned, which will be disseminated by the consortium in the following months to try and garner more interest among stakeholders to continue pursuing this research area that could have far reaching implications on the stability and security of air traffic within the EU.