Integrity control algorithms in the system for telemetry data collecting, storing and processing

V V Berkholts, A I Frid, M B Guzairov and A D Kirillova
Ufa State Aviation Technical University, K. Marks st., 12, Ufa, Russia, 450008
e-mail:

Abstract. The paper considers how to improve the security of a modular system that collects, stores and processes telemetric information on the state of the onboard subsystems of an aircraft in automatic mode. The work rests on an analysis of modern technologies for protecting and processing telemetric information so as to guarantee particular aspects of the dependability of the system as a whole.

1. Introduction
Emerging malfunctions and pre-failure states of onboard aircraft equipment can be diagnosed from telemetric information (TMI). This lets the specialists of ground technical services plan repair and preventive measures from an assessment of the current state of the equipment. Accumulated and processed TMI also lets the manufacturer's specialists give well-founded support to ground-service engineers when blocks and modules of the aircraft fail. TMI analysis therefore improves the operational efficiency of the aircraft both under ordinary malfunctions and under attacks by intruders.
The aim of the study is to increase the security of the system for collecting, storing and processing TMI on the state of the onboard aircraft subsystems in automatic mode, based on an analysis of modern (including intelligent) technologies for protecting and processing TMI. To that end, a structural diagram of a protected system for collecting, storing and processing telemetric information on the state of the aircraft subsystems, built on the modular principle, has been developed.

2.
Analysis of the problem of secure collection, storage and processing of TMI in a geographically distributed information system
The proposed automated information system (AIS) of ground maintenance services is a set of software and hardware for receiving, storing and processing information about the state parameters of complex technical products (CTP) on the aircraft. The AIS is geographically distributed: it joins the infrastructure of the information systems of ground maintenance stations with the information system of the manufacturer over secure communication channels. TMI is prepared by reading the status log of the aircraft's CTP during inspection and maintenance at ground stations over wireless and/or wired sensor networks. The volumes involved are large: a Bombardier jet airliner shown at the Paris Air Show carries an engine equipped with more than 5,000 sensors generating up to 10 GB of data per second, and a twin-engine aircraft can generate up to 844 TB of data on average during a 12-hour flight [2].
Transferring TMI on the actual state of individual modules and of the whole aircraft (A/C) equipment complex to the manufacturer of the aeronautical components in real time would improve the operational efficiency of the aircraft in its normal state, and in the event of malfunctions and intruder attacks it would support incident investigation. At the same time, a study of ground-to-air communication systems showed that ACARS, despite its versatility and wide use, is vulnerable; if it is compromised together with ADS-B, an attacker can reach the flight control system and download flight plans and detailed commands [3].

Ensuring the availability of telemetry information on the state of the aircraft
The AIS of ground maintenance services receives, stores and processes information on the technological parameters of the CTP on board the aircraft. The main approaches to ensuring the reliability of such systems, and the relevance of the problem, are reviewed in the authors' earlier work [4, 5, 6]. The AIS addresses the main tasks connected with receiving TMI on the state of the onboard aircraft systems. The main ways of obtaining the data are shown in Figure 1:
1. Directly from the CTP.
2. By means of devices that read the event log from the sensors of the CTP modules. During technical inspection and maintenance, such devices read and store data on the state of the modules for the whole preceding period of operation [5].
3. Manual entry of events into the database. The operator processes the information and enters it through the web application [4].
Figure 1. Methods for obtaining TMI.
In the first case, telemetry information is transmitted from the aircraft over a radio channel. The following approaches can be used to create the transmission channel:
• Communication satellites (Iridium, SATCOM). Existing telemetry transmission technologies use satellite communication; GE Aviation, which produces aircraft engines, transmits telemetry from the aircraft this way. The obvious disadvantage is cost: streaming telemetry means sending significant (gigabyte) volumes of data. The second disadvantage is the low noise immunity of the satellite channel: incorrectly transmitted data can trigger a false alarm, or a real system failure can be missed.
ACARS does not allow large volumes of accumulated data to be transferred, satellite communication is too expensive, and LTE-A is still at the development and deployment stage and will in any case cover only the continental part of flights. Moreover, current TMI transmission and processing systems exhibit vulnerabilities that let an attacker gain access not only to passenger and airline data but also to exert significant influence on flight parameters.
In the second and third cases the information reaches the database through a web application that acts as an insulating layer between external networks and the internal structure of the AIS, since access from the external network is one of the most vulnerable points of the system. Securing access to the database (DB) that holds critical information about the product in service rests on the architecture of a secure web application which serves as the insulating layer for external AIS clients, supports transferring data from the aircraft to the ground service points and analysing it there, and gives remote access to the necessary data. The architecture of this solution is presented in [5]. Vulnerabilities in the web application were prevented by applying the secure software development measures established by GOST R ISO/IEC 12207. Modelling the security threats, identifying the possible attack vectors and analysing them made it possible to formulate countermeasures for each vector at the different architectural levels of the web application. However, analysing the security of the whole TMI transmission system requires more advanced modelling and a detailed model of the interaction between the onboard information system of the aircraft and the ground AIS.
The growth of telemetry data is pushing the aviation industry to consider new approaches to collecting and analysing large volumes of data on the state of individual components and elements of the aircraft. The concept of the Industrial Internet of Things is being actively developed: an extended network of a large number of devices, each equipped with a set of sensors, that communicate with one another over low-power, short-range wireless links. The first step is collecting the data from the sensors. One of the most promising options is the low-power, short-range IEEE 802.15.4 / IEEE 802.15.4e radio; the short range is sufficient for data transmission within a ground service station. IEEE 802.15.4 and 802.15.4e define the physical and MAC layers; the network and upper layers that run over them (6LoWPAN, 6TiSCH, CoAP) are specified by IETF standards.
How to analyse the security of the system that collects, transmits and receives telemetry on the state of individual elements of the onboard aircraft systems when the data travel over the first two channels remains an open question. Decomposing the TMI transfer into a hierarchical model of interacting levels of collection, transmission and analysis, each with its own protocol stack, is the basis for analysing the security of the transmission system (Figure 2).
In recent years, satellite communication systems have been moving, in accordance with the Regulations of the International Telecommunication Union (ITU), to the higher-frequency K/Ka bands (15.40–26.50 and 27.00–30.20 GHz). The main way of securing telemetry transmission over a wireless satellite channel is hardware and software information-protection means, and the widely used standard for a secure protocol is IPsec.
IPsec (a suite of protocols) provides:
• integrity of the virtual connection and authentication of the source of the data, via the AH (Authentication Header) protocol;
• encryption of the transmitted data, via the ESP (Encapsulating Security Payload) protocol, which can also carry its own integrity check;
• initial connection setup, mutual authentication and confidential key exchange, via IKE (Internet Key Exchange).
In current deployments ESP with an integrity (authenticated-encryption) transform is the usual choice; AH is rarely used because it does not traverse NAT, and ESP with an integrity transform covers the usual requirements.
Figure 2. Extended scheme of data transmission from the aircraft.
Modern two-way satellite communication networks use coding systems at the software and hardware level, which makes interception and decoding of information on the radio channel very difficult. All data transmitted over the satellite channel pass through a multi-stage system of transformation and encryption, which involves:
• proprietary data encryption algorithms;
• authentication of the terminal when it registers on the operator's network (hardware key);
• encryption of the entire session (software key) and of each session separately (session keys);
• proprietary algorithms that convert source data into internal data formats (structures) that are then transmitted over the satellite channel; this also addresses additional protection of the information, delivery of service information and error correction;
• grouping, compression and prioritisation of the source TCP sessions in the virtual channels created.
The proprietary algorithms in this list should be treated as obscurity rather than assurance: the confidentiality of the channel should rest on the standardised, publicly analysed cipher and key exchange (IPsec with IKE), not on the secrecy of an operator's encoding format.
Satellite channels in the direction from the A/C to the TMI processing centres are return channels. The most common multiple-access schemes for transmitters on such channels are TDMA/FDMA time-frequency division. For the aircraft to operate in the transmission network, the information in the key database must match the hardware key on board.
Telecommunication systems using the UMTS (Universal Mobile Telecommunications System) standards are third-generation (3G) mobile communication systems.
Third-generation mobile communication uses the decimetre band (around 2 GHz) and provides data rates of up to 2 Mbit/s. The information security threats in a UMTS network can be grouped by where the corresponding attacks are applied:
• the radio access part (radio interface);
• other parts of the network.
The radio segment between the aircraft and the serving network is one of the most vulnerable points of attack in UMTS. The threats on this segment, described below, fall into the following categories:
• unauthorized access to data;
• threats to data integrity;
• denial of service;
• unauthorized access to services.

Table 1. Some threats of unauthorized access to data on the radio segment.
Designation | Threat name | Threat description
T1a | Interception of user traffic | Intruders can intercept user traffic.
T1b | Interception of signalling and control data | Intruders can intercept signalling and control data.
T1c | Masquerading as a communication participant | Intruders can masquerade as a network element.
T1d | Passive traffic analysis | Intruders can observe the characteristics of messages.
T1e | Active traffic analysis | Intruders can actively initiate a connection and then obtain access to information.

Table 2. Threats to the integrity of information.
Designation | Threat name | Threat description
T2a | User traffic manipulation | Intruders can modify, insert, replay or delete user traffic.

The threat designation TAn is read as follows: T is the first letter of the word "threat"; A is the number of the threat group (the table number); n is the letter giving the ordinal number of the threat within the group, following the list of threats in the ETSI document.

Table 4. Threats of unauthorized access to services.
Designation | Threat name | Threat description
T4a | Masquerading as another user | The intruder masquerades as another user of the network. First, the intruder masquerades as a base station towards the user.

3. Threats related to attacks on other parts of the system
Although attacks on the radio channel represent the most serious threats, attacks on other parts of the system also need analysis from the information-security point of view.

Table 5. Threats related to other parts of the system (threat groups 5 to 9).
Designation | Threat name | Threat description
T5e | Unauthorized access to data in a system object | Intruders (by physical action or logical control) can gain access to local or remote data.
T5f | Compromise of location information | A legitimate user of a UMTS service may obtain information on the location of other users of the system.
T6c | Manipulation by masquerading as a communication partner | Intruders can masquerade as a network element in order to modify, insert, replay or delete traffic.
T6f | Manipulation of data in system objects | Intruders can modify, insert or delete data held in system objects.
T7a | Physical intervention | Intruders may interfere with transmission on any system interface (wired or wireless); on a wired interface the physical obstruction could be a cut wire.
T7b | Protocol intervention | Intruders can interfere with the transmission of user traffic or signalling data on any system interface (wired or wireless), or cause the signalling protocol to fail.
T7c | Denial of service by masquerading as a communication partner | Intruders can deny service to users by blocking the transmission of user traffic and signalling data, having taken control of it by masquerading as a network element.
T7d | Misuse of emergency services | Intruders can interfere with other users' access to services and at the same time prevent the equipment from performing its functions in emergency situations.
T8a | Repudiation of an invoice | Disagreement with the submitted invoice, expressed either as denial that the service was requested or as denial that it was actually provided.
T8b | Repudiation of the origin of user traffic | The user can deny having sent traffic.
T9e | Misuse of serving-network priorities | Serving networks may misuse their priorities to gain unauthorized access to services.

Table 6. Threats related to attacks on the terminal and UICC/USIM.
Designation | Threat name | Threat description
T10h | Masquerading to obtain data on the UICC–terminal interface | Intruders can masquerade as the USIM or as the terminal in order to intercept data on the UICC–terminal interface.
T10j | Confidentiality of certain user data in the terminal and UICC/USIM | Intruders may want access to personal user data stored in the terminal or on the UICC, for example the phone book of correspondents.

Security requirements derived from the threats.
Threats addressed | Requirement | Category
T4a, T9a, T9c | It must be possible to prevent unauthorized access to 3G services by masquerading as a legitimate user. | Requirements for secure access to services
T4a, T8a, T9d | An alarm informing the provider of the security event should be provided. | Security requirements

4. Development of a block diagram of a secure system for collecting, storing and processing telemetric information on the state of the aircraft subsystems
The generalized structure of a geographically distributed hierarchical system for collecting, storing and processing TMI arriving from aircraft via ground maintenance stations is shown in Figure 4.
Figure 4. Generalized structural diagram of a protected system for collecting, storing and processing TMI (1 – level of TMI collection from the wired and wireless sensors of the ground aircraft-servicing systems; 2 – level of primary monitoring and preparation of TMI for transmission to the AIS of the manufacturer's enterprise (AIS EM); 3 – level of data transmission over secure channels through global data networks to the AIS EM; 4 – level of organization of reception and distribution of TMI at the EM; 5 – level of storage and processing of TMI in the corporate information system (CIS)).
The creation of a secure channel through global communication networks and the transfer of TMI to the AIS EM side is realized at the level of transmission of the accumulated data. The levels of reception and distribution of information at the enterprise follow the Cisco three-tier hierarchical model (core, distribution, access). The corporate information network of the EM contains a level with the subsystems for storing and processing TMI, and a separate segment that supports and implements the business processes of the enterprise.

5. Development of the structure of the TMI collection and storage subsystem at the ground aircraft maintenance stations
The vast majority of Industrial Ethernet protocols have no built-in security mechanisms, so the security of industrial networks is a pressing problem. To secure the subsystems that implement the first two levels of the proposed structure, the international and federal normative documents must be followed: when designing the wireless sensor network of the TMI collection subsystem, the requirements of GOST R ISO/IEC 27033-1-2011 and GOST R ISO/IEC 27033-3-2014 apply. The physical architecture of the TMI collection and storage subsystem on the ground is presented in Figure 5.
Mechanisms for collecting and storing large volumes of TMI on the state of individual components and elements of the aircraft should take into account the actively developing concept of the Industrial Internet of Things (IIoT). It is proposed to use heterogeneous wired (RS-485 physical interface) and wireless (IEEE 802.15.4, IEEE 802.15.4e) sensor networks for collecting TMI, carried over Modbus/TCP. Plain Modbus/TCP carries no authentication and no encryption, so protection of the transmitted data has to come from the transport: the TLS-based Modbus/TCP Security profile, or an encrypted tunnel around the Modbus traffic. IEEE 802.15.4 and 802.15.4e define the physical and MAC layers; the layers above them follow IETF standards.
V International Conference on "Information Technology and Nanotechnology" (ITNT-2019), Data Science. V V Berkholts, A I Frid, M B Guzairov and A D Kirillova
Figure 5. The subsystem of data collection and storage at aircraft service stations.

6. Development of the structure of the subsystem for receiving, storing and processing TMI in the AIS
Reception and distribution of TMI at the enterprise are implemented according to the Cisco three-tier hierarchical model and the Cisco SAFE (Security Architecture for Enterprise) design methodology, which draws on current experience of deploying secure networks with defence in depth against external and internal attacks. The main element of the distributed TMI processing system is the HDFS distributed file system. An additional measure for the confidentiality of stored data is encryption at the level of individual database columns. Access to the big-data store should be audited with a Database Activity Monitoring (DAM) class solution.

7. The concept of data integrity and verification of data sources
The security of industrial networks is a pressing problem that existing approaches do not solve, because an attacker can intervene not only at the network level, from outside or inside, but also at the level of the data sources themselves. The manufacturer guarantees that the main hardware and software of the CTP are free of hardware or software backdoors ("implants"); nevertheless, the behaviour of the object must be analysed comprehensively to identify abnormal situations that are not explained by equipment breakdowns or failures of individual components and assemblies and may be caused by an attacker's intervention. The CTP monitoring system needs to be improved as an element of the intrusion detection system, taking into account the complexity of the controlled object, the nonlinearity of its processes and the equipment conditions that can lead to emergency or catastrophic situations.
The CTP condition monitoring system, implemented as a component of the intrusion detection system, continuously monitors the CTP parameters to identify significant deviations from "normal behaviour", which in turn indicate possible malicious intent. This approach develops the concept of Data Centric Security [7], which implies securing the data itself. Under the proposed concept, comparing the recorded state of the object with a reference model gives a tool for detecting hardware and software interference in the infrastructure of the information system. The algorithm compares the characteristics of the time series arriving from the aircraft with the time series generated by a gas turbine engine (GTE) model simulating the same mode and the same flight conditions in which the GTE is operating in real time. The information received from the A/C is the result of the operation of the GTE and its automatic control system (ACS).
Figure 6. Method of analysing the consistency parameter of model and field data.
Figure 7 shows the block diagram of the monitoring system for the GTE A/C TMI parameters.
The manufacturer's AIS receives the vector of set values of the controlled coordinates of the object Y0, the vector of disturbing factors F and the vector of measured disturbing factors F'. The control object receives the vector of control actions U generated by the control system. Data from the monitoring system are sent to the manufacturer over a communication channel, which can be exposed both to an attacker (vector Z) and to the external environment, which generates noise (vector N). The same control signals are fed to a model that simulates the signals of the A/C sensors.
A set of GTE parameters was selected for analysing the discrepancy between the data obtained from the model and the data obtained from the aircraft. k-means clustering was run on the training sample and identified nine types of GTE behaviour dynamics. For the preliminary experiments and for training the decision block, a separate NARX neural-network model was built for each type of dynamics. For real-time integrity monitoring, a multidimensional time series (TS) of the mismatch parameters between the model data and the TMI indicators is constructed over a sliding window [9]. The final decision on the state of the data transmission system from the aircraft, and on the presence or absence of intruder intervention in the data channel, is made by a decision block that takes into account not only the type of mismatch between the aircraft data and the model data, but also the signal of the control system about the state of the GTE, received from the aircraft in real time, and the type of GTE dynamics at the given moment. From these three inputs the block decides the state of the data transmission channel ("break", "normal operation", "integrity violation", and so on).
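The three mismatch measures used in the experiments that follow, written out here as an added note rather than as part of the original paper. It assumes that the paper's R is the coefficient of determination taken as the square of the Pearson coefficient, which approximately agrees with the pairs of values reported later (r_xy = 0.36 with R = 0.11, r_xy = 0.94 with R = 0.90). For a window of n samples of received telemetry x_i and model output y_i:

$$r_{xy} = \frac{\sum_{i=1}^{n}(x_i-\bar{x})(y_i-\bar{y})}{\sqrt{\sum_{i=1}^{n}(x_i-\bar{x})^2}\,\sqrt{\sum_{i=1}^{n}(y_i-\bar{y})^2}}, \qquad R = r_{xy}^{2}, \qquad \mathrm{MAPE} = \frac{100\%}{n}\sum_{i=1}^{n}\left|\frac{x_i - y_i}{y_i}\right|.$$

r_xy and R are invariant to a scale factor or offset applied to x, whereas MAPE is not. That is why a scaled or biased replay of the signal keeps r_xy and R high while MAPE jumps, and why the rule base below needs all three measures rather than correlation alone.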
For an additional check of these data, the MAPE coefficient was calculated:
MAPE = 11.88%
The value of the MAPE coefficient before the jump:
MAPE = 4.6%
The MAPE coefficient has changed, but not critically. The small change in the MAPE level and in the mean values of the correlation and determination coefficients is explained by the signal jump occurring late in the time window.
Experiment 2. In this example the signal transmission is interrupted too. At about iteration 77 the mean value of the transmitted signal changes sharply compared with the previous data. As in the previous example, the distortion occurs at late iterations of the current time series, which reduces the sensitivity of the determination and correlation coefficients.
Figure 9. Simulation experiment No. 2 of hardware failure.
Experiment 3. This experiment also illustrates a signal transmission problem or an equipment failure. Here the drop in the mean value occurs early in the time window, at about iteration 37. The correlation and determination coefficients are:
r_xy = 0.36, R = 0.11
Both values are too low, which points to a serious problem with the received data. The MAPE coefficient:
MAPE = 41.81%
The MAPE error is high, which confirms the hypothesis that there are problems in the data transmission channel. The MAPE coefficient before the signal problems began:
MAPE = 4.61%
The correlation coefficient does not differ much from the previous example, but the MAPE error is very high; the large value is due to the early appearance of the distortion in the time window.
Figure 10. Simulation experiment No. 3 of hardware failure.
Experiment 4.
Figure 11. Simulation experiment No. 4 of hardware failure.
The MAPE coefficient before the signal problems began:
MAPE = 5.01%
The calculations show that the determination and correlation coefficients take very high values. Paired with a high MAPE, however, such values should raise suspicion: there may be an equipment problem, or the transmitted data may have been falsified.
Experiment 5. In this experiment nothing has happened to the data and they are transmitted normally.
Figure 12. Simulation experiment No. 5 of hardware failure.
The correlation and determination coefficients are:
r_xy = 0.94, R = 0.90
The MAPE coefficient:
MAPE = 4.72%
The combination of these three factors indicates that there are no problems with the signal, and the received data can be trusted.
Experiment 6. This example is similar to the previous one: the data obtained from the aircraft are merely noisy and not distorted in any way.

The rule base for decision making
For the decision block the following set of rules was developed, on the basis of which the decision on the integrity of the transmitted TMI is made. CMS denotes the channel monitoring system: CMS = 1 when the channel is reported normal, otherwise CMS = 0.
Rule 1. IF (r_xy = 'middle') AND (R = 'middle') AND (MAPE = 'middle') AND (CMS = 0) THEN signal breakage occurred;
Rule 2. IF (r_xy = 'low') AND (R = 'low') AND (MAPE = 'high') AND (CMS = 0) THEN signal breakage occurred;
Rule 3. IF (r_xy = 'low') AND (R = 'low') AND (MAPE = 'high') AND (CMS = 0) THEN signal breakage occurred;
Rule 4. IF (r_xy = 'high') AND (R = 'high') AND (MAPE = 'high') AND (CMS = 1) THEN data fraud is possible;
Rule 5. IF (r_xy = 'high') AND (R = 'high') AND (MAPE = 'low') AND (CMS = 1) THEN normal operation;
Rule 6. IF (r_xy = 'middle') AND (R = 'middle') AND (MAPE = 'low') AND (CMS = 1) THEN normal operation;
Rule 7. IF (r_xy = 'low') AND (R = 'low') AND (MAPE = 'low') AND (CMS = 1) THEN normal operation.

10.
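The monitoring scheme of Figure 7 and the rule base above, carried through in working code as an added example; this is not the paper's code. It computes r_xy, R and MAPE over a window of received telemetry against the model output, maps them to the linguistic labels and looks the combination up in the rule base. Everything marked as assumed in the comments is an assumption of this example, not of the paper: the label thresholds, R = r_xy squared, MAPE taken relative to the model output, the constructed sine-wave model series, and the three scenarios (intact, signal dropping at iteration 37, scaled replay), which only mimic the shape of Experiments 3 to 5. Rule 5 is read with MAPE = 'low', as in Experiment 5, and a label combination that no rule covers is reported as undetermined rather than silently classified.

```python
"""Sliding-window integrity check of received telemetry against a reference model.

Added example, not code from the paper.  Assumed here: R is the coefficient of
determination computed as r_xy**2, MAPE is taken relative to the model output,
and the low/middle/high thresholds below are illustrative choices.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

# Illustrative fuzzification thresholds (assumed, not taken from the paper).
R_XY_HIGH, R_XY_LOW = 0.80, 0.50                 # Pearson r_xy
R_HIGH, R_LOW = R_XY_HIGH ** 2, R_XY_LOW ** 2    # R = r_xy**2: same cut-offs, squared
MAPE_LOW, MAPE_HIGH = 10.0, 25.0                 # per cent

# Rule base of the decision block, keyed by (r_xy label, R label, MAPE label, CMS).
# Rule 3 of the paper coincides with Rule 2; Rule 5 is read with MAPE = 'low'.
RULES: Dict[Tuple[str, str, str, int], str] = {
    ("middle", "middle", "middle", 0): "signal breakage",      # Rule 1
    ("low", "low", "high", 0): "signal breakage",              # Rules 2 and 3
    ("high", "high", "high", 1): "data fraud possible",        # Rule 4
    ("high", "high", "low", 1): "normal operation",            # Rule 5
    ("middle", "middle", "low", 1): "normal operation",        # Rule 6
    ("low", "low", "low", 1): "normal operation",              # Rule 7
}


def pearson_r(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient r_xy of two equal-length windows."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0.0 or syy == 0.0:
        return 0.0  # a constant window carries no correlation information
    return sxy / math.sqrt(sxx * syy)


def mape(received: Sequence[float], model: Sequence[float]) -> float:
    """Mean absolute percentage error of received telemetry relative to the model."""
    terms = [abs((r - m) / m) for r, m in zip(received, model) if m != 0.0]
    return 100.0 * sum(terms) / len(terms) if terms else float("inf")


def fuzzify(r_xy: float, r_det: float, err: float) -> Tuple[str, str, str]:
    """Map the three numeric measures to the linguistic labels used by the rules."""
    def label(v: float, low: float, high: float) -> str:
        return "low" if v < low else "high" if v >= high else "middle"
    # For MAPE a small error is 'low', so its cut-offs are applied the other way round.
    err_label = "low" if err < MAPE_LOW else "high" if err > MAPE_HIGH else "middle"
    return label(r_xy, R_XY_LOW, R_XY_HIGH), label(r_det, R_LOW, R_HIGH), err_label


def assess_window(received: Sequence[float], model: Sequence[float], cms: int) -> dict:
    """Compute r_xy, R and MAPE for one window and apply the rule base."""
    r_xy = pearson_r(received, model)
    r_det = r_xy ** 2
    err = mape(received, model)
    labels = fuzzify(r_xy, r_det, err)
    decision = RULES.get(labels + (cms,), "undetermined: refer to analyst")
    return {"r_xy": r_xy, "R": r_det, "MAPE": err, "labels": labels, "decision": decision}


def monitor(received, model, cms, window=50, step=10) -> List[Tuple[int, str]]:
    """Slide a window over the series; return (window start, decision) pairs."""
    return [(s, assess_window(received[s:s + window], model[s:s + window], cms)["decision"])
            for s in range(0, len(received) - window + 1, step)]


# --- constructed sample data (not measurements): a 100-sample GTE model output ---
def model_series(n: int = 100) -> List[float]:
    return [100.0 + 10.0 * math.sin(i / 5.0) for i in range(n)]


def scenario(kind: str, n: int = 100) -> List[float]:
    """Received telemetry for one scenario: the model output plus noise and a fault."""
    rng = random.Random(7)  # fixed seed keeps the constructed sample deterministic
    out = []
    for i, m in enumerate(model_series(n)):
        noise = rng.gauss(0.0, 1.0)
        if kind == "break" and i >= 37:   # like Experiment 3: signal drops at iteration 37
            out.append(noise)
        elif kind == "fraud":             # like Experiment 4: replayed with a 35 % scale
            out.append(1.35 * m + noise)
        else:                             # like Experiments 5/6: noisy but intact
            out.append(m + noise)
    return out


if __name__ == "__main__":
    model = model_series()
    for kind, cms in (("normal", 1), ("break", 0), ("fraud", 1)):
        res = assess_window(scenario(kind), model, cms)
        print(f"{kind:7s} r_xy={res['r_xy']:.2f} R={res['R']:.2f} "
              f"MAPE={res['MAPE']:.1f}% -> {res['decision']}")
```

Running the block prints one line per scenario. The scaled-replay case is the one to note for detection work: r_xy and R stay near 1 because correlation ignores scale, so only the MAPE, taken together with a CMS that reports the channel as healthy, separates tampering with the data from a line fault.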
Conclusion
A block diagram of a protected system for collecting, storing and processing telemetric information on the state of aircraft subsystems, built on the modular principle, has been proposed. The distinctive feature of the proposed solution is that it consists of fairly large subsystems with a high degree of connectivity among the components inside each and a sufficient degree of autonomy at the level of interaction between the subsystems themselves. Each subsystem is built on organizational principles specific to the problem it solves and is governed by the existing regulatory documents so as to ensure particular aspects of the system's reliability. An algorithm for monitoring the integrity of the TMI on the state of the GTE in service has been developed: it determines the type of dynamics of the TS arriving from the aircraft together with the type of dynamics of the mismatch between the model TS and the GTE TS, which makes it possible to assess the actual state of the GTE ACS and to detect intruder interference.

11. References

Acknowledgments
This work is partially supported by the Russian Science Foundation under grant No. 17-07-00351.