CN114118790A - Security analysis method and system based on SysML civil communication navigation system - Google Patents


Publication number
CN114118790A
Authority
CN
China
Legal status
Pending
Application number
CN202111412624.0A
Other languages
Chinese (zh)
Inventor
冯晓波
周兵
刘佳鑫
刘宇翔
杨林川
Current Assignee
CETC Avionics Co Ltd
Original Assignee
CETC Avionics Co Ltd


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 10/00 Administration; Management
    • G06Q 10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q 10/063 Operations research, analysis or management
    • G06Q 10/0635 Risk analysis of enterprise or organisation activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/21 Design, administration or maintenance of databases
    • G06F 16/211 Schema design and management
    • G06F 16/212 Schema design and management with details for data modelling support
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q 10/00 Administration; Management
    • G06Q 10/10 Office automation; Time management
    • G06Q 10/103 Workflow collaboration or project management
    • G06Q 50/40


Abstract

The invention discloses a SysML-based security analysis method and system for a civil communication navigation system. The method comprises: performing system modeling of a given management system in the civil aviation communication navigation system with SysML to obtain a SysML-based source model of the civil communication navigation system; performing fault modeling of the same management system with the fault tree analysis method to obtain a target meta-model of the civil communication navigation system based on the fault tree (FT); automatically generating a safety analysis fault tree (FTA) from the source model and the target meta-model through intermediate model conversion between the two; and, according to the safety analysis fault tree FTA, performing safety analysis of the management system of the civil communication navigation system, judging whether the safety requirement is met, accepting the safety solution if it is, and otherwise modifying the design of the management system. The invention avoids the omission of failure states.

Description

Security analysis method and system based on SysML civil communication navigation system
Technical Field
The invention relates to the technical field of avionics, in particular to a security analysis method and system of a civil communication navigation system based on SysML.
Background
Functional Hazard Assessment (FHA) is a systematic, comprehensive and hierarchical examination of the aircraft and its system functions, typically with reference to the aircraft functions defined by the Air Transport Association (ATA). It identifies potential failure conditions and determines the severity of each failure condition from the severity of the hazardous event that results from the functional failure. The severity of a failure condition is a discrete classification with five levels: No safety effect, Minor, Major, Hazardous and Catastrophic.
[Table (image BDA0003374199280000011, not reproduced): failure condition severity levels]
The communication navigation system is an important subsystem of the civil aircraft avionics system. It provides navigation of the aircraft during short-range and long-range flight; two-way communication between stations within the aircraft and between the aircraft and ground stations throughout the flight; and monitoring of warning information for the flight crew. Its functions specifically include:
VHF voice/data communication function, HF voice/data communication function, VHF/HF selective call function, L-band satellite voice/data communication function, DME/VOR/ADF/LOC/GS/MB navigation function, GPS positioning function, radio altitude ranging function, built-in talk/broadcast function, navigation tone/warning tone listening function, etc.
In the initial design stage of the civil aviation communication navigation system, a preliminary system safety assessment is carried out alongside the development of the system architecture: the proposed system architecture and the safety requirements are taken as inputs, the analysis is performed, and architecture decision recommendations are given. Design solutions are evaluated with analysis methods such as Fault Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA) to show that they reasonably satisfy the safety requirements. Establishing the corresponding fault tree for the civil aviation communication navigation system architecture is therefore the key step of the preliminary system safety assessment. At present, fault tree analysis of the civil aviation communication navigation system relies mainly on the engineering experience of the system engineer, is limited by individual cognitive ability, cannot predict all possible behaviors (normal or faulty) of the communication navigation system, and easily overlooks certain loss or misleading failure states in it.
Disclosure of Invention
The technical problem the invention aims to solve is that fault tree analysis of the existing civil aviation communication navigation system relies mainly on the engineering experience of the system engineer, is limited by individual cognitive ability, cannot predict all possible behaviors (normal or faulty) of the communication navigation system, and easily overlooks certain loss or misleading failure states in it.
The invention aims to provide a security analysis method and a security analysis system for a SysML-based civil communication navigation system, which model a given management system (such as the audio management system) of the civil aviation communication navigation system with the standard system modeling language SysML, automatically obtain the fault tree (FTA) through model conversion, and finally complete the safety assessment. The invention analyzes all states of the communication navigation system algorithmically, using a computer tool, and thereby avoids the omission of failure states.
The invention is realized by the following technical scheme:
In a first aspect, the invention provides a SysML-based security analysis method for a civil communication navigation system, the method comprising:
performing system modeling of a given management system (such as the audio management system) in the civil aviation communication navigation system with the standard system modeling language SysML to obtain a SysML-based source model of the civil communication navigation system;
performing fault modeling of the corresponding management system (such as the audio management system) with the fault tree analysis method to obtain a fault tree FT-based target meta-model of the civil communication navigation system;
according to the SysML-based source model of the civil communication navigation system, the fault tree FT-based target meta-model of the civil communication navigation system and the SysML system architecture diagram, automatically generating the safety analysis fault tree FTA through the conversion of an intermediate model between the source model and the target meta-model;
according to the safety analysis fault tree FTA, performing safety analysis on the given management system of the civil communication navigation system, judging whether the safety requirements are met, and accepting the safety solution if they are; otherwise, modifying the design of the management system.
Further, the step of performing system modeling on a certain management system in the civil aviation communication navigation system by adopting the standard system modeling language SysML comprises the following steps:
acquiring the requirement of a preset management system, and establishing a preset management system architecture according to the requirement of the preset management system;
modeling the preset management system architecture by adopting a standard system modeling language SysML, and generating a SysML BDD diagram of the preset management system;
modeling the internal structure of the preset management system by adopting a standard system modeling language SysML to generate an AMS IBD graph; modeling the preset management system behavior by adopting a standard system modeling language SysML to obtain a state machine model (SMD);
and adding the safety behavior annotation into the component behavior specified in the state machine model SMD to obtain a SysML behavior structure diagram.
Further, the preset management system architecture is modeled with the standard system modeling language SysML, where the preset management system is an audio management system; the method specifically comprises the following steps:
determining an AMS block for the audio management system, which interacts with other systems/subsystems through four proxy ports: the first proxy port AMSIn:SignalFromPilot receives the voice signal from the pilot, the second proxy port AMSIn:AudioSignalFromVHF receives the voice signal received by the VHF communication system, the third proxy port AMSOut:SignalToPilot provides the call signal of the ground VHF radio station to the flight crew, and the fourth proxy port AMSOut:AudioSignalToVHF provides the transmit voice signal to be sent out by the VHF communication system;
the AMS block comprises an audio control panel ACP and an audio management unit AMU. The audio control panel ACP receives the voice audio sent by the flight crew, collects the flight crew's control operation data, and distributes the transmit voice audio and the control operation data to the connected component; it is interconnected with other blocks/components by receiving the transmit voice audio and control operation data at proxy port ACPIn:SignalFromPilot and passing them to another proxy port ACPOut:InternalSignalSend;
the audio management unit AMU receives the voice audio and control operation data sent by the flight crew and decides, according to the control operation data, through which communication channel the flight crew's voice audio is sent out; it communicates with other blocks/components by receiving the flight crew's voice audio at proxy port AMUIn:InternalSignalSend and transferring it to another proxy port AMUOut:AudioSignalToVHF.
Further, the internal structure of the preset management system is modeled with the standard system modeling language SysML: SysML is used to model the set of interfaces and possible flows of the component's internal structure through the composition of, and interaction among, the specified component instances in the preset management system; the internal structure of the AMS block is modeled with a SysML IBD to obtain the AMS IBD diagram. The method specifically comprises the following steps:
from the flight crew end to the VHF transmitter end, following the direction of communication, there are three interconnections in the AMS IBD, each using a connector to implement the flow of items: the first interconnection is from the AMS AMSIn:SignalFromPilot port to the ACP ACPIn:SignalFromPilot port; the second is from the ACP ACPOut:InternalSignalSend port to the AMU AMUIn:InternalSignalSend port; the third is from the AMU AMUOut:AudioSignalToVHF port to the AMS AMSOut:AudioSignalToVHF port;
from the VHF receive end to the flight crew end, there are likewise three interconnections in the AMS IBD, each using a connector to implement the flow of items: the first is from the AMS AMSIn:AudioSignalFromVHF port to the AMU AMUIn:AudioSignalFromVHF port; the second is from the AMU AMUOut:InternalSignalRevd port to the ACP ACPIn:InternalSignalRevd port; the third is from the ACP ACPOut:SignalToPilot port to the AMS AMSOut:SignalToPilot port.
Further, a standard system modeling language SysML is adopted to model the preset management system behavior, and a state machine model SMD is obtained: an audio control panel state machine diagram and an audio management unit state machine diagram.
Further, according to the SysML-based source model of the civil communication navigation system, the fault tree FT-based target meta-model of the civil communication navigation system and the SysML system architecture diagram, the safety analysis fault tree FTA is automatically generated through the conversion of an intermediate model between the source model and the fault tree FT-based target meta-model; the method specifically comprises the following steps:
performing component-level fault tree model conversion: according to the SysML behavior structure diagram, the fault behaviors at the system component level are converted into component-level fault tree models, giving component-level fault trees whose different top failure events may correspond to each failure mode;
and performing system-level fault tree model conversion: the component-level fault tree models are combined, and an analysis model representing the system-level safety behavior is generated according to the interconnection of the corresponding component instances.
Further, the performing of the security analysis on a certain management system of the civil communication navigation system according to the security analysis fault tree FTA is to analyze the generated system-level security behavior analysis model by using the existing fault data tool.
In a second aspect, the invention further provides a security analysis system of the civil communication navigation system based on the SysML, which supports the security analysis method of the civil communication navigation system based on the SysML; the system comprises:
the system source model building unit is used for carrying out system modeling on a certain management system (such as an audio management system) in the civil aviation communication navigation system by adopting a standard system modeling language SysML to obtain a civil communication navigation system source model based on the SysML;
the system target meta-model building unit is used for performing fault modeling on a corresponding management system (such as an audio management system) by adopting a fault tree analysis method to obtain a civil communication navigation system target meta-model based on a fault tree FT;
the conversion automatic generation fault tree unit is used for automatically generating the safety analysis fault tree FTA through intermediate model conversion, according to the SysML-based source model of the civil communication navigation system, the fault tree FT-based target meta-model of the civil communication navigation system and the SysML system architecture diagram;
the safety analysis unit is used for executing safety analysis on a certain management system of the civil communication navigation system according to the safety analysis fault tree FTA, judging whether the safety requirement is met, and if the safety requirement is met, receiving the safety solution; otherwise, design modification is carried out on the management system.
Further, the system source model building unit executes the following processes:
acquiring the requirement of a preset management system, and establishing a preset management system architecture according to the requirement of the preset management system;
modeling the preset management system architecture by adopting a standard system modeling language SysML, and generating a SysML BDD diagram of the preset management system;
modeling the internal structure of the preset management system by adopting a standard system modeling language SysML to generate an AMS IBD graph; modeling the preset management system behavior by adopting a standard system modeling language SysML to obtain a state machine model (SMD);
and adding the safety behavior annotation into the component behavior specified in the state machine model SMD to obtain a SysML behavior structure diagram.
Further, the conversion automatic generation fault tree unit comprises a component-level fault tree model conversion subunit and a system-level fault tree model conversion subunit;
the component-level fault tree model conversion subunit is used for performing component-level fault tree model conversion, converting the fault behaviors of the system component level into component-level fault tree models according to the SysML behavior structure diagram, and obtaining component-level fault trees with different top failure events possibly corresponding to each failure mode;
and the system-level fault tree model conversion subunit is used for performing system-level fault tree model conversion: it combines the component-level fault tree models and generates an analysis model representing the system-level safety behavior according to the interconnection of the corresponding component instances.
Compared with the prior art, the invention has the following advantages and beneficial effects:
The SysML-based security analysis method and system for the civil communication navigation system of the invention model a given management system (such as the audio management system) of the civil aviation communication navigation system with the standard system modeling language SysML; according to the SysML-based source model of the civil communication navigation system and the fault tree FT-based target meta-model of the civil communication navigation system, the safety analysis fault tree FTA is generated automatically through an intermediate model between the two; and according to the safety analysis fault tree FTA, safety analysis is performed on the management system of the civil communication navigation system. The invention analyzes all states of the communication navigation system algorithmically, using a computer tool, and thereby avoids the omission of failure states.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. In the drawings:
FIG. 1 is a flow chart of the security analysis method of the civil communication navigation system based on SysML.
Fig. 2 is a BDD diagram of an audio management system according to an embodiment of the invention.
Fig. 3 is an internal block diagram of an audio management system according to an embodiment of the present invention.
FIG. 4 is a state machine diagram of an audio control panel according to an embodiment of the present invention.
FIG. 5 is a state machine diagram of an audio management unit according to an embodiment of the present invention.
FIG. 6 is a diagram of a system level fault tree meta-model according to an embodiment of the present invention.
FIG. 7 is a component level fault tree meta-model diagram according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating a model transformation process according to an embodiment of the present invention.
FIG. 9 is a mapping diagram of SysML and component level FT according to an embodiment of the present invention.
FIG. 10 is a mapping of component level FTs to system level FTs according to an embodiment of the present invention.
Fig. 11 is a structural diagram of the security analysis system of the civil communication navigation system based on the SysML.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to examples and accompanying drawings, and the exemplary embodiments and descriptions thereof are only used for explaining the present invention and are not meant to limit the present invention.
Example 1
As shown in fig. 1, this embodiment takes the audio management system of a civil airborne communication navigation system as an example and proposes a SysML-based safety analysis method for the civil communication navigation system. The method comprises the following steps:
carrying out system modeling on an audio management system in the civil aviation communication navigation system by adopting a standard system modeling language SysML to obtain a source model of the civil communication navigation system based on SysML;
fault modeling is carried out on the audio management system by adopting a fault tree analysis method, and a target meta-model of the civil communication navigation system based on the fault tree FT is obtained;
according to the SysML-based source model of the civil communication navigation system, the fault tree FT-based target meta-model of the civil communication navigation system and the SysML system architecture diagram, automatically generating the safety analysis fault tree FTA through the conversion of an intermediate model between the source model and the target meta-model;
according to the safety analysis fault tree FTA, performing safety analysis on the audio management system of the civil communication navigation system, judging whether the safety requirement is met, and accepting the safety solution if it is; otherwise, modifying the design of the audio management system to improve system safety, that is, adding redundancy to existing components or introducing new components into the architecture.
In this embodiment, the step of performing system modeling on the audio management system in the civil aviation communication navigation system by using the standard system modeling language SysML includes:
acquiring the requirement of an audio management system, and establishing an audio management system architecture according to the requirement of the audio management system;
modeling the audio management system architecture by adopting a standard system modeling language SysML to generate a SysML BDD diagram of the audio management system;
modeling the internal structure of the audio management system by adopting a standard system modeling language SysML to generate an AMS IBD graph; modeling the behavior of the audio management system by adopting a standard system modeling language SysML to obtain a state machine model (SMD);
and adding the safety behavior annotation into the component behavior specified in the state machine model SMD to obtain a SysML behavior structure diagram.
Specifically, the requirements of the audio management system (including the safety requirements) are considered as follows:
for civil aircraft avionics systems, requirements capture and analysis is a very important link, and the capture of the safety requirements is especially important.
In capturing the requirements of the audio management system, its safety, functional, performance, interface, physical and installation, reliability, maintainability, environmental adaptability and other requirements need to be captured from the communication navigation system level requirements, airworthiness regulations, standards and specifications, and so on.
The safety requirements of civil aircraft systems at every level include minimum performance constraints on availability and integrity, and each safety requirement needs a safety analysis and evaluation process to determine and verify it.
Specifically, a standard system modeling language SysML is adopted to carry out system modeling on an audio management system in the civil aviation communication navigation system, and a civil communication navigation system source model based on the SysML is obtained so as to carry out security assessment on the source model. In modeling an audio management system, a Block Definition Diagram (BDD), an Internal Block Diagram (IBD), and a State Machine Diagram (SMD) are used. Wherein:
a Block Definition Diagram (BDD) is a structural diagram that mainly describes the structural components of a communication system module and the relationships between the constituent elements.
An Internal Block Diagram (IBD) is used to specify the connectivity between the components of a communication system module.
A State Machine Diagram (SMD) is used to model the behavior of an individual object, indicating the order in which the object responds to different events throughout its lifecycle.
1) Audio management system block definition diagram (BDD)
First, the audio management system of the civil airborne communication navigation system is modeled starting from the architecture, and a SysML BDD diagram of the audio management system is generated, as shown in FIG. 2. The first block determined is the "Audio Management System (AMS)" block, which is the system to be subjected to safety analysis. The AMS is a subsystem of the airborne communication navigation system and interacts with other systems/subsystems through four proxy ports: the first proxy port AMSIn:SignalFromPilot receives the voice signal from the pilot, the second proxy port AMSIn:AudioSignalFromVHF receives the voice signal received by the VHF communication system, the third proxy port AMSOut:SignalToPilot provides the call signal of the ground VHF radio station to the flight crew, and the fourth proxy port AMSOut:AudioSignalToVHF provides the transmit voice signal to be sent out by the VHF communication system.
The AMS block contains an Audio Control Panel (ACP) and an Audio Management Unit (AMU). The AudioControlPanel block is the component responsible for receiving the voice audio sent by the flight crew, collecting the flight crew's control operation data, and distributing the transmit voice audio and the control operation data to the connected component. It is interconnected with other blocks/components by receiving the transmit voice audio and control operation data at proxy port ACPIn:SignalFromPilot and passing them to another proxy port ACPOut:InternalSignalSend.
The AudioManagementUnit block receives the voice audio and control operation data sent by the flight crew and decides, according to the control operation data, through which communication channel the flight crew's voice audio is sent out. It communicates with other blocks/components by receiving the flight crew's voice audio at proxy port AMUIn:InternalSignalSend and passing it to another proxy port AMUOut:AudioSignalToVHF.
2) Internal block diagram (IBD) of the audio management system block
After the SysML BDD of the AMS is complete, the internal structure of the AMS is modeled with a SysML IBD, which shows the interconnections between the block instances that make up the AMS, as shown in FIG. 3.
From the flight crew end to the VHF transmitter end, following the direction of communication, there are three interconnections in the AMS IBD, each using a connector to implement the flow of items. The first is from the AMS AMSIn:SignalFromPilot port to the ACP ACPIn:SignalFromPilot port; the second is from the ACP ACPOut:InternalSignalSend port to the AMU AMUIn:InternalSignalSend port; the third is from the AMU AMUOut:AudioSignalToVHF port to the AMS AMSOut:AudioSignalToVHF port.
From the VHF receive end to the flight crew end, there are likewise three interconnections in the AMS IBD, each using a single connector to implement the flow of items. The first is from the AMS AMSIn:AudioSignalFromVHF port to the AMU AMUIn:AudioSignalFromVHF port; the second is from the AMU AMUOut:InternalSignalRevd port to the ACP ACPIn:InternalSignalRevd port; the third is from the ACP ACPOut:SignalToPilot port to the AMS AMSOut:SignalToPilot port.
3) Audio Management System (AMS) behavior modeling (State machine diagram SMD)
Each block/component of the AMS has its own behavior, specified by a SysML state machine that represents both its normal behavior and its failure behavior. Behavioral modeling of the AMS produces two state machine diagrams, one for the AudioControlPanel block type and one for the AudioManagementUnit block type, covering their regular behavior. Both diagrams are similar in construction: a state in which the component accepts input signals on a designated port, followed by the logic specific to that component, and finally an output delivered to a designated port to which some other component/system is connected.
Consider now the failure behavior of each component. The Audio Control Panel (ACP) is given one failure: a transition added to its state machine diagram takes the ACP into a Failed state when it fails. For the Audio Management Unit, a component failure is added that may be caused either by a fault of the component itself or by a failure signal received on its input port. The AMU has a further safety problem, data corruption, which leads to an erroneous-data failure state. The state machine diagrams with the added failure behavior are shown in FIG. 4 and FIG. 5.
Next, the safety-related model elements are annotated with fault information: reliability information is attached to the model elements it extends, for example 1) the threats to reliability (faults, errors, failures and hazards) associated with the extended element, and 2) their probability of occurrence.
Fig. 4 and 5 depict two state machine diagrams resulting from this activity.
Specifically, fault modeling is carried out on the audio management system by adopting a fault tree analysis method, and a target meta-model of the civil communication navigation system based on the fault tree FT is obtained;
The method uses Fault Tree Analysis (FTA) to perform safety analysis of the safety-critical system. FTA is a top-down, deductive failure analysis technique whose result is represented as a tree structure called the fault tree (FT) model.
1) System level fault tree
The system level fault tree model is developed based on a meta-model of the EMFTA tool. The system level fault tree meta-model is shown in fig. 6 and includes:
Fault tree analysis model: the top element of the model and the container for the other model elements, i.e., events and gates.
Event: describes a state of the system, of an element, or of a part, such as a failure. The class attribute of an event distinguishes the following types:
Basic event: the most elementary cause event in the fault tree, which cannot be analysed further down; it sits at the bottom of the tree.
External event: an event that is normally expected to occur (a "house" event).
Undeveloped event: an event that is not analysed further, either because no information is available or because it has no significant influence.
Conditional event: an event that describes a specific condition or restriction on the operation of a logic gate, i.e., it specifies a condition that affects the gate (used with the inhibit gate).
Intermediate event: any event in the fault tree other than the bottom (basic) events and the top event.
Logic gates tie events together and express the logical relationship between them:
AND gate: the output event occurs when all n input events occur.
OR gate: the output event occurs when at least one of the n input events occurs.
Exclusive-OR gate: the output event occurs only when exactly one of the input events occurs.
Priority AND gate: the output event occurs when all n input events occur, and in a specified order.
Inhibit gate: the input event triggers the output event only when the conditional event is also present.
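The following Python is an added worked example, not code from the patent or from the EMFTA tool: it evaluates the five gate types listed above over a record of which events occurred and when, which is what separates the priority AND gate (order matters) and the inhibit gate (a conditional event must be present) from a plain AND. The event names and times in SAMPLE are constructed for illustration, and the inhibit semantics used here (the condition must hold no later than the input event) is a stated simplification.

```python
"""Added example (not code from the patent or the EMFTA tool): evaluating the
five gate types of the fault tree meta-model over a record of which events
occurred and when. Event names and times below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Gate:
    kind: str                        # "AND", "OR", "XOR", "PAND" (priority AND) or "INHIBIT"
    inputs: list                     # basic event names (str) or nested Gate objects
    condition: Optional[str] = None  # conditional event name, used by INHIBIT only


def occurrence(node, occurred):
    """Time at which `node` occurs, or None if it does not.
    `occurred` maps basic and conditional event names to the time they happened;
    an event absent from it did not occur."""
    if isinstance(node, str):                 # basic event: look it up
        return occurred.get(node)
    times = [occurrence(i, occurred) for i in node.inputs]
    happened = [t for t in times if t is not None]
    if node.kind == "AND":                    # all inputs: output at the time of the last one
        return max(times) if len(happened) == len(times) else None
    if node.kind == "OR":                     # at least one input: output at the first one
        return min(happened) if happened else None
    if node.kind == "XOR":                    # exactly one input
        return happened[0] if len(happened) == 1 else None
    if node.kind == "PAND":                   # all inputs, strictly in the listed order
        if len(happened) != len(times) or any(a >= b for a, b in zip(times, times[1:])):
            return None
        return times[-1]
    if node.kind == "INHIBIT":                # single input, passed only if the condition holds
        (t,) = times
        cond = occurred.get(node.condition)
        # simplification: the condition must be in place no later than the input event
        return t if t is not None and cond is not None and cond <= t else None
    raise ValueError(f"unknown gate kind {node.kind!r}")


# constructed occurrence record: the ACP fails at t=3, the AMU at t=5, a condition holds from t=1
SAMPLE = {"ACP_failed": 3.0, "AMU_failed": 5.0, "maintenance_mode": 1.0}
```

With SAMPLE, an AND of the two failures occurs at t=5, a priority AND listed as (ACP, AMU) also occurs at t=5, but the same priority AND listed as (AMU, ACP) does not occur at all, which is the distinction the gate exists to capture.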
2) Component level FT
The conversion method of the present invention uses an intermediate model, namely the component level fault tree (CFT) shown in fig. 7.
This meta-model reuses the definitions of the target analysis model in FIG. 6. The System is the main container for all components and their CFTs. Each block/component defined in the system is added as a Component, which may contain other components, ports, and its fault-tree failure behavior. A Port is contained in a component and has a direction attribute.
In this embodiment, the safety analysis fault tree FTA is generated automatically through an intermediate-model conversion, taking as input the SysML-based source model of the civil communication navigation system, the fault tree (FT) based target meta-model of the civil communication navigation system, and the SysML architecture diagrams;
specifically, the conversion means the following: the SysML-based source model of the civil communication navigation system is converted into a classical fault tree model conforming to the FT-based target meta-model, so that safety analysis can be performed on the system. The conversion is divided into two consecutive steps, which may be carried out either as two consecutive steps or as one single step; the conversion process is illustrated in FIG. 8.
1) Performing component level fault tree model conversion
Converting the failure behavior at the component level of the system into component-level fault tree models, according to the SysML behavior structure diagram, yields the component-level fault trees, where each failure mode may correspond to a different top failure event;
a component may fail in different ways, modeled in its state machine as multiple failure states. Each failure mode may correspond to a component-level fault tree with a different top failure event.
For example, FIG. 9 shows the mapping of the behavior of the AMU component model to a component-level fault tree model. The two failure states in the SysML model are mapped to two top events, i.e., two component-level fault trees are synthesized for the component.
2) Performing system level fault tree model conversion
Implemented by combining the component-level fault tree models: an analysis model representing the system-level safety behavior is generated from the interconnections of the corresponding component instances.
In this step of the conversion, a system level fault tree is synthesized representing the fault behavior of the system of interest.
The "system level fault tree" transformation first generates a system FT model that models the failure behavior of the system. This conversion targets the internal structure, that is, how the blocks/components interact and how that affects system failures. It does so by taking the block types, block instances and their connectors from the IBD and modeling the interactions between the instances. If the failure described by a component-level fault tree propagates, the top event at the component level becomes an intermediate event in the system-level FT.
FIG. 10 shows the mapping from the component-level fault trees to the system-level fault tree. The figure shows three nested views: FIG. 10(1) shows the CFT of the ACP component; FIG. 10(2) the component-level FT of the AMU; FIG. 10(3) the system-level FT.
The fault tree model generated by the conversion is shown in fig. 10 (3). The results show that the system has two fault trees, indicating that the system has two possible failure modes.
Fault tree analysis provides valuable information about system safety. It mainly delivers qualitative results, but can also be extended to quantitative ones. The key qualitative result of fault tree analysis is the set of "cut sets": a cut set is a set of basic events whose simultaneous occurrence causes the top (most undesired) event, and a minimal cut set is one from which no event can be removed without losing that property. An FT may have one or more cut sets. A basic event is an event that cannot be decomposed further, either by its nature or because of the limited information available.
The EMFTA tool is used to generate the cut sets of the system-level fault tree of FIG. 10(3) automatically. Table 1 lists the identified minimal cut sets of the two system-level fault trees. Each column holds the cut sets of one specific top event/fault: the audio management system has two system-level fault trees, one with top event LossOfControl and the other with top event ErroneousData.
TABLE 1 Audio management system: minimal cut sets of the system-level fault trees
(Table 1 appears in the original only as an image, BDA0003374199280000111; its contents are summarised in the text that follows.)
For the top event LossOfControl there are two cut sets, each containing a single basic event, which means that either of these events alone is sufficient for LossOfControl to occur. The ErroneousData event has a single cut set with a single event, i.e., the occurrence of that one event causes ErroneousData.
Based on these cut sets, design decisions can be made to prevent the identified faults; a cut set of size one is, by definition, a single point of failure. One option is to add a redundant Audio Control Panel (ACP) instance so that the ACP is no longer a single point of failure; another is to make the Audio Management Unit (AMU) more resilient to failure. After a decision has been taken, the modified model is analysed again to assess the impact of the design change on the system, following the general activities shown in FIG. 1.
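As an added worked example, not code from the patent or from the EMFTA tool, the following Python carries the two-step conversion described above through to the cut set analysis: each failure state of a block becomes the top event of a component-level fault tree, a failure arriving on an input port is kept as an unresolved leaf at component level, and the system-level tree is synthesised by following the IBD connectors back to the source block, whose top event then becomes an intermediate event. Minimal cut sets are computed by a simple bottom-up expansion (OR = union, AND = cross product, then drop non-minimal sets), not by EMFTA's algorithm. The component, port and failure-mode names follow the description, but the basic events (ACP internal fault, AMU internal fault, AMU data corruption) are assumptions constructed so that the result has the shape Table 1 reports: two single-event cut sets for LossOfControl and one for ErroneousData. The optional second ACP instance reproduces the design modification discussed in the preceding paragraph; a feedback loop in the IBD is rejected with an error, because a naive connector walk would otherwise never terminate.

```python
"""Added example (not code from the patent): SysML-style blocks/ports/connectors ->
component-level fault trees -> system-level fault tree -> minimal cut sets.
Component, port and failure-mode names follow the AMS description; the basic
events are constructed assumptions chosen so the result has the shape Table 1 describes."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Event:            # basic event: cannot be decomposed further
    name: str

@dataclass(frozen=True)
class InputFailure:     # CFT leaf: a failure arriving on an input port, resolved via the IBD
    component: str
    port: str

@dataclass
class Gate:             # "AND" or "OR"; XOR, priority-AND and inhibit gates are not needed here
    kind: str
    inputs: list        # Event | InputFailure | Gate
    name: str = ""      # the intermediate/top event the gate produces

@dataclass
class Component:
    name: str
    failure_modes: dict  # mode -> (internal basic causes, input ports whose failure also causes it)
    port_failure: dict   # output port -> failure mode that propagates out of it

def component_fault_tree(comp, mode):
    """One CFT per failure state of the block's state machine; its top event is that mode."""
    basics, in_ports = comp.failure_modes[mode]
    leaves = [Event(f"{comp.name}.{b}") for b in basics] + [InputFailure(comp.name, p) for p in in_ports]
    return Gate("OR", leaves, name=f"{comp.name}.{mode}")

def system_fault_tree(components, connectors, comp_name, mode, _visiting=frozenset()):
    """Resolve InputFailure leaves through connectors {(dst, dst_port): [(src, src_port), ...]}.
    A single source's top event becomes an intermediate event here; several (redundant)
    sources are AND-ed because the input only fails when all of them have failed."""
    key = (comp_name, mode)
    if key in _visiting:  # a feedback loop in the IBD would otherwise recurse forever
        raise ValueError(f"cyclic failure propagation through {key}")
    tree = component_fault_tree(components[comp_name], mode)
    resolved = []
    for leaf in tree.inputs:
        if isinstance(leaf, InputFailure):
            subs = [system_fault_tree(components, connectors, src, components[src].port_failure[port],
                                      _visiting | {key})
                    for src, port in connectors[(leaf.component, leaf.port)]]
            resolved.append(subs[0] if len(subs) == 1 else
                            Gate("AND", subs, name=f"{leaf.component}.{leaf.port}.all_sources_failed"))
        else:
            resolved.append(leaf)
    return Gate("OR", resolved, name=tree.name)

def minimal_cut_sets(node):
    """Bottom-up: OR = union of child cut sets, AND = cross product; then drop non-minimal sets."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    if isinstance(node, InputFailure):   # still a leaf when analysing a component-level tree
        return {frozenset([f"{node.component}.{node.port}.input_failure"])}
    child = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child)
    elif node.kind == "AND":
        sets = {frozenset().union(*combo) for combo in product(*child)}
    else:
        raise ValueError(f"unsupported gate {node.kind}")
    return {s for s in sets if not any(o < s for o in sets)}

def single_points_of_failure(cut_sets):
    """Basic events that alone cause the top event (cut sets of size one)."""
    return {next(iter(s)) for s in cut_sets if len(s) == 1}

def build_ams(redundant_acp=False):
    """Assumed AMS model on the crew-to-VHF path: ACP -> AMU, plus an optional second ACP."""
    acp = Component("ACP", {"Failed": (["internal_fault"], [])}, {"ACPOut:InternalSignalSend": "Failed"})
    amu = Component("AMU", {"Failed": (["internal_fault"], ["AMUIn:InternalSignalSend"]),
                            "ErroneousData": (["data_corruption"], [])},
                    {"AMUOut:AudioSignalToVHF": "Failed"})
    components, sources = {"ACP": acp, "AMU": amu}, [("ACP", "ACPOut:InternalSignalSend")]
    if redundant_acp:  # the design modification discussed in the text
        components["ACP2"] = Component("ACP2", acp.failure_modes, acp.port_failure)
        sources.append(("ACP2", "ACPOut:InternalSignalSend"))
    return components, {("AMU", "AMUIn:InternalSignalSend"): sources}

def ams_cut_sets(redundant_acp=False):
    """Minimal cut sets of both system-level top events: LossOfControl and ErroneousData."""
    components, connectors = build_ams(redundant_acp)
    loss = system_fault_tree(components, connectors, "AMU", "Failed")              # top event LossOfControl
    erroneous = system_fault_tree(components, connectors, "AMU", "ErroneousData")  # top event ErroneousData
    return {"LossOfControl": minimal_cut_sets(loss), "ErroneousData": minimal_cut_sets(erroneous)}
```

Calling ams_cut_sets() gives the baseline result (ACP.internal_fault and AMU.internal_fault as two single-event cut sets for LossOfControl, AMU.data_corruption alone for ErroneousData); ams_cut_sets(redundant_acp=True) turns the two ACP faults into one two-event cut set, so single_points_of_failure() then reports only the AMU, which is exactly the check to rerun after each design change.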
The method models the audio management system of the civil aviation communication navigation system with the standard system modeling language SysML, automatically generates the safety analysis fault tree (FTA) by intermediate-model conversion between the SysML-based source model of the civil communication navigation system and the FT-based target meta-model of the civil communication navigation system, and performs safety analysis of the chosen management system of the civil communication navigation system according to that fault tree. The invention analyses all states of the communication navigation system algorithmically and, by relying on a computer tool, avoids the omission of failure states.
Example 2
As shown in fig. 11, the present embodiment is different from embodiment 1 in that the present embodiment provides a security analysis system for a civil communication navigation system based on SysML, which supports the security analysis method for the civil communication navigation system based on SysML; in the embodiment, an audio management system in a civil airborne communication navigation system is taken as an example, and a safety analysis system of the civil communication navigation system based on SysML is provided; the system comprises:
the system source model building unit is used for carrying out system modeling on an audio management system in the civil aviation communication navigation system by adopting a standard system modeling language SysML to obtain a civil communication navigation system source model based on SysML;
the system target meta-model building unit is used for carrying out fault modeling on the audio management system by adopting a fault tree analysis method to obtain a civil communication navigation system target meta-model based on a fault tree FT;
the conversion and automatic fault tree generation unit is used for automatically generating the safety analysis fault tree FTA through intermediate-model conversion, according to the SysML-based source model of the civil communication navigation system, the fault tree (FT) based target meta-model of the civil communication navigation system, and the SysML architecture diagrams;
the safety analysis unit is used for carrying out safety analysis on an audio management system of the civil communication navigation system according to the safety analysis fault tree FTA, judging whether the safety requirement is met, and if the safety requirement is met, accepting the safety solution; otherwise, design modification is performed on the audio management system.
In this embodiment, the execution process of the system source model building unit is as follows:
acquiring the requirement of an audio management system, and establishing an audio management system architecture according to the requirement of the audio management system;
modeling the audio management system architecture by adopting a standard system modeling language SysML to generate a SysML BDD diagram of the audio management system;
modeling the internal structure of the audio management system with the standard system modeling language SysML to generate the AMS IBD diagram; modeling the behavior of the audio management system with the standard system modeling language SysML to obtain a state machine model (SMD);
and adding the safety behavior annotation into the component behavior specified in the state machine model SMD to obtain a SysML behavior structure diagram.
In this embodiment, the automatic fault tree conversion unit includes a component-level fault tree model conversion subunit and a system-level fault tree model conversion subunit;
the component-level fault tree model conversion subunit is used for performing component-level fault tree model conversion, converting the fault behaviors of the system component level into component-level fault tree models according to the SysML behavior structure diagram, and obtaining component-level fault trees with different top failure events possibly corresponding to each failure mode;
and the system-level fault tree model conversion subunit is used for performing system-level fault tree model conversion, is realized according to the combination of the component-level fault tree models, and generates an analysis model representing system-level safety behavior according to the interconnection of corresponding component instances.
The execution processes of other units are executed according to the flow steps of the method for analyzing the security of the civil communication navigation system based on the SysML in embodiment 1, and are not described in detail in this embodiment.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A SysML-based security analysis method for a civil communication navigation system, characterized by comprising the following steps:
performing system modeling on a certain management system in the civil aviation communication navigation system by adopting a standard system modeling language SysML to obtain a source model of the civil communication navigation system based on SysML;
fault modeling is carried out on the corresponding management system by adopting a fault tree analysis method, and a target meta-model of the civil communication navigation system based on the fault tree FT is obtained;
according to the source model of the civil communication navigation system based on SysML and the target meta model of the civil communication navigation system based on the fault tree FT, a safety analysis fault tree FTA is automatically generated between the source model and the target meta model through intermediate model conversion;
according to the safety analysis fault tree FTA, safety analysis is carried out on a certain management system of the civil communication navigation system, whether safety requirements are met or not is judged, and if the safety requirements are met, the safety solution is accepted; otherwise, design modification is carried out on the management system.
2. The method for analyzing the security of the civil communication and navigation system based on the SysML as claimed in claim 1, wherein the step of performing the system modeling on a certain management system in the civil aviation communication and navigation system by using the standard system modeling language SysML comprises the steps of:
acquiring the requirement of a preset management system, and establishing a preset management system architecture according to the requirement of the preset management system;
modeling the preset management system architecture by adopting a standard system modeling language SysML, and generating a SysML BDD diagram of the preset management system;
modeling the internal structure of the preset management system with the standard system modeling language SysML to generate the AMS IBD diagram; modeling the behavior of the preset management system with the standard system modeling language SysML to obtain a state machine model (SMD);
and adding the safety behavior annotation into the component behavior specified in the state machine model SMD to obtain a SysML behavior structure diagram.
3. The SysML-based security analysis method for civil communication and navigation systems according to claim 2, wherein the preset management system architecture is modeled using a standard system modeling language SysML, wherein the preset management system is an audio management system; the method specifically comprises the following steps:
determining an AMS block of the audio management system, which interacts with other systems/subsystems through four proxy ports: the first proxy port, AMSIn (SignalFromPilot), receives the transmit voice signal that the cockpit flight crew needs to send to the ground; the second proxy port, AMSIn (AudioSignalFromVHF), receives the voice signal received by the VHF communication system; the third proxy port, AMSOut (SignalToPilot), provides the call signal of the ground VHF radio station to the flight crew; and the fourth proxy port, AMSOut (AudioSignalToVHF), provides the transmit voice signal that is to be sent out by the VHF communication system;
the AMS block comprises an audio control panel ACP and an audio management unit AMU, wherein the audio control panel ACP is used for receiving the voice audio sent by the flight crew, collecting the control operation data of the flight crew, and distributing the transmit voice audio and the control operation data to the connected components; it receives the transmit voice audio and control operation data at proxy port ACPIn: SignalFromPilot and passes them to another proxy port, ACPOut: InternalSignalSend, which interconnects with the other blocks/components;
the audio management unit AMU is responsible for receiving the voice audio and the control operation data sent by the flight crew and for deciding, from the control operation data, through which communication channel the crew's voice audio is sent out; it communicates with the other blocks/components by receiving the flight crew's voice audio at proxy port AMUIn: InternalSignalSend and transferring it to another proxy port, AMUOut: AudioSignalToVHF.
4. The SysML-based security analysis method for civil communication and navigation systems as recited in claim 3, wherein modeling the internal structure of the preset management system with the standard system modeling language SysML means specifying the composition of, and the interactions between, the component instances of the preset management system, so that SysML models the set of interfaces and the possible flows of the component's internal structure; the internal structure of the AMS block is modeled with a SysML IBD to obtain the AMS IBD diagram; specifically:
there are three interconnections in the AMS IBD from the flight crew end to the VHF transmitter end, each using a connector that carries an item flow in the direction of communication; the first interconnection is from the AMS AMSIn: SignalFromPilot port to the ACP ACPIn: SignalFromPilot port; the second is from the ACP ACPOut: InternalSignalSend port to the AMU AMUIn: InternalSignalSend port; the third is from the AMU AMUOut: AudioSignalToVHF port to the AMS AMSOut: AudioSignalToVHF port;
from the VHF receiver end to the flight crew end there are likewise three interconnections in the AMS IBD, each using a connector to carry the item flow; the first interconnection is from the AMS AMSIn: AudioSignalFromVHF port to the AMU AMUIn: AudioSignalFromVHF port; the second is from the AMU AMUOut: InternalSignalRevd port to the ACP ACPIn: InternalSignalRevd port; the third is from the ACP ACPOut: SignalToPilot port to the AMS AMSOut: SignalToPilot port.
5. The SysML-based security analysis method for civil communication and navigation systems according to claim 4, wherein the Standard System modeling language SysML is used to model the behavior of the pre-defined management system, resulting in a state machine model SMD: an audio control panel state machine diagram and an audio management unit state machine diagram.
6. The SysML-based civil communication and navigation system security analysis method according to claim 1, wherein the security analysis fault tree FTA is automatically generated by intermediate model transformation between the SysML-based civil communication and navigation system source model and the fault tree FT-based civil communication and navigation system target meta-model; the method specifically comprises the following steps:
performing component-level fault tree model conversion, converting the fault behaviors of the system component level into component-level fault tree models according to the SysML behavior structure diagram, and obtaining component-level fault trees with different top failure events corresponding to each failure mode;
and performing system-level fault tree model conversion, realizing according to the combination of the component-level fault tree models, and generating an analysis model representing system-level safety behaviors according to the interconnection of corresponding component instances.
7. The SysML-based security analysis method for civil communication and navigation systems according to claim 6, wherein performing the security analysis on a certain management system of the civil communication and navigation system according to the safety analysis fault tree FTA consists of analysing the generated analysis model of the system-level safety behavior with a fault tree analysis tool.
8. The security analysis system of the civil communication navigation system based on SysML, which is characterized in that the system supports the security analysis method of the civil communication navigation system based on SysML as in any one of claims 1 to 7; the system comprises:
the system source model building unit is used for carrying out system modeling on a certain management system in the civil aviation communication navigation system by adopting a standard system modeling language SysML to obtain a civil communication navigation system source model based on SysML;
the system target meta-model building unit is used for fault modeling of the corresponding management system by adopting a fault tree analysis method to obtain a civil communication navigation system target meta-model based on a fault tree FT;
the conversion automatic generation fault tree unit is used for automatically generating a safety analysis fault tree FTA through intermediate model conversion according to the source model of the civil communication navigation system based on SysML and the target meta model of the civil communication navigation system based on the fault tree FT;
the safety analysis unit is used for executing safety analysis on a certain management system of the civil communication navigation system according to the safety analysis fault tree FTA, judging whether the safety requirement is met, and if the safety requirement is met, receiving the safety solution; otherwise, design modification is carried out on the management system.
9. The SysML-based civil communication and navigation system security analysis system according to claim 8, wherein the system source model construction unit is implemented by:
acquiring the requirement of a preset management system, and establishing a preset management system architecture according to the requirement of the preset management system;
modeling the preset management system architecture by adopting a standard system modeling language SysML, and generating a SysML BDD diagram of the preset management system;
modeling the internal structure of the preset management system with the standard system modeling language SysML to generate the AMS IBD diagram; modeling the behavior of the preset management system with the standard system modeling language SysML to obtain a state machine model (SMD);
and adding the safety behavior annotation into the component behavior specified in the state machine model SMD to obtain a SysML behavior structure diagram.
10. The SysML-based civil communication navigation system security analysis system according to claim 8, wherein the transition auto-generated fault tree unit includes a component level fault tree model transition sub-unit and a system level fault tree model transition sub-unit;
the component-level fault tree model conversion subunit is used for performing component-level fault tree model conversion, converting the fault behaviors of the system component level into component-level fault tree models according to the SysML behavior structure diagram, and obtaining component-level fault trees with different top failure events corresponding to each failure mode;
and the system-level fault tree model conversion subunit is used for performing system-level fault tree model conversion, is realized according to the combination of the component-level fault tree models, and generates an analysis model representing system-level safety behavior according to the interconnection of corresponding component instances.
CN202111412624.0A 2021-11-25 2021-11-25 Security analysis method and system based on SysML civil communication navigation system Pending CN114118790A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111412624.0A CN114118790A (en) 2021-11-25 2021-11-25 Security analysis method and system based on SysML civil communication navigation system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111412624.0A CN114118790A (en) 2021-11-25 2021-11-25 Security analysis method and system based on SysML civil communication navigation system

Publications (1)

Publication Number Publication Date
CN114118790A true CN114118790A (en) 2022-03-01

Family

ID=80375555

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111412624.0A Pending CN114118790A (en) 2021-11-25 2021-11-25 Security analysis method and system based on SysML civil communication navigation system

Country Status (1)

Country Link
CN (1) CN114118790A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115758789A (en) * 2022-12-01 2023-03-07 金航数码科技有限责任公司 Software architecture design and architecture transmission method of complex real-time embedded system
CN115758789B (en) * 2022-12-01 2023-11-17 金航数码科技有限责任公司 Software architecture design and architecture transfer method of complex real-time embedded system

Similar Documents

Publication Publication Date Title
CN111190820B (en) Configuration item test platform construction method and test method for display control software
EP3379436B1 (en) Method and apparatus for testing design of satellite wiring harness and signal processing units
Mhenni et al. Safety analysis integration in a SysML-based complex system design process
CN110069410A (en) A kind of embedded satellite-borne Generation of software test case method based on Dynamic fault tree
CN108089976A (en) A kind of method for building flight management system software virtual testing environment
CN114118790A (en) Security analysis method and system based on SysML civil communication navigation system
Mattarei et al. Comparing different functional allocations in automated air traffic control design
Zhao et al. Safety assessment of the reconfigurable integrated modular avionics based on STPA
CN112464463B (en) Flight process-based simulation implementation method for parameter-oriented functional model
CN106292589A (en) A kind of redundancy management method of the manual intervention being applied to unmanned plane
Brunner et al. A safety process for self-adaptive safety-critical plug&fly avionics
Wei et al. QaSten: Integrating quantitative verification with safety analysis for AADL model
US11960385B2 (en) Automatic generation of integrated test procedures using system test procedures
Chakraborty Fault tolerant fail safe system for railway signalling
CN112671627B (en) Systematic bus model selection method and device for airborne flight control system
CN111913192B (en) GBAS integrity risk allocation method based on key star
Xiaoxun et al. A Comparison of SAE ARP 4754A and ARP 4754
Tallant et al. Validation & verification of intelligent and adaptive control systems
Kobayashi et al. The effectiveness of D-Case application knowledge on a safety process
Sghairi et al. Distributed and reconfigurable architecture for flight control system
US8583316B2 (en) Checking of a communication system for an aircraft under development
Park et al. Model-based concurrent systems design for safety
de Matos et al. Using design patterns for safety assessment of integrated modular avionics
Fu et al. Research on IMA Blueprint Test Case Generation Method
CN111190821B (en) Test platform construction method and test method of cabin door integrated management software

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination