RU2740544C1 - Method and system for monitoring data integrity - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: invention relates to protection of information from unauthorized access. Disclosed solution relates to a method of monitoring the integrity of data on the state of the automatic control system of a gas turbine engine, transmitted from aircraft to the manufacturer, for implementation of which process time series are compared, which characterize behavior of parameters of automatic control system of gas turbine engine installed on aircraft, and the gas turbine engine automatic control system model, installed in the manufacturing enterprise, calculating a determination coefficient, an average percentage of deviation and Euclidean distance, determining to which of the formed seven types of consistency the given vector relates, determining, in which of two operating modes is a system for automatic control of a gas turbine engine: transient or steady-state, and in accordance with the generated fuzzy logic rules, based on the control system signal, operating mode and consistency parameters, a decision is made on presence of attack of intruder on received data, their integrity and estimating probability with which this decision is made.

EFFECT: disclosed solution is aimed at increasing the level of protection of information from unauthorized modification.

2 cl, 13 dwg, 10 tbl

Description

The invention relates to the field of information protection from unauthorized access.

The known method (RF patent No. 2560810, IPC G06F 21/31, H04L 9/32, publ. 08/20/2015), in which to create a secure environment to protect information from unauthorized use, encrypt information using a cryptographic processor and a private cryptographic key stored in the user's device, form and send a data packet containing a one-time user authentication code to the service person's server, decrypt the data packet on the service person's server and check the one-time user authentication code and a verification code on the server; in case of a positive verification result, the server sends the data packet to the user , a one-time user authentication code obtained when decrypting the user's data packet, then the user's device generates a new data packet characterized by a new one-time user authentication code, the data packet consists of encrypted and unencrypted parts, and the unencrypted part of the data It contains a verification code designed to check the integrity of the entire data packet and a user ID.

The known method (RF patent No. 2704268, IPC H04L 9/08 H04W 12/06, publ. 10/25/2019), which uses key carriers equipped with cryptographic functions, mutual authentication schemes for an unmanned aerial vehicle (UAV) and a ground control station (NSU ) based on asymmetric cryptographic keys, combined with a scheme for calculating a common symmetric key, and a scheme for generating a session master key and encryption keys and calculating an imitation insert for the subsequent formation of a secure wireless communication channel between the UAV and the NSO, which ensures encryption of transmitted information and control of its integrity, when The schemes of mutual authentication, calculation of a common symmetric key and generation of session keys are designed taking into account the specifics of the use of UAVs and the formation of wireless communication channels between the UAV and the NSO.

A common drawback of these methods is the need for additional secret keys, which are used to confirm the integrity of the transmitted information. The presence of such a key will not be able to prevent an internal attacker from faking information about the state of the aircraft (AC) at the information receiving points. In addition, both on board the aircraft and at the enterprise receiving information, it is necessary to have appropriate cryptographic equipment and software, which can negatively affect the computing capabilities of the onboard computer.

Thus, a common drawback of the considered methods is the possibility of substituting or modifying data received from the aircraft on the state of the automatic control system of a gas turbine engine, by an internal intruder.

The closest analogue of the claimed method and system is chosen (Guzairov M.V. Frid AI, Vulfin AM, Berkholts VV The concept of integrity of telemetric information about the state of an aircraft power plant monitoring // Proceedings of 2019 International Conference on Electrotechnical Complexes and Systems ( ICOECS) Electronic resource https://ieeexplore.ieee.org/document/8950020). Monitoring the integrity of the data received from the aircraft on the state of the automatic control system of the gas turbine engine transmitted from the aircraft to the manufacturer is based on a comparison of technological time series characterizing the behavior of the parameters of the automatic control system of a gas turbine engine (ACS GTE) installed on the aircraft, and the model of the automatic control system for a gas turbine engine installed at the manufacturer, according to the indicators: correlation and determination coefficients and the average percentage of deviation, on the signal of the health monitoring system of the automatic control system of the gas turbine engine and the operating mode of the automatic control system of the gas turbine engine.

An analogue of the proposed system consists of the following blocks:

1. Block of windowed analysis of technological time series (TVR), which forms multidimensional TVR, received from the ACS of the GTE and generated by the model, to determine the current type of dynamics of the ACS of the GTE and further analysis of the consistency of TVR.

2. A group of blocks that implements the classifier to determine the current operating mode of the automatic control system of a gas turbine engine using cluster analysis of the state of the ACS GTE to select the operating modes of the ACS GTE and implements the classifier of the ACS GTE states

5. A block that constructs a vector of estimates of the consistency of multidimensional TBR in the current analysis window using a set of metrics: correlation coefficient, determination coefficient and average percent deviation.

6. Block intended for clustering of TBP consistency parameters.

7. Block, which is an ensemble of neuro-fuzzy classifiers and a neural network that determines which type of consistency the current vector of consistency parameters belongs to.

8. Resulting block that implements decision making on the current state of the system; allows you to assess the presence of one of the states of consistency between the model and gas turbine engine data: "Failure of the automatic control system of a gas turbine engine", "Normal operation", "Integrity violation"

The disadvantage of the prototype is the low probability of detecting an intruder's interference, due to the fact that the clustering algorithm is used to determine the operating mode of the object. Automatic classification into more than two classes does not allow determining the operating mode of the object with high accuracy, which can lead to a decrease in the probability of detecting an intruder's interference, and the complex implementation of the clustering algorithm of the operating modes of the object requires additional computing resources. An additional factor that reduces the likelihood of detecting intruders is that the correlation and determination coefficients both illustrate the proportion of variance, so that the consistency of TBP is actually determined by only two parameters: the proportion of variance and the average percentage of deviation, which leads to a worse estimate of the consistency of TBR.

The problem to be solved by the claimed method and system is to increase the likelihood of making a correct decision to establish the fact of an attack on data integrity.

The technical result is an increase in the level of protection against unauthorized modification.

The solution to the problem and the technical result is achieved by the fact that the method for monitoring the integrity of data on the state of the automatic control system of a gas turbine engine transmitted from the aircraft to the manufacturer, for the implementation of which the technological time series are compared, characterizing the behavior of the parameters of the automatic control system of the gas turbine engine, installed on the aircraft, and the model of the automatic control system of the gas turbine engine installed at the manufacturer, for comparison, the indicators are calculated: the coefficient of determination and the average percentage of deviation, determine the signal of the health monitoring system of the automatic control system of the gas turbine engine and the operating mode of the automatic control system of the gas turbine engine, according to invention for comparing technological time series based on calculating the vector of consistency parameters, additionally used in the calculation of the Euclidean distance, determine which of the formed seven types of consistency this vector belongs to, determine in which of the two operating modes the automatic control system of the gas turbine engine is located: transient or steady-state, and in accordance with the developed fuzzy steady-state rules based on the signal of the control system , operating mode and consistency parameters, make a decision on the presence of an attacker attack on the received data, their integrity and assess the probability with which this decision is made.

The solution to the problem and the technical result is achieved by the fact that the System for monitoring the integrity of data on the state of the automatic control system of a gas turbine engine, transmitted from the aircraft to the manufacturer, containing a block that performs window analysis and forms multidimensional technological time series of the automatic control system and its model , the outputs of which are directed to the block that implements the classifier for determining the current operating mode of the automatic control system of the gas turbine engine, and to the block that constructs the vector of estimates of the consistency of multidimensional technological time series in the current window using a set of metrics: the coefficient of determination, the average percentage of deviation, the output of which directed to the block designed for clustering the consistency parameters of technological time series, the outputs of the block that implements the clustering of consistency parameters into consistency types, and the block, you completing the construction of the vector of consistency estimates are directed to the block, which is an ensemble of neural fuzzy classifiers and a neural network, which determines which type of consistency the current vector of consistency parameters belongs to, the output of which is directed to the resulting decision block, to which the result of the block classifying the operation mode is also fed automatic control system of a gas turbine engine and the output of the control system of the automatic gas turbine engine system, which implements the final decision on the current state of the system and allows to determine the presence of one of the states of consistency between the model data and the automatic control system of the gas turbine engine: "Failure of the automatic control system of the gas turbine engine", "Normal work "," Violation of integrity ", and to assess the probabilities of such a state, according to the invention in the block that determines the mode of operation of the automatic control system of gas turbine engine, classification into two modes of operation, steady-state and transient, is implemented on the basis of the derivative of the high-pressure rotor speed, the signal from the output of the minimum value selector and comparing them with the threshold values, the block performing the construction of technological time series additionally evaluates the consistency in terms of the Euclidean distance metric.

The proposed method for monitoring the integrity of data obtained from the operated ACS of a GTE aircraft is based on the selection of features in the signals in an automatic mode. Signal analysis requires the identification of fragments associated with individual events, and the study of the corresponding events by segmentation of the original technological time series (TBR) and [Yarushkina N.G. Intellectual analysis of time series: a tutorial / N.G. Yarushkina, T.V. Afanasyeva, I.G. Perfil'eva-Ulyanovsk: UlSTU, 2010 - 320 p.] Subsequent analysis of the signal using characteristics such as amplitude, waveform (morphology), duration, intervals between events, energy distribution, frequency content, etc. The block for making decisions on the state of the transmission channel from the aircraft to the manufacturer ensures the processing of TVRs generated by the ACS of the GTE on the operated aircraft, namely, it determines the operating mode of the ACS of the GTE (steady-state or transient) and compares these data with the data generated by the model at the enterprise manufacturer. [Golberg F.D. Mathematical models of aircraft gas turbine engines as a control object /. Golberg F.D., Batenin A.V. - Moscow: MAI publishing house, 1999 - 82 p.] Such division of all modes of operation of the ACS GTE into two groups will eliminate errors of the first kind in the process of making a decision on unauthorized modification of data on transient modes of operation of ACS GTE, since the parameters of ACS GTE in transient modes and the parameters of the model may be less consistent than on the established ones, which may entail making a false decision about the presence of an integrity violation. The introduction of different rules for the steady-state and transient modes of the ACS GTE makes it possible to exclude such errors. The invention is illustrated by drawings:

FIG. 1 shows a block diagram of a method for monitoring the integrity of data received from onboard aircraft systems.

FIG. 2 shows a block diagram of a system that implements a method for monitoring the integrity of the telemetry information (TMI) of the ACS of a gas turbine engine, received from the model and from the aircraft.

FIG. 3 shows a block diagram of the classifier of the ACS GTE operating mode.

FIG. 4 shows a generalized block diagram of a protected system for collecting, storing and processing TMI.

FIG. 5A, 5B, 5B, 5D and 5D show possible variants of TVR consistency.

FIG. 6A, 6B, 6C and 6D show the attacker's attack options

A block diagram of the method for monitoring the integrity of the parameters of the ACS of a GTE aircraft is shown in Fig. one.

The control system of the ACS GTE 1 enters the vector F, which characterizes the properties of the external environment, such as the parameters of atmospheric air: temperature outside the aircraft, pressure, etc. The vector E indicates additional operational factors [Golberg F.D. Mathematical models of aircraft gas turbine engines as a control object /. Golberg F.D., Batenin A.V. - Moscow: publishing house MAI, 1999 - 82 p.]. The vectors Y and X are outgoing from the control object 2. The vector Y includes the control parameters, such as: rotor speed, air pressure behind the compressor, gas temperature behind the turbine, etc. Vector X includes the following characteristics of the ACS GTE: thrust, rate of change, specific fuel consumption, and so on. The ACS of the GTE receives a vector of control actions U generated by the control system. The control system of the ACS GTE generates a signal (K) about the state (serviceable K = 1 / malfunctioning K = 0) ACS GTE.

The vectors X, Y, K, F, E and the position of the motor control lever (αORUD) are sent via data link 3 to the manufacturer. The channel is exposed to external factors and noise, the impact of which is indicated by the vector N.

The signal of the control system of the ACS GTE is transmitted to the manufacturer. In the event of a failure, the signal is displayed on the aircraft dashboard to notify the aircraft crew about the failure. According to (FAP "Preparation and performance of flights in civil aviation of the Russian Federation" (clause 3.117 as amended by Order of the Ministry of Transport of Russia dated November 22, 2010 N 263)), the crew, as soon as possible, informs the Air Traffic Management (ATM), if necessary, with application of the urgency signal of a malfunction.

A failure on board an aircraft is a special case. When transmitting data from the aircraft to the manufacturer, including such a signal, the manufacturer contacts the ATM authorities to exclude the possibility of such a signal forgery by an intruder.

If the manufacturer received data indicating the normal operation of the ACS of the gas turbine engine (K = 1), but the attacker modified the signal of the control system, and there were malfunctions, the comparison of TBR and the assessment of the consistency parameters will reveal an integrity violation.

A tuple of vectors (X, Y, K, F, E, αOE) arrives at the manufacturer. On the PI model of the ACS GTE 4, according to the flight parameters (vectors E and F), it generates signals Y _M (analog of vector Y), X _M (analog of vector X), emanating from the model of the control object 5, and the UM-vector of regulating effects of the ACS GTE model.

The vectors X, Y, Y _M , X _{M are} sent to the decision block 6, where they are compared, and the state of the signal of the control system (K) is checked, after which a decision (R) is made about whether an attack was made on the system, equipment failure has occurred or the work continues in a normal mode and the probability of the correctness of the decision made is estimated (P).

The claimed method for monitoring the integrity of data received from the aircraft includes the following main steps:

1. A set of parameters of the ACS of the gas turbine engine is allocated for the analysis of the discrepancies between the data obtained from the model and the data obtained from the aircraft;

,

- наборы ТВР, сгенерированные моделью и полученные с ЛА, помещенные в одно временное окно;2. A sliding window is selected for the analysis of multidimensional vectors X, Y, Y _M , X _M.

,

- sets of TVRs generated by the model and received from the aircraft, placed in one time window;

3. A multidimensional time series (BP) P ^W is built - parameters of TBP consistency for each of the analysis windows W _S ;

4. The mode of operation of the ACS GTE U _H (steady or transient) is determined in the selected time window;

5. The calculation of the parameters of the consistency of TVR, received from the aircraft, and TVR, generated by the model;

6. Based on the calculated parameters of the mismatch, the type of mismatch of TBR is determined;

7. Based on the type of ACS GTE dynamics, the type of BP mismatch and the control system signal, a decision is made on the integrity of the data received from the aircraft;

TMI integrity control is based on the analysis of the consistency of the behavior of the parameters obtained using the model of a complex technical product and received from the onboard systems of the aircraft. The output of the monitoring system is to assess the probability of data integrity violation events.

2. A system that implements a method for monitoring the integrity of data received from the aircraft

A block diagram of a system that implements a method for monitoring the integrity of data obtained from a model of an automatic control system of a gas turbine engine and an aircraft is shown in Fig. 2 and contains the following blocks:

,

признаков для определения текущего типа динамики САУ ГТД и дальнейшего анализа согласованности ТВР. Размер скользящего временного окна равен 100 временным отсчетам. Размер был подобран экспериментально.The block of window analysis TBR 7 using a sliding window of length WS with a step S forms a set of matrices from the original multidimensional TBR x _M and x

,

signs for determining the current type of dynamics of the ACS GTE and further analysis of the consistency of TVR The size of the sliding time window is 100 time samples. The size was chosen experimentally.

An example of a TBR matrix is presented in Table 1:

Block (8) implements the classifier of the states of the ACS GTE model. At the output of the block, a decision is formed about the state of the ACS GTE model: steady state or transitional. A detailed block diagram (8) is shown in Fig. 3.

The designations in FIG. 3 are as follows:

n ₁ - low pressure rotor speed

n ₂ - high pressure rotor speed

- температура газа за турбиной

- gas temperature behind the turbine

n ₁₀ - set value of the low pressure rotor speed

n ₂₀ - set value of the high pressure rotor speed

- уставочное значение температуры газа за турбиной

- set value of gas temperature behind the turbine

Δn ₁ - difference between the setpoint and actual values of the low pressure rotor speed

Δn ₂ - the difference between the setpoint and actual values of the high pressure rotor speed

- разность между уставочным и действительным значениями температуры газа за турбиной

- the difference between the setpoint and actual values of the gas temperature behind the turbine

G _t - fuel consumption

Δх - output of the sector of the minimum

- производная частоты вращения ротора высокого давления

- derivative of the high pressure rotor speed

The input of the classifier 15 receives the derivative of the rotation frequency 13 of the high-pressure rotor and the signal from the output of the selector of the minimum value 14 of the mismatch of the controlled parameters of the engine 2, which is an element of the ACS GTE [Gurevich, OS, Golberg, FD, Selivanov OD. Integrated control of the power plant of a multi-mode aircraft / Under total. ed. O.S. Gurevich. - M. Mechanical Engineering, 1993. - 304 S.], calculate the absolute values of these quantities and compare them with the threshold values. The mode is considered steady if the following condition is met:

where Δх is the output of the minimum sector,

x ₀ = 0.2% of the currently adjusted parameter,

- это производная частоты вращения ротора высокого давления,

is the derivative of the high pressure rotor speed,

в секунду.

per second.

If the condition is not met, then the ACS GTE mode is considered to be transient. If both transient and steady-state are encountered in the selected time window, it is considered that in this window the ACS GTE is in a transient state.

,

с помощью набора метрик (коэффициент детерминации, средний процент отклонения (МАРЕ) [J.S. Armstrong, F. Collopy, Error measures for generalizing about forecasting methods: Empirical comparisons, International Journal of Forecasting 8 (1) (1992) 69-80.] и евклидово расстояние [Загоруйко Н.Г. Прикладные методы анализа данных и знаний. - Новосибирск: ИМ СО РАН, 1999. - 270 с].Block (9) constructs the vector PW of estimates of the consistency of multidimensional TBR in the current analysis window

,

using a set of metrics (coefficient of determination, average percentage of deviation (MAPE) [JS Armstrong, F. Collopy, Error measures for generalizing about forecasting methods: Empirical comparisons, International Journal of Forecasting 8 (1) (1992) 69-80.] and Euclidean distance [Zagoruiko NG Applied methods of data and knowledge analysis. - Novosibirsk: IM SB RAS, 1999. - 270 s].

The correlation coefficient is calculated using the formula:

where n is the sample size,

- это выборочные средние величин,

are sample averages,

S _x and S _{y are} sample standard deviations.

The coefficient of determination is calculated by the formula:

Since the determination coefficient is derived from the correlation coefficient, the presence of both coefficients in the BDP is redundant. The coefficient of determination will be used for the BPR.

MAPE is calculated according to the formula:

The Euclidean distance is calculated using the following formula

Since the Euclidean distance itself is unrepresentative on data having different units of measurement, for various parameters of the automatic control system of a gas turbine engine, it is necessary to use the formula for calculating the Euclidean distance on the normalized data x _n and y _n :

- это выборочные средние величинWhere

are sample averages

This vector of consistency estimates allows to draw a conclusion about the current type of consistency of the parameters of the model and the real ACS of the gas turbine engine for subsequent decision-making on the possible reasons for the identified discrepancies in the decision making block.

. В результате формируется совокупность кластеров {С*} типов согласованности методом к - средних (k - means) [Steinhaus Н. (1956). Sur la division des corps materiels en parties. Bull. Acad. Polon. Sci., C1. III vol IV: 801-804], в ходе анализа которой выполняется переход к системе классов типов согласованности {Cq}. Метод k-средних стремится минимизировать суммарное квадратичное отклонение точек кластеров от центров этих кластеров:Block (10) is intended for automatic classification of TBR consistency parameters

... As a result, a set of clusters {С *} of types of consistency is formed by the method k - means (k - means) [Steinhaus N. (1956). Sur la division des corps materiels en parties. Bull. Acad. Polon. Sci. C1. III vol IV: 801-804], during the analysis of which the transition to the system of classes of types of consistency {Cq} is performed. The k-means method seeks to minimize the total square-law deviation of cluster points from the centers of these clusters:

where k is the number of clusters,

S _i - the resulting clusters,

μ _i - centers of mass of all vectors x from cluster S _i .

The k-means clustering method splits a set of elements into a known number of clusters k.

In the course of the TBP consistency analysis, 7 clusters were identified, after which an automatic classification of consistency types was performed.

Block (11) allows you to build a consistency type classifier based on the available data P ^W. To make a decision about the class of the current vector of TBR consistency parameters, it becomes necessary to construct a heterogeneous ensemble of neuro-fuzzy classifiers (NNC) with the ANFTS architecture [Jang, Jyh-Shing R (1991). “Fuzzy Modeling Using Generalized Neural Networks and Kalman Filter Algorithms in Proceedings of the 9th National Conference on Artificial Intelligence, Anaheim, CA, USA, July 14-19. 2: 762-767], each of which is designed to detect only one of the dedicated consistency types. An adaptive network-based fuzzy inference system, ANFIS is an artificial neural network based on a fuzzy inference system. Each of the NOC committee takes the TBP consistency metrics and decides whether this vector of metrics belongs to the consistency type on which it is trained, and outputs the value of the probability with which this vector belongs to its consistency type. U _C - probability of the current vector of consistency parameters belonging to consistency classes (types).

After training individual NNCs in the one-vs-all mode, it becomes possible to estimate the probability U _R that the current vector of signs PW of consistency belongs to each of the classes C * and the final selection of the most probable type of consistency in the voting mode using a neural network (NN ) type with activation function SOFTMAX [Hinton G., Vinyals O., Dean J. Distilling knowledge in a neural network // Proc. NIPS 2014 Deep Learning Workshop. Montreal, Canada, 2014. arXiv: 1503.02531].

The Softmax activation function looks like this:

where z _i is the value of the output of the i-th neuron before activation,

N is the total number of neurons in the layer.

K - number of classes

The input of this neural network is the probabilities of belonging of the consistency metrics vector TBR to each of the consistency types. The NN decides which of the types is most likely. Thus, when the probabilities of the block pass through the final NN, the problem of classifying the types of mismatch between the data obtained from the model and the data obtained directly from the aircraft is solved.

The resulting block (12) is based on the ANFIS type neural network [Jang, J.-S.R. ANFIS: adaptive-network-based fuzzy inference system // IEEE Transactions on Systems, Man and Cybernetics: journal. - 1993. - Vol. 23, no. 3.], which allows you to deploy a decision-making mechanism for the operator when it is necessary to conduct an investigation procedure for incidents of violation of the integrity of the TMI and implements the final decision-making Ro of the current state of the system and allows you to evaluate the probability of the correctness of the decision P about the presence of one of the states of consistency between the model data and the ACS : "Failure of ACS GTE", "Normal operation", "Violation of integrity." NS works on the rules of the form "IF ..., THEN ...". The rules are presented in table 4.

FIG. 4 shows a generalized block diagram of a protected system for collecting, storing and processing TMI from an aircraft (16, 17); data from the aircraft is read at service stations 18 and is transmitted to the corporate information network (CIS) 20 via the Internet connection 18. Then the TMI enters the integration module of the CIS 21 subsystems. Internal intruders who can make modifications to the system under consideration may be administrators of the corporate information system. systems 20, storage subsystems 22, processing subsystems 23, databases and business processes of PI 24, as well as maintenance personnel (TO) at TO stations 18. Dots ⊗ mark the places of possible attack by an intruder.

Testing of the presented method was carried out on a sample consisting of two types of technological time series: TBR obtained from the model, and TBR obtained from the aircraft. Noise was superimposed on TVRs received from the aircraft, and various cases of violation of the integrity by an intruder were simulated. In general, such effects can be described by the following expression:

x {t) = ε (t) * (ϕ (x '(t))

where x (t) is the value of the received parameter of the ACS GTE at the t moment of time,

ε (t) is the noise imposed on the signal at time t,

x '(t) is the transmitted value of the ACS GTE parameter at the t moment of time, ϕ (x' (t)) is the attacker's influence on the transmitted value of the ACS GTE parameter at t - the moment in time.

The offender can carry out the following actions to violate the integrity of the TMI [Vasiliev V.I., Vulfin A.M., Berholts V.V., Kirillova A.D., Velsky SM. Risk analysis of ensuring the integrity of telemetric information using cognitive technology http://journal.ugatu.ac.ru/index.php/Vestnik/article/view/2216 (date of access: 03/15/2020).]:

1) substitution of the base and / or subscriber radio station - suppression of the signal of the base / subscriber radio station and radio exchange using the intruder's own radio station transmitting fake information;

2) sending fake information to the radio channel - creating a data packet with fake telemetry information and sending it to the base / subscriber radio station;

3) re-sending of information previously intercepted in the radio channel - interception of a legitimate message transmitted over the radio channel and its re-sending to the traffic participant after a certain period of time.

FIG. 5A, 5B, 5C, 5D and 5D show examples of analysis of the consistency of TMI and model data.

To describe the rules for deciding on data integrity, linguistic variables were introduced that characterize each of the consistency parameters presented in Table 2.

In addition, the coefficient of determination can also take the value NaN ("Not a number", "not a number") - a non-existent value with a constant value of the parameter in the current window of the time series.

5A1. In this case, an attacker does not occur, but equipment failure or signal transmission from the aircraft is interrupted. Starting from the 85th iteration, the values of the data obtained from the aircraft changed sharply, and the value of their average value decreased relative to the average value of the previous values obtained from the model. The drop in the value of the received signal occurred almost at the last iterations in the current analysis time window, however, the values of the consistency parameters indicate the unreliability of the received data, but the signal from the control system indicates a malfunction on board. The situation "Equipment failure" was simulated.

5A2. In this example, an attack by an attacker “2B. Substitution of data for data unlike the original at the end of the time window. " At iteration 57, the average value of the transmitted signal changed sharply compared to the previous data. Distortion of the signal occurs at later iterations, which reduces the sensitivity of the determination coefficient. However, the values of the coefficient and determination, the value of MAPE and the Euclidean distance are low, the control system shows that everything is in order on the aircraft, and the parameters of TBR consistency are low for the steady-state operation of the automatic control system of the gas turbine engine. Data integrity has been compromised.

5B1. In this example, an attack by the attacker “2B. Substitution of data for data similar to genuine, in the middle of the time window. " This example illustrates the situation when the TBR consistency parameters take low values, the ACS of the GTE is in a transient mode of operation, the control system indicates the normal operation of the ACS of the GTE on the aircraft. Such low consistency parameters indicate a breach of data integrity.

5B2. There is no attacker attack. Here, the ACS of the GTE operates in a steady state, which means that the TBR consistency parameters should have high values, which are reflected in the values of the determination coefficient, MAPE and the Euclidean distance. Data integrity is not compromised. There is no attack.

5B1. The ACS of the GTE is in a transient mode of operation, which means that the window for the mismatch of the parameters is wider and some of the parameters of the consistency can take an average level of values, namely the coefficient of determination, as well as the Euclidean distance, however, MAPE has a high value. Data integrity is not compromised. There is no attack.

5B2. The ACS of the GTE is in a transient mode of operation, and, despite the low value of MAPE, the coefficient of determination is high, the Euclidean distance is small. Data integrity is not compromised. No attack

5B3. In this case, in the time window, the parameter of the ACS GTE took on a constant value, therefore it is impossible to calculate the coefficient of determination, they are assigned the value NaN (Not-a-Number), however, MAPE and the Euclidean distance take low values, the operating mode of the ACS GTE is static, the control system indicates normal operation. Data integrity is not compromised. There is no attack.

5G1. The attack of the attacker “3A. Increase (decrease) in the parameters of the ACS GTE while maintaining the behavior of the parameters during the entire time window. " Steady state ACS GTE. Control signal - normal operation. Due to the fact that the behavior of the parameters is preserved, the coefficients and determinations take on a high value, however, MAPE and the Euclidean distance are low, therefore, the data integrity is violated.

5G2. The attack of the attacker “1A. Noise overlay on transmitted data throughout the entire time window. " Steady state ACS GTE. Control signal - normal operation. All matching parameters take low values. Data integrity has been compromised.

5D. The attack of the attacker “4A. Forgery of controllers and external influences during the entire time window. " Steady state ACS GTE. Control signal - normal operation. All matching parameters take low values. The data generated by the model does not correspond to the data obtained from the ACS of the GTE. Data integrity has been compromised.

Based on the integrity violations listed above and examples of TBP consistency analysis, we can formulate the following types of attacker attacks (Fig. 6A, 6B, 6C and 6D): attacks aimed at falsifying data generated by the sensors of the ACS GTE, i.e. the parameters of the automatic control system of the gas turbine engine (high and low pressure rotor speeds, fuel consumption, gas temperature and pressure, etc.), and attacks aimed at forging control and external influences (αOUT, flight altitude, Mach number, etc.) ). When falsifying control and external influences, the model will generate signals from the ACS GTE that do not correspond to the actual values of the flight parameters. Similar attack options are shown in Figure 6D. With such an attack, the consistency parameters take on low values, which makes it possible to unambiguously indicate the presence of an attack, as shown in Experiment 5D.

When solving the clustering problem for the types of consistency, 7 types of consistency were identified, presented in Table 3

BPR implements the following set of rules, on the basis of which a decision is made on the integrity of the transmitted TMI. These rules are presented in Table 4, where RRS is the operating mode of the ACS of the engine (steady-state and transient), SK is the control system. If the signal K = 1, the ACS of the GTE is operational, otherwise K = 0. When the control system signal K = 0, the data received from the aircraft will be considered invalid. This is highlighted in a special event for the BPR "Failure of the ACS GTE".

The operation of these rules can be compared with that of FIG. 5 experiment. The application of the rules is presented in Table 5.

The algorithm was tested on 2500 test TBRs. Each pair of TBRs (TBR from the model and TBR generated by the ACS of the GTE) represented a time window consisting of 100 TBR samples in a time window. Some of the data obtained from the ACS of the GTE were attacked by an intruder, described in Table 6 to obtain different types of TBR matching. Further, for each pair, the TBR matching parameters were calculated.

Examples of test set of matching parameters and the corresponding type of matching are presented in the table

The final protocol of experiments on the classification of the type of agreement is presented in Table 7.

The final protocols for assessing the integrity of the information transmitted from the aircraft are presented in Tables 8, 9, 10. Table 8 is the experiment protocol for the data transmitted from the ACS of the gas turbine engine, which was in the steady flight mode. Table 9 is the experiment protocol for the information transmitted from the ACS of the GTE, which was in the transient flight mode. Table 10 is the final protocol of the experiment.

Thus, as can be seen from Table 10, the estimate of the probability of the correctness of the decision made on the type of TVR consistency, and, consequently, on the integrity of the data received from the aircraft, was 0.85.

So, the inventive method and system make it possible to detect unauthorized influences on the data on the state of the ACS of the gas turbine engine and thereby increase the level of information protection during its transfer from the aircraft to the manufacturer.

Claims (2)

1. A method for monitoring the integrity of data on the state of the automatic control system of a gas turbine engine, transmitted from the aircraft to the manufacturer, for the implementation of which the technological time series characterizing the behavior of the parameters of the automatic control system of the gas turbine engine installed on the aircraft and the model of the automatic control system are compared. control system of a gas turbine engine installed at the manufacturer, for comparison, the indicators are calculated: the coefficient of determination and the average percentage of deviation, determine the signal of the health monitoring system of the automatic control system of the gas turbine engine and the operating mode of the automatic control system of the gas turbine engine, characterized in that for comparison of technological time series on the basis of calculating the vector of consistency parameters, the calculation of the Euclidean distance is additionally used, it is determined to which of the formed x seven types of consistency, this vector refers, determine which of the two operating modes the automatic control system of the gas turbine engine is in: transient or steady-state, and in accordance with the developed rules of fuzzy logic based on the control system signal, operating mode and consistency parameters, make a decision on the presence of an attacker on the received data, their integrity and assess the probability with which this decision is made. 2. A system for monitoring the integrity of data on the state of the automatic control system of a gas turbine engine, transmitted from the aircraft to the manufacturer, containing a block that performs window analysis and forms multidimensional technological time series of the automatic control system and its model, the outputs of which are directed to the block that implements a classifier for determining the current operating mode of the automatic control system of a gas turbine engine, and into a block that constructs a vector of estimates of the consistency of multidimensional technological time series in the current window using a set of metrics: determination coefficient, average deviation percentage, the output of which is directed to a block designed for clustering parameters the consistency of technological time series, the outputs of the block that implements the clustering of consistency parameters into consistency types, and the block that constructs the vector of consistency estimates are directed to bl ok, which is an ensemble of neural fuzzy classifiers and a neural network that determines what type of consistency the current vector of consistency parameters belongs to, the output of which is directed to the resulting decision block, which also receives the result of the block that classifies the operation mode of the automatic control system for a gas turbine engine and the output control system of the automatic control system of a gas turbine engine, which implements the final decision-making on the current state of the system and allows one to determine the presence of one of the states of consistency between the model data and the automatic control system of the gas turbine engine: "Failure of the automatic control system of a gas turbine engine", "Normal operation", "Integrity violation ", And to assess the probabilities of such a state, characterized in that in the block that determines the mode of operation of the automatic control system of the gas turbine engine, the classification into two modes of operation is set transient and transient, is implemented on the basis of the derivative of the high-pressure rotor speed, the signal from the output of the minimum value selector and their comparison with the threshold values, a block that builds technological time series additionally evaluates the consistency by the Euclidean distance metric.

Images