Anomaly Based Intrusion Detection for an Avionic Embedded System 2018-01-1941
The threat surface of an aircraft has always been very reduced thanks to strong safety requirements, design isolation of critical cockpit functions, and limited connectivity. The fault-tolerant hardware platforms were mainly dedicated for each avionic function, with specific operating systems, preventing them from standard malware attacks. However, the trend nowadays is to make aircraft systems connected and less expensive, for example by providing the capacity to update the weather data in flight or by installing several functions with multiple levels of criticality on the same platform, increasing the threat surface.
Considering these recent evolutions and the increasing malicious threats targeting embedded systems, what would happen if a function is maliciously modified to exploit a vulnerability of the hardware platform? What about the impact of an insider attack breaking the organizational security measures to insert a malicious function on-board?
Various solutions can be investigated to provide enhanced protection against these types of threats. Intrusion detection techniques are well suited to cope with such threats, providing hardware platforms the capacity to detect malicious behaviors at runtime, potential attacks exploiting unknown vulnerabilities, or vulnerabilities introduced during the exploitation or the maintenance phases.
This paper firstly describes the challenges raised by the introduction of such techniques in avionics systems. In particular, we discuss the specificities of such systems and the advantages and limitations of signature-based and anomaly-based techniques in an avionics context. Based on this analysis, a framework is proposed to integrate a Host-based Intrusion Detection System (HIDS) in the general Integrated Modular Avionics (IMA) development process which fits avionics systems constraints.
The proposed HIDS architecture is composed of three modules : anomaly detection, attack confirmation, and alert sending. To demonstrate the efficiency of this HIDS, an attack injection module has also been developed. The overall approach is implemented on an IMA platform running a cockpit display function, to be representative of embedded avionics systems. This testbench will help validating this avionic HIDS as a proof of concept.
Alienor Damien, Marc Fumey, Eric Alata, Mohamed Kaâniche, Vincent Nicomette