Anomaly Detection for the MIL-STD-1553B Multiplex Data Bus Using an LSTM Autoencoder

Cited by: 0
Authors
Harlow, Alec [1]
Lachine, Brian [1]
Roberge, Vincent [1]
Affiliations
[1] Royal Mil Coll Canada, Kingston, ON, Canada
Source
PROCEEDINGS OF THE 19TH INTERNATIONAL CONFERENCE ON CYBER WARFARE AND SECURITY, ICCWS 2024 | 2024 / Vol. 19
Keywords
MIL-STD-1553B; Anomaly Detection; Deep Learning; LSTM Autoencoder; Aviation Cybersecurity
DOI
Not available
Chinese Library Classification
TP [Automation Technology, Computer Technology]
Discipline Classification Code
0812
Abstract
Due to the modernization of commercial and military aircraft, real-time systems and their connectivity to ground-based networks, including the Internet, that were thought to be "air-gapped", are becoming more susceptible to cyber-attack. Most real-time systems that communicate using the Military Standard 1553B Multiplex data bus (MIL-STD-1553B) protocol do not have the ability to detect cyber-attacks. These systems were originally developed with safety and redundancy in mind, not security. These two factors introduce attack vectors to MIL-STD-1553B communication buses and expose associated avionics systems to exploitation. Recent approaches to anomaly detection for the MIL-STD-1553B data bus have leveraged statistical analysis, Markov Chain modelling, remote terminal fingerprinting and signature-based detection. However, their comparative effectiveness is unknown. Regarding the statistical analysis technique, the lack of accuracy and precision in detecting the start and stop time of anomalous events is not ideal for conducting investigations due to the sheer volume of messages still required to be manually analysed. Deep learning techniques offer an effective means of anomaly detection, and applying these techniques to the MIL-STD-1553B data bus could provide more accurate and precise detection times when anomalies or attacks are present, when compared to known statistical analysis, leading to more efficient forensic investigations of anomalous events. The aim of this research is to improve the time-related performance metrics when detecting attacks on the MIL-STD-1553B data bus traffic using a Long Short-Term Memory (LSTM) autoencoder. In order to accomplish this aim, an LSTM autoencoder detector was developed and tested on two separate datasets from different MIL-STD-1553B network architectures, totalling 15 threat instances over 5 scenarios. The detector was then compared to the MIL-STD-1553B Anomaly-Based Intrusion Detection System (MAIDENS) detector, a statistical-based intrusion detection system. The LSTM autoencoder detected every threat instance with no false positive or false negative results and significantly improved the time-related performance metrics when compared to the MAIDENS detector. The results demonstrated this deep learning technique as an effective method for identifying anomalies on a MIL-STD-1553B data bus and significantly reducing the overall number of frames to be analysed during the investigation of identified anomalies.
Pages: 103-111
Page count: 9