Anomaly detection of aviation data bus based on SAE and IMD

To detect remote terminal (RT) spoofing attacks on MIL-STD-1553B data bus and prevent the network paralysis of integrated avionics system (IAS) caused by misjudgment, an anomaly detection method of aviation data bus based on the combination of sparse autoencoder (SAE) and integrated mahalanobis distance (IMD) is proposed. Aiming at the communication traffic training set with only normal data, an unsupervised learning algorithm SAE is used to train a model that only represents normal behavior. To combine the feature information of each layer within SAE, the IMD, which can measure the similarity between data characteristics, is used to obtain the anomaly score of test data, and the comprehensive anomaly score (CAS) is obtained by considering the reconstruction error between SAE input and output. To solve the problem that data distribution and detection requirements were not considered in a single threshold, a heuristic multi-threshold selection method is proposed, which maximizes the performance of the classifier by considering the accuracy, youden index (YI), and F1. The experimental results demonstrate the effectiveness and feasibility of the method.