CN118432937A - Method and system for protecting information safety of civil airliner - Google Patents

Publication number
CN118432937A
Authority
CN
China
Prior art keywords
communication data
intrusion behavior
data packet
airborne communication
airborne
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202410762972.8A
Other languages
Chinese (zh)
Other versions
CN118432937B (en)
Inventor
邹松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Xunsheng Electronic Technology Co ltd
Original Assignee
Chengdu Xunsheng Electronic Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Xunsheng Electronic Technology Co ltd
Priority to CN202410762972.8A
Publication of CN118432937A
Application granted
Publication of CN118432937B
Active
Anticipated expiration

Abstract

The application provides a method and system for protecting the onboard information security of a civil airliner. A first intrusion behavior characterization vector, corresponding to a first airborne communication data packet and a plurality of candidate intrusion behavior data classifications, and a second intrusion behavior characterization vector are obtained, and intrusion behavior data classification inference is performed on the basis of both vectors to determine the intrusion behavior data classification. During this inference, the intrusion behavior type of the first airborne communication data packet is determined from both the correlation between the packet and the intrusion behavior data classifications and the correlation between the packet and its approximate data packets. When the number of samples is insufficient and an intrusion behavior data classification is absent from the debugging samples of the intrusion detection algorithm, the algorithm can still infer the support coefficient of the first airborne communication data packet for that classification by using the packet's approximate data packets as extension information, which increases the accuracy of the classification inference.

Description

Translated from Chinese
A method and system for protecting information security on board a civil aircraft

Technical Field

The present application relates to the field of data processing, and more specifically to a method and system for protecting the onboard information security of a civil passenger aircraft.

Background

With the rapid development of information technology, modern civil airliners rely increasingly on onboard network systems to provide functions and services. This also exposes aircraft to potential cybersecurity threats. Because the aircraft's internal network is connected to ground networks and the Internet, risks such as hacker intrusion, malware infection and data leakage become possible. Such attacks may seriously affect the safety, reliability and operability of the aircraft and endanger the lives of passengers and crew. To deal with these threats, the aviation industry has formulated regulations and standards, such as the guidelines and requirements of the Joint Avionics Association (ARINC), the International Civil Aviation Organization (ICAO) and the European Aviation Safety Agency (EASA). In line with these requirements, a series of measures is taken to protect the aircraft's onboard network. Firewalls and intrusion detection systems (that is, the airborne network security protection system) are deployed in the aircraft's internal network. These systems monitor network traffic, detect potential attack behavior in time, and prevent it from intruding further into aircraft systems. Combining artificial intelligence algorithms with intrusion detection systems to detect intrusions in network traffic has become a trend, and ensuring that the AI algorithm detects intrusion behavior accurately is the direction in which such algorithms continue to be optimized.

Summary of the Invention

The purpose of this application is to provide a method and system for protecting the onboard information security of a civil passenger aircraft, so as to ensure accurate detection of intrusion behavior.

Other features and advantages of the present application will become apparent from the following detailed description, or may be learned in part by practice of the present application.

According to one aspect of an embodiment of the present application, a method for protecting the onboard information security of a civil passenger aircraft is provided. The method is applied to an airborne network security protection system and includes:

Acquiring a first airborne communication data packet and a plurality of candidate intrusion behavior data classifications, wherein the first airborne communication data packet is a communication data packet whose intrusion behavior type is to be determined among the plurality of candidate intrusion behavior data classifications;

Acquiring second airborne communication data packets corresponding to each of the plurality of candidate intrusion behavior data classifications, wherein a commonality measurement result between the second airborne communication data packet and the first airborne communication data packet satisfies a preset measurement condition;

Mining a first intrusion behavior characterization vector corresponding to the first airborne communication data packet and the plurality of candidate intrusion behavior data classifications, wherein the first intrusion behavior characterization vector characterizes the correlation between each of the plurality of candidate intrusion behavior data classifications and the first airborne communication data packet;

Mining a second intrusion behavior characterization vector corresponding to the first airborne communication data packet and a plurality of second airborne communication data packets, wherein the second intrusion behavior characterization vector characterizes the correlation between each of the plurality of second airborne communication data packets and the first airborne communication data packet;

Performing intrusion behavior data classification inference based on the first intrusion behavior characterization vector and the second intrusion behavior characterization vector, and determining, from the plurality of candidate intrusion behavior data classifications, a first intrusion behavior data classification corresponding to the first airborne communication data packet, wherein the first intrusion behavior data classification represents the intrusion behavior type corresponding to the first airborne communication data packet.

In some possible designs, performing intrusion behavior data classification inference based on the first intrusion behavior characterization vector and the second intrusion behavior characterization vector, and determining the first intrusion behavior data classification corresponding to the first airborne communication data packet from the plurality of candidate intrusion behavior data classifications, includes:

Performing intrusion behavior data classification inference on the first intrusion behavior characterization vector with a first intrusion behavior mapping operator in an intrusion behavior detection algorithm, to obtain a first support coefficient for each of the plurality of candidate intrusion behavior data classifications;

Performing intrusion behavior data classification inference on the second intrusion behavior characterization vector with a second intrusion behavior mapping operator in the intrusion behavior detection algorithm, to obtain a second support coefficient for each of the plurality of candidate intrusion behavior data classifications;

Integrating the first support coefficient and the second support coefficient to obtain a classification support coefficient for each of the plurality of candidate intrusion behavior data classifications;

Determining, according to the classification support coefficients of the plurality of candidate intrusion behavior data classifications, the first intrusion behavior data classification corresponding to the first airborne communication data packet from the plurality of candidate intrusion behavior data classifications.

In some possible designs, integrating the first support coefficient and the second support coefficient to obtain the classification support coefficient for each of the plurality of candidate intrusion behavior data classifications includes:

Determining a plurality of airborne communication data packet learning samples contained in the learning sample set of the intrusion behavior detection algorithm, wherein the intrusion behavior data classifications of these learning samples belong to one or more of the plurality of candidate intrusion behavior data classifications;

Obtaining a first number, being the number of airborne communication data packet learning samples corresponding to each of the plurality of candidate intrusion behavior data classifications;

Determining, according to the first number, a first influence factor corresponding to the first support coefficient and a second influence factor corresponding to the second support coefficient, wherein the first number is positively correlated with the first influence factor and negatively correlated with the second influence factor;

Integrating the first support coefficient and the second support coefficient according to the first influence factor and the second influence factor, to obtain the classification support coefficient for each of the plurality of candidate intrusion behavior data classifications.
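The sample-count-weighted integration described above, as an added example that is not code from the patent. The weighting form `n / (n + k)`, the constant `k`, the class names and all coefficient values are assumptions constructed for illustration; the patent only requires that the first influence factor rise and the second fall as the per-class sample count grows.

```python
"""Added illustration: integrate two per-class support coefficients using
influence factors derived from the per-class learning-sample count."""
from collections import Counter


def influence_factors(n_samples, k=20.0):
    """Return (first_factor, second_factor) for one candidate classification.

    Assumed form: first = n / (n + k), second = k / (n + k). The first factor
    grows with the sample count and the second shrinks, as the text requires.
    """
    if n_samples < 0:
        raise ValueError("sample count cannot be negative")
    first = n_samples / (n_samples + k)
    return first, 1.0 - first


def integrate(first_support, second_support, learning_labels, k=20.0):
    """Combine both support coefficients into one classification support
    coefficient per candidate classification."""
    counts = Counter(learning_labels)  # the "first number" per classification
    fused = {}
    for cls, s1 in first_support.items():
        if cls not in second_support:
            raise KeyError(f"no second support coefficient for {cls!r}")
        w1, w2 = influence_factors(counts.get(cls, 0), k)
        fused[cls] = w1 * s1 + w2 * second_support[cls]
    return fused


def classify(first_support, second_support, learning_labels, k=20.0):
    """Return (winning classification, fused coefficients)."""
    fused = integrate(first_support, second_support, learning_labels, k)
    return max(fused, key=fused.get), fused


# Constructed sample data. "spoofed_command" has no learning samples at all,
# so the classifier-side coefficient for it is unreliable (here: very low),
# while the neighbour-side coefficient for it is high.
LEARNING_LABELS = ["port_scan"] * 180 + ["dos_flood"] * 60
FIRST_SUPPORT = {"port_scan": 0.55, "dos_flood": 0.30, "spoofed_command": 0.05}
SECOND_SUPPORT = {"port_scan": 0.20, "dos_flood": 0.15, "spoofed_command": 0.90}

if __name__ == "__main__":
    winner, fused = classify(FIRST_SUPPORT, SECOND_SUPPORT, LEARNING_LABELS)
    print("first coefficient alone:", max(FIRST_SUPPORT, key=FIRST_SUPPORT.get))
    print("after integration      :", winner)
    for cls, value in fused.items():
        print(f"  {cls:16s} {value:.4f}")
```

With these constructed values the first support coefficient alone selects `port_scan`, while the integrated coefficient selects the classification that had no learning samples, which is the case the design is meant to cover.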

In some possible designs, the plurality of candidate intrusion behavior data classifications includes a first candidate intrusion behavior data classification, and acquiring the second airborne communication data packets corresponding to each of the plurality of candidate intrusion behavior data classifications includes:

Acquiring a plurality of candidate airborne communication data packets corresponding to the first candidate intrusion behavior data classification;

Determining the communication data packet commonality measurement result between each of the plurality of candidate airborne communication data packets and the first airborne communication data packet, and determining the p candidate airborne communication data packets with the largest commonality measurement results as the second airborne communication data packets corresponding to the first candidate intrusion behavior data classification, where p≥1.

In some possible designs, determining the communication data packet commonality measurement result between each of the plurality of candidate airborne communication data packets and the first airborne communication data packet, and determining the p candidate airborne communication data packets with the largest commonality measurement results as the second airborne communication data packets corresponding to the first candidate intrusion behavior data classification, includes:

Acquiring a plurality of component data clusters corresponding to the first airborne communication data packet, and determining a component data cluster correlation for each of the plurality of candidate airborne communication data packets, wherein the component data cluster correlation characterizes the correlation between each of the component data clusters and the candidate airborne communication data packet;

Determining, according to the component data cluster correlation, the commonality measurement result for each of the plurality of candidate airborne communication data packets;

Taking the p candidate airborne communication data packets with the largest commonality measurement results with respect to the first airborne communication data packet as the second airborne communication data packets corresponding to the first candidate intrusion behavior data classification.

In some possible designs, determining the communication data packet commonality measurement result between each of the plurality of candidate airborne communication data packets and the first airborne communication data packet, and determining the p candidate airborne communication data packets with the largest commonality measurement results as the second airborne communication data packets corresponding to the first candidate intrusion behavior data classification, includes:

Acquiring a first data packet characterization vector corresponding to the first airborne communication data packet, and acquiring a candidate data packet characterization vector for each of the plurality of candidate airborne communication data packets;

Dividing, based on a preset feature clustering strategy, the feature domain in which the candidate data packet characterization vectors lie into a plurality of sub-feature domains, each of which has a corresponding cluster representative characterization vector;

Determining the spatial similarity between each of the cluster representative characterization vectors and the first data packet characterization vector;

Obtaining the u cluster representative characterization vectors with the largest spatial similarity to the first data packet characterization vector, where u≥1;

Determining the spatial similarity between the first data packet characterization vector and the candidate data packet characterization vectors in the u sub-feature domains corresponding to the u cluster representative characterization vectors;

Determining, as the second airborne communication data packets, the candidate airborne communication data packets corresponding to the p candidate data packet characterization vectors that, among those in the u sub-feature domains, have the largest spatial similarity to the first data packet characterization vector.
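The coarse-to-fine search described above (sub-feature domains, the u best cluster representatives, then the p best candidates), as an added example that is not code from the patent. Cosine similarity as the "spatial similarity", the k-means-style clustering strategy, and all packet ids and vectors are assumptions constructed for illustration.

```python
"""Added illustration: retrieve the p most similar candidate packet vectors
by searching only the u most promising sub-feature domains."""
import math


def cosine(a, b):
    """Spatial similarity between two vectors (assumed: cosine similarity)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def mean(vectors):
    n = len(vectors)
    return tuple(sum(col) / n for col in zip(*vectors))


def build_subdomains(candidates, k, rounds=10):
    """Partition {packet_id: vector} into at most k sub-feature domains.

    Assumed clustering strategy: k-means-style refinement on cosine
    similarity, seeded with evenly spaced candidates so runs are repeatable.
    Returns a list of (representative_vector, [packet_ids]).
    """
    ids = list(candidates)
    reps = [candidates[ids[i * len(ids) // k]] for i in range(k)]
    members = [[] for _ in range(k)]
    for _ in range(rounds):
        members = [[] for _ in range(k)]
        for pid in ids:
            best = max(range(k), key=lambda j: cosine(candidates[pid], reps[j]))
            members[best].append(pid)
        new_reps = [mean([candidates[p] for p in m]) if m else reps[j]
                    for j, m in enumerate(members)]
        if new_reps == reps:  # assignments are stable
            break
        reps = new_reps
    return [(reps[j], members[j]) for j in range(k) if members[j]]


def retrieve(query, subdomains, candidates, u, p):
    """Ids of the p candidates most similar to `query`, searching only the u
    sub-domains whose representatives are most similar to it."""
    if u < 1 or p < 1:
        raise ValueError("u and p must be >= 1")
    ranked = sorted(subdomains, key=lambda sd: cosine(query, sd[0]), reverse=True)
    pool = [pid for _, ids in ranked[:u] for pid in ids]
    pool.sort(key=lambda pid: cosine(query, candidates[pid]), reverse=True)
    return pool[:p]


def exact_top_p(query, candidates, p):
    """Brute-force reference: compare the query with every candidate."""
    return sorted(candidates, key=lambda pid: cosine(query, candidates[pid]),
                  reverse=True)[:p]


# Constructed 2-D characterization vectors for one candidate classification.
CANDIDATES = {
    "pkt-0": (1.0, 0.1), "pkt-1": (0.9, 0.2), "pkt-2": (1.0, 0.0),
    "pkt-3": (0.1, 1.0), "pkt-4": (0.2, 0.9), "pkt-5": (0.0, 1.0),
    "pkt-6": (1.0, 1.0), "pkt-7": (0.9, 1.1), "pkt-8": (1.1, 0.9),
}
QUERY_CLEAR = (1.0, 0.15)     # sits well inside one sub-feature domain
QUERY_BOUNDARY = (1.0, 0.5)   # sits between two sub-feature domains

if __name__ == "__main__":
    domains = build_subdomains(CANDIDATES, k=3)
    print("u=1 clear   :", retrieve(QUERY_CLEAR, domains, CANDIDATES, 1, 2))
    print("u=1 boundary:", retrieve(QUERY_BOUNDARY, domains, CANDIDATES, 1, 2))
    print("u=2 boundary:", retrieve(QUERY_BOUNDARY, domains, CANDIDATES, 2, 2))
    print("exact       :", exact_top_p(QUERY_BOUNDARY, CANDIDATES, 2))
```

For the boundary query, u=1 misses a closer packet that lies in the neighbouring sub-feature domain, and u=2 matches the brute-force result; u therefore trades search cost against the chance of feeding a weaker neighbour into the second characterization vector.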

In some possible designs, mining the second intrusion behavior characterization vector corresponding to the first airborne communication data packet and the plurality of second airborne communication data packets includes:

Performing data combination processing on the first airborne communication data packet with each of the plurality of candidate intrusion behavior data classifications, to obtain a plurality of first combined communication data;

Mining, with a first feature embedding operator in the intrusion behavior detection algorithm, a first intrusion behavior sub-characterization vector for each of the plurality of first combined communication data, and taking the plurality of first intrusion behavior sub-characterization vectors as the first intrusion behavior characterization vector, wherein one first intrusion behavior sub-characterization vector characterizes the correlation between one candidate intrusion behavior data classification and the first airborne communication data packet.

In some possible designs, mining the second intrusion behavior characterization vector corresponding to the first airborne communication data packet and the plurality of second airborne communication data packets includes:

Performing data combination processing on the first airborne communication data packet with each of the plurality of second airborne communication data packets, to obtain a plurality of second combined communication data;

Mining, with a second feature embedding operator in the intrusion behavior detection algorithm, a second intrusion behavior sub-characterization vector for each of the plurality of second combined communication data, and taking the plurality of second intrusion behavior sub-characterization vectors as the second intrusion behavior characterization vector, wherein one second intrusion behavior sub-characterization vector characterizes the correlation between one second airborne communication data packet and the first airborne communication data packet.

According to another aspect of an embodiment of the present application, a security protection device is provided, comprising:

A target data acquisition module, configured to acquire a first airborne communication data packet and a plurality of candidate intrusion behavior data classifications, wherein the first airborne communication data packet is a communication data packet whose intrusion behavior type is to be determined among the plurality of candidate intrusion behavior data classifications;

A reference data acquisition module, configured to acquire second airborne communication data packets corresponding to each of the plurality of candidate intrusion behavior data classifications, wherein a commonality measurement result between the second airborne communication data packet and the first airborne communication data packet satisfies a preset measurement condition;

A first feature mining module, configured to mine a first intrusion behavior characterization vector corresponding to the first airborne communication data packet and the plurality of candidate intrusion behavior data classifications, wherein the first intrusion behavior characterization vector characterizes the correlation between each of the plurality of candidate intrusion behavior data classifications and the first airborne communication data packet;

A second feature mining module, configured to mine a second intrusion behavior characterization vector corresponding to the first airborne communication data packet and a plurality of second airborne communication data packets, wherein the second intrusion behavior characterization vector characterizes the correlation between each of the plurality of second airborne communication data packets and the first airborne communication data packet;

An intrusion behavior classification module, configured to perform intrusion behavior data classification inference based on the first intrusion behavior characterization vector and the second intrusion behavior characterization vector, and to determine, from the plurality of candidate intrusion behavior data classifications, a first intrusion behavior data classification corresponding to the first airborne communication data packet, wherein the first intrusion behavior data classification represents the intrusion behavior type corresponding to the first airborne communication data packet.

According to yet another aspect of an embodiment of the present application, an airborne network security protection system is provided, comprising:

A processor;

And a memory for storing executable instructions of the processor;

Wherein the processor is configured to perform the method described above by executing the executable instructions.

The beneficial effects of this application are:

The method and system for protecting the onboard information security of a civil passenger aircraft provided by the embodiments of the present application mine a first intrusion behavior characterization vector corresponding to a first airborne communication data packet and a plurality of candidate intrusion behavior data classifications, mine a second intrusion behavior characterization vector corresponding to the first airborne communication data packet and a plurality of second airborne communication data packets (the approximate data packets of the first airborne communication data packet under each candidate intrusion behavior data classification), and perform intrusion behavior data classification inference on the first airborne communication data packet based on both vectors to determine its intrusion behavior data classification. During this inference, the intrusion behavior type of the first airborne communication data packet is determined jointly from the correlation between the packet and the intrusion behavior data classifications and the correlation between the packet and its approximate data packets. For an intrusion behavior detection algorithm debugged with an insufficient number of samples, if an intrusion behavior data classification is not among the algorithm's debugging samples, the algorithm can infer the support coefficient of the first airborne communication data packet for that classification by using the packet's approximate data packets as extended information, which increases the accuracy of intrusion behavior data classification inference for airborne communication data packets.

It should be understood that the foregoing general description and the following detailed description are exemplary and explanatory only and do not limit the present application.

Brief Description of the Drawings

The drawings herein are incorporated into and constitute a part of this specification, illustrate embodiments consistent with the present application, and together with the specification serve to explain the principles of the present application. The drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a flow chart of a method for protecting the onboard information security of a civil passenger aircraft provided in an embodiment of the present application.

FIG. 2 is a schematic diagram of the functional module architecture of the security protection device provided in an embodiment of the present application.

FIG. 3 is a schematic diagram of the composition of an airborne network security protection system provided in an embodiment of the present application.

Detailed Description

Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments can, however, be implemented in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this application will be thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art.

In addition, the described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, many specific details are provided to give a full understanding of the embodiments of the present application. Those skilled in the art will appreciate, however, that the technical solution of the present application can be practiced without one or more of the specific details, or with other methods, components, devices, steps and so on. In other cases, well-known methods, devices, implementations or operations are not shown or described in detail, to avoid obscuring aspects of the present application.

The block diagrams shown in the accompanying drawings are merely functional entities and do not necessarily correspond to physically independent entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.

The flowcharts shown in the accompanying drawings are only illustrative; they need not include all of the content and operations/steps, nor must they be executed in the order described. For example, some operations/steps can be split and others can be combined or partially combined, so the actual order of execution may change according to the situation.

请参照图1,本申请实施例提供的民用客机机载信息安全防护方法包括以下步骤:Referring to FIG. 1 , the civil aircraft airborne information security protection method provided in the embodiment of the present application includes the following steps:

步骤S110,获取第一机载通信数据包和多个备选入侵行为数据分类。Step S110, obtaining a first airborne communication data packet and a plurality of candidate intrusion behavior data classifications.

本申请实施例中,第一机载通信数据包是拟在多个备选入侵行为数据分类中确定入侵行为类型的通信数据包。作为一种实施方式,第一机载通信数据包是对飞机(民用客机)的机载网络进行监听采集(可以理解,该过程是在法律法规允许范围内进行的,且在网络使用前经过了乘客允许默认)得到的数据流。其中可以包括协议类型、源IP地址、目标IP地址、端口号、服务类型等数据,可以理解,为了便于本申请后续的机器学习网络对数据进行处理,本申请实施例可以对这些数据中不能直接处理的数据(如离散数据)转换为计算机可以识别的数值数据(例如二进制数据),具体可以采用独热编码(One-Hot Encoding)处理分类特征,然后对编码后的数据进行归一化处理,以确保不同特征之间的数值范围一致。这可以使用各种归一化方法,如最大-最小缩放、Z-score标准化等。基于此,得到处理后的机载通信数据包。In the embodiment of the present application, the first airborne communication data packet is a communication data packet intended to determine the type of intrusion behavior in multiple candidate intrusion behavior data classifications. As an implementation method, the first airborne communication data packet is a data stream obtained by monitoring and collecting the airborne network of the aircraft (civilian passenger aircraft) (it can be understood that the process is carried out within the scope permitted by laws and regulations, and the passengers have allowed the default before the network is used). It can include data such as protocol type, source IP address, target IP address, port number, service type, etc. It can be understood that in order to facilitate the subsequent machine learning network of this application to process the data, the embodiment of the present application can convert the data that cannot be directly processed (such as discrete data) in these data into numerical data (such as binary data) that can be recognized by the computer. Specifically, the classification features can be processed by one-hot encoding (One-Hot Encoding), and then the encoded data is normalized to ensure that the numerical ranges between different features are consistent. This can use various normalization methods, such as maximum-minimum scaling, Z-score standardization, etc. Based on this, the processed airborne communication data packet is obtained.

In one implementation, the plurality of candidate intrusion behavior data classifications are a plurality of preset intrusion behavior data classifications. Each candidate intrusion behavior data classification contains the communication data corresponding to one intrusion behavior. Accordingly, the plurality of candidate intrusion behavior data classifications are obtained together with the intrusion communication data corresponding to each of them.

Step S120: obtain the second airborne communication data packets corresponding to each of the plurality of candidate intrusion behavior data classifications.

The commonality measurement result between the first airborne communication data packet and a second airborne communication data packet satisfies a preset measurement condition. In one implementation, the second airborne communication data packets corresponding to each of the candidate intrusion behavior data classifications are obtained from an airborne network communication database, which is stored in the airborne network protection system. The database stores a plurality of candidate airborne communication data packets corresponding to the plurality of candidate intrusion behavior data classifications, and these stored candidate packets are airborne communication data packets on which intrusion behavior identification has already been performed.

In one implementation, a second airborne communication data packet may comprise one or more communication data packets. Optionally, each of the candidate intrusion behavior data classifications corresponds to a plurality of candidate airborne communication data packets. The candidate classifications include a first candidate intrusion behavior data classification, and the second airborne communication data packet is determined, from the candidate airborne communication data packets corresponding to the first candidate classification, as the packet or packets whose commonality measurement result with the first airborne communication data packet satisfies the condition.

In one implementation, the plurality of candidate airborne communication data packets corresponding to the first candidate intrusion behavior data classification are obtained; the communication data packet commonality measurement result between each candidate airborne communication data packet and the first airborne communication data packet is determined; and the p candidate airborne communication data packets with the largest commonality measurement results with respect to the first airborne communication data packet are determined as the second airborne communication data packets, where p≥1.

In one implementation, the commonality measurement result of data packets expresses how similar two airborne communication data packets are, and it can be determined by a spatial similarity calculation, that is, an algorithm that evaluates feature similarity from the distance between two vectors in the feature space. Specifically, the data packet characterization vector of each packet (a vector representing the features of the communication data packet) is obtained, and the spatial similarity between the characterization vectors is calculated to give the commonality measurement result between the packets. The smaller the distance between the characterization vectors, the greater the spatial similarity and the greater the commonality measurement result. In one implementation, the spatial similarity can be obtained from the Euclidean distance or from another distance measure.
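The following added example (not code from the patent) walks through steps S110 and S120 on constructed data: one-hot encoding plus min-max scaling of packet fields, then selection of the p most similar stored packets per candidate classification using Euclidean distance. The field names, class labels, sample packets and the mapping from distance to similarity, 1 / (1 + d), are assumptions; the patent only requires that a smaller distance gives a larger similarity.

```python
import math

# Assumed feature schema; the patent lists protocol type, addresses, port and service type.
CATEGORICAL = {"protocol": ["tcp", "udp", "icmp"], "service": ["http", "dns", "other"]}
NUMERIC = ["dst_port", "length"]

# Constructed stand-in for the airborne network communication database:
# packets already labelled with an intrusion behavior data classification.
DATABASE = {
    "port_scan": [
        {"id": "ps-1", "protocol": "tcp", "service": "other", "dst_port": 22, "length": 60},
        {"id": "ps-2", "protocol": "tcp", "service": "other", "dst_port": 8080, "length": 60},
    ],
    "dns_tunnel": [
        {"id": "dt-1", "protocol": "udp", "service": "dns", "dst_port": 53, "length": 480},
        {"id": "dt-2", "protocol": "udp", "service": "dns", "dst_port": 53, "length": 120},
    ],
}
# Constructed "first airborne communication data packet" to be classified.
FIRST = {"id": "new", "protocol": "udp", "service": "dns", "dst_port": 53, "length": 450}


def fit_min_max(database):
    """Learn per-feature (min, max) bounds from every stored packet."""
    packets = [pk for group in database.values() for pk in group]
    return {f: (min(pk[f] for pk in packets), max(pk[f] for pk in packets)) for f in NUMERIC}


def encode(record, bounds):
    """One-hot encode categorical fields, min-max scale numeric fields into [0, 1]."""
    vec = []
    for field, values in CATEGORICAL.items():
        # A value outside the known vocabulary encodes as all zeros.
        vec.extend(1.0 if record[field] == v else 0.0 for v in values)
    for f in NUMERIC:
        lo, hi = bounds[f]
        scaled = 0.0 if hi == lo else (record[f] - lo) / (hi - lo)
        vec.append(min(1.0, max(0.0, scaled)))  # clamp values outside the fitted range
    return vec


def similarity(a, b):
    """Commonality measure: larger when the Euclidean distance is smaller (assumed mapping)."""
    return 1.0 / (1.0 + math.dist(a, b))


def top_p_per_class(first, database, p=1):
    """For each candidate classification, return the p stored packets most similar to `first`."""
    bounds = fit_min_max(database)
    query = encode(first, bounds)
    selected = {}
    for label, packets in database.items():
        scored = [(similarity(query, encode(pk, bounds)), pk["id"]) for pk in packets]
        scored.sort(key=lambda item: item[0], reverse=True)
        selected[label] = scored[:p]
    return selected


if __name__ == "__main__":
    for label, hits in top_p_per_class(FIRST, DATABASE, p=1).items():
        print(label, [(pid, round(score, 3)) for score, pid in hits])
```

Every candidate classification contributes its own nearest packets, including classifications the query does not resemble; the similarity score itself carries that difference forward.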

Step S130: extract a first intrusion behavior characterization vector corresponding to the first airborne communication data packet and the plurality of candidate intrusion behavior data classifications.

The first intrusion behavior characterization vector characterizes the correlation between each of the candidate intrusion behavior data classifications and the first airborne communication data packet. In one implementation, the first airborne communication data packet is combined with each of the candidate intrusion behavior data classifications to obtain a plurality of first combined communication data. The first feature embedding operator of the intrusion behavior detection algorithm then extracts a first intrusion behavior sub-characterization vector for each first combined communication data, and the plurality of first intrusion behavior sub-characterization vectors together serve as the first intrusion behavior characterization vector. Each first intrusion behavior sub-characterization vector characterizes the correlation between one candidate intrusion behavior data classification and the first airborne communication data packet.

In one implementation, the intrusion behavior detection algorithm includes a first feature embedding operator, which contains a first low-dimensional mapping network (that is, an embedding network) and a first attention network. The first low-dimensional mapping network maps the plurality of first combined communication data to a low-dimensional space, which completes the encoding and yields a plurality of first encoding vectors. These first encoding vectors are then input into the first attention network, and the first encoding sub-vector corresponding to each first encoding vector is extracted according to the attention strategy of the first attention network.

For example, a first encoding vector includes a data cluster characterization vector for each constituent data cluster, obtained by adding the constituent encoding vector of the constituent data cluster to the position encoding vector of that cluster's position. The resulting constituent data cluster characterization array is input into the first attention network to obtain the first encoding sub-vector. The constituent data cluster characterization array is a two-dimensional array in which each row is the data cluster characterization vector of one constituent data cluster.

Step S140: extract a second intrusion behavior characterization vector corresponding to the first airborne communication data packet and the plurality of second airborne communication data packets.

The second intrusion behavior characterization vector characterizes the correlation between each of the second airborne communication data packets and the first airborne communication data packet. In one implementation, the first airborne communication data packet is combined with each of the second airborne communication data packets to obtain a plurality of second combined communication data. The second feature embedding operator of the intrusion behavior detection algorithm then extracts a second intrusion behavior sub-characterization vector for each second combined communication data, and the plurality of second intrusion behavior sub-characterization vectors together serve as the second intrusion behavior characterization vector. Each second intrusion behavior sub-characterization vector characterizes the correlation between one second airborne communication data packet and the first airborne communication data packet.

In one implementation, the intrusion behavior detection algorithm also includes a second feature embedding operator, which contains a second low-dimensional mapping network and a second attention network. The second low-dimensional mapping network maps the plurality of second combined communication data to a low-dimensional space, which completes the encoding and yields a plurality of second encoding vectors.

The first attention network and the second attention network are different attention networks, and the first low-dimensional mapping network and the second low-dimensional mapping network are different low-dimensional mapping networks.

In one implementation, for the first candidate intrusion behavior data classification, if the second airborne communication data packet contains multiple airborne communication data packets, the first airborne communication data packet is combined with those packets in order to obtain the second combined communication data. After the plurality of second encoding vectors are obtained, they are input into the second attention network, and the second encoding sub-vector corresponding to each second encoding vector is extracted according to the attention strategy of the second attention network. For details, refer to the process of obtaining the first encoding sub-vector.

Step S150: perform intrusion behavior data classification inference based on the first intrusion behavior characterization vector and the second intrusion behavior characterization vector, and determine, from the plurality of candidate intrusion behavior data classifications, the first intrusion behavior data classification corresponding to the first airborne communication data packet.

The first intrusion behavior data classification can represent the intrusion behavior type of the first airborne communication data packet. The first intrusion behavior mapping operator of the intrusion behavior detection algorithm performs classification inference on the first intrusion behavior characterization vector to obtain a first support coefficient for each candidate intrusion behavior data classification. The second intrusion behavior mapping operator performs classification inference on the second intrusion behavior characterization vector to obtain a second support coefficient for each candidate intrusion behavior data classification. The first and second support coefficients are then integrated, for example by weighted fusion, to obtain a classification support coefficient for each candidate intrusion behavior data classification. Based on these classification support coefficients, the first intrusion behavior data classification corresponding to the first airborne communication data packet is determined from the candidate intrusion behavior data classifications.

In one implementation, the intrusion behavior detection algorithm includes a first intrusion behavior mapping operator and a second intrusion behavior mapping operator, where the first operator includes a first feedforward neural unit (FFN) and the second operator includes a second feedforward neural unit. The plurality of first intrusion behavior sub-characterization vectors, that is, the first intrusion behavior characterization vector, are input into the first feedforward neural unit, which outputs the first support coefficient for each candidate intrusion behavior data classification. This is the support coefficient for the first airborne communication data packet belonging to each candidate classification, determined from the correlation between the first airborne communication data packet and the candidate classifications. The second intrusion behavior characterization vector is input into the second feedforward neural unit, which outputs the second support coefficient for each candidate intrusion behavior data classification. This is the support coefficient for the first airborne communication data packet belonging to each candidate classification, determined from the correlation between the first airborne communication data packet and the second airborne communication data packets. In this embodiment, a support coefficient can be a probability or a confidence level.

In one implementation, a first influencing factor corresponding to the first support coefficient and a second influencing factor corresponding to the second support coefficient are determined. Based on the two influencing factors, a fusion coefficient of the first and second support coefficients is determined (for example, by calculating a weighted average), and the fusion coefficient is taken as the classification support coefficient. In this embodiment, an influencing factor can be expressed as a weight.

In one implementation, the first and second influencing factors may be determined in advance or obtained through algorithm tuning; an influencing factor is essentially a weight. For example, if both influencing factors are determined in advance and set to 0.5, then for a given candidate intrusion behavior data classification, once its first and second support coefficients have been obtained, their mean is taken as the classification support coefficient of that candidate classification.

Optionally, the first and second influencing factors are determined from the training data of the intrusion behavior detection algorithm. The airborne communication data packet learning samples contained in the learning sample set of the intrusion behavior detection algorithm are determined, where the intrusion behavior data classification of each learning sample is one or more of the candidate intrusion behavior data classifications. A first number is obtained for each candidate classification, namely the number of airborne communication data packet learning samples corresponding to it. The first influencing factor (for the first support coefficient) and the second influencing factor (for the second support coefficient) are determined from the first number: the first number is positively correlated with the first influencing factor and negatively correlated with the second influencing factor. The first and second support coefficients are then integrated according to the two influencing factors to obtain the classification support coefficient for each candidate intrusion behavior data classification. The airborne communication data packet learning samples in the learning sample set are the samples that the intrusion behavior detection algorithm fitted during tuning.

For example, suppose the initial influencing factor of the first support coefficient is 0.5 and the initial influencing factor of the second support coefficient is 0.5. A large first number means that the intrusion behavior detection algorithm has fitted enough samples for that candidate intrusion behavior data classification. On this basis, if the first number falls within a first number range, the influencing factor of the first support coefficient is changed from 0.5 to 0.7, and the influencing factor of the second support coefficient is changed from 0.5 to 0.3.

Adjusting the influencing factors of the first and second support coefficients according to the number of samples fitted for a candidate intrusion behavior data classification mitigates the effect, during inference, of data that is structurally similar but serves a different purpose.

After the classification support coefficients of the candidate intrusion behavior data classifications are obtained, the m candidate classifications with the largest classification support coefficients are taken as the first intrusion behavior data classification, where m≥1.
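The weighted fusion and top-m selection described above can be sketched as follows. This is an added example, not code from the patent: the 0.5/0.5 and 0.7/0.3 weights come from the text, while the threshold of 100 samples, the 0.3/0.7 weights for a classification with no training samples, the class labels and all scores are assumptions chosen to show how sample-count-aware weights change the result.

```python
from typing import Dict, List, Tuple


def influence_factors(sample_count: int, enough: int = 100) -> Tuple[float, float]:
    """Return (first, second) influencing factors for one candidate classification.

    The first factor rises and the second falls as the number of training
    samples grows, as the text requires. Tier boundaries are assumptions.
    """
    if sample_count < 0:
        raise ValueError("sample_count must be non-negative")
    if sample_count == 0:
        return 0.3, 0.7   # assumed: unseen class, lean on the similar-packet branch
    if sample_count < enough:
        return 0.5, 0.5   # initial factors from the text
    return 0.7, 0.3       # adjusted factors from the text


def fuse(first: Dict[str, float], second: Dict[str, float],
         counts: Dict[str, int], m: int = 1,
         adaptive: bool = True) -> List[Tuple[str, float]]:
    """Fuse both support coefficients per class and return the top-m classes."""
    if set(first) != set(second):
        raise ValueError("both branches must score the same candidate classifications")
    if m < 1:
        raise ValueError("m must be at least 1")
    fused = {}
    for label in first:
        if adaptive:
            w1, w2 = influence_factors(counts.get(label, 0))
        else:
            w1, w2 = 0.5, 0.5
        # Weighted average; the weights sum to 1 in every tier.
        fused[label] = w1 * first[label] + w2 * second[label]
    ranked = sorted(fused.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:m]


# Constructed scores. "dns_tunnel" has no training samples, so the first branch
# scores it low while the similar-packet branch scores it high.
FIRST_SUPPORT = {"port_scan": 0.60, "dns_tunnel": 0.15, "replay": 0.25}
SECOND_SUPPORT = {"port_scan": 0.45, "dns_tunnel": 0.85, "replay": 0.30}
TRAINING_COUNTS = {"port_scan": 500, "dns_tunnel": 0, "replay": 40}

if __name__ == "__main__":
    print("fixed 0.5/0.5 :", fuse(FIRST_SUPPORT, SECOND_SUPPORT, TRAINING_COUNTS, adaptive=False))
    print("count-adjusted:", fuse(FIRST_SUPPORT, SECOND_SUPPORT, TRAINING_COUNTS))
```

With fixed equal weights the well-trained class wins narrowly; with count-adjusted weights the class that was missing from training is selected on the strength of its similar stored packets.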

For example, an intrusion behavior data classification set is defined that includes the candidate intrusion behavior data classifications, each of which corresponds to an intrusion behavior data classification label. An airborne communication data packet quantity set includes the candidate airborne communication data packets corresponding to each candidate classification, that is, the airborne communication data packets stored in the airborne network communication database. After classification inference on the most recently acquired airborne communication data packet is complete, the corresponding airborne communication data packet quantity is updated according to the identified intrusion behavior data classification, and the update time is saved.

In one implementation, before the first airborne communication data packet is saved to the airborne network communication database and the database is updated, the candidate airborne communication data packets belonging to the first intrusion behavior data classification can be obtained, and the commonality measurement result between each of them and the first airborne communication data packet is determined. If there is a target candidate airborne communication data packet among them whose commonality measurement result with the first airborne communication data packet is not less than a commonality measurement result threshold, the first airborne communication data packet is not saved to the airborne network communication database. In that case the target candidate airborne communication data packet is taken to be identical to the first airborne communication data packet, so it does not need to be stored again, which reduces noise in the airborne network communication database.

In summary, the civil airliner airborne information security protection method provided in this embodiment extracts a first intrusion behavior characterization vector corresponding to the first airborne communication data packet and the candidate intrusion behavior data classifications, extracts a second intrusion behavior characterization vector corresponding to the first airborne communication data packet and the second airborne communication data packets (the approximate data packets of the first airborne communication data packet under each candidate classification), and performs classification inference on the first airborne communication data packet based on both vectors to determine its intrusion behavior data classification. During this inference, the intrusion behavior type of the first airborne communication data packet is determined jointly from the correlation between the packet and the intrusion behavior data classifications and the correlation between the packet and its approximate data packets. As a result, for an intrusion behavior detection algorithm tuned with an insufficient number of samples, if an intrusion behavior data classification is absent from the tuning samples, the algorithm can still infer the support coefficient of the first airborne communication data packet for that classification by using the approximate data packets of the first airborne communication data packet as extended information, which increases the accuracy of classification inference on airborne communication data packets.

In the method provided in this application, the two inferences are performed separately to ensure the accuracy of the first and second support coefficients. The two coefficients are then fused by weighting to obtain the classification support coefficient, from which the intrusion behavior data classification of the first airborne communication data packet is determined. Adjusting the influence of the two support coefficients on the final result improves the accuracy of intrusion behavior data classification inference.

This application calculates the communication data packet commonality measurement result between the first airborne communication data packet and the candidate airborne communication data packets of each candidate intrusion behavior data classification, and uses it to obtain from the airborne network communication database the approximate data packets of the first airborne communication data packet under each candidate classification. Based on the correlation between an approximate data packet and the first airborne communication data packet, the algorithm can determine the support coefficient for the first airborne communication data packet belonging to the intrusion behavior data classification of that approximate data packet. This overcomes the problem of insufficient classification accuracy for a given intrusion behavior data classification when the number of samples for that classification is insufficient.

This application combines the first airborne communication data packet with each candidate intrusion behavior data classification, extracts the intrusion behavior characterization vector of the combined communication data, and then performs classification inference, which fully exploits the correlation between the first airborne communication data packet and the candidate classifications. It likewise combines the first airborne communication data packet with each second airborne communication data packet, extracts the intrusion behavior characterization vector of the combined communication data, and then performs classification inference, which fully exploits the correlation between the first and second airborne communication data packets. This improves the embedding quality of the algorithm and thereby increases the accuracy of classification inference.

In another embodiment, the method provided in this application includes the following steps:

Step S210: obtain a first airborne communication data packet and a plurality of candidate intrusion behavior data classifications.

The first airborne communication data packet is the communication data packet whose intrusion behavior type is to be determined from among the plurality of candidate intrusion behavior data classifications. In one implementation, the candidate intrusion behavior data classifications are a plurality of intrusion behavior data classifications preset by developers.

Step S220: obtain a plurality of candidate airborne communication data packets from the airborne network communication database.

In one implementation, the airborne network communication database is stored in the airborne network security protection system. It stores a plurality of candidate airborne communication data packets, which are airborne communication data packets on which intrusion behavior detection has already been performed. The candidate airborne communication data packets in the database are divided among the candidate intrusion behavior data classifications, and each candidate classification corresponds to a plurality of candidate airborne communication data packets.

Step S230: obtain the plurality of constituent data clusters of the first airborne communication data packet, and determine the constituent data cluster correlation for each of the candidate airborne communication data packets corresponding to the first candidate intrusion behavior data classification.

The constituent data cluster relevance characterizes the relevance between each of the constituent data clusters and a candidate airborne communication data packet. For example, the first airborne communication data packet can be split into constituent data clusters; a constituent data cluster is a data unit of the airborne communication data packet and includes at least one data item. After the constituent data clusters are obtained, for a specified candidate airborne communication data packet, the occurrence rate of each constituent data cluster in that packet is determined, the data packet capacity of that packet is determined, and the average capacity of the plurality of candidate airborne communication data packets is determined. The relevance between each constituent data cluster and the specified candidate airborne communication data packet is then determined from the occurrence rate, the data packet capacity and the average capacity.

Step S240: determine, according to the constituent data cluster relevance, the commonality measurement result corresponding to each of the plurality of candidate airborne communication data packets.

The commonality measurement result characterizes the commonality between a candidate airborne communication data packet and the first airborne communication data packet. In one implementation, after the constituent data cluster relevance for each constituent data cluster is determined, the relevance values are fused, for example by weighted summation, and the result is taken as the commonality measurement result between the candidate airborne communication data packet and the first airborne communication data packet. When the relevance values are fused, the influence coefficient (weight) of each constituent data cluster includes one or more of a database influence coefficient and a data packet influence coefficient.

In one implementation, the database influence coefficient characterizes the influence of a constituent data cluster on the entire airborne network communication database. For example, the database influence coefficient can be calculated as:

Wb = log(M/H)

where M is the number of airborne communication data packets contained in the entire airborne network communication database, and H is the number of airborne communication data packets that contain the constituent data cluster.

In one implementation, the data packet influence coefficient characterizes the influence of a constituent data cluster on the first airborne communication data packet. For example, the data packet influence coefficient of each constituent data cluster in the first airborne communication data packet is determined from the occurrence rate of that constituent data cluster in the first airborne communication data packet. The data packet influence coefficient can be calculated as:

Wc = N/K

where N is the number of occurrences of the constituent data cluster in the data packet, and K is the total number of constituent data clusters in the airborne communication data packet.

Step S250: obtain, from the plurality of candidate airborne communication data packets corresponding to the first candidate intrusion behavior data classification, the first candidate airborne communication data packet, namely the one with the largest commonality measurement result with respect to the first airborne communication data packet.

In other words, the p candidate airborne communication data packets with the largest commonality measurement results with respect to the first airborne communication data packet are determined as the second airborne communication data packets corresponding to the first candidate intrusion behavior data classification, and the first candidate airborne communication data packet is one of the second airborne communication data packets.

For example, the first candidate airborne communication data packet, which has the largest commonality measurement result with respect to the first airborne communication data packet among the plurality of candidate airborne communication data packets, is determined as one approximate data packet that, under the first candidate intrusion behavior data classification, meets the commonality measurement result requirement with respect to the first airborne communication data packet.
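Steps S230 to S250 can be followed end to end in the added example below, which is not code from the application. The application names the inputs of the relevance value (occurrence rate, packet capacity, average capacity) but not its formula, so the BM25-style saturation used here, the product Wb × Wc as the weight, the whitespace splitting into clusters, and all field names and class labels are assumptions.

```python
import math

# Constructed sample database: class label -> candidate packets that were already
# inspected. Field names, values and class labels are hypothetical.
DATABASE = {
    "normal": [
        "src=cabin dst=ife proto=tcp dport=443 flags=ACK len=1200",
        "src=cabin dst=ife proto=tcp dport=443 flags=PSH len=900",
    ],
    "port_scan": [
        "src=cabin dst=acd proto=tcp dport=22 flags=SYN len=60",
        "src=cabin dst=acd proto=tcp dport=8080 flags=SYN len=64",
    ],
    "flood": [
        "src=cabin dst=ife proto=udp dport=53 flags=NONE len=1400",
        "src=cabin dst=ife proto=udp dport=123 flags=NONE len=1400",
    ],
}
# Constructed first airborne communication data packet (the one to classify).
QUERY = "src=cabin dst=acd proto=tcp dport=23 flags=SYN len=60"


def split_clusters(packet):
    """S230: split a packet into constituent data clusters (assumed: one per field)."""
    return packet.split()


def relevance(cluster, cand_clusters, avg_len, k1=1.2, b=0.75):
    """Relevance of one cluster to one candidate packet, computed from its
    occurrence count, the packet capacity and the average capacity.
    The BM25-style form is an assumption; the page gives no formula."""
    f = cand_clusters.count(cluster)
    if f == 0:
        return 0.0
    norm = k1 * (1 - b + b * len(cand_clusters) / avg_len)
    return f * (k1 + 1) / (f + norm)


def database_weight(cluster, all_clusters):
    """Wb = log(M/H): M packets in the database, H of them contain the cluster."""
    m = len(all_clusters)
    h = sum(1 for clusters in all_clusters if cluster in clusters)
    return math.log(m / h) if h else 0.0


def packet_weight(cluster, query_clusters):
    """Wc = N/K: N occurrences in the first packet, K clusters in total."""
    return query_clusters.count(cluster) / len(query_clusters)


def commonality(query, candidate, all_clusters, avg_len):
    """S240: weighted sum of per-cluster relevance values."""
    q = split_clusters(query)
    c = split_clusters(candidate)
    score = 0.0
    for cluster in set(q):
        weight = database_weight(cluster, all_clusters) * packet_weight(cluster, q)
        score += weight * relevance(cluster, c, avg_len)
    return score


def best_per_class(query, database):
    """S250: for each class, the candidate packet with the largest commonality."""
    all_clusters = [split_clusters(p) for pkts in database.values() for p in pkts]
    avg_len = sum(len(c) for c in all_clusters) / len(all_clusters)
    best = {}
    for label, packets in database.items():
        scored = [(commonality(query, p, all_clusters, avg_len), p) for p in packets]
        score, packet = max(scored, key=lambda item: item[0])
        best[label] = (packet, score)
    return best


if __name__ == "__main__":
    for label, (packet, score) in best_per_class(QUERY, DATABASE).items():
        print(f"{label:10s} {score:.4f}  {packet}")
```

A cluster present in every stored packet (here `src=cabin`) gets Wb = log(1) = 0 and contributes nothing, while a cluster seen in only one stored packet (`len=60`) dominates the ranking.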

Step S260: obtain a first data packet characterization vector corresponding to the first airborne communication data packet, and obtain the candidate data packet characterization vector corresponding to each of the plurality of candidate airborne communication data packets under the first candidate intrusion behavior data classification.

For example, approximate data packets that meet the commonality measurement result requirement with respect to the first airborne communication data packet are obtained by matching against a commonality measurement result library. Before this, the plurality of candidate airborne communication data packets under the first candidate intrusion behavior data classification and the first airborne communication data packet need to be quantized, yielding the corresponding candidate data packet characterization vectors and the first data packet characterization vector.

Step S270: based on a preset feature clustering strategy, divide the feature domain in which the plurality of candidate data packet characterization vectors lie into a plurality of sub-feature domains.

In one implementation, the preset feature clustering strategy groups the candidate data packet characterization vectors of similar candidate airborne communication data packets into one class, and can also be called a clustering strategy: within the feature domain (the space after data quantization), the region occupied by candidate data packet characterization vectors whose spatial similarity exceeds a similarity threshold is divided off as one sub-feature domain. Each sub-feature domain has a cluster representative characterization vector, which is a vector that represents all candidate data packet characterization vectors in that sub-feature domain, that is, the centroid of a cluster.

In one implementation, the cluster representative characterization vectors can be determined in advance: after the feature domain in which the candidate data packet characterization vectors lie is determined, a plurality of cluster representative characterization vectors are placed evenly in it. For a first cluster representative characterization vector, the candidate data packet characterization vectors whose spatial similarity to it exceeds the similarity threshold are assigned to the sub-feature domain to which the first cluster representative characterization vector belongs. When the cluster representative characterization vectors and their similarity thresholds are set, it must be ensured that the resulting sub-feature domains together include all candidate data packet characterization vectors.

In one implementation, the cluster representative characterization vectors are determined after the sub-feature domains have been divided. That is, once a sub-feature domain is obtained, its central vector is determined as the cluster representative characterization vector; or the vector with the smallest sum of spatial similarities to the candidate data packet characterization vectors in the sub-feature domain is determined as the cluster representative characterization vector; or the vector in the sub-feature domain for which the largest number of candidate data packet characterization vectors have a spatial similarity below a set value, in other words a vector in the densest region of candidate data packet characterization vectors in the sub-feature domain, is determined as the cluster representative characterization vector.

Step S280: determine the spatial similarity between each of the plurality of cluster representative characterization vectors and the first data packet characterization vector.

For example, the spatial similarity between the cluster representative characterization vector of each sub-feature domain and the first data packet characterization vector is determined.

Step S290: obtain, from the plurality of cluster representative characterization vectors, the u cluster representative characterization vectors with the largest spatial similarity to the first data packet characterization vector, where u ≥ 1.

Step S310: determine a second candidate airborne communication data packet from the candidate airborne communication data packets whose candidate data packet characterization vectors lie in the u sub-feature domains corresponding to the u cluster representative characterization vectors.

That is, the spatial similarity between the first data packet characterization vector and each candidate data packet characterization vector in the u sub-feature domains corresponding to the u cluster representative characterization vectors is determined, and the candidate airborne communication data packets corresponding to the p candidate data packet characterization vectors with the largest spatial similarity to the first data packet characterization vector are determined as second airborne communication data packets. The second candidate airborne communication data packet is one of the second airborne communication data packets, with p = 1. It is another approximate data packet that, under the first candidate intrusion behavior data classification, meets the commonality measurement result condition with respect to the first airborne communication data packet.
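Steps S270 to S310 describe a two-stage nearest-neighbour search: compare the first packet's vector with the cluster representatives, then only with the members of the u closest sub-feature domains. The added example below is not code from the application; cosine similarity as the spatial similarity, the seed representatives, the centre vector as representative and the three-dimensional sample vectors are assumptions.

```python
import math

# Constructed candidate data packet characterization vectors for one class.
VECTORS = [
    [0.9, 0.1, 0.0], [1.0, 0.2, 0.1], [0.8, 0.0, 0.1],   # indices 0-2
    [0.1, 0.9, 0.0], [0.0, 1.0, 0.2], [0.2, 0.8, 0.1],   # indices 3-5
    [0.0, 0.1, 0.9], [0.1, 0.0, 1.0], [0.1, 0.2, 0.8],   # indices 6-8
]
# Evenly placed initial cluster representatives (the pre-set variant).
SEEDS = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
# Constructed first data packet characterization vector.
QUERY_VEC = [0.1, 0.9, 0.02]


def cosine(a, b):
    """Spatial similarity between two vectors (cosine is an assumption)."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def assign(vectors, reps):
    """Put every vector into the sub-feature domain of its most similar
    representative, so the domains together cover all vectors."""
    members = [[] for _ in reps]
    for idx, vec in enumerate(vectors):
        nearest = max(range(len(reps)), key=lambda i: cosine(vec, reps[i]))
        members[nearest].append(idx)
    return members


def centre(vectors):
    """Central vector of a sub-feature domain (component-wise mean)."""
    return [sum(col) / len(vectors) for col in zip(*vectors)]


def partition(vectors, seeds, rounds=5):
    """S270: divide the feature domain and return (representatives, members)."""
    reps = [list(s) for s in seeds]
    for _ in range(rounds):
        members = assign(vectors, reps)
        # An empty domain keeps its previous representative.
        reps = [centre([vectors[i] for i in m]) if m else r
                for m, r in zip(members, reps)]
    return reps, assign(vectors, reps)


def search(query, vectors, reps, members, u=1, p=1):
    """S280-S310: rank representatives, keep the top u, then rank only the
    vectors inside those u sub-feature domains and return the top p.
    Also returns the number of similarity computations performed."""
    order = sorted(range(len(reps)),
                   key=lambda i: cosine(query, reps[i]), reverse=True)[:u]
    pool = [idx for i in order for idx in members[i]]
    pool.sort(key=lambda idx: cosine(query, vectors[idx]), reverse=True)
    return pool[:p], len(reps) + len(pool)


def full_scan(query, vectors, p=1):
    """Baseline: compare the query with every stored vector."""
    order = sorted(range(len(vectors)),
                   key=lambda idx: cosine(query, vectors[idx]), reverse=True)
    return order[:p], len(vectors)


if __name__ == "__main__":
    reps, members = partition(VECTORS, SEEDS)
    print("two-stage:", search(QUERY_VEC, VECTORS, reps, members))
    print("full scan:", full_scan(QUERY_VEC, VECTORS))
```

With u = 1 the search can miss the true nearest vector when it sits just across a sub-feature domain boundary; raising u trades extra comparisons for recall.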

Step S311: determine the second airborne communication data packet according to the first candidate airborne communication data packet and the second candidate airborne communication data packet.

For example, once two approximate data packets that meet the commonality measurement result requirement with respect to the first airborne communication data packet under the first candidate intrusion behavior data classification have been determined from the airborne network communication database, the two approximate data packets are combined in order, for example directly concatenated, to obtain the second airborne communication data packet. In one implementation, the communication data packet commonality measurement result between the first candidate airborne communication data packet and the second candidate airborne communication data packet is determined; if it is not less than a commonality measurement result threshold, the first candidate airborne communication data packet or the second candidate airborne communication data packet is determined as the second airborne communication data packet. For example, if the commonality measurement result threshold is 1, meaning the first candidate airborne communication data packet and the second candidate airborne communication data packet are identical, it is sufficient to determine only one of them as the second airborne communication data packet, chosen either at random or by a content commonality measure. When the choice is made by a content commonality measure, a first content commonality measurement result between the second airborne communication data packet and the first candidate airborne communication data packet is determined by content commonality calculation, and a second content commonality measurement result between the second airborne communication data packet and the second candidate airborne communication data packet is obtained. When the first content commonality measurement result is greater than the second, the first candidate airborne communication data packet is determined as the second airborne communication data packet; when the first is less than the second, the second candidate airborne communication data packet is determined as the second airborne communication data packet; when the two are equal, either the first candidate airborne communication data packet or the second candidate airborne communication data packet is determined as the second airborne communication data packet.

Step S312: mine a first intrusion behavior characterization vector corresponding to the first airborne communication data packet and the plurality of candidate intrusion behavior data classifications.

In one implementation, the first airborne communication data packet is combined with each of the plurality of candidate intrusion behavior data classifications to obtain a plurality of first combined communication data. In one implementation, the intrusion behavior detection algorithm includes a first feature embedding operator, which contains a first low-dimensional mapping network and a first attention network. The first low-dimensional mapping network encodes the plurality of first combined communication data into a plurality of first encoding vectors. The first encoding vectors are input into the first attention network, whose self-attention mechanism mines the first encoding sub-vector corresponding to each first encoding vector, and the plurality of first encoding sub-vectors are taken as the first intrusion behavior characterization vector. Each first encoding sub-vector characterizes the correlation between one candidate intrusion behavior data classification and the first airborne communication data packet.

Step S313: mine a plurality of second intrusion behavior characterization vectors corresponding to the first airborne communication data packet and the plurality of second airborne communication data packets.

In one implementation, the first airborne communication data packet is combined with each of the plurality of second airborne communication data packets to obtain a plurality of second combined communication data. In one implementation, the intrusion behavior detection algorithm also includes a second feature embedding operator, which contains a second low-dimensional mapping network and a second attention network. The second low-dimensional mapping network encodes the plurality of second combined communication data into a plurality of second encoding vectors. The second encoding vectors are input into the second attention network, whose attention strategy mines the second encoding sub-vector corresponding to each second encoding vector, and the plurality of second encoding sub-vectors are taken as the second intrusion behavior characterization vector. Each second encoding sub-vector characterizes the correlation between one second airborne communication data packet and the first airborne communication data packet.

Step S314: perform intrusion behavior data classification inference according to the first intrusion behavior characterization vector and the second intrusion behavior characterization vector, and determine, from the plurality of candidate intrusion behavior data classifications, the first intrusion behavior data classification corresponding to the first airborne communication data packet.

The first intrusion behavior data classification indicates the intrusion behavior type corresponding to the first airborne communication data packet.

The intrusion behavior detection algorithm performs intrusion behavior data classification inference on the first intrusion behavior characterization vector to determine a first support coefficient for each of the plurality of candidate intrusion behavior data classifications. It performs intrusion behavior data classification inference on the second intrusion behavior characterization vector to obtain a second support coefficient for each of the plurality of candidate intrusion behavior types. The first support coefficient and the second support coefficient are integrated to obtain a classification support coefficient for each of the plurality of candidate intrusion behavior data classifications. According to these classification support coefficients, the first intrusion behavior data classification corresponding to the first airborne communication data packet is determined from the plurality of candidate intrusion behavior data classifications.

In summary, the civil airliner airborne information security protection method provided in the embodiments of the present application mines the first intrusion behavior characterization vector corresponding to the first airborne communication data packet and the plurality of candidate intrusion behavior data classifications, mines the second intrusion behavior characterization vector corresponding to the first airborne communication data packet and the plurality of second airborne communication data packets (the approximate data packets of the first airborne communication data packet under each candidate intrusion behavior data classification), and performs intrusion behavior data classification inference on the first airborne communication data packet according to both vectors to determine its intrusion behavior data classification. During this inference, the intrusion behavior type of the first airborne communication data packet is determined jointly from the correlation between the first airborne communication data packet and the intrusion behavior data classifications and the correlation between the first airborne communication data packet and the approximate data packets. Consequently, for an intrusion behavior detection algorithm debugged with an insufficient number of samples, if an intrusion behavior data classification is absent from the algorithm's debugging samples, the algorithm can use the approximate data packets of the first airborne communication data packet as extended information to infer the support coefficient of the first airborne communication data packet for that intrusion behavior data classification, which increases the accuracy of intrusion behavior data classification inference on airborne communication data packets.

The method provided in the embodiments of the present application determines, by computing commonality measurement results over constituent data clusters, the communication data packets in the airborne network communication database that meet the commonality measurement result condition, which improves the accuracy of the approximate data packets obtained. The embodiments also obtain the spatial similarity between the first airborne communication data packet and a plurality of centroids, determine the centroids that meet the spatial similarity condition, and then compute spatial similarity only for the candidate communication data packets belonging to those centroids to obtain the communication data packets that meet the commonality measurement result condition. This avoids computing spatial similarity over the whole airborne network communication database and the additional computational overhead that would cause.

The debugging process of the intrusion behavior detection algorithm provided in the embodiments of the present application is described below. It includes:

Step S410: obtain, from an airborne network communication data sample library, a first airborne communication data packet learning sample and the reference intrusion behavior data classification corresponding to it, and obtain a plurality of candidate intrusion behavior data classifications.

The first airborne communication data packet learning sample is a communication data packet whose intrusion behavior type is to be determined from among the plurality of candidate intrusion behavior data classifications. The reference intrusion behavior data classification corresponding to the first airborne communication data packet learning sample is the labeled, actual intrusion behavior data classification of that learning sample.

In one implementation, the airborne network communication data sample library includes a plurality of airborne communication data packet learning samples, and the first airborne communication data packet learning sample is any one of them that has not yet been used for algorithm debugging.

In one implementation, the plurality of candidate intrusion behavior data classifications are a plurality of preset intrusion behavior data classifications, or they are the intrusion behavior data classifications contained in the airborne network communication data sample library.

Optionally, before the first airborne communication data packet learning sample is obtained from the airborne network communication data sample library, the method includes: obtaining a candidate airborne network communication database; performing data enhancement on a plurality of airborne communication data packet learning samples in the candidate airborne network communication database; and expanding the candidate airborne network communication database with the enhancement results to obtain the airborne network communication data sample library. Data enhancement is performed, for example, by manually changing, adding or deleting data.

Optionally, before the first airborne communication data packet learning sample is obtained from the airborne network communication data sample library, the method further includes: obtaining a candidate airborne network communication database that includes a plurality of candidate airborne communication data packets, each labeled with a candidate intrusion behavior data classification; performing intrusion behavior data classification inference on the plurality of candidate airborne communication data packets with a target intrusion behavior detection algorithm to obtain the target intrusion behavior data classification corresponding to each of them; determining the target candidate airborne communication data packets, namely those whose candidate intrusion behavior data classification differs from their target intrusion behavior data classification; updating the intrusion behavior classification labels of the target candidate airborne communication data packets and updating the candidate airborne network communication database; and using the updated candidate airborne network communication database as the airborne network communication data sample library. The target intrusion behavior detection algorithm is, for example, the intrusion behavior detection algorithm obtained from the previous debugging.

Step S420: obtain, from the airborne network communication data sample library, the second airborne communication data packet learning sample corresponding to each of the plurality of candidate intrusion behavior data classifications.

The commonality measurement result between the first airborne communication data packet learning sample and the second airborne communication data packet learning sample meets a preset measurement condition.

For details, refer to the description of obtaining the second airborne communication data packet from the airborne network communication database in steps S220 to S311 above.

Step S430: based on a candidate intrusion behavior detection algorithm, mine the first intrusion behavior sample characterization vector corresponding to the first airborne communication data packet learning sample and the plurality of candidate intrusion behavior data classifications, and mine the second intrusion behavior sample characterization vector corresponding to the first airborne communication data packet learning sample and the plurality of second airborne communication data packet learning samples.

In one implementation, the first airborne communication data packet learning sample is combined with each of the multiple candidate intrusion behavior data classifications to obtain multiple first combined communication data samples; the multiple first combined communication data samples are embedded and encoded based on the candidate intrusion behavior detection algorithm to obtain multiple first sample encoding vectors; and the first sub intrusion behavior sample characterization vector corresponding to each first sample encoding vector is mined based on the candidate intrusion behavior detection algorithm, the multiple first sub intrusion behavior sample characterization vectors together forming the first intrusion behavior sample characterization vector. Each first sub intrusion behavior sample characterization vector characterizes the correlation between one candidate intrusion behavior data classification and the first airborne communication data packet learning sample.

In one implementation, the first airborne communication data packet learning sample is combined with each of the multiple second airborne communication data packet learning samples to obtain multiple second combined communication data samples; the multiple second combined communication data samples are embedded and encoded based on the candidate intrusion behavior detection algorithm to obtain multiple second sample encoding vectors; and the second sub intrusion behavior sample characterization vector corresponding to each second sample encoding vector is mined based on the candidate intrusion behavior detection algorithm, the multiple second sub intrusion behavior sample characterization vectors together forming the second intrusion behavior sample characterization vector. Each second sub intrusion behavior sample characterization vector characterizes the correlation between one second airborne communication data packet learning sample and the first airborne communication data packet learning sample.

For example, the candidate intrusion behavior detection algorithm includes a feature embedding operator, which takes as input the first airborne communication data packet learning sample, a specified intrusion behavior data classification, and the second airborne communication data packet learning sample corresponding to that specified classification, then embeds and encodes them to mine data features. The candidate intrusion behavior detection algorithm is specifically a dual-tower architecture. In one tower, the feature embedding operator includes a first low-dimensional mapping network and a first attention network, which encode the first airborne communication data packet learning sample together with the specified intrusion behavior data classification, the first attention network representing the correlation between the two. In the other tower, the feature embedding operator includes a second low-dimensional mapping network and a second attention network, which encode the first airborne communication data packet learning sample together with the second airborne communication data packet learning sample corresponding to the specified intrusion behavior data classification, the second attention network representing the correlation between the two.

Step S440: perform intrusion behavior data classification inference according to the first intrusion behavior sample characterization vector and the second intrusion behavior sample characterization vector, and determine, among the multiple candidate intrusion behavior data classifications, the inferred intrusion behavior data classification corresponding to the first airborne communication data packet learning sample.

Specifically, based on the candidate intrusion behavior detection algorithm, intrusion behavior data classification inference is performed according to the first intrusion behavior sample characterization vector to determine the first sample support coefficient corresponding to each of the multiple candidate intrusion behavior data classifications; based on the candidate intrusion behavior detection algorithm, intrusion behavior data classification inference is performed according to the second intrusion behavior sample characterization vector to obtain the second sample support coefficient corresponding to each of the multiple candidate intrusion behavior data classifications; the first sample support coefficients and the second sample support coefficients are integrated to obtain the inference classification support coefficient corresponding to each of the multiple candidate intrusion behavior data classifications; and, according to these inference classification support coefficients, the inferred intrusion behavior data classification corresponding to the first airborne communication data packet learning sample is determined from the multiple candidate intrusion behavior data classifications.

For example, the candidate intrusion behavior detection algorithm includes a classification mapping operator. The operator includes a first feedforward neural unit, which infers the correlation score between the first airborne communication data packet learning sample and a specified intrusion behavior data classification, and a second feedforward neural unit, which infers the correlation score between the first airborne communication data packet learning sample and the second airborne communication data packet learning sample corresponding to the specified intrusion behavior data classification. The mean of the two scores is taken as the correlation score of the specified intrusion behavior data classification, which gives the inference classification support coefficient of that classification.

In one implementation, the correlation scores corresponding to all intrusion behavior data classifications are sorted, and the intrusion behavior data classification with the greatest correlation (that is, the inferred intrusion behavior data classification) is obtained, which completes the identification of the intrusion behavior type of the first airborne communication data packet learning sample.
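The inference path of steps S420 to S440, together with the optional label-refresh step described before step S420, as an added Python example that is not part of the patent text. Cosine similarity stands in for the trained attention and feedforward units, and the feature layout, class names, descriptor vectors, sample values and the 0.7 commonality threshold are all constructed assumptions.

```python
import math

CLASSES = ["normal", "flooding", "covert_channel"]  # hypothetical classification names

# Constructed sample library: (feature vector, annotated classification).
# Hypothetical features in [0, 1]: length, payload entropy, timing jitter, unusual-port ratio.
SAMPLE_LIBRARY = [
    ([0.10, 0.20, 0.10, 0.00], "normal"),
    ([0.15, 0.25, 0.05, 0.00], "normal"),
    ([0.90, 0.30, 0.80, 0.10], "flooding"),
    ([0.85, 0.35, 0.90, 0.05], "flooding"),
    ([0.30, 0.95, 0.20, 0.90], "covert_channel"),  # rare class: a single sample
]

# Constructed class descriptors for the packet-vs-classification tower.
# The covert_channel descriptor is deliberately poor, as for a class with few samples.
CLASS_DESCRIPTORS = {
    "normal": [0.10, 0.20, 0.10, 0.00],
    "flooding": [0.90, 0.30, 0.90, 0.10],
    "covert_channel": [0.60, 0.40, 0.60, 0.20],
}
COMMONALITY_THRESHOLD = 0.7  # assumed value for the "preset measurement condition"

# Constructed inputs: one packet to classify and one freshly annotated candidate database.
PACKET = [0.35, 0.90, 0.25, 0.85]
CANDIDATE_DB = [
    ([0.12, 0.22, 0.08, 0.00], "normal"),
    ([0.88, 0.32, 0.85, 0.08], "normal"),  # constructed annotation error
    ([0.32, 0.93, 0.22, 0.88], "covert_channel"),
]


def cosine(a, b):
    """Cosine similarity, used here as the commonality measure and as both scorers."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def class_tower(packet):
    """First support coefficients: packet against each candidate classification."""
    return {c: cosine(packet, CLASS_DESCRIPTORS[c]) for c in CLASSES}


def neighbor_tower(packet, library=SAMPLE_LIBRARY, threshold=COMMONALITY_THRESHOLD):
    """Second support coefficients: packet against similar library packets (S420).

    Only samples that meet the commonality condition count. A class with no such
    sample gets 0.0, which is an assumption of this sketch.
    """
    scores = {c: 0.0 for c in CLASSES}
    for features, label in library:
        similarity = cosine(packet, features)
        if similarity >= threshold and similarity > scores[label]:
            scores[label] = similarity
    return scores


def classify(packet, library=SAMPLE_LIBRARY):
    """S440: average both coefficients per class and return the best class."""
    first = class_tower(packet)
    second = neighbor_tower(packet, library)
    fused = {c: (first[c] + second[c]) / 2 for c in CLASSES}
    return max(fused, key=fused.get), fused


def refresh_labels(candidate_db, predict):
    """Label refresh: replace each annotation that disagrees with the prior model.

    Returns the updated database and the indices whose annotation changed, so
    the changes can be reviewed before the database becomes the sample library.
    """
    updated, changed = [], []
    for index, (features, annotated) in enumerate(candidate_db):
        inferred = predict(features)
        if inferred != annotated:
            changed.append(index)
        updated.append((features, inferred))
    return updated, changed


if __name__ == "__main__":
    first = class_tower(PACKET)
    print("classification tower alone:", max(first, key=first.get))
    label, fused = classify(PACKET)
    print("fused decision:", label, {c: round(s, 3) for c, s in fused.items()})
    _, changed = refresh_labels(CANDIDATE_DB, lambda f: classify(f)[0])
    print("annotations changed at indices:", changed)
```

Because `refresh_labels` overwrites every disagreeing annotation, any error in the previous-round model is carried into the sample library; the returned index list is there so the changes can be reviewed first.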

Step S450: tune the candidate intrusion behavior detection algorithm according to the difference between the reference intrusion behavior data classification and the inferred intrusion behavior data classification, to obtain the intrusion behavior detection algorithm.

The intrusion behavior detection algorithm is used to infer the intrusion behavior data classification of an airborne communication data packet and thereby determine the intrusion behavior type of that packet. In one implementation, the candidate intrusion behavior detection algorithm can be tuned based on a cross-entropy function; tuning stops when the number of tuning rounds reaches a preset maximum or when the detection error of the algorithm falls below a preset minimum error, which yields the intrusion behavior detection algorithm.

It should be noted that, although the steps of the method in the present application are described in a specific order in the drawings, this does not require or imply that the steps must be performed in that order, or that all of the steps shown must be performed to achieve the desired result. Additionally or alternatively, some steps may be omitted, multiple steps may be combined into one step, and/or one step may be split into multiple steps.

The following describes apparatus embodiments of the present application, which can be used to perform the civil airliner airborne information security protection method of the above embodiments. FIG. 2 schematically shows a structural block diagram of the security protection apparatus provided by an embodiment of the present application. As shown in FIG. 2, the security protection apparatus 200 includes:

a target data acquisition module 210, configured to acquire a first airborne communication data packet and multiple candidate intrusion behavior data classifications, the first airborne communication data packet being a communication data packet whose intrusion behavior type is to be determined among the multiple candidate intrusion behavior data classifications;

a reference data acquisition module 220, configured to acquire the second airborne communication data packets corresponding to each of the multiple candidate intrusion behavior data classifications, where the commonality measurement result between each second airborne communication data packet and the first airborne communication data packet satisfies a preset measurement condition;

a first feature mining module 230, configured to mine the first intrusion behavior characterization vector corresponding to the first airborne communication data packet and the multiple candidate intrusion behavior data classifications, the first intrusion behavior characterization vector characterizing the correlation between each of the multiple candidate intrusion behavior data classifications and the first airborne communication data packet;

a second feature mining module 240, configured to mine the second intrusion behavior characterization vector corresponding to the first airborne communication data packet and the multiple second airborne communication data packets, the second intrusion behavior characterization vector characterizing the correlation between each of the multiple second airborne communication data packets and the first airborne communication data packet;

an intrusion behavior classification module 250, configured to perform intrusion behavior data classification inference according to the first intrusion behavior characterization vector and the second intrusion behavior characterization vector, and to determine, from the multiple candidate intrusion behavior data classifications, the first intrusion behavior data classification corresponding to the first airborne communication data packet, the first intrusion behavior data classification indicating the intrusion behavior type of the first airborne communication data packet.

The specific details of the security protection apparatus provided in the embodiments of the present application have been described in detail in the corresponding method embodiments and are not repeated here.

FIG. 3 schematically shows a structural block diagram of a computer system for implementing the airborne network security protection system of an embodiment of the present application.

It should be noted that the computer system 300 of the airborne network security protection system shown in FIG. 3 is only an example and does not limit the functions or scope of use of the embodiments of the present application.

As shown in FIG. 3, the computer system 300 includes a central processing unit (CPU) 301, which can perform various appropriate actions and processing according to a program stored in a read-only memory (ROM) 302 or a program loaded from a storage section 308 into a random access memory (RAM) 303. The random access memory 303 also stores the various programs and data required for system operation. The central processing unit 301, the read-only memory 302 and the random access memory 303 are connected to one another through a bus 304. An input/output (I/O) interface 305 is also connected to the bus 304.

The following components are connected to the input/output interface 305: an input section 306 including a keyboard, a mouse and the like; an output section 307 including a cathode ray tube (CRT) or liquid crystal display (LCD), a speaker and the like; a storage section 308 including a hard disk and the like; and a communication section 309 including a network interface card such as a LAN card or a modem. The communication section 309 performs communication processing via a network such as the Internet. A drive 310 is also connected to the input/output interface 305 as needed. A storage medium 311, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 310 as needed, so that a computer program read from it can be installed into the storage section 308 as needed.

In particular, according to the embodiments of the present application, the processes described in the method flowcharts can be implemented as computer software programs. For example, an embodiment of the present application includes a computer program product that includes a computer program carried on a computer-readable medium, the computer program containing program code for performing the method shown in the flowchart. In such an embodiment, the computer program can be downloaded and installed from a network through the communication section 309, and/or installed from the storage medium 311. When the computer program is executed by the central processing unit 301, the various functions defined in the system of the present application are performed.

It should be noted that the computer-readable medium in the embodiments of the present application may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples of computer-readable storage media include, but are not limited to: an electrical connection with one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a flash memory, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of these. In the present application, a computer-readable storage medium may be any tangible medium that contains or stores a program, where the program can be used by or in combination with an instruction execution system, apparatus or device. A computer-readable signal medium, in the present application, may include a data signal propagated in baseband or as part of a carrier wave and carrying computer-readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of these. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in combination with an instruction execution system, apparatus or device. The program code contained on the computer-readable medium may be transmitted over any appropriate medium, including but not limited to wireless or wired media, or any suitable combination of these.

The flowcharts and block diagrams in the drawings illustrate the architecture, functions and operations of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two blocks shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and any combination of such blocks, can be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.

It should be noted that, although the detailed description above mentions several modules or units of the device for performing actions, this division is not mandatory. In fact, according to the embodiments of the present application, the features and functions of two or more modules or units described above may be embodied in a single module or unit. Conversely, the features and functions of one module or unit described above may be further divided among multiple modules or units.

From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented in software, or in software combined with the necessary hardware. The technical solution according to the embodiments of the present application can therefore be embodied as a software product, which can be stored on a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a portable hard disk) or on a network, and which includes a number of instructions that cause a computing device (such as a personal computer, a server, a touch terminal or a network device) to perform the method according to the embodiments of the present application.

Other embodiments of the present application will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed here. The present application is intended to cover any variations, uses or adaptations of the present application that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed in the present application.

It should be understood that the present application is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.

Claims (10)

CN202410762972.8A | 2024-06-13 | 2024-06-13 | A method and system for protecting information security onboard a civil passenger aircraft | Active | CN118432937B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202410762972.8A | 2024-06-13 | 2024-06-13 | A method and system for protecting information security onboard a civil passenger aircraft (CN118432937B (en))

Publications (2)

Publication Number | Publication Date
CN118432937A (en) | 2024-08-02
CN118432937B (en) | 2025-09-26

Family

ID=92316311

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202410762972.8A (Active, CN118432937B (en)) | A method and system for protecting information security onboard a civil passenger aircraft | 2024-06-13 | 2024-06-13

Country Status (1)

Country | Link
CN (1) | CN118432937B (en)

Also Published As

Publication number | Publication date
CN118432937B (en) | 2025-09-26

Legal Events

Date | Code | Title | Description
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
