US-12619726-B2 - Cyber resilience integrated security inspection system (CRISIS) against false data injection attacks

Abstract

A method for detecting false data injection attacks (FDIAs) on a condition-based predictive maintenance (CBPM) system includes: collecting sensor data from sensors monitoring components of a system maintained by the CBPM system to extract features for a cyberattack detection model and gathering historical data of the system to build a cyberattack knowledge base about the system; combining the sensor data and the historical data to train the cyberattack detection model; using a graphical Bayesian network model to capture domain knowledge and condition-symptom relationships between the sensor-monitored components and the sensors; and based on the cyberattack detection model and the Bayesian network model, detecting the FDIAs on the CBPM system.

Inventors

  • SIXIAO WEI
  • Genshe Chen
  • Kuochu CHANG
  • Thomas M. CLEMONS, III

Assignees

  • Intelligent Fusion Technology, Inc.

Dates

Publication Date
20260505
Application Date
20220329

Claims (20)

  1. A method for detecting false data injection attacks (FDIAs) on a condition-based predictive maintenance (CBPM) system, comprising: collecting sensor data from sensors that monitor components of a system maintained by the CBPM system to extract features for a cyberattack detection model and gathering historical data of the system to build a cyberattack knowledge base about the system; combining the sensor data and the historical data to train the cyberattack detection model; using a graphical Bayesian network model to capture domain knowledge and condition-symptom relationships between the components monitored by the sensors and the sensors; based on the cyberattack detection model and the Bayesian network model, detecting the FDIAs on the CBPM system, wherein the FDIAs include injection of the sensor data for both normal operation and abnormal operation; and computing, by the graphical Bayesian network model, a health condition index for each of the components and identifying potential defective components, wherein: the CBPM system includes a Kafka module, a software-in-the-loop (SITL) module and a hardware-in-the-loop (HITL) module to support multiple tasks; the cyberattack detection model and the graphical Bayesian network model are between the SITL module and the HITL module; the Kafka module streams data of the detected FDIAs to the SITL module; and the cyberattack detection model, the graphical Bayesian network model, and the Kafka module are integrated by a Raspberry Pi for real-time data acquisition and cyberattack detection.
  2. The method according to claim 1, wherein: the system includes a navy ship or a submarine; and the components of the system include at least a compressor and a turbine engine.
  3. The method according to claim 2, wherein: the sensor data includes readings of one or more of an accelerometer, a strain gauge, and a thermometer; and the historical data is unstructured text data including one or more of a system operator log, hardware information, and software information.
  4. The method according to claim 3, wherein gathering the historical data of the system to build the cyberattack knowledge base about the system includes: performing natural language processing to convert the unstructured text data into concepts and relationships to build the cyberattack knowledge base about the system.
  5. The method according to claim 1, wherein: the cyberattack detection model includes a long short-term memory (LSTM) model or a gated recurrent unit (GRU) model.
  6. The method according to claim 1, further comprising: separately training one cyberattack detection model for each sensor using the sensor data from the corresponding sensor; and determining which sensor is attacked based on the separately trained cyberattack detection model.
  7. The method according to claim 1, wherein: the domain knowledge includes technical manuals and mathematical engine models that describe the components of the system, how the components are connected, which characteristics of the system are measured by the sensors; and how the system works; the domain knowledge provides a topological structure for the graphical Bayesian network model; and the condition-symptom relationships determine weights of links between nodes of the graphical Bayesian network model.
  8. The method according to claim 1, further comprising: integrating with the CBPM system to display each sensor being attacked by the FDIAs, detect global navigation satellite system (GNSS) and automatic identification system (AIS) spoofing, detect channel access attacks on the CBPM system, and predict effect of the FDIAs on remaining useful life (RUL) of the system and make maintenance recommendation.
  9. A condition-based predictive maintenance (CBPM) system, comprising: sensors that monitor components of a system maintained by the CBPM system; a memory storing computer programs; and a processor configured to execute the computer programs to: collect sensor data from the sensors to extract features for a cyberattack detection model and gather historical data of the system to build a cyberattack knowledge base about the system; combine the sensor data and the historical data to train the cyberattack detection model; use a graphical Bayesian network model to capture domain knowledge and condition-symptom relationships between the components monitored by the sensors and the sensors; based on the cyberattack detection model and the Bayesian network model, detect false data injection attacks (FDIAs) on the CBPM system, wherein the FDIAs include injection of the sensor data for both normal operation and abnormal operation; and use the graphical Bayesian network model to compute a health condition index for each of the components and identify potential defective components, wherein: the CBPM system further includes a Kafka module, a software-in-the-loop (SITL) module and a hardware-in-the-loop (HITL) module to support multiple tasks; the cyberattack detection model and the graphical Bayesian network model are between the SITL module and the HITL module; the Kafka module streams data of the detected FDIAs to the SITL module; and the cyberattack detection model, the graphical Bayesian network model, and the Kafka module are integrated by a Raspberry Pi for real-time data acquisition and cyberattack detection.
  10. The CBPM system according to claim 9, wherein: the system includes a navy ship or a submarine; and the components of the system include at least a compressor and a turbine engine.
  11. The CBPM system according to claim 10, wherein: the sensor data includes readings of one or more of accelerometers, a strain gauge, and a thermometer; and the historical data is unstructured text data including one or more of a system operator log, hardware information, and software information.
  12. The CBPM system according to claim 11, wherein when gathering the historical data of the system to build the cyberattack knowledge base about the system, the processor is further configured to: perform natural language processing to convert the unstructured text data into concepts and relationships to build the cyberattack knowledge base about the system.
  13. The CBPM system according to claim 9, wherein: the cyberattack detection model includes a long short-term memory (LSTM) model or a gated recurrent unit (GRU) model.
  14. The CBPM system according to claim 9, wherein the processor is further configured to: separately train one cyberattack detection model for each sensor using the sensor data from the corresponding sensor; and determine which sensor is attacked based on the separately trained cyberattack detection model.
  15. The CBPM system according to claim 9, wherein: the domain knowledge includes technical manuals and mathematical engine models that describe the components of the system, how the components are connected, which characteristics of the system are measured by the sensors; and how the system works; the domain knowledge provides a topological structure for the graphical Bayesian network model; and the condition-symptom relationships determine weights of links between nodes of the graphical Bayesian network model.
  16. The CBPM system according to claim 9, wherein the processor is further configured to: integrate with the CBPM system to display each sensor being attacked by the FDIAs, detect global navigation satellite system (GNSS) and automatic identification system (AIS) spoofing, detect channel access attacks on the CBPM system, and predict effect of the FDIAs on remaining useful life (RUL) of the system and make maintenance recommendation.
  17. A non-transitory computer-readable storage medium storing a computer program for detecting false data injection attacks (FDIAs) on a condition-based predictive maintenance (CBPM) system, when being executed by a processor, the computer program causing the processor to perform: collecting sensor data from sensors that monitor components of a system maintained by the CBPM system to extract features for a cyberattack detection model and gathering historical data of the system to build a cyberattack knowledge base about the system; combining the sensor data and the historical data to train the cyberattack detection model; using a graphical Bayesian network model to capture domain knowledge and condition-symptom relationships between the components monitored by the sensors and the sensors; based on the cyberattack detection model and the Bayesian network model, detecting the FDIAs on the CBPM system, wherein the FDIAs include injection of the sensor data for both normal operation and abnormal operation; and using the graphical Bayesian network model to compute a health condition index for each of the components and identify potential defective components, wherein: the CBPM system includes a Kafka module, a software-in-the-loop (SITL) module and a hardware-in-the-loop (HITL) module to support multiple tasks; the cyberattack detection model and the graphical Bayesian network model are between the SITL module and the HITL module; the Kafka module streams data of the detected FDIAs to the SITL module; and the cyberattack detection model, the graphical Bayesian network model, and the Kafka module are integrated by a Raspberry Pi for real-time data acquisition and cyberattack detection.
  18. The non-transitory computer-readable storage medium according to claim 17, wherein: the system includes a navy ship or a submarine; and the components of the system include at least a compressor and a turbine engine.
  19. The non-transitory computer-readable storage medium according to claim 18, wherein: the sensor data includes readings of one or more of accelerometers, a strain gauge, and a thermometer; and the historical data is unstructured text data including one or more of a system operator log, hardware information, and software information.
  20. The non-transitory computer-readable storage medium according to claim 19, wherein when gathering the historical data of the system to build the cyberattack knowledge base about the system, the processor is further configured to perform: performing natural language processing to convert the unstructured text data into concepts and relationships to build the cyberattack knowledge base about the system.
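
Claims 1 and 7 describe a Bayesian network whose topology comes from domain knowledge, whose link weights come from condition-symptom relationships, and which yields a health condition index per component. The sketch below is an added illustration of that idea, not code from the patent: the two-component topology, the noisy-OR link model, and every probability are constructed assumptions.

```python
from itertools import product

# Constructed topology and numbers (assumptions, not taken from the patent).
PRIOR = {"compressor": 0.05, "turbine": 0.05}   # P(component degraded)
# LINK[sensor][component] = P(sensor alarms | only that component degraded)
LINK = {
    "accelerometer": {"compressor": 0.8, "turbine": 0.6},
    "strain_gauge": {"compressor": 0.7},
    "thermometer": {"turbine": 0.9},
}
LEAK = 0.02  # P(sensor alarms although every linked component is healthy)

def p_alarm(sensor, state):
    """Noisy-OR: the alarm stays off only if every active cause fails to raise it."""
    off = 1.0 - LEAK
    for comp, weight in LINK[sensor].items():
        if state[comp]:
            off *= 1.0 - weight
    return 1.0 - off

def health_index(evidence):
    """Return {component: P(healthy | evidence)} by exact enumeration.

    evidence maps sensor -> True (alarm) or False (quiet); unlisted sensors
    are treated as unobserved.
    """
    comps = list(PRIOR)
    total = 0.0
    degraded = dict.fromkeys(comps, 0.0)
    for bits in product([False, True], repeat=len(comps)):
        state = dict(zip(comps, bits))
        p = 1.0
        for c in comps:
            p *= PRIOR[c] if state[c] else 1.0 - PRIOR[c]
        for sensor, alarm in evidence.items():
            pa = p_alarm(sensor, state)
            p *= pa if alarm else 1.0 - pa
        total += p
        for c in comps:
            if state[c]:
                degraded[c] += p
    return {c: 1.0 - degraded[c] / total for c in comps}

def suspects(evidence, threshold=0.5):
    """Components whose health index is below the threshold, worst first."""
    hi = health_index(evidence)
    return sorted((c for c in hi if hi[c] < threshold), key=hi.get)
```

With these constructed weights, a thermometer alarm that no other sensor corroborates leaves the turbine index near 0.5, while the same alarm backed by the accelerometer drives it close to 0, which shows how far a single falsified reading can move the maintenance picture on its own.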

Description

GOVERNMENT RIGHTS

The present disclosure was made with Government support under Contract No. N68335-20-C-0792, awarded by Naval Sea Systems Command (NAVSEA). The U.S. Government has certain rights in the present disclosure.

FIELD OF THE DISCLOSURE

The present disclosure generally relates to the field of data security and, more particularly, relates to a method and a system for cyber resilience integrated security inspection against false data injection attacks.

BACKGROUND

Modern US Navy ships and submarines are configured with an ever-increasing level of automation, including state-of-the-art embedded wireless sensors that monitor vital system functions. One potential use of this network of sensors is Condition-based Predictive Maintenance (CBPM), the prediction of faults in a component or system powered by advanced machine learning (ML) algorithms to reduce vessel downtime and increase readiness. However, this network of sensor nodes is vulnerable to cybersecurity attacks and susceptible to corruption through accidental or malicious events.

To address these shortfalls and minimize vulnerabilities of CBPM systems, the present disclosure provides a defense system that includes both data-driven and model-based techniques to build an extensible cybersecurity layer for CBPM applications to provide enhanced cyber resiliency. The defense system is also called a cyber resilience integrated security inspection system (CRISIS) against false data injection attacks. Specifically, a deep learning algorithm based on long short-term memory (LSTM) and gated recurrent unit (GRU) is used to detect abnormal features of generalized false data injection attacks (FDIAs) on wireless sensors of a turbofan engine simulated by NASA's C-MAPSS simulator. The dynamic nature of the turbofan engine is represented by a graphical physics-informed Bayesian Network model and is used to predict health conditions accordingly. The model characterizes the condition-symptom relationships of different engine components and sensors. The present disclosure also provides a hybrid software-in-the-loop and hardware-in-the-loop system to evaluate the effectiveness of defense mechanisms of the CRISIS system.

BRIEF SUMMARY OF THE DISCLOSURE

One aspect or embodiment of the present disclosure includes a method for detecting false data injection attacks (FDIAs) on a condition-based predictive maintenance (CBPM) system. The method includes: collecting sensor data from sensors monitoring components of a system maintained by the CBPM system to extract features for a cyberattack detection model and gathering historical data of the system to build a cyberattack knowledge base about the system; combining the sensor data and the historical data to train the cyberattack detection model; using a graphical Bayesian network model to capture domain knowledge and condition-symptom relationships between the sensor-monitored components and the sensors; and based on the cyberattack detection model and the Bayesian network model, detecting the FDIAs on the CBPM system.

Another aspect or embodiment of the present disclosure includes a cyberattack detection system. The cyberattack detection system includes sensors monitoring components of a system maintained by a condition-based predictive maintenance (CBPM) system; a memory storing computer programs; and a processor configured to execute the computer programs to: collect sensor data from the sensors to extract features for a cyberattack detection model and gather historical data of the system to build a cyberattack knowledge base about the system; combine the sensor data and the historical data to train the cyberattack detection model; use a graphical Bayesian network model to capture domain knowledge and condition-symptom relationships between the sensor-monitored components and the sensors; and based on the cyberattack detection model and the Bayesian network model, detect false data injection attacks (FDIAs) on the CBPM system.

Another aspect or embodiment of the present disclosure includes a computer-readable storage medium storing a computer program for detecting false data injection attacks (FDIAs) on a condition-based predictive maintenance (CBPM) system. The computer program performs: collecting sensor data from sensors monitoring components of a system maintained by the CBPM system to extract features for a cyberattack detection model and gathering historical data of the system to build a cyberattack knowledge base about the system; combining the sensor data and the historical data to train the cyberattack detection model; using a graphical Bayesian network model to capture domain knowledge and condition-symptom relationships between the sensor-monitored components and the sensors; and based on the cyberattack detection model and the Bayesian network model, detecting the FDIAs on the CBPM system.

Other aspects or embodiments of the present disclosure can be understood by those skilled in the art in light of the desc