Typical cyber security protections and intrusion detection systems base their processes on two main methods: heuristic-based detection and signature-based detection. However, the problem with heuristic-based and signature-based detection methods is that current processes (or a combination of them) do not transition smoothly onto airplane networks, because many aircraft network communications are time-sensitive and typical systems do not catch attack chains that start off valid. Therefore, there is a need for an intrusion detection system for aircraft that accounts for expected dataflows between avionic endpoints, takes into account the time-sensitive nature of aircraft network communications, and continually monitors network traffic regardless of prior attack chain activity.
In addition, current avionics cyber security protections and intrusion detection systems are intended to statically prevent malicious activity from occurring. For example, typical cyber security protections for aircraft networks are based on static tables that allow for specific dataflows between avionics endpoints. One problem with these protections is the lack of granularity and options provided; a second is that, when a security measure is breached, there is no method to dynamically detect and track the exploit for further analysis. Therefore, there is also a need for an intrusion detection system that can analyze malicious activity and respond according to the real-time data.