Electronic device and method for securing data exchange(s) via an artificial intelligence algorithm within a communication installation, aircraft and associated computer program

The use of a fuzzy logic decision tree and RBFN neural network in avionics communication systems addresses the limitations of existing cybersecurity algorithms, providing a secure and certifiable data exchange solution.

FR3171099A1Pending Publication Date: 2026-07-10THALES SA

Patent Information

Authority / Receiving Office
FR · FR
Patent Type
Applications
Current Assignee / Owner
THALES SA
Filing Date
2025-01-08
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing cybersecurity systems, such as NIDS, NIPS, HIDS, and HIPS, rely on algorithms like k-NN, SVM, RF, and DT that are not suitable for certification and lack explainability and predictability, making them unsuitable for secure data exchange in certified security devices.

Method used

An electronic device and method using an artificial intelligence algorithm comprising a fuzzy logic decision tree and a radial basis function neural network (RBFN) for securing data exchanges, with functional rules that are auditable, explainable, and certifiable, implemented in an aircraft's avionics communication system.

Benefits of technology

The solution provides a secure and certifiable data exchange system by using AI algorithms that are auditable and explainable, enhancing the security and reliability of avionics communication systems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 00000000_0000_ABST
    Figure 00000000_0000_ABST
Patent Text Reader

Abstract

Electronic device and method for securing data exchange(s) via an artificial intelligence algorithm within a communication installation, aircraft and associated computer program. This electronic device (25) for securing data exchange(s) within an avionics communication installation (10) comprises: a module (42) for acquiring at least one data message; a module (44) for processing at least one message via the implementation of at least one function from among a message filtering function, a function for detecting malicious behavior and a function for reacting to malicious behavior; a rendering module (46) for performing at least one action associated with a result obtained via the at least one function.Each function comprises a set of functional rule(s) obtained through the implementation of an artificial intelligence algorithm including a fuzzy logic decision tree or a radial basis function neural network; each functional rule is configured to associate an output value with several discretized input values. See Figure 1 for the abbreviation.
Need to check novelty before this filing date? Find Prior Art

Description

Title of the invention: Electronic device and method for securing data exchange(s) via an artificial intelligence algorithm within a communication system, aircraft and associated computer program

[0001] The present invention relates to an electronic device for securing data exchange(s) within an electronic communication installation; as well as an aircraft comprising an electronic communication installation and such an electronic security device.

[0002] The invention also relates to a method of securing data exchange(s) within an electronic communication installation, implemented by such an electronic security device; as well as a computer program, comprising software instructions which, when executed by a computer, implement such a security method.

[0003] The invention relates to the field of cybersecurity, in particular in the avionics field.

[0004] This applies in particular to several types of security measures, namely filtering mechanisms; network intrusion detection and prevention mechanisms, also called NIDS (Network Intrusion Detection System) and NIPS (Network Intrusion Prevention System); and local intrusion detection and prevention mechanisms for a system, also called HIDS (Host-based Intrusion Detection System) and HIPS (Host-based Intrusion Prevention System).

[0005] An IDS (Intrusion Detection System) is an intrusion detection system. It can be based on a host (Host-Based - HIDS) or on network elements (Network - NIDS).

[0006] Regarding NIDS, this is software designed to monitor and analyze activity at the interfaces of a system. It compares observed activities with predefined models of normal behavior or known attack patterns and generates an alert characterizing the events encountered. If a reaction function is associated with this detection mechanism and allows for the containment of an attack (typically a filtering function), it is then referred to as NIPS.

[0007] Regarding HIDS, it is software designed to monitor and analyze the activity of a single computer or computer system. HIDS monitors events on the host computer, compares observed activities with predefined patterns of normal behavior or known attack patterns, and generates an alert. characterizing the events encountered. If a reaction function is associated with this detection mechanism and makes it possible to contain an attack, it is then called a HIPS.

[0008] The article "A comprehensive review of AI based intrusion detection System" by T. Sowmya and EA Mary Anita, published in 2023, compare existing work on artificial intelligence-based classification engines for intrusion detection mechanisms. These typically rely on the following algorithms or models: k-Nearest Neighbors (k-NN), Support Vector Machine (SVM), Naive Bayes (NB), Random Forest (RF), Decision Tree (DT), and Stochastic Gradient Descent (SGD).

[0009] These various algorithms or models are generally quite accurate and / or efficient, but are not well-suited for implementation in security systems requiring certification.

[0010] For security devices that are to be certified, it is known to use sets, or bases, of rule(s) written in the form of detection equation(s), and these equations are made manually by a cybersecurity designer.

[0011] The aim of the invention is therefore to propose an electronic device and a method for securing data exchange(s) within an electronic communication installation, which are more suitable for certification.

[0012] To this end, the invention relates to an electronic device for securing data exchange(s) within an avionics communication system installed on board an aircraft, the security device being configured to be installed on board the aircraft and comprising: - an acquisition module configured to acquire at least one data message within the communication installation; - a processing module configured to process at least one message acquired via the implementation of at least one function chosen from the group including: a message filtering function, a malicious behavior detection function, and a malicious behavior reaction function; - a feedback module configured to perform at least one action associated with a result obtained through the implementation of at least one function and chosen from the group including: displaying the result on a display device; recording the result for later analysis; issuing an alert related to the result; and generating a control instruction for a system based on the result;

[0013] each function comprising a set of functional rule(s) obtained via the implementation of an artificial intelligence algorithm chosen from among an artificial intelligence algorithm comprising a fuzzy logic decision tree and an artificial intelligence algorithm comprising a radial basis function neural network, known as a RBFN network; each functional rule being respectively a filtering rule for the filtering function, a detection rule for the detection function, and a reaction rule for the reaction function; each functional rule being an association rule configured to associate an output value with several discretized input values.

[0014] With the security device according to the invention, the artificial intelligence algorithm implemented to obtain the set of functional rule(s) is not based on a statistical approach, but on a basis of association rule(s) learned beforehand, and allows verification of the different parameters by an auditor and thus makes the set of functional rule(s) auditable and certifiable.

[0015] This artificial intelligence algorithm also makes it possible to make the set of functional rule(s) explainable and predictable.

[0016] On the contrary, the aforementioned deep learning techniques of the state of the art, such as SVM or RF, are based on black box artificial intelligence techniques which allow the desired detection to be carried out, but are not explainable, nor deterministic.

[0017] Furthermore, the aforementioned article by T. Sowmya and EA Mary Anita describes in section "3.1.2.2 Fuzzy C means clustering algorithm" an unsupervised approach that allows data points to be assigned to one or more clusters. The algorithm assigns membership degrees based on the distance between the cluster centers and the data points. The model aims to provide better classification accuracy and stability when tested and trained with the KDD 99 Cup dataset. The algorithm is a fuzzy clustering approach, assigning each data sample to a cluster based on a probability score. The principle of fuzzy clustering for intrusion detection is to identify and categorize different types of attacks.This article also does not aim to provide a set of explainable and predictable functional rule(s), where each functional rule is configured to associate an output value with several discretized input values.

[0018] The security device according to the invention is thus much more suitable than the NIDS, NIPS, HIDS and HIPS systems of the prior art for being subject to certification.

[0019] According to other advantageous aspects of the invention, the electronic security device comprises one or more of the following features, taken individually or in any technically possible combination:

[0020] - the fuzzy logic decision tree includes at least one inference system fuzzy, each fuzzy inference system being configured to receive as input at least one value of a quantity relative to the message and to deliver as output an evaluation value; for each fuzzy inference system, a correspondence between input(s) and output being established by a fuzzy transformation of the inputs, to select the functional rule configured to associate an output value corresponding to several discretized input values;

[0021] - the RBFN network includes an input layer of N input node(s), each input node receiving a value of a quantity relative to the message, a single intermediate layer of H neuron(s) and an output layer of S output node(s), each output node providing an evaluation value; N, H and S being integers greater than or equal to 1, each neuron of the intermediate layer being characterized by a radial activation function centered on a center ch and of radius rh, h being an integer between 1 and N;

[0022] - the artificial intelligence algorithm is trained via preliminary learning based on training data;

[0023] preliminary learning being preferably supervised learning;

[0024] - the preliminary learning of the fuzzy logic decision tree is carried out via the implementation of a genetic algorithm;

[0025] - the preliminary learning of the RBFN network is carried out via the implementation of a gradient descent; and

[0026] - the preliminary learning process further comprises, for each functional rule, an indication of the number of occurrences of implementation of said rule during preliminary learning.

[0027] The invention also relates to an aircraft comprising an electronic communication installation and an electronic device for securing the exchange(s) of data within said communication installation, the security device being as defined above.

[0028] The invention also relates to a method for securing data exchange(s) within an avionics communication system installed on board an aircraft, the security method being implemented by an electronic security device installed on board the aircraft and comprising the following steps: - acquire at least one data message within the communication installation; - process at least one message acquired via the implementation of at least one function chosen from the group including: a message filtering function, a malicious behavior detection function, and a malicious behavior reaction function; - perform at least one action associated with a result obtained through the implementation of at least one function and chosen from the group including: displaying the result on a display device; recording the result for later analysis; issuing an alert relating to the result; and generating a control instruction for a system based on the result;

[0029] each function comprising a set of functional rule(s) obtained via the implementation of an artificial intelligence algorithm chosen from among an artificial intelligence algorithm comprising a fuzzy logic decision tree and an artificial intelligence algorithm comprising a radial basis neural network, known as a RBFN network; each functional rule being respectively a filtering rule for the filtering function, a detection rule for the detection function, and a reaction rule for the reaction function; each functional rule being an association rule configured to associate an output value with several discretized input values.

[0030] The invention also relates to a computer program comprising software instructions which, when executed by a computer, implement a security method as defined above.

[0031] These features and advantages of the invention will become clearer upon reading the following description, given solely by way of non-limiting example, and made with reference to the accompanying drawings, in which:

[0032] [Fig-1] [Fig.1] is a schematic representation of an aircraft according to the invention comprising a communication installation compartmentalized into an avionics domain and an open domain external to the avionics domain; the communication installation comprising several avionics systems belonging to the avionics domain, one or more electronic devices belonging to the open domain, an electronic device for securing data exchange(s) within the installation, and an electronic communication gateway connected between the electronic device(s) and the avionics systems, the security device being configured to implement a set of functional rule(s) obtained through the implementation of an artificial intelligence algorithm; and

[0033] [Fig.2] [Fig.2] is a schematic representation of a supervisory system communication resulting from another example of implementation of the invention;

[0034] [Fig.3] [Fig.3] is a schematic view representing membership functions for two respective message parameters, according to a first embodiment of the invention in which the artificial intelligence algorithm includes a fuzzy logic decision tree;

[0035] [Fig.4] [Fig.4] is a schematic view representing a membership function for an evaluation value, according to the first embodiment; and

[0036] [Fig.5] [Fig.5] is a flowchart of a method, according to the invention, for securing the exchange(s) of data within the avionics communication installation of [Fig.1], the method being implemented by the security device.

[0037] The expressions "approximately equal to" and "of the order of" define a relationship of equality to plus or minus 20%, preferably to plus or minus 10%, and preferably still to plus or minus 5%.

[0038] In [Fig.1], an aircraft 5 includes a communication installation 10 compartmentalized into an avionics domain 15 and an open domain 18, external to the avionics domain 15.

[0039] The communication installation 10 includes several avionics systems 20 belonging to the avionics domain 15; as well as one or more electronic devices 22, external to the avionics domain 15 and belonging to the open domain 18.

[0040] The communication installation 10 also includes an electronic device 25 for securing data exchange(s).

[0041] In the example of [Fig.1], the communication installation 10 includes an electronic communication gateway 30 connected between the electronic device(s) 22 and the avionics systems 20. In the example of [Fig.1], the communication installation 10 includes several electronic devices 22, each belonging to the open domain 18. In this example of [Fig.1], the security device 25 is included in the electronic communication gateway 30.

[0042] In addition, the communication installation 10 further includes a communication server 35 communicating via a communication link 38 with at least one electronic device 40, external to the aircraft 5.

[0043] The avionics domain 15 is a domain corresponding to the highest level of safety on board the aircraft 5, in particular the highest required level of safety of the communication installation 10 of the aircraft 5.

[0044] The avionics domain 15 is then a domain to limit a risk of disruption - by at least one communication with an external electronic device or apparatus to the avionics domain 15 - of function(s) implemented by at least one avionics system 20 of the avionics domain 15. The avionics domain 15 includes the avionics system(s) 20.

[0045] Avionics domain 15 is typically the ACD (Aircraft Control Domain) according to ARINC 811 standard of December 20, 2005.

[0046] The open domain 18 is a domain which corresponds to a lower level of security than the level of security of the avionics domain 15. The open domain 18 includes the electronic device(s) 22.

[0047] Each avionics system 20 is on board the aircraft 5 and belongs to the avionics domain 15. Each avionics system 20 is known in itself, also called an avionics computer, and is configured to implement one or more respective avionics functions.

[0048] Each avionics system 20 is for example chosen from the group consisting of: a flight management system, also called FMS (Flight Management System); a guidance system, or FG (Flight Guidance); a flight control system, or FCS (Flight Control System); a GNSS (Global Navigation Satellite System) satellite positioning system, such as a GPS (Global Positioning System); an inertial reference system, also called 1RS (Inertial Reference System); an ILS (Instrument Landing System) or MLS (Microwave Landing System); an active runway overrun prevention system, also called ROPS (Runway Overrun Prevention System); and a radio altimeter, also denoted RA (Radio Altimeter).

[0049] Each electronic device 22 belonging to the open domain 18 does not implement a respective avionics function, and therefore generally does not require specific certification.

[0050] The electronic security device 25 is configured to secure data exchanges within the communication avionics installation 10, and includes an acquisition module 42, a processing module 44 and a rendering module 46.

[0051] The electronic security device 25 includes, for example, an information processing unit 50 typically formed of a memory 52 and a processor 54 associated with the memory 52.

[0052] According to this example, the acquisition module 42, the processing module 44, and the playback module 46 are each implemented as a software program, or a software component, executable by the processor 54. The memory 52 of the security device 25 is then capable of storing acquisition software, processing software, and playback software. The processor 54 of the security device 25 is then capable of executing each of the following software programs: acquisition software, processing software, and playback software.

[0053] In an alternative not shown, the acquisition module 42, the processing module 44 and the rendering module 46 are each made in the form of a programmable logic component, such as an FPGA (Field Programmable Gate Array), or an integrated circuit, such as an ASIC (Application Specified Integrated Circuit).

[0054] When the electronic security device 25 is implemented in the form of one or more software programs, i.e., in the form of a computer program, also called a computer program product, it is further capable of being stored on a computer-readable medium, not shown. The computer-readable medium is, for example, a medium capable of storing electronic instructions and being connected to a bus of a computer system. By way of example, the readable medium is an optical disc, a magneto-optical disc, a ROM, a RAM, any type of non-volatile memory (e.g., EPROM, EEPROM, FLASH, NVRAM), a magnetic card, or an optical card. A computer program comprising software instructions is then stored on the readable medium.

[0055] The electronic communication gateway 30, hereafter referred to as communication gateway 30 or gateway 30, is an interface between the open domain 18 and the avionics domain 15. A data message transmitted between the open domain 18 and the avionics domain 15, that is, from the open domain 18 to the avionics domain 15, or vice versa from the avionics domain 15 to the open domain 18, necessarily passes through the communication gateway 30.

[0056] The communication server 35 is configured to communicate via the communication link 38 with at least one external electronic device 40, said at least one external electronic device 40 being, for example, a ground station or a cloud computing device. The communication server 35 is preferably connected to the communication gateway 30. The communication server 35 typically belongs to the open domain 18.

[0057] The communication server 35 is known per se, and includes in particular a transceiver, not shown, compatible with the communication link 38. The communication link 38 is typically a radio link, that is to say a link by radio waves, such as a satellite link. The transceiver is then a radio transceiver.

[0058] The external electronic equipment 40 is typically connected to the computer infrastructure of an operational control center, also known as an OCC. The external electronic equipment 40 is then advantageously configured to transmit data, such as a plan flight data of aircraft 5 and information relating to aircraft 5, such as its mass, configuration, balance, or identifier.

[0059] The acquisition module 42 is configured to acquire at least one data message within the communication facility 10.

[0060] The acquisition module 42 is configured for example to acquire, from an electronic device 22 belonging to the open domain 18, at least one data message destined for a respective avionics system 20, belonging to the avionics domain 15. The electronic device 22, from which the message is acquired, is typically the communication server 35, if the message is sent from the external electronic equipment 40.

[0061] The acquisition module 42 is configured, for example, to acquire each message according to a respective avionics communication protocol.

[0062] The avionics communication protocol is for example chosen from the group consisting of: a protocol conforming to the ARINC 702 standard; a protocol conforming to the ARINC 739 standard; a protocol conforming to the ARINC 619 standard; a protocol conforming to the ARINC 429 standard; and a protocol conforming to the FANS (Future Air Navigation System) N standard associated with EUROCAE ED-100.

[0063] The messages are messages coming from outside the security device 25, such as messages exchanged between the avionics domain 15 and the open domain 18.

[0064] Alternatively, the messages are messages originating from any internal information source within a software application and / or hardware that is monitored by the security device 25. For example, the messages are messages originating from one or more software probes of the software application itself. Alternatively, the messages are error messages from an operating system (OS) of a computer system hosting the security device 25, said computer system then forming the information processing unit 50.

[0065] The processing module 44 is configured to process at least one message acquired via the implementation of a message filtering function F and / or a malicious behavior detection function D and / or a malicious behavior reaction function R, the filtering functions F, detection function D and reaction function R being illustrated in [Fig.2], described in more detail below.

[0066] According to the invention, each filtering function F, detection function D, and / or reaction function R comprises a set of functional rule(s) obtained through the implementation of an artificial intelligence algorithm. Each functional rule is respectively a filtering rule for the filtering function F, a detection rule for the detection function D, and a reaction rule for the reaction function R. Each functional rule is an association rule configured to associate a value of an output variable, also called an output value, with several discretized values ​​of input variables, also called input values.

[0067] The artificial intelligence algorithm is pre-trained via preliminary learning from training data. The preliminary learning is advantageously supervised learning.

[0068] As an optional addition, the preliminary learning includes, for each functional rule, an indication of the number of occurrence(s) of implementation of said rule during the preliminary learning.

[0069] A person skilled in the art will understand that each set of functional rule(s) is obtained via an inference by the artificial intelligence algorithm, the inference typically being performed dynamically during the implementation of the security device 25, and that prior to this inference, the artificial intelligence algorithm was trained during preliminary learning using the training data. The training of the artificial intelligence algorithm is preferably performed solely in a static manner.

[0070] The output module 46 is configured to perform at least one action associated with a result, obtained via the implementation of at least one filtering function F, detection function D and / or reaction function R, the action being chosen from among the display of the result on a display device, not shown; the recording of the result for later analysis, the result being for example recorded in memory 52; the issuing of an alert relating to the result; and the generation of a control instruction for a system, such as a respective avionics system 20, and this depending on the result.

[0071] The input variables taken into account to obtain the set of functional rule(s) are, for example, variables corresponding to information from the hardware, and / or variables corresponding to information from the operating system and / or the application software, and / or variables corresponding to information from a communication network within the avionics installation 10.

[0072] The information derived from the hardware and capable of forming input variables is typically the following:

[0073] - memory errors: parity errors or ECC (Error-Correcting) errors Codes on RAM may indicate hardware problems or attempts to corrupt memory;

[0074] - Disk failures: frequent read / write errors, sectors increasing defectiveness, or SMART (Self-Monitoring, Analysis and Reporting Technology) messages indicating an imminent hard drive failure;

[0075] - Temperature problems: abnormally high temperatures of Components such as the CPU, GPU, or hard drives can signal an overload, a cooling system failure, or an attack resulting in excessive power consumption at the hardware level;

[0076] - voltage variations: fluctuations or anomalies in voltages power supply issues may indicate an electrical problem or malicious hardware manipulation;

[0077] - controller errors: anomalies in controllers, such as controllers of disk or network controllers, can report hardware failures or attacks aimed at disabling these components;

[0078] - Device failures: devices that disconnect or malfunction Intermittent failures, such as with network cards, graphics cards, or even USB devices, can be a sign of hardware problems or compromise;

[0079] - hardware diagnostic alerts: the integrated hardware diagnostic tools which Reporting frequent or unusual errors may also indicate material anomalies;

[0080] - Abnormal BIOS / EFI events: Unauthorized or repeated modifications BIOS / EFI settings, or failures in the integrity or authenticity check (secure boot) at startup may indicate firmware-level attack attempts;

[0081] - performance anomalies: abnormally slow operation or an Excessive use of hardware resources without a clear reason can also signal a hardware problem or resource-consuming malware;

[0082] - Network performance problems: anomalies in hardware components network devices (such as switches, hubs, internal routers) may indicate attempts to intercept or manipulate network traffic;

[0083] - Physical intrusions: detection of openings or forced modifications to the chassis or shielded components may indicate attempts at physical intrusion;

[0084] - CPU hardware logs: monitoring of CPU error messages, including Violations of privileges or illegal instructions may indicate suspicious activity;

[0085] - attacks on TPM (Trusted Platform Module) modules: activity abnormal or errors originating from the TPM module, which may indicate attempts to bypass hardware security measures;

[0086] - abnormal interruptions of an internal bus: unexpected disturbances or interruptions on internal communication buses, such as PCIe or SATA, can signal attempts at electronic intrusion.

[0087] Information from the operating system and / or application software that can form input variables is typically the following:

[0088] - Unauthorized modifications to system files: any unexpected modification of Critical system files (such as system files, kernel executables, configuration files, etc.) may indicate a compromise;

[0089] - Repeated authentication failures: a series of successive authentication failures may signal an attempt to brute-force access to the system;

[0090] - abnormal use of system resources: excessive and unusual use of System resources such as CPU, RAM, or disk I / O may indicate malware or an unwanted process;

[0091] - Suspicious process: execution of unexpected processes, or hidden processes which are not typically present on the system may signal an intrusion;

[0092] - modifications to safety rules: unauthorized changes in the firewall configurations, SELinux / AppArmor rules, or other security policies;

[0093] - unexpected creation or deletion of users: the creation or deletion Unexpected changes to user accounts, or modifications to user privileges, may indicate an attempt to take control of the system;

[0094] - abnormal network connections: unusual outgoing or incoming connections, especially when coming from or going to non-standard ports or unexpected geographical locations;

[0095] - System service errors: repeated failures or services restarting frequently can indicate attempts to exploit service vulnerabilities;

[0096] - Modifications in system logs: modification or deletion of system logs to try to cover up malicious actions;

[0097] - Execution of Unauthorized Scripts / Programs / Processes: software executed in Unauthorized background activity may indicate the presence of malware or remote control scripts;

[0098] - Code injection: attempts to inject code into legitimate processes using techniques such as DLL Injection or Code Cavitation;

[0099] - Scheduled Task activities: monitoring of tasks planned to detect suspicious additions or abnormal behavior;

[0100] - Anomalies in access rights: Unexpected changes to permissions critical files and folders;

[0101] - Abnormal file system behavior: changes in the file systems such as excessive read / write activity, file corruption, or files appearing out of nowhere;

[0102] - Abnormal boot sequences: changes in the boot sequence or modifications to boot configurations (such as EFI or MBR boot partitions); and

[0103] - anomalies in user sessions: user sessions opened during hours of inactivity, rapid session changes, or unexpected simultaneous connections from different IP addresses.

[0104] The information from the communication network that can form input variables is typically the following:

[0105] - frame frequency: monitor for abnormally high or low frame frequency transmission of frames over the network; a higher than usual frequency may indicate malicious behavior, such as a denial-of-service (DDoS) attack or a data exfiltration attempt; an abnormally low frequency may signal network or hardware performance problems;

[0106] - Stream syntax: check if the packets comply with the protocols and formats of expected data; anomalies in packet syntax may indicate the presence of malicious packets or an attempt to exploit protocol vulnerabilities;

[0107] - time between two frames: detect abnormal variations in time between the successive frames; abnormally short interval times could indicate an attempt to overload the network, while longer intervals could signal latency problems or packet-dropping attacks;

[0108] - frame size: monitor anomalies in the size of transmitted frames; Abnormally large or small frames may be a sign of malicious fragmentation attempts, tunneling techniques, or bypassing detection systems;

[0109] - Frame semantics: analyzing the content of frames to detect anomalies in the transmitted data; for example, requests or responses that do not correspond to the expected context may indicate command injection or data manipulation attacks;

[0110] - Frame order: monitor the order of transmitted frames; a sequence of frames that does not correspond to the expected order (indicating retransmissions or rearranged packets) may signal a "man-in-the-middle" attack, where the attacker intercepts and modifies frames during their transmission.

[0111] The sanctions, or reactions, that may be implemented in the event of detection of malicious behavior are typically the following:

[0112] - access blocking: block incoming or outgoing connections from suspicious addresses or malicious, thus preventing the attacker from accessing the host;

[0113] - Process interruption: If a malicious or suspicious process is detected, the stop immediately in order to resume the activity in a state of confidence;

[0114] - Firewall rule modification: dynamically adjust firewall rules to block specific ports or protocols associated with a threat;

[0115] - Host isolation: Isolate a compromised host from the network to prevent propagation attacking other systems;

[0116] - Reduction of access privileges: if an anomaly is detected, reduce temporarily restrict the access privileges of a user or process, thereby preventing potentially harmful actions; and

[0117] - Logging and alerting: record all events and send alerts to administrators, allowing for a quick response.

[0118] Those skilled in the art will understand that the input variables indicated above can be used for the filtering function F, the detection function D, or the reaction function R. The input variables can then each be used as respective inputs of a fuzzy inference system, with optionally also as input the output of another fuzzy inference system when several fuzzy inference systems are cascaded within a corresponding fuzzy logic decision tree (as described in more detail later), and the output variable of each fuzzy inference system is likely to contribute to the filtering function F and / or the detection function D and / or the reaction function R.

[0119] By way of example, reaching a predefined threshold by the output variable of a respective fuzzy inference system can be used to reject a frame, or to block access, this corresponding to the filtering function F.

[0120] As a further example, reaching the predefined threshold by the output variable of a respective fuzzy inference system can be used to start the recording of a log (from the English word log), corresponding then to the detection function D.

[0121] As a further additional example, reaching the predefined threshold by the output variable of a respective fuzzy inference system can be used to restart a software and / or hardware partition, corresponding to the reaction function R.

[0122] A person skilled in the art will also observe that the reaction function R generates more background processing (stopping a process, restarting a partition), the filtering function F targets more the element that transmits the attack (the attacking frame for example), and the detection function D is useful in particular for aspects of intelligent recording.

[0123] It should also be noted that output variables of the detection function D can form input variables of the reaction function R; that the variables output variables of the filtering function F can form input variables of the detection function D and / or the reaction function R; and / or that the output variables of the detection function D and / or the reaction function R can form input variables of the filtering function F.

[0124] In [Fig. 2], the invention is implemented within a 60 supervisory system communication(s) or data exchange(s) comprising first interfaces 62, also called untrusted interfaces, connected to one or more first devices 64; and second interfaces 66, also called trusted interfaces, connected to one or more second devices 68.

[0125] The supervision system 60 includes a first manager 70 configured to manage the first interfaces 62, i.e. of non-trust, and in particular to recover potentially malicious data, and a second manager 72 configured to manage the second interfaces 66, i.e. of trust, and in particular to transfer sanitized data to a trusted domain, such as the avionics domain 15.

[0126] To this end, the monitoring system 60 includes the filtering function F, interconnected between the first manager 70 and the second manager 72, in order to filter the potentially malicious data retrieved by the first manager 70 and provide the filtered, i.e., sanitized data, to the second manager 72 for transmission to the trusted domain. The filtering function F thus corresponds to a NIPS-type functionality. In the example in [Fig. 2], the filtering function F is associated with a rule generation engine (MGR) to generate the filtering rule(s) associated with the filtering function F, which are obtained according to the invention through the implementation of the artificial intelligence algorithm.

[0127] In addition, the supervision system 60 includes the detection function D, configured in particular to detect intrusions or attempted intrusions and / or the reaction function R, configured in particular to react to one or more intrusions or attempted intrusions detected by the detection function D.

[0128] The detection function D is based on the elements observed by the other functions of the monitoring system 60, and is configured to implement the detection rule(s) to determine if one or more malicious events occur within the monitoring system 60. In the example of [Fig.2], the detection function D is associated with the rule generation engine MGR to generate the detection rule(s) associated with the detection function D, the latter being obtained according to the invention via the implementation of the artificial intelligence algorithm.

[0129] The reaction function R is configured to implement the reaction rule(s), to apply one or more sanctions relating to a behavior observed by the detection function D. In the example of [Fig.2], the reaction function R is associated with the rule generation engine MGR to generate the reaction rule(s) associated with the reaction function R, the latter being obtained according to the invention via the implementation of the artificial intelligence algorithm.

[0130] The detection functions D and reaction R then typically correspond to a HIPS type functionality and / or a NIDS type functionality.

[0131] In the example of [Fig. 2], to train the artificial intelligence algorithm implemented by the rule generation engine MGR, an intelligent router, or a simulation of this intelligent router, and one or more real devices, or their simulation, are connected to the supervisory system 60 as the first devices 64. The intelligent router, or its simulation, is then implemented according to various successive scenarios, namely nominal scenarios, as well as attack scenarios designed to cover all desired use cases; indicating, for each scenario, the expected behavior to the artificial intelligence algorithm. During this training, the intelligent router communicates with each rule generation engine R via a respective link 75, also called a training link.

[0132] The artificial intelligence algorithm is, for example, in ONNX format (Open Neural Network Exchange), which allows the MGR rule generation engine to also be in ONNX format. ONNX is an open standard designed to represent machine learning models. It enables interoperability between different deep learning tools, frameworks, and platforms. Alternatively, the artificial intelligence algorithm is in a proprietary format.

[0133] According to a first embodiment of the invention, the artificial intelligence algorithm implemented to obtain the set of functional rule(s) comprises a fuzzy logic decision tree, also known as a GFT (Genetic Fuzzy Tree). The fuzzy logic decision tree has the advantage of making the set of functional rule(s) explainable and predictable.

[0134] The fuzzy logic decision tree includes at least one fuzzy inference system, and each fuzzy inference system is configured to receive as input at least one value of a quantity related to the message and to output an evaluation value. For each fuzzy inference system, a mapping between input(s) and output is established by a fuzzy transformation of the inputs, to select the functional rule, also called the GFT rule, configured to associate an output value corresponding to several discretized input values.

[0135] The preliminary learning of the fuzzy logic decision tree is carried out via the implementation of a genetic algorithm.

[0136] Each fuzzy inference system is characterized by three successive phases:

[0137] - a first phase, called the fuzzy value conversion or fuzzy generation phase, or even fuzzification (from the English / unification) corresponding to the process of converting precise values ​​into fuzzy values, by associating them with fuzzy sets using membership functions;

[0138] - a second phase, called the inference phase, or implementation of the inference engine, in which one or more rules are applied to features, or adjectives, representing the inputs (fuzzy operators) to create new features, or new adjectives, images of said rules; and

[0139] - a third phase, known as conversion to precise values, or fuzzy resolution, or even defuzzification (from the English efuzzificatiori) in which a fuzzy decision, typically with a value between 0% and 100%, is deduced from the values ​​of the new adjectives inferred by the rules.

[0140] An example of obtaining a fuzzy rule will now be described for a use case associated with a computer firewall (from the English word firewall).

[0141] The purpose of the fuzzy rule is to estimate a DDoS attack level, as an evaluation value, i.e., as an output variable of the fuzzy rule, from two quantities, or parameters, relating to the data message, which form the input variables of the fuzzy rule. For this example, the quantities relating to the message are a data frame sending frequency and a size of the data frame sent.

[0142] Optionally, a normalization preprocessing is performed on the input data, in order to normalize them, for example between 0 and 1. The size normalization preprocessing then typically consists of dividing a current frame size by a predefined maximum size, such as 8192 bytes, to obtain a normalized size between 0 and 1. Similarly, the frequency normalization preprocessing typically consists of dividing a current frequency by a predefined maximum frequency, such as 1 kHz, to obtain a normalized frequency between 0 and 1.

[0143] In the above example, for the first phase, the inputs are for example of the form {Frequency, Size] = {0,2 ; 0,5}.

[0144] The fuzzy inference system will measure the membership of each of these two variables, in the input adjectives: Frequency: {LOW, MEDIUM, HIGH}; and Size: {LOW, MEDIUM, HIGH}.

[0145] The belonging functions of these adjectives are, for example, triangular functions qualified by their centers, and each extending from the preceding center to the next center. This allows us to have, according to a stochastic process, the sum of all membership functions equal to 1 for a given fixed value on the abscissa.

[0146] The membership functions of this example are then represented in [Fig. 3], where view PI, with first parameter PI, corresponds to Frequency, and view P2, with second parameter P2, corresponds to Size. In this example, the centers of the membership functions for Frequency are {0; 0.5; 1], and those of the membership functions for Size are {0; 0.7; 1}. In [Fig. 3], the adjective LOW corresponds to the letter L, the adjective MEDIUM corresponds to the letter M, and the adjective HIGH corresponds to the letter H.

[0147] The first fuzzy generation phase then allows the input variable(s) to be qualified according to several adjectives.

[0148] In the example, the associated function F is as follows: F: real triplet in [0;1]3, with:

[0149] F: (Frequency: 0.2) {LOW: 60%, MEDIUM: 40%, HIGH: 0%}

[0150] F: (Size: 0.5) {LOW: 25%, MEDIUM: 75%, HIGH: 0%}

[0151] During the second inference phase, the rules allow the adjectives used to qualify the output variable to be inferred from the adjectives associated with the input variables. The inference engine then takes as input the output of the first fuzzy generation phase, that is, the qualification of the initial input variables.

[0152] In the example, the input to the inference engine is then: Frequency {LOW: 60%, MEDIUM: 40%, HIGH: 0%} and Size {LOW: 25%, MEDIUM: 75%, HIGH: 0%}.

[0153] Since there are three adjectives qualifying each of the two input variables, this gives in this example nine different combinations, or nine rules.

[0154] The inference engine is configured from said rules.

[0155] In the example, these nine unit rules are assumed to be, for example, the following: 1. IF {Frequency} LOW & {Size} LOW, THEN {DDoS LEVEL} VERY_VERY_LOW 2. IF {Frequency} LOW & {Size} MEDIUM, THEN {DDoS LEVEL} VERY_LOW 3. IF {Frequency} HIGH & {Size} LOW, THEN {DDoS LEVEL} LOW 4. IF {Frequency} LOW & {Size} HIGH, THEN {DDoS LEVEL} VERY_VERY_MEDIUM 5. IF {Frequency} MEDIUM & {Size} LOW, THEN {DDoS LEVEL} VERY_MEDIUM 6. IF {Frequency} MEDIUM & {Size} MEDIUM, THEN {DDoS LEVEL} MEDIUM 7. IF {Frequency} MEDIUM & {Size} HIGH, THEN {DDoS LEVEL} HIGH 8. IF {Frequency} HIGH & {Size} MEDIUM, THEN {DDoS LEVEL} VERY HIGH 9. IF {Frequency} HIGH & {Size} HIGH, THEN {DDoS LEVEL} VERY_VERY_HIGH

[0156] In this example, only the logical AND operator (from the English AND), symbolized by the sign &, is used for simplification reasons, and is interpreted as the product operator.

[0157] The nine preceding rules can then be mathematically translated into the form next: 1. VERY VERY LOW DDoS LEVEL = LOW Frequency * Size_SMALL 2. VERY LOW DDoS LEVEL = LOW Frequency * MEDIUM Size 3. LOW_DDoS_LEVEL = HIGH_Frequency * LOW_Size 4. VERY VERY MEDIUM DDoS LEVEL = LOW Frequency* Size_PLUS 5. VERY MEDIUM DBS LEVEL = MEDIUM Frequency * Size_SMALL 6. AVERAGE DDoS_LEVEL = AVERAGE_Frequency * AVERAGE_Size 7. STRONG_DOS_LEVEL = MEDIUM_Frequency * STRONG_Size 8. VERY SEVERE BACK_PAIN LEVEL = STRONG_Frequency * MEDIUM_Size 9. VERY STRONG_DOS_LEVEL = STRONG_Frequency * Size_PLUS

[0158] Following the inference phase, we then obtain the adjectives induced by the rules, as well as the membership of the output variable in these.

[0159] In the example, for the output variable DDoS_LEVEL, we then obtain:

[0160] DDoS_LEVEL = {

[0161] VERY_TRES_FAIBLE: 0.6*0.25 = 0.15

[0162] VERY_LOW: 0.6*0.75 = 0.45

[0163] LOW: 0.0*0.25 = 0

[0164] VERY_VERY_MEDIUM: 0.6*0.0 = 0

[0165] VERY_AVERAGE: 0.4*0.25 = 0.1

[0166] AVERAGE: 0.4 * 0.75 = 0.3

[0167] STRONG: 0.4*0.0 = 0

[0168] VERY_STRONG: 0.0*0.75 = 0

[0169] VERY_TRES_STRONG: 0.0*0.0 = 0

[0170] }

[0171] During the third fuzzy resolution phase, the inputs in this way consist of the output variable belonging to the adjectives induced by the rules of the inference engine. In the example, the adjectives are as follows: VERY_VERY_WEAK, VERY_WEAK, WEAK, VERY_VERY_MEDIUM, VERY_MEDIUM, MEDIUM, STRONG, VERY_STRONG, VERY_VERY_STRONG, and they qualify the output variable DDoS_LEVEL.

[0172] The belonging functions of these adjectives are, for example, triangular functions qualified by their centers, and each extending from the previous center to the next center.

[0173] The membership functions of this example are then represented in [Fig. 4], where view 80 shows the nine membership functions for each of the nine aforementioned adjectives, corresponding to nine successive levels, referenced NI to N9 in [Fig. 4]. A first level NI corresponds to the adjective VERY_VERY_WEAK, then a second level N2 to VERY_WEAK, a third level N3 to WEAK, a fourth level N4 to VERY_VERY_MEDIUM, a fifth level N5 to VERY_MEDIUM, a sixth level N6 to MEDIUM, and a seventh level N7 to STRONG. In the example in [Fig. 4], the centers of the nine membership functions are as follows: {0; 0.1; 0.2; 0.3; 0.5; 0.6; 0.7; 0.8; 1}.

[0174] To calculate the final output value of the fuzzy inference system, the center of gravity method is used, for example, according to the following equations:

[0175] Y,r{glJweight^ifAreaparte^ Output = ----—t------------r--- Lrfyies\Areaaffiliationrigie)

[0176] O*0'1-5)+(0.l*0.45)R0.2^M0.3 W0.5^,W 0.045+ 0.05+ 0.18 ~ 0.15+0.45+0+0+0.1+0.3+0+0+0 ~ 1 *0.275*27.5%

[0177] The third fuzzy resolution phase then amounts to deducing the value of the output variable based on its characterization in the form of adjectives, and their underlying membership function, and it then involves a deterministic decision within a fuzzy description.

[0178] In the example, the value obtained for the DDoS attack level corresponding to the output variable DDoS_LEVEL is then estimated to be 27.5%, and this estimated value is then used by the rendering module 46 to perform an action, such as launching a security response.

[0179] A person skilled in the art will observe that learning the fuzzy inference system then amounts to teaching the centers of the membership functions for the first fuzzy generation phase to characterize the inputs by the adjectives, to teach the centers of the membership functions for the third fuzzy resolution phase to estimate an output value from the adjectives induced by the rules, and to teach the best rules for the inference engine.

[0180] In other words, in the preceding example, the elements learned during training are shown below in underlined form, and are therefore the centers of the membership functions, i.e. for frequency: 10 0 5 ; 1}, for size: {0 : 0.7 : JJ and for DDoS level: 10:0.1 :0.2:0.3 : 0.5 : 0.6 : 0.7 : 0.8 ; 1), as well as the following rule base: 1. IF {Frequency} LOW & {Size} LOW. THEN {DDoS LEVEL} VERY VERY LOW 2. IF {Frequency} LOW & {Size} MEDIUM. THEN {DDoS LEVEL} VERY LOW 3. IF {Frequency} HIGH & {Size} LOW. THEN {DDoS LEVEL} LOW 4. IF {Frequency} LOW & {Size} HIGH. THEN {DDoS LEVEL} VERY VERY MEDIUM 5. IF {Frequency} MEDIUM & {Size} LOW. THEN {DDoS LEVEL} VERY MEDIUM 6. IF {Frequency} MEDIUM & {Size} MEDIUM. THEN {DDoS LEVEL} MEDIUM 7. IF {Frequency} MEDIUM & {Size} HIGH. THEN {DDoS LEVEL} HIGH 8. IF {Frequency} HIGH & {Size} MEDIUM. THEN {DDoS LEVEL} VERY HIGH 9. IF {Frequency} HIGH & {Size} HIGH. THEN {DDoS LEVEL} VERY VERY HIGH

[0181] These learned elements, such as the centers of the membership functions and the rule base, are then typically recorded in a database associated with the rule generation engine, to be subsequently executed during the inference of the artificial intelligence algorithm.

[0182] The preceding example is relatively simple, and those skilled in the art will understand that the invention makes it possible to create fuzzy decision trees by chaining several fuzzy inference systems in a nested manner, in order to create a more complex intelligence. The fuzzy inference systems are particularly likely to be interconnected by layers of depth, to increase the level of intelligence of the artificial intelligence algorithm, notably with one or more intermediate variables between two successive fuzzy inference systems.

[0183] According to a second embodiment of the invention, the artificial intelligence algorithm implemented to obtain the set of functional rule(s) comprises a radial based function network (RBFN), hereafter referred to as an RBFN. The RBFN also has the advantage of making the set of functional rule(s) explainable and predictable, or at least of simulating the behavior of a fuzzy logic decision tree.

[0184] The RBFN network includes an input layer of N input node(s), each input node receiving a value of a quantity relative to the message, a single intermediate layer of H neuron(s) and an output layer of S output node(s), each output node providing an evaluation value; N, H and S being integers greater than or equal to 1. Each neuron of the intermediate layer is characterized by a radial activation function centered on a center ch and of radius rh, h being an integer between 1 and N.

[0185] The preliminary learning of the RBFN network is carried out via the implementation of a gradient descent.

[0186] For the implementation of the invention according to the second embodiment, the RBFN network is for example transformed into a fuzzy inference system via a transformation method as described in application FR 24 12499 filed on November 15, 2024.

[0187] The method described in this application makes it possible in particular to design an RBFN network while respecting some modern architectural constraints, and then to transform the RBFN network into a fuzzy variant of the RBFN, also called FRBFN (from the English Fuzzy Radial Basis Function Network), in order to be functionally equivalent to a fuzzy logic decision tree, which itself is convertible to a polynomial function.

[0188] This transformation of the RBFN network into an FRBFN network involves a rule identification corresponding to the second phase mentioned above during the generation of a fuzzy inference system, this rule identification resulting from the connection pruning of a layer of the RBFN network.

[0189] A person skilled in the art will also observe that the equivalence of the GFT rule base results from the presence or absence of a link between radially based neurons.

[0190] The operation of the electronic security device 25 will now be explained, in particular with the help of [Fig.5] representing a flowchart of the process, according to the invention, of securing the exchange(s) of data within the avionics communication installation 10 on board the aircraft 5.

[0191] During an initial step 100, the electronic security device 25 acquires, via its acquisition module 42, one or more data messages within the communication installation 10.

[0192] At the end of the acquisition step 100, the electronic security device 25 processes, via its processing module 44 and during a subsequent processing step 110, at least one message acquired during the acquisition step 100.

[0193] The processing module 44 processes each acquired message via the implementation of the filtering function F and / or the detection function D and / or the reaction function R. The type of function implemented for the processing of each acquired message depends in particular on a desired type of protection to be implemented, for example among NIPS, HIPS and NIDS.

[0194] In the example of [Fig.2], the processing module 44 implements, for example, the filtering function F for NIPS protection, and / or the detection function D and the reaction function R for HIPS or NIDS protection.

[0195] According to the invention, during processing step 110, each implemented function F, D, R comprises a respective set of functional rule(s), which is obtained through inference by the artificial intelligence algorithm. In the first embodiment, the artificial intelligence algorithm comprises a fuzzy logic decision tree. In the second embodiment, the artificial intelligence algorithm comprises a radial basis neural network, also known as a RBFN network.

[0196] At the end of the processing step 110, the electronic security device 25 performs, via its restitution module 46 and during a subsequent restitution step 120, at least one action associated with the result obtained via the implementation of the filtering function F and / or the detection function D and / or the reaction function R.

[0197] The action performed is, for example, the display of the result on the display device, or the recording of the result for later analysis, or the issuing of an alert relating to the result, or the generation, based on the result, of a control instruction for a respective system, such as a respective avionics system 20.

[0198] At the end of the restitution step 120, the electronic security device 25 typically returns to the acquisition step 100 to acquire one or more new data messages within the communication installation 10.

[0199] Thus, with the electronic security device 25 according to the invention, the artificial intelligence algorithm makes it possible to generate more efficiently the respective set of functional rule(s) to be implemented to perform each respective processing function among the message filtering function F, the malicious behavior detection function D, and the reaction function R malicious behavior, while allowing each set of functional rule(s) to be explainable and predictable. This then makes each set of rule(s) functional, auditable, and certifiable in an avionics context.

[0200] It is thus understood that the electronic security device 25 and the security method according to the invention are more suitable than the devices and methods of security of the prior art for being subject to avionics certification.

Claims

1. Demands Electronic device (25) for securing data exchange(s) within an avionics communication system (10) installed on board an aircraft (5), the security device (25) being configured to be installed on board the aircraft (5) and comprising: - an acquisition module (42) configured to acquire at least one data message within the communication installation (10); - a processing module (44) configured to process at least one message acquired via the implementation of at least one function chosen from the group comprising: a function (F) for filtering the message, a function (D) for detecting malicious behavior, and a function (R) for reacting to malicious behavior; - a feedback module (46) configured to perform at least one action associated with a result obtained through the implementation of at least one function (F, D, R) and chosen from the group including: displaying the result on a display device; recording the result for later analysis; issuing an alert relating to the result; and generating a control instruction for a system (20) based on the result; characterized in that each function (F, D, R) comprises a set of functional rule(s) obtained via the implementation of an artificial intelligence algorithm chosen from among an artificial intelligence algorithm comprising a fuzzy logic decision tree and an artificial intelligence algorithm comprising a radial basis function neural network, known as a RBFN network; each functional rule being respectively a filtering rule for the filtering function (F), a detection rule for the detection function (D), and a reaction rule for the reaction function (R); each functional rule being an association rule configured to associate an output value with several discretized input values.

2. Device (25) according to claim 1, wherein the fuzzy logic decision tree includes at least one fuzzy inference system, each fuzzy inference system being configured to receive as input at least one value of a quantity related to the message and to deliver as output an evaluation value; for each fuzzy inference system, an input-output correspondence being established by a fuzzy transformation of the inputs, to select the functional rule configured to associate an output value corresponding to several discretized input values.

3. Device (25) according to claim 1, wherein the RBFN network includes an input layer of N input node(s), each input node receiving a value of a quantity relative to the message, a single intermediate layer of H neuron(s) and an output layer of S output node(s), each output node providing an evaluation value; N, H and S being integers greater than or equal to 1, each neuron of the intermediate layer being characterized by a radial activation function centered on a center ch and of radius rh, h being an integer between 1 and N.

4. Device (25) according to any one of the preceding claims, wherein the artificial intelligence algorithm is trained via preliminary learning from training data; the preliminary learning preferably being supervised learning.

5. Device (25) according to claim 4, wherein the preliminary learning of the fuzzy logic decision tree is carried out via the implementation of a genetic algorithm.

6. Device (25) according to claim 4, wherein the preliminary learning of the RBFN network is carried out via the implementation of a gradient descent.

7. Device (25) according to any one of claims 4 to 6, wherein the preliminary learning further comprises, for each functional rule, an indication of the number of occurrence(s) of implementation of said rule during the preliminary learning.

8. Aircraft (5) comprising a communications avionics installation (10) and an electronic device (25) for securing data exchange(s) within said installation

9.

10. communication (10), the security device (25) being according to any one of the preceding claims. Method for securing data exchange(s) within an avionics communication system (10) installed on board an aircraft, the security method being implemented by an electronic security device (25) installed on board the aircraft (5) and comprising the following steps: - acquire (100) at least one data message within the communication facility (10); - process (110) at least one message acquired via the implementation of at least one function chosen from the group comprising: a function (F) for filtering the message, a function (D) for detecting malicious behavior, and a function (R) for reacting to malicious behavior; - perform (120) at least one action associated with a result obtained through the implementation of at least one function (F, D, R) and chosen from the group including: displaying the result on a display device; recording the result for later analysis; issuing an alert relating to the result; and generating a control instruction for a system (20) based on the result; characterized in that each function (F, D, R) comprises a set of functional rule(s) obtained via the implementation of an artificial intelligence algorithm chosen from among an artificial intelligence algorithm comprising a fuzzy logic decision tree and an artificial intelligence algorithm comprising a radial basis neural network, known as a RBFN network; each functional rule being respectively a filtering rule for the filtering function (F), a detection rule for the detection function (D), and a reaction rule for the reaction function (R); each functional rule being an association rule configured to associate an output value with several discretized input values. Computer program, comprising software instructions which, when executed by a computer, implement a process according to the preceding claim.