Avionics intrusion detection system and method of determining intrusion of an avionics component or system
US-2016057160-A1 · Feb 25, 2016 · US
US9774628B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9774628-B2 |
| Application number | US-201514829889-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 19, 2015 |
| Priority date | Aug 19, 2015 |
| Publication date | Sep 26, 2017 |
| Grant date | Sep 26, 2017 |
Official abstract text for this publication.
An aircraft includes an aircraft network having nodes and links and a sandbox network in communication with the aircraft network. The sandbox network simulates the aircraft network and includes sandbox nodes corresponding to the nodes of the aircraft network, a first set of sandbox links corresponding to the links of the aircraft network, and a second set of sandbox links providing communication between sandbox nodes not in communication via the first set of sandbox links. Computer executable instructions, when executed, perform the steps of: generating network traffic over the sandbox network such that the sandbox network models a behavior of the aircraft network; identifying a suspicious activity on the aircraft network; routing the suspicious activity from the aircraft network to the sandbox network; and analyzing the suspicious activity as the suspicious activity traverses through the sandbox network.
Opening claim text (preview).
What is claimed is:
1. A method for analyzing a suspicious activity on an aircraft network, comprising the steps of: creating a sandbox network in communication with the aircraft network, the sandbox network simulating the aircraft network and comprising a plurality of sandbox nodes corresponding to a plurality of nodes of the aircraft network, a first set of sandbox links corresponding to a plurality of links of the aircraft network that provide communication between a subset of the plurality of nodes of the aircraft network, and a second set of sandbox links providing communication between sandbox nodes not in communication via the first set of sandbox links; generating network traffic over the sandbox network such that the sandbox network models a behavior of the aircraft network; routing the suspicious activity from the aircraft network to the sandbox network, wherein the suspicious activity originates from a node on the aircraft network or a user interface to an avionics system; and analyzing the suspicious activity as the suspicious activity traverses through the sandbox network, wherein analyzing the suspicious activity comprises collecting forensic data about the suspicious activity.
2. The method of claim 1, wherein at least a portion of the plurality of nodes comprise line replaceable units.
3. The method of claim 1, wherein routing the suspicious activity is transparent to source of the suspicious activity.
4. The method of claim 1, wherein the forensic data comprises at least one of communications traffic, attack chains, tendencies, and geographical location of the source of the suspicious activity.
5. The method of claim 1, further comprising the step of creating, adapting, or updating a cyber-security procedure based on the collected forensic data.
6. A method for analyzing a suspicious activity on an aircraft network, comprising the steps of: identifying the suspicious activity originating from a node on the aircraft network or a user interface to an avionics system; routing the suspicious activity from the aircraft network to a sandbox network; and analyzing the suspicious activity as the suspicious activity traverses through the sandbox network; wherein the sandbox network simulates the aircraft network and includes a plurality of sandbox nodes corresponding to a plurality of nodes of the aircraft network, a first set of sandbox links corresponding to a plurality of links of the aircraft network between a subset of the plurality of nodes, and a second set of sandbox links providing communication between sandbox nodes not in communication via the first set of sandbox links; and analyzing the suspicious activity comprises collecting forensic data about the suspicious activity.
7. The method of claim 6, wherein at least a portion of the plurality of nodes of the aircraft network comprise line replaceable units.
8. The method of claim 6, wherein routing the suspicious activity is transparent to source of the suspicious activity.
9. The method of claim 6, wherein the forensic data comprises at least one of communications traffic, attack chains, tendencies, and geographical location of the source of the suspicious activity.
10. The method of claim 6, further comprising the step of creating, adapting, or updating a cyber-security procedure based on the collected forensic data.
11. An aircraft, comprising: an aircraft network comprising a plurality of nodes and a plurality of links providing communication between a subset of the plurality of nodes; a sandbox network in communication with the aircraft network, the sandbox network simulating the aircraft network and comprising a plurality of sandbox nodes corresponding to the plurality of nodes of the aircraft network, a first set of sandbox links corresponding to the plurality of links of the aircraft network, and a second set of sandbox links providing communication between sandbox nodes not in communication via the first set of sandbox links; and computer executable instructions that, when executed by a processor, perform the steps of: generating network traffic over the sandbox network such that the sandbox network models a behavior of the aircraft network; identifying a suspicious activity on the aircraft network, the suspicious activity originating from one of the plurality of nodes on the aircraft network or a user interface to an avionics system; routing the suspicious activity from the aircraft network to the sandbox network; and analyzing the suspicious activity as the suspicious activity traverses through the sandbox network, wherein analyzing the suspicious activity comprises collecting forensic data about the suspicious activity.
12. The aircraft of claim 11, wherein the aircraft network comprises an Ethernet.
13. The aircraft of claim 11, wherein at least a portion of the plurality of nodes comprise line replaceable units.
14. The aircraft of claim 11, wherein routing the suspicious activity is transparent to source of the suspicious activity.
15. The aircraft of claim 11, further comprising the step of creating, adapting, or updating a cyber-security procedure based on the collected forensic data.
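An added example, not part of the patent text: a Python model of the arrangement in the abstract and claims, showing the two sandbox link sets, diversion of a flagged flow, and per-hop forensic records. The node names, the `sb_` prefix, the detection rule, and the reading of the second link set as every pair the first set leaves unlinked are assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample topology; node names and links are illustrative assumptions.
NODES = ["fms", "display", "comms", "ife", "maint_port"]
LINKS = [("fms", "display"), ("fms", "comms"), ("ife", "comms"), ("maint_port", "ife")]

def build_sandbox(nodes, links):
    """One sandbox node per aircraft node, a first link set mirroring the
    aircraft links, and a second set joining every pair the first leaves unlinked
    (assumed reading of 'not in communication via the first set')."""
    sb_nodes = ["sb_" + n for n in nodes]
    first = {frozenset(("sb_" + a, "sb_" + b)) for a, b in links}
    second = {frozenset(p) for p in combinations(sb_nodes, 2)} - first
    return sb_nodes, first, second

def background_traffic(first, rounds=1):
    """Routine exchanges replayed over the mirrored links so the sandbox
    behaves like the live network."""
    return [tuple(sorted(l)) for _ in range(rounds) for l in sorted(first, key=sorted)]

def is_suspicious(flow, links):
    """Stand-in detection rule (assumption): peers with no aircraft link."""
    return frozenset((flow["src"], flow["dst"])) not in {frozenset(l) for l in links}

def route(flow, links):
    """Normal flows stay on the aircraft network; suspicious ones are delivered
    to the sandbox counterpart of the node they addressed."""
    if is_suspicious(flow, links):
        return {"network": "sandbox", "dst": "sb_" + flow["dst"]}
    return {"network": "aircraft", "dst": flow["dst"]}

def analyze(entry, hops, sandbox):
    """Follow the activity through the sandbox and record each hop, noting
    whether it used a mirrored link or one that exists only in the sandbox."""
    _, first, second = sandbox
    records, here = [], entry
    for nxt in hops:
        link = frozenset((here, nxt))
        kind = "mirrored" if link in first else "sandbox-only" if link in second else None
        if kind is None:  # unknown node or self-loop: stop recording
            break
        records.append({"from": here, "to": nxt, "link": kind})
        here = nxt
    return records

if __name__ == "__main__":
    sandbox = build_sandbox(NODES, LINKS)
    verdict = route({"src": "ife", "dst": "fms"}, LINKS)
    for rec in analyze(verdict["dst"], ["sb_display", "sb_ife"], sandbox):
        print(rec)
```

Hops recorded as `sandbox-only` mark movement the aircraft topology has no link for, which is the part of an attack chain the second link set exists to expose.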
Vulnerability analysis · CPC title
Tracing the source of attacks · CPC title
using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment · CPC title