In view of the increasingly prominent information security risks faced by the urban rail train control system, an artificial immune system-based situation assessment (AIS-SA) method is proposed. Combined with the data characteristics of urban rail train control system, the mature mechanism of the detector and the cyber attack detection method are designed to sense the cyber attacks suffered by the urban rail train control system in real time. The mechanism of detector cloning and mutation is designed to further enrich the detector population and improve the ability of urban rail train control system to perceive cyber attacks. The simulation experiments simulate that the urban rail train control system is subjected to different intensity of identity authentication Dos attacks and TCP SYN Flood attacks. AIS-SA method is used to perceive the cyber attacks and quantify the security situation of the system in real time. The results show that AIS-SA method has a strong ability to perceive cyber attacks. When the detector evolves for 25 generations, the detection rate of identity authentication Dos attack is 96.81%, the false alarm rate is 0.25%, and the detection rate of TCP SYN Flood attack is 98.46%, and the false alarm rate is 1.32%. Compared with other methods, AIS-SA method has both high detection rates and low false positive rates. In addition, AIS-SA method can characterize the security situation of the urban rail train control system under different attack intensity. When the intensity of attack increases, the real time situation quantification value increases, and vice versa. Simulation results verify the effectiveness and accuracy of AIS-SA method.
生物免疫机制通常分为3个阶段,即免疫细胞从未成熟到成熟的进化过程(自体耐受阶段)、抗体抗原识别与匹配的过程(免疫应答阶段)、产生免疫记忆和免疫进化的过程(免疫反馈阶段)[12]。在人工免疫系统中,检测器能够模拟抗体的主要功能,需要经历检测器成熟、检测器检测攻击以及检测器变异进化的过程。因此,提出基于人工免疫的信息安全态势评估(Artificial Immunity System based Situation Assessment,AIS-SA)方法,使城轨列控系统遭受网络攻击时,不仅能够感知到网络攻击,且能够表征列控系统信息安全态势的实时变化。
另外,在模拟城轨列控系统遭受网络攻击时,攻击目标主要聚焦在AP与VOBC间的通信链路,既包括对无线接入的网络攻击,即通过身份认证拒绝服务(Authentication Dos)攻击消耗AP验证请求资源,使其无法响应正常通信请求;还包括对有线骨干网络攻击,即通过TCP拒绝服务(TCP SYN Flood)攻击挤占服务连接队列,使得报文丢失、通信中断。因此仿真试验中,利用Mdk3(Murder Death Kill 3)无线攻击工具,发起Authentication Dos攻击,模拟随机产生的MAC地址,向目标AP发送大量验证请求,使其停止对正常通信请求的响应;利用LOIC DOS攻击工具,模拟TCP SYN Flood攻击,模拟TCP数据包以洪水的方式形成拒绝服务攻击,使设备响应中断,造成系统服务中断,影响列车正常运行。先通过人为设定上述攻击,以验证系统感知攻击的准确性;再设定攻击的时长和强度,以验证城轨列控系统安全态势的动态变化情况。
由图6可知:TCP SYN Flood攻击下,检测器进化代数较低时,误报率较低,平均计算时间较短,随着检测器进化代数的增加,检测率逐步升高,但误报率随之升高,且平均计算时间增加,整体变化趋势同Authentication Dos攻击下结果类似;当检测器进化代数为25代时,检测率为98.46%、误报率为1.32%、平均计算时间为427 s,此时具有较高的检测率、较低的误报率和较少的平均计算时间,因此,同样可以认为进化25代时的检测器为性能最优检测器。
利用相同的城轨列控系统信息安全特征数据集,引入不同方法对攻击检测能力进行比较,得到AIS-SA方法与单类支持向量机(One-class SVM)、随机森林(Random Forest)、K均值聚类算法(K-means)等无监督学习方法在Authentication Dos攻击和TCP SYN Flood攻击下的检测率和误报率及平均计算时间对比结果分别见表2和表3。
由表2和表3可知:不同方法对Authentication Dos攻击和TCP SYN Flood攻击的检测效果不同,其中AIS-SA方法具有最高的检测率和较低的误报率,其原因是该方法不仅能够自学习城轨列控系统数据特性,还能够通过克隆变异机制,进一步优化检测器种群,提升检测率并降低误报率;较高的检测率会增加检测器产生误报的概率,但AIS-SA方法能够将误报率维持在较低范围,表明其综合检测效果突出。
3.5.2 仿真试验2
在该试验中,验证100 s观测周期内发动Authentication Dos和TCP SYN Flood网络攻击下城轨列控系统信息安全态势的变化。
试验2中引入的Authentication Dos攻击、TCP SYN Flood攻击,2种攻击强度变化曲线如图7所示。其中,Authentication Dos攻击的每秒攻击强度范围为0.6~2.0 Mb,TCP SYN Flood攻击每秒攻击强度范围为2.9~3.8 Mb。
Authentication Dos攻击、TCP SYN Flood攻击2种攻击造成的系统安全态势变化,如图8所示。由图8可知:采用AIS-SA方法,可得到系统在不同攻击下的实时态势量化值;当网络攻击强度增大时,实时安全态势量化值升高;当网络攻击强度减小时,实时态势量化值下降;并且,安全态势量化曲线与攻击强度曲线变化趋势相似,表明安全态势评估结果可以实时反映城轨列控系统在网络攻击下的态势变化;且由于记忆检测器的存在,当相同的攻击持续发生时态势量化曲线的实时变化幅度更大,AIS-SA方法能够更强烈地表征安全态势变化。
(2)由仿真试验可知,当检测器进化代数为25代时,AIS-SA方法对于Authentication Dos攻击具有96.81%的检测率和0.25%的误报率,对于TCP SYN Flood攻击具有98.46%的检测率和1.32%的误报率,且平均计算时间较短,为最优进化代数。与其他方法相比,AIS-SA方法在具有高检测率的同时,能够保持较低的误报率,感知网络攻击的能力较强。
ZHANGYadong, WANGShuo, LIYa, et al. Hazard Analysis and Simulation Verification Method of Train Control Operation Scenarios Based on STPA and Multi-Agent [J]. China Railway Science, 2021, 42 (1): 147-155. in Chinese
LIQichang, BUBing, ZHAOJunyi, et al. Research on Situation Awareness of Train Control System Based on SVD Entropy and SVM Joint Algorithm [J]. Journal of the China Railway Society, 2021, 43 (1): 100-106. in Chinese
YAOHonglei, LIUGuoliang, XIEChenhui, et al. Risk Assessment Method of CTCS System Network Security Based on AHP [J]. China Railway Science, 2023, 44 (4): 241-250. in Chinese
ZHAOXiaojun, HUANGTiantian, MAJinxin. Information Security Risk Analysis and Protection Technology of Chinese Train Control System [J]. Railway Signalling & Communication Engineering, 2022, 19 (9): 46-50. in Chinese
[9]
罗珍珍. 铁路信号系统信息安全态势评估方法研究[D].北京:北京交通大学,2018.
[10]
LUOZhenzhen. Research on Information Security Situation Assessment Method of Railway Signaling System [D]. Beijing: Beijing Jiaotong University, 2018. in Chinese
[11]
李国杰. 列控系统信息安全态势感知关键技术研究[D].北京:北京交通大学,2019.
[12]
LIGuojie. Key Technologies of Cyber Security Situation Awareness for Train Control Systems [D]. Beijing:Beijing Jiaotong University, 2019. in Chinese
[13]
ZHANGK H, WANGH W, CUID L. A Quantitative Situation Awareness Approach for CBTC Systems Based on Multi-Dimensional Gaussian Hidden Markov Model [C]// 2020 Chinese Automation Congress (CAC). Shanghai, China. New York: IEEE Press, 2020: 3488-3492.
[14]
TABATABAEFARM, MIRIESTAHBANATIM, GREGOIREJ C. Network Intrusion Detection through Artificial Immune System [C]// 2017 Annual IEEE International Systems Conference (SysCon). Montreal, Canada. New York: IEEE Press, 2017: 1-6.
[15]
YANGB, YANGM F. Data-Driven Network Layer Security Detection Model and Simulation for the Internet of Things Based on an Artificial Immune System [J]. Neural Computing and Applications, 2021, 33 (2): 655-666.
[16]
宁滨,刘朝英.中国轨道交通列车运行控制技术及应用[J].铁道学报,2017,39(2):1-9.
[17]
NINGBin, LIUChaoying. Technology and Application of Train Operation Control System for China Rail Transit System [J]. Journal of the China Railway Society, 2017, 39 (2): 1-9. in Chinese
[18]
GAOB, BUB, ZHANGW, et al. An Intrusion Detection Method Based on Machine Learning and State Observer for Train-Ground Communication Systems [J]. IEEE Transactions on Intelligent Transportation Systems, 2021, 23(7): 6608-6620.
[19]
SUOG W, DUJ W, ZHOUY, et al. Construction of Quantitative Model for Network Security Situation Assessment Based on Intelligent Immunity [J]. IOP Conference Series: Materials Science and Engineering. Nanjing, China. IOP Publishing, 2018, 466 (1): 012105.
[20]
SHARAFALDINI, HABIBIL A, GHORBANIA A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization [C]// Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP 2018). Funchal, Portugal. ICISSP, 2018, 1: 108-116.
[21]
ZHANGW, BUB, WANGH W. An Intrusion Detection Method of Data Tampering Attack in Communication-Based Train Control System [C]// 2019 IEEE Intelligent Transportation Systems Conference (ITSC). Auckland, New Zealand. New York: IEEE Press, 2019: 345-350.
[22]
LIQ C, BUB, ZHAOJ Y. A Novel Hierarchical Situation Awareness Model for CBTC Using SVD Entropy and GRU with PRD Algorithms [J]. IEEE Access, 2021, 9: 132290-132300.
[23]
FARZADNIAE, SHIRAZIH, NOWROOZIA. A Novel Sophisticated Hybrid Method for Intrusion Detection Using the Artificial Immune System [J]. Journal of Information Security and Applications, 2021, 58: 102721.
[24]
SHIY Q, LIT, LIR F, et al. An Immunity-Based IOT Environment Security Situation Awareness Model [J]. Journal of Computer and Communications, 2017, 5 (7): 182-197.