Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Yajie Song,Bing Bu,Li Zhu

DOI: https://doi.org/10.3390/electronics9010181

IF: 2.9

2020-01-01

Electronics

Abstract:Security is crucial in cyber-physical systems (CPS). As a typical CPS, the communication-based train control (CBTC) system is facing increasingly serious cyber-attacks. Intrusion detection systems (IDSs) are vital to protect the system against cyber-attacks. The traditional IDS cannot distinguish between cyber-attacks and system faults. Furthermore, the design of the traditional IDS does not take the principles of CBTC systems into consideration. When deployed, it cannot effectively detect cyber-attacks against CBTC systems. In this paper, we propose a novel intrusion detection method that considers both the status of the networks and those of the equipment to identify if the abnormality is caused by cyber-attacks or by system faults. The proposed method is verified on a hardware-in-the-loop simulation platform of CBTC systems. Simulation results indicate that the proposed method has achieved 97.64% true positive rate, which can significantly improve the security protection level of CBTC systems.

Xueqian Chen,Bing Bu,Xuetao Yang

DOI: https://doi.org/10.1007/978-981-15-2866-8_29

2019-01-01

Abstract:With the application of advanced network and computer technologies, communication-based train control (CBTC) systems are facing increasingly serious security risks. Intrusion detection can help detect attacks of CBTC systems and avoid major accidents. The traditional intrusion detection systems (IDS) do not consider the characteristics of CBTC systems, so they cannot be applied to CBTC systems directly. In this paper, we analyze the characteristics of network data of CBTC systems and propose an IDS based on network traffic and packets to detect typical attacks of CBTC systems, such as the denial of service (DoS) and data tempering attacks. The self-organizing maps (SOM) neural networks are used to improve the density-based spatial clustering of applications with noise (DBscan) method since DBscan only can detect anomalies offline with low detection rate. By testing on a simulation platform of CBTC systems, it is verified that the designed IDS is suitable for CBTC systems for its great detection performance and real-time performance.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Bing Gao,Bing Bu,Wei Zhang,Xiang Li

DOI: https://doi.org/10.1109/tits.2021.3058553

IF: 8.5

2022-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The communication-based train control (CBTC) system is a typical cyber physical system in urban rail transit. The train-ground communication system is a very important subsystem of the CBTC system and uses the wireless communication protocols to transmit control commands. However, it faces some potential information security risks. To ensure information security of the train-ground communication system, an intrusion detection method based on machine learning and state observer is proposed to detect and recognize various attacks in this paper. The detection system not only detects the anomalies of the wireless network data, but also detects the anomalies of the train physical states. This method includes two layers. The first layer is used to detect and identify wireless network attacks based on machine learning algorithms, such as the random forest algorithm and the gradient boosted decision tree algorithm. The second layer is used to detect the abnormal physical state of train operation based on a state observer. By combining the results of the above two layers, a comprehensive intrusion detection result is given. The simulation results show that the proposed method is effective and practical.

Liru Hu,Bing Bu

DOI: https://doi.org/10.1109/itsc48978.2021.9564592

2021-01-01

Abstract:The existing intrusion detection system (IDS) does not consider the security and credibility problem of its own. An IDS captured by cyber attackers may generate lots of malicious alarms which will seriously impact the operation of communication-based train control (CBTC) systems. In this paper, we analyze the information exchange characteristics of CBTC systems and propose an IDS based on distributed trusted infrastructure. The method of relative entropy is adopted for intrusion detection. In addition, a trust evaluation model is developed based on the fuzzy theory to evaluate the credibility of IDSs. Simulation results show that the proposed IDS can effectively detect the malicious alarms and eliminate their effects on the operation of CBTC systems. The detection rate can reach over 95%.

Wei Zhang,Bing Bu,Hongwei Wang

DOI: https://doi.org/10.1109/itsc.2019.8917488

2019-01-01

Abstract:Communication-based train control (CBTC) technologies are widely applied in order to improve the efficiency and safety of urban rail transit systems. With the increase of informatization and automation through utilization of communication, computer and control technologies, amounts of potential security vulnerabilities are introduced into CBTC systems, where malicious attacks could be implemented. Some attacks, such as data tampering attacks cannot be efficiently detected by traditional intrusion detection systems (IDS), which can affect the safety operation of CBTC systems, e.g., rear-end collisions. Based on the operation principles and information exchange characteristics of CBTC systems, the paper firstly proposes a model to measure the effects of data tampering attacked on trains, and an intrusion detection method is developed based on the running status of the train through Kalman filter and χ 2 detector. The method improves the χ 2 detector to detect data tampering attacks and continuously output alarms during the attack. The improved method has higher accuracy and a lower false negative rate.

Wei Li,Zengwei Yan,Renwei He,Liming Zong,Fan Zhang,Yanjun Zhan

DOI: https://doi.org/10.1109/iwcmc55113.2022.9824972

2022-01-01

Abstract:Wireless communication is the basis for ensuring the safe and efficient operation of rail transit trains. The advantages of 5G technology such as high reliability, high speed and low latency make it a very broad application prospect in the field of rail transit. However, 5G networks also face corresponding security threats in application, such as various network attacks. The communication-based train control (CBTC) systems are vulnerable to network attacks, which can easily lead to emergency braking or collision of trains when it was attacked. In order to protect network security, the intrusion detection systems (IDS) can be used. The IDS currently applied to the CBTC systems have problems such as low detection rate and high false rate. Therefore, this paper proposes an intrusion detection system based on machine learning, and simulates the real network environment by using KDD99 data. First, the data is preprocessed and feature extracted. Then two methods of decision tree and neural network are used to train the classifiers. In addition, the multiple classifiers are trained on the basis of the binary classifiers. Finally, we test the performance of the classifiers. The results show that the classifiers have a good detection accuracy of network traffic.

Binyu Yin,Bing Bu,Bing Gao,Qichang Li

DOI: https://doi.org/10.1109/itsc55140.2022.9921964

2022-01-01

Abstract:With the wide application of information technolo-gies in communication based train control (CB TC) systems, the information security risks it confronts to are ever increasing. It is very difficult to design an intrusion detection system (IDS) which can detect both known and unknown cyber attacks with high true positive rate (TPR) and low false positive rate (FPR), simultaneously. In this paper, we propose a hybrid intrusion detection system (RIDS) which is composed of a signature-based intrusion detection system (SIDS) and an anomaly-based intrusion detection system (AIDS). An improved stacking ensemble algorithm (ISEA) is proposed to enhance the TPR of the SIDS which uses weighted classification probabilities outputted by base-classifiers to generate meta-features for the meta-classifier. The FPR of the AIDS is significantly reduced through adopting the proposed false positive elimination strategy (FPES). In addition, a Bayesian optimization algorithm is used for hyper-parameters adjustment to optimize the overall performance of the RIDS. The proposed RIDS is evaluated using both a KDD99 dataset and a CBTC dataset collected on a hardware-in-the-Ioop simulation platform. For the KDD99 dataset, the TPR and FPR of the proposed RIDS are 98.6% and 1.3%, respectively. For the CBTC dataset, the TPR and FPR are 98.1% and 1.1 %, respectively. Based on the performance comparison among different RIDSs, it is can be concluded that the proposed RIDS is superior to the existing RIDS in both TPR and FPR.

Shengwei Yi,Hongwei Wang,Yangyang Ma,Feng Xie,Puhan Zhang,Liqing Di

DOI: https://doi.org/10.1109/icccn.2018.8487464

2018-01-01

Abstract:Due to the wide application of computer, communication and control technologies in urban rail transit systems, amount of security threat are introduced, which can increase the security risks. Based on the safety- critical features of urban rail transits systems, lots of redundancy, fault-tolerant architectures are adopted, and fail-safe principles are also embedded into the operation mechanisms of the urban rail transit signalling systems. As a result, determining effects of security risks on safety of signalling systems is an urgent task. In the paper, based on the similarities and differences between the propagation principles of security risks and safety risks, the extended fault tree is proposed to perform the safety-security assessment for urban rail transit signalling systems, where security events could be taken as one kind of hazard of fault tree describing the evolution of safety risks. Considering some critical scenarios of signalling systems, the proposed approach demonstrates that security risks could significantly affect the operation efficiency of signalling systems due to the fail-safe designs while safety can be guaranteed based on the same fail-safe designs.

Jie Yang,Xin Chen,Xudong Xiang,Jianxiong Wan

DOI: https://doi.org/10.1109/cmc.2010.73

2010-01-01

Abstract:A hybrid intrusion detection approach combing both misuse detection and anomaly detection can detect newly discovered attacks while maintaining a relatively high detection rate. This paper presents a novel hybrid intrusion detection system based on protocol analysis and decision tree algorithms. Performance evaluation of the proposed system is conducted using Generalized Stochastic Petri Nets (GSPN). Simulation results show that this hybrid system can reach a high detection rate.

Ruiming Lu,Huiyu Dong,Hongwei Wang,Dongliang Cui,Li Zhu,Xi Wang

DOI: https://doi.org/10.1155/2021/2175780

IF: 2.3

2021-01-01

Complexity

Abstract:With the rapid development of urban rail transit systems, large amounts of information technologies are applied to increase efficiency of train control systems, such as general computers, communication protocols, and operation systems. With the continuous exposure of information technology vulnerabilities, security risks are increasing, and information is easy to use by malicious attackers, which can bring huge property and economic losses. The communication-based train control (CBTC) system is the most important subsystem of urban rail transit. The CBTC system ensures safe and efficient operation of trains, so the quantitative assessment of cyber security is quite necessary. In this paper, a resilience-based assessment method is proposed to analyze the security level of CBTC systems based on indicators of both the cyber domain and the physical domain. The proposed method can demonstrate the robustness and recovery ability of CBTC systems under different security attacks. Based on the structural information entropy, the fusion of different indicators is achieved. Two typical attacking scenarios are analyzed, and the simulation results illustrate the effectiveness of the proposed assessment approach.

Bowen Wang,Yuance Zhang,Zhaojing Zhang,Hongxing Hu,Geguang Pu

DOI: https://doi.org/10.4271/2023-01-0044

2023-01-01

Abstract:Intrusion Detection Systems (IDS), technically speaking, is to monitor the network, system, and operation status according to certain security policies, and try to find various attack attempts, attacks or attack results to ensure the confidentiality, integrity and availability of network system resources. Automotive intrusion detection systems can identify and alert by analyzing in-vehicle traffic and log when software applications or devices with malicious activity exist, or the in-vehicle network is tampered and injected. But unfortunately, automotive cybersecurity researchers hardly produce a comprehensive detection method due to the confidential nature of Controller Area Network (CAN) DBC format files, which is a standard long maintained by car manufacturers.In this paper, an enhanced intrusion detection method is proposed based on the double-decision-tree to classify different attack models for in-vehicle CAN network without the need to obtain complete DBC files. Unlike the existing method that is using data from the simulated CAN traffic traces, we construct three attack models based on real CAN bus traffic collected from Pentium T99. A totally new data split method is provided to divide training set, validation set and test dataset. Three experiments are set to verify this new data split method and the results show that we have achieved high accuracy in the recognition of the three types of attacks, and the model has high operating efficiency.

Bing Gao,Bing Bu,Xiaoxuan Wang

DOI: https://doi.org/10.1109/tits.2022.3192510

IF: 8.5

2022-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:In recent years, intelligent transportation systems and automatic train control technologies have been developed rapidly. The communication-based train control (CBTC) system through train-to-train communications is very important in the intelligent transportation system and it uses wireless communication links to transmit the train control commands. However, the CBTC system is sensitive to information security attacks. Therefore, a comprehensive resilient control strategy is proposed for the CBTC system under Denial of Service (DoS) attacks. As a cyber physical system, the CBTC system includes two layers. In the communication layer, a strongly robust train-to-train communication topology is proposed which adopts a bidirectional communication strategy and a three times communication protocol to achieve the goal of resisting multi-channel DoS attacks. In the physical layer, an observer-based distributed intrusion detection method is firstly proposed to detect the attack. Further, a resilient control method based on a distributed state observer of the leader train is proposed to avoid triggering the train safety protection mechanism frequently. Finally, simulation results prove that the proposed comprehensive resilient control algorithm is effective in the CBTC system.

He Lu,Yanan Zhao,Yajing Song,Yang Yang,Guanjie He,Haiyang Yu,Yilong Ren

DOI: https://doi.org/10.1007/s10586-024-04376-9

2024-04-14

Cluster Computing

Abstract:Communication-based train control (CBTC) system is a typical cyber-physical system with open wireless communication that is vulnerable to attacks. To protect the security of wireless communication in the CBTC system, machine learning-based intrusion detection system (IDS) has been extensively researched. However, the performance of a machine learning-based IDS highly depends on feature design, and the spatial and temporal correlation of network data attributes makes it difficult to design features manually. Meanwhile, this type of IDS can only detect known attacks that are contained in the training dataset and fail to detect new attacks (i.e., zero-day attacks). To cope with the above issue, we propose a novel IDS based on transfer learning for the CBTC system. The proposed IDS leverages an optimized one-dimensional convolutional neural network block and long short-term memory to automatically extract spatial and temporal features from the original data. Furthermore, a knowledge transfer method is utilized to transfer the features to enable zero-day attack detection. We evaluate the proposed IDS on a dataset representing the CBTC system network data. The results show that the proposed IDS can achieve 99.32% accuracy for known attacks and 93.21% average F1-Score for zero-day attacks.

computer science, information systems, theory & methods

Huiyu Dong,Hongwei Wang,Tao Tang

DOI: https://doi.org/10.1109/cac.2017.8243932

2017-01-01

Abstract:With the enhancement of informatization and automation, the capacity and efficiency of CBTC systems are increasing. However, the wide application of information technologies brings serious security threats on CBTC systems. Due to inherent characteristics of railway services, obtaining the security situation of CBTC systems is necessary. The methodlogy in this paper to evaluate the vulnerability of systems adopts attack tree modelling based on the functional architecture of CBTC systems. Assessments cover the current security states, port auditing, password policies and communication protocols of systems with the advantages of simplicity and operability. Based on the attack tree, leaf vulnerability, scenario vulnerability and system vulnerability are defined. During this assessment process, a typical scan tool, Nessus, and a vulnerability scoring system, CVSS, are used to achieve the port auditing. Moreover, a method to calculate the password strength and a piecewise linear function to normalize password strength are proposed. In the end, this approach is applied to a CBTC test-bed, and the assessment results show the difference of the vulnerability between the system with or without the improved countermeasures.

Yang Li,Li Zhu,Hongwei Wang,F. Richard Yu,Shichao Liu

DOI: https://doi.org/10.1109/tits.2020.3030496

IF: 8.5

2020-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:While communication-based train control (CBTC) systems play a crucial role in the efficient and reliable operation of urban rail transits, its high penetration level of communication networks opens doors to Man-in-the-Middle (MitM) attacks. Current researches regarding MitM attacks do not consider the characteristics of CBTC systems. Particularly, the limited computing capability of the on-board computers prevents the direct implementation of most existing intrusion detection and defense algorithms against the MitM attack. In order to tackle this dilemma, in this article, we first introduce edge intelligence (EI) into CBTC systems to enhance the computing capability of the system. A cross-layer defense scheme, which includes the detection and defense stages, are proposed next. For the cross-layer detection stage, we propose a Long Short-Term Memory (LSTM) and Support Vector Machine (SVM) based detection method to combine the detection probability calculated from the train control parameter sequence and operation log files. For the cross-layer defense stage, we construct a Bayesian game based defense model to derive the optimal defense policy against MitM attacks. To further improve the accuracy of the defense scheme as well as optimize the communication resource allocation scheme, we propose an optimal communication resource allocation scheme based on the Asynchronous Advantage Actor-Critic (A3C) algorithm at last. Extensive simulation results show that the proposed scheme achieves excellent performance in defending against MitM attacks.

Wenhao Wu,Bing Bu

DOI: https://doi.org/10.3390/electronics8090991

IF: 2.9

2019-01-01

Electronics

Abstract:Communication-based train controls (CBTC) systems play a major role in urban rail transportation. As CBTC systems are no longer isolated from the outside world but use other networks to increase efficiency and improve productivity, they are exposed to huge cyber threats. This paper proposes a generalized stochastic Petri net (GSPN) model to capture dynamic interaction between the attacker and the defender to evaluate the security of CBTC systems. Depending on the characteristics of the system and attack–defense methods, we divided our model into two phases: penetration and disruption. In each phase, we provided effective means of attack and corresponding defensive measures, and the system state was determined correspondingly. Additionally, a semiphysical simulation platform and game model were proposed to assist the GSPN model parameterization. With the steady-state probability of the system output from the model, we propose several indicators for assessing system security. Finally, we compared the security of the system with single defensive measures and multiple defensive measures. Our evaluations indicated the significance of the defensive measures and the seriousness of the system security situation.

Qi Qiao,Daojing He,Yun Gao,Sencun Zhu,Jiahao Gao,Sammy Chan

DOI: https://doi.org/10.1109/secon48991.2020.9158421

2020-01-01

Abstract:While integrated electronic systems (IESs) are widely used in military and civilian applications, their security issues are barely studied. By analyzing the architecture of the system and the characteristics of bus communication, this paper proposes an intrusion detection method based on the message sequence and behavioral rules of subsystems. According to the bus protocol, messages are divided into periodic and aperiodic messages. For the previous, we adopt sequence analysis and propose an algorithm that extract the sequence intelligently to determine if there are anomalies. For aperiodic messages, we detect the anomalies by modeling the system behaviors as decision trees. Through implementing experiments on our simulation system, we demonstrate that the proposed detection is more accurate than the existing schemes while incurring both lower false negative rate and lower false positive rate.

Wenhao. Wu,Bing. Bu,Wei. Zhang

DOI: https://doi.org/10.1109/itsc.2019.8917082

2019-01-01

Abstract:Communication-based train control (CBTC) are automated train control systems using information communication technologies to ensure the safe operation of rail vehicles. With the development of information technology, massive commercial software, hardware products and standard communication equipment are applied to urban rail transit systems, which introduces a crowd of security threats to CBTC systems. This paper proposes a generalized stochastic Petri net model to simulate dynamic interaction between the attacker and defender to evaluate the security of CBTC systems. According to the characteristics of the system and attack-defense methods, we divide our model to the penetration phase and the disruption phase. In each phase, we provide effective means of attack and corresponding defensive measures, and the system state is determined correspondingly. The model parameters are obtained by conducting attack and defense exercises on the semi-physical simulation platform. The system transition probability is derived with the model parameter and the Nash equilibrium of the game between the attacker and defender. The system availability is obtained by calculating the steady probability of each state which can be derived from the GSPN model solution. Our analytic results reveal the seriousness of the system security situation and the significance of defensive measures for system security.