Wei Zhang,Bing Bu,Hongwei Wang

DOI: https://doi.org/10.1109/itsc.2019.8917488

2019-01-01

Abstract:Communication-based train control (CBTC) technologies are widely applied in order to improve the efficiency and safety of urban rail transit systems. With the increase of informatization and automation through utilization of communication, computer and control technologies, amounts of potential security vulnerabilities are introduced into CBTC systems, where malicious attacks could be implemented. Some attacks, such as data tampering attacks cannot be efficiently detected by traditional intrusion detection systems (IDS), which can affect the safety operation of CBTC systems, e.g., rear-end collisions. Based on the operation principles and information exchange characteristics of CBTC systems, the paper firstly proposes a model to measure the effects of data tampering attacked on trains, and an intrusion detection method is developed based on the running status of the train through Kalman filter and χ 2 detector. The method improves the χ 2 detector to detect data tampering attacks and continuously output alarms during the attack. The improved method has higher accuracy and a lower false negative rate.

Yajie Song,Bing Bu,Xuetao Yang

DOI: https://doi.org/10.1007/978-981-15-2914-6_16

2020-01-01

Abstract:Communication-based train control (CBTC) is considered as the main organ of urban rail transit systems, which is facing increasingly serious security threats. Intrusion detection systems (IDS) are crucial for security protection. This paper reports the design principles and evaluation results of a novel hybrid intrusion detection system which is suitable for CBTC systems. This hybrid method combines the advantages of the high true positive rate of network-based IDS (NIDS) and the ability of host-based IDS (HIDS) to monitor system behavior, where decision tree and critical state analysis are used, respectively. The proposed method is verified on a semi-physical simulation platform of CBTC and the experiments show that the designed scheme can detect intrusions accurately with a 97.8% detection rate.

Haonan Peng,Chunming Wu,Yanfeng Xiao

DOI: https://doi.org/10.3390/app132111629

2023-01-01

Applied Sciences

Abstract:The importance of network security has become increasingly prominent due to the rapid development of network technology. Network intrusion detection systems (NIDSs) play a crucial role in safeguarding networks from malicious attacks and intrusions. However, the issue of class imbalance in the dataset presents a significant challenge to NIDSs. In order to address this concern, this paper proposes a new NIDS called CBF-IDS, which combines convolutional neural networks (CNNs) and bidirectional long short-term memory networks (BiLSTMs) while employing the focal loss function. By utilizing CBF-IDS, spatial and temporal features can be extracted from network traffic. Moreover, during model training, CBF-IDS applies the focal loss function to give more weight to minority class samples, thereby mitigating the impact of class imbalance on model performance. In order to evaluate the effectiveness of CBF-IDS, experiments were conducted on three benchmark datasets: NSL-KDD, UNSW-NB15, and CIC-IDS2017. The experimental results demonstrate that CBF-IDS outperforms other classification models, achieving superior detection performance.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Yajie Song,Bing Bu,Li Zhu

DOI: https://doi.org/10.3390/electronics9010181

IF: 2.9

2020-01-01

Electronics

Abstract:Security is crucial in cyber-physical systems (CPS). As a typical CPS, the communication-based train control (CBTC) system is facing increasingly serious cyber-attacks. Intrusion detection systems (IDSs) are vital to protect the system against cyber-attacks. The traditional IDS cannot distinguish between cyber-attacks and system faults. Furthermore, the design of the traditional IDS does not take the principles of CBTC systems into consideration. When deployed, it cannot effectively detect cyber-attacks against CBTC systems. In this paper, we propose a novel intrusion detection method that considers both the status of the networks and those of the equipment to identify if the abnormality is caused by cyber-attacks or by system faults. The proposed method is verified on a hardware-in-the-loop simulation platform of CBTC systems. Simulation results indicate that the proposed method has achieved 97.64% true positive rate, which can significantly improve the security protection level of CBTC systems.

Liru Hu,Bing Bu

DOI: https://doi.org/10.1109/itsc48978.2021.9564592

2021-01-01

Abstract:The existing intrusion detection system (IDS) does not consider the security and credibility problem of its own. An IDS captured by cyber attackers may generate lots of malicious alarms which will seriously impact the operation of communication-based train control (CBTC) systems. In this paper, we analyze the information exchange characteristics of CBTC systems and propose an IDS based on distributed trusted infrastructure. The method of relative entropy is adopted for intrusion detection. In addition, a trust evaluation model is developed based on the fuzzy theory to evaluate the credibility of IDSs. Simulation results show that the proposed IDS can effectively detect the malicious alarms and eliminate their effects on the operation of CBTC systems. The detection rate can reach over 95%.

Bing Gao,Bing Bu,Wei Zhang,Xiang Li

DOI: https://doi.org/10.1109/tits.2021.3058553

IF: 8.5

2022-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The communication-based train control (CBTC) system is a typical cyber physical system in urban rail transit. The train-ground communication system is a very important subsystem of the CBTC system and uses the wireless communication protocols to transmit control commands. However, it faces some potential information security risks. To ensure information security of the train-ground communication system, an intrusion detection method based on machine learning and state observer is proposed to detect and recognize various attacks in this paper. The detection system not only detects the anomalies of the wireless network data, but also detects the anomalies of the train physical states. This method includes two layers. The first layer is used to detect and identify wireless network attacks based on machine learning algorithms, such as the random forest algorithm and the gradient boosted decision tree algorithm. The second layer is used to detect the abnormal physical state of train operation based on a state observer. By combining the results of the above two layers, a comprehensive intrusion detection result is given. The simulation results show that the proposed method is effective and practical.

Wei Li,Zengwei Yan,Renwei He,Liming Zong,Fan Zhang,Yanjun Zhan

DOI: https://doi.org/10.1109/iwcmc55113.2022.9824972

2022-01-01

Abstract:Wireless communication is the basis for ensuring the safe and efficient operation of rail transit trains. The advantages of 5G technology such as high reliability, high speed and low latency make it a very broad application prospect in the field of rail transit. However, 5G networks also face corresponding security threats in application, such as various network attacks. The communication-based train control (CBTC) systems are vulnerable to network attacks, which can easily lead to emergency braking or collision of trains when it was attacked. In order to protect network security, the intrusion detection systems (IDS) can be used. The IDS currently applied to the CBTC systems have problems such as low detection rate and high false rate. Therefore, this paper proposes an intrusion detection system based on machine learning, and simulates the real network environment by using KDD99 data. First, the data is preprocessed and feature extracted. Then two methods of decision tree and neural network are used to train the classifiers. In addition, the multiple classifiers are trained on the basis of the binary classifiers. Finally, we test the performance of the classifiers. The results show that the classifiers have a good detection accuracy of network traffic.

He Lu,Yanan Zhao,Yajing Song,Yang Yang,Guanjie He,Haiyang Yu,Yilong Ren

DOI: https://doi.org/10.1007/s10586-024-04376-9

2024-04-14

Cluster Computing

Abstract:Communication-based train control (CBTC) system is a typical cyber-physical system with open wireless communication that is vulnerable to attacks. To protect the security of wireless communication in the CBTC system, machine learning-based intrusion detection system (IDS) has been extensively researched. However, the performance of a machine learning-based IDS highly depends on feature design, and the spatial and temporal correlation of network data attributes makes it difficult to design features manually. Meanwhile, this type of IDS can only detect known attacks that are contained in the training dataset and fail to detect new attacks (i.e., zero-day attacks). To cope with the above issue, we propose a novel IDS based on transfer learning for the CBTC system. The proposed IDS leverages an optimized one-dimensional convolutional neural network block and long short-term memory to automatically extract spatial and temporal features from the original data. Furthermore, a knowledge transfer method is utilized to transfer the features to enable zero-day attack detection. We evaluate the proposed IDS on a dataset representing the CBTC system network data. The results show that the proposed IDS can achieve 99.32% accuracy for known attacks and 93.21% average F1-Score for zero-day attacks.

computer science, information systems, theory & methods

Bing Gao,Bing Bu,Xiaoxuan Wang

DOI: https://doi.org/10.1109/tits.2022.3192510

IF: 8.5

2022-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:In recent years, intelligent transportation systems and automatic train control technologies have been developed rapidly. The communication-based train control (CBTC) system through train-to-train communications is very important in the intelligent transportation system and it uses wireless communication links to transmit the train control commands. However, the CBTC system is sensitive to information security attacks. Therefore, a comprehensive resilient control strategy is proposed for the CBTC system under Denial of Service (DoS) attacks. As a cyber physical system, the CBTC system includes two layers. In the communication layer, a strongly robust train-to-train communication topology is proposed which adopts a bidirectional communication strategy and a three times communication protocol to achieve the goal of resisting multi-channel DoS attacks. In the physical layer, an observer-based distributed intrusion detection method is firstly proposed to detect the attack. Further, a resilient control method based on a distributed state observer of the leader train is proposed to avoid triggering the train safety protection mechanism frequently. Finally, simulation results prove that the proposed comprehensive resilient control algorithm is effective in the CBTC system.

Yang Li,Li Zhu,Hongwei Wang,F. Richard Yu,Shichao Liu

DOI: https://doi.org/10.1109/tits.2020.3030496

IF: 8.5

2020-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:While communication-based train control (CBTC) systems play a crucial role in the efficient and reliable operation of urban rail transits, its high penetration level of communication networks opens doors to Man-in-the-Middle (MitM) attacks. Current researches regarding MitM attacks do not consider the characteristics of CBTC systems. Particularly, the limited computing capability of the on-board computers prevents the direct implementation of most existing intrusion detection and defense algorithms against the MitM attack. In order to tackle this dilemma, in this article, we first introduce edge intelligence (EI) into CBTC systems to enhance the computing capability of the system. A cross-layer defense scheme, which includes the detection and defense stages, are proposed next. For the cross-layer detection stage, we propose a Long Short-Term Memory (LSTM) and Support Vector Machine (SVM) based detection method to combine the detection probability calculated from the train control parameter sequence and operation log files. For the cross-layer defense stage, we construct a Bayesian game based defense model to derive the optimal defense policy against MitM attacks. To further improve the accuracy of the defense scheme as well as optimize the communication resource allocation scheme, we propose an optimal communication resource allocation scheme based on the Asynchronous Advantage Actor-Critic (A3C) algorithm at last. Extensive simulation results show that the proposed scheme achieves excellent performance in defending against MitM attacks.

Chuan Yue,Lide Wang,Dengrui Wang,Ruifeng Duo,Haipeng Yan

DOI: https://doi.org/10.1155/2021/3913515

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The train communication Ethernet (TCE) of modern intelligent trains is under an ever-increasing threat of serious network attacks. Denial of service (DoS) and man in the middle (MITM), the two most destructive attacks against TCE, are difficult to detect by conventional methods. Aiming at their highly time-correlated properties, a novel dynamic temporal convolutional network-based intrusion detection system (DyTCN-IDS) is proposed in this paper to detect these temporal attacks. A semiphysical TCE testbed that is capable of simulating real situations in TCE-based trains is first built to generate an effective dataset for training and testing. DyTCN-IDS consists of two phases, and in the first phase, systematic feature engineering is designed to optimize the dataset. In the second phase, a basic detection model that is good at dealing with temporal features is first built by utilizing the temporal convolutional network with several architectural optimizations. Then, in order to decrease the computational consumption waste on network packet sequences with different lengths of inner temporal relationships, dynamic neural network technology is further adopted to optimize the basic detection model. Diverse experiments were carried out to evaluate the proposed system from different angles. The experimental results indicate that our system is easy to train, converges fast, costs less computational resources, and achieves satisfying detection performance with a macro false alarm rate of 0.09%, a macro F-score of 99.39%, and an accuracy of 99.40%. Compared to some canonical DL-based IDS and some latest IDS, our system acquires the best overall detection performance as well.

Laisen Nie,Zhaolong Ning,Xiaojie Wang,Xiping Hu,Jun Cheng,Yongkang Li

DOI: https://doi.org/10.1109/tnse.2020.2990984

IF: 6.6

2020-01-01

IEEE Transactions on Network Science and Engineering

Abstract:As an industrial application of Internet of Things (IoT), Internet of Vehicles (IoV) is one of the most crucial techniques for Intelligent Transportation System (ITS), which is a basic element of smart cities. The primary issue for the deployment of ITS based on IoV is the security for both users and infrastructures. The Intrusion Detection System (IDS) is important for IoV users to keep them away from various attacks via the malware and ensure the security of users and infrastructures. In this paper, we design a data-driven IDS by analyzing the link load behaviors of the Road Side Unit (RSU) in the IoV against various attacks leading to the irregular fluctuations of traffic flows. A deep learning architecture based on the Convolutional Neural Network (CNN) is designed to extract the features of link loads, and detect the intrusion aiming at RSUs. The proposed architecture is composed of a traditional CNN and a fundamental error term in view of the convergence of the backpropagation algorithm. Meanwhile, a theoretical analysis of the convergence is provided by the probabilistic representation for the proposed CNN-based deep architecture. We finally evaluate the accuracy of our method by way of implementing it over the testbed.

Ruiming Lu,Huiyu Dong,Hongwei Wang,Dongliang Cui,Li Zhu,Xi Wang

DOI: https://doi.org/10.1155/2021/2175780

IF: 2.3

2021-01-01

Complexity

Abstract:With the rapid development of urban rail transit systems, large amounts of information technologies are applied to increase efficiency of train control systems, such as general computers, communication protocols, and operation systems. With the continuous exposure of information technology vulnerabilities, security risks are increasing, and information is easy to use by malicious attackers, which can bring huge property and economic losses. The communication-based train control (CBTC) system is the most important subsystem of urban rail transit. The CBTC system ensures safe and efficient operation of trains, so the quantitative assessment of cyber security is quite necessary. In this paper, a resilience-based assessment method is proposed to analyze the security level of CBTC systems based on indicators of both the cyber domain and the physical domain. The proposed method can demonstrate the robustness and recovery ability of CBTC systems under different security attacks. Based on the structural information entropy, the fusion of different indicators is achieved. Two typical attacking scenarios are analyzed, and the simulation results illustrate the effectiveness of the proposed assessment approach.

Daxin Tian,Yuzhou Li,Yunpeng Wang,Xuting Duan,Congyu Wang,WenYang Wang,Rong Hui,Peng Guo

DOI: https://doi.org/10.1007/978-3-319-74176-5_25

2018-01-01

Abstract:The CAN-Bus is currently the most widely used vehicle bus network technology, but it is designed for needs of vehicle control system, having massive data and lacking of information security mechanisms and means. The Intrusion Detection System (IDS) based on machine learning is an efficient active information security defense method and suitable for massive data processing. We use a machine learning algorithm-Gradient Boosting Decision Tree (GBDT) in IDS for CAN-Bus and propose a new feature based on entropy as the feature construction of GBDT algorithm. In detection performance, the IDS based on GBDT has a high True Positive (TP) rate and a low False Positive (FP) rate.

Wenhao Wu,Bing Bu

DOI: https://doi.org/10.3390/electronics8090991

IF: 2.9

2019-01-01

Electronics

Abstract:Communication-based train controls (CBTC) systems play a major role in urban rail transportation. As CBTC systems are no longer isolated from the outside world but use other networks to increase efficiency and improve productivity, they are exposed to huge cyber threats. This paper proposes a generalized stochastic Petri net (GSPN) model to capture dynamic interaction between the attacker and the defender to evaluate the security of CBTC systems. Depending on the characteristics of the system and attack–defense methods, we divided our model into two phases: penetration and disruption. In each phase, we provided effective means of attack and corresponding defensive measures, and the system state was determined correspondingly. Additionally, a semiphysical simulation platform and game model were proposed to assist the GSPN model parameterization. With the steady-state probability of the system output from the model, we propose several indicators for assessing system security. Finally, we compared the security of the system with single defensive measures and multiple defensive measures. Our evaluations indicated the significance of the defensive measures and the seriousness of the system security situation.

Bowen Wang,Yuance Zhang,Zhaojing Zhang,Hongxing Hu,Geguang Pu

DOI: https://doi.org/10.4271/2023-01-0044

2023-01-01

Abstract:Intrusion Detection Systems (IDS), technically speaking, is to monitor the network, system, and operation status according to certain security policies, and try to find various attack attempts, attacks or attack results to ensure the confidentiality, integrity and availability of network system resources. Automotive intrusion detection systems can identify and alert by analyzing in-vehicle traffic and log when software applications or devices with malicious activity exist, or the in-vehicle network is tampered and injected. But unfortunately, automotive cybersecurity researchers hardly produce a comprehensive detection method due to the confidential nature of Controller Area Network (CAN) DBC format files, which is a standard long maintained by car manufacturers.In this paper, an enhanced intrusion detection method is proposed based on the double-decision-tree to classify different attack models for in-vehicle CAN network without the need to obtain complete DBC files. Unlike the existing method that is using data from the simulated CAN traffic traces, we construct three attack models based on real CAN bus traffic collected from Pentium T99. A totally new data split method is provided to divide training set, validation set and test dataset. Three experiments are set to verify this new data split method and the results show that we have achieved high accuracy in the recognition of the three types of attacks, and the model has high operating efficiency.

Ruifeng Duo,Xiaobo Nie,Ning Yang,Chuan Yue,Yongxiang Wang

DOI: https://doi.org/10.1109/access.2021.3055209

IF: 3.9

2021-01-01

IEEE Access

Abstract:Real-time Ethernet has been applied to train control and management system (TCMS) of 250km/h Fuxing Electric Multiple Units (EMUs) and some urban rail vehicles. The openness of the Ethernet communication protocol poses a risk of intrusion attacks on the train communication network. It is, therefore, necessary that a safety protection technology is introduced to the train communication network based on real-time Ethernet. In this paper, a train communication network intrusion detection system based on anomaly detection and attack classification is proposed. Firstly, the paper built an anomaly detection model based on support vector machines (SVM). The particle swarm optimization-support vector machines (PSO-SVM), and genetic algorithm-support vector machines (GA-SVM) optimization algorithms are used to optimize the kernel function parameters of SVM. Secondly, the paper built two attack classification models based on random forest. They are iterative dichotomiser3 (ID3) and classification and regression tree (CART). And then, the built intrusion detection and attack classification model is tested by using the public data set knowledge discovery and data mining-99(KDD-99) and the data set of the simulation train real-time Ethernet test bench. PSO-SVM improves the intrusion detection accuracy from 90.3% to 95.75%, GA-SVM improves the detection accuracy from 90.3% to 95.85%. The training time of the PSO-SVM algorithm was higher than that of the GA-SVM algorithm, and much higher than that of the SVM, without optimization. Both ID3 and CART models are verified valid in the attack classification, while the ID3 algorithm obtained 100% accuracy on the training set, and only 32.89% accuracy on the test set, ID3 has a poor classification accuracy of the data outside of the training set. Also, the classification time is very long for ID3 compared with CART. So the comprehensive experimental results show that the intrusion detection system of train real-time Ethernet can use the GA-SVM model for detection of abnormal data. After passing the normal data, the CART model can be used to distinguish between the types of attacks to better complete subsequent responses and operations. Compared with the anomaly detection model based on SVM, the proposed model improves intrusion detection accuracy. And the proposed attack classification algorithm based on CART can improve the computing speed while ensuring the precision of classification.

Wenhao. Wu,Bing. Bu,Wei. Zhang

DOI: https://doi.org/10.1109/itsc.2019.8917082

2019-01-01

Abstract:Communication-based train control (CBTC) are automated train control systems using information communication technologies to ensure the safe operation of rail vehicles. With the development of information technology, massive commercial software, hardware products and standard communication equipment are applied to urban rail transit systems, which introduces a crowd of security threats to CBTC systems. This paper proposes a generalized stochastic Petri net model to simulate dynamic interaction between the attacker and defender to evaluate the security of CBTC systems. According to the characteristics of the system and attack-defense methods, we divide our model to the penetration phase and the disruption phase. In each phase, we provide effective means of attack and corresponding defensive measures, and the system state is determined correspondingly. The model parameters are obtained by conducting attack and defense exercises on the semi-physical simulation platform. The system transition probability is derived with the model parameter and the Nash equilibrium of the game between the attacker and defender. The system availability is obtained by calculating the steady probability of each state which can be derived from the GSPN model solution. Our analytic results reveal the seriousness of the system security situation and the significance of defensive measures for system security.

Binyu Yin,Bing Bu,Bing Gao,Qichang Li

DOI: https://doi.org/10.1109/itsc55140.2022.9921964

2022-01-01

Abstract:With the wide application of information technolo-gies in communication based train control (CB TC) systems, the information security risks it confronts to are ever increasing. It is very difficult to design an intrusion detection system (IDS) which can detect both known and unknown cyber attacks with high true positive rate (TPR) and low false positive rate (FPR), simultaneously. In this paper, we propose a hybrid intrusion detection system (RIDS) which is composed of a signature-based intrusion detection system (SIDS) and an anomaly-based intrusion detection system (AIDS). An improved stacking ensemble algorithm (ISEA) is proposed to enhance the TPR of the SIDS which uses weighted classification probabilities outputted by base-classifiers to generate meta-features for the meta-classifier. The FPR of the AIDS is significantly reduced through adopting the proposed false positive elimination strategy (FPES). In addition, a Bayesian optimization algorithm is used for hyper-parameters adjustment to optimize the overall performance of the RIDS. The proposed RIDS is evaluated using both a KDD99 dataset and a CBTC dataset collected on a hardware-in-the-Ioop simulation platform. For the KDD99 dataset, the TPR and FPR of the proposed RIDS are 98.6% and 1.3%, respectively. For the CBTC dataset, the TPR and FPR are 98.1% and 1.1 %, respectively. Based on the performance comparison among different RIDSs, it is can be concluded that the proposed RIDS is superior to the existing RIDS in both TPR and FPR.