
An Intrusion Detection Method Based On Multiple Models And Hidden Markov Model For CBTC Systems

Posted on: 2021-04-08
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Song
GTID: 2392330614471217
Subject: Traffic Information Engineering and Control
Abstract/Summary:
Communication Based Train Control (CBTC) systems are critical facilities for the safe and efficient operation of trains. CBTC uses a large number of commercial information components, which bring serious threats to CBTC. Intrusion detection can identify attacks and provide an important basis for formulating a security strategy. However, attacks may trigger the fault-security mechanism of CBTC. Because it is difficult to distinguish between attacks and faults, the performance of CBTC intrusion detection is reduced.

This paper focuses on an intrusion detection method for CBTC based on multiple detection models and a Hidden Markov Model (HMM). The multiple models are built on communication and device states, and the HMM is adopted for the information fusion of the different detection models. As a result, attacks and faults can be distinguished, and the performance of the intrusion detection system is improved. Exponentially Weighted Moving Average (EWMA) and random forest are adopted to build the detection models based on communication, and a Bayesian network is used to build the detection model based on device states. In addition, an experimental environment is established to verify the effectiveness of the proposed method. The main work of the paper is as follows:

(1) The characteristics of CBTC are analyzed, including communication, protocols, devices, and so on. The principles of attacks that may occur in CBTC are studied. An intrusion detection scheme is proposed according to both the detection requirements and the CBTC characteristics.

(2) Communication detection methods using EWMA and random forest are each studied. On the one hand, the flow sequence is analyzed by the improved EWMA algorithm. On the other hand, typical packet features are extracted. As the distribution of communication in CBTC is stable, the adjustable entropy of these features is calculated. The random forest algorithm is used to classify the packets based on the processed features.

(3) A device state detection method using a Bayesian network is proposed. The states of the devices in the subsystem are used as nodes of the Bayesian network. Structure and parameter learning algorithms suitable for CBTC are selected. The states of CBTC are then determined through Bayesian network inference. With the probabilities of the state nodes, attacks and faults can be preliminarily distinguished.

(4) An information fusion method based on HMM is proposed. The disadvantages of a single detection model are analyzed. HMM is adopted to fuse the detection results of the different models.

An experimental environment of CBTC is built, where data is collected and the intrusion detection dataset is generated, so that the performance of the method in this paper can be evaluated. The dataset, which includes attacks and faults, is used to evaluate the performance of the proposed intrusion detection method. Results show that the method can accurately identify attacks on CBTC, where the true positive rate is 99.02%. The method can also effectively distinguish between attacks and faults. Compared with traditional detection methods, the accuracy is improved by 8%-19%. The intrusion detection method can significantly improve the security protection capability of CBTC systems.
Keywords/Search Tags: Intrusion detection, CBTC, EWMA, Random Forest, Bayesian network, HMM