CN112019478A - TRDP protocol based train network safety protection method, device and system - Google Patents

Info

Publication number: CN112019478A
Authority: CN (China)
Prior art keywords: trdp, protocol, network, message, white list
Legal status: Pending
Application number: CN201910457139.1A
Other languages: Chinese (zh)
Inventors: 唐军, 冯全宝, 蒋国涛, 刘望, 刘文超, 李思源, 殷建华, 陈仲海, 宁振钧
Current assignee: CRRC Zhuzhou Institute Co Ltd; Beijing Winicssec Technologies Co Ltd
Original assignee: CRRC Zhuzhou Institute Co Ltd; Beijing Winicssec Technologies Co Ltd
Application filed by CRRC Zhuzhou Institute Co Ltd and Beijing Winicssec Technologies Co Ltd
Priority to CN201910457139.1A
Publication of CN112019478A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B61 RAILWAYS
    • B61L GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
    • B61L15/00 Indicators provided on the vehicle or train for signalling purposes
    • B61L15/0018 Communication with or on the vehicle or train

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mechanical Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a TRDP protocol-based train network safety protection method, device and system. The method comprises the following steps: S1, receiving a TRDP network message transmitted in a train communication network and carrying out protocol analysis to obtain analysis information of the TRDP network message; and S2, carrying out security detection on the analysis information of the TRDP network message and judging, according to the analysis information, whether the TRDP network message is released. The method is simple, low in cost, capable of active defense with good defense performance, and able to resist malicious attacks such as counterfeiting and tampering.

Description

TRDP protocol based train network safety protection method, device and system
Technical Field
The present invention relates to the technical field of Train Communication Networks (TCNs), and in particular to a method, an apparatus and a system for safety protection of a train network based on the TRDP (Train Real-time Data Protocol) protocol.
Background
With the development of society the number of trains has greatly increased, train formations have grown, the content to be carried by the train network has grown and its forms have diversified, so that the traditional train communication network can hardly carry the transmission of large amounts of data and its original supporting technology no longer meets the requirements of economic and informational development. Against this background the IEC61375-3-4-2014 standard was proposed; it defines the Ethernet Communication Network (ECN) within the train communication network TCN, so that Ethernet carries the train communication network and meets the requirements of low-delay, high-volume data transmission, and the TRDP protocol, an Ethernet-based train communication protocol, arose with it. In a train communication network, once transmission efficiency is ensured, the most important issue is the communication safety of the vehicle-mounted network. With the increasingly wide application of TRDP, the control modes between the vehicle-mounted network and equipment are various and control instructions are transmitted more and more frequently, so a large number of TRDP messages are transmitted in the train network. These TRDP messages need to be protected to ensure the safety and reliability of train network transmission, and the conventional network protection mode is not suitable for a TRDP protocol train network.
For the safety protection of a train network based on the TRDP protocol, a passive defense mode is usually adopted at present: when a device is abnormal or fails, abnormality detection is started, or a blacklist preventing certain message transmission is set by knowing the protocol's vulnerabilities in advance. For example, Chinese patent application CN108173929A provides a method for diagnosing communication abnormality of the TRDP protocol, which detects abnormal traffic and proposes a repair suggestion only when a communication abnormality occurs in a device. A passive defense mode can only detect a communication abnormality after it has occurred and cannot defend actively before it occurs, so serious communication safety hazards remain; the blacklist mode requires protocol vulnerabilities to be known in advance, so its defense performance is limited.
Some practitioners propose identifying the communication protocol type of messages in the train network, so that illegal messages of an inconsistent protocol type are detected and their transmission actively prevented. However, this method only identifies the protocol type of a message and can therefore prevent only some APT attacks whose protocol type is inconsistent. For malicious attack messages produced by counterfeiting, tampering and similar methods, for instance an illegal terminal device sending a control instruction to train network equipment by forging a TRDP protocol message, the method cannot identify the forged or tampered messages because the protocol type is consistent, cannot resist attacks of this kind, and still leaves great hidden communication safety dangers. It is therefore desirable to provide a method and a system for security protection of a train network based on the TRDP protocol that achieve active defense while also resisting malicious attacks by counterfeiting, tampering and the like.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the technical problems in the prior art, the invention provides a safety protection method, device and system based on a TRDP protocol train network which are simple to implement, low in cost, capable of active defense with good defense performance, and able to resist malicious attacks such as counterfeiting and tampering.
In order to solve the technical problems, the technical scheme provided by the invention is as follows:
a safety protection method based on a TRDP protocol train network comprises the following steps:
S1, receiving a TRDP network message transmitted in a train communication network and carrying out protocol analysis to obtain analysis information of the TRDP network message;
S2, carrying out security detection on the analysis information of the TRDP network message, and judging according to the analysis information whether the TRDP network message is released.
As a further improvement of the process of the invention: in step S1, the TRDP network message is deeply analyzed to obtain information including one or more of a protocol version number, a communication mode, a train static topology sequence, a train dynamic topology sequence, an application data length, a source URI, a destination URI, a response data communication port identifier and a response data communication IP address, which together form the analysis information of the TRDP network message.
As a further improvement of the process of the invention: when the protocol is analyzed in step S1, the method further includes checking the legal values of each field of the analyzed message to determine the validity of the message; if the message is judged legal, the method goes to step S2, otherwise the illegal message is blocked or discarded.
As a further improvement of the process of the invention: before step S1, TRDP protocol identification is performed on the messages in the train communication network, and step S1 is executed once a message has been identified as a TRDP network message.
As a further improvement of the process of the invention: the security detection of step S2 includes a white list rule detection step, in which it is judged whether the analysis information of the TRDP network message conforms to a white list rule and, if so, the message is released; the white list rule is configured with the condition rules that the analysis information of a message allowed to be released must satisfy.
As a further improvement of the process of the invention: in the white list rule detection step, each field in the analysis information of the TRDP network message is compared with the corresponding configuration information in the white list rule; if all fields are consistent with the corresponding configuration information the message is released, otherwise it is blocked or discarded. The white list rule holds configuration information, corresponding to a plurality of fields specified in the TRDP protocol, that permits release.
As a further improvement of the process of the invention: the fields set in the white list rule comprise one or more of protocol version number, communication mode, train static topology sequence, train dynamic topology sequence, application data length, source URI, destination URI, response data communication port identifier and response data communication IP address.
As a further improvement of the process of the invention: the method further comprises a self-learning step, specifically: configuring a collection engine, which automatically collects information on the TRDP devices in the train network, the credibility information of newly added devices and information on the TRDP protocol data transmission between newly added devices, and generating the white list rule from the collected information.
As a further improvement of the process of the invention: when performing security detection in step S2, the method further includes a protocol security detection step before the white list rule detection step, in which protocol detection is carried out on the analysis information of the TRDP network message to judge whether the TRDP network message conforms to the TRDP protocol; if so, the method proceeds to the white list rule detection step, otherwise the message which does not conform to the TRDP protocol is isolated or blocked.
As a further improvement of the process of the invention: judging whether the TRDP network message conforms to the TRDP protocol includes judging whether each field in the analysis information of the TRDP network message conforms to the TRDP message rules; if so, the message is judged to conform to the TRDP protocol, otherwise it is judged not to conform.
A safety protection device based on a TRDP protocol train network comprises:
the protocol analysis module is used for receiving the TRDP network message transmitted in the train communication network and carrying out protocol analysis to obtain analysis information of the TRDP network message;
the safety detection module is used for carrying out safety detection on the analysis information of the TRDP network message and judging, according to the analysis information, whether the TRDP network message is allowed to pass.
As a further improvement of the apparatus of the present invention, the security detection module includes a white list rule detection unit configured to determine whether the analysis information of the TRDP network message conforms to a preset white list rule and, if so, release the TRDP network message; the white list rule is configured with the condition rules that the analysis information of a message allowed to be released must satisfy.
As a further improvement of the apparatus of the present invention, the apparatus further includes a self-learning module connected to the white list rule detection unit. The self-learning module includes a collection engine and a white list generating unit: the collection engine automatically collects information on the TRDP devices in the train network, the credibility information of newly added devices and information on which devices exchange TRDP protocol data with each other, and sends this information to the white list generating unit, which generates the white list rule from it.
As a further improvement of the apparatus of the present invention, the security detection module further includes a protocol security unit disposed at the input of the white list rule detection unit, configured to perform protocol detection on the analysis information of the TRDP network message and determine whether the message conforms to the TRDP protocol; if so, the message is handed to the white list rule detection unit, otherwise the message that does not conform to the TRDP protocol is isolated or blocked.
A TRDP protocol based train network safety protection apparatus comprising a computer readable storage medium having a computer program stored thereon which, when executed, performs the method described above.
A safety protection system based on a TRDP protocol train network comprises a centralized management device and a plurality of safety protection devices, wherein each safety protection device is respectively connected with the centralized management device and respectively arranged at different positions in the train network so as to perform safety detection on TRDP messages in the train network, and each safety protection device uploads a detection result to the centralized management device and receives data which are sent by the centralized management device and comprise strategy configuration information.
Compared with the prior art, the invention has the advantages that:
1. The invention analyzes the protocol of the TRDP network message transmitted in the train communication network, carries out safety detection based on the analysis information of the message, and blocks or discards messages whose analysis information does not meet the requirements of the TRDP protocol. Effective safety inspection of the messages in the network is thus realized based on the characteristics of the TRDP protocol and the messages that may be released are determined; malicious attack messages produced by forgery, tampering and the like can still be identified even when their protocol type conforms to TRDP. Attacks, abnormal devices and the like on the train communication network can therefore be defended against actively: besides monitoring the communication state of the train network, instruction-level fine-grained safety protection is realized, solving a series of safety problems in the train communication network such as external attack, message hijacking and tampering and abnormal traffic monitoring, and realizing various safety protection detections such as abnormal devices, abnormal traffic and attacks on the network.
2. The invention presets the white list rule by integrating the TRDP protocol and the data to be transmitted, and judges the message analysis information against the preset white list rule after the message has been analyzed. By combining deep analysis with white list detection, only the specific commands or content transmitted between the required devices are released, so that device faults caused by misoperation or malicious message forgery are prevented and attacks on the network, messages from abnormal devices and the like are defended against actively.
3. The invention realizes the safety detection of TRDP messages by combining white list rule detection with TRDP protocol detection: TRDP protocol detection catches messages that do not meet the protocol requirements and so identifies attacks by counterfeiting, tampering and the like, and white list rule detection is carried out after the TRDP protocol detection passes, so that only the specific commands or content transmitted between the required devices are released and device faults caused by misoperation or malicious message counterfeiting are prevented. Comprehensive active defense of the TRDP train network can thus be realized, external attack and message hijacking and tampering are resisted to the greatest extent, and the safety and reliability of train network communication are ensured.
4. The invention can detect an illegal terminal device that sends a control instruction to train network equipment by forging a TRDP protocol message, blocking the message and then raising an alarm, and can prevent a device from sending an erroneous control instruction because of a device failure in the network or operator misoperation, thereby effectively ensuring the communication safety of the train network.
Drawings
Fig. 1 is a schematic flow chart of an implementation of the safety protection method for a train network based on a TRDP protocol according to this embodiment.
Fig. 2 is a detailed flowchart illustrating implementation of security protection detection in an embodiment of the present invention.
Fig. 3 is a detailed flowchart illustrating the white list rule detection implemented in this embodiment.
Fig. 4 is a schematic structural diagram of the safety protection device in this embodiment.
Detailed Description
The invention is further described below with reference to the drawings and specific preferred embodiments of the description, without thereby limiting the scope of protection of the invention.
As shown in fig. 1, the method for safeguarding a train network based on a TRDP protocol in this embodiment includes the steps of:
S1, protocol analysis: receiving a TRDP network message transmitted in a train communication network and carrying out protocol analysis to obtain analysis information of the TRDP network message;
S2, safety detection: carrying out security detection on the analysis information of the TRDP network message, and judging according to the analysis information whether the TRDP network message is allowed to pass.
The embodiment performs protocol analysis on the TRDP network message transmitted in the train communication network, performs safety detection based on the analysis information of the message, and blocks or discards messages whose analysis information does not meet the requirements. Effective security checking of the messages in the network can thus be realized based on the TRDP protocol characteristics and the messages that may be released determined; for malicious attack messages such as counterfeits and tampered messages, even when the protocol type is consistent with TRDP, the malicious message can still be identified by checking the analysis information obtained from protocol analysis. Attacks, abnormal devices and the like on the train communication network are thereby defended against actively: besides monitoring the communication state of the train network, instruction-level fine-grained safety protection is realized, and the method can solve a series of safety problems in the train communication network such as external attack, message hijacking and tampering and abnormal traffic monitoring.
In step S1 of this embodiment, the TRDP network message is deeply parsed to obtain analysis information including the protocol version number, communication mode, train static topology sequence, train dynamic topology sequence, application data length, source URI, destination URI, response data communication port identifier, response data communication IP address and the like; the parsing format and the parsed fields may be configured according to actual requirements. Deep packet parsing yields the fine-grained information of the TRDP network message, and with this analysis information legal messages meeting the requirements can be accurately identified while malicious attack messages such as counterfeits and tampered messages are identified at the same time.
In this embodiment, when the protocol is parsed in step S1, the method further includes checking the legal values of each field of the parsed message to determine the validity of the message; if the values are judged legal, the method goes to step S2, otherwise the illegal message is blocked or discarded. Specifically, after the message is deeply parsed, the legal values of the parsed fields such as the protocol version number, communication mode, train static topology sequence, train dynamic topology sequence, application data length, source URI, destination URI, response data communication port identifier and response data communication IP address are judged respectively, so that illegal message transmission is effectively prevented.
In this embodiment, when receiving the TRDP network message, step S1 further includes performing TRDP protocol identification on the message and carrying out protocol analysis once the message has been identified as a TRDP network message. When each message in the train network is safety-checked, the protocol type of the message is detected first, and messages whose protocol type does not conform are handled first.
In this embodiment, the security detection of step S2 includes a white list rule detection step: judging whether the analysis information of the TRDP network message conforms to a white list rule and, if so, releasing the TRDP network message, where the white list rule is configured with the condition rules that the analysis information of a message allowed to be released must satisfy. In the embodiment, the white list rule is set by integrating the TRDP protocol and the data to be transmitted; after a message is analyzed, its analysis information is judged against the preset white list rule, and by combining deep analysis with white list detection only the specific commands or content transmitted between the required devices are released. Device faults caused by misoperation or malicious message counterfeiting are thus prevented, attacks on the network, messages from abnormal devices and the like are defended against actively, and abnormal devices, abnormal traffic and attacks on the network are detected.
In the white list rule detection step of this embodiment, specifically, each field in the analysis information of the TRDP network message is compared with the corresponding configuration information in the white list rule; if all fields match the message is released, otherwise it is blocked or discarded, and configuration information permitting release is set in the white list rule for a plurality of fields specified in the TRDP protocol. Multi-dimensional protection detection of the TRDP protocol can thus be realized based on the white list rule. The detected object in this embodiment is divided into two layers: TRDP protocol data and application data. The TRDP protocol data is the header information of the TRDP protocol, in which information such as the protocol version, communication mode and communication port is marked; the application data is the application layer data carried by the TRDP protocol, whose format is defined by the service modules participating in the communication.
In this embodiment, the fields set in the white list rule specifically include the protocol version number, communication mode, train static topology sequence, train dynamic topology sequence, application data length, source URI, destination URI, response data communication port identifier, response data communication IP address and the like. Each field of the TRDP protocol is configured in the white list rule, that is, each field is configured to permit passage when it meets certain requirements, so that a message meeting the configured requirements is allowed to pass. As shown in fig. 3, after the protocol application data in a TCP/UDP packet is extracted, whether the application data is protocol data is determined according to the TRDP protocol characteristics; if so, the message is further deeply parsed, and if the protocol data is complete, the fields obtained by parsing are compared as a group with the values configured in the white list rule, according to the protocol characteristic data obtained by deep parsing, to judge whether the packet violates the white list rule. The message is then discarded or released according to the comparison result: a message conforming to the white list rule is released, a non-conforming message is blocked, and a warning log of the white list violation is generated to record the corresponding security event.
In this embodiment, a white list template is formed by a set of white list rules, which specifically include:
protocol version: configured so that only TRDP messages with the set protocol version number are allowed to pass;
communication mode: configured so that only the set communication mode is allowed to pass;
train static topology sequence: configured so that only the set static topology number is allowed to pass;
train dynamic topology sequence: configured so that only the set dynamic topology number is allowed to pass;
application data length: configured so that only lengths within the set range are allowed to pass;
source URI: configured so that only the set source URI value is allowed to pass;
destination URI: configured so that only the set destination URI value is allowed to pass;
response data communication port identifier: configured so that only the set IP address range is allowed to pass;
response data communication IP address: configured so that only the set IP address range is allowed to pass.
The fields and their configuration in the white list rule can be set according to actual requirements; other fields may be added or other configuration modes adopted.
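The white list template above, written out as a checker. This is an added example and not code from the patent or its assignees: it takes the analysis information as a plain dict (the field names, sample values, URIs and addresses are constructed for the example), models each rule as a set of exact values, an inclusive numeric range or an IP network (the example's own representation; the response-port rule is treated here as a set of identifiers), compares every configured field as a group, and emits a warning-log line for a violating message.

```python
import ipaddress

# White list template: one rule per field named in the patent. A rule is a
# set of exact values, an inclusive (low, high) range, or an IP network.
# Every value here is constructed for the example.
WHITELIST = {
    "protocol_version": {0x0100},
    "communication_mode": {"Pd", "Pr"},
    "static_topology": {0x11},
    "dynamic_topology": {0x22, 0x23},
    "application_data_length": (8, 64),
    "source_uri": {"vcu@car01", "hmi1@car01"},
    "destination_uri": {"brake@car01", "door@car02"},
    "reply_com_id": {0, 2001},               # assumed: a set of identifiers
    "reply_ip": ipaddress.ip_network("10.0.1.0/24"),
}


def field_allowed(rule, value) -> bool:
    """Match one parsed field against its configured rule."""
    if isinstance(rule, tuple):                                   # inclusive range
        return rule[0] <= value <= rule[1]
    if isinstance(rule, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return ipaddress.ip_address(value) in rule
    return value in rule                                          # exact values


def whitelist_violations(info: dict, rules: dict = WHITELIST) -> list:
    """Compare every configured field; the message passes only if all of them match."""
    problems = []
    for name, rule in rules.items():
        if name not in info:
            problems.append(f"{name}: missing from analysis information")
        elif not field_allowed(rule, info[name]):
            problems.append(f"{name}={info[name]!r} not permitted by rule {rule!r}")
    return problems


def whitelist_decision(info: dict, rules: dict = WHITELIST):
    """Return ("release", []) for a conforming message or ("block", violations)."""
    problems = whitelist_violations(info, rules)
    return ("release" if not problems else "block"), problems


def warning_log(info: dict, problems: list) -> str:
    """Security-event record for a white list violation (constructed log format)."""
    return ("TRDP whitelist violation "
            f"src={info.get('source_uri')} dst={info.get('destination_uri')} "
            f"mode={info.get('communication_mode')} reasons=[{'; '.join(problems)}]")


# Constructed analysis information, as the parsing stage would hand it over.
LEGIT = {"protocol_version": 0x0100, "communication_mode": "Pd", "static_topology": 0x11,
         "dynamic_topology": 0x22, "application_data_length": 16, "source_uri": "vcu@car01",
         "destination_uri": "brake@car01", "reply_com_id": 0, "reply_ip": "10.0.1.20"}
# Every protocol field is valid TRDP, but the sender is not a configured device.
FORGED = dict(LEGIT, source_uri="unknown-host@car03")
# Out-of-range data length and a reply address outside the configured network.
ODD = dict(LEGIT, application_data_length=200, reply_ip="192.168.5.9")

if __name__ == "__main__":
    for label, info in (("legit", LEGIT), ("forged", FORGED), ("odd", ODD)):
        verdict, problems = whitelist_decision(info)
        print(label, verdict)
        if problems:
            print("  ", warning_log(info, problems))
```

The group comparison is what makes the forged message detectable even though its protocol type is consistent with TRDP: the source URI alone fails the template, so the message is blocked and logged.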
As shown in fig. 3, when implementing white list rule detection in the embodiment of the present invention, protocol application program data in a TCP/UDP data packet is extracted, whether the application data is the protocol data is determined according to the TRDP protocol characteristics, and if the application data is the protocol data, the protocol version, the communication mode, the train static topology sequence, the train dynamic topology sequence, the application data length, the source URI, the destination URI, the response data communication port identifier, the response data communication IP address, and the integrity of the data and whether the data is request data or response data are further analyzed.
In the embodiment, the method further comprises a self-learning step, and the specific steps comprise: and configuring a collection engine, automatically collecting the information of the TRDP equipment in the train network, the credibility information of the newly-added equipment and the information of the TRDP protocol data transmission between the newly-added equipment by the collection engine, and generating a white list rule in an auxiliary manner according to the collected information. In this embodiment, a self-learning mode is specifically started to discover devices in a network, such as which devices have TRDP protocol communication, TRDP protocol version for transmission, content or command transmitted based on TRDP, and the like, and simultaneously collect device information, specifically, a list of TRDP devices is maintained, and a user sets a trust level, a priority, remark information, and the like of the TRDP devices, and when a network topology changes or a new device is added, obtains information for selecting whether the new device is a trusted device or an abnormal device, so as to perform corresponding different processing on a packet generated by the new device, and through the learning mode, device information in a train network can be automatically collected, and the user is assisted to automatically obtain and learn a behavior mode of the TRDP protocol in the network, so that it is possible to assist in intelligently generating an effective white list rule, and further improve security protection performance. The message is not discarded when the learning mode is started, and no influence is caused on the network.
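An added example of the self-learning step described above; it is not code from the patent. The collection engine is assumed to have gathered the analysis information of observed TRDP messages as dicts, an operator-maintained device list carries each device's trust level, and a candidate white list template is derived only from exchanges between trusted devices. Devices that are untrusted or not yet classified are listed for the operator's decision and, as the text says for learning mode, nothing is dropped. Device names, field values and the dict layout are constructed for the example.

```python
from collections import defaultdict

# Operator-maintained TRDP device list: URI -> trust level (constructed values).
DEVICE_TRUST = {
    "vcu@car01": "trusted", "hmi1@car01": "trusted",
    "brake@car01": "trusted", "door@car02": "trusted",
    "unknown-host@car03": "untrusted",
}

# Fields the collection engine summarises into the candidate white list.
LEARNED_FIELDS = ("protocol_version", "communication_mode", "static_topology",
                  "dynamic_topology", "source_uri", "destination_uri",
                  "reply_com_id", "reply_ip")


def learn_whitelist(observed: list, device_trust: dict) -> dict:
    """Derive a candidate white list template from observed analysis information.

    Only messages whose source and destination are both trusted contribute to the
    rules. Anything else is recorded for review; learning mode never blocks.
    Returns the rules, the observed device-to-device flows (with their comIds),
    and the review list."""
    rules = {name: set() for name in LEARNED_FIELDS}
    lengths = []
    flows = defaultdict(set)
    review = []
    for info in observed:
        src, dst = info["source_uri"], info["destination_uri"]
        if device_trust.get(src) != "trusted" or device_trust.get(dst) != "trusted":
            review.append((src, dst, info["com_id"]))
            continue
        for name in LEARNED_FIELDS:
            rules[name].add(info[name])
        lengths.append(info["application_data_length"])
        flows[(src, dst)].add(info["com_id"])
    # Application data length becomes an inclusive range over what was seen.
    rules["application_data_length"] = (min(lengths), max(lengths)) if lengths else (0, 0)
    return {"rules": rules, "flows": dict(flows), "review": review}


def observation(src, dst, com_id, length, mode="Pd") -> dict:
    """Build one constructed record in the shape the parsing stage produces."""
    return {"protocol_version": 0x0100, "communication_mode": mode,
            "static_topology": 0x11, "dynamic_topology": 0x22,
            "application_data_length": length, "source_uri": src,
            "destination_uri": dst, "com_id": com_id,
            "reply_com_id": 0, "reply_ip": "10.0.1.20"}


# Constructed capture from a learning session.
OBSERVED = [
    observation("vcu@car01", "brake@car01", 1001, 16),
    observation("vcu@car01", "brake@car01", 1002, 32),
    observation("hmi1@car01", "door@car02", 1003, 8, mode="Pr"),
    observation("vcu@car01", "brake@car01", 1001, 16),
    observation("unknown-host@car03", "brake@car01", 1001, 16),  # flagged, not dropped
]

if __name__ == "__main__":
    result = learn_whitelist(OBSERVED, DEVICE_TRUST)
    for name, rule in result["rules"].items():
        print(f"{name}: {rule}")
    print("flows:", result["flows"])
    print("needs review:", result["review"])
```

The learned rules use the same shapes (sets of exact values, a length range) as a hand-written white list template, so the operator can review them, widen the reply-address set into a network range if wanted, and then load them into the detection stage.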
In this embodiment, when security detection is performed in step S2, a protocol security detection step precedes the white list rule detection step. The protocol security detection step comprises: performing protocol detection on the analysis information of the TRDP network message and judging whether the TRDP network message conforms to the TRDP protocol; if so, proceeding to the white list rule detection step, and otherwise isolating or blocking the message that does not conform to the TRDP protocol. In other words, when a TRDP network packet is security-checked, it is first detected whether the packet conforms to the TRDP protocol, and a non-conforming packet is isolated or blocked; for a conforming packet the original data are restored, further security detection is performed on those data according to the TRDP white list rules configured by the user, and a packet that does not conform to the white list rules is isolated or blocked.
According to the method, white list rule detection and TRDP protocol detection are combined to realize the security detection of TRDP messages. TRDP protocol detection identifies messages that do not conform to the protocol, and thereby attacks such as counterfeiting and tampering; white list rule detection is performed once TRDP protocol detection has passed, so that only the specific commands or contents transmitted between the required devices are released, and device faults caused by misoperation or maliciously forged messages are prevented. In this way comprehensive active defense of the TRDP train network is realized, external attacks are resisted to the greatest extent, tampering with messages is prevented, and the safety and reliability of train network communication are ensured.
In this embodiment, a set of policies defines the protocol detection template, the policies being the constraints imposed by the TRDP protocol, and the step of determining whether a TRDP network packet conforms to the TRDP protocol comprises: judging whether each field in the analysis information of the TRDP network message conforms to the TRDP message rules; if so, the message is judged to conform to the TRDP protocol, otherwise it is judged not to conform, and in the latter case a corresponding security record is generated. Taking the UDP-based TRDP protocol as an example, the message type field takes only four values: 5072H, 5070H, 5064H and 5065H. If the msgType field of a message is not one of these four values, the message does not conform to the TRDP protocol. Thus, if the msgType in the analysis information of the TRDP network message is one of 5072H, 5070H, 5064H and 5065H, the message is judged to conform to the TRDP protocol; otherwise it is judged not to conform, and a corresponding security record is generated.
As shown in fig. 2, when the safety protection of the train network is implemented in the embodiment of the present invention, the messages transmitted in the train network are collected and TRDP protocol identification is performed first, that is, it is determined whether a message is a TRDP message. Once a message is identified as a TRDP message, it is deeply parsed to obtain information such as the protocol URI, the destination URI, the response data communication port identifier and the response data communication IP address. During parsing, the legal value of each field is checked: legal messages go on to security detection, illegal messages are discarded, and an alarm log recording the violation of the protocol specification is generated at the same time. During security detection, TRDP messages that do not conform to the protocol are detected by TRDP protocol detection, which identifies attacks such as counterfeiting and tampering; white list rule detection is performed after TRDP protocol detection has passed, so that only the specific commands or contents transmitted between the required devices are released and device faults caused by misoperation or maliciously forged messages are prevented. Messages that do not conform to the TRDP protocol, and messages that do not conform to the white list rules, are isolated or blocked.
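The two-stage detection of the preceding paragraphs (protocol detection against a template of TRDP constraints, then white list rule detection field by field) as one added example; this is illustrative code, not the patent's implementation. Telegrams are represented as already-parsed dicts, so the example stands alone. The four msgType values are the ones the description gives; the version and payload-length constraints in the template, the field names, and the sample addresses and comIds are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

# Analysis information of one telegram as a plain dict (this example's field names).
Fields = Dict[str, Any]

# Protocol detection template: constraints a telegram must satisfy to be a
# well-formed UDP-based TRDP telegram. The msgType set is from the description;
# the major-version and payload-bound checks are assumptions of this example.
PD_MSG_TYPES = {0x5072, 0x5070, 0x5064, 0x5065}
PROTOCOL_TEMPLATE: Dict[str, Callable[[Any], bool]] = {
    "msg_type": lambda v: v in PD_MSG_TYPES,
    "protocol_version": lambda v: (v >> 8) == 1,     # major version 1 (assumed)
    "dataset_length": lambda v: 0 <= v <= 1432,      # PD payload bound (assumed)
}


@dataclass
class WhitelistRule:
    """Allowed values per field; a field not listed is unconstrained."""
    name: str
    allowed: Dict[str, set]

    def matches(self, f: Fields) -> bool:
        return all(f.get(k) in vals for k, vals in self.allowed.items())


@dataclass
class SecurityRecord:
    stage: str       # "protocol" or "whitelist"
    verdict: str     # "release" or "block"
    reason: str
    fields: Fields


def protocol_detect(f: Fields) -> Optional[str]:
    """None if every templated field conforms, else a description of the first violation."""
    for name, ok in PROTOCOL_TEMPLATE.items():
        if name not in f:
            return f"missing field {name}"
        if not ok(f[name]):
            return f"{name}={f[name]!r} violates the TRDP template"
    return None


def whitelist_detect(f: Fields, rules: List[WhitelistRule]) -> Optional[WhitelistRule]:
    """First rule whose configured values all match the telegram's fields, if any."""
    for rule in rules:
        if rule.matches(f):
            return rule
    return None


def security_detect(f: Fields, rules: List[WhitelistRule]) -> SecurityRecord:
    """Protocol detection first; only conforming telegrams reach white list detection."""
    violation = protocol_detect(f)
    if violation:
        return SecurityRecord("protocol", "block", violation, f)
    hit = whitelist_detect(f, rules)
    if hit is None:
        return SecurityRecord("whitelist", "block", "no white list rule matched", f)
    return SecurityRecord("whitelist", "release", f"matched rule {hit.name}", f)


# Constructed sample configuration: one rule releasing PD comId 1001 from 10.0.1.10 to 10.0.1.20.
SAMPLE_RULES = [
    WhitelistRule("tcms-to-brake-pd", {
        "src_ip": {"10.0.1.10"}, "dst_ip": {"10.0.1.20"},
        "com_id": {1001}, "msg_type": {0x5064}, "protocol_version": {0x0100},
    }),
]

# Constructed sample telegrams: a legitimate one, one with a non-PD msgType,
# and one from an address no rule covers.
SAMPLE_TELEGRAMS: List[Fields] = [
    {"src_ip": "10.0.1.10", "dst_ip": "10.0.1.20", "com_id": 1001,
     "msg_type": 0x5064, "protocol_version": 0x0100, "dataset_length": 8},
    {"src_ip": "10.0.1.10", "dst_ip": "10.0.1.20", "com_id": 1001,
     "msg_type": 0x4D72, "protocol_version": 0x0100, "dataset_length": 8},
    {"src_ip": "10.0.9.9", "dst_ip": "10.0.1.20", "com_id": 1001,
     "msg_type": 0x5064, "protocol_version": 0x0100, "dataset_length": 8},
]


def run_demo() -> List[SecurityRecord]:
    return [security_detect(t, SAMPLE_RULES) for t in SAMPLE_TELEGRAMS]


if __name__ == "__main__":
    for rec in run_demo():
        print(rec.stage, rec.verdict, rec.reason)
```

The order matters for the security records: a telegram that fails the protocol template is recorded as a protocol violation and never consulted against the white list, so an alarm on that stage points at malformed or forged traffic rather than at a missing rule.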
In this embodiment, the number of requests to the outside, the number of received requests, and the services provided to the outside of each device in the train network are detected and examined, so that each received/transmitted message is ensured to be credible and controllable, and the stability, reliability, and controllability of the train communication network are improved.
As shown in fig. 4, the safety protection device for a train network based on a TRDP protocol in this embodiment includes:
the protocol analysis module is used for receiving the TRDP network message transmitted in the train communication network and carrying out protocol analysis to obtain analysis information of the TRDP network message;
and the safety detection module is used for carrying out safety detection on the analysis information of the TRDP network message and judging whether the TRDP network message is released according to the analysis information.
In this embodiment, the security detection module includes a white list rule detection unit, configured to determine whether the analysis information of the TRDP network packet conforms to a preset white list rule, and if so, release the TRDP network packet, where the white list rule is set in advance according to a TRDP protocol format and data to be transmitted.
In this embodiment, the white list rule detecting unit compares each field in the analysis information of the TRDP network packet with corresponding configuration information in the white list rule, if all the fields are met, the packet is released, otherwise, the packet is blocked or discarded, and the white list rule is provided with configuration information allowing release corresponding to a plurality of designated fields in the TRDP protocol.
In this embodiment, the security detection module further includes a protocol security detection unit disposed at an input end of the white list rule detection unit, and is configured to perform protocol detection on analysis information of the TRDP network packet, determine whether the TRDP network packet conforms to a TRDP protocol, and if so, switch to the white list rule detection unit, otherwise, perform isolation or blocking control on the packet that does not conform to the TRDP protocol.
In this embodiment, the train network data transmission system further includes a self-learning module connected to the white list rule detection unit, where the self-learning module includes a collection engine and a white list generation unit, the collection engine automatically collects information of the TRDP devices in the train network, credibility information of the newly added devices, and information of which devices and devices have TRDP protocol data transmission, and sends the information to the white list generation unit, and the white list generation unit generates a white list rule according to the information collected by the collection engine.
In this embodiment, the system further includes a rule management module, configured to manage the set white list rule and the TRDP protocol, and determine whether the packet conforms to the white list rule and the TRDP protocol by calling the rule management module when performing security detection.
In the embodiment, the safety protection device detects and examines the number of external requests, the number of received requests and the services provided by the external devices in the train network, so that each received/sent message is credible and controllable, and the stability, reliability and controllability of the train communication network are improved.
The safety protection device based on the TRDP protocol train network in this embodiment corresponds to the safety protection method based on the TRDP protocol train network, and is not described in detail herein.
The embodiment also includes a safety protection device based on the TRDP protocol train network, which includes a computer readable storage medium storing a computer program, and the computer program implements the method when executed.
The safety protection system based on the TRDP protocol train network comprises a centralized management device and a plurality of safety protection devices, wherein each safety protection device is respectively connected with the centralized management device, each safety protection device is respectively arranged at different positions in the train network to perform safety detection on messages in the train network, and each safety protection device uploads a detection result to the centralized management device and receives data which are sent by the centralized management device and comprise policy configuration information.
Other functional modules can be configured according to actual requirements, such as a statistical analysis module configured for statistical analysis.
In a specific application embodiment of the present invention, the safety protection system is configured into three modes, namely a learning mode, an alarm mode and a normal mode, and the execution flow of the safety protection system is as follows:
Step 1, connecting each safety protection device configured in the train network to the centralized management equipment; the safety protection devices support distributed deployment, and the centralized management equipment manages each safety protection device centrally and provides functions such as white list rule issuing and log collection.
Step 2, setting the white list rules on the centralized management equipment.
Step 3, operating the safety protection system in learning mode to discover the devices in the network: which devices communicate over the TRDP protocol, which TRDP protocol versions are transmitted, what contents or commands are transmitted over TRDP, and the like. Device information is then collected, and the user sets the credibility level, priority, remark information and the like of each TRDP device. Finally, when the network topology changes or a device is added, the user selects whether the newly added device is a credible device or an abnormal device, and the messages generated by the newly added device are processed differently accordingly. The learning mode thus assists the user in understanding the behaviour pattern of the TRDP protocol in the network and in generating the white list rules; no message is discarded while the learning mode runs, so the network is not affected.
Step 4, operating the safety protection system in alarm mode to further verify the integrity and correctness of the TRDP white list rules. In alarm mode, a message violating the white list rules only generates an alarm and is not discarded, so the network is not substantially affected while the integrity and correctness of the TRDP white list policy are verified.
Step 5, operating the safety protection system in normal mode, whereupon safety protection is executed: the safety protection device acquires the messages passing through it, performs deep protocol parsing and analysis, matches them against the TRDP protocol and the white list rules, blocks messages that hit no rule and generates alarm information; the protection function of the safety protection system is thereby in effect.
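The three operating modes of Steps 3 to 5, together with the self-learning collection engine and white list generation described earlier, as one added example. This is illustrative code written for this page, not the patent's implementation. A learned communication relation is keyed here on (source IP, destination IP, comId, msgType); that choice, the rule that only relations between two user-trusted devices become white list rules, and the sample addresses and comIds are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Learned communication relation: (source IP, destination IP, comId, msgType).
FlowKey = Tuple[str, str, int, int]


@dataclass
class Telegram:
    """Analysis information of one TRDP telegram (constructed, already parsed)."""
    src_ip: str
    dst_ip: str
    com_id: int
    msg_type: int
    protocol_version: int


@dataclass
class DeviceInfo:
    """Entry in the maintained list of TRDP devices."""
    trusted: Optional[bool] = None          # None until the user sets a trust level
    note: str = ""                          # user remark information
    versions: Set[int] = field(default_factory=set)
    com_ids: Set[int] = field(default_factory=set)


@dataclass
class Verdict:
    action: str                 # "pass" or "block"
    alarm: Optional[str]        # alarm text when the telegram missed the white list


class TrdpGuard:
    LEARNING, ALARM, NORMAL = "learning", "alarm", "normal"

    def __init__(self) -> None:
        self.mode = self.LEARNING
        self.devices: Dict[str, DeviceInfo] = {}
        self.flows: Set[FlowKey] = set()     # relations seen by the collection engine
        self.rules: Set[FlowKey] = set()     # generated white list
        self.log: List[str] = []             # alarm log

    @staticmethod
    def key(t: Telegram) -> FlowKey:
        return (t.src_ip, t.dst_ip, t.com_id, t.msg_type)

    def set_trust(self, ip: str, trusted: bool, note: str = "") -> None:
        """User decision whether a (possibly newly added) device is credible or abnormal."""
        dev = self.devices.setdefault(ip, DeviceInfo())
        dev.trusted, dev.note = trusted, note

    def _collect(self, t: Telegram) -> None:
        """Collection engine: record devices, their versions and comIds, and who talks to whom."""
        src = self.devices.setdefault(t.src_ip, DeviceInfo())
        self.devices.setdefault(t.dst_ip, DeviceInfo())
        src.versions.add(t.protocol_version)
        src.com_ids.add(t.com_id)
        self.flows.add(self.key(t))

    def generate_rules(self) -> Set[FlowKey]:
        """White list generation: only relations between devices marked trusted become rules."""
        self.rules = {
            k for k in self.flows
            if self.devices[k[0]].trusted is True and self.devices[k[1]].trusted is True
        }
        return self.rules

    def process(self, t: Telegram) -> Verdict:
        if self.mode == self.LEARNING:
            self._collect(t)
            return Verdict("pass", None)        # nothing is dropped while learning
        if self.key(t) in self.rules:
            return Verdict("pass", None)
        alarm = f"white list miss: {self.key(t)}"
        self.log.append(alarm)
        if self.mode == self.ALARM:
            return Verdict("pass", alarm)       # alarm only; the telegram is still forwarded
        return Verdict("block", alarm)          # normal mode: block and alarm
```

Running the guard through the modes in order reproduces the procedure: the learning phase builds the device list and the observed relations without dropping anything, the user's trust decisions turn those relations into rules, alarm mode surfaces the misses so a wrong or missing rule is found before enforcement, and normal mode blocks both a telegram from an untrusted source and an unlearned comId from a trusted one.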
Through the above steps, when an illegal terminal device sends a control instruction to a train network device by forging a TRDP protocol message, the embodiment can detect the illegal terminal device, block the message it generates and raise an alarm. Likewise, when a device failure in the network or an incorrect control instruction sent to a device by an operator endangers the normal operation of the whole network and its devices, the message generated by that operation is excluded by the white list rules, so the operation is also blocked and an alarm is generated, thereby effectively ensuring the communication safety of the train network.
The foregoing is considered as illustrative of the preferred embodiments of the invention and is not to be construed as limiting the invention in any way. Although the present invention has been described with reference to the preferred embodiments, it is not intended to be limited thereto. Therefore, any simple modification, equivalent change and modification made to the above embodiments according to the technical spirit of the present invention should fall within the protection scope of the technical scheme of the present invention, unless the technical spirit of the present invention departs from the content of the technical scheme of the present invention.

Claims (16)

1. A safety protection method based on a TRDP protocol train network is characterized by comprising the following steps:
S1, receiving a TRDP network message transmitted in a train communication network and carrying out protocol analysis to obtain analysis information of the TRDP network message;
and S2, carrying out security detection on the analysis information of the TRDP network message, and judging whether the TRDP network message is released according to the analysis information.
2. The TRDP protocol-based train network security protection method according to claim 1, wherein: in step S1, the TRDP network packet is deeply analyzed to obtain information including one or more of a protocol version number, a communication mode, a train static topology sequence, a train dynamic topology sequence, an application data length, a source URI, a destination URI, a response data communication port identifier, and a response data communication IP address, so as to obtain analysis information of the TRDP network packet.
3. The TRDP protocol-based train network security protection method according to claim 1, wherein: when the protocol is analyzed in the step S1, the method further includes detecting legal values of each field of the analyzed message to determine the validity of the message, and if the message is judged to be legal, the method goes to the step S2, otherwise, the illegal message is blocked or discarded.
4. The TRDP protocol-based train network security protection method according to claim 1, wherein: before the step S1, TRDP protocol identification is performed on the message in the train communication network, and after the message is identified as a TRDP network message, the step S1 is executed.
5. The TRDP protocol-based train network security protection method according to any one of claims 1 to 4, wherein the security detection in step S2 includes a white list rule detection step, and the white list rule detection step includes: and judging whether the analysis information of the TRDP network message accords with a white list rule, if so, releasing the message, and the white list rule is configured with a condition rule which is required to be met by the analysis information corresponding to the message allowed to be released.
6. The TRDP protocol-based train network security protection method according to claim 5, wherein: in the white list rule detection step, each field in the analysis information of the TRDP network message is compared with corresponding configuration information in the white list rule, if the fields are consistent with the corresponding configuration information, the message is released, otherwise, the message is blocked or discarded, and the white list rule is provided with configuration information which corresponds to a plurality of fields specified in a TRDP protocol and allows release.
7. The TRDP protocol-based train network security protection method according to claim 6, wherein: the fields set in the white list rule comprise one or more of protocol version number, communication mode, train static topology sequence, train dynamic topology sequence, application data length, source URI, destination URI, response data communication port identification and response data communication IP address.
8. The TRDP protocol-based train network security protection method according to claim 5, further comprising a self-learning step, the specific steps including: and configuring a collection engine, automatically collecting the information of the TRDP equipment in the train network, the credibility information of the newly added equipment and the information of the TRDP protocol data transmission between the newly added equipment by the collection engine, and generating the white list rule according to the collected information.
9. The TRDP protocol-based train network security protection method according to claim 5, wherein when performing security detection in step S2, before the white list rule detection step, the method further comprises a protocol security detection step, and the protocol security detection step comprises: and carrying out protocol detection on the analysis information of the TRDP network message, judging whether the TRDP network message conforms to a TRDP protocol, if so, switching to the step of carrying out white list rule detection, and otherwise, carrying out isolation or blocking control on the message which does not conform to the TRDP protocol.
10. The TRDP protocol-based train network security protection method according to claim 9, wherein said step of determining whether said TRDP network packet conforms to a TRDP protocol includes: and judging whether each field in the analysis information of the TRDP network message conforms to the TRDP message rule, if so, judging that the message conforms to the TRDP protocol, and otherwise, judging that the message does not conform to the TRDP protocol.
11. A safety protection device based on a TRDP protocol train network is characterized by comprising:
the protocol analysis module is used for receiving the TRDP network message transmitted in the train communication network and carrying out protocol analysis to obtain analysis information of the TRDP network message;
and the safety detection module is used for carrying out safety detection on the analysis information of the TRDP network message and judging whether the TRDP network message is allowed to pass according to the analysis information.
12. The TRDP protocol train network-based security protection device of claim 11, wherein the security detection module includes a white list rule detection unit, configured to determine whether the analysis information of the TRDP network packet conforms to a preset white list rule, and if so, release the TRDP network packet, and the white list rule is configured with a condition rule that the analysis information corresponding to the packet that is allowed to be released needs to be satisfied.
13. The TRDP protocol train network based safety apparatus according to claim 12, further comprising a self-learning module connected to the white list rule detecting unit, wherein the self-learning module includes a collection engine and a white list generating unit, the collection engine automatically collects information of TRDP devices in the train network, credibility information of newly-added devices, and information of which devices and devices have TRDP protocol data transmission therebetween, and sends the information to the white list generating unit, and the white list generating unit generates the white list rule according to the information collected by the collection engine.
14. The TRDP protocol train network-based safety protection device according to claim 11 or 12, wherein said safety detection module further comprises a protocol safety detection unit arranged at an input end of said white list rule detection unit, and is configured to perform protocol detection on the parsing information of the TRDP network packet, determine whether the TRDP network packet conforms to the TRDP protocol, if so, execute the white list rule detection unit, otherwise, perform isolation or blocking control on the packet that does not conform to the TRDP protocol.
15. A TRDP protocol train network based safety guard comprising a computer readable storage medium having a computer program stored thereon, wherein the computer program when executed implements a method according to any of claims 1 to 10.
16. A train network safety protection system based on a TRDP protocol, comprising a centralized management device and a plurality of safety protection devices according to any one of claims 11 to 15, wherein each safety protection device is connected to the centralized management device, each safety protection device is respectively disposed at different positions in the train network to perform safety detection on a TRDP packet in the train network, and each safety protection device uploads a detection result to the centralized management device and receives data including policy configuration information sent by the centralized management device.
CN201910457139.1A 2019-05-29 2019-05-29 TRDP protocol based train network safety protection method, device and system Pending CN112019478A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910457139.1A CN112019478A (en) 2019-05-29 2019-05-29 TRDP protocol based train network safety protection method, device and system

Publications (1)

Publication Number Publication Date
CN112019478A true CN112019478A (en) 2020-12-01

Family

ID=73501824

Country Status (1)

Country Link
CN (1) CN112019478A (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112994950A (en) * 2021-04-07 2021-06-18 北京安天网络安全技术有限公司 Alarm false alarm eliminating method, device and computer readable medium
CN113885474A (en) * 2021-09-30 2022-01-04 株洲中车时代电气股份有限公司 Control network and train
CN114162172A (en) * 2021-12-03 2022-03-11 中车唐山机车车辆有限公司 White list establishing method, device and storage medium
CN114189350A (en) * 2021-10-20 2022-03-15 北京交通大学 A train communication network intrusion detection method based on LightGBM
CN114465796A (en) * 2022-01-30 2022-05-10 杭州立思辰安科科技有限公司 A security protection method applied to a vehicle-mounted firewall
CN114500056A (en) * 2022-01-28 2022-05-13 杭州立思辰安科科技有限公司 An attack detection method based on FF protocol
CN114500057A (en) * 2022-01-28 2022-05-13 杭州立思辰安科科技有限公司 Safety protection method and system applied to FINS industrial Ethernet
CN115776449A (en) * 2022-11-08 2023-03-10 中车工业研究院有限公司 Train Ethernet communication state monitoring method and system
CN115866558A (en) * 2022-11-23 2023-03-28 中车青岛四方机车车辆股份有限公司 5G-based dynamic networking method for rail transit wireless vehicle terminals
WO2023065712A1 (en) * 2021-10-22 2023-04-27 中车株洲电力机车有限公司 Distributed train control network intrusion detection method, system, and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107454047A (en) * 2016-06-01 2017-12-08 中车株洲电力机车研究所有限公司 A kind of train apparatus recognition methods and system for being used to prevent that illegality equipment from accessing
US20180020393A1 (en) * 2016-07-14 2018-01-18 Icomera Ab Train communication system with silent compartments
CN108055282A (en) * 2017-12-28 2018-05-18 国网浙江省电力有限公司电力科学研究院 Industry control abnormal behaviour analysis method and system based on self study white list
CN108092854A (en) * 2017-12-29 2018-05-29 中国铁道科学研究院 The test method and device of train grade ethernet device based on IEC61375 agreements
CN108173929A (en) * 2017-12-26 2018-06-15 中车大连机车车辆有限公司 Wireless upload and expert diagnostic system of the medium-and low-speed maglev train based on TRDP agreements
CN108183886A (en) * 2017-12-07 2018-06-19 交控科技股份有限公司 A kind of safety enhancing equipment of rail traffic signal system security gateway
CN109167796A (en) * 2018-09-30 2019-01-08 浙江大学 A kind of deep-packet detection platform based on industrial SCADA system
CN109525459A (en) * 2018-11-23 2019-03-26 上海控创信息技术股份有限公司 The method for testing reliability of train control system after load information security monitoring engine

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201201