WO2023065712A1

WO2023065712A1 - Distributed train control network intrusion detection method, system, and storage medium

Info

Publication number: WO2023065712A1
Application number: PCT/CN2022/102197
Authority: WO
Inventors: 罗显光; 秦元庆; 李伟; 涂浩; 曾军; 张杨; 彭思维; 杨小波
Original assignee: 中车株洲电力机车有限公司
Priority date: 2021-10-22
Filing date: 2022-06-29
Publication date: 2023-04-27
Also published as: CN113904862A

Abstract

A distributed train control network intrusion detection method, a system, and a storage medium. The method comprises: capturing, in real time, all TRDP messages passing through a switch, and performing protocol identification and analysis on all the TRDP messages; performing compliance detection on fields of the analyzed messages according to a detection rule base to obtain compliance messages; performing feature extraction on a historical database composed of the compliance messages and then taking the historical database as input of a neural network, training the neural network, and obtaining an anomaly detection model; and for new train control network data, marking anomaly data flow of the train control network by using the anomaly detection model and generating corresponding alarm information. Known-type attacks and unknown-type attacks of the train control network can be detected, computing resource constraints of a vehicle-mounted network management switch and the real-time requirement for detection of the known-type attacks can be met, and the capacity of detecting the unknown-type attacks by means of message flow features and application data is also achieved; the detection real-time performance and accuracy are greatly improved.

Description

Distributed train control network intrusion detection method, system, and storage medium

technical field

The invention relates to the field of information security, in particular to a distributed train control network intrusion detection method, system and storage medium.

Background technique

The train control network is a data communication system used to connect train cars and the on-board equipment distributed in each car to realize train control, information sharing, fault diagnosis, passenger service and other functions. The traditional train control network mostly uses serial field bus Technologies, such as TCN (Train Communication Network), WorldFIP, LonWorks, ARCNET and CAN, among which the TCN technology combining WTB (Wired Train Bus) and MVB (Multifuction Vehicle Bus) is the most widely used in our country.

With the continuous integration and development of rail transit and IT technology, the network structure of trains is becoming more and more complex, the types of on-board intelligent devices are increasing, and passengers' demand for streaming media such as video and audio is increasing. Traditional low-speed fieldbus communication has been unable to meet need. Ethernet has the advantages of low cost, easy networking, good compatibility, and high bandwidth. With the continuous improvement of the carrier sense multiple access (CSMA/CD) method with collision detection and the improvement of other technologies, the Ethernet Network technology can adapt to the requirements of the train control network. The IEC 61375-2-5 (Ethernet Train Backbon, ETB) and IEC 61375-3-4 (Ethernet Consist Network, ECN) communication standards promulgated by the International Electrotechnical Commission in 2010 aim to replace the application of WTB and MVB in train communication networks .

The widespread use of general IT technologies such as embedded systems and Ethernet in train control systems, on the one hand, is conducive to system integration and interconnection, breaks traditional information islands, and improves the control quality and operational efficiency of train systems; Due to the use of Commercial Off The Shelf (COTS) and open protocols, as well as the lack of information security awareness in the design process, the train control system is facing increasingly serious information security threats, which affect the safe operation of the system.

Intrusion detection technology is an efficient active protection technology for information security. Through the monitoring of network traffic and in-depth analysis of communication protocols, it can quickly discover abnormal network behaviors, filter illegal messages or trigger security alarms. Designing a reasonable intrusion detection system in the train control network is of great practical significance for timely discovering the attack behavior against the train control network, ensuring the safe operation of the train, and preventing the occurrence of major security accidents.

As the core equipment of the train control network, the vehicle-mounted network management switch should not only meet the reliability, real-time and environmental adaptability requirements of the train control network, but also fully consider the information security threats of the train control network, and enhance access control, authority management, and message management. Filtering and other information security protection functions. Most of the existing train on-board network management switches follow the security technology of IT general switches, without considering the characteristics of the Train Realtime Data Protocol (TRDP) in the train control network, and do not have advanced information security protection such as protocol in-depth analysis, intrusion detection and response Function.

Although most rule-based intrusion detection methods can quickly detect illegal packets, the defect of such detection methods is that they can only detect known types of attacks, but cannot deal with unknown attacks. Therefore, how to integrate the two intrusion detection methods organically, according to the characteristics of train network communication, can not only adopt a simple rule matching method for known types of attacks, improve the real-time performance of intrusion detection, but also cover unknown types of attacks, and realize the Automatic updating of detection rules is a technical problem to be solved urgently.

The problem of intrusion detection of industrial control systems has received extensive attention from domestic and foreign researchers. The collaborative intrusion detection proposed in the invention patent application 202011313226.9 refers to the real-time collection of user data (enterprise management platform), equipment data (industrial host computer logs) and network traffic. Data (access control roles, permissions and email behavior data) and extract the characteristics of these three types of data, perform information extraction and association relationship mining on these three types of data, build a collaborative feature system for the internal industrial control network of the enterprise, and then use machine learning The method of collaborative feature data is trained to achieve the purpose of collaborative intrusion detection. This method is oriented to the internal industrial control network of the enterprise rather than the train communication network. Although it can detect unknown types of attacks, the real-time and accuracy of detection are low, and it cannot meet the real-time requirements of train communication network data. Very complex and difficult to implement.

Contents of the invention

The technical problem to be solved by the present invention is to provide a distributed train control network intrusion detection method, system, and storage medium for the deficiencies of the prior art, which can improve Check real-time and accuracy.

In order to solve the above-mentioned technical problems, the technical solution adopted in the present invention is: a distributed train control network intrusion detection method, comprising the following steps:

S1. Real-time capture of all TRDP messages passing through the switch, and perform protocol identification and analysis on TRDP messages;

S2. Perform compliance detection on each field of the parsed message according to the detection rule base to obtain a compliant message;

S3. Taking the historical database composed of compliant messages as the input of the neural network after feature extraction, and training the neural network to obtain an abnormality detection model;

S4. For new train control network data, repeat steps S1 and S2, and use the abnormality detection model to mark the abnormal data flow of the train control network and generate corresponding alarm information.

The present invention first identifies and analyzes the TRDP message, and then performs compliance detection on the analyzed result, and uses the compliance message after the compliance detection as the input of the neural network, that is, the present invention uses rule-based misuse Detection and machine learning-based anomaly detection are organically integrated in the train communication network, which has the advantages of the rapidity of misuse detection and the coverage of anomaly detection for unknown types of attacks. It is capable of detecting known types of attacks and unknown types of train control networks. At the same time, it greatly improves the real-time and accuracy of detection.

In the present invention, in order to make the machine learning algorithm (neural network) have certain growth, it also includes:

S4. If the detection rule base does not contain the attack type corresponding to the alarm information, put the attack type into the detection rule base in step S2, and update the detection rule base.

During the implementation of the method of the present invention, the detection rule base can be continuously updated according to the actual situation. With the increase of detection samples, the detection results of the present invention will become more and more accurate.

When checking the compliance of each field of the parsed message according to the detection rule base, if an illegal message is detected, an illegal message alarm message will be output.

In the present invention, the abnormal alarm information output by the abnormal detection model and the above-mentioned illegal message alarm information can be displayed in real time on the human-computer interaction interface of the security host to remind the user to perform corresponding emergency treatment.

The specific implementation process of step S1 includes:

1) judge whether the current Ethernet frame is an IP protocol, if not, then abandon the analysis of this Ethernet frame, for the next Ethernet frame, perform step 1); if so, then perform step 2);

2) judge the type of the transport layer protocol according to the protocol identification of the IP protocol, if the transport layer protocol is a TCP protocol, then enter step 3); if the transport layer protocol is a UDP protocol, then proceed to step 4);

3) if the TCP protocol message type is a TRDP-MD message, enter step 6), if not, then abandon the analysis of the current Ethernet frame, and for the next Ethernet frame, perform step 1);

4) If the UDP protocol message type is a TRDP-MD message, enter step 6); if the UDP protocol message type is a TRDP-PD message, enter step 7); if not in the TRDP-MD or TRDP-PD message one, proceed to step 5);

5) Read the message type MsgType of the TRDP agreement, if MsgType belongs to the set A of definition, then the current message is a TRDP-MD message, enter step 6), if MsgType belongs to the set B of definition, then the current message is TRDP-MD message PD, enter step 7); if MsgType neither belongs to set A nor to set B, then abandon the analysis of the current Ethernet frame, and for the next Ethernet frame, perform step 1);

6) Copy the data of the current message TRDP protocol part into the predefined TRDP-MD structure variable, obtain all field values of the message data defined by the TRDP protocol, and proceed to step 1);

7) Copy the data of the TRDP protocol part of the current message into the predefined TRDP-PD structure variable, obtain all field values of the process data defined by the TRDP protocol, and proceed to step 1).

1)

The present invention utilizes the protocol deep analysis technology to realize rapid detection and attack isolation of abnormal messages, and further improves the real-time performance of the intrusion detection process.

In step S2, the detection rule library includes MAC/IP compliance detection rules, port compliance detection rules, PDU compliance detection rules, and FDU compliance detection rules. Compliance detection can further improve the accuracy of detection results.

The specific implementation process of step S3 includes:

A) Extract the six-tuple information of each compliant message in the historical database, and synthesize the six-tuple information into a network flow, select N network flows as features, and calculate the corresponding feature values; combine all non-numeric values in the feature values The features are numericalized, and then all feature values are normalized; normal message tags or abnormal message tags are added to the set of normalized feature values;

B) carry out the processing of step A) to the rest compliance messages in the historical database, all the collections that add normal message labels or abnormal message labels form the training data set; The training data set is randomly divided into a training set and a test set;

C) The training set is used as the input of the neural network, the neural network is trained, and the trained neural network is tested by using the test set until an expected abnormality detection model is obtained.

The present invention also provides a distributed train control network intrusion detection system, including a plurality of vehicle-mounted network management switches and a security host; the vehicle-mounted network management switches are configured to perform the following steps:

The security host is configured to execute: taking the feature extraction of the historical database composed of compliance messages as the input of the neural network, training the neural network, and obtaining an abnormality detection model.

The present invention implements the operations of steps S1 and S2 on the vehicle-mounted network management switch, realizes the training of the neural network on the security host, saves the computing resources of the vehicle-mounted network management switch, and makes the intrusion detection method not subject to the constraints of the computing resources of the vehicle-mounted network management switch. At the same time, The on-vehicle network management switch and the security host can perform related operations at the same time, further improving the real-time performance of detection.

As an inventive concept, the present invention also provides a computer device, including a memory, a processor, and a computer program stored on the memory; the processor executes the computer program to implement the steps of the intrusion detection method of the present invention.

As an inventive concept, the present invention also provides a computer-readable storage medium, on which a computer program/instruction is stored; when the computer program/instruction is executed by a processor, the steps of the intrusion detection method of the present invention are implemented.

As an inventive concept, the present invention also provides a computer program product, including a computer program/instruction; when the computer program/instruction is executed by a processor, the steps of the intrusion detection method of the present invention are implemented.

Compared with prior art, the beneficial effect that the present invention has is:

1. The present invention can detect known types of attacks and unknown types of attacks on the train control network, which can not only meet the computing resource constraints of the on-board network management switch and the real-time requirements for detection of known types of attacks, but also have the characteristics of message flow and The ability to apply data to detect unknown types of attacks greatly improves the real-time and accuracy of detection.

2. The present invention uses protocol deep analysis technology to realize rapid detection and attack isolation of abnormal messages.

Description of drawings

Fig. 1 is a structural diagram of a distributed train control network intrusion detection system according to Embodiment 1 of the present invention;

Fig. 2 is the flow chart of TRDP protocol parsing in embodiment 2 of the present invention;

Fig. 3 is a flow chart of the misuse detection method of Embodiment 2 of the present invention;

FIG. 4 is a flow chart of anomaly detection based on LSTM in Embodiment 2 of the present invention;

FIG. 5 is a flowchart of offline establishment and training of an LSTM model according to Embodiment 2 of the present invention.

Detailed ways

As shown in Figure 1, the distributed train control network intrusion detection system proposed by the present invention includes three modules: TRDP protocol depth analysis module, rule-based misuse detection module and machine learning-based anomaly detection module, wherein the first two modules Embedded into each on-board network management switch in the train control network, it can quickly detect and isolate known types of attacks; the anomaly detection process based on machine learning is implemented on an independent security host, which forwards the attack to each network management switch In order to make up for the defect that the rule-based detection method cannot detect unknown types of attacks, it can identify abnormal behaviors that are not included in the rule base of the network management switch (that is, the detection rule base), as shown in Figure 1. shown. The TRDP protocol in-depth analysis module captures all TRDP messages passing through the switch in real time, and performs protocol identification and analysis on the messages, and the analysis results are output to the rule-based misuse detection module; the misuse detection module analyzes the analyzed Each field of the message is checked for compliance, illegal messages are filtered out and corresponding alarm information is generated, and the alarm information of the compliant message and illegal message is forwarded to the security host, and the abnormality detection module based on machine learning detects unknown attack.

1) TRDP protocol depth analysis module

The following steps are used to identify and analyze the protocol of the train real-time message, and the analysis process is shown in Figure 2:

Step 1.1: Determine the network layer protocol type according to the 13 and 14 bytes of the Ethernet frame header. If the 13 and 14 bytes of the Ethernet frame header are not 0X0800, it means that it is not an IP protocol, and the Ethernet frame is discarded. analysis, return to step 1.1, otherwise continue to step 1.2.

Step 1.2: Determine whether the transport layer protocol is TCP or UDP according to the 8th byte of the IP message header, if the byte content is 4, the transport layer is the TCP protocol, and jump to step 1.3; if the byte content If it is 17, the transport layer is UDP protocol, skip to step 1.4; if the content of the byte is other values, end the parsing and return to step 1.1

Step 1.3: Read the 3rd and 4th bytes of the TCP message header (that is, the destination port number of the message), and judge the message type; if it is 20550, the current message is TRDP-MD (TRDP-Message Data, TRDP message data), skip to step 1.6; if it is other values, then give up the parsing of this Ethernet frame.

Step 1.4: Read the 3rd and 4th bytes of the UDP message header (that is, the destination port number of the message), if it is 20550, then the current message is TRDP-MD, jump to step 1.6; if it is 20548, Then the current message is TRDP-PD (TRDP-Process Data, TRDP process data), jump to step 1.7; if it is other values, jump to step 1.5.

Step 1.5: Read the message type MsgType of the 7th and 8th bytes of the TRDP protocol part. If MsgType belongs to set A, the current message is TRDP-MD, and skip to step 1.6; if MsgType belongs to set B, the current message If it is TRDP-PD, go to step 1.7; otherwise, end the parsing of the current message and return to step 1.1. Sets A and B are defined as follows:

A={'4D6E':'Mn','4D72':'Mr','4D70':'Mp','4D71':'Mq','4D63':'Mc','4D65':'Me' }, B={'5072':'Pr','5070':'Pp','5064':'Pd','5065':'Pe'}, the first half of each element in the set is 2 words The ASCII code of the section, and the second half indicates the corresponding letter, that is, the type of the message.

Step 1.6: Copy the data of the TRDP protocol part of the current message to the predefined TRDP-MD structure variable, and obtain all field values of the message data defined by the TRDP protocol, including communication identifier (ComId), ETB topology count (etbTopoCnt ), data set length (DatasetLength), reply ComId, reply IP address, etc.; go to step 1.1.

Step 1.7: Copy the data of the TRDP protocol part of the current message to the predefined TRDP-PD structure variable, and obtain all field values of the process data defined by the TRDP protocol, including communication identifier (ComId), ETP topology count (etbTopoCnt ), data set length (DatasetLength), etc.; go to step 1.1.

The in-depth analysis result of the TRDP protocol of the message is stored in a predefined structure variable and provided to the misuse detection module for use.

2) Rule-based misuse detection module

For the parsed TRDP message, perform the message compliance detection of the following steps, filter illegal messages and generate corresponding alarm information:

Step 2.1 MAC/IP compliance detection: Each intelligent device in the train control network adopts static IP allocation, and the IP address space used is 10.0.0.0/8. Therefore, the vehicle-mounted network management switch can adopt a whitelist mechanism to detect unknown devices that are not in the whitelist to access the control network, and generate corresponding alarm information; Match detection, intercept mismatched messages and generate corresponding illegal message alarm information, divide IP addresses for devices with different functions, match IP addresses with ComId and DatasetLength, and use non-corresponding ComId and DatasetLength for a device with an IP address , to warn or intercept.

Step 2.2 Port compliance detection: Set the service ports used in the train communication network to the port whitelist, for example, TRDP-PD data communicates through port 20548, and TRDP-MD data communicates through port 20550. Communication outside the port whitelist is illegal communication. Or use the blacklist to put the port corresponding to the unopened service into the port blacklist. Once the port communication data in the blacklist is detected, it means that there is illegal traffic. Users can configure the legal port whitelist of the train control network, and the misuse detection module will intercept messages whose port numbers are not in the white list, and generate corresponding illegal message alarm information.

Step 2.3 PDU (Protocol Data Unit, protocol data unit) compliance detection: ComId is the unique identifier of PDU user data, the user can configure the matching rules between ComId and PDU security-related key fields, when the message to be detected appears both When there is a mismatch, the message is intercepted and a corresponding illegal message alarm message is generated.

Step 2.4 FDU (Function Data Unit) compliance detection: The function identifier, sub-function identifier and function instance number in the TRDP data packet all have fixed and legal combinations. Users can configure security-related key field combination rules to intercept mismatch reports. text and generate corresponding illegal message warning information.

The misuse detection module sends the illegal message alarm information generated and the compliance message through the train control network to the security host through the train control network, and the security host stores the illegal message alarm information in the alarm information database and displays it on the On the human-computer interaction interface of the intrusion detection system, the user is reminded that illegal messages appear in the train control network; the security host stores the compliant messages in the compliant message database, which is used to construct the training data set for the abnormal detection model .

In the present invention, the TRDP protocol deep analysis module and the rule-based misuse detection module are deployed on each vehicle-mounted network management switch in the train control network; the abnormality detection module based on machine learning is deployed on the security host.

In specific implementation, the open-source lightweight intrusion detection software Snort can be extended to realize the in-depth analysis of TRDP protocol and the rule-based misuse detection function, and the software can be embedded in the on-board network management switch in the train control network. The flow chart of the Snort-based misuse detection method is shown in Figure 3. In order to increase Snort's support for TRDP protocol detection, its detection rule field needs to be expanded, as shown in Table 1, and some custom train control network detection rules are shown in Table 2:

Table 1 Snort new detection rule field

Table 2 Example of detection rules for Snort part of the custom train communication network

The on-vehicle network management switch filters the detected illegal messages, and forwards the compliance messages and illegal message alarm information to the security host for abnormal detection based on machine learning. According to the characteristics of the train control network communication mode, the present invention extracts the relevant characteristics of the network flow, and proposes an anomaly detection method based on a long short-term memory network (Long Short-Term Memory, LSTM). By learning the characteristics of normal and abnormal network flows offline, an abnormality is established. Detect the model, and use the model for online anomaly detection, and generate abnormal alarm information. The schematic diagram of anomaly detection method based on LSTM is shown in Figure 4.

3) Anomaly detection module based on machine learning

The process of building and training the LSTM model offline is shown in Figure 5, including the following steps:

According to the characteristics of the train control network communication mode, the present invention extracts the relevant characteristics of the network flow, and proposes an anomaly detection method based on a long short-term memory network (Long Short-Term Memory, LSTM). By learning the characteristics of normal and abnormal network flows offline, an abnormality is established. Detect the model, and use the model for online anomaly detection, and generate abnormal alarm information.

Building and training an LSTM model offline involves the following steps:

Step 3.1: Feature Extraction. Extract the six-tuple information (including source and destination IP address, source and destination port, transport layer protocol and communication identifier) of the received compliant message to synthesize network flow, select 30 network flow characteristics as shown in Table 3, Calculate the corresponding eigenvalues.

Step 3.2: Numerical encoding of non-numerical features and normalization of feature values. Extend the non-numeric discrete eigenvalues extracted in step 3.1 to the Euclidean space using the one-hot encoding method, and digitize the non-numeric features; use the max-min normalization method to normalize all eigenvalues to the [0,1] interval.

Step 3.3: Build and train the LSTM detection model.

①Choose the cross entropy error formula

As the loss function of the neural network, where k represents the kth sample, the label vector t _k represents the label of the correct solution, using one-hot encoding, and y _k is the output of the neural network.

②Adaptive moment estimation (Adam) is selected as the gradient descent algorithm:

M _t =β ₁ M _t-1 +(1-β ₁ )g _t

F _t ＝β ₂ G _t-1 +(1-β ₂ )g _t ⊙g _t

where M _t is the first-order momentum term, which is the exponentially weighted average of the gradient g _t ; G _t is the second-order momentum term, which is the exponentially weighted average of the gradient square g _t ² ; β ₁ is the exponential decay of the first-order moment estimate; β ₂ is the exponential decay of the first moment estimate.

③Using the deep learning framework Keras to build an LSTM network model, set the number of input layer nodes as the network flow feature dimension, that is, the number of features extracted in step 3.1 is 30, and the number of hidden layer nodes is M (M is an adjustable network parameter, the user is training Adjust according to the classification performance of the model in the process), the number of output layer nodes is 2, the initialization method selects the He_normal method, the activation function selects the sigmoid function, the loss function selects the cross entropy error function Binary_crossentryopy, and the optimizer selects the Adam algorithm.

④ Perform the feature extraction and normalization processing of step 3.1 and step 3.2 on the historical data of compliance messages sent by the misuse detection module to the security host one by one, and add normal or abnormal messages to the normalized features labels to form an offline training dataset. Input the labeled training data set into the LSTM network model, use the detection rate DR, false alarm rate FAR and accuracy rate ACC as the performance metrics of the anomaly detection model, and manually adjust the network structure, β ₁ , β ₂ , learning rate, dropout Probability and other parameters to obtain a better classification model (for example, 80% of the training data set is used as the training set to train the LSTM model, and the remaining 20% is used as the test set. When the trained LSTM model is tested on the test set, the accuracy rate reaches 95%. %, it is considered that the classification model, that is, the training of the anomaly detection module is over). When the detection accuracy of the LSTM model on the training data set is higher than 95%, end the offline training, obtain an anomaly detection model that can be used for online detection, and go to the next step.

Table 3 Definition of TRDP packet flow characteristics

4) After the security host has trained the LSTM anomaly detection model, it can enter the online anomaly detection stage, mark the abnormal data flow of the train control network and generate corresponding alarm information. Security experts identify attack types not covered in the misuse detection rule base based on anomaly detection alarm logs, convert unknown attack types into known attack types, and supplement and send corresponding detection rules to the misuse detection rules of network management switches In the library, the online upgrade of the misuse detection capability is realized.

When implementing LSTM anomaly detection model training, the training algorithm shown in Table 4 can be used.

Table 4 LSTM anomaly detection model training algorithm

Claims

A distributed train control network intrusion detection method is characterized in that, comprising the following steps:

S1. Real-time capture of all TRDP messages passing through the switch, and perform protocol identification and analysis on TRDP messages;

S2. Perform compliance detection on each field of the parsed message according to the detection rule base to obtain a compliant message;

S3. Taking the historical database composed of compliant messages as the input of the neural network after feature extraction, and training the neural network to obtain an abnormality detection model;

S4. For new train control network data, repeat steps S1 and S2, and use the abnormality detection model to mark the abnormal data flow of the train control network and generate corresponding alarm information.
The distributed train control network intrusion detection method according to claim 1, is characterized in that, also comprises:

S4. If the detection rule base does not contain the attack type corresponding to the alarm information, put the attack type into the detection rule base in step S2, and update the detection rule base.
The distributed train control network intrusion detection method according to claim 1, characterized in that, in step S2, when each field of the parsed message is checked for compliance according to the detection rule base, if an illegal message is detected, Then output illegal message warning information.
The distributed train control network intrusion detection method according to claim 1, wherein the specific implementation process of step S1 includes:

1) judge whether the current Ethernet frame is an IP protocol, if not, then abandon the analysis of this Ethernet frame, for the next Ethernet frame, perform step 1); if so, then perform step 2);

2) judge the type of the transport layer protocol according to the protocol identification of the IP protocol, if the transport layer protocol is a TCP protocol, then enter step 3); if the transport layer protocol is a UDP protocol, then proceed to step 4);

3) if the TCP protocol message type is a TRDP-MD message, enter step 6), if not, then abandon the analysis of the current Ethernet frame, and for the next Ethernet frame, perform step 1);

4) If the UDP protocol message type is a TRDP-MD message, enter step 6); if the UDP protocol message type is a TRDP-PD message, then perform step 7); if the UDP protocol message type is not TRDP-MD or One of the TRDP-PD messages, then proceed to step 5);

5) Read the message type MsgType of the TRDP agreement, if MsgType belongs to the set A of definition, then the current message is a TRDP-MD message, enter step 6), if MsgType belongs to the set B of definition, then the current message is TRDP-MD message PD, enter step 7); if MsgType neither belongs to set A nor to set B, then abandon the analysis of the current Ethernet frame, and for the next Ethernet frame, perform step 1);

6) Copy the data of the current message TRDP protocol part into the predefined TRDP-MD structure variable, obtain all field values of the message data defined by the TRDP protocol, and proceed to step 1);

7) Copy the data of the TRDP protocol part of the current message into the predefined TRDP-PD structure variable, obtain all field values of the process data defined by the TRDP protocol, and proceed to step 1).
The distributed train control network intrusion detection method according to claim 1, characterized in that, in step S2, the detection rule library includes MAC/IP compliance detection rules, port compliance detection rules, PDU compliance Detection rules, FDU compliance detection rules.
According to the distributed train control network intrusion detection method according to any one of claims 1 to 5, it is characterized in that the specific implementation process of step S3 includes:

A) Extract the six-tuple information of each compliant message in the historical database, and synthesize the six-tuple information into a network flow, select N network flows as features, and calculate the corresponding feature values; combine all non-numeric values in the feature values The features are numericalized, and then all feature values are normalized; normal message tags or abnormal message tags are added to the set of normalized feature values;

B) carry out the processing of step A) to the rest compliance messages in the historical database, all the collections that add normal message labels or abnormal message labels form the training data set; The training data set is randomly divided into a training set and a test set;

C) The training set is used as the input of the neural network, the neural network is trained, and the trained neural network is tested by using the test set until an expected abnormality detection model is obtained.
A system for implementing the distributed train control network intrusion detection method according to any one of claims 1 to 6, characterized in that it includes multiple vehicle-mounted network management switches and a security host; the vehicle-mounted network management switch is configured to use to perform the following steps:

S1. Real-time capture of all TRDP messages passing through the switch, and perform protocol identification and analysis on TRDP messages;

S2. Perform compliance detection on each field of the parsed message according to the detection rule base to obtain a compliant message;

The security host is configured to perform:

The feature extraction of the historical database composed of compliant messages is used as the input of the neural network, and the neural network is trained to obtain an anomaly detection model.
A computer device, comprising a memory, a processor, and a computer program stored on the memory; characterized in that, the processor executes the computer program to realize the steps of the method according to any one of claims 1-6.
A computer-readable storage medium, on which computer programs/instructions are stored; it is characterized in that, when the computer program/instructions are executed by a processor, the steps of the method in any one of claims 1-6 are implemented.
A computer program product, including computer programs/instructions; characterized in that, when the computer program/instructions are executed by a processor, the steps of the method described in any one of claims 1-6 are implemented.