Abstract

Real-time Ethernet has been applied to the train control and management system (TCMS) of 250 km/h Fuxing Electric Multiple Units (EMUs) and some urban rail vehicles. The openness of the Ethernet communication protocol exposes the train communication network to the risk of intrusion attacks. It is therefore necessary to introduce a safety protection technology into train communication networks based on real-time Ethernet. In this paper, a train communication network intrusion detection system based on anomaly detection and attack classification is proposed. First, the paper builds an anomaly detection model based on support vector machines (SVM). The particle swarm optimization-support vector machines (PSO-SVM) and genetic algorithm-support vector machines (GA-SVM) optimization algorithms are used to optimize the kernel function parameters of the SVM. Second, the paper builds two attack classification models based on random forest: iterative dichotomiser 3 (ID3) and classification and regression tree (CART). The intrusion detection and attack classification models are then tested using the public data set knowledge discovery and data mining-99 (KDD-99) and the data set of the simulation train real-time Ethernet test bench. PSO-SVM improves the intrusion detection accuracy from 90.3% to 95.75%, and GA-SVM improves the detection accuracy from 90.3% to 95.85%. The training time of the PSO-SVM algorithm was higher than that of the GA-SVM algorithm, and much higher than that of the SVM without optimization. Both the ID3 and CART models are verified as valid for attack classification. However, the ID3 algorithm obtained 100% accuracy on the training set and only 32.89% accuracy on the test set, so ID3 classifies data outside the training set poorly. The classification time of ID3 is also very long compared with CART.
The comprehensive experimental results therefore show that the intrusion detection system of train real-time Ethernet can use the GA-SVM model to detect abnormal data. After normal data has been passed, the CART model can be used to distinguish between the types of attack, so that subsequent responses and operations can be completed better. Compared with the anomaly detection model based on SVM, the proposed model improves intrusion detection accuracy, and the proposed attack classification algorithm based on CART improves computing speed while ensuring the precision of classification.
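
An added illustration, not code or data from the paper: the two split styles compared above, run on constructed single-feature records. The feature name `packets_per_ms`, the labels and all values are assumptions, as is applying the ID3-style split to a raw numeric value without discretisation. It shows one way a tree can fit its training set exactly yet classify unseen traffic poorly; it is not a claim about why the paper's ID3 model did.

```python
from collections import Counter

# Constructed records (packets_per_ms, label); not data from the paper.
TRAIN = [(1.0, "normal"), (1.2, "normal"), (1.5, "normal"), (1.7, "normal"),
         (1.9, "normal"), (7.1, "dos"), (7.8, "dos"), (8.4, "dos"), (9.0, "dos")]
TEST = [(1.1, "normal"), (1.6, "normal"), (2.2, "normal"),
        (6.9, "dos"), (8.0, "dos"), (9.5, "dos")]

def majority(rows):
    return Counter(label for _, label in rows).most_common(1)[0][0]

def gini(rows):
    counts = Counter(label for _, label in rows).values()
    return 1.0 - sum((c / len(rows)) ** 2 for c in counts)

def fit_id3(rows):
    """ID3-style multiway split: one leaf per distinct attribute value."""
    groups = {}
    for x, label in rows:
        groups.setdefault(x, []).append((x, label))
    return {x: majority(g) for x, g in groups.items()}, majority(rows)

def predict_id3(model, x):
    leaves, default = model
    return leaves.get(x, default)  # unseen value has no branch: use default

def fit_cart(rows):
    """CART-style binary split: threshold with the lowest weighted Gini."""
    xs = sorted({x for x, _ in rows})
    best = None
    for lo, hi in zip(xs, xs[1:]):
        t = (lo + hi) / 2  # candidate threshold between neighbouring values
        left = [r for r in rows if r[0] <= t]
        right = [r for r in rows if r[0] > t]
        score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
        if best is None or score < best[0]:
            best = (score, t, majority(left), majority(right))
    return best[1:]

def predict_cart(model, x):
    t, left_label, right_label = model
    return left_label if x <= t else right_label

def accuracy(predict, model, rows):
    return sum(predict(model, x) == label for x, label in rows) / len(rows)

if __name__ == "__main__":
    for name, fit, predict in (("ID3", fit_id3, predict_id3),
                               ("CART", fit_cart, predict_cart)):
        model = fit(TRAIN)
        print(name, accuracy(predict, model, TRAIN), accuracy(predict, model, TEST))
```
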

Highlights

  • With the advent of intelligent train control and management systems, more and more sensors and equipment are connected to the TCMS and data transmission in the TCMS is increasing rapidly, so real-time Ethernet with a high transmission rate is introduced into the TCMS

  • We found that classification and regression tree (CART) was faster than the iterative dichotomiser 3 (ID3) model, while its accuracy on the test set was improved compared to ID3

  • In this paper, a study was conducted on two key issues of the intrusion detection problem: anomaly detection and attack classification

Summary

INTRODUCTION

With the advent of intelligent train control and management systems, more and more sensors and equipment are connected to the TCMS and data transmission in the TCMS is increasing rapidly, so real-time Ethernet with a high transmission rate is introduced into the TCMS. R. Duo et al.: Anomaly Detection and Attack Classification for Train Real-Time Ethernet (IT) security. As a defense mechanism for the TCMS, intrusion detection technology defends the TCMS against attack and protects it, ensuring the normal functioning of train operation. Our work in this paper makes the following contributions: 1) Taking into account the characteristics of the train's real-time Ethernet, the paper divides the train intrusion detection model into two modules: anomaly detection and attack classification. Considering the large amount of real-time data in the TCMS, this paper models anomaly detection as a two-class classification problem with unbalanced samples.

RELATED WORK AND PROBLEM MODELING
PROBLEM MODELING AND CORE ALGORITHM SELECTION
DESIGN OF ANOMALY DETECTION MODEL BASED ON
ATTACK CLASSIFICATION MODEL BASED ON RANDOM FOREST
EXPERIMENT ON ANOMALY DETECTION MODEL
EXPERIMENT ON ATTACK CLASSIFICATION MODEL
Findings
CONCLUSION