Abnormal Behavior Detection Method Of Railway Signal Safety Data Network

The railway signal safety data network(SSDN)is an important part of the railway signal system.It is a communication platform to ensure the reliable transmission of safety information between station and station equipment,station and central signal equipment.Its safety will directly affect the traffic safety.With the continuous escalation of attack means,the information security risk faced by SSDN is gradually increasing,and we cannot completely prevent the occurrence of abnormal behavior in SSDN only through management means.In order to improve the security level of SSDN,the first step is to detect abnormal behaviors accurately.However,most of the existing intrusion detection methods are applied to Internet and industrial control systems and cannot detect abnormal behavior in SSDN comprehensively,such as network storms,vulnerability attack against dedicated signal equipment,etc.In summary,it is of great practical significance to carry out the research on abnormal behavior detection methods of railway SSDN.This paper studies the abnormal behavior detection method for railway SSDN based on the results of penetration test.First,abnormal behavior is defined as network attack and network congestion,then penetration test is used to analyze information security risks.A network attack detection method that combines Density-Based Spatial Clustering of Applications with Noise(DBSCAN)and multiple seasonal Auto-Regressive Integrated Moving Average(ARIMA)model is proposed.Combining the high real time performance of Locality Sensitive Hashing(LSH)algorithm with the high accuracy of e Xtreme Gradient Boosting(XGBoost)algorithm,a LSH-XGBoost based network congestion detection method is proposed.Finally,a simulation test platform and an abnormal behavior detection software are established to analyze the detection performance.The main work of this paper is as follows.(1)The security risks in the SSDN are analyzed.The vulnerability of SSDN is studied through penetration test.According to the results of penetration test,the possible risks in SSDN are analyzed and summarized.(2)A DBSCAN-ARIMA based network attack detection method is investigated.The parameters of DBSCAN clustering algorithm are determined adaptively by the KAverage Nearest Neighbor(KANN)algorithm,calibrates the clustering results,and then further improves the detection rate by ARIMA time series prediction.(3)A LSH-XGBoost based network congestion detection method is proposed.A generalized form of network congestion is defined,and a detection architecture for detection-classification is proposed to detect the presence of congestion in the ring network by LSH algorithm,and then classify the congestion by XGBoost classification algorithm.(4)The network attack and network congestion detection methods are verified by simulation,and the detection performance is analyzed.A SSDN simulation test platform and an abnormal behavior detection software is built.The validity of the two detection algorithms is verified and the detection performance is analyzed.The simulation results show that the abnormal behavior detection method of SSDN proposed in this paper can detect network attacks and network congestion well,with an average TPR of 98.9501% for network attacks,which is 4.55% higher than the existing method.The average TPR for network congestion is 98.2887%,and 37.9% reduction in detection time compared to a single XGBoost algorithm,significantly improving the information security level for SSDN.