Design and Implementation of Terminal Isolation Platform Software Based on CTCS-3
Published: 2019-06-06 08:37
[Abstract]: The Chinese Train Control System level 3 (CTCS-3), the key control system of China's high-speed passenger-dedicated railway lines, bears the major responsibility of guaranteeing efficient, stable and safe train operation. As train control systems have become increasingly IT-based, large numbers of general-purpose servers, operating systems and databases have been deployed in them; these products carry network security weaknesses that expose the train control system to serious network security problems. Moreover, the Radio Block Centre (RBC) in the C3 system is the train control system's external interface, which offers a channel for illegal intrusion. Railway operation concerns the safety of people's lives and property, and a successful malicious attack would cause incalculable losses, so guaranteeing the secure operation of the railway system is of paramount importance.
At present, security protection of the train control system relies mainly on firewalls, antivirus software and security isolation gateways (network gaps). Firewalls and gaps can defend a trusted network against attacks from an untrusted network, but cannot stop attacks launched from inside the trusted network. Antivirus software needs its signature database updated continually, so its defence against new viruses always lags behind. Hardening the control terminals in the system is an effective way to improve the security of the train control system: when a network attack or virus intrusion breaks through the outer protection measures, or is launched directly from inside the network, the terminal can still be protected from attack.
This thesis analyses the network threats facing the C3 system and conventional network security protection technologies and, from the standpoint of protecting communication terminals, designs a hardware isolation platform for the communication terminals of the train control system. The platform uses a dual-microprocessor architecture, integrates bidirectional Ethernet, CAN and RS-422 interfaces, and is placed at the network access point of a key terminal device in the system, where it analyses and filters that terminal's network communication data. The thesis develops the platform's low-level driver software and data processing software; a "whitelist" matching technique strictly inspects every packet entering or leaving the terminal, blocks illegal packets, and transmits the analysis results to the upper computer (host PC) in real time. Communication software between the upper computer and the isolation platform was written, providing visual display of the analysis results and an alarm function.
To verify the performance of the terminal isolation platform, scanning tests (host scanning and port scanning), several attack tests (ARP attack, buffer overflow attack, Trojan horse attack, etc.) and isolation platform latency tests were carried out on the signalling safety data network of the C3 system. The test results show that, without affecting the real-time performance or stability of the network, the isolation platform effectively defends against illegal intrusion, mutual attacks between devices inside the network and the spread of viruses within the LAN, achieving security hardening of the terminal devices in the network.
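The abstract describes the core of the platform's data processing software: a whitelist check applied to every frame crossing the terminal's network access point, with a verdict reported to the upper computer. The following C code is an added illustration of that idea and is not the thesis's own software; the addresses, MAC bindings, rule table, verdict codes and the two frame-building helpers are all constructed for this example. It goes slightly beyond the abstract in one respect: besides matching IPv4 flows against a (source, destination, protocol, port) allowlist, it also checks ARP messages against a static IP-to-MAC binding table, which is one way a terminal-side filter can catch the ARP attack the test section mentions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdict codes the filter reports to the upper computer (constructed for this example). */
enum verdict {
    V_ALLOW = 0,
    V_DROP_MALFORMED,    /* frame shorter than the headers it claims to carry, or bad IP version */
    V_DROP_ETHERTYPE,    /* neither IPv4 nor ARP: not used on the terminal's link */
    V_DROP_NO_RULE,      /* IPv4 flow not present in the whitelist */
    V_DROP_ARP_BINDING   /* ARP sender IP/MAC pair contradicts the static binding table */
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct rule        { uint32_t src_ip, dst_ip; uint8_t proto; uint16_t dst_port; /* 0 = any port */ };
struct arp_binding { uint32_t ip; uint8_t mac[6]; };

/* Constructed whitelist for one protected terminal (10.0.0.1): its only permitted peer is 10.0.0.2. */
static const struct rule whitelist[] = {
    { IP4(10,0,0,2), IP4(10,0,0,1), 17, 5000 },   /* UDP from the peer to the terminal's application port */
    { IP4(10,0,0,1), IP4(10,0,0,2), 17, 5000 },   /* the terminal's replies to the peer */
};
/* Constructed static IP-to-MAC bindings; an ARP message that disagrees with them is dropped. */
static const struct arp_binding bindings[] = {
    { IP4(10,0,0,1), {0x02,0x00,0x00,0x00,0x00,0x01} },
    { IP4(10,0,0,2), {0x02,0x00,0x00,0x00,0x00,0x02} },
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void     wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Inspect one raw Ethernet frame; every length is checked before the corresponding bytes are read. */
enum verdict inspect_frame(const uint8_t *f, size_t len)
{
    if (len < 14) return V_DROP_MALFORMED;
    uint16_t ethertype = rd16(f + 12);

    if (ethertype == 0x0806) {                              /* ARP: 28-byte body after the Ethernet header */
        if (len < 14 + 28) return V_DROP_MALFORMED;
        const uint8_t *sha = f + 14 + 8;                    /* sender hardware address */
        uint32_t spa = rd32(f + 14 + 14);                   /* sender protocol address */
        for (size_t i = 0; i < sizeof bindings / sizeof bindings[0]; i++)
            if (bindings[i].ip == spa)
                return memcmp(bindings[i].mac, sha, 6) == 0 ? V_ALLOW : V_DROP_ARP_BINDING;
        return V_DROP_ARP_BINDING;                          /* sender IP unknown to this segment */
    }
    if (ethertype != 0x0800) return V_DROP_ETHERTYPE;

    if (len < 14 + 20) return V_DROP_MALFORMED;
    const uint8_t *ip = f + 14;
    if ((ip[0] >> 4) != 4) return V_DROP_MALFORMED;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < 14 + ihl) return V_DROP_MALFORMED;
    uint8_t  proto = ip[9];
    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);

    uint16_t dport = 0;
    if (proto == 6 || proto == 17) {                        /* TCP / UDP: destination port at transport offset 2 */
        if (len < 14 + ihl + 4) return V_DROP_MALFORMED;
        dport = rd16(ip + ihl + 2);
    }
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++) {
        const struct rule *r = &whitelist[i];
        if (r->src_ip == src && r->dst_ip == dst && r->proto == proto && (r->dst_port == 0 || r->dst_port == dport))
            return V_ALLOW;
    }
    return V_DROP_NO_RULE;                                  /* default deny: everything not listed is blocked */
}

/* Build a minimal IPv4/UDP frame (constructed test input) into buf; returns its length. */
size_t build_udp_frame(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t dport)
{
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x00;                        /* EtherType IPv4 */
    buf[14] = 0x45;                                        /* version 4, IHL 5 (20 bytes) */
    buf[17] = 28;                                          /* total length: 20 IP + 8 UDP */
    buf[22] = 64;  buf[23] = 17;                           /* TTL, protocol UDP */
    wr32(buf + 26, src); wr32(buf + 30, dst);
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;   /* UDP destination port */
    return 42;
}

/* Build an ARP reply claiming that ip is at mac (constructed test input) into buf; returns its length. */
size_t build_arp_reply(uint8_t *buf, uint32_t ip, const uint8_t mac[6])
{
    memset(buf, 0, 42);
    buf[12] = 0x08; buf[13] = 0x06;                        /* EtherType ARP */
    buf[15] = 1; buf[16] = 8; buf[18] = 6; buf[19] = 4; buf[21] = 2;   /* Ethernet, IPv4, hlen 6, plen 4, reply */
    memcpy(buf + 22, mac, 6);                              /* sender hardware address */
    wr32(buf + 28, ip);                                    /* sender protocol address */
    return 42;
}

int main(void)
{
    uint8_t frame[64];
    static const uint8_t bogus_mac[6] = {0xde,0xad,0xbe,0xef,0x00,0x01};
    size_t n = build_udp_frame(frame, IP4(10,0,0,2), IP4(10,0,0,1), 5000);
    printf("peer -> terminal UDP/5000 : verdict %d\n", inspect_frame(frame, n));
    n = build_udp_frame(frame, IP4(10,0,0,9), IP4(10,0,0,1), 5000);
    printf("unknown host -> terminal  : verdict %d\n", inspect_frame(frame, n));
    n = build_arp_reply(frame, IP4(10,0,0,2), bogus_mac);
    printf("ARP reply with wrong MAC  : verdict %d\n", inspect_frame(frame, n));
    return 0;
}
```

The design point to take from this is that the filter is default-deny and stateless: a frame passes only if it matches an explicit entry, and any frame too short for the headers it advertises is rejected before a single header field is trusted, which is the property a terminal-side device needs in order to add no failure modes of its own to a safety network. On the real platform the verdict and the rejected frame's summary would be sent to the upper computer for display and alarming, as the abstract describes.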
[Degree-granting institution]: Southwest Jiaotong University
[Degree level]: Master
[Year of award]: 2014
[Classification number]: TP273;TP393.08
Article number: 2494225
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2494225.html