Design and Implementation of Terminal Isolation Platform Software Based on CTCS-3
Published: 2019-06-06 08:37
[Abstract (translated from the Chinese original)]: As the key control system of China's high-speed passenger dedicated railway lines, the Chinese Train Control System level 3 (CTCS-3) bears the major responsibility of guaranteeing efficient, stable and safe train operation. With the informatization of train control systems, large numbers of general-purpose servers, operating systems and databases have been brought into train control systems; these products carry network security weaknesses and expose train control systems to serious network security problems. Moreover, the Radio Block Centre (RBC) in the C3 system is the train control system's external interface, which offers a channel for unauthorized intrusion. Railway operation concerns the safety of people's lives and property, and a malicious attack would cause incalculable losses, so ensuring the safe operation of the railway system is of the utmost importance. At present, the security protection of train control systems relies mainly on firewalls, antivirus software and security isolation gateways (network gaps). Firewalls and isolation gateways can defend a trusted network against attacks from an untrusted network, but cannot stop attacks launched from inside the trusted network. Antivirus software needs continual signature updates, so its defense against new viruses always lags behind. Hardening the control terminals in the system is an effective way to improve the security of the train control system: when a network attack or virus intrusion breaks through the outer protective measures, or is launched directly from within the network, the terminal remains protected. This thesis analyzes the network threats facing the C3 system and conventional network security protection techniques and, from the standpoint of protecting communication terminals, designs a hardware isolation platform for train control system communication terminals. The platform uses a dual-microprocessor architecture, integrates Ethernet, CAN and 422 (RS-422) bidirectional interfaces, and is placed at the network access point of key terminal equipment in the system, where it analyzes and filters the terminal's network communication data. The thesis develops the low-level driver software and the data processing software of the hardware platform; "whitelist" matching is used to strictly inspect every packet entering or leaving the terminal, block illegitimate packets, and report the analysis results to the host (upper) computer in real time. Communication software between the host computer and the isolation platform was written, providing visual display of the analysis results and an alarm function. To verify the performance of the terminal isolation platform, scanning tests (host scanning and port scanning), several attack tests (ARP attack, buffer overflow attack, Trojan attack, etc.) and isolation platform latency tests were carried out on the signalling safety data network of the C3 system. The results show that, without affecting the real-time performance or stability of the network, the isolation platform effectively defends against unauthorized intrusion, mutual attacks between devices inside the network and the spread of viruses within the LAN, thereby achieving security hardening of the terminal devices in the network.
[Abstract]: As the key control system of China's high-speed railway passenger dedicated lines, the Chinese Train Control System level 3 (CTCS-3) shoulders the important responsibility of ensuring the efficient, stable and safe operation of trains. With the informatization of train control systems, a large number of general-purpose servers, operating systems and databases are applied in train control systems. These products carry hidden network security dangers, which exposes train control systems to serious network security problems. Moreover, the Radio Block Centre (RBC) in the C3 system is the external interface of the train control system, which provides a channel for illegal intrusion. Railway operation is related to the safety of people's lives and property; once attacked maliciously, it would produce inestimable losses, so it is very important to ensure the safe operation of the railway system. At present, the security protection of train control systems mainly uses firewalls, antivirus software, security isolation gateways (network gaps) and so on. Firewalls and isolation gateways can be used to defend trusted networks against attacks from untrusted networks, but cannot prevent attacks launched within the trusted network. Antivirus software needs to update its signature library constantly, and its defense against new viruses always lags behind. Hardening the control terminals in the system is an effective method to improve the security performance of the train control system: when a network attack or virus intrusion breaks through the outer protection measures, or is initiated directly from inside the network, the terminal can still be protected from attack. In this paper, the network threats and conventional network security protection technologies of the C3 system are analyzed, and a hardware isolation platform for train control system communication terminals is designed from the point of view of protecting the communication terminal.
The platform adopts a dual-microprocessor structure, integrates Ethernet, CAN and 422 (RS-422) bidirectional interfaces, and is placed at the network access point of the key terminal equipment in the system, where it analyzes and filters the network communication data of that terminal. In this paper, the underlying driver software and data processing software of the hardware platform are developed. "Whitelist" matching is used to strictly examine the data packets entering and leaving the terminal, to prevent illegal data packets from flowing through, and the analysis results are transmitted to the upper (host) computer in real time. The communication software between the upper computer and the isolation platform is written, and the visual display and alarm function for the data analysis results are realized. In order to verify the performance of the terminal isolation platform, scanning tests (including host scanning and port scanning), various attack tests (including ARP attack, buffer overflow attack, Trojan horse attack, etc.) and isolation platform delay tests are carried out based on the signal system secure data network of the C3 system. The test results show that the isolation platform can effectively prevent illegal intrusion, mutual attacks between devices in the network and the spread of viruses in the LAN without affecting the real-time performance and stability of the network. The security reinforcement of the equipment terminals in the network is thereby realized.
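The "whitelist" inspection described in the abstract is, in essence, a default-deny filter placed inline at the terminal's network access point. The following C code is an added illustration of that idea and is not code from the thesis: it checks one raw Ethernet frame against a small table of permitted flows and produces a pass/drop verdict whose reason string is the kind of record that would be reported to the upper computer. The rule layout, the MAC and IP addresses, UDP port 5000 and both sample frames are constructed for this example only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* One permitted flow. The rule layout and all addresses below are constructed
   for this example; the thesis does not publish its actual whitelist format. */
typedef struct { uint8_t src_mac[6]; uint16_t ethertype;  /* 0x0800 IPv4, 0x0806 ARP */
                 uint32_t src_ip, dst_ip; uint8_t proto; uint16_t dport; } rule_t;
typedef struct { int allowed; char reason[64]; } verdict_t;
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }
/* Default-deny inspection of one raw Ethernet frame: a frame passes only if it
   matches a whitelist entry; the reason string doubles as the alarm record. */
verdict_t inspect_frame(const uint8_t *f, size_t len, const rule_t *rules, size_t n)
{
    verdict_t v = { 0, "" };
    uint32_t sip = 0, dip = 0; uint8_t proto = 0; uint16_t dport = 0;
    if (len < 14) { strcpy(v.reason, "drop: runt frame"); return v; }
    uint16_t et = be16(f + 12);
    if (et == 0x0800) {                   /* IPv4: validate header, extract flow fields */
        size_t ihl = (size_t)(f[14] & 0x0f) * 4;
        if (len < 34 || (f[14] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 4) {
            strcpy(v.reason, "drop: malformed IPv4 header"); return v;
        }
        proto = f[23]; sip = be32(f + 26); dip = be32(f + 30);
        if (proto == 6 || proto == 17) dport = be16(f + 14 + ihl + 2);
    }
    for (size_t i = 0; i < n; i++) {
        const rule_t *r = &rules[i];
        if (memcmp(r->src_mac, f + 6, 6) != 0 || r->ethertype != et) continue;
        if (et == 0x0800 && (r->src_ip != sip || r->dst_ip != dip ||
                             r->proto != proto || r->dport != dport)) continue;
        v.allowed = 1; snprintf(v.reason, sizeof v.reason, "pass: rule %zu", i);
        return v;
    }
    snprintf(v.reason, sizeof v.reason, "drop: no rule (type 0x%04x proto %u dport %u)",
             et, proto, dport);
    return v;
}
/* Constructed whitelist: only peer 02:00:00:00:00:01 (10.0.0.1) may send UDP to
   the protected terminal 10.0.0.2 on port 5000; its ARP frames are also allowed. */
static const rule_t WHITELIST[] = {
    { {2,0,0,0,0,1}, 0x0800, 0x0A000001u, 0x0A000002u, 17, 5000 },
    { {2,0,0,0,0,1}, 0x0806, 0, 0, 0, 0 } };
static const size_t WHITELIST_N = sizeof WHITELIST / sizeof WHITELIST[0];
/* Constructed frames: a permitted datagram, and a probe of port 22 from an
   unknown host 10.0.0.9 (the shape a port scan from inside the LAN takes). */
static const uint8_t FRAME_OK[] = { 2,0,0,0,0,2, 2,0,0,0,0,1, 0x08,0x00,
    0x45,0,0,0x1c, 0,0, 0,0, 64,17, 0,0, 10,0,0,1, 10,0,0,2, 0x13,0x88, 0x13,0x88, 0,8, 0,0 };
static const uint8_t FRAME_SCAN[] = { 2,0,0,0,0,2, 2,0,0,0,0,9, 0x08,0x00,
    0x45,0,0,0x1c, 0,0, 0,0, 64,17, 0,0, 10,0,0,9, 10,0,0,2, 0x13,0x88, 0x00,0x16, 0,8, 0,0 };
```

Because the match is on the full flow (source MAC, addresses, protocol and port) rather than on signatures, a scan or a new piece of malware from an unlisted host is dropped without any signature update, which is the property the abstract contrasts with antivirus software.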
[Degree-granting institution]: Southwest Jiaotong University
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP273; TP393.08
Article number: 2494225
Article link: http://sikaile.net/guanlilunwen/ydhl/2494225.html