CN103888446A - Protocol security isolation system oriented to railway signal control network - Google Patents

Info

Publication number: CN103888446A
Application number: CN201410070530.3A
Authority: CN (China)
Prior art keywords: network, processor, communication, interface, data
Priority date: 2014-02-28
Filing date: 2014-02-28
Publication date: 2014-06-25
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 闫连山, 孙政, 钟能, 李赛飞, 潘炜, 郭进, 张志勇
Current assignee: Southwest Jiaotong University
Original assignee: Southwest Jiaotong University
Application filed by Southwest Jiaotong University
Priority to CN201410070530.3A
Publication of CN103888446A

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The invention discloses a protocol security isolation system oriented to a railway signal control network. It consists of a first communication interface 101, a second communication interface 203, a first processor 102, a second processor 202, a high-speed dual-port RAM communication buffer 302, memory RAM, power-off storage FLASH, a human-computer interaction platform 105 and a power module 301. The first and second communication interfaces intercept the data of their respective networks at the link layer and hand it to the first processor for analysis; the analysis results and the communication content are sent to the human-computer interaction interface 105 for display and written to a database, while network data judged safe is passed to the second processor in a "ferry" manner through the high-speed dual-port RAM communication buffer 302 and then transmitted to the target terminal or network through the second communication interface 203 driven by the second processor. The invention combines multiple network technologies to monitor and securely isolate the existing railway signal control network in real time.

Description

Protocol Security Isolation System for Railway Signal Control Network

Technical field

The invention relates to the fields of embedded product design, railway communication, network information security and rail transit. Through comprehensive analysis of the data, real-time monitoring and filtering of control network data is achieved.

Background

With the rapid development of China's railways, the network security of the railway signal control network is of critical importance. It is imperative to study foreign railway safety standards, safety assessment and certification systems and, in combination with the actual situation of China's railway communication and signalling development, to establish a safety analysis and evaluation system and a certification system for China's railway communication and signalling systems.

Although it is an inevitable trend for railway communications to develop towards digitisation, intelligence, networking and integration, the openness, interconnection and resource sharing characteristic of computer networks leave online information security with inherent weaknesses; combined with security vulnerabilities in system software and a lack of strict management, this makes such networks extremely vulnerable to damage. At the same time, China's industrial control market is excessively open (for example, domestic PLC products hold less than 1% of the market, and 95% of satellite navigation system chips are imported); the core control modules of most control systems are introduced from abroad, and foreign industrial control chips and the design and configuration of foreign industrial control system products contain vulnerabilities or backdoors to some degree, which seriously threatens the security of China's industrial control networks (including railway control networks). In addition, the information transmission channel of high-speed and intercity railway signalling systems, the signal safety data network, currently operates as a closed internal network in which only the devices connected to the network exchange information with each other, with no network and information security equipment deployed inside it. This leaves the railway signal control network with a serious latent security risk.

Summary of the invention

In view of the current security risks of China's railway signal control system and the above shortcomings of the prior art relating to control networks, the present invention aims to provide a highly reliable network data isolation system.

The purpose of the present invention is achieved by the following means:

A protocol security isolation system oriented to a railway signal control network, consisting of a first communication interface 101, a second communication interface 203, a first processor 102, a second processor 202, a high-speed dual-port RAM communication buffer 302, memory RAM, power-off storage FLASH, a human-computer interaction platform 105 and a power module 301. The first and second communication interfaces intercept the data of their respective networks at the link layer and hand it to the first processor for analysis; the analysis results and the communication content are sent to the human-computer interaction interface 105 for display and written to a database, while network data judged safe is passed to the second processor in a "ferry" manner through the high-speed dual-port RAM communication buffer 302 and then transmitted to the target terminal or network through the second communication interface 203 driven by the second processor.

The invention adopts the UCOS-II real-time operating system, runs at a clock frequency of 208 MHz, and integrates an Ethernet interface, a CAN bus protocol interface, a PROFIBUS bus protocol interface, a 422 bus protocol interface and a 232 bus protocol interface.

The high-speed dual-port RAM communication buffer 302 is divided into two storage areas, A and B; areas A and B are each divided into N equal small block storage areas ai and bi (1≤i≤N), and K1 and K2 are subject to the constraints K1ai*K2ai=0 and K1bi*K2bi=0 (where K1ai denotes that K1 is connected to ai).

On the premise of satisfying the fail-safe principle required by railways, the present invention approaches the control network from the angle of its transmission security: a network protocol analysis system based on an embedded real-time operating system captures network data from the bottom layer without a protocol stack; combining network isolation, firewall, intrusion detection, whitelist and deep packet inspection technologies with the existing railway signal simulation network, it transparently analyses the data exchanged between terminals, so that the control network data gains security while still fully meeting the technical standards of the respective communication protocols.

The system of the invention is designed on a dual-CPU plus dual-port RAM structure and a real-time embedded operating system, and comprises a data acquisition and forwarding part, a whitelist storage part, a data security analysis part, an inter-processor communication part and an analysis result display part. The system performs layered analysis and multi-layer matching on the captured network communication data to obtain the real-time communication parameters of the network data; at the same time it records the characteristics of the intercepted packets and derives logical indicators of the network data by logical analysis of the recorded characteristics across multiple packets. Combining the real-time communication parameters and the logical indicators with the whitelist library not only realises security isolation between the two communicating parties but also guards against covert attacks composed of several packets, thereby preventing the transmission and spread of illegal data in the network.

The system analyses and forwards data as follows: when data from external terminal 1 arrives at the network isolation platform, the first processor intercepts the data frame above the physical layer and, according to the security level, invokes the corresponding security policy to analyse it. If the data is safe, it is written into the high-speed dual-port RAM buffer and the second processor is notified; on receiving the notification, the second processor forwards the buffered data to external terminal 2. If the data is unsafe, measures corresponding to the security level are taken (such as discarding it or raising an alarm). In this way the secure exchange of data is completed; the reverse direction works in the same way.

The device implementing the invention may consist of: a switching power supply; a digital power module; an Ethernet physical transceiver (the CPU carries its own Ethernet MAC controller); a CAN network physical transceiver and CAN network controller; a PROFIBUS master/slave station controller and transceiver; a 422 transceiver; a main-control ARM platform; and a high-speed dual-port static RAM. The Ethernet physical transceiver together with the MAC controller built into the main-control ARM forms the Ethernet data acquisition circuit; the CAN transceiver together with the CAN controller forms the CAN network data acquisition circuit; the PROFIBUS master/slave station forms the PROFIBUS network data acquisition circuit; the 422 transceiver together with the ARM serial controller forms the 422 network data acquisition circuit. All data acquisition circuits are controlled by the main-control ARM platform, and all acquired data must pass through the ARM platform's analysis and filtering.

The measures of the invention analyse both the reliability of the data frames and the authenticity of their sources during communication, largely preventing the transmission and spread of various kinds of illegal network data and ensuring the safe operation of the control system. Similar systems can be used for terminal hardening and boundary protection of control network signalling systems, improving their security.

Fig. 1 is a schematic diagram of the system composition of the invention.

Fig. 2 shows the application of the invention in a railway signal control network.

Fig. 3 is the design schematic of the high-speed dual-port RAM of the invention.

Fig. 4 is the flow chart of the system software design of the invention.

Fig. 5 is the flow chart of the data security analysis of the invention.

Fig. 6 is the real-time performance test diagram of the example system of the invention.

Fig. 7 is the test diagram of the analysis data delay of the example system of the invention.

Detailed description

To make the above objects, features and advantages of the present application clearer and easier to understand, the technical solutions in the examples of the present application are described in detail below with reference to the accompanying drawings. The examples described are only some of the examples of the invention, not all of them. All other examples obtained by a person of ordinary skill in the art on the basis of the examples of the invention, without creative effort, fall within the scope of protection of the invention.

Fig. 1 is the functional block diagram of the system. The system consists of a first communication interface 101 and a second communication interface 203, a first processor 102 and a second processor 202, a high-speed dual-port RAM communication buffer 302, memory RAM 103 and memory RAM 201, a first power-off storage FLASH 104 and a second power-off storage FLASH 204, a human-computer interaction platform 105 and a power module 301. The communication interface modules intercept the data of their respective networks at the link layer and hand it to the first processor for analysis; the analysis results and communication content are sent to the human-computer interaction interface 105 for display and written to the database, while network data judged safe is passed to the second processor in a "ferry" manner through the buffer 302 and then sent to the target terminal or network through the communication interface 203 driven by the second processor; the reverse direction works in the same way. The example system adopts the UCOS-II real-time operating system, runs at a clock frequency of 208 MHz, and integrates an Ethernet interface, a CAN bus protocol interface, a PROFIBUS bus protocol interface, a 422 bus protocol interface and a 232 bus protocol interface.

Fig. 2 shows the application of the system in a railway signal control network. At present the railway signal control network consists of three subnetworks: the signalling system safety data network, the CTC data communication network and the centralised signalling monitoring data communication network, all of which are built with detour, ring or other redundant topologies. In practical application of the invention, railway communication equipment can only be connected to the ring network through the system, and all data sent and received by the communication equipment must pass the system's security check before being delivered to the executing terminal. That is, only when the communication data between devices fully conforms to the information security library and the logical relationships configured in the system is it forwarded by the system, in a "ferry" manner, to the destination communication network or terminal. At the same time, the system allows a railway signal control terminal that has been maliciously hijacked or misoperated to isolate itself automatically and leave the ring network, which prevents the spread and propagation of illegal data and effectively protects the communication security of the network.

Fig. 3 is the design schematic of the high-speed dual-port RAM. The high-speed dual-port RAM 302 is the data communication buffer between the two processors of the network protocol analysis platform. The bandwidth of the system is therefore limited mainly by the performance of the processors and the data exchange speed of the dual-port RAM: the better the processors and the faster the dual-port RAM exchange, the higher the system bandwidth. To raise the exchange speed, the system designs the dual-port RAM with a buffered multi-channel real-time switching technique (two channels are used here to explain the principle). First, the dual-port RAM is divided into two storage areas, A and B. Then areas A and B are each divided into N equal small block storage areas ai and bi (1≤i≤N), and the switches K1 and K2 are subject to the constraints K1ai*K2ai=0 and K1bi*K2bi=0 (where K1ai denotes that K1 is connected to ai). With this design, while one of the first and second processors accesses ai or bi, the other can still access aj or bj (i≠j), which reduces the probability of read/write conflicts, raises the efficiency of the data channel and thus speeds up data exchange between the two processors.
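
The partitioned dual-port RAM described above (and in the summary), modelled as an added C example that is not code from the patent or from Southwest Jiaotong University: each area holds N blocks, the bitmasks k1 and k2 record which processor's switch is connected to each block, and the constraint K1ai*K2ai=0 becomes the invariant k1 & k2 == 0, so a writer can only fill a block the reader has released and a reader can only drain a block the writer has handed over. The block count, block size, the use of area A for CPU1-to-CPU2 traffic and area B for the reverse direction, and every function name are assumptions made for this example.

```c
/* Constructed model of the patent's dual-port RAM "ferry" buffer (Fig. 3).
 * Each area (A, B) is N equal blocks; bit i of k1/k2 means switch K1/K2 is
 * connected to block i.  K1ai*K2ai = 0 is kept as k1 & k2 == 0; this example
 * additionally keeps every block connected to exactly one side.
 * Assumption: area A carries CPU1 -> CPU2 frames, area B carries CPU2 -> CPU1. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_BLOCKS   4          /* N blocks per area (constructed value) */
#define BLOCK_SIZE 64         /* bytes per block (constructed value) */
#define ALL_BLOCKS ((1u << N_BLOCKS) - 1u)

struct area {
    uint8_t  data[N_BLOCKS][BLOCK_SIZE];
    uint16_t len[N_BLOCKS];
    uint32_t k1, k2;   /* bit i set = K1 (resp. K2) is connected to block i */
    int wr, rd;        /* next block the writer fills / the reader drains */
};

struct dpram { struct area A, B; };

static void area_init(struct area *ar, int writer_cpu)
{
    memset(ar, 0, sizeof *ar);
    /* Every block starts connected to the writing side only. */
    if (writer_cpu == 1) ar->k1 = ALL_BLOCKS; else ar->k2 = ALL_BLOCKS;
}

void dpram_init(struct dpram *m) { area_init(&m->A, 1); area_init(&m->B, 2); }

/* K1ai*K2ai = 0 for every block, and each block is held by exactly one side. */
static int area_ok(const struct area *ar)
{
    return (ar->k1 & ar->k2) == 0 && (ar->k1 | ar->k2) == ALL_BLOCKS;
}
int dpram_invariant_ok(const struct dpram *m) { return area_ok(&m->A) && area_ok(&m->B); }

static uint32_t *mask_of(struct area *ar, int cpu) { return cpu == 1 ? &ar->k1 : &ar->k2; }

/* Writer: fill the next block its own switch is connected to, then flip the
 * switches so only the other side is connected.  -1 if the reader still holds
 * that block (ring full) or the frame does not fit. */
static int area_put(struct area *ar, int cpu, const uint8_t *frame, uint16_t len)
{
    uint32_t bit = 1u << ar->wr;
    uint32_t *mine = mask_of(ar, cpu), *theirs = mask_of(ar, 3 - cpu);
    if (len > BLOCK_SIZE || !(*mine & bit)) return -1;
    memcpy(ar->data[ar->wr], frame, len);
    ar->len[ar->wr] = len;
    *mine &= ~bit;          /* disconnect own switch first ...              */
    *theirs |= bit;         /* ... then connect the other: product stays 0 */
    ar->wr = (ar->wr + 1) % N_BLOCKS;
    return 0;
}

/* Reader: drain the next block its switch is connected to, then hand it back.
 * Returns the frame length, or -1 if nothing has been ferried yet. */
static int area_get(struct area *ar, int cpu, uint8_t *out)
{
    uint32_t bit = 1u << ar->rd;
    uint32_t *mine = mask_of(ar, cpu), *theirs = mask_of(ar, 3 - cpu);
    if (!(*mine & bit)) return -1;
    int len = ar->len[ar->rd];
    memcpy(out, ar->data[ar->rd], len);
    *mine &= ~bit;
    *theirs |= bit;
    ar->rd = (ar->rd + 1) % N_BLOCKS;
    return len;
}

int dpram_send(struct dpram *m, int from_cpu, const uint8_t *frame, uint16_t len)
{
    return area_put(from_cpu == 1 ? &m->A : &m->B, from_cpu, frame, len);
}
int dpram_recv(struct dpram *m, int at_cpu, uint8_t *out)
{
    return area_get(at_cpu == 2 ? &m->A : &m->B, at_cpu, out);
}

/* Thin helpers around one global instance, so the example runs stand-alone. */
static struct dpram g_ram;
static char g_last[BLOCK_SIZE + 1];

void ferry_reset(void) { dpram_init(&g_ram); g_last[0] = 0; }
int  ferry_send(int from_cpu, const char *text)
{
    return dpram_send(&g_ram, from_cpu, (const uint8_t *)text, (uint16_t)strlen(text));
}
int  ferry_recv(int at_cpu)
{
    int n = dpram_recv(&g_ram, at_cpu, (uint8_t *)g_last);
    g_last[n < 0 ? 0 : n] = 0;
    return n;
}
const char *ferry_last_text(void) { return g_last; }
int  ferry_invariant_ok(void) { return dpram_invariant_ok(&g_ram); }

int main(void)
{
    ferry_reset();
    ferry_send(1, "frame from terminal 1");
    int n = ferry_recv(2);
    printf("CPU2 received %d bytes: %s\n", n, ferry_last_text());
    printf("invariant K1ai*K2ai=0 holds: %d\n", ferry_invariant_ok());
    return 0;
}
```

Run stand-alone it ferries one frame from CPU1 to CPU2. The send and receive functions return -1 instead of touching a block the other side still holds, which is exactly what the K1/K2 constraint is meant to guarantee, and dpram_invariant_ok() can be checked after every hand-over.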

Fig. 4 is the flow chart of the system software design. The example system consists of 7 tasks: 4 interface tasks, one dual-port RAM task, one system configuration task and one main task. When the program starts, the main task creates different work tasks according to the value of the function switch to analyse and process the corresponding network data, and transmits the processing results and data content to the human-computer interaction platform for display in real time. To change, add or delete communication terminals, the system is restarted with the function switch set to enter the configuration task and the system is reconfigured; once configuration is complete, the system automatically triggers the restart module, restarts, and returns to the normal data analysis mode. The system uses a dual-CPU architecture, and the software of the two CPUs is essentially symmetrical (only the first processor drives the human-computer interaction platform 105, so the analysis results of the second processor are transmitted in real time to the first processor through the dual-port RAM 302 for display).

Fig. 5 is the flow chart of the data security analysis. After the system captures a data frame from the line, different data security analysis functions are triggered according to the work task to handle the data of the different networks.

The safety communication protocol used in the railway signalling safety data network is mainly RSSP-II, which adds an adaptation and redundancy management layer, a message authentication layer and a safety application intermediate layer on top of TCP/IP. Its security is therefore essentially the network security of a private network. Taking the specific requirements of the railway control network into account, the system analyses the captured network data frames layer by layer, matches them layer by layer and analyses combinations across multiple packets, defending against illegal activity in the network from every angle.

Besides Ethernet, the railway signal control system also contains fieldbus networks such as CAN bus, 422 bus and PROFIBUS. As the bottom-level networks of industrial control, these fieldbus protocols carry little information and have strict real-time requirements, so their model structures take only the OSI physical layer, data link layer and the top-level application layer. Compared with RSSP-II these protocols are relatively simple, and attacks on them are covert. When analysing such network data, in addition to whitelist matching directly on the application-layer data of single packets, a "cross-packet matching method" must be used to analyse the logic of consecutive packets in order to defend against multi-packet combination attacks.
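
An added C example of the single-packet whitelist check and the cross-packet matching step described above for a CAN-style fieldbus frame, combined with the security-level dependent outcome (discard or alarm) of the forwarding decision given in the summary. It is not code from the patent: the frame layout, the whitelist, the per-ID sequence counter, the "execute only directly after arm" relation and the sample traffic are all constructed for illustration.

```c
/* Constructed example of the patent's data-security analysis step (Fig. 5):
 * single-packet whitelist matching on fieldbus application data plus a
 * "cross-packet" logical check over consecutive frames, with the outcome chosen
 * by the rule's security level.  Whitelist, frame layout, sequence counter and
 * the arm-before-execute relation are sample assumptions, not the patent's rules. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum action { ACT_FORWARD = 0, ACT_DROP = 1, ACT_ALARM = 2 };

/* CAN-style frame (assumed layout): data[0] is a per-ID sequence counter. */
struct frame { uint16_t id; uint8_t len; uint8_t data[8]; };

struct rule {
    uint16_t id;
    uint8_t  min_len, max_len;
    uint8_t  level;          /* 0 = low: silently discard; 1 = high: raise alarm */
    uint16_t requires_prev;  /* cross-packet relation: required previous forwarded ID, 0 = none */
};

/* Constructed whitelist for a hypothetical terminal. */
static const struct rule WHITELIST[] = {
    { 0x100, 1, 8, 0, 0     },   /* status report            */
    { 0x200, 2, 2, 1, 0     },   /* arm command              */
    { 0x300, 2, 2, 1, 0x200 },   /* execute: only right after arm */
};
#define N_RULES (sizeof WHITELIST / sizeof WHITELIST[0])

struct analyzer {
    uint8_t  seen[N_RULES];      /* a frame of this rule has been forwarded before */
    uint8_t  last_seq[N_RULES];  /* sequence counter of that last forwarded frame  */
    uint16_t last_fwd_id;        /* ID of the last forwarded frame (0 = none)      */
};

void analyzer_init(struct analyzer *st) { memset(st, 0, sizeof *st); }

static int find_rule(uint16_t id)
{
    for (size_t i = 0; i < N_RULES; i++) if (WHITELIST[i].id == id) return (int)i;
    return -1;
}

/* Verdict for one frame; cross-packet state is updated only on FORWARD, so a
 * rejected frame cannot poison the history used to judge the next one. */
enum action analyze_frame(struct analyzer *st, const struct frame *f)
{
    int r = find_rule(f->id);
    if (r < 0) return ACT_ALARM;                 /* unknown ID: treat as highest level */
    const struct rule *rule = &WHITELIST[r];
    enum action unsafe = rule->level ? ACT_ALARM : ACT_DROP;

    /* Single-packet check: application data length within the whitelisted range. */
    if (f->len < rule->min_len || f->len > rule->max_len) return unsafe;

    /* Cross-packet check 1: per-ID sequence counter must advance by exactly one. */
    if (st->seen[r] && f->data[0] != (uint8_t)(st->last_seq[r] + 1)) return unsafe;

    /* Cross-packet check 2: required predecessor (multi-packet combination rule). */
    if (rule->requires_prev && st->last_fwd_id != rule->requires_prev) return unsafe;

    st->seen[r] = 1;
    st->last_seq[r] = f->data[0];
    st->last_fwd_id = f->id;
    return ACT_FORWARD;
}

/* Constructed sample traffic: two good status frames, a sequence jump, an unknown
 * ID, an execute without arm, a proper arm/execute pair, and an oversized arm. */
static const struct frame SAMPLE[] = {
    { 0x100, 3, {0} }, { 0x100, 3, {1} }, { 0x100, 3, {5} }, { 0x999, 1, {0} },
    { 0x300, 2, {0} }, { 0x200, 2, {0} }, { 0x300, 2, {0} }, { 0x200, 5, {1} },
};
#define N_SAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])
static enum action g_verdict[N_SAMPLE];

/* Runs the sample through a fresh analyzer; returns the number of forwarded frames. */
int run_sample(void)
{
    struct analyzer st;
    analyzer_init(&st);
    int forwarded = 0;
    for (size_t i = 0; i < N_SAMPLE; i++) {
        g_verdict[i] = analyze_frame(&st, &SAMPLE[i]);
        if (g_verdict[i] == ACT_FORWARD) forwarded++;
    }
    return forwarded;
}
int sample_verdict(int i) { return (int)g_verdict[i]; }

int main(void)
{
    static const char *name[] = { "FORWARD", "DROP", "ALARM" };
    int n = run_sample();
    for (size_t i = 0; i < N_SAMPLE; i++)
        printf("frame %zu id=0x%03X len=%u seq=%u -> %s\n", i, (unsigned)SAMPLE[i].id,
               (unsigned)SAMPLE[i].len, (unsigned)SAMPLE[i].data[0], name[g_verdict[i]]);
    printf("%d of %zu frames forwarded\n", n, N_SAMPLE);
    return 0;
}
```

The execute frame that arrives before any arm frame passes the single-packet whitelist on its own and is only caught by the combination rule, which is the point of cross-packet matching; the low-level sequence jump is discarded quietly while the high-level violations raise an alarm.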

Fig. 6 is the real-time performance test diagram of the example system. The example system is designed on ARM plus UCOS-II. UCOS-II is a hard real-time, preemptive, priority-scheduled kernel designed specifically for embedded systems. Its kernel is compact, its multitasking management is relatively complete, its real-time performance is good, it can be tailored and placed in ROM, its source code is open and it is highly portable. UCOS-II supports at most 64 tasks, corresponding to priorities 0 to 63, where 0 is the highest priority and 63 the lowest; the system reserves the 4 highest-priority and the 4 lowest-priority tasks, leaving only 56 tasks for user use. The real-time performance of the example system depends on the UCOS-II operating system, and the real-time performance of UCOS-II shows in the task switching time: the shorter the switching time, the better the real-time performance. The program measures time with the system timestamp function OSTimeGet(), which returns the CPU counter value for the task preemption switching time, and task switching is brought about by dynamically changing priorities. The method used in this example to compute the task switching time (for two tasks) is as follows. First, two tasks A and B are created, task A with priority N and task B with priority N+1. After the program starts, task A preempts the CPU first; at some moment task B's priority is reduced by 2 and a timestamp is recorded; once task B has preempted the CPU it immediately raises its own priority by 2 again, task A preempts the CPU once more, and a second timestamp is recorded. Two task scheduling switches occur in the whole process, so subtracting the two timestamps, dividing by 2 and then dividing by the CPU frequency gives the task switching time.

Fig. 7 is the test diagram of the analysis data delay of the example system. The delay performance of the example system was measured in a simulated signalling system safety data network. The application data exchanged between a pair of communication terminals in the simulated network was varied from 10 Bytes to 1000 Bytes, and the delay of the data in transit was measured before and after adding the isolation system. In Fig. 7 the horizontal axis is the transmission length of each data frame (Byte) and the vertical axis the transmission delay of each frame (ms). The figure shows that for data frame lengths of 10 to 1000 (given as bits in the original text, although the axis is in Bytes) the forwarding delay of the isolation system is 0.11 to 0.5 ms. The railway safety data network specification requires the total information transmission delay between communication devices to be no more than 50 ms, so adding the isolation system does not affect the real-time performance of network transmission and also meets the real-time requirements of most industrial control networks.

Claims (3)

1. A protocol security isolation system oriented to a railway signal control network, characterised in that it consists of a first communication interface (101), a second communication interface (203), a first processor (102), a second processor (202), a high-speed dual-port RAM communication buffer (302), memory RAM, power-off storage FLASH, a human-computer interaction platform (105) and a power module (301); the first and second communication interfaces intercept the data of their respective networks at the link layer and hand it to the first processor for analysis; the analysis results and the communication content are sent to the human-computer interaction interface (105) for display and written to a database, while network data judged safe is passed to the second processor in a "ferry" manner through the high-speed dual-port RAM communication buffer (302) and then transmitted to the target terminal or network through the second communication interface (203) driven by the second processor.

2. The system according to claim 1, characterised in that it adopts the UCOS-II real-time operating system, runs at a clock frequency of 208 MHz, and integrates an Ethernet interface, a CAN bus protocol interface, a PROFIBUS bus protocol interface, a 422 bus protocol interface and a 232 bus protocol interface.

3. The system according to claim 1, characterised in that the high-speed dual-port RAM communication buffer (302) is divided into two storage areas, A and B; areas A and B are each divided into N equal small block storage areas ai and bi (1≤i≤N), and K1 and K2 are subject to the constraints K1ai*K2ai=0 and K1bi*K2bi=0 (where K1ai denotes that K1 is connected to ai).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410070530.3A CN103888446A (en) 2014-02-28 2014-02-28 Protocol security isolation system oriented to railway signal control network

Publications (1)

Publication Number Publication Date
CN103888446A true CN103888446A (en) 2014-06-25

Family

ID=50957166

Country Status (1)

Country Link
CN (1) CN103888446A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105204583A (en) * 2015-10-16 2015-12-30 杭州中威电子股份有限公司 Physical isolation system and isolation method constructed based on embedded type system
CN105208352A (en) * 2015-10-16 2015-12-30 杭州中威电子股份有限公司 Safe monitoring system and physical isolation method for network video
CN106656657A (en) * 2016-11-11 2017-05-10 北京匡恩网络科技有限责任公司 Adaptive vulnerability mining framework based on industrial control protocol
CN108092864A (en) * 2017-11-10 2018-05-29 北京全路通信信号研究设计院集团有限公司 LEU equipment processing board and communication processing device and method thereof
CN110191040A (en) * 2019-06-25 2019-08-30 长沙瀚鹏电子技术有限公司 A kind of human-computer interaction network controller, method and system
CN111818092A (en) * 2020-08-14 2020-10-23 苏州海德汛互联网技术有限公司 Network security physical isolator and information exchange method
CN112035394A (en) * 2020-07-27 2020-12-04 首都师范大学 Storage device of multi-core processor for real-time processing and data processing method
CN113347141A (en) * 2020-02-18 2021-09-03 罗伯特·博世有限公司 Device for processing data having at least two data interfaces and operating method therefor
CN113872802A (en) * 2021-09-17 2021-12-31 支付宝(杭州)信息技术有限公司 Method and device for detecting network element

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1973308A (en) * 2004-06-03 2007-05-30 纳格拉卡德股份有限公司 Security module component
CN102195984A (en) * 2011-05-18 2011-09-21 广州市飞元信息科技有限公司 Secure transmission device
CN202475480U (en) * 2011-12-21 2012-10-03 成都众询科技有限公司 Network isolator
CN202475479U (en) * 2011-12-21 2012-10-03 成都众询科技有限公司 Network isolating device
US20130261999A1 (en) * 2012-03-30 2013-10-03 Ild Technologies, Llc Ring Ground Testing And Monitoring

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
柯军 (Ke Jun): "Design of a Network Isolator", China Master's Theses Full-text Database, Information Science and Technology Series *
郑炜 等 (Zheng Wei et al.): "Design and Implementation of a Physical Isolation Gap", Microcomputer Information *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105208352A (en) * 2015-10-16 2015-12-30 杭州中威电子股份有限公司 Safe monitoring system and physical isolation method for network video
CN105208352B (en) * 2015-10-16 2018-07-31 杭州中威电子股份有限公司 Network video safety monitoring system and physical isolation method
CN105204583B (en) * 2015-10-16 2018-11-02 杭州中威电子股份有限公司 Physical isolation system and isolation method based on an embedded system structure
CN105204583A (en) * 2015-10-16 2015-12-30 杭州中威电子股份有限公司 Physical isolation system and isolation method constructed based on embedded type system
CN106656657A (en) * 2016-11-11 2017-05-10 北京匡恩网络科技有限责任公司 Adaptive vulnerability mining framework based on industrial control protocol
CN108092864B (en) * 2017-11-10 2020-04-17 北京全路通信信号研究设计院集团有限公司 LEU equipment processing board and communication processing device and method thereof
CN108092864A (en) * 2017-11-10 2018-05-29 北京全路通信信号研究设计院集团有限公司 LEU equipment processing board and communication processing device and method thereof
CN110191040A (en) * 2019-06-25 2019-08-30 长沙瀚鹏电子技术有限公司 Human-computer interaction network controller, method and system
CN113347141A (en) * 2020-02-18 2021-09-03 罗伯特·博世有限公司 Device for processing data having at least two data interfaces and operating method therefor
CN112035394A (en) * 2020-07-27 2020-12-04 首都师范大学 Storage device of multi-core processor for real-time processing and data processing method
CN112035394B (en) * 2020-07-27 2021-04-27 首都师范大学 Real-time processing-oriented multi-core processor storage device and data processing method
CN111818092A (en) * 2020-08-14 2020-10-23 苏州海德汛互联网技术有限公司 Network security physical isolator and information exchange method
CN113872802A (en) * 2021-09-17 2021-12-31 支付宝(杭州)信息技术有限公司 Method and device for detecting network element
CN113872802B (en) * 2021-09-17 2024-01-19 支付宝(杭州)信息技术有限公司 Method and device for detecting network element

Similar Documents

Publication Publication Date Title
CN103888446A (en) Protocol security isolation system oriented to railway signal control network
CN104486336A (en) Device for safely isolating and exchanging industrial control networks
CN104683352B (en) Industrial communication isolation gap with dual-channel ferrying
CN116055254B (en) Safe and trusted gateway system, control method, medium, equipment and terminal
CN105681313B (en) Traffic detection system and method for a virtualized environment
CN106341397A (en) Industrial safety isolation GAP
CN105245555B (en) Communication protocol security protection system for electric power serial servers
CN101986638A (en) Gigabit one-way network isolation device
CN105007272A (en) Information exchange system with safety isolation
CN104734915A (en) Composite multiprocess and multithread multi-network concurrence dynamic simulation method
CN109412897A (en) System and method for realizing a shared MAC based on a multi-core processor and FPGA
CN106357470A (en) Quick sensing method for network threat based on SDN controller
CN114465796A (en) A security protection method applied to a vehicle-mounted firewall
Zhang et al. Optimization of traditional Snort intrusion detection system
CN204089849U (en) Network isolating device based on industrial control protocols
CN104539600A (en) Industrial control firewall implementing method for supporting filtering IEC 104 protocol
CN108768841A (en) AFDX security gateway systems and its transmission method
CN202979014U (en) Network isolation device
CN102546399B (en) Intelligent transformer substation process level message linear processing framework and intelligent transformer substation process level message linear processing method
CN201878191U (en) Security access device for video
CN202652270U (en) Database audit system
CN210112051U (en) Multi-information-source communication management device based on security isolation network gate
CN205666954U (en) Data interchange monitored control system based on cloud calculates
CN209460765U (en) A new type of public network and public security internal network isolation device
CN103944738A (en) Interchanger supporting function extension

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140625