An Extended Object-Oriented Petri Net Model for Vulnerability Evaluation of Communication-Based Train Control System

Communication-based train control systems (CBTCs) are widely used as crucial systems in urban rail transit networks. CBTCs typically utilize different levels of symmetric structure according to their geographic deployment. In practice, however, CBTCs crashes have repeatedly brought down the transportation system of an entire city. Based on the extended object-oriented Petri net (EOOPN), this paper proposes a vulnerability model and an evaluation procedure that consider vulnerability factors at both the system level and the equipment level. On the system level, it establishes a complex dynamic communication structure model among the distributed subsystems; on the equipment level, it details the changing state of the equipment during train operation. The searching algorithm of EOOPN depicts possible failure paths of CBTCs via the token transition among train–ground communication EOOPN subnets. The vulnerability calculation is applied to a metro company's in situ CBTCs to illustrate the effectiveness of the approach.


Introduction
Urban rail transit has become one of the mainstream public transport systems around the world. Its advantages include punctuality, large capacity, and convenience. The train operation and control system is the critical system that supports the fluid operation of the main line [1]. The most popular train operation and control system is the communication-based train control system (CBTCs), which consists of a complex and large-scale symmetric train–ground distributed networked topological structure. CBTCs utilize in-vehicle equipment and rail communication facilities to share information with stations and control centers. They dynamically control the speed of trains to keep safe braking distances, ensuring that dispatching commands are transmitted to the train in time. In the past, failures of CBTCs have resulted in disastrous accidents, which disrupt trains' normal operation schedules. Therefore, studies on the vulnerability of CBTCs have significant implications. The purpose of these studies is to control the key failures of CBTCs and to provide guidance for maintenance management, improving operational efficiency and ensuring safe operation.
Vulnerability is related to performance degradation or failure due to disruptive events. The vulnerability of a system is determined by the threat degree of the disturbance factors and the degree of damage to the system after the disturbance attack. Evaluation based on specific strategies is an effective method to identify the vulnerabilities of different network configurations. Vladimir et al. suggested a quantitative measurement approach to study hierarchical networks based on the behavior mechanism of concurrent systems on two levels. First, the Petri net directly shows the physical structure of the concurrent system and the initial state of resources in the system. Second, it indirectly shows the dynamic behavior mechanism of the concurrent system through the transition enabling rule of the Petri net. These two levels are interrelated, forming a combined description of physical structure and behavior. Hua et al. combined object-oriented modeling with colored Petri nets, using the characteristics of object encapsulation and inheritance to reduce the complexity of the system model [35]. As the complexity of a system increases, establishing and analyzing its Petri net model becomes extremely complicated. The extended object-oriented Petri net (EOOPN) combines object-oriented modeling technology with colored Petri nets, using the characteristics of object encapsulation and inheritance to reduce the structural complexity of the established system model and to enhance its encapsulation and reusability. When analyzing the behavior of the entire system, the work only needs to pay attention to the information interfaces between each object and the outside world and to the information transfer between different object interfaces. The model is simple and efficient. Therefore, this paper uses the object-oriented colored Petri net model to study the vulnerability of CBTCs.
Research on CBTCs now mainly focuses on reliability and safety risks, analyzing the degree of use and working ability of the equipment under existing conditions. Vulnerability is different from reliability and risk. The purpose of vulnerability research is to analyze the potential vulnerabilities of the system equipment itself and its inherent vulnerabilities, to help fundamentally examine the causes and key points of failure, to provide guidance for equipment managers' maintenance work and equipment design, and also to support improved operational efficiency and operational safety. In this study, we employ an extended object-oriented Petri net (EOOPN) for vulnerability modeling and evaluation of CBTCs. EOOPN introduces new features and modeling elements to describe vulnerability in a more convenient and clear way, which makes it more suitable for complex system analysis. Based on EOOPN, we propose a general modeling procedure performed on two levels: the system level and the equipment level. On the system level, the model describes the networked data flow among train–ground subsystems, while on the equipment level, it depicts the state transition process of each piece of equipment, such as the in-vehicle units. EOOPN can be used in various complex system scenarios. The modeling procedure, the search algorithm and the vulnerability computation are applied to this EOOPN model, and examples of CBTCs illustrate the modeling procedure. This paper is organized as follows. Section 2 provides a vulnerability framework for CBTCs and introduces the formal specification of EOOPN; the vulnerability modeling and computation procedure are discussed. Section 3 describes general modules of CBTCs based on EOOPN. Section 4 offers the quantitative case model and experiment of CBTCs. Section 5 presents the conclusions and future work.

Formal Specification of EOOPN
The EOOPN is defined as a 2-tuple, EOOPN $N = \langle ops, RT \rangle$, where $ops = \{ob_i, i \ge 0\}$ is a finite set of object subnets representing the dynamic behavior of the system, and $RT = \{T_{ij}, i \ge 0, j \ge 0, i \ne j\}$ is a finite set of message transfer transitions among different objects. The input place of $T_{ij}$ is the information output place of $ob_i$, and the output place of $T_{ij}$ is the information input place of $ob_j$.
An object subnet $ob_i$ is a 9-tuple $\langle SP_i, AT_i, IM_i, OM_i, I_i, O_i, C_i, NC_i, \varepsilon_{ij} \rangle$, where
• $SP_i$ is a finite set of places of $ob_i$, divided into three types: state places, input places and output places;
• $AT_i$ is a finite set of transitions of $ob_i$;
• $IM_i$ is a finite set of input information places of $ob_i$;
• $OM_i$ is a finite set of output information places of $ob_i$;
• $I_i$ is the set of colored arcs from places to transitions;
• $O_i$ is the set of colored arcs from transitions to places;
• $C_i$ is the color set of $ob_i$: $C(SP_i)$ is the color set for state places, $C(IM_i)$ the color set for input places, $C(OM_i)$ the color set for output places, and $C(AT_i)$ the color set for active transitions;
• $NC_i$ is the network relevance degree, that is, the connection relationship between subnet $ob_i$ and the other subnets;
• $\varepsilon_{ij}$ is the attack severity when place $p_j$ of $ob_i$ is attacked.

Vulnerability Computing Framework
The quantitative analysis method of system vulnerability based on EOOPN can be summarized in the following steps, as shown in Figure 1. First, analyze the data flow relationships and extract vulnerability factors based on failure information in the system. Second, divide the complex system into several object subnets and establish the subnet models. Third, determine the attack rules according to the characteristics of EOOPN and the data flow relationships of the system. Finally, substitute into the vulnerability calculation formula to evaluate the vulnerability of the system.

Vulnerability Attack Path Searching Algorithm
Vulnerability analysis is generally aimed at complex and large systems. Due to the complexity of such a system, it is difficult to analyze all of its elements with the same method. Industrial control systems like CBTCs have many components, and the components and functions of different devices are very diverse. In addition, there are many causes of equipment failure, and each failure phenomenon has many kinds of causes. Therefore, mapping the same type of equipment failure cause to the same type of vulnerability factor, and evaluating the vulnerability by analyzing a small number of vulnerability factors, is important.
System vulnerability analysis traces the dynamic process of change. The attack rule of a vulnerability factor is the successive failure path of that change; it is the disturbance path through the entire system. The basis for determining the attack sequence of a vulnerable node is attack path searching. In a multi-level system, the effect of an attack on one subsystem is transmitted to other subsystems through information transitions. In EOOPN, this is reflected in the flow of object resources, that is, the transfer of dynamic tokens. A transition changes the enabling state of the successive system, and the states then change one after another. This kind of attacked state degrades the system performance.
To facilitate the analysis of successive failure paths of transitions in each subsystem model, we propose an attack path searching algorithm for EOOPN. The algorithm steps are as follows:
(1) Obtain the input matrix $I_{m \times n}$ and output matrix $O_{m \times n}$ of the model from the Petri net structure, set the counting variable $i = 0$ and the path $Route = \{t_i\}$;
(2) Search the column of the output matrix $O_{m \times n}$ corresponding to transition $t_i$. If some $O_{pi} = 1$ ($p = 1, 2, 3, \ldots, m$) exists, go to step 3; otherwise set $i = i + 1$ and repeat while $i \le n$;
(3) Search the row of the input matrix $I_{m \times n}$ corresponding to that place. If $I_{pq} = 1$, go to the next step; otherwise set $p = p + 1$ and repeat step 3;
(4) Judge the structural relationship between transition $t_i$ and its subsequent transition. Different association structures have different effects, so record the successive attack path of transitions according to the relationship between the related structures.
The input matrix and output matrix are separated in the description of the Petri net structure, so the algorithm adopts a double-layer loop structure, and its complexity is $O(mn^2)$. We use depth-first search to find all reachable paths.

Attack Rules of Vulnerability Influencing Factors
The basis for determining the attack order of vulnerable nodes is the attack threat degree: the greater the attack threat degree, the greater the global hazard to the system. In fact, the failure effect of one piece of equipment on subsequent equipment is reflected by the transmission of information data. In the EOOPN model, this causes the enabling state of system transitions and the place states to change one after another, which eventually damages the system model and degrades the system performance. The action process of vulnerability factors on the whole system is the dynamic change process of transitions, and the attack rule is the successive failure path of transitions [36].
According to the path searching algorithm, the transition $t_i$ is the vulnerable node under attack. The route is the set of transitions that fail successively, with initial state $Route = \{t_i\}$. For the input matrix $I_{m \times n}$ and output matrix $O_{m \times n}$, $m$ and $n$ are the numbers of place nodes and transition nodes, respectively. First, judge whether the transition $t_i$ is an end transition. If it is, the search ends. Otherwise, continue to judge the relationship between the subsequent transition of $t_i$ and $t_i$ itself. If it is a selection structure, the searching procedure ends. If it is not a selection structure, add the subsequent transition to the route set. Following this rule, the end point and attack path of a vulnerability factor can be determined [37].
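As an added example (not code from the paper), the following Python implements the search described above over the input matrix $I$ and output matrix $O$, applying the stopping rule of this section: a route grows through sequence structures, branches (depth-first) through parallel structures, and stops at an end transition or at a selection structure. The net, its place and transition names (p1..p8, t1..t7) and its arcs are constructed for illustration and are not the paper's CBTC subnets.

```python
"""Successive-failure (attack) path search over a Petri net's input/output matrices.

Added example, not the paper's code. The toy net below is constructed: it has a
sequence t1 -> t2, a selection structure at p3 (t3 and t4 compete for its token),
and a parallel structure after t5 (tokens go to both p5 and p6).
"""
from typing import Dict, List

PLACES = ["p1", "p2", "p3", "p4", "p5", "p6", "p7", "p8"]
TRANSITIONS = ["t1", "t2", "t3", "t4", "t5", "t6", "t7"]
ARCS_P_TO_T = [("p1", "t1"), ("p2", "t2"), ("p3", "t3"), ("p3", "t4"),
               ("p4", "t5"), ("p5", "t6"), ("p6", "t7")]
ARCS_T_TO_P = [("t1", "p2"), ("t2", "p3"), ("t3", "p7"), ("t4", "p4"),
               ("t5", "p5"), ("t5", "p6"), ("t6", "p8"), ("t7", "p8")]


def build_matrices(places, transitions, p_to_t, t_to_p):
    """Input matrix I[p][t] = 1 for an arc p -> t; output matrix O[p][t] = 1 for t -> p."""
    I: Dict[str, Dict[str, int]] = {p: {t: 0 for t in transitions} for p in places}
    O: Dict[str, Dict[str, int]] = {p: {t: 0 for t in transitions} for p in places}
    for p, t in p_to_t:
        I[p][t] = 1
    for t, p in t_to_p:
        O[p][t] = 1
    return I, O


I_MAT, O_MAT = build_matrices(PLACES, TRANSITIONS, ARCS_P_TO_T, ARCS_T_TO_P)


def output_places(t, O, places) -> List[str]:
    """Step 2: scan the column of O for transition t; places with O[p][t] = 1 are its outputs."""
    return [p for p in places if O[p][t] == 1]


def consuming_transitions(p, I, transitions) -> List[str]:
    """Step 3: scan the row of I for place p; transitions with I[p][t] = 1 consume it."""
    return [t for t in transitions if I[p][t] == 1]


def search_attack_paths(start, I=I_MAT, O=O_MAT, places=PLACES, transitions=TRANSITIONS):
    """Return every successive-failure route that starts at the attacked transition `start`.

    Attack rule: the route grows along a sequence structure, branches along a
    parallel structure (one route per branch, found by DFS), and stops at an end
    transition or at a selection structure, where the token may take another branch.
    """
    routes: List[List[str]] = []

    def dfs(t, route):
        extended = False
        for p in output_places(t, O, places):
            successors = consuming_transitions(p, I, transitions)
            # 0 successors: dead-end place; >1 successors: selection structure -> stop
            if len(successors) != 1:
                continue
            nxt = successors[0]
            if nxt in route:          # guard against cycles in the net
                continue
            extended = True
            dfs(nxt, route + [nxt])
        if not extended:              # end transition, or every branch stopped
            routes.append(route)

    dfs(start, [start])
    return routes


if __name__ == "__main__":
    for t in TRANSITIONS:
        print(t, "->", search_attack_paths(t))
```

Starting at t1 the route is [t1, t2] and stops at p3 because t3 and t4 form a selection structure; starting at t4 the parallel structure after t5 yields two routes, [t4, t5, t6] and [t4, t5, t7].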

System Vulnerability Calculation
In the object-oriented Petri net model, the mutual communication and association between different object partitions constitute the network structure model of the signal system. Network vulnerability refers to whether the overall performance of the system remains intact, or to the size of the performance loss, after certain routes in the system are destroyed by certain attack rules, thereby identifying the weak links in the system. A vulnerability influencing factor is only one node object in an object subnet and cannot fully reflect the influence of a single factor on the entire network. The association relationships between node objects reflect their connectivity on the network, and the threat caused by an attack on a highly correlated node object is greater [27]. Therefore, when calculating the threat degree of vulnerability influencing factors, not only the threat degree of a single vulnerability factor but also the correlation degree, within the entire system, of the target subnet where the vulnerability factor is located should be considered. This paper considers that the object subnets communicate with each other and that the number of communication relationships between an object subnet and the other subnets differs from subnet to subnet. Therefore, this paper introduces the concept of association degree into the calculation of the connection complexity of the object subnets.
When calculating the threat degree, we cannot consider only the single vulnerability factor; we also need to combine it with the correlation of its object subnet within the overall system. Since the object subnets of a system communicate with each other and the number of communication relationships differs between object subnets, we introduce the concept of correlation degree to calculate the connection complexity of an object subnet and determine the quantitative calculation formula of vulnerability. EOOPN has the advantage of simplifying and encapsulating network connections. The vulnerability of a complex system is affected by the threat degree of the disturbance factor and the damage degree of the system after the disturbance attack.
The system vulnerability calculation formula for $V$ is given in terms of the following quantities, where $V$ is the vulnerability of the target system. $NC_i$ is the network association degree of the object subnet where the node exists; it determines the degree of influence of the elements in the target subnet on the entire system. $\varepsilon_{ij}$ is the degree of attack damage of the place node, represented by the affected area of the attacked object: the greater the degree of harm, the greater the threat degree of the vulnerability influencing factor. The degree of attack damage refers to the range of influence on the subsequent system process after the vulnerability factors in the system are attacked. In the Petri net, it is the successive failure effect of a certain transition on subsequent transitions.
The greater the degree of attack damage of a vulnerable node, the greater the attack threat degree; the greater the network association of the object, the greater the attack threat degree.
$\Delta A$ is the loss rate, the impact of the attacked nodes on the system. The terms are defined in the following.
Definition 1. Network correlation degree for object subnets: where $num_{in/out}(ob_i)$ refers to the number of relationship records related to an object $ob_i$.
$NC_i$ is the ratio of the number of relationships of $ob_i$ to the number of all relationships in the system, and it determines the influence degree of the elements in the object subnet on the whole system.

Definition 2. Attack severity of vulnerability influencing factors: where $\varepsilon_{ij}$ is the attack severity of place $p_j$ in object $ob_i$, the first count (indexed $ij$) is the number of transition nodes that fail successively when the transition node $t_j$ fails, the second count (indexed $ij$) is the number of transitions that change from dead to enabled in the same situation, and $n$ is the total number of transitions in the assessed system.
Definition 3. Topological efficiency of the system network (Equation (4)): where $N_p$ and $N_t$ are the numbers of places $p$ and transitions $t$ in the Petri net, $d_{ij}$ is the shortest distance between place $i$ and transition $j$, and $\min W(P_{p_i}, T_{t_j})$ is the smallest weight between place $i$ and transition $j$.

Definition 4. The loss rate $\Delta A$ of the network efficiency is the impact of the attacked node: where $\Delta A$ is the impact of vulnerable nodes on network efficiency after being attacked, and $A$ and $A'$ are the network topological efficiency values in normal operation and after being attacked, respectively.

Architecture of CBTCs
A common CBTCs is divided into four subsystems according to geographical area: the control center system, the trackside system, the in-vehicle system and the depot system. The control center system realizes the operation supervision and adjustment of trains, so that dispatchers can manage all trains and complete the train operation schedule. The in-vehicle system periodically obtains the movement authorization by means of train–ground communication, calculates the current allowable speed of the train, and controls the train operation. The trackside system generates the train's movement authorization in real time according to the operation schedule, guarantees the intervals between trains, and handles the route for the train. The depot system completes the safety management of trains entering and leaving the depot. The control center system includes a traffic dispatching workstation, a running map editing workstation, a database server and an application server. The trackside system includes the station automatic train supervision system (ATS), computer interlocking system (CI), zone controller (ZC), transponders, axle counters, switches, platform screen doors (PSD), emergency stop buttons (ESB), lineside electronic units (LEU), the data communication system, etc. The in-vehicle system includes the balise transmission module (BTM), a beacon antenna, a coded odometer, a speed sensor, a radar, the in-vehicle computer, the in-vehicle cabinet, a wireless antenna, the in-vehicle recording system, a human-machine interface (HMI), etc. The depot system includes an ATS extension, a computer interlocking system (CI), switches, signal lights, a zone controller (ZC), transponders, etc. Figure 2 shows a universal CBTCs structure.
CBTCs needs to meet the following key functional requirements within its four subsystems:
(1) The control center system communicates with the in-vehicle system. The control center ATS displays the train number, online running position, running direction and other information on the large screen through two-way communication with the train. The train receives temporary shunting commands from the control center ATS for schedule adjustments.
(2) The control center system communicates with the depot system. The control center sends the completed train operation map and operation plan to the depot ATS extension. The depot system dispatches according to the train operation plan and sends the train identification number to the control center through the depot ATS extension. The control center sends temporary adjustment commands, train shunting arrangements and return commands to the ATS extension of the depot. Then the depot equipment executes the operation, and the procedure is monitored by the control center.
(3) The control center system communicates with the trackside system. The control center system communicates with the ATS extension of the station to provide information such as the train schedule, route control commands, real-time train position, train identification number and equipment status. The trackside system transfers equipment operating status information to the control center.
(4) The depot system communicates with the in-vehicle system. The depot system realizes driving mode management for train access sections through communication with the in-vehicle equipment. It also administers train entry and shunting within the depot.
(5) The in-vehicle system communicates with the trackside system. The data communication between the in-vehicle equipment and the trackside equipment is the key to the normal operation of the train. The two-way communication between the vehicle and the trackside is used to detect the train position, calculate the train movement authorization and link the safety equipment. It also provides remote control of the train and the platform screen doors, and route management.
To guarantee that train operation is safely controlled in the above interactive communication network environment, a clear and understandable modeling approach is critical. The key problem of a model-based approach is to establish the system model. EOOPN realizes the complete process of system analysis and design by adopting mechanisms such as objects, classes, inheritance, abstraction and encapsulation. It is a promising representation method for accomplishing CBTCs modeling and vulnerability analysis.

CBTCs Modeling Based on EOOPN
CBTCs can be seen as a communication link between multiple units. The integrated system is in fact the "input–output" relationship of the data flow. In the Petri net model, the relationship between the states and actions of the "places" and "transitions" reflects the different states of the devices.
Each unit represents the operation control and data transmission of a train, and the equipment actions between adjacent units restrict each other. Therefore, analyzing the working process of a unit can characterize the general principles of the entire network system. The EOOPN models essentially integrate various object subnets, encapsulating the internal structure of each object subnet, leaving only the places that have input and output relationships with other object subnets as interfaces. In this section, the EOOPN model will be established according to the data flow relationship between the CBTCs subsystems.
According to the functional requirements of CBTCs and the data flow relationships between the objects, we establish the system level model and the equipment level models of CBTCs as follows.
(1) CBTCs system level model. The object subnets are TSNet, the trackside subnet; TrNet, the in-vehicle subnet; CCNet, the control center subnet; and CDNet, the depot subnet. $RT = \{G_1, G_2, G_3, \ldots, G_{16}\}$ is the set of message transfer transitions. Figure 3 and Table 1 show their implications.
(2) Control center system subnet model. The control center subnet CCNet is shown in Figure 4.
(3) Trackside system subnet model. The trackside subnet $TSNet = \langle SP_1, AT_1, IM_1, OM_1, I_1, O_1, C_1, NC_1, \varepsilon_{1j} \rangle$ is shown in Figure 5.
(4) In-vehicle system subnet model. The in-vehicle subnet $TrNet = \langle SP_2, AT_2, IM_2, OM_2, I_2, O_2, C_2, NC_2, \varepsilon_{2j} \rangle$ is shown in Figure 6.

Vulnerability Analysis Based on EOOPN for CBTCs
According to the analysis of major international rail traffic crashes, the reasons for train rear-end collisions are the failure of CBTCs equipment and improper commands, that is, two factors: the unstable state of the equipment and unsafe operation. Vulnerability analysis of the CBTCs system is the root of improving system security from the perspective of the system itself. Vulnerability is an inherent, hidden property of the system; it is not reflected during normal operation, and its influencing factors can be understood through system failures. This paper analyzes 5929 failure phenomena of an urban rail transit company from 2012 to 2014. The cause and phenomenon of each failure were extracted, and the causes were classified according to the structural attributes of the device.
The subnet model of the trackside system was simulated with the Petri net analysis software PIPE (Platform Independent Petri Net Editor), and the model runs normally. Under the initial marking, every transition and place in each object subnet can be fired or reached through an appropriate firing sequence, that is, all states are reachable. Moreover, each transition in the net can be triggered again by enabling a sequence of transitions, which shows that the built EOOPN model is also live.

Vulnerability Quantitative Evaluation Cases of CBTCs Based on EOOPN
In this paper, the trackside system and the in-vehicle system were taken as research examples by selecting a vulnerable node to analyze the vulnerability of the CBTCs. The main purpose is to verify the proposed quantitative calculation method of its vulnerability.
(1) Calculation of network correlation. In the object-oriented Petri net system, the trackside system exchanges information with the control center system and the in-vehicle system: there are one input and one output relationship with the control center system, and four input and two output relationships with the in-vehicle system. The network correlation degrees of the trackside system and the in-vehicle system are calculated; for the in-vehicle system, $NC_{in\text{-}vehicle} = 0.375$ (8).
(2) Calculation of the attack severity degree of vulnerable nodes. The attack threat degrees of the vulnerability factors of the trackside system and the in-vehicle system are shown in Tables 3 and 4.
(4) Network efficiency loss calculation. According to the attack path of the vulnerability factor, the path efficiency of the attacked path is recorded as 0, that is, the path efficiency between the upstream transition and the place is 0.
(1) Assuming that the interlocking host is attacked and fails, the successive failures are in Route1, and the network efficiency loss rate is obtained. (2) Assuming that the in-vehicle computer is attacked and fails, the successive failures are in Route2, and the network efficiency loss rate is obtained.
(5) Node vulnerability calculation. From Formula (7), the vulnerability of the interlocking host and the vulnerability of the in-vehicle computer are obtained. From the above calculation results, the vulnerability of the in-vehicle computer is greater than that of the interlocking host. So, when the in-vehicle computer is attacked by certain disturbance factors, the damage is greater than for the interlocking host. This implies that the reliability, availability, maintainability and safety work for the in-vehicle computer is more important than that for the interlocking host.
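As an added example (not the paper's code), the following Python computes the inputs used in the case above: the network correlation degree $NC_i$ of Definition 1 as the ratio stated in the text, with the trackside count of 8 relationships taken from the case and $|RT| = 16$ from the system level model; the topological efficiency of Definition 3; and the loss rate of Definition 4. Because the efficiency and loss-rate formulas did not survive in the text, their forms here are assumptions: $A = \frac{1}{N_p N_t} \sum_{i,j} 1/d_{ij}$ with unreachable pairs contributing 0, and $\Delta A = (A - A')/A$. The in-vehicle relationship count of 6 is likewise an assumption chosen to match the reported $NC_{in\text{-}vehicle} = 0.375$, and the small net used for the efficiency calculation (places p1..p5, transitions t1..t4) is constructed, not the paper's trackside subnet. Formula (7) for $V$ is not reproduced on the page, so the example stops at its inputs.

```python
"""Network correlation degree, topological efficiency and efficiency loss rate.

Added example, not the paper's code. Definition 1 is implemented as the ratio the
text states. The efficiency formula (Equation (4)) and the loss-rate formula are
not reproduced on the page, so the forms below are assumptions:
  A  = (1 / (N_p * N_t)) * sum over place i, transition j of 1/d_ij   (unreachable -> 0)
  dA = (A - A') / A
"""
from collections import deque
from typing import Dict, List

# --- Definition 1: network correlation degree NC_i ---------------------------
RT_SIZE = 16  # |RT| = {G1, ..., G16} in the paper's system level model
# Trackside: 1 in + 1 out with the control center, 4 in + 2 out with the in-vehicle
# system = 8 (from the paper's case). The in-vehicle count of 6 is an ASSUMPTION,
# chosen so that the paper's reported NC_in-vehicle = 0.375 (= 6/16) is reproduced.
SUBNET_RELATIONSHIPS = {"trackside": 1 + 1 + 4 + 2, "in-vehicle": 6}


def network_correlation(relationships: Dict[str, int], rt_size: int = RT_SIZE) -> Dict[str, float]:
    """NC_i = (relationships involving ob_i) / (all message-transfer transitions in RT)."""
    return {ob: n / rt_size for ob, n in relationships.items()}


# --- Definition 3: topological efficiency (assumed form) ----------------------
# Constructed net: p1 -> t1 -> p2 -> t2 -> p3 -> t3 -> p4, with a side branch p2 -> t4 -> p5.
PLACES = ["p1", "p2", "p3", "p4", "p5"]
TRANSITIONS = ["t1", "t2", "t3", "t4"]
ADJ: Dict[str, List[str]] = {
    "p1": ["t1"], "t1": ["p2"], "p2": ["t2", "t4"], "t2": ["p3"],
    "p3": ["t3"], "t3": ["p4"], "t4": ["p5"], "p4": [], "p5": [],
}


def shortest_distances(adj: Dict[str, List[str]], source: str) -> Dict[str, int]:
    """BFS over the directed arcs; d_ij counts arcs, so every arc has weight 1."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, []):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def topological_efficiency(places: List[str], transitions: List[str], adj) -> float:
    """Average of 1/d_ij over all place-transition pairs (N_p * N_t pairs)."""
    total = 0.0
    for p in places:
        dist = shortest_distances(adj, p)
        for t in transitions:
            if t in dist:           # an unreachable pair contributes 0
                total += 1.0 / dist[t]
    return total / (len(places) * len(transitions))


# --- Definition 4: loss rate after an attack route fails ----------------------
def remove_attacked(adj: Dict[str, List[str]], route: List[str]) -> Dict[str, List[str]]:
    """Path efficiency on the attacked route is 0: drop every arc into or out of its transitions."""
    attacked = set(route)
    return {u: [v for v in vs if v not in attacked]
            for u, vs in adj.items() if u not in attacked}


def efficiency_loss_rate(places, transitions, adj, route) -> float:
    """dA = (A - A') / A, with A' computed on the net after the route's arcs are removed."""
    a_normal = topological_efficiency(places, transitions, adj)
    a_attacked = topological_efficiency(places, transitions, remove_attacked(adj, route))
    return (a_normal - a_attacked) / a_normal


if __name__ == "__main__":
    print(network_correlation(SUBNET_RELATIONSHIPS))
    print(topological_efficiency(PLACES, TRANSITIONS, ADJ))
    # Successive-failure route found by the attack path search, e.g. t2 then t3
    print(efficiency_loss_rate(PLACES, TRANSITIONS, ADJ, ["t2", "t3"]))
```

With the counts above the ratio form gives $NC_{trackside} = 8/16 = 0.5$ and $NC_{in\text{-}vehicle} = 6/16 = 0.375$; on the constructed net the efficiency is 0.26 before the attack, and failing the route [t2, t3] removes every path through those transitions, which under the assumed formulas yields a loss rate of 43/78 (about 0.55).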

Discussions
The vulnerability of CBTCs is determined by the structure and function of the system. It is the sensitivity reflecting the degree of loss of function of the system after a threat, and it changes dynamically. We proposed calculation steps and an attack route search algorithm for the vulnerability of the CBTCs system, according to the dynamic characteristics of the Petri net. Vulnerability is an inherent property reflected in the following categories:
(1) Vulnerability contains a series of concepts such as risk, sensitivity, adaptability and resilience. It not only considers the influence of the internal conditions of the system, but also includes the characteristics of the interaction between the system and the external environment. Therefore, when calculating the attack threat degree of vulnerability influencing factors, not only the threat degree of a single vulnerability factor but also the correlation degree, within the entire system, of the object subnet where the vulnerability factor is located should be considered.
(2) Vulnerability is the degree of damage or threat from adverse effects. It is the loss of function of system components under the influence of external factors. Selecting a certain high-vulnerability device as the object, the proposed vulnerability method is used to conduct an in-depth analysis and grasp the vulnerability of the internal components of the device, so it supports the designers from the perspective of intrinsic safety.
(3) Vulnerability is the ability to withstand external disturbances. It is the system's ability to respond to external disturbance factors, including resistance and recovery. The process by which vulnerability factors act on the entire system is a dynamic process of change. The attack rule of a vulnerability factor is the successive failure path of that change. According to the attack path search algorithm for influencing factors, the disturbance path of a certain vulnerability factor through the system can be determined.

Conclusions
Vulnerability is different from reliability and risk. This paper proposed a general modeling procedure based on EOOPN for vulnerability evaluation. Models are constructed at the system and component levels. According to the historical failure records of CBTCs equipment, we divide the symmetric geographic system into four subsystems by region: trackside, in-vehicle, control center and depot. Then, we establish their EOOPN model, and design and verify the attack path search algorithm. The modelling results show that EOOPN can effectively analyze the distributed multi-level structure. The attack rules are determined based on the characteristics of the Petri net and the data flow relationships, and then substituted into the vulnerability formula for quantitative evaluation. The approach is easy to understand and flexible enough to describe the complex characteristics and the vulnerability calculation. Analyzing the inherent vulnerabilities of CBTCs will help to fundamentally examine the causes of system failures, find design flaws or management loopholes, provide guidance for equipment managers' maintenance work, and support equipment design and improvement to improve operational efficiency and safety.