Detection and localization of attacks in all-optical networks

Publisher: 真诚友谊 Latest update time: 2011-10-14

1 Introduction

An all-optical network (AON) is one in which the signal needs no electrical/optical or optical/electrical conversion and remains in optical form throughout transmission and switching. Because node switching uses large-capacity, highly flexible optical add/drop multiplexers (OADM) and optical cross-connect devices (OXC), transmission is transparent. Once commercialized, it will greatly improve the transmission rate and network capacity. However, compared with existing electrical/optical/electrical networks and traditional electrical networks, it is vulnerable to malicious attacks, and its security deserves more attention. The specific reasons are as follows:

(1) Attackers can more easily approach optical devices, making the network vulnerable to attack. For example, eavesdropping can be performed by injecting attack optical signals of a certain wavelength through a slightly bent optical fiber or using the optical signals radiated by it. This can be achieved by using an improved optical fiber clamp or an optical leakage detector;

(2) The physical structure of the optical network provides opportunities for attacks. For example, injecting an attack signal at the far end of the network can affect the entire network during transmission.

(3) Certain optical technologies have vulnerabilities that attackers can exploit. For example, crosstalk in an optical switch leaks a portion of the signal. This leakage does not harm normal signals, but when an attacker injects a strong interference signal, the leakage is enough for the attacker to detect the signal's presence and very likely to recover part of the data from the traffic.

The goal of this paper is to study the types and methods of attacks, introduce vulnerable devices in all-optical networks, and explore several effective attack detection methods and location algorithms.

2 Types and methods of attacks

From the perspective of countering attacks, an all-optical network security management framework is proposed, as shown in Figure 1.

2.1 Types of Attacks

An attack is deliberate, malicious damage caused by people. There are six main types of attacks: communication flow analysis, eavesdropping, data delay, service denial, QoS degradation and spoofing. Communication flow analysis and eavesdropping have similar characteristics; optical networks have no optical storage and are therefore not vulnerable to data delay attacks; spoofing can be prevented by encryption; service denial is the extreme result of QoS degradation, and the two are collectively referred to as service destruction. At the physical layer, two main types of attacks are therefore considered in all-optical networks: (1) eavesdropping and communication flow analysis, and (2) service destruction.

2.2 Attack Method

To implement the above two attacks, the attacker must design an attack method based on the principle of being easy to implement and effective. There are four common attack methods: in-band interference attack, out-of-band interference attack, eavesdropping, and fiber cutting.

An in-band interference (jamming) attack injects an optical signal specifically to reduce the receiver's ability to interpret data correctly. It not only corrupts the signal on the link where the attack source is located, but also degrades signal quality on other links connected to that link's node, as shown in Figure 2. This happens because the signal propagates through the link without regeneration.

Out-of-band interference attacks use the leakage or cross-modulation effects of devices to reduce signal energy. The attacker injects a signal whose wavelength is outside the communication band but inside the amplifier's amplification bandwidth. The attack signal then robs gain from the other signals, as shown in Figure 3.

Eavesdropping is when an attacker listens to crosstalk leaking from adjacent channels to gain information about neighboring signals.

Fiber cut is an attack that cuts the optical cable.

3 Vulnerable Devices

The vulnerable devices in the all-optical network mainly include: optical fiber, transmitter, receiver, (de)multiplexer, optical cross-connect device (OXC), optical filter, optical switch, coupler, optical amplifier, etc.

Taking the OXC node as an example, the vulnerable optical devices are analyzed and the attack points are numbered, as shown in Figure 4.

Attack point 1 - Optical fiber: The accessibility of optical fiber and its inherent crosstalk, nonlinearity, and bending radiation characteristics provide opportunities for fiber cutting and eavesdropping attacks.

Attack point 2 - Test access port: The test access port, provided for testing or for convenient connection when needed, has become a target for attackers: it can be used for eavesdropping, and the power, polarization and other properties of the transmitted signal can be deliberately changed at the port. When the signal then passes through devices that are sensitive to these properties (for example, amplifiers are sensitive to polarization), service quality is reduced.

Attack point 3 - EDFA: The EDFA has two problems that cannot be ignored: gain competition and an uneven gain spectrum. If the gain spectrum is uneven, then even if the optical power of each channel is equal, the output optical power will vary between channels after the EDFA, and more serious gain competition will occur at the next-stage EDFA, lowering the optical signal-to-noise ratio. Attackers can therefore use out-of-band interference attacks to degrade or destroy communication quality.

Attack point 4 - Splitter/combiner: The demultiplexer is composed of a splitter and a filter, so the danger it faces is the same as the vulnerability of the filter.

Attack point 5 - Filter: In an all-optical network, the spacing between channels is very small, so the filter bandwidth must be very narrow, while the passband must be flat and its edges steep. Otherwise, adjacent channel signals will crosstalk, providing opportunities for unauthorized intrusion. This type of attack is difficult to detect and locate.

Attack point 6 - Optical switch: If the performance of the optical switch is not ideal, it will cause crosstalk, and this crosstalk propagates. First-order crosstalk causes second-order crosstalk, which in turn causes third-order crosstalk, as shown in Figure 5. Crosstalk may also exist between legitimate users. Worse, once an attacker sends a malicious attack signal, it causes serious in-band interference, and the attacker can also eavesdrop through the crosstalk.

4 Attack Detection Methods

4.1 Existing detection methods

Commonly used attack detection methods include: broadband power detection, spectrum analysis, monitoring signal analysis, and optical time domain reflectometry. They can preliminarily detect in-band interference attacks, out-of-band interference attacks, eavesdropping, and fiber breakage.

The broadband power detection method detects attacks by measuring the power of optical signals over a wide spectral width and comparing it with the expected value. It takes a long time, and a small power change is not necessarily caused by an attack (it may be due to device aging, fiber repair, etc.).

Spectral analysis detects attacks by measuring changes in the spectrum of optical signals with a spectrum analyzer. However, it likewise compares sampled averages with statistical averages, which takes a long time and responds slowly, and it cannot detect attacks that do not change the shape of the spectrum.

The monitoring signal analysis method uses the transmitted monitoring signal to detect transmission interruptions, but the monitoring signal cannot fully represent the quality of the communication information and has an impact on the quality of the communication signal.

Optical time domain reflectometry is a detection method that uses an OTDR to analyze the reflected portion of a monitoring signal. However, as long as the light leakage does not exceed 1%, the OTDR cannot detect the attack.

In view of their limitations, two new detection methods are proposed.


4.2 Parameter comparison detection method

The parameter comparison method is based on the fact that the input and output signals of the device under test should satisfy a certain mathematical relationship. Optical signals for comparison are tapped from both ends of the device, and the tapped input signal is delayed by the inherent delay τ of the device under test. The optical signals are then converted into electrical signals by photoelectric conversion and sent to the parameter comparator to obtain the output function K. Depending on the type of parameter being compared (amplitude, phase, wavelength, etc. of the optical signal) and the inherent characteristics of the device under test, in the absence of an attack the comparator output K=f(S1…Sn, R1…Rn) is a composite function of the input and output signals. Once an attack exists, the comparator output becomes K'=f'(S1'…Sn', R1'…Rn'). K' is compared with K. If the difference exceeds the set threshold, an attack exists, and the result is sent to the network management system, which handles it centrally. The comparison process is shown in Figure 6.

The parameter comparison method does not change the structure of the device under test and is independent of the bit rate of the transmission link. Since photoelectric conversion is required, the detection speed depends on the photoelectric conversion time. The signal must also be tapped, which may affect the signal power.
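The comparison described in this section, as an added example that is not part of the original article. It assumes the compared parameter is amplitude, that K is the median gain in dB between the τ-delayed input tap and the output tap, and a 1 dB threshold; the function names, sample powers and device model are constructed for illustration.

```python
import math
import statistics

def comparator_k(tap_in, tap_out, tau):
    """Output function K: median gain in dB between the delayed input tap
    and the output tap. tau is the device delay in samples."""
    if not 0 <= tau < len(tap_in) or len(tap_in) != len(tap_out):
        raise ValueError("taps must have equal length and tau must fit inside them")
    # Output sample i+tau corresponds to input sample i.
    ratios = [out / inp for inp, out in zip(tap_in, tap_out[tau:]) if inp > 0]
    if not ratios:
        raise ValueError("no usable input samples")
    return 10 * math.log10(statistics.median(ratios))

def attack_suspected(k_ref, k_now, threshold_db):
    """Compare K' with the attack-free K against the configured threshold."""
    return abs(k_now - k_ref) > threshold_db

def simulate_device(tap_in, gain, tau, idle=0.0):
    """Constructed device model: linear gain and a pure delay of tau samples."""
    return [idle] * tau + [gain * p for p in tap_in[:len(tap_in) - tau]]

# Constructed sample data: on/off modulated in-band input power in mW.
TAU = 3
SIGNAL = [1.0, 0.2, 1.0, 1.0, 0.2, 0.2, 1.0, 0.2, 1.0, 1.0, 0.2, 1.0]
K_REF = comparator_k(SIGNAL, simulate_device(SIGNAL, 100.0, TAU), TAU)

def scenario(input_scale, gain):
    """Return (K', alarm) for a scaled input and a given device gain."""
    tap_in = [input_scale * p for p in SIGNAL]
    k_now = comparator_k(tap_in, simulate_device(tap_in, gain, TAU), TAU)
    return k_now, attack_suspected(K_REF, k_now, threshold_db=1.0)

if __name__ == "__main__":
    print("reference K (dB):", round(K_REF, 2))
    print("upstream power drop, gain intact:", scenario(0.8, 100.0))
    print("gain halved by a competing signal:", scenario(1.0, 50.0))
```

In this model an upstream power drop leaves K unchanged, so aging or repairs ahead of the device do not trip the comparator, while a loss of gain inside the device does.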

4.3 Comprehensive monitoring device detection method

The monitoring devices in the network are mainly responsible for monitoring the performance of the transmission devices. V represents the set of monitoring devices, which includes the following four categories: V0, V1, V2, V3, that is, V = {V0, V1, V2, V3}, as shown in Table 1.

The following is a specific example to illustrate the attack detection method. Figure 7 shows a DWDM line. If an attack occurs at Fiber-1, V0, V3, V1, and V2 devices are placed at ①, ②, ③, and ④ respectively to detect the attack.

If the monitoring channel receives an alarm signal from a V device, it is represented by 1, and if it does not receive an alarm signal, it is represented by 0. When an attack occurs, the alarm signals (0 or 1) sent by four V devices are arranged in a row to form a four-bit binary number, which is converted into a decimal number. Since the alarm values of different attack methods are different, different attacks can be detected.

5 Attack Location Algorithm

After the attack method is detected, the next step is to locate the attack source. The following is the principle of the distributed positioning algorithm.

Assume that the alarm state parameter of a network node is S, with S=0 in the normal state and S=1 when attacked, that the alarm state parameter of the upstream node is S', and that the alarm parameter of the downstream node is S''. The main process of the distributed positioning algorithm is shown in Figure 8.

Each node first reads the alarm status parameter S' from its upstream node. If S'=1, the upstream node is the source of the attack and the local node is not allowed to alarm. If S'=0, the upstream node is not the source of the attack, so the local node judges whether it is itself under attack. If it judges that it is under attack, it sets its alarm status parameter S=1; if not, it sets S=0. It then passes its local alarm status parameter S to the downstream nodes. The downstream nodes repeat this process in a distributed manner until the attack source in the entire network is found.
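The per-node rule above, run along a chain of nodes, as an added example that is not part of the original article. The text does not say what a silenced node passes on, so the example compares two readings: forwarding the alarm parameter S itself, and (an assumption of this example) forwarding whether the node still sees the anomaly. All names and observation vectors are constructed.

```python
def localize(degraded, forward="status"):
    """Apply the per-node rule along a chain, upstream node first.

    degraded[i] is 1 when node i's own monitors see an anomaly.
    forward selects what a node hands to its downstream neighbour:
      "alarm"  - its alarm parameter S (literal reading of the text)
      "status" - whether it still sees the anomaly (assumption of this example)
    Returns the list of alarm parameters S, one per node.
    """
    if forward not in ("alarm", "status"):
        raise ValueError("forward must be 'alarm' or 'status'")
    alarms = []
    s_up = 0  # S' for the first node: nothing upstream has alarmed
    for seen in degraded:
        if s_up == 1:
            s = 0                 # upstream already flagged: stay silent
        else:
            s = 1 if seen else 0  # judge from the local monitors
        alarms.append(s)
        s_up = s if forward == "alarm" else (1 if seen else 0)
    return alarms

def attack_at(n_nodes, k):
    """Constructed observations: without regeneration, an attack injected at
    node k is visible at k and at every node downstream of it."""
    return [1 if i >= k else 0 for i in range(n_nodes)]

def sources(alarms):
    """Indices of the nodes that raised an alarm."""
    return [i for i, s in enumerate(alarms) if s == 1]

if __name__ == "__main__":
    obs = attack_at(6, 2)
    print("forwarding status:", sources(localize(obs, "status")))
    print("forwarding alarm: ", sources(localize(obs, "alarm")))
```

When every downstream node sees the degradation, forwarding only S lets the alarm reappear two hops below the source, while forwarding the observation status leaves a single alarm at the first affected node.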

6 Conclusion

Domestic research on attacks in all-optical networks is not very in-depth. In view of this, an all-optical network security management framework is proposed, and two new attack detection methods and an effective attack localization algorithm are derived, which will help people improve their network security awareness and prevent malicious attacks.
