Experiment-based detection of service disruption attacks in optical networks using data analytics and unsupervised learning

Lipp³

et al. 2020

J. Lightwave Technol.

Self Cite

In order to accomplish cost-efficient management of complex optical communication networks, operators are seeking automation of network diagnosis and management by means of Machine Learning (ML). To support these objectives, new functions are needed to enable cognitive, autonomous management of optical network security. This paper focuses on the challenges related to the performance of ML-based approaches for detection and localization of optical-layer attacks, and to their integration with standard Network Management Systems (NMSs). We propose a framework for cognitive security diagnostics that comprises an attack detection module with Supervised Learning (SL), Semi-Supervised Learning (SSL) and Unsupervised Learning (UL) approaches, and an attack localization module that deduces the location of a harmful connection and/or a breached link. The influence of false positives and false negatives is addressed by a newly proposed Window-based Attack Detection (WAD) approach. We provide practical implementation guidelines for the integration of the framework into the NMS and evaluate its performance in an experimental network testbed subjected to attacks, resulting with the largest optical-layer security experimental dataset reported to date.

Section: B Optical Network Security Managementmentioning

confidence: 99%

Section: Network-wide Attack Detection and Identification Approamentioning

confidence: 99%

Machine Learning for Optical Network Security Monitoring: A Practical Perspective

Furdek

Lipp³

et al. 2020

J. Lightwave Technol.

Self Cite

“…Then, a feature-wise analysis can be performed between the normal and anomalous samples. Depending on the use case, different metrics can be used for the feature-wise analysis, such as distance [4] and correlation [5] . The family of diagnostic tools supporting RCA can be enriched with the Anomaly Vector (AV) whose elements contain the average difference between the OPM features in the baseline and anomaly condition.…”

Section: The Root Cause Analysis Frameworkmentioning

confidence: 99%

“…Previous works have investigated ways to facilitate the identification of anomaly causes, e.g. via Root Cause Analysis (RCA) using a distance metric [4] or analysing shifts in OPM parameters correlation [5] . However, they either work with supervised learning (requiring prior knowledge of the anomalies to be detected) or with a few key OPM parameters.…”

Section: Introductionmentioning

confidence: 99%

Root Cause Analysis for Autonomous Optical Networks: A Physical Layer Security Use Case

2020 European Conference on Optical Communications (ECOC)

Giglio

Schiano

et al. 2020

Self Cite

“…In our previous work, we have experimentally investigated the detection of harmful signals to identify signatures of jamming attacks of varying intensities. To this end, we developed machine learning approaches based on supervised [3] and unsupervised learning [4], that analyzed the OPM data obtained for a particular connection, and identified whether it has been affected by a jamming attack. The approaches based on supervised learning were able to achieve 100% accuracy in attack identification [3], while previously unseen (zero-day) attack scenarios were detected in up to 92% of occurrences [4].…”

Section: Introductionmentioning

confidence: 99%

Network-Wide Localization of Optical-Layer Attacks

Furdek

Chan

Lecture Notes in Computer Science

et al. 2020

Self Cite

Optical networks are vulnerable to a range of attacks targeting service disruption at the physical layer, such as the insertion of harmful signals that can propagate through the network and affect co-propagating channels. Detection of such attacks and localization of their source, a prerequisite for secure network operation, is a challenging task due to the limitations in optical performance monitoring, as well as the scalability and cost issues. In this paper, we propose an approach for localizing the source of a jamming attack by modeling the worst-case scope of each connection as a potential carrier of a harmful signal. We define binary words called attack syndromes to model the health of each connection at the receiver which, when unique, unambiguously identify the harmful connection. To ensure attack syndrome uniqueness, we propose an optimization approach to design attack monitoring trails such that their number and length is minimal. This allows us to use the optical network as a sensor for physical-layer attacks. Numerical simulation results indicate that our approach obtains network-wide attack source localization at only 5.8% average resource overhead for the attack monitoring trails.Index Terms-optical network security, physical-layer attack detection, attack monitoring trails.