11.2. Crosstalk Attack Features and Monitoring Techniques
Among the attack methods listed previously, the crosstalk attack has the highest damage capabilities. In this case, an attacker injects a malicious signal with a very high power, far beyond the expected value. When this connection passes through a wavelength selective switch, the leakage energy (crosstalk) of this malicious connection significantly affects the normal connections passing through the same switch. Unlike other attacks, a crosstalk attack not only affects those connections that are sharing the same link or node with it, but also may induce attack capabilities to those connections that are attacked [3, 16–19] as explained below. We first describe the characteristics of crosstalk attacks and possible anti-attack mechanisms.
11.2.1. Crosstalk Attack Features
As depicted in Figure 11.1, the crosstalk attack happens at a wavelength switch and only affects the normal connections on the same wavelength. The attacker injects a strong signal into a switch, and the power leakage (crosstalk) from the malicious channel is superimposed on a normal channel that shares the same wavelength switch. The power of the malicious channel is high enough that just simply the power leakage can still greatly disturb a normal channel. It is also possible that the high energy on one wavelength may affect the signals on other wavelengths. However, for now we assume that the probability of such occurrences is low, and therefore, do not pursue this aspect further here.
Figure 11.1. Example of crosstalk attack using wavelength selective switches.
A crosstalk attack may also propagate as depicted in Figure 11.2. The original crosstalk attack occurs on node i, which carries connections 1 and 2. Connection 1 is originally a malicious attack connection. Because of the crosstalk attack from connection 1, the power of connection 2 is also beyond a certain threshold, so connection 2 itself has crosstalk attack capability. Thus, at node j, which carries connections 2 and 3, power leakage from connection 2 also superimposes on connection 3, therefore, connection 3 is also disturbed. This characteristic makes localization of the attack connection much more difficult.
11.2.2. Security Consideration
Security vulnerabilities that are specific to AONs stem from the characteristics of the physical devices, such as fiber and amplifiers. Thus, attack avoidance can only be achieved by a judicious design of components after understanding the security vulnerabilities and the techniques for detection, localization, and response to attacks. Network management in AONs must be able to differentiate an attack from normal network traffic problems caused, for example, by a physical failure. The strategy for protection and restoration of service due to hardware failure is simply to reroute the disturbed traffic connections [20–23]. However, these methods cannot be used to solve the problems caused by an attack. For example, consider an attack caused by connection 1 on node i, which has two connections, 1 and 2. If the network management system treats such an attack as a component failure, then it assumes that node i has failed and reroutes connections 1 and 2 to some other node, say j. After this rerouting, node j will appear as having failed because connection 1 will attack other normal connections on node j. The network management system may reroute all these channels to some other node k, and so on. Therefore, it is important for node i, which is under attack, to be able to identify an attack within its traffic stream and to differentiate it from a physical component failure.
11.2.3. Overview of Current Monitoring Methods
To detect attack signals, a sophisticated optical monitoring technique is required. With current techniques, we can monitor and detect some important features of optical signals. Typically, a monitoring device should be capable of measuring the following: the signal wavelength, signal power, and optical SNR. The following testing methods are available. We also describe their limitations.
Power Detection
Power detection over a wide band may be used to record an increase or decrease in power with respect to the expected value. The power detection technique is well suited to some problems such as amplifier failures. However, this alone is insufficient to detect a combination of in-band jamming attacks that increase average power and out-of-band jamming attacks that decrease power, as they might yield no difference in average received power. The power detection technique is also not satisfactory in the detection of gain competition attacks.
Optical Spectral Analyzers
Optical spectral analyzers (OSAs) display the spectrum of an optical signal. A significant programming effort is required to analyze the output of the OSA and map it to the generation of different types of alarms. Therefore, it is an expensive diagnostic tool for the automatic generation of network alarms. However, OSAs can detect those jamming attacks that seriously affect the optical spectrum.
Bit Error Rate Testers
Bit error rate testers (BERTs) operate by comparing a received pattern with the pattern that was known to have been sent. Given the number of discrepancies that are found, the bit error rate (BER) of the transmission is estimated. BERTs only examine a given test data sequence when this special sequence is transmitted. They do not test the actual data. The time it takes for a BERT to establish the BER will depend on the BER and the data rate. For instance, at 1 Gbps, it takes several seconds for a BERT to establish with good statistical accuracy that the BER has been degraded from 10–8 to 10–3. Moreover, some of the attacks may not seriously affect BER.
Pilot Tones
Pilot tones are signals that travel along the same links and nodes as the communication payload, but are distinguishable from the communication payload. Pilot tones are often at different carrier frequencies than the transmitted signal, and may also be distinguished from the communication payload by certain time slots or codes. The pilot tone technique may generate an alarm only if an attack is at the pilot wavelength. Thus, jamming attacks, for example, cannot be detected. Moreover, pilot tones themselves can be masked by malicious signals, such as gain competition attacks.
Optical Time Domain Refractometry
Optical time domain refractometries (OTDRs) are a special application of pilot tones. Rather than analyzing a pilot tone at the point where the communication signal is received, the pilot tone’s echo is analyzed. OTDRs are generally used to diagnose faults, bends, and losses in fibers. Thus, they are usually better adapted to detecting attacks that involve tampering. Since they operate by reflecting a signal back through the fiber, they may also provide information about other attacks that might be taking place. OTDRs with modulated signals can be used to detect jamming attacks as jamming attack signals can be returned in the reflections and observed. The detection efficiency for gain competition is dependent on the type of device. For example, a unidirectional amplifier, if attacked, cannot be detected.