**3.1 Protection and prevention of attacks**

The risks and damage associated with physical-layer attacks can be alleviated through careful network planning, employment of additional equipment, quick and accurate postattack recovery and optical cryptography. Achieving complete protection requires large investments by the network operator and may be economically unviable. Thus, an advantageous trade-off between the costs and achieved protection must be found. Attack protection may include the following measures (Fok et al., 2011; Médard et al., 1997):


Physical-Layer Attacks in Transparent Optical Networks 141

network nodes in the next few years, while the remaining nodes will still consist of

Some monitoring methods which can detect specific attack scenarios are elaborated in (Médard et al., 1997). These methods can rely on statistical analysis of the optical properties of transmitted signals or they can use special, dedicated signals. Statistical methods include wideband power detection and optical spectrum analysis. The first method measures the power over a wide bandwidth and reacts to deviations from statistically computed expected power levels. It may be able to detect a high-powered in-band jamming attack, but sporadic jamming attacks, jamming attacks which deteriorate the SNR without changing the power levels in the affected signals or tapping attacks which tap a very small amount of the total signal power may not be detectable by this method. The second method, i.e. optical spectrum analysis, measures the shape of optical signal spectrum. It is able to detect an outof-band jamming attack causing gain competition, but in-band jamming may go undetected if the attacking signal doesn't introduce significant spectrum changes. This method isn't very helpful at detecting tapping attacks, unless the analyzer is placed on the link which drains the tapped portion of the signal and under the condition that it is able to distinguish

Two of the most common monitoring methods which use dedicated signals are the pilot tone method and optical time domain reflectometry (OTDR). Pilot tones are special signals dedicated to detecting transmission interruption. They may be carried along the legitimate signal's path at a different frequency. Their application in detecting in-band jamming requires very complex scenarios, because a pilot tone can only detect jamming on the very same frequency. Furthermore, pilot tones may be jammed themselves, creating an opportunity to mask jamming on legitimate lightpaths. Gain competition attacks may be discovered by pilot tones, but only if they receive amplification from the same EDFA as affected lightpaths. Even in this case, the BER degradation of the pilot tone caused by gain competition may go undetected because their main purpose is only to assert availability of communication, and not the available QoS. Pilot tones provide little help in detection of tapping, which would require a significant degradation of the signal quality. The main principle of OTDR is to inject pilot tones onto a link and analyze its echo in order to determine fiber cuts or losses, which makes attack detection abilities of these two methods similar. Detection of in-band jamming differs from the pilot-tone method only in its occurrence at the front-end of the link. Due to the fact that EDFAs are unidirectional, the OTDR method will not be able to detect gain competition. On the other hand, it may be successful in detecting tapping, which causes discontinuities in the reflected pilot tone.

Once the presence of an attack is detected in the network, the NMS will try to eliminate it as soon as possible and re-establish reliable communication. Reaction from an attack at the optical layer should be fast and recovery should take place before the upper, slower network layers activate their reaction mechanisms. In most cases, the link on which the presence of an attack was detected will be switched off, which will trigger mechanisms for network survivability. Survivability mechanisms include protection, where resources are reserved for pre-computed backup paths of each of the working paths at lightpath setup time, and restoration, in which backup paths are computed upon a failure of the working

FOADMs (Zsigmond, 2011).

**3.3 Reaction to attacks** 

authorized from unauthorized communication.


Prevention may play a significant role in enhancing TON resilience to attacks, as well as the reduction of the deteriorating effects of attacks. The concept of attack-aware optical networks planning to reduce attack consequences was introduced in (Skorin-Kapov et al., 2010). By determining the mutual jamming attack relations between lightpaths, a novel objective criterion for the routing and wavelength assignment problem was defined, called the Lightpath Attack Radius (LAR). By minimizing the LAR of each lightpath through judicious routing, the maximum possible damage caused by such attacks can be reduced. In (Furdek et al., 2010c), a similar approach was developed for minimizing crosstalk effects caused by in-band jamming through judicious wavelength assignment. Our current ongoing work in attack-aware optical network planning is focused on survivability mechanisms and node power equalization placement.

#### **3.2 Attack detection**

Detection of an attack relies closely on reliable and accurate monitoring methods. In TONs, real-time monitoring must take place in the optical domain, without electronically interpreting the carried data. Descriptions of techniques for monitoring various optical signal parameters can be found in (Ho & Chen, 2009; Kilper et al., 2004). Depending on the technology, monitoring methods should be capable of measuring parameters such as channel power (peak and average) and aggregate WDM signal power, eye diagram, optical spectrum, polarization state, phase, pulse shape, Q-factor, chromatic and polarization-mode dispersion (PMD) etc. The measured parameters indicate the level of quality of aggregate WDM layer parameters, as well as individual signal quality parameters. Due to high prices of monitoring equipment, placing their minimal number in strategic locations and establishing supervisory channels able to detect as many faults as possible remains an important network planning problem. Today, there are commercially available reconfigurable optical switches which provide per-channel power and wavelength monitoring, such as that from (Cisco, 2011). Furthermore, they are usually equipped with variable optical attenuators and are, thus, able to dynamically react to excessive power levels on individual channels and thwart jamming attacks. However, these devices are not yet widely deployed. Currently, around 80% of deployed network nodes consist of fixed optical switches and add-drop multiplexers (FOADMs) whose power settings are determined in the system commissioning phase and do not offer the capability of dynamically managing power level fluctuations of incoming signals. Current market trends show a tendency of reconfigurable node usage increasing to 50% of

Optical encryption – protects communication confidentiality by making it

 Optical steganography – protects communication privacy by hiding the transmission between a pair of users underneath the public transmission channel. In this way, an attacker is unaware of the existence of communication, which makes it extremely difficult to perform tapping or jamming. However, the overall network vulnerability to jamming attacks may result in hidden communication being a collateral victim of

 Optical network survivability – intelligent protection schemes can increase resilience to attacks by switching the signals under attack to unaffected parts of the spectrum or to

Prevention may play a significant role in enhancing TON resilience to attacks, as well as the reduction of the deteriorating effects of attacks. The concept of attack-aware optical networks planning to reduce attack consequences was introduced in (Skorin-Kapov et al., 2010). By determining the mutual jamming attack relations between lightpaths, a novel objective criterion for the routing and wavelength assignment problem was defined, called the Lightpath Attack Radius (LAR). By minimizing the LAR of each lightpath through judicious routing, the maximum possible damage caused by such attacks can be reduced. In (Furdek et al., 2010c), a similar approach was developed for minimizing crosstalk effects caused by in-band jamming through judicious wavelength assignment. Our current ongoing work in attack-aware optical network planning is focused on survivability mechanisms and

Detection of an attack relies closely on reliable and accurate monitoring methods. In TONs, real-time monitoring must take place in the optical domain, without electronically interpreting the carried data. Descriptions of techniques for monitoring various optical signal parameters can be found in (Ho & Chen, 2009; Kilper et al., 2004). Depending on the technology, monitoring methods should be capable of measuring parameters such as channel power (peak and average) and aggregate WDM signal power, eye diagram, optical spectrum, polarization state, phase, pulse shape, Q-factor, chromatic and polarization-mode dispersion (PMD) etc. The measured parameters indicate the level of quality of aggregate WDM layer parameters, as well as individual signal quality parameters. Due to high prices of monitoring equipment, placing their minimal number in strategic locations and establishing supervisory channels able to detect as many faults as possible remains an important network planning problem. Today, there are commercially available reconfigurable optical switches which provide per-channel power and wavelength monitoring, such as that from (Cisco, 2011). Furthermore, they are usually equipped with variable optical attenuators and are, thus, able to dynamically react to excessive power levels on individual channels and thwart jamming attacks. However, these devices are not yet widely deployed. Currently, around 80% of deployed network nodes consist of fixed optical switches and add-drop multiplexers (FOADMs) whose power settings are determined in the system commissioning phase and do not offer the capability of dynamically managing power level fluctuations of incoming signals. Current market trends show a tendency of reconfigurable node usage increasing to 50% of

incomprehensible to an eavesdropper.

jamming public channels.

node power equalization placement.

**3.2 Attack detection** 

physically disjoint backup paths.

network nodes in the next few years, while the remaining nodes will still consist of FOADMs (Zsigmond, 2011).

Some monitoring methods which can detect specific attack scenarios are elaborated in (Médard et al., 1997). These methods can rely on statistical analysis of the optical properties of transmitted signals or they can use special, dedicated signals. Statistical methods include wideband power detection and optical spectrum analysis. The first method measures the power over a wide bandwidth and reacts to deviations from statistically computed expected power levels. It may be able to detect a high-powered in-band jamming attack, but sporadic jamming attacks, jamming attacks which deteriorate the SNR without changing the power levels in the affected signals or tapping attacks which tap a very small amount of the total signal power may not be detectable by this method. The second method, i.e. optical spectrum analysis, measures the shape of optical signal spectrum. It is able to detect an outof-band jamming attack causing gain competition, but in-band jamming may go undetected if the attacking signal doesn't introduce significant spectrum changes. This method isn't very helpful at detecting tapping attacks, unless the analyzer is placed on the link which drains the tapped portion of the signal and under the condition that it is able to distinguish authorized from unauthorized communication.

Two of the most common monitoring methods which use dedicated signals are the pilot tone method and optical time domain reflectometry (OTDR). Pilot tones are special signals dedicated to detecting transmission interruption. They may be carried along the legitimate signal's path at a different frequency. Their application in detecting in-band jamming requires very complex scenarios, because a pilot tone can only detect jamming on the very same frequency. Furthermore, pilot tones may be jammed themselves, creating an opportunity to mask jamming on legitimate lightpaths. Gain competition attacks may be discovered by pilot tones, but only if they receive amplification from the same EDFA as affected lightpaths. Even in this case, the BER degradation of the pilot tone caused by gain competition may go undetected because their main purpose is only to assert availability of communication, and not the available QoS. Pilot tones provide little help in detection of tapping, which would require a significant degradation of the signal quality. The main principle of OTDR is to inject pilot tones onto a link and analyze its echo in order to determine fiber cuts or losses, which makes attack detection abilities of these two methods similar. Detection of in-band jamming differs from the pilot-tone method only in its occurrence at the front-end of the link. Due to the fact that EDFAs are unidirectional, the OTDR method will not be able to detect gain competition. On the other hand, it may be successful in detecting tapping, which causes discontinuities in the reflected pilot tone.

#### **3.3 Reaction to attacks**

Once the presence of an attack is detected in the network, the NMS will try to eliminate it as soon as possible and re-establish reliable communication. Reaction from an attack at the optical layer should be fast and recovery should take place before the upper, slower network layers activate their reaction mechanisms. In most cases, the link on which the presence of an attack was detected will be switched off, which will trigger mechanisms for network survivability. Survivability mechanisms include protection, where resources are reserved for pre-computed backup paths of each of the working paths at lightpath setup time, and restoration, in which backup paths are computed upon a failure of the working

Physical-Layer Attacks in Transparent Optical Networks 143

(Rejeb et al., 2006a) investigate the local correlation of security failures and attacks at each OXC node and mechanisms to discover the tracks of multiple attacks through the network using as little monitoring information as possible. The correct functioning of this distributed algorithm relies on a reliable NMS which provides correct message passing and processing at local nodes. Namely, the algorithm uses updated connection and monitoring information at the input and output sides of any OXC node in the network. In order to decrease these tight requirements on monitoring information, the health of lightpaths which simultaneously propagate through OXC nodes is estimated through correlation with other lightpaths. When a node detects serious performance degradation along a lightpath at its output side, it runs a generic procedure for localizing the set of lightpaths which traverse this node and are most likely to be the offender. The localization procedure is then delegated to the next upstream node along each of these lightpaths which also registers

In (Stanic & Subramaniam, 2011), the authors propose a fault localization scheme which collects monitoring information from lightpaths which carry traffic and from additionally established supervisory lightpath, achieving complete fault localization coverage. The authors consider a monitoring model where each OXC node is capable of detecting in-band loss–of-light faults. The problem of deciding which supervisory lightpaths will be added to the given set of traffic lightpaths is formulated as an Integer Linear Program (ILP) and an efficient heuristic approach for computing the optimal set of supervisory lightpaths is

This chapter presents an overview of the vulnerabilities of Transparent Optical Networks (TONs) to various physical-layer attacks. Furthermore, methods for attack detection and localization, as well as various countermeasures against attacks are described. As a result of the vulnerabilities associated with TONs stemming from optical components, transparency and high speed, new approaches to network security are increasingly needed as networks migrate to all-optical transmission. Such security frameworks require new, tailored attack detection, localization and network restoration mechanisms. In addition to upgrading existing ways of dealing with network failures and attacks, significant attention should be paid to prevention mechanisms, attack-aware planning and improved optical monitoring

This work was supported by projects "A Security Planning Framework for Optical Networks (SAFE)", funded by the Unity Through Knowledge Fund (UKF) in Croatia, and

Arbués, P.G., Mas Machuca, C. & Tzanakaki, A. (2007). Comparative Study of Existing

OADM and OXC Architectures and Technologies from the Failure Behavior

036-0362027-1641, funded by the Ministry of Science, Education and Sports, Croatia.

performance degradation, and this is repeated until no such node is found.

proposed.

methods.

**6. References** 

**5. Acknowledgements** 

**4. Conclusion** 

path. Protection can be dedicated, where each backup path has its own dedicated resources, or shared, where resource sharing among backup paths of link-disjoint working paths is allowed. After finding a backup path for the affected connections, transmission will resume. Finding the exact location of the attack and disabling the attacker before re-establishing transmission of affected connections is crucial for this step. If these conditions are not met, protection resources may be wasted and switching the transmission to backup paths may even enhance attack propagation and worsen its effects.

A standardized approach for attack management has not yet been established. The main reason for this is the fact that optical monitoring technology hasn't yet reached its maturity and cannot provide reliable attack detection (Rejeb et al., 2006b), as well as the fact that the fault and localization methods design highly depends on the specific physical layer details (Rejeb et al., 2006a). Several frameworks for managing physical-layer attacks have been proposed in the literature. Reliable attack detection in some of them is based on the currently unrealistic assumption that all nodes are able to provide per channel monitoring, while others propose efficient monitoring placement policies, matching more realistic network scenarios.

Initial works on attack source identification date from the late 90's. In (Bergman et al., 1998), the authors propose a distributed algorithm for localizing jamming attacks based on the relation between the signal power metrics at the output and input of each node. Neighboring nodes exchange messages and determine the presence of an attack. The nodes are aware of their positions along every connection (i.e., whether they are upstream or downstream from the neighboring node they exchange messages with) so the algorithm is able to find the most upstream node which detects an attack along a connection, and thus can identify the source of the attack.

In the next decade, (Wu & Somani, 2005) provide a model of jamming attacks exploiting intrachannel crosstalk in optical switches with propagation capabilities, which enable affected lightpaths to acquire attacking capabilities and spread the attack to lightpaths which do not share any common physical components with the original attacker. They identify the assumption of all nodes being able to monitor all channels as unrealistic due to the high costs of this solution and propose a monitoring node model, their sparse placement, an additional test connection setup policy and a lightpath routing policy which is able to localize the source of a single crosstalk attack in the network.

In (Mas et al., 2005), the problem of finding the exact location of the failure is extended to the presence of single and multiple failures in cases where alarms can be false and/or lost. This problem is NP-complete even when no false or lost alarms exist. The algorithm is based on building a binary tree whose branches correspond to sets of network elements which will raise an alarm when a particular network component fails. Alarms differ according to the type of the failure and equipment used. When alarms are raised during network operation, the location of the failure is determined by traversing the binary tree and finding the components whose corresponding failures justify the received alarms. The authors also propose an optimal monitoring placement scheme for minimizing the number of network elements which are candidates to have a failure and, thus, minimizing the result given by the failure location algorithm.

(Rejeb et al., 2006a) investigate the local correlation of security failures and attacks at each OXC node and mechanisms to discover the tracks of multiple attacks through the network using as little monitoring information as possible. The correct functioning of this distributed algorithm relies on a reliable NMS which provides correct message passing and processing at local nodes. Namely, the algorithm uses updated connection and monitoring information at the input and output sides of any OXC node in the network. In order to decrease these tight requirements on monitoring information, the health of lightpaths which simultaneously propagate through OXC nodes is estimated through correlation with other lightpaths. When a node detects serious performance degradation along a lightpath at its output side, it runs a generic procedure for localizing the set of lightpaths which traverse this node and are most likely to be the offender. The localization procedure is then delegated to the next upstream node along each of these lightpaths which also registers performance degradation, and this is repeated until no such node is found.

In (Stanic & Subramaniam, 2011), the authors propose a fault localization scheme which collects monitoring information from lightpaths which carry traffic and from additionally established supervisory lightpath, achieving complete fault localization coverage. The authors consider a monitoring model where each OXC node is capable of detecting in-band loss–of-light faults. The problem of deciding which supervisory lightpaths will be added to the given set of traffic lightpaths is formulated as an Integer Linear Program (ILP) and an efficient heuristic approach for computing the optimal set of supervisory lightpaths is proposed.
