This invention relates generally to network management systems and more particularly to techniques for detecting malfunctions in communications networks.
As is known in the art, an all-optical network (AON) refers to a network which utilizes exclusively lightwave communication. In particular, an AON system refers to a system in which: all network-to-network interfaces are based on optical transmission, all user-to-network interfaces use optical transmission on the network side of the interface, and all switching and routing within AON network nodes is performed optically. One important advantage of maintaining an optical network core in comparison to using electro-optic components at nodes or in transmission systems is higher bandwidth. Typically, optical bandwidths are generally one hundred fold those of electronic bandwidths. Thus, avoiding optical/electronic/optical conversions can provide in some instances roughly one hundred times greater data rates than possible with electro-optic networks.
An optical network that allows routing and switching of data within the network without interpretation or regeneration of the individual data streams is referred to as a transparent network or as a network having a transparency feature. Within this context of transparency, we do not include all-optical techniques for data regeneration. Such techniques may be faster than electro-optic regeneration methods, but may be modulation or format dependent and, hence, non-transparent. While transparent networks have many desirable features (e.g. terminal upgrades do not require network upgrades), transparency has important ramifications for security.
Although contemporary AONs are still largely in the research arena, commercial providers are beginning to provide limited AON functions in their networks. Those AONs in the research arena may be generally classified into two types: wavelength division multiplexed (WDM), which separate multiple channels of traffic each onto its own wavelength, and time-division multiplexed (TDM), which separate multiple channels of traffic each into its own time slot. Code Division Multiple Access (CDMA) networks also exist. CDMA networks provide a multiple access scheme by using code sequences as traffic channels in a common optical channel. CDMA permits more than one signal to simultaneously utilize the channel bandwidth in a noninterfering manner. TDM networks to date have often employed soliton transmission and other features that will likely require further development to reach commercial maturity. Therefore, WDM AONs are more likely to be exploited in the near term than are TDM AONs.
Existing AONs are generally architected as circuit-switched networks. Circuit-switched networks are compatible with (1) existing telecommunication installations (long haul), (2) asynchronous transmission mode (ATM) networks, and (3) some multiplexing equipment often used with Internet networks. Fully operational packet-switched AONs have not been implemented, in part owing to the lack of a desirable optical memory.
AON architecture can generally be divided into optical terminals (which are the user-network interface), network nodes (which switch, route, and sometimes perform multiplexer/demultiplexer functions), and optically amplified fiber optic links. A separate control network (not always all-optical) is usually used for signaling purposes. The switching and routing may be done via mechanical switches, opto-electronic switches, passive optical routers, or splitter/combiners. Common network topologies include star, ring, and mesh. Some network architectures allow a hybrid mixture of network topologies.
Although there are a large number of possible architectures, most contemporary WDM AONs are built using a combination of a relatively small set of devices or components each of which has a security property. Some commonly used AON components are shown in Table 1.
One component of relative importance in AONs, as well as in other networks including but not limited to electro-optic networks, is the optical amplifier. Optical amplifiers are used in both nodes and links of AONs. Some optical amplifiers work by using a pump laser and a gain medium to amplify optical signals without converting them to electronic signals. One artifact of the amplification is amplified spontaneous emission (ASE) noise, which is added to the output of a signal exiting the amplifier.
Each of the components listed in Table 1 above is susceptible to some form of malfunction. As used herein, the term "malfunction" refers to any abnormal operational change, including but not limited to a degradation. A malfunction may cause a failure at one or more links or nodes and may have various causes, such as a security attack. A malfunction may affect signal channels having signal paths or routes which share devices with a nefarious user's channel. An understanding of the security properties of each component provides a reasonable foundation for predicting network vulnerabilities and suggesting robust architectures.
The above components have been integrated into testbeds to show the operations and limitations of AONs. AON demonstrations to-date have taken place mostly in government-funded testbeds or testbeds funded by consortia. In the United States, there are consortia involving academia, industry, and government. In particular, the AON, MONET, and NTONC consortia have multiple participating organizations and have all developed testbeds. In addition, the European RACE consortium, and the Japanese efforts have also developed testbeds. Various testbeds and laboratory experiments have demonstrated aggregate throughputs of over 1 Tbit/s. The traffic carried has consisted of Asynchronous Transfer Mode (ATM), Internet Protocol (IP), Synchronous Optical Network (SONET), Frame Relay, and digitized video.
The components of AONs and other networks, including non-AON networks, are each vulnerable to some form of denial of service or eavesdropping-type attack. Some attack methods of concern include jamming (i.e. the overpowering of legitimate network signals with illegitimate or attack signals), which can be used to degrade or deny service, and the exploitation of device crosstalk. Device crosstalk exists within a number of different optical devices, and is the phenomenon in which signals from one portion of the optical device leak into another portion of the same device. The crosstalk phenomenon can be used to implement service denial or eavesdropping attacks. It should be noted that signal interception and traffic analysis are both included under the eavesdropping heading as that term is used herein. It is thus desirable to detect malfunctions, including attacks such as eavesdropping attacks, in AONs and in other networks, including but not limited to electro-optic networks.
There are many reasons for which, in AONs, malfunctions must be detected and identified at all points in the network where malfunctions may occur, and the speed of detection should be commensurate with the data transmission rate of the network. One reason why the high data rates of AONs have an important consequence for malfunction detection is that large amounts of data can be affected in a short time. When a fixed-duration malfunction disrupts service, the amount of data affected is linearly proportional to the data rate. Similarly, in an eavesdropping attack the amount of data compromised is linearly proportional to the data rate. The larger amount of data (e.g. number of "bits in flight") on a particular fiber path for AONs versus electro-optic networks means more data is vulnerable to any particular malfunction than would be in a lower-rate network.
For example, one conventional approach to checking for malfunctions in existing networks is to use data verification at the network perimeter. In this approach, the check on the data may be end-to-end decoding such as is done in some existing electronic networks (e.g. frame relay). Extending this technique to AONs, the check on the data may be accomplished by performing a power test on the received signal. In a tera-bit per second (Tbit/s) optical network, perimeter detection of malfunction combined with a total network path delay on the order of milliseconds will result in gigabits of data having been attacked. Moreover if the AON is transparent, it will not always be possible to place decoding and checking mechanisms at several locations throughout the AON to overcome the latency problem since transparent AONs do not currently include components for interpretation and regeneration at which such checking mechanisms would typically be arranged in the network.
High AON data rates are not the only reason why identification of malfunctions should take place at all possible malfunction locations. An incorrect diagnostic may be given by the network management system. For example, consider a system in which a first channel (e.g. channel 1) attacks a second channel (e.g. channel 2) via crosstalk in a switch (in-band jamming). In this case, the output of the switch can be a channel with excessive power that causes a gain competition attack on a third channel (e.g. channel 3) at an amplifier. If a monitoring device at the amplifier detects the attack of channel 2 on channel 3, but the switch does not detect the attack of channel 1 on channel 2, the network management system may decide to disconnect channel 2. Indeed, the only information available to the network management system is that channel 2 is nefarious at the amplifier, even though channel 1 is the offending channel.
Generally, there exist several techniques that might be used to perform malfunction detection in AONs: (1) wideband power detection, (2) optical spectral analysis (OSA), (3) pilot tones, and (4) optical time domain reflectometry (OTDR). Each of these techniques has strengths and weaknesses with respect to an individual network architecture and malfunction methods. Particular strengths include the detection of single-location overt jammers by pilot tones, power detectors, and OSAs, as well as the possibility of OTDRs detecting certain eavesdropping attacks. Limitations include the fact that power detection and OSA techniques are susceptible to sporadic malfunctions, and pilot tone and OTDR techniques do not protect against eavesdropping.
It would, therefore, be desirable to provide a technique to protect unmodified existing devices via a "wrapper" technique (i.e. a technique which "fits around" communication devices but does not require modification of the devices). It would also be desirable to provide a technique which does not require in-the-field retrofitting of nodes and links in networks, including but not limited to AONs and electro-optic networks, at great economic cost to make secure an inherently insecure infrastructure. It would also be desirable to provide a technique for dealing with: (1) sporadic jamming, which attempts to disrupt service but "disappears" before it can be detected; (2) multipoint malfunctions, which attempt to thwart service and to avoid detection methods that attempt to localize them (these malfunctions are potentially much more pernicious if the attackers are well synchronized); (3) control system and protocol malfunctions, which attempt to confuse the network controlling mechanisms into believing failures exist, usually to provoke reactions that negatively affect the network services; and (4) sporadic jamming combined with a protocol malfunction (which can become even more problematic if cleartext headers are exploitable by an attacker). It would further be desirable to provide a technique that works for transparent networks, and is capable of operation with very high-speed communications (e.g. commensurate with rates of several Gbps).
In view of the above problems and limitations associated with prior art techniques, it becomes apparent that transparent AONs do not afford a single integrity test on either the input or the output of any device within the network. Except for simple tests (e.g. total power), no one quantitative test can be used for malfunction detection since the legitimate signal could be modulated in very many ways. However, according to the invention, consideration of device input signals and output signals together yields malfunction detection, even for a transparent AON.
In accordance with the present invention, apparatus and techniques are described for providing a quantitative test to be used for operation monitoring and/or malfunction detection based on the concept that the input and output signals of a device have a mathematical relationship that is well known by the network management system that controls the service. In particular, malfunction detection is achieved by determining whether or not a function of the input and output signals conforms to an a priori known set of parameters.
In one embodiment, an apparatus for detecting malfunctions on an optical device, or element, in a transparent all-optical network or an electro-optic network includes (a) means for coupling a portion of an input signal of the optical device to an optical processing unit; (b) means for coupling a portion of an output signal from the optical device to the optical processing unit; and (c) means for comparing the portion of the input signal and the portion of the output signal to a predetermined set of parameters. Illustrative optical devices include operational nodes, amplified links, and the components listed in Table 1.
In accordance with a further aspect of the present invention, a method for detecting malfunctions on an optical device in a transparent all-optical network or an electro-optic network includes the steps of (a) coupling to an optical processing unit a portion of an input signal to the optical device; (b) coupling to the optical processing unit a portion of an output signal from the optical device; and (c) comparing the portion of the input signal and the portion of the output signal to a predetermined set of parameters.
With the above-described apparatus and techniques, detection defenses are provided against sporadic jamming, and against multipoint malfunctions assuming an algorithm running in a network management system integrates information from several devices or nodes in the network. Also, since it is not necessary to modify existing optical or AON devices, the described apparatus and techniques for implementing security measures are less expensive than field retrofitting of nodes, links, and other optical devices in AONs and electro-optic networks. Thus the present invention avoids the economic limitations encountered in the cost of retrofitting an inherently insecure infrastructure to make it more secure. Furthermore, the methods and apparatus proposed herein are relatively simple to implement, thereby further reducing costs below other apparatus and techniques which require changing existing AON devices.
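As an added example (not from the patent), the following Python models the wrapper check and the management-system integration rule on the crosstalk and gain-competition scenario described above: each wrapper compares tapped input and output powers of one device to a priori parameters (a provisioned input power window and an expected gain), and the management rule takes the first device along the signal path whose wrapper reports a deviation as the malfunction location. Device names, gain figures, power windows and tap readings are all constructed.

```python
from dataclasses import dataclass

@dataclass
class DeviceParams:
    """A priori parameters held by the management system for one wrapped device
    (constructed): per-channel expected gain (output minus input, dB), the
    provisioned input power window (dBm), and a tolerance on the transfer check."""
    name: str
    gain_db: dict           # channel -> expected output - input (dB)
    input_window_dbm: dict  # channel -> (min, max) provisioned input power (dBm)
    tol_db: float = 0.5

def wrapper_check(dev, pin_dbm, pout_dbm):
    """One wrapper: compare tapped input and output powers of a device against
    its parameters. Returns (input_out_of_spec, transfer_deviation): channels
    arriving outside the provisioned window, and channels whose output is not
    input + expected gain within tolerance."""
    in_bad, xfer_bad = [], []
    for ch, g in dev.gain_db.items():
        lo, hi = dev.input_window_dbm[ch]
        if not lo <= pin_dbm[ch] <= hi:
            in_bad.append(ch)
        if abs(pout_dbm[ch] - (pin_dbm[ch] + g)) > dev.tol_db:
            xfer_bad.append(ch)
    return in_bad, xfer_bad

def localize(path):
    """Management-system rule: path is [(DeviceParams, pin, pout), ...] in
    propagation order. The first device whose wrapper reports anything is the
    malfunction location; a channel arriving out of spec there is the suspected
    source and channels with a transfer deviation are the victims. Alarms at
    downstream devices are treated as consequences, not as new offenders."""
    for dev, pin, pout in path:
        in_bad, xfer_bad = wrapper_check(dev, pin, pout)
        if in_bad or xfer_bad:
            return {"device": dev.name, "suspect": in_bad, "affected": xfer_bad}
    return None

# Constructed scenario: channel 1 arrives hot and jams channel 2 via switch
# crosstalk; the over-powered channel 2 then starves channel 3 of gain at the
# amplifier, which carries only channels 2 and 3 (channel 1 is switched elsewhere).
SWITCH = DeviceParams("switch", {1: -1.0, 2: -1.0, 3: -1.0},
                      {1: (-12, -8), 2: (-12, -8), 3: (-12, -8)})
AMP = DeviceParams("amplifier", {2: 20.0, 3: 20.0},
                   {2: (-13, -9), 3: (-13, -9)})
switch_in  = {1: 5.0, 2: -10.0, 3: -10.0}   # channel 1 is 15 dB above its window
switch_out = {1: 4.0, 2: -6.0, 3: -11.0}    # crosstalk lifts channel 2 by 5 dB
amp_in     = {2: -6.0, 3: -11.0}
amp_out    = {2: 14.0, 3: 4.0}              # channel 3 loses 5 dB to gain competition
PATH = [(SWITCH, switch_in, switch_out), (AMP, amp_in, amp_out)]

def diagnose():
    """Integrated verdict: switch is the location, channel 1 the suspect."""
    return localize(PATH)
```

With only the amplifier instrumented, `wrapper_check(AMP, ...)` reports channel 2 as out of spec and channel 3 as degraded, which is exactly the view that leads a management system to disconnect channel 2; the switch wrapper upstream is what lets `localize` attribute the malfunction to channel 1 at the switch instead.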
The apparatus and techniques of the present invention provide a security "wrapper" which fits around communication devices but, as noted above, does not require modification of the devices. Wrappers can be placed or removed without changing the functionality of a device. Such an approach provides flexibility, ease of upgrade and applicability to different types of devices. Moreover, having a wrapper at a single device provides a determination that a malfunction occurred at that particular device. Such accurate pinpointing is useful for diagnostics which react to malfunctions. The detection methods are applicable to any modulation and encoding scheme and work without knowledge of which particular scheme is used; thus the techniques of the present invention work for transparent nodes. Further, the detection schemes described herein require relatively little processing and thus are relatively rapid. The schemes therefore operate efficiently for very high-speed communications, such as on the order of several Gbps.
In accordance with a still further aspect of the present invention, an optical comparator for comparing an input signal of an optical device with an output signal from the optical device includes: (a) a polarization controller having a first input port receiving a portion of the input signal and having an output port; (b) a second polarization controller having a first input port receiving a portion of the output signal and having an output port; and (c) an optical hybrid having a first input port coupled to the output port of the first polarization controller and a second input port coupled to the output port of the second polarization controller and having a plurality of output ports.
With this particular arrangement, an optical comparator is provided for detecting perturbations in an optical component by comparing the input and output signals of the device. In some applications, the unwanted perturbations detected correspond to those introduced by a nefarious attacker in the optical component. In communication systems, it is desirable to detect malfunctions and sense such signal differences as rapidly as possible, at frequencies approaching the data rate, as is possible with the described optical comparator.
The optical comparator may further include a phase shifter coupled between the output port of the first polarization controller and the first input port of the optical hybrid. With this arrangement, the relative phase between the output signals from the two polarization controllers can be changed. The optical comparator may further include a plurality of optical to electrical signal converters, such as photodetectors, having input ports coupled to respective ones of the output ports of the optical hybrid and having output ports coupled to an optical phase controller which controls the phase of the phase shifter.