Conference PaperPDF Available

Towards Secure and Self-Diagnosable Optical Networks



Given the pivotal role of optical networks in supporting critical societal services, their robustness to deliberate attacks targeting disruption at the physical layer requires advanced approaches for security assurance, diagnostics and response. This paper analyzes the necessary advancements in optical network security needed to achieve secure and self-diagnosable systems. Keywords-optical network security, attack signature, security diagnostics, attack-aware network design, attack detection, attack recovery.
Towards Secure and Self-Diagnosable
Optical Networks
Marija Furdek
School of Electrical Engineering and Computer Science
KTH Royal Institute of Technology
Stockholm, Sweden
AbstractGiven the pivotal role of optical networks in
supporting critical societal services, their robustness to
deliberate attacks targeting disruption at the physical layer
requires advanced approaches for security assurance,
diagnostics and response. This paper analyzes the necessary
advancements in optical network security needed to achieve
secure and self-diagnosable systems.
Keywordsoptical network security, attack signature,
security diagnostics, attack-aware network design, attack
detection, attack recovery.
Optical networks are a critical part of communication
infrastructure responsible for transferring immense amounts
of data generated by services indispensable for a vital and
functional society. Security breaches that violate
confidentiality, integrity or availability of communication at
the optical layer can proliferate to multiple network layers
that reside on top of it, magnifying the detrimental effects
across the entire network stack. In spite of such tremendous
significance, optical communication infrastructure has
traditionally been viewed as secure, and little attention has
been paid to optical network security. In a changing cyber-
security landscape, where malicious attacks are in general
becoming ever larger in size, magnitude and sophistication,
and the deployment of critical optical network infrastructure
is widely exceeding a secure perimeter, optical network
security is receiving increasing attention from researchers in
industry and academia.
Optical-layer security threats are typically categorized
using the well-established division according to the objective
of the attacker into eavesdropping and service disruption
attacks. In an eavesdropping attack, the adversary gains
unauthorized access to the optical signal (e.g., by bending the
fiber and detecting the leaked light) and the unprotected
carried data. The carried information can be protected by
encrypting it at different network layers. More and more
equipment vendors offer devices for ‘in-flight’ data
encryption at the optical layer to protect the aggregate data at
line rates beyond 100/200 Gbit/s, allowing for secure end-to-
end communication between data centers and enterprise
sites. In addition, significant efforts are invested into post-
quantum cryptography and quantum key distribution, which
are out of scope of this study.
In service disruption attacks, which are in the focus of
this paper, the attacker can damage critical optical
components (e.g., cut an important fiber link or disable a
node), insert a harmful signal (e.g., jamming), or tamper with
the properties of the carried signals (e.g., via external
modulation) and degrade their quality [1]. In order to
increase the security of the optical network from such
attacks, substantial, multifaceted efforts are needed in
developing advanced security assurance, diagnostics, and
threat response approaches. Security assurance encompasses
actions aimed at assuring a certain level of security and
managing the related risks. Security diagnostics entail
detection of security breaches and identification of their
cause. Threat response refers to handling of security
incidents and recovery of affected services. The challenges in
realizing the above approaches in optical networks emanate
from several complicating factors. These primarily refer to
the high heterogeneity and complexity of the optical network
infrastructure shared among a multitude of users and
services, the technological and deployment limitations of
optical performance monitoring (OPM) devices, the limited
availability of physical-layer security information to the
network management system, the lack of data analytic
frameworks for attack identification and incident response
approaches, and the immense amount of traffic stressing the
scalability of security approaches. The remainder of this
paper summarizes key challenges and outlines possible
solutions towards enabling secure and self-diagnosable
optical networks.
Today’s optical networks are a multi-domain ecosystem
of heterogeneous devices with diverse capabilities, ranging
from legacy equipment with low flexibility to programmable
and agile state-of-the-art components. Moreover, they
aggregate traffic from multiple services with different
security requirements, and carry it across large geographical
areas with different geopolitical circumstances, making
security assurance and risk assessment challenging.
A basic security measure is to minimize the attack
surface, i.e., network exposure to attack, potential intrusion
points, or the extent of potentially incurred damage. At the
optical layer, this can entail, for example, designing the
network topology in a way which aggravates the effort an
attacker needs to invest into causing wide-spread service
disruption. In a data center environment, where replicas of
content are distributed across multiple geographical locations
and users can connect to any network node that hosts the
desired content in an anycast manner, selecting the number
of replicas and their locations plays an important role in
network robustness to targeted link cuts. Approaches for
identification of critical fiber links whose cutting maximizes
the connectivity interruption and reduces accessibility to
content, as well as sparse link addition and content
placement strategies to increase network robustness can be
found in [2] and [3], respectively.
An example illustrating the impact of replica placement
on the content accessibility under link cut attacks is shown in
Fig. 1a). In an effort to maximize the disruption, the two
links with the highest centrality (5-7 and 6-8) are cut by an
attacker. In the top solution, the two most central nodes
(nodes 5 and 6) host the content and the attack disconnects
five network nodes (nodes 7 to 11) from it. The measure of
Average Content Accessibility (ACA) [3] quantifies the
This article is based upon work from Celtic-Plus project SENDATE-
EXTEND and COST Action 15127 RECODIS.
portion of nodes which lose access to a replica in the
considered attack scenario. In the bottom solution, where
nodes 3 and 9 host the content, the considered attack scenario
does not disconnect any nodes, and it takes much greater
effort to prevent network nodes from accessing content.
In order to enhance security from attacks that rely on
insertion of harmful signals, careful assignment of physical
routes and spectrum to optical connections can reduce the
extent of damage caused by anticipated attacks and confine it
to a subset of known connections [4]-[6]. Moreover,
specialized devices for monitoring [7] and/or thwarting [8]
harmful signals can be placed at strategic network locations
to further enhance the security from the corresponding
service disruption attacks.
Real-time tracking of optical network performance is a
fundamental prerequisite for quick and accurate attack
detection. Optical performance monitoring (OPM)
encompasses estimation and acquisition of different physical
parameters of transmitted signals [9]. A major obstacle in
detection of physical-layer threats is the inability of current
optical networks to acquire extensive real-time information
about the signals’ physical states. Namely, OPM is costly
and there is no standard set of OPM parameters supported by
the monitoring devices (typical OPM parameters include
average and peak optical signal power, optical spectrum, eye
diagram, polarization state, dispersion, and optical/carrier
phase characteristics). Instead, it greatly depends on the
details of the physical network design and OPM device
deployment, which is cost-constrained and, consequently,
sparse. Therefore, efficient detection of security breaches
calls for intelligent approaches for analyzing the security
status of individual connections, and for correlating such
status across the network in order to meet two main
i. How to distinguish when a particular connection is
affected by an attack?
ii. How to identify which network element (e.g., link or
node) is the ground zero of a physical-layer breach?
Since the existing physical-layer attack models are
scarce, attack detection approaches are very limited as well.
A major step forward in achieving situational awareness in
optical networks is enabled by the introduction of machine
learning (ML) techniques. ML-based techniques can achieve
great benefits in solving problems where explicit statistical
characterization is difficult or unknown. When physical-layer
security is considered, it is extremely difficult to explicitly
model the consequences of a variety of known and
forthcoming attack methods, making security situation
assessment an ideal ground for the application of machine
learning methods. An ML-based approach for detection of
power jamming attacks of different intensities was recently
proposed in [10], by analyzing the resulting degradation of
the considered optical channel. The artificial neural network
approach proposed therein analyzes 25 different OPM
parameters provided by the coherent receiver at the
connection destination, and is able to identify an attack and
its intensity with 93% average accuracy.
Being able to identify when a connection is affected by
an attack by analyzing the rich OPM data set at its
destination, where the signal must be detected in any case,
realizes an important prerequisite for discovering attack
patterns at the network level. Existing approaches for
detection of high-power signal insertion attacks [11][12]
track power surges associated with an attack along each
connection, requiring knowledge of real-time status of all
connections at the input and the output ports of all nodes in
the network. Aside from their limited applicability to only
attacks which cause power surges, these solutions are costly
and unscalable in the current networks that support tens or
hundreds of nodes and hundreds of high-capacity
connections, possibly causing alarm storms and putting a
tremendous burden of message parsing on the control plane.
A promising approach to attack source identification is
correlating the security status of different connections and,
based on their affected subset, deducing the insertion point
and/or the propagation path of the attack. Fig. 2 illustrates a
promising approach for identifying the attacking connection
that carries a harmful signal based on attack syndromes [13].
An attack syndrome is a binary word that describes the scope
of a considered attack scenario, and is defined for each
potential source of attack. Each bit in the syndrome
represents one connection, and its value set to 1’ signifies
that the corresponding connection is identified as degraded
by an attack (‘0’ otherwise). The attack syndrome is then
compared to the known syndromes in the database to identify
the source of the breach. In this way, the optical network acts
as a sensor for physical-layer attacks and enables security
self-diagnostic abilities.
To provide a meaningful diagnostic insight, attack
syndromes of each potential source of attack must be unique.
For the routing example shown in the top of Fig. 2,
connections C1, C2 and C3 have matching syndromes, as do
connections C4 and C5. The shown syndromes are formed for
Content-hosting node
Average Content
|{7,8,9,10,11}|/11 = 45%
Average Content
Accessibility: 100%
Fig. 1. The impact of content placement on the accessibility of content
when two most central links are deliberately cut.
C1 C2 C3 C4 C5
C1 1 1 1 0 0
C2 1 1 1 0 0
C3 1 1 1 0 0
C4 0 0 0 1 1
C5 0 0 0 1 1
C1 C2 C3 C4 C5 P
C1 1 1 0 0 0 1
C2 1 1 0 0 0 0
C3 0 0 1 0 0 0
C4 0 0 0 1 1 1
C5 0 0 0 1 1 0
Attack syndromes:
Fig. 2. Localization of the harmful connection through security status
correlation by means of attack syndromes. Tailored routing and strategic
addition of attack monitoring probes reduces syndrome ambiguity.
a jamming attack scenario, by assuming that any connection
can carry a jamming signal inserted at its source node,
propagating to the destination node, and affecting all
connections that share a common link with it. Syndrome
ambiguity can be resolved through tailored routing aimed at
reducing the number of generated matching attack
syndromes, as well as sparsely adding attack monitoring
probes. A solution with slightly different connection routing
and an added monitoring probe P, shown in the bottom part
of Fig. 2, is capable of unambiguously identifying the
harmful connection by means of unique attack syndromes.
Note that this solution also reduces attack surface, i.e., the
number of connections which can be affected if C1, C2 or C3
carries a harmful signal is lower than in the upper figure.
Recovery from security breaches implies an appropriate,
automated reaction of the network management system to
compensate for the degradation induced by an attack and
restore operability of the affected services. Depending on the
attack method, connections can be recovered by changing
their allocated spectrum to a band unaffected by the attack.
Changing the higher-order modulation format to a lower-
order one with smaller sensitivity to physical-layer
impairments (e.g., crosstalk) aggravated by the harmful
signal can also reduce the effect of some service disruption
attacks, particularly those of lower intensity. Such approach
could leverage on the well-known distance-adaptive
modulation format assignment [14] and the field-trialed
approaches for recovery from soft failures via modulation
format adaptation [15].
In more severe attack scenarios, the affected connections
should be rerouted to an alternative path. In doing so, it is
important to ensure that the backup resources are not within
reach of the same attack, which would render the rerouting
futile. An approach for modeling the attack scope of the
working and the backup path of a connection by means of
attack groups can be found in [16]. Therein, protection from
jamming attacks is ensured by guaranteeing that the working
and the backup path of a connection do not share common
elements in their attack groups, i.e., they are not subject to
the same attack.
In data center networks, content placement, assignment
of working and backup data centers, and routing of the
respective paths can also play a significant role in recovery
from service disruption attacks, as illustrated on a simple
example in Fig. 3. In the solution shown in the left side of the
figure, the harmful signal affects both the working and the
backup path of both connections on their common links 3-5
and 6-8. The solution to the right side uses slightly different
content placement and path routing, and is not affected by
the considered attack scenario.
This paper focused on progress and issues in designing
and operating secure and self-diagnosable optical networks
in the presence of physical-layer breaches, primarily those
aimed at service disruption. While the related efforts are
picking up pace, a number of challenges remain to be
addressed. These primarily refer to a predominant lack of
security monitoring and response systems which would
collect OPM data in real time, analyze it to identify
signatures of various threats, share with relevant subsystems
and stakeholders, and autonomously decide on fast recovery
The author gratefully acknowledges the contributions of Carlos
Natalino and Prof. Lena Wosinska (KTH), Prof. Vincent Chan
(MIT), Marco Schiano and Andrea Di Giglio (Telecom Italia),
Federico Pederzolli and Domenico Siracusa (Fondazione Bruno
Kessler), to the presented security diagnostics concepts and
[1] N. Skorin-Kapov, M. Furdek, S. Zsigmond, L. Wosinska, “Physical-
layer security in evolving optical networks,” IEEE Commun. Mag.,
vol. 54, no. 8, pp. 110-117, Aug. 2016.
[2] C. Natalino, A. de Sousa, L. Wosinska, M. Furdek, “On the trade-offs
between user-to-replica distance and CDN robustness to link cut
attacks,” in Proc. IEEE RNDM, Aug. 2018.
[3] C. Natalino, A. Yayimli, L. Wosinska, M. Furdek, “Infrastructure
upgrade framework for content delivery networks robust to targeted
attacks,” Opt. Switch. Netw., in press.
[4] N. Skorin-Kapov, J. Chen, L. Wosinska, “A new approach to optical
network security: Attack-aware routing and wavelength assignment,”
IEEE/ACM Trans. Netw., vol. 18, no. 3, pp. 750-760, Nov. 2009.
[5] M. Furdek, N. Skorin-Kapov, M. Grbac, Attack-aware wavelength
assignment for localization of in-band crosstalk attack propagation,”
IEEE/OSA J. Opt. Commun. Netw., vol. 2, no. 11, pp. 1000-1009,
Nov. 2010.
[6] K. Manousakis, G. Ellinas, Attack-aware planning of transparent
optical networks,” Opt. Switch. Netw., vol. 19, no. 2, pp. 97-109, Jan.
[7] D. Monoyios et al., “Attack-aware resource planning and sparse
monitoring placement in otpical networks,” Opt. Switch. Netw., vol.
29, pp. 46-56, July 2018.
[8] N. Skorin-Kapov, A. Jirattigalachote, L. Wosinska, “An ILP
formulation for power equalization placement to limit jamming attack
propagation in transparent optical networks,” Security Comm. Netw.,
vol. 7, no. 12, pp. 2463-2468, Dec. 2014.
[9] Z. Dong et al., “Optical performance monitoring: A review of current
and future technologies,” IEEE/OSA J. Lightwave Technol., vol. 34,
no. 2, pp. 252-543, 2016.
[10] C. Natalino, M. Schiano, A. Di Giglio, L. Wosinska, M. Furdek,
“Field demonstration of machine-learning-aided detection and
identification of jamming attacks in optical networks,” in Proc.
ECOC, We2.58, Sept. 2018.
[11] R. Bergman et al., “Distributed algorithms for attack localization in
all-optical networks”, in Proc. NDSS, USA, 1998.
[12] R. Rejeb et al., “Multiple attack localization and identification in all-
optical networks”, Opt. Switch. Netw., vol. 3, no. 1, pp. 41-49, 2006.
[13] F. Pederzollli, M. Furdek, D. Siracusa, L. Wosinska, “Towards secure
optical networks: A framework to aid localization of harmful
connections,” in Proc. OFC, Th2A, Mar. 2018.
[14] L.R. Costa, G.N. Ramos, A.C. Drummond, “Leveraging adaptive
modulation with multi-hop routing in elastic optical networks,
Comp. Netw., vol. 105, pp. 124-137, May 2016.
[15] N. Sambo et al., “Dynamic (re)configuration of optical network based
on monitoring information: A field trial,” in Proc. ACP
NETWORKS, NeM2F.3, July 2018.
[16] M. Furdek, N. Skorin-Kapov, L. Wosinska, Attack-aware dedicated
path protection in optical networks,” IEEE/OSA J. Lightwave
Technol., vol. 34, no. 4, pp. 1050-1061, Feb. 2016.
Content-hosting node
Working path Backup path Harmful signal
... Management of opticallayer security has been in focus of substantial research efforts worldwide. It can broadly be classified into [12]: (i) security assurance through modeling of attack consequences and attack surface minimization [13]- [16]; (ii) security assessment through monitoring and detection of attacks, which is the primary goal of this work; and (iii) attack recovery through re-configuration of affected connections, attack source neutralization and network adaptation [17], [18]. ...
Full-text available
Optical networks are critical infrastructure supporting vital services and are vulnerable to different types of malicious attacks targeting service disruption at the optical layer. Due to the various attack techniques causing diverse physical- layer effects, as well as the limitations and sparse placement of optical performance monitoring devices, such attacks are difficult to detect, and their signatures are unknown. This paper presents a Machine Learning (ML) framework for detection and identification of physical-layer attacks, based on experimental attack traces from an operator field-deployed testbed with coherent receivers. We perform in-band and out-of-band jamming signal insertion attacks, as well as polarization modulation attacks, each with varying intensities. We then evaluate 8 different ML classifiers in terms of their accuracy, and scalability in processing experimental data. The optical parameters critical for accurate attack identification are identified and the generalization of the models is validated. Results indicate that Artificial Neural Networks (ANNs) achieve 99.9% accuracy in attack type and intensity classification, and are capable of processing 1 million samples in less than 10 seconds.
Conference Paper
Full-text available
Content Delivery Networks (CDNs) are a key enabler for geographically-distributed content delivery with high throughput and low latency. As CDNs utilize the underlying optical core network infrastructure, they inherit its vulnerability to targeted link cut attacks which can cause severe service degradation. One of the fundamental problems in CDN configuration is deciding on the placement of content replicas across the underlying network of data centers, which should obtain balance among multiple, often conflicting performance criteria. This paper investigates the implications of minimizing the average distance between the users and the content replicas on the CDN robustness to targeted link cuts. To this end, we compute Pareto-optimal replica placement solutions with minimal user-to-replica distance and maximal robustness to link cut attacks of the highest damaging potential. k-best replica placement solutions in terms of the user-to-replica distance are calculated by formulating the problem as an Integer Linear Programming (ILP) exact method. For each replica placement solution, the worst case link cut attack scenario is identified by defining the Critical Link Set Detection (CLSD) problem. CLSD returns the link set whose cutting disconnects the maximal number of nodes from the content. We develop an ILP model for the CLSD and evaluate the robustness of the resulting CDN attack scenario in terms of mean content accessibility. The approach is evaluated through extensive simulations on real-world reference topologies, indicating that it is possible to improve the robustness to link cuts at the expense of small user-to-replica distance penalties. Moreover, the improvement of robustness is more significant for topologies with smaller average node degree and when cuts involve a larger number of links.
Full-text available
This work presents joint optimization algorithms for lightpath establishment as well as sparse placement of optical performance monitoring (OPM) equipment in optical networks. OPMs are necessary to efficiently monitor the impact of physical layer attacks and are usually placed at locations that are more probable to be impacted by jamming attacks. A jamming attack is defined as a harmful signal interference with other signals, leading to service degradation, that is possible through intra-channel or inter-channel crosstalk effects. An Integer Linear Program (ILP) formulation is proposed to solve the problem of attack-aware routing and wavelength assignment (Aa-RWA), jointly with the placement of OPM equipment, in order to minimize the impact of physical layer jamming attacks in optical networks. Moreover, a Genetic Algorithm (GA) is proposed to solve the same optimization problem. The proposed GA algorithm is compared to the ILP formulation as well as to an attack-unaware RWA algorithm that has as an objective the minimization of the number of wavelengths required to accommodate all traffic demands, not accounting for the crosstalk interactions. Simulation results indicate that the proposed GA algorithm provides a solution that is close to the optimal in terms of crosstalk interactions, while also providing a very good solution in resource usage, measured in terms of the required number of wavelengths.
Full-text available
Due to the high data-rates in optical networks, physical-layer attacks targeting service degradation, such as power jamming, can potentially lead to large data and revenue losses. Conventional network survivability approaches which establish link-disjoint working and backup paths to protect from component faults may not provide adequate protection for such attacks. Namely, the working and the backup paths, although link-disjoint, might both be affected by a single attack scenario due to specific attack propagation characteristics. To enhance existing survivability approaches, we utilize the concept of an Attack Group (AG) which incorporates these characteristics to identify connections which can simultaneously be affected by a single attack. We apply this concept to Dedicated Path Protection (DPP) and develop Attack-Aware DPP (AA-DPP) approaches which aim to establish AG-disjoint primary and backup paths in a cost-effective manner. We provide a 2-step ILP formulation for the routing and wavelength assignment of the working and backup paths, as well as a heuristic for larger problem instances. Numerical results indicate that the proposed approaches provide dedicated path protection schemes with enhanced attack protection without using more resources (i.e., wavelengths, average path lengths) than standard DPP methods.
Content Delivery Networks (CDNs) are crucial for enabling delivery of services that require high capacity and low latency, primarily through geographically-diverse content replication. Optical networks are the only available future-proof technology that meets the reach and capacity requirements of CDNs. However, the underlying physical network infrastructure is vulnerable to various security threats, and the increasing importance of CDNs in supporting vital services intensifies the concerns related to their robustness. Malicious attackers can target critical network elements, thus severely degrading network connectivity and causing large-scale service disruptions. One way in which network operators and cloud computing providers can increase the robustness against malicious attacks is by changing the topological properties of the network through infrastructure upgrades. This work proposes a framework for CDN infrastructure upgrade that performs sparse link and replica addition with the objective of maximizing the content accessibility under targeted link cut attacks. The framework is based on a newly defined content accessibility metric denoted as μ-ACA which allows the network operator to gauge the CDN robustness over a range of attacks with varying intensity. Two heuristics, namely Content-Accessibility-Aware Link Addition Heuristic (CAA-LAH), and Content-Accessibility-Aware Replica Addition Heuristic (CAA-RAH) are developed to perform strategic link and replica placement, respectively, and hamper attackers from disconnecting users from the content even in severe attack scenarios. Extensive experiments on real-world reference network topologies show that the proposed framework effectively increases the CDN robustness by adding a few links or replicas to the network.
Conference Paper
We demonstrate dynamic reconfiguration based on an innovative control paradigm, named pre-programming. Experiment has been successfully carried on in a field trial at Telecom Italia.
The technology used for data transmission in optical networks is going through significant changes in response to the rapid growth of Internet traffic and emerging high performance applications, boosting research on how to satisfy the increasing demands with the available resources. In this scenario, the elastic optical networks paradigm enables improved provisioning through flexibility and scalability in spectrum assignment. This work proposes data and optical grooming and the use of spectral modulation control as a solution to the Routing, Modulation Level, and Spectrum Allocation problem in a dynamic traffic context. The proposed algorithm obtains the greatest spectrum aggregation possible using higher modulation levels through multiple hops in the virtual topology. Experiments show that this approach results in reduced blocking without impacting the use of the network’s resources.
Optical performance monitoring (OPM) is the estimation and acquisition of different physical parameters of transmitted signals and various components of an optical network. OPM functionalities are indispensable in ensuring robust network operation and plays a key role in enabling flexibility and improve overall network efficiency. We review the development of various OPM techniques for direct-detection systems and digital coherent systems and discuss future OPM challenges in flexible and elastic optical networks.
This work presents algorithms for the planning phase of wavelength division multiplexed (WDM) optical networks considering the impact of physical layer attacks. Since the signals in transparent WDM networks are transmitted all-optically without undergoing any Optical-Electrical-Optical (OEO) conversions, these networks are vulnerable to high-power jamming attacks. Due to crosstalk-induced interactions among different connections, malicious high-power signals can potentially spread widely in the network. To this end, it is necessary to plan an optical network in a way that the spread of an attack is minimized. In this work novel Integer Linear Programming (ILP) formulations are proposed that address the problem of Routing and Wavelength Assignment (RWA) with the objective to minimize the propagation of the introduced high-power malicious signals. The physical layer attack propagation is modeled as interactions among connections through in-band and out-of-band channel crosstalk. Additionally, Linear Programming (LP) relaxation techniques and heuristic algorithms are used to handle larger network instances. Performance results indicate that the proposed algorithms perform close to the traditional RWA algorithms in terms of total wavelength utilization of the network, while at the same time providing security against high-power jamming attacks by minimizing the total number of in-band and out-of-band lightpath interactions.