CN112351353B - Multi-domain optical network multi-point crosstalk attack detection and positioning method based on distributed PCE - Google Patents

Multi-domain optical network multi-point crosstalk attack detection and positioning method based on distributed PCE

Info

Publication number: CN112351353B
Authority: CN (China)
Prior art keywords: domain, attack, node, crosstalk, alarm
Legal status: Active
Application number: CN202011050749.9A
Other languages: Chinese (zh)
Other versions: CN112351353A (en)
Inventors: 吴启武, 刘雪玥, 姜灵芝, 姜姗
Current assignee: Engineering University of Chinese Peoples Armed Police Force
Original assignee: Engineering University of Chinese Peoples Armed Police Force
Events: application filed by Engineering University of Chinese Peoples Armed Police Force; priority to CN202011050749.9A; publication of CN112351353A; application granted; publication of CN112351353B; legal status active; anticipated expiration.

Classifications

    • H04Q11/0062 Network aspects (H04 Electric communication technique; H04Q Selecting; H04Q11/00 Selecting arrangements for multiplex systems; H04Q11/0001 Selecting arrangements for multiplex systems using optical switching)
    • H04L63/1416 Event detection, e.g. attack signature detection (H04L Transmission of digital information; H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/1441 Countermeasures against malicious traffic (H04L63/00; H04L63/14)
    • H04Q2011/0079 Operation or maintenance aspects (H04Q11/00; H04Q11/0001; H04Q11/0062)


Abstract

The invention belongs to the technical field of multi-domain optical networks and discloses a multi-domain optical network multi-point crosstalk attack detection and positioning method based on a distributed PCE. Through BER detection and comparison at the alarm nodes, the state information value S_nk of each attack light path at an alarm node is obtained, and an OALP set is obtained through attack discrimination, which eliminates interference alarms; then an MD-PLVM algorithm suited to multi-domain optical network attack positioning is applied to the OALP set to locate the multi-point high-power crosstalk attack sources, yielding the inter-domain links and the intra-domain links subjected to the crosstalk attack.

Description

Multi-domain optical network multi-point crosstalk attack detection and positioning method based on distributed PCE
Technical Field
The invention belongs to the technical field of multi-domain optical network multi-point crosstalk attack detection and positioning, and particularly relates to a multi-domain optical network multi-point crosstalk attack detection and positioning method based on a distributed PCE.
Background
In a large-scale, large-capacity and high-rate optical network, malicious users can easily perform high-power crosstalk attacks on intra-domain and inter-domain links by exploiting the transparent characteristic of optical transmission. A high-power crosstalk attack, which may occur at any time and at any position, causes an attack propagation effect in the network, can even paralyse the whole network, and brings unpredictable loss. Therefore, how to accurately detect and quickly locate high-power crosstalk attacks in a multi-domain optical network is an important research topic for ensuring network security and improving the survivability of the optical network.
Because each domain of a multi-domain optical network is managed by a different service provider, and internal information is not exchanged between domains, cross-domain crosstalk attack positioning is difficult. A multi-domain optical network architecture based on a distributed PCE can solve this problem well: the path computation structure and the communication mechanism of the PCE can support attack positioning on inter-domain links. At the same time the PCEs are required to be strictly synchronised, so that not only the network state of each domain (topology structure, resource information and the like) is known, but also the computed path set and the reserved resources are kept up to date in real time.
In a multi-domain optical network, a high-power crosstalk attack may cause LP attack propagation: once a link is subjected to a high-power crosstalk attack, not only are all LPs passing through it affected by the crosstalk attack, but the propagation of the attack may also cause a large number of SALPs and DALPs to appear in the network. Therefore, a single section of light path under crosstalk attack is likely to cause a large number of alarms in the optical network, and conventional network attack detection and positioning methods cannot locate the crosstalk attack source at all.
Disclosure of Invention
The invention aims to provide a multi-domain optical network multi-point crosstalk attack detection and positioning method based on a distributed PCE (path computation element), which is used for solving the problems of large workload and low positioning speed in an attack positioning stage caused by a large amount of alarms generated in an optical network due to attack propagation aiming at high-power crosstalk attack in the prior art.
In order to realize the task, the invention adopts the following technical scheme:
the multi-domain optical network multi-point crosstalk attack detection method based on the distributed PCE comprises the following steps:
step 1: collecting BER information of all attack light paths at each alarm node, wherein the BER information of the attack light paths comprises a detection BER value, a reference BER value and a threshold value of the attack light paths;
step 2: obtaining a state information set Z_n = {S_nk} of the attack light paths according to the BER information of all attack light paths at each alarm node;
Wherein,
Figure GDA0003647502200000021
Br_nk is the BER value detected for the kth attack light path of the nth alarm node, Bb_nk is the reference BER of the kth attack light path of the nth alarm node, Bt_nk is the threshold value of the kth attack light path of the nth alarm node, dBr_nk = |Br_nk - Bb_nk|, and Br_nk, Bb_nk and Bt_nk all take values in the interval (0, 1);
step 3: judging the attack light paths whose state information equals 2 at each alarm node to be original attack light paths, and collecting the original attack light paths at all alarm nodes as the original attack light path set.
A multi-domain optical network multi-point crosstalk attack detection and positioning method based on distributed PCE comprises the following steps:
step 1: taking a boundary node of each domain and a destination node of each light path in a multi-domain optical network as alarm nodes, acquiring BER information of all attack light paths at each alarm node, and obtaining an original attack light path set according to the multi-domain optical network multi-point crosstalk attack detection method based on the distributed PCE as claimed in claim 1;
obtaining a DN set and a BN set according to the fact that each original attack light path in the original attack light path set comprises a destination node DN of the original attack light path and a domain boundary node BN of the original attack light path;
step 2: the DN set and the BN set are made to send signaling, all crosstalk attack domains in the multi-domain optical network are obtained according to the receiving and sending signaling relation of the DN set and the BN set, and the method comprises the following substeps:
step 2.1: each DN in the DN set sends an intra-domain alarm signaling to the intra-domain PCE of the domain where the DN is located and to all nodes of that domain, wherein the intra-domain alarm signaling comprises the domain ID and node ID of the sending node and the IDs and lengths of all attacked light paths passing through the node;
the ingress of each BN in the BN set sends an inter-domain alarm signaling to the intra-domain PCE of the domain where the BN is located, all nodes in that domain, the PCE of the upstream domain and the BN of the upstream domain, and also sends monitoring signals to the upstream DN and the upstream BN, wherein the inter-domain alarm signaling comprises the domain ID and node ID of the sending node and the IDs and lengths of all attacked light paths passing through the node;
the egress of each BN in the BN set sends an inter-domain alarm signaling to the PCE in its domain, all nodes in its domain, the PCE in the downstream domain and the BN in the downstream domain, and also sends monitoring signals to the downstream DN and the downstream BN;
step 2.2: acquiring signaling received by a border node which does not belong to a BN set in the multi-domain optical network, if any border node which does not belong to the BN set receives an inter-domain alarm signaling containing a domain ID of the local domain, sending a control signaling to a downstream BN of any border node which does not belong to the BN set, wherein the control signaling contains a node ID of a sending node, and executing step 2.3; otherwise, executing step 2.3;
step 2.3: obtaining the number of DNs and BN in each domain and the signaling received by each BN in a BN set, judging according to a judgment criterion to obtain all crosstalk attack domains in the multi-domain optical network, wherein the judgment criterion comprises:
if the domain only contains DN and no BN, the domain is judged as a crosstalk attack domain;
if no BN in any domain receives the control signaling and all DNs and BN receive the monitoring signals, judging that no crosstalk attack exists in the domain; otherwise, the domain is determined as a crosstalk attack domain;
if any BN receives an inter-domain alarm signaling of a domain ID which is not the local domain, an inter-domain link formed by the BN and a signaling sending node is added into a crosstalk attack domain;
and step 3: judging the number relation of DN and BN in the crosstalk attack domain, if only DN is contained and BN is not contained, carrying out crosstalk attack positioning in the domain, and obtaining an intra-domain link subjected to crosstalk attack; otherwise, inter-domain crosstalk attack positioning is carried out, and inter-domain links subjected to crosstalk attack are obtained.
Further, the cross-talk attack positioning method in the step3 adopts an MD-PLVM algorithm.
Compared with the prior art, the invention has the following technical characteristics:
(1) The detection method of the invention uses BER detection and comparison of the ALPs at the OXC ports of the alarm nodes to obtain the state information value S_nk of each ALP, calculates this value from the relation between the measured value and the threshold value, discriminates and classifies the attack state of each ALP, and obtains an OALP set through attack discrimination, thereby eliminating interference alarms. The workload of the attack positioning stage is reduced and the positioning speed is improved.
(2) Aiming at the problem that the light path attack propagation is caused by high-power crosstalk attack, so that a large amount of alarms are generated in an optical network, the invention provides an algorithm MD-PLVM suitable for multi-point crosstalk attack positioning of a multi-domain optical network on the premise of a network architecture of a distributed PCE and an OALP set output by an attack detection module on the basis of a PLVM algorithm idea, and realizes the rapid positioning of multi-point crosstalk attack sources between domains and in domains. Finally, a simulation experiment verifies a multi-domain optical network multi-point crosstalk attack detection and positioning method (DP-CADL) based on the distributed PCE, and the experiment result proves that the DP-CADL scheme can accurately detect and quickly position the multi-point crosstalk attack of the multi-domain optical network and has higher positioning accuracy.
Drawings
FIG. 1 is a multi-domain optical network formed by the topology of the embodiment;
FIG. 2 is a schematic diagram of the structure of an OXC port optical path;
FIG. 3 is a graph showing a comparison of the detected BER of the respective ALPs in the embodiment;
FIG. 4 is a diagram of attack discrimination results in the embodiment;
FIG. 5 is a diagram illustrating attack positioning accuracy in an embodiment;
FIG. 6 shows the maximum attack localization delay for seven cases;
fig. 7 shows the average attack localization delay in seven cases.
Detailed Description
The technical terms appearing in the present invention are explained first:
multi-domain optical networks: in a multi-domain optical network, in order to enable normal communication and mutual cooperation among PCEs, a communication protocol, a standard interface and a message format need to be designed between each PCE and the network entities communicating with it. In the multi-domain optical network G = (V, L, W), V represents the set of nodes, including optical fibers, EDFAs, OXCs and the like; L represents the set of all links in the network, and a link in L can be represented by an ordered pair of elements of V; W represents the number of power accumulations from one node to another.
OALP (original attacked LP): the original attack light path, i.e. the light path on which the crosstalk attack source is located.
SALP (secondary attacked LP): the second-order attack light path, a light path affected by an OALP attack; although the attack power of a SALP suffers some loss, the SALP still has attack propagation capability.
DALP (destination attacked LP): the end-point attack light path, a light path affected by a SALP attack; because its attack power is severely attenuated, a DALP has no attack propagation capability.
OXC: optical cross-connect equipment; in the present invention an OXC is an alarm node.
OXC port optical path: FIG. 2 depicts the port light path definition of an OXC. LP_n denotes the set of light paths of all optical ports of the nth OXC, LPi_nk the kth input port of the nth OXC and LPo_nk the kth output port of the nth OXC; LPI_n = {LPi_n1, LPi_n2, ..., LPi_nm} is the set of input ports of the nth OXC, LPO_n = {LPo_n1, LPo_n2, ..., LPo_nm} is the set of output ports of the nth OXC, and LP_n = LPI_n ∪ LPO_n.
Parallel finite boundary vector matching algorithm (PLVM): a widely used and effective algorithm for locating multiple link attacks in an optical network, disclosed in Mazen Khair, Jun Zheng, Hussein T. Mouftah, "Distributed Multi-Failure Localization Protocol for All-Optical Networks", ONDM 2009.
In this embodiment, a multi-domain optical network multi-point crosstalk attack detection method based on a distributed PCE is disclosed, which includes the following steps:
step 1: collecting BER information of all attack light paths at each alarm node, wherein the BER information of the attack light paths comprises a detection BER value, a reference BER value and a threshold value of the attack light paths;
step 2: acquiring a state information set Z_n = {S_nk} of the attack light paths according to the BER information of all attack light paths at each alarm node;
Wherein,
Figure GDA0003647502200000061
Br_nk is the BER value detected for the kth attack light path of the nth alarm node, Bb_nk is the reference BER of the kth attack light path of the nth alarm node, Bt_nk is the threshold value of the kth attack light path of the nth alarm node, dBr_nk = |Br_nk - Bb_nk|, and Br_nk, Bb_nk and Bt_nk all take values in the interval (0, 1);
step 3: judging the attack light paths whose state information equals 2 at each alarm node to be original attack light paths, and collecting the original attack light paths at all alarm nodes as the original attack light path set.
Classifying the state information of the attack light paths: an ALP with S_nk = 0 is judged to be a DALP, an ALP with S_nk = 1 a SALP, and an ALP with S_nk = 2 an OALP; the set of light paths corresponding to OALP is taken as the original attack light path set, and the meaning of each state value is shown in Table 1:
TABLE 1 Meaning of the state values of attack light paths (ALP)
Figure GDA0003647502200000071
The embodiment also discloses a multi-domain optical network multi-point crosstalk attack detection and positioning method based on the distributed PCE, which comprises the following steps:
step 1: taking a boundary node of each domain and a destination node of each light path in a multi-domain optical network as alarm nodes, acquiring BER information of all attack light paths at each alarm node, and obtaining an original attack light path set according to the multi-domain optical network multi-point crosstalk attack detection method based on the distributed PCE;
obtaining a DN set and a BN set according to the fact that each original attack light path in the original attack light path set comprises a destination node DN of the original attack light path and a domain boundary node BN of the original attack light path;
step 2: the DN set and the BN set are made to send signaling, all crosstalk attack domains in the multi-domain optical network are obtained according to the receiving and sending signaling relation of the DN set and the BN set, and the method comprises the following substeps:
step 2.1: each DN in the DN set sends an intra-domain alarm signaling to an intra-domain PCE of a domain where the DN is located and all nodes of the domain where the DN is located, wherein the intra-domain alarm signaling comprises a domain ID (identity) and a node ID of a sending node and IDs and lengths of all attacked light paths passing through the node;
the ingress of each BN in the BN set sends an inter-domain alarm signaling to the intra-domain PCE of the domain where the BN is located, all nodes in that domain, the PCE of the upstream domain and the BN of the upstream domain, and also sends monitoring signals to the upstream DN and the upstream BN, wherein the inter-domain alarm signaling comprises the domain ID and node ID of the sending node and the IDs and lengths of all attacked light paths passing through the node;
the egress of each BN in the BN set sends an inter-domain alarm signaling to the PCE in its domain, all nodes in its domain, the PCE in the downstream domain and the BN in the downstream domain, and also sends monitoring signals to the downstream DN and the downstream BN;
step 2.2: acquiring signaling received by a border node which does not belong to the BN set in the multi-domain optical network, if any border node which does not belong to the BN set receives an inter-domain alarm signaling containing a domain ID of the domain, sending a control signaling to a downstream BN of any border node which does not belong to the BN set, wherein the control signaling contains a node ID of a sending node, and executing the step 2.3; otherwise, executing step 2.3;
step 2.3: acquiring the DN and the BN number in each domain and the signaling received by each BN in a BN set, and judging according to a judgment criterion to acquire all crosstalk attack domains in the multi-domain optical network, wherein the judgment criterion comprises the following steps:
if the domain only contains DN and no BN, the domain is judged as a crosstalk attack domain;
if no BN in any domain receives the control signaling and all DNs and BN receive the monitoring signals, judging that no crosstalk attack exists in the domain; otherwise, the domain is determined as a crosstalk attack domain;
if any BN receives an inter-domain alarm signaling of a domain ID which is not the local domain, an inter-domain link formed by the BN and a signaling sending node is added into a crosstalk attack domain;
and step 3: judging the quantity relation between DN and BN in the crosstalk attack domain, if only DN is contained and BN is not contained, then carrying out crosstalk attack location in the domain, and obtaining the intra-domain link attacked by crosstalk; otherwise, inter-domain crosstalk attack positioning is carried out, and inter-domain links subjected to crosstalk attack are obtained.
Specifically, the crosstalk attack positioning method in step3 adopts an MD-PLVM algorithm, and the parameters of the MD-PLVM algorithm are defined as table 2:
TABLE 2 MD-PLVM Algorithm parameter definition Table
Figure GDA0003647502200000081
Figure GDA0003647502200000091
Specifically, determining the crosstalk attack domains in step 2 through the MD-PLVM algorithm includes the following sub-steps:
step 2a: each DN contained in the OALP set starts a timer of duration 2d_l/v_0 and sends "INTRADA" to the PCE and all nodes in its domain;
step 2b: each ingress BN contained in the OALP set starts a timer of duration 2d/v_0, sends "INTERDA" to the PCE and all nodes in its domain, meanwhile sends "INTERDA" to the PCE and border nodes of the upstream domain, and sends "MS" to the downstream BN and DN;
step 2c: each egress BN contained in the OALP set starts a timer of duration 2d/v_0, sends "INTERDA" to the PCE and all nodes in its domain, meanwhile sends "INTERDA" to the PCE and border nodes of the downstream domain, and additionally sends "MS" to the downstream BN and DN;
step 2d: when a border node not belonging to the BN set receives an "INTERDA" carrying its own domain ID, it sends "GA" to the connected downstream border node;
step 2e: if a border node receives an "INTERDA" carrying a different domain ID, the inter-domain link formed by that node and the signaling sending node is judged to belong to a crosstalk attack domain;
step 2f: if a domain contains only DN and no BN, the domain is judged to be a crosstalk attack domain;
step 2g: if no egress border node in a domain receives "GA" and all DNs and egress BNs receive a correct "MS", it is judged that no crosstalk attack link exists in the domain; otherwise, the domain is judged to be a crosstalk attack domain.
Specifically, the inter-domain multi-point crosstalk attack positioning by the MD-PLVM algorithm in step 3 includes the following sub-steps:
step 3a: if a border node that does not belong to the BN set receives an "INTERDA" carrying a different domain ID, the inter-domain link formed by that node and the signaling sending node is judged to be attacked by crosstalk;
step 3b: if a BN receives an "INTERDA" carrying a different domain ID, it is checked whether at least one node of the pair of border nodes received a correct "MS" within 2d/v_0; if so, the inter-domain link formed by the pair of border nodes is judged not to be attacked by crosstalk, otherwise it is judged to be attacked by crosstalk.
Specifically, the intra-domain multi-point crosstalk attack positioning through the MD-PLVM algorithm in step 3 includes the following sub-steps:
step 4a: the DNs within the domain are defined as potential execution nodes PES; each PES sends "INTRADA" to all nodes within the domain, this "INTRADA" containing the ID of the PES and the lengths of all OALPs that reach it within the domain.
step 4b: when a PES receives "INTRADA", all OALPs directed to it are extracted and inserted into a list in descending order of their length. If two OALPs have the same length, the OALP with the smaller source node ID is inserted first, and if the source nodes are the same, the OALP whose next connected node has the smaller node ID is inserted first.
step 4c: each PES compares the first OALP in the list with the following OALPs in turn and stores the first two OALPs that have no common link into different execution path queues ERQ_i, i = 1, 2, 3, .... If the first OALP in the list has a common link with every other OALP in the list, the second OALP is compared with the other OALPs, and so on until two OALPs without a common link are found. If no two OALPs without a common link are found after all OALPs in the list have been compared, the attack is determined to be a single-point crosstalk attack, which can be positioned with the LVM protocol.
step 4d: when two separate OALPs are found, they are compared with the remaining OALPs in the list as follows:
step 4d.1: if a remaining OALP in the list has a common link with one of the two OALPs without a common link, it is added to the ERQ_i corresponding to that OALP.
step 4d.2: if a remaining OALP in the list has a common link with both OALPs without a common link, it is determined to provide no useful reference for attack positioning and is ignored.
step 4d.3: if a remaining OALP in the list has no common link with either of the two OALPs, it is added to a new ERQ_i. This situation indicates the discovery of a new attack, and the comparison then continues with the OALPs in the list.
step 4d.4: this process is repeated until all remaining light paths in the list have been compared.
step 4e: at this point all OALPs in the network have been stored in different ERQ_i according to the attack that affected them. Next, single-point attack positioning is performed on each ERQ_i; these positioning processes can run simultaneously, and the attack positioning of each ERQ_i specifically includes the following steps:
step 4e.1: the first OALP in ERQ_i is defined as the execution path ER, because its link length is the shortest, and the PES of this OALP is determined to be the execution node ES.
step 4e.2: the ES generates an attack-affected link vector ALV for the ER and determines a restricted area LA. This LA includes all nodes and links of the ER and its neighbours. The ES then broadcasts the ALV to all nodes within the LA.
step 4e.3: when a node in the LA receives the ALV, it matches the link vector LV of the light path it is on against the ALV and expresses the matching result as a binary vector BV. For an OALP, if a link is common to LV and ALV, the corresponding bit in BV is set to 1, otherwise to 0, and the OALP status is set to 0; for a normal LP, if a link of its LV is common with the ALV, the corresponding bit in BV is set to 0, otherwise to 1, and the LP status is set to 1.
step 4f: if the acquired BV and the ER have no common link, the corresponding destination node does not send the binary vector to the ES; otherwise the corresponding destination node sends the BV to the ES.
step 4g: each ES performs a logical AND over all BVs received within the LA. If the number of "1" bits in the result is 1, the crosstalk attack has been accurately located; the ES transmits the information of the attacked link to the PCE of its domain, and that PCE broadcasts an ATTACK_LOCATION message to the PCEs of all domains adjacent to its own. Otherwise, the ES expands the LA range, i.e. the neighbours of the nodes adjacent to the ALV are added to the LA, and positioning is performed again.
Specifically, if the OALP on which the attacked link in a domain lies passes through that domain and is transmitted to other domains, the BNs at both ends of the inter-domain link may raise alarms; in that case multi-point crosstalk attack positioning of cross-domain OALPs is performed: the DNs in the domain, the egress BNs that did not receive a correct "MS" within 2d/v_0 and the egress border nodes that received "GA" in time are all defined as potential execution nodes PES, and then steps 4a to 4g of the intra-domain multi-point crosstalk attack positioning are executed to locate the crosstalk attack.
Example 1
As shown in FIG. 1, a multi-domain optical network with 34 nodes and 62 links under a distributed PCE is used; for convenience of analysis, it is assumed that the multi-domain optical network establishes a small number of light paths LP. Assume that 11 light paths are established in the network: LP1 = {3-6-11-34-25}, LP2 = {5-6-12-13}, LP3 = {16-15-21}, LP4 = {16-17-18-19-23}, LP5 = {17-18-19-32}, LP6 = {17-22-24-21-15}, LP7 = {18-19-24-20}, LP8 = {23-18-19-24-20-15}, LP9 = {23-19-24-21}, LP10 = {29-26-27-31} and LP11 = {30-25-26-33}.
Suppose that two links in the multi-domain optical network suffer a high-power crosstalk attack, namely the inter-domain link {11-34} between D1 and D3 and the intra-domain link {18-19} of D2. The high-power crosstalk attack directly affects LP1, LP4, LP5, LP7 and LP8. These five light paths are the light paths on which the high-power crosstalk attack sources lie, i.e. the OALPs. If these were ordinary link failures, the two attacks would only cause the destination nodes and the traversed border nodes of the five light paths to raise alarms; but because a high-power crosstalk attack has the characteristic of light path attack propagation, during the attack propagation of the five OALPs, LP6, LP9 and LP11 are influenced by the propagation and become SALPs, which still have attack propagation capability, and these three SALPs in turn attack LP3 and LP10, which become DALPs. That is, ten light paths in the whole network are affected by the high-power crosstalk attack, and both their destination nodes and the border nodes they pass through will raise alarms.
Because the inter-domain link {11-34} between D1 and D3 and the intra-domain link {18-19} of D2 are attacked by high-power crosstalk, alarms are raised by n15, n19, n20, n21, n23, n25, n31, n32, n33 and n34 in the network, and at this point interference alarms exist among all the alarms. The PCE in each domain collects the alarm information of its domain, summarises the light paths ALP affected by the attack that have an alarm point as destination node, and finds the IDs of these ALPs and the OXC ports corresponding to the alarm points. BER detection is performed on the ALPs at these ports, dBr_nk of each ALP is calculated according to equation (5-1) and compared with the corresponding Bt_nk, and the state information value S_nk of each ALP is then obtained according to the different relations in equation (5-2), as shown in Table 3. Then, according to the different S_nk, attack discrimination and classification are carried out on all ALPs, the interference alarm nodes n21, n31 and n33 are eliminated, and finally the OALP set is obtained; the judgment result is shown in Table 4. Through the analysis of these steps, the attack detection module based on ALP state discrimination can solve the problem of a large number of interference alarms in a multi-domain optical network and output a final OALP set to the crosstalk attack positioning module.
TABLE 3 State information values S_nk of the ALPs
ID     S_nk
LP1    2
LP3    0
LP4    2
LP5    2
LP6    1
LP7    2
LP8    2
LP9    1
LP10   0
LP11   1
TABLE 4 ALP state discrimination results
Attack state   Attack light path IDs
OALP           LP1, LP4, LP5, LP7, LP8
SALP           LP6, LP9, LP11
DALP           LP3, LP10
Example 2
According to the crosstalk attack detection module of Example 1, the output is OALP = {LP1, LP4, LP5, LP7, LP8}, DN = {n15, n20, n23, n25, n32} and BN = {n19, n32, n34}. First, the high-power crosstalk attack domain is determined: steps 1-7 for determining the crosstalk attack domain in the MD-PLVM algorithm are executed, it is found that the exit boundary node of D2 does not receive "GA" and that the DN and exit BN in the domain do not receive the correct "MS", and D2 is therefore judged to be the crosstalk attack domain.
Then inter-domain high-power crosstalk attack localization is performed. It is found that n11, which does not belong to the BN set, receives "INTERDA" from a domain with a different ID, namely D3, so the inter-domain link {11-34} formed between n11 and the signaling sending node n34 is judged to be a high-power crosstalk attack source. It is also found that n32, which belongs to the BN set, receives "INTERDA" from a domain with a different ID, D2; further analysis shows that n32 receives the correct "MS" within 2d/v_0, so the inter-domain link {19-32} is determined not to be a high-power crosstalk attack source.
Next, crosstalk attack localization is performed on the OALPs in D2. It is found that D2 contains not only DN but also BN, so D2 contains cross-domain OALPs, and n15, n19, n20 and n23 are all defined as PES. The steps for intra-domain OALP crosstalk attack localization in the MD-PLVM algorithm are then performed; when Step 3 is executed, all OALPs in the list have been compared and still no OALPs without a common link are found, so it is determined that there is only one high-power crosstalk attack in domain D2, and the ERQi single-point attack localization of Step 5 is performed directly:
The shortest light path, LP7, is defined as the execution path ER, and n20 is determined as the execution node ES, which generates one ALV and transmits it to each node in the LA. The ALV is shown in Table 5:
TABLE 5 ALV generated by ES n20 (table content available only as an image)
When n21 receives the ALV sent by ES, it matches the link vectors LV of the light paths LP3 and LP9 on which it lies against the ALV; although LP3 and LP9 do not belong to the OALP set, they lie in the LA of LP7, so n21 responds to ES. The LV of n21 is shown in Table 6:
TABLE 6 LV of n21 (table content available only as an image)
According to the matching rule of step 4e.3 of the MD-PLVM algorithm, for a normal LP not belonging to the OALP set, if its LV and the ALV have a common link, the corresponding binary bit in the BV is set to 0, otherwise to 1, and the LP status is set to 1. n21 then transmits the LP states and the generated BVs to ES; the BVs and LP states after matching are shown in Table 7:
TABLE 7 BVs and LP states of n21 after matching (table content available only as an image)
When ES receives the matching result of n21, it determines that the link {19-24} is not a high-power crosstalk attack source. When n15 receives the ALV sent by ES, it matches the link vectors LV of the light paths LP6 and LP8 on which it lies against the ALV; the LV of n15 is shown in Table 8:
TABLE 8 LV of n15 (table content available only as an image)
According to the matching rule of MD-PLVM algorithm step 4e.3, for an OALP, if its LV and the ALV have a common link, the corresponding binary bit in the BV is set to 1, otherwise to 0, and the OALP status is set to 0. n15 then transmits the LP states and the generated BVs to ES; the BVs and LP states after matching are shown in Table 9:
TABLE 9 BVs and LP states of n15 after matching (table content available only as an image)
ES performs a logical AND over all BVs received within the LA range; if the result contains no 1, the LA range is expanded by adding the neighbor nodes of the nodes adjacent to the ALV. When n23 receives the ALV sent by ES, it matches the link vector LV of the light path LP4 on which it lies against the ALV; the LV of n23 is shown in Table 10:
TABLE 10 LV of n23 (table content available only as an image)
Matching is performed according to the matching rule of MD-PLVM algorithm step 4e.3, and n23 then transmits the LP state and the generated BV to ES; the BV and LP state after matching are shown in Table 11:
TABLE 11 BV and LP state of n23 after matching (table content available only as an image)
At this point, ES can determine from the BV transmitted by n23 that the link {18-19} is a high-power crosstalk attack source, and transmits this information to the PCE of D2; the PCE broadcasts an ATTACK_LOCATION message to the PCEs of D1 and D3, and the crosstalk attack localization ends.
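The link-vector matching rule of step 4e.3 and the logical AND that ES runs over the returned BVs, as an added example that is not part of the patent's own code. The lightpath routes (node sequences) below are constructed so that the walkthrough reproduces the outcome described above (link {19-24} excluded by n21's response, link {18-19} confirmed by n23's); they are hypothetical, since the patent shows its link vectors only as table images.

```python
from typing import FrozenSet, List, Tuple

Link = FrozenSet[int]  # undirected link {a-b}; a frozenset makes {18-19} == {19-18}


def link(a: int, b: int) -> Link:
    return frozenset((a, b))


def path_links(nodes: List[int]) -> List[Link]:
    """Link vector (LV) of a lightpath from the OXC nodes it traverses in order."""
    return [link(a, b) for a, b in zip(nodes, nodes[1:])]


def bit_vector(alv: List[Link], lv: List[Link], is_oalp: bool) -> List[int]:
    """Matching rule of MD-PLVM step 4e.3: one bit per link of the ALV.

    OALP response:      shared link -> 1 (still a candidate), other link -> 0.
    normal LP response: shared link -> 0 (an unattacked LP traverses it), other -> 1.
    """
    shared = set(lv)
    if is_oalp:
        return [1 if lk in shared else 0 for lk in alv]
    return [0 if lk in shared else 1 for lk in alv]


def es_locate(alv: List[Link], responses: List[Tuple[str, List[Link], bool]]
              ) -> List[Tuple[str, List[Link]]]:
    """ES side: AND every received BV into the running result and record, after
    each response, the ALV links that still carry a 1 (remaining candidates)."""
    result = [1] * len(alv)
    history = []
    for node, lv, is_oalp in responses:
        bv = bit_vector(alv, lv, is_oalp)
        result = [r & b for r, b in zip(result, bv)]
        history.append((node, [alv[i] for i, b in enumerate(result) if b]))
    return history


# Constructed routes (hypothetical): only the LP IDs, node IDs and the two
# link outcomes are taken from the example above.
OALP_SET = {"LP1", "LP4", "LP5", "LP7", "LP8"}      # output of the detection module
ROUTES = {
    "LP7": [18, 19, 24, 20],          # execution path ER, ES = n20
    "LP3": [22, 19, 24, 21],          # normal LP at n21, shares {19-24} with ER
    "LP9": [26, 24, 21],              # normal LP at n21, shares nothing with ER
    "LP8": [17, 18, 19, 24, 20, 15],  # OALP at n15, shares every ER link
    "LP6": [16, 19, 15],              # normal LP at n15, shares nothing with ER
    "LP4": [13, 18, 19, 23],          # OALP at n23, shares only {18-19}
}
# Order in which the LA nodes answer the ALV in the walkthrough: n20, n21, n15, n23.
RESPONSE_ORDER = [("n20", "LP7"), ("n21", "LP3"), ("n21", "LP9"),
                  ("n15", "LP8"), ("n15", "LP6"), ("n23", "LP4")]


def run_example() -> List[Tuple[str, List[Link]]]:
    """Candidate attack-source links remaining after each node's response."""
    alv = path_links(ROUTES["LP7"])
    responses = [(node, path_links(ROUTES[lp]), lp in OALP_SET)
                 for node, lp in RESPONSE_ORDER]
    return es_locate(alv, responses)


if __name__ == "__main__":
    for node, candidates in run_example():
        print(node, ["{%d-%d}" % (min(lk), max(lk)) for lk in candidates])
```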
Through the above analysis, the high-power crosstalk attack sources of the multi-domain optical network are located at the links {11-34} and {18-19}. Therefore, the MD-PLVM crosstalk attack positioning algorithm achieves the aim of accurately positioning the multi-point crosstalk attack sources in a multi-domain optical network.
Example 3
In the embodiment, a VPI optical network simulation platform and Matlab simulation software are combined to verify the reliability and effectiveness of a multi-domain optical network multi-point crosstalk attack detection and positioning method (DP-CADL) based on distributed PCE.
(1) DP-CADL multipoint crosstalk attack detection capability
After the high-power crosstalk attack signal is injected, the destination nodes and boundary nodes of the multiple optical paths connected to the monitoring module generate alarms. The IDs of the OXCs at the alarms are counted, and the damaged LPs on the ports of these OXCs are looked up to obtain the OXCs that need BER detection and that are destination nodes of damaged LPs, namely OXC15, OXC20, OXC21, OXC23, OXC25, OXC31, OXC32 and OXC33. The actual BER measurements of all damaged LPs after port detection are shown in fig. 3.
As can be seen in fig. 3, the BER of LP1, LP4, LP5, LP7, and LP8 are all in a higher range, where the BER of LP4 is the highest, indicating that LP4 must belong to OALP; the BER of LP3 and LP10 are both at a lower level, with the lowest BER of LP10, but they are both less than 1E-9 and already have no attack propagation capability, so LP3 and LP10 must belong to DALP.
The actual detected BER is compared with the reference BER corresponding to the different ports of the different OXCs, the state information value S_nk is output according to the comparison, attack discrimination classification is performed on the ALPs, and the final attack discrimination of the ALPs is shown in fig. 4. It can be concluded that the finally obtained OALP set contains LP1, LP4, LP5, LP7 and LP8, and that the excluded interference alarms are LP3, LP6, LP9, LP10 and LP11, consistent with the results of the example analysis in 5.3.3. The test result shows that DP-CADL has good attack detection capability, can accurately eliminate interference alarms in a multi-domain optical network, and has high reliability.
(2) DP-CADL multipoint crosstalk attack positioning capability
In this chapter, the multi-point crosstalk attack problem of the multi-domain optical network is divided into seven different attack situations a to G for analysis and discussion of a simulation experiment, and the seven attack situations are shown in table 12.
TABLE 12 Attack situations A to G
Attack code   Attack content
A             Only inter-domain multi-point crosstalk attacks exist
B             Multi-point crosstalk attack with only intra-domain OALPs
C             Multi-point crosstalk attack with only cross-domain OALPs
D             Multi-point crosstalk attack with simultaneous inter-domain and intra-domain OALPs
E             Multi-point crosstalk attack with simultaneous inter-domain and cross-domain OALPs
F             Multi-point crosstalk attack with simultaneous intra-domain OALPs and cross-domain OALPs
G             Multi-point crosstalk attack with simultaneous inter-domain, intra-domain OALPs and cross-domain OALPs
Setting different numbers of LP requests, observing the change of the DP-CADL attack positioning accuracy, and simultaneously analyzing the change of the DP-CADL maximum attack positioning time delay and the average attack positioning time delay under different attack conditions of A-G.
Fig. 5 shows the accuracy of attack localization under different numbers of LP requests, and it can be seen that the accuracy of attack localization is lower when the number of LP requests is smaller, but the accuracy of attack localization rapidly increases and grows significantly as the number of LP requests increases. The reason is that with the increase of the number of LP requests, the effective LPs which can participate in LA range positioning and matching in the multi-domain optical network become more, so that the attack positioning becomes easier, and the accuracy of the attack positioning is improved. However, when the number of LP requests increases to a certain value, the effective LP number no longer changes significantly, i.e., more LPs are no longer useful for locating the attack link, and therefore, the accuracy of attack location tends to be stable.
Fig. 6 and fig. 7 show the maximum attack positioning time delay Tm and the average attack positioning time delay Ta, respectively, with increasing numbers of LP requests in the different attack situations A to G. As can be seen, as the number of LP requests increases, Tm and Ta also increase, because a larger number of LP requests enlarges the OALP set output by the attack detection module, which increases the time required for the ERQi partitioning phase over all OALPs and thus the total positioning delay of the multi-domain optical network. It is observed that Tm and Ta are significantly larger in situation C than in situation B, because in the localization of a multi-point crosstalk attack on cross-domain OALPs the nodes defined as PES include, in addition to the DN, the egress BN that does not receive the correct "MS" within 2d/v_0 and the egress border node that does not receive "GA" in time, and the larger number of PES nodes increases the total positioning delay. We also find that Tm and Ta are smaller in situation F than in situation C, which indicates that the presence of intra-domain OALPs helps to locate a multi-point crosstalk attack on cross-domain OALPs.
In the simulation experiment on attack situation A, the maximum attack positioning time delay Tm is 1.031e-4 s and the average attack positioning time delay Ta is 6.9782e-5 s. Therefore, the DP-CADL scheme can quickly position inter-domain multi-point crosstalk attacks in a multi-domain optical network. As can be seen from fig. 5, when the number of LP requests reaches 400, the attack localization accuracy of the multi-domain optical network is close to 1, and the maximum attack localization delay is far below the attack localization time of 40 ms required by OSPF. Therefore, the DP-CADL scheme can also quickly position intra-domain multi-point crosstalk attacks in a multi-domain optical network.
In summary, the DP-CADL scheme can quickly locate the inter-domain and intra-domain multi-point crosstalk attacks of the multi-domain optical network, and has higher location accuracy.

Claims (3)

1. The multi-domain optical network multi-point crosstalk attack detection method based on the distributed PCE is characterized by comprising the following steps of:
step 1: acquiring BER information of all attack light paths at each alarm node, wherein the BER information of the attack light paths comprises detection BER values, reference BER values and threshold values of the attack light paths;
step 2: obtaining a state information set Z_n = {S_nk} of the attack light paths according to the BER information of all attack light paths at each alarm node;
wherein S_nk is given by the formula of the claim (available only as an image), and
Br_nk is the detected BER value of the kth attack light path at the nth alarm node, Bb_nk is the reference BER of the kth attack light path at the nth alarm node, Bt_nk is the threshold value of the kth attack light path at the nth alarm node, dBr_nk = |Br_nk - Bb_nk|, and the value ranges of Br_nk, Bb_nk and Bt_nk are (0, 1);
step 3: judging the attack light path with state information value 2 at each alarm node as an original attack light path, and collecting the original attack light paths at all alarm nodes as the original attack light path set.
2. The multi-domain optical network multi-point crosstalk attack detection and positioning method based on the distributed PCE is characterized by comprising the following steps of:
step 1: taking a boundary node of each domain and a destination node of each optical path in a multi-domain optical network as alarm nodes, acquiring BER information of all attack optical paths at each alarm node, and obtaining an original attack optical path set according to the multi-domain optical network multi-point crosstalk attack detection method based on the distributed PCE as claimed in claim 1;
obtaining a DN set and a BN set according to the fact that each original attack light path in the original attack light path set comprises a destination node DN of the original attack light path and a domain boundary node BN of the original attack light path;
step 2: making the DN set and the BN set send signaling, and obtaining all crosstalk attack domains in the multi-domain optical network according to the signaling sending and receiving relations of the DN set and the BN set, comprising the following substeps:
step 2.1: each DN in the DN set sends an intra-domain alarm signaling to an intra-domain PCE of a domain where the DN set is located and all nodes of the domain where the DN set is located, wherein the intra-domain alarm signaling comprises a domain ID (identity) and a node ID of a sending node and IDs and lengths of all attacked light paths passing through the node;
an inlet of each BN in the BN set sends an inter-domain alarm signaling to an intra-domain PCE of a domain where the BN set is located, all nodes in the domain, a PCE of an upstream domain and a BN of an upstream domain, and also sends monitoring signals to an upstream DN and the upstream BN, wherein the inter-domain alarm signaling comprises a domain ID of a sending node, a node ID and IDs and lengths of all attacked light paths passing through the node;
the outlet of each BN in the BN set sends an inter-domain alarm signaling to a PCE in the domain, all nodes in the domain, a PCE in a downstream domain and a BN in the downstream domain, and also sends monitoring signals to a downstream DN and the downstream BN;
step 2.2: acquiring signaling received by a border node which does not belong to the BN set in the multi-domain optical network, if any border node which does not belong to the BN set receives an inter-domain alarm signaling containing a domain ID of the domain, sending a control signaling to a downstream BN of any border node which does not belong to the BN set, wherein the control signaling contains a node ID of a sending node, and executing the step 2.3; otherwise, executing step 2.3;
step 2.3: acquiring the DN and the BN number in each domain and the signaling received by each BN in a BN set, and judging according to a judgment criterion to acquire all crosstalk attack domains in the multi-domain optical network, wherein the judgment criterion comprises the following steps:
if the domain only contains DN and no BN, the domain is judged as a crosstalk attack domain;
if no BN in any domain receives the control signaling and all DNs and BN receive the monitoring signals, judging that no crosstalk attack exists in the domain; otherwise, the domain is determined as a crosstalk attack domain;
if any BN receives an inter-domain alarm signaling of a domain ID which is not the local domain, an inter-domain link formed by the BN and a signaling sending node is added into a crosstalk attack domain;
and step 3: judging the quantity relation between DN and BN in the crosstalk attack domain, if only DN is contained and BN is not contained, then carrying out crosstalk attack location in the domain, and obtaining the intra-domain link attacked by crosstalk; otherwise, inter-domain crosstalk attack positioning is carried out, and inter-domain links under crosstalk attack are obtained.
3. The multi-domain optical network multi-point crosstalk attack detection and location method based on the distributed PCE of claim 2, wherein the crosstalk attack location in step 3 employs the MD-PLVM algorithm.
CN202011050749.9A 2020-09-29 2020-09-29 Multi-domain optical network multi-point crosstalk attack detection and positioning method based on distributed PCE Active CN112351353B (en)
Publications (2)

Publication Number Publication Date
CN112351353A CN112351353A (en) 2021-02-09
CN112351353B true CN112351353B (en) 2022-09-06