CN112351354A - Method for selecting monitoring node and monitoring and positioning multi-point crosstalk attack of multi-domain optical network - Google Patents

Publication number: CN112351354A
Application number: CN202011055805.8A
Authority: CN (China)
Legal status: Granted; Active
Other languages: Chinese (zh)
Other versions: CN112351354B (en)
Inventors: 吴启武, 刘雪玥, 姜姗, 姜灵芝
Current Assignee: Engineering University of Chinese Peoples Armed Police Force
Original Assignee: Engineering University of Chinese Peoples Armed Police Force
Prior art keywords: node, nodes, monitoring, attack, array

Classifications

    • H04Q11/0062 Selecting arrangements for multiplex systems using optical switching: Network aspects
    • H04L63/1416 Network security, detecting malicious traffic by monitoring network traffic: Event detection, e.g. attack signature detection
    • H04L63/1441 Network security: Countermeasures against malicious traffic
    • H04Q2011/0079 Network aspects: Operation or maintenance aspects
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention belongs to the technical field of multi-domain optical networks, and discloses a method for selecting monitoring nodes and for monitoring and locating multi-point crosstalk attacks in a multi-domain optical network. The invention describes the influence of each node in the network using different characteristic attributes of the nodes, obtains a monitoring node set that meets the required monitoring density through a two-round selection mechanism, and places monitoring devices on the most influential nodes in the network as far as possible, so that crosstalk attacks are monitored in real time and crosstalk attack source nodes are accurately located.

Description

Method for selecting monitoring node and monitoring and positioning multi-point crosstalk attack of multi-domain optical network
Technical Field
The invention belongs to the technical field of multi-domain optical networks, and particularly relates to a method for selecting monitoring nodes and for monitoring and locating multi-point crosstalk attacks in a multi-domain optical network.
Background
With the rapid development of optical transmission technology, optical networks carry multi-service, high-capacity, high-rate information transmission. Their flexibility and scalability meet users' continuously growing transmission requirements, but their transparency also brings risks and challenges to optical network security. How to effectively monitor and accurately locate multi-point crosstalk attacks in a multi-domain optical network is therefore an important problem that urgently needs to be solved.
At present, effective monitoring and accurate localization of crosstalk attacks in multi-domain optical networks remain challenging. Document [1] (Li Wei, Wang Fang, Zhao. All-optical network attack detection and location [J]. Modern Electronic Technology, 2008, 31(15): 18-20.) proposes a parameter-comparison method using comprehensive monitoring devices, but the method has low monitoring efficiency, affects signal power, and cannot accurately locate the crosstalk attack. To speed up attack monitoring and make it effective, document [2] (Wangxiang. Distributed network abnormal attack detection model simulation analysis [J]. Computer Measurement and Control, 2016, 24(10): 61-63.) proposes a distributed monitoring method for abnormal network attacks, but the method is not suitable for the multi-domain optical network environment. To locate multiple attack types and improve localization accuracy, document [3] (Wangqun, good. Research on the optical network fault positioning algorithm based on the binary tree [J]. The University of Guilin Electronic Technology, 2008, 28(4): 273-276.) proposes an optical network fault localization algorithm based on a binary tree, but the method is only suitable for a single domain and has high algorithmic complexity. Document [4] (Wu T, Somani A K. Necessary and sufficient condition for k crosstalk attacks localization in all-optical networks [C]. Global Telecommunications Conference, 2003, 5: 2541-2546.) proposes effective routing strategies and routing algorithms for the accurate localization of multi-domain optical network crosstalk attacks, but they are only suitable for single-point attacks. In document [5] (Yan H, Wang R Y, Mao Q J, et al. A fast multi-fault localization mechanism for multi-domain all-optical networks [C]. International Conference on Advanced Computer and Engineering, 2010: 158-. Document [6] (Li Fang. Multi-domain optical network crosstalk attack detection and intrusion-tolerant technical research [D]. Shanxi: Armed Police Engineering University, 2018.) provides, for real-time monitoring, a multi-domain optical network crosstalk attack monitoring and localization method based on gray theory, but its monitoring model relies only on an OSA device for visual judgment, so the accuracy of crosstalk attack monitoring and localization is not ideal.
In summary, current research on monitoring and locating optical network crosstalk attacks is not yet mature. Most of it targets a single-domain environment or single-point attacks, and a monitoring and localization method for multi-domain, multi-point crosstalk attacks is lacking.
Disclosure of Invention
The invention aims to provide a method for selecting monitoring nodes and for monitoring and locating multi-point crosstalk attacks in a multi-domain optical network, addressing the lack of a monitoring and localization method for multi-domain, multi-point crosstalk attacks in the prior art.
To accomplish this task, the invention adopts the following technical scheme:
A method for selecting monitoring nodes for multi-point crosstalk attacks in a multi-domain optical network, used to obtain the placement of monitoring nodes in the multi-domain optical network, comprises the following steps:
Step 1: acquire the source nodes and the destination nodes of the crosstalk attack, and obtain the propagation path set U of the crosstalk attack from the links between all source nodes and destination nodes, wherein each link comprises a plurality of intermediate nodes;
Step 2: number all intermediate nodes in the path set U; create an array Z1 and set it to empty; calculate the NAP value of each intermediate node, sort all intermediate nodes by NAP value in descending order, and store their numbers in Z1 in that order, obtaining the array Z1 of length n, where n is the total number of intermediate nodes in the path set U;
Step 3: create an array Z2 and set it to empty; extract the numbers of the first x intermediate nodes in Z1 and store them in Z2, where y < x < n and y is the total number of monitoring nodes, obtaining the array Z2 of length x;
Step 4: create an array Z3 and set it to empty; calculate the clustering coefficient of each intermediate node in Z2, sort the intermediate nodes of Z2 by clustering coefficient in ascending order, and store their numbers in Z3 in that order, obtaining the array Z3 of length x;
Step 5: extract the first y intermediate nodes of Z3 as monitoring nodes, obtaining the monitoring node set.
Further, in Step 2, the NAP value of an intermediate node is calculated according to Formula I:
Figure RE-GDA0002813080900000031
where θ represents the likelihood that the intermediate node v itself is attacked, with a value between 0 and 1; N represents the total number of nodes in the upstream neighbor node set of the intermediate node v; $v_i$ represents the i-th node in the upstream neighbor node set of v; and P represents the attack propagation probability of the downstream neighbor nodes of the intermediate node v.
A method for monitoring and locating multi-point crosstalk attacks in a multi-domain optical network, based on the selected monitoring nodes, comprises the following steps:
Step a: obtain a monitoring node set using the monitoring node selection method for multi-point crosstalk attacks in a multi-domain optical network according to any one of claims 1 to 2; place a monitoring device at each node of the monitoring node set; perform crosstalk attack detection on the multi-domain optical network; and obtain the crosstalk attack detection result output by each monitoring device for its node, the detection result comprising an alarm state and a security state;
Step b: if the alarm state of any node is "alarm", take that node as the alarm node and execute step c; otherwise, the network is not currently under crosstalk attack;
Step c: if the alarm node has no upstream node, the alarm node is an attack source node; otherwise, detect the security state of the upstream node of the alarm node;
Step d: if the security state of the upstream node is "attacked by crosstalk", take the upstream node as the alarm node and return to step d;
if the security state of the upstream node is "not attacked by crosstalk", the alarm node is an attack source node.
Further, the monitoring devices are an eye diagram monitor and a BER monitor.
Compared with the prior art, the invention has the following technical characteristics:
(1) The invention describes the influence of each node in the network using different characteristic attributes of the nodes, obtains a monitoring node set that meets the required monitoring density through a two-round selection mechanism, and places monitoring devices on the most influential nodes in the network as far as possible, so that crosstalk attacks are monitored in real time and crosstalk attack source nodes are accurately located.
(2) Through its monitoring placement selection method, the invention achieves efficient, real-time detection of multi-domain optical network crosstalk attacks with a limited number of detection devices.
(3) The invention uses a distributed localization method to locate multi-domain optical network crosstalk attacks. A general distributed localization algorithm uses the communication information of local upstream and downstream nodes, and has to consider the different alarm parameter values of the upstream and downstream nodes repeatedly. In a multi-domain optical network, a crosstalk attack propagates from the source attack node to downstream nodes over links, and a high-power crosstalk attack loses power as it propagates: after crossing three nodes the attack effect is no longer obvious, so it cannot propagate indefinitely. To locate the crosstalk attack source node, the crosstalk attack is detected in real time, the alarm information of each channel is collected, and, combined with these propagation characteristics of crosstalk attacks in multi-domain optical networks, an attack parameter analysis method that considers consecutive upstream nodes is used to locate the crosstalk attack source node.
Brief Description of the Drawings
FIG. 1 is a flow chart of locating a crosstalk attack source node according to the invention;
FIG. 2 is a schematic diagram of the joint monitoring device for crosstalk attacks according to the invention;
FIG. 3 is the NSF network topology based on a hierarchical PCE architecture in an embodiment;
FIG. 4 is a schematic diagram of locating crosstalk attack source nodes in an embodiment;
FIG. 5 is a graph comparing the accuracy of the three detection and localization methods in the embodiments.
Reference labels in the figures: Tx1~Tx6 are the input user signals; OXC1~OXC7 are the main attack nodes of the high-power crosstalk attack; F1~F6 and EDFA1~EDFA3 are the secondary attack nodes; M1~M6 are the monitoring nodes.
Detailed Description
Multi-domain optical network: in a multi-domain optical network, for PCEs to communicate normally and cooperate with each other, a communication protocol, a standard interface and a message format need to be designed between a PCE and the network entities that communicate with it. In the multi-domain optical network G = (V, L, W), V represents the set of nodes, including optical fibers, EDFAs, OXCs and the like; L represents the set of all links in the network, where a link l can be represented by an ordered pair of elements of V; W represents the number of power accumulations from one node to another. The source node of a crosstalk attack is q, the destination node is p, and the monitoring point set is M. The multi-domain optical network is assumed to have a stable node set and a stable link set, to which large numbers of nodes and links are not added suddenly.
Intermediate node: all nodes on a link except the source node and the destination node are intermediate nodes.
Monitoring node: a node at which a monitoring device is placed is called a monitoring node; a node without one is called a non-monitoring node.
Neighbor node: the nodes within the area covered by the communication radius centered on a node, that is, all nodes that can communicate directly with that node, are called its neighbor nodes. An upstream neighbor node is a parent node of the node, and a downstream neighbor node is a child node of the node.
Monitoring device: a device placed at a monitoring node and used to collect crosstalk attack data and analyze it to obtain a crosstalk attack detection result.
BER monitor: BER (Bit Error Rate). The BER of the monitored signal is calculated using an analytical-expression method; common calculation methods include numerical methods and the Monte Carlo method.
High-power crosstalk attack source: the average optical power of the attack signal is much larger than that of the user signal; when it is 20 dB larger than the user signal, it may cause a crosstalk attack and propagate the attack.
Downstream neighbor node set DNS (Downstream Neighbor Set): in the propagation of a high-power crosstalk attack, the set of nodes that may be attacked by node v through propagation over multiple links is called the downstream neighbor set DNS of node v, expressed as: $\mathrm{DNS}(v) = \{v_i \mid v \to v_i\},\ v, v_i \in V$.
Upstream neighbor node set UNS (Upstream Neighbor Set): in the propagation of a high-power crosstalk attack, the set of nodes that may propagate to node v and accumulate attack power there is called the upstream neighbor set UNS of node v, expressed as: $\mathrm{UNS}(v) = \{v_i \mid v_i \to v\},\ v, v_i \in V$.
This embodiment discloses a method for selecting monitoring nodes for multi-point crosstalk attacks in a multi-domain optical network, used to obtain the placement of monitoring nodes in the multi-domain optical network and comprising the following steps:
Step 1: acquire the source nodes and the destination nodes of the crosstalk attack, and obtain the propagation path set U of the crosstalk attack from the links between all source nodes and destination nodes, wherein each link comprises a plurality of intermediate nodes;
Step 2: number all intermediate nodes in the path set U; create an array Z1 and set it to empty; calculate the NAP value of each intermediate node, sort all intermediate nodes by NAP value in descending order, and store their numbers in Z1 in that order, obtaining the array Z1 of length n, where n is the total number of intermediate nodes in the path set U;
Step 3: create an array Z2 and set it to empty; extract the numbers of the first x intermediate nodes in Z1 and store them in Z2, where y < x < n and y is the total number of monitoring nodes, obtaining the array Z2 of length x;
Step 4: create an array Z3 and set it to empty; calculate the clustering coefficient of each intermediate node in Z2, sort the intermediate nodes of Z2 by clustering coefficient in ascending order, and store their numbers in Z3 in that order, obtaining the array Z3 of length x;
Step 5: extract the first y intermediate nodes of Z3 as monitoring nodes, obtaining the monitoring node set.
Specifically, in Step 2, the NAP value of an intermediate node is calculated according to Formula I:
Figure RE-GDA0002813080900000071
where θ represents the likelihood that the intermediate node v itself is attacked, with a value between 0 and 1; N represents the total number of nodes in the upstream neighbor set of the intermediate node v; $v_i$ represents the i-th node in the upstream neighbor set of v; and P represents the attack propagation probability of the neighbor nodes attacked by node v in the multi-domain optical network.
Specifically, the clustering coefficient of each intermediate node in Z2 is calculated by Formula II:
$$C_v = \frac{2E_v}{k_v(k_v - 1)} \qquad \text{(Formula II)}$$
where $k_v$ is the degree of the intermediate node v and $E_v$ is the total number of edges between the nodes directly connected to node v. If a leaf node with a degree of 1 is encountered during the calculation, its clustering coefficient is set to infinity, which prevents a leaf node with a degree of 1 from being selected.
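The two-round selection of Steps 1 to 5, written out as an added Python example (not code from the patent). The path set is the one listed in Example 1; the NAP values are constructed, because Formula I is not reproduced on this page, and the graph is assumed to consist only of the links that appear on those paths.

```python
import math
from itertools import combinations

# Path set U from Example 1 on this page (u1..u9).
PATHS = [
    ["q1", "n2", "n8", "p7"],
    ["q1", "n2", "n8", "p9"],
    ["q1", "n4", "n5", "p7"],
    ["q1", "n4", "n11", "p13"],
    ["q6", "n5", "p7"],
    ["q6", "n10", "p9"],
    ["q6", "n10", "n12", "p13"],
    ["q6", "n14", "n12", "p9"],
    ["q6", "n14", "p13"],
]

# Constructed NAP values (Formula I is not available here); chosen so that
# round one drops n2 and n11, as Example 1 reports.
NAP = {"n8": 0.90, "n5": 0.85, "n4": 0.80, "n12": 0.75,
       "n10": 0.70, "n14": 0.65, "n2": 0.40, "n11": 0.35}


def intermediate_nodes(paths):
    """Step 2: nodes that are neither first nor last on a path, first-seen order."""
    seen = []
    for path in paths:
        for node in path[1:-1]:
            if node not in seen:
                seen.append(node)
    return seen


def adjacency_from_paths(paths):
    """Assumption: the graph holds only the links that appear on paths in U."""
    adj = {}
    for path in paths:
        for a, b in zip(path, path[1:]):
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    return adj


def clustering_coefficient(adj, v):
    """Formula II: C_v = 2*E_v / (k_v*(k_v - 1))."""
    neighbours = adj.get(v, set())
    k = len(neighbours)
    if k < 2:
        # Degree-1 leaf: infinite coefficient so it is never selected.
        # Degree 0 is treated the same way here to avoid dividing by zero.
        return math.inf
    # E_v: edges among the neighbours of v.
    e = sum(1 for a, b in combinations(sorted(neighbours), 2) if b in adj[a])
    return 2 * e / (k * (k - 1))


def select_monitoring_nodes(paths, nap, adj, x, y):
    """Steps 2-5: pick y monitoring nodes out of x NAP-ranked candidates."""
    nodes = intermediate_nodes(paths)
    n = len(nodes)
    if not y < x < n:
        raise ValueError(f"need y < x < n, got y={y}, x={x}, n={n}")
    missing = [v for v in nodes if v not in nap]
    if missing:
        raise KeyError(f"no NAP value for {missing}")
    # Round one: Z1 = all intermediates by NAP, descending; Z2 = first x of Z1.
    z1 = sorted(nodes, key=lambda v: nap[v], reverse=True)
    z2 = z1[:x]
    # Round two: Z3 = Z2 by clustering coefficient, ascending. sorted() is
    # stable, so ties keep their NAP order (tie-breaking is an assumption).
    z3 = sorted(z2, key=lambda v: clustering_coefficient(adj, v))
    return z3[:y]


if __name__ == "__main__":
    graph = adjacency_from_paths(PATHS)
    print(select_monitoring_nodes(PATHS, NAP, graph, x=6, y=4))
```

With x = 6 and y = 4 the constructed inputs give the ranking stated in Example 1 (n8, n5, n4, n12); other NAP values or a fuller topology would change the result.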
This embodiment also discloses a method for monitoring and locating multi-point crosstalk attacks in a multi-domain optical network based on the selected monitoring nodes, comprising the following steps:
Step a: obtain a monitoring node set using the monitoring node selection method for multi-point crosstalk attacks in a multi-domain optical network; place a monitoring device at each node of the monitoring node set; perform crosstalk attack detection on the multi-domain optical network; and obtain the crosstalk attack detection result of each node, the detection result comprising an alarm state and a security state;
Step b: if the alarm state of any node is "alarm", take that node as the alarm node and execute step c; otherwise, the network is not currently under crosstalk attack;
Step c: if the alarm node has no upstream node, the alarm node is an attack source node; otherwise, detect the security state of the upstream node of the alarm node;
Step d: if the security state of the upstream node is "attacked by crosstalk", take the upstream node as the alarm node and return to step d;
if the security state of the upstream node is "not attacked by crosstalk", the alarm node is an attack source node.
In this embodiment, whether a node is an attack source node is determined by the following localization steps:
Step 1: the monitoring node set detects multi-domain optical network crosstalk attacks in real time; when a monitoring node is affected by an attack, it switches to the alarm state and generates alarm information.
Step 2: in a multi-domain optical network based on a hierarchical PCE architecture, the cPCE of each domain is responsible for collecting the alarm information of its domain, and the pPCE collects the alarm information through the control plane.
Step 3: when the alarm parameter of a monitoring node M is found to be M = 1, detection of the upstream non-monitoring node N connected to that node starts once the alarm information has been received; if M = 0, node M is in a normal state and no further detection of node N is needed.
Step 4: when M = 1 and attack detection is performed on the upstream non-monitoring node N: if the attack parameter of node N is N = 1, N is affected by the crosstalk attack and attack detection must continue on N', the upstream non-monitoring node of N; if N = 0, node N is not attacked and is in a secure state.
Step 5: when M = 1 and N = 1 and attack detection is performed on the second upstream node N': if the attack parameter N' = 1 and N' has an upstream non-monitoring node N'', attack detection must be performed on N''; if N' = 0 or N' has no connected upstream node, node N is determined to be an attack source node.
Step 6: when M = 1, N = 1 and N' = 1 and attack detection is performed on the third upstream node N'': if the attack parameter N'' = 1, N'' is determined to be an attack source node; if N'' = 0, node N' is determined to be an attack source node.
By applying this judgment repeatedly across the nodes of the multi-domain optical network, the crosstalk attack source nodes at every position in the network can be accurately located.
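The upstream trace of steps a to d, bounded to three upstream nodes as in Step 6, as an added Python example (not code from the patent). It generalizes "the upstream node" to the whole upstream neighbor set so that one alarm can resolve to several sources; the topology, node names and 0/1 states are constructed for illustration.

```python
MAX_UPSTREAM_HOPS = 3  # Step 6 stops at the third upstream node (N'')

# Constructed topology: node -> upstream neighbor set (UNS). Hypothetical names.
UPSTREAM = {
    "M_a": ["A1", "B1"],   # monitoring node with two upstream branches
    "A1": ["A2"], "A2": ["A3"], "A3": ["A4"],
    "B1": ["B2"],
    "M_b": ["C1"],
}
# Constructed security states: 1 = attacked by crosstalk, 0 = not attacked.
# A4 lies beyond the three-hop bound and is never inspected.
ATTACKED = {"A1": 1, "A2": 1, "A3": 1, "A4": 1, "B1": 1, "B2": 0, "C1": 0}
# Constructed alarm parameters reported by the monitoring devices.
ALARM = {"M_a": 1, "M_b": 0}


def trace_sources(alarm_node, upstream, attacked, max_hops=MAX_UPSTREAM_HOPS):
    """Steps c and d: walk upstream from an alarm node, return the source set."""
    sources = set()
    visited = set()
    stack = [(alarm_node, 0)]
    while stack:
        node, hops = stack.pop()
        if node in visited:
            continue
        visited.add(node)
        # Upstream neighbors whose security state is "attacked by crosstalk".
        hit = [u for u in upstream.get(node, ()) if attacked.get(u, 0) == 1]
        if not hit or hops == max_hops:
            # Step c: no upstream node at all, or step d: no upstream node is
            # attacked, or Step 6: third upstream node reached. Node is a source.
            sources.add(node)
        else:
            # Step d: each attacked upstream node becomes the new alarm node.
            stack.extend((u, hops + 1) for u in hit)
    return sources


def localize(alarm, upstream, attacked):
    """Step b: start a trace from every monitoring node whose alarm state is 1.

    Returns {monitoring node: set of source nodes}; an empty dict means no
    monitoring node is alarming, i.e. no crosstalk attack is detected.
    """
    return {
        monitor: trace_sources(monitor, upstream, attacked)
        for monitor, state in alarm.items()
        if state == 1
    }


if __name__ == "__main__":
    for monitor, found in localize(ALARM, UPSTREAM, ATTACKED).items():
        print(monitor, "->", sorted(found))
```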
Specifically, monitoring devices generally include the wavelength meter, the optical power meter, the Optical Spectrum Analyzer (OSA), the Optical Time Domain Reflectometer (OTDR), the eye diagram monitor and the BER monitor.
Preferably, the monitoring devices are an eye diagram monitor and a BER monitor. The eye diagram monitor and the BER monitor have good attack detection capability and can detect in-band and out-of-band crosstalk and gain competition. The wavelength meter can detect both power attenuation and wavelength shift, but cannot detect critical attack types such as in-band and out-of-band crosstalk and gain competition. This embodiment therefore uses an Eye-BER monitor combination, and monitors crosstalk attacks jointly by comprehensively analyzing the attack power, the eye diagram and the bit error rate of the monitored signal.
This embodiment also discloses a monitoring and localization system for multi-point crosstalk attacks, comprising a crosstalk attack monitoring module, an alarm module and a crosstalk attack localization module.
The crosstalk attack monitoring module comprises a monitoring node selection module, a data information acquisition module and a monitoring data analysis module. The monitoring node selection module uses the monitoring node selection method for multi-point crosstalk attacks in a multi-domain optical network to obtain a monitoring node set, and a monitoring device is placed at each node of the set. The data information acquisition module acquires crosstalk attack data through the monitoring devices. The monitoring data analysis module calculates, from the crosstalk attack data obtained by the data information acquisition module, the node at which the source attack occurs and the degree to which it is affected by crosstalk.
The alarm module obtains a crosstalk attack detection result from the node, output by the crosstalk attack monitoring module, at which the source attack occurs; the detection result comprises an alarm state and a security state.
The crosstalk attack localization module obtains the attack source node from the alarm state and the security state of the nodes.
Specifically, after the monitoring node selection module has screened the monitoring node set, the data information acquisition module collects the crosstalk attack data that may be generated during information transmission, including attack power, signal waveform, signal spectrum, BER and the like.
Specifically, the monitoring data analysis module analyzes, classifies, discriminates and collates the crosstalk attack data submitted by the data information acquisition module. Different crosstalk attack types have their own monitoring signatures: in-band crosstalk attacks occur at the optical cross-connect and produce phase shift and time delay, signal attenuation and increased BER; out-of-band crosstalk attacks occur in the optical fiber and are characterized by high power, signal attenuation and increased BER; gain competition arises at the optical amplifier, which raises the power of the high-power crosstalk signal while severely attenuating the user signal. Detection is mainly based on attack power analysis, eye diagram analysis and bit error rate analysis.
Example 1
In this embodiment, an NSF network topology is used for an example analysis of the proposed multi-domain optical network crosstalk attack monitoring method. The NSF network has 14 nodes and 20 links in total, and its hierarchical PCE architecture is shown in FIG. 4. The NSF network is divided into three domains D1, D2 and D3; each domain has a different number of nodes, and each domain has a certain number of boundary nodes connected to the other two domains.
Set the multi-domain optical network G = (14, 17), the crosstalk attack source nodes to q1 and q6, and the destination nodes to p7, p9 and p13. First, in the monitoring placement selection module, the pPCE finds the domains in which the attack source nodes and the destination nodes are located, and the Dijkstra algorithm is used to compute the set of attack propagation paths: u1 = {q1, n2, n8, p7}, u2 = {q1, n2, n8, p9}, u3 = {q1, n4, n5, p7}, u4 = {q1, n4, n11, p13}, u5 = {q6, n5, p7}, u6 = {q6, n10, p9}, u7 = {q6, n10, n12, p13}, u8 = {q6, n14, n12, p9}, u9 = {q6, n14, p13}. The nodes in the nine paths other than the source and destination nodes are numbered in natural order, the NAP values of these 8 nodes are calculated, and the array Z1 is built after sorting. Assume that the monitoring density y is 4 and the candidate density x is 6. After the first round of selection in Step 3, n2 and n11 are removed, giving the new array Z2. The clustering coefficient of each node is then calculated and the array Z3 is built after sorting. The second round of selection in Step 5 extracts the first y nodes of Z3 as monitoring points. Ranked first in Z3 is node n8 on paths u1 and u2, followed in turn by node n5 on paths u3 and u5, node n4 on paths u3 and u4, and node n12 on paths u7 and u8. If the monitoring density y is 6, n10 and n14 are added as monitoring nodes, which allows paths u6 and u9 to be monitored more directly. As this analysis shows, choosing the node set that corresponds to the monitoring density required in practice and placing monitoring points there achieves the goal of monitoring crosstalk attacks in the multi-domain optical network.
Example 2
Various types of crosstalk attack exist in a multi-domain optical network; among them, in-band crosstalk occurring at an OXC causes more serious damage to a user signal. Taking the OXCs as the primary attack nodes in the multi-domain optical network and the optical fibers and EDFAs as secondary attack nodes, an example analysis of the proposed multi-domain optical network crosstalk attack positioning method is carried out. As shown in FIG. 4, the input user signals are Tx1~Tx6, the primary attack nodes of the high-power crosstalk attack are OXC1~OXC7, the secondary attack nodes are F1~F6 and EDFA1~EDFA3, and the monitoring nodes are M1~M6.
High-power crosstalk attack signals are injected at two positions, N1 and N2, at the user signal inputs Tx2 and Tx6. The monitoring nodes in the network detect the crosstalk attack, switch to the alarm state and send alarm information, which the PCE collects through the control plane. At this point alarm information is found to be sent at M6, and the specific steps for locating the crosstalk attack source nodes are as follows:
Step 1: Alarm information is found to be sent at M6, so attack monitoring is carried out on the optical paths of OXC7, which M6 monitors.
Step 2: Analysis finds that both nodes connected to OXC7, namely OXC6 and EDFA2, show signs of crosstalk attack, so monitoring of the optical paths entering node OXC6 and node EDFA2 is started.
Step 3: The eye diagram and the bit error rate at M2 are observed and analyzed; both are only slightly affected, which indicates that Tx5 is not the entry point of a crosstalk attack source.
Step 4: The monitoring result of M5 is analyzed: the vertical opening of the "eye" is good and the eye diagram is fairly clear, so Tx4 is not the entry point of a crosstalk attack source. The possibility that node OXC3 is a crosstalk attack source node is therefore excluded, and Tx6 is determined to be the input of one of the crosstalk attack sources.
Step 5: For the other propagation path, analysis of the monitoring result of M1 excludes the possibility that node OXC1 is a crosstalk attack source node.
Step 6: Comparing the monitoring results of M3 and M4 shows that the attack effect at M3 is larger than that at M4, so Tx2 is determined to be the input of the other crosstalk attack source.
From the above analysis, when M6 sends alarm information, Tx2 and Tx6 are finally located as the inputs of the crosstalk attack sources by means of the monitoring nodes and the distributed positioning method that analyzes successive upstream nodes, and this result is consistent with the initial setting of this example. The method can therefore accurately locate crosstalk attack source nodes at any position in the multi-domain optical network.
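The upstream trace used in Example 2, as an added illustration that is not part of the patent text. Assumptions: the wiring in UPSTREAM and the monitor readout in DEGRADED are constructed and do not reproduce FIG. 4, and the single-upstream rule of the method is generalized to nodes with several upstream neighbours, so that every attacked branch is followed and several sources can be located from one alarm.

```python
# Constructed wiring (assumption, NOT the topology of FIG. 4):
# each node maps to the nodes directly upstream of it.
UPSTREAM = {
    "OXC7": ["OXC6", "EDFA2"],
    "OXC6": ["OXC3", "Tx6"],
    "OXC3": ["Tx4", "Tx5"],
    "EDFA2": ["OXC2"],
    "OXC2": ["OXC1", "Tx2"],
    "OXC1": ["Tx1"],
}
# Constructed monitor readout: nodes whose eye diagram / BER is degraded.
DEGRADED = {"OXC7", "OXC6", "EDFA2", "OXC2", "Tx2", "Tx6"}


def locate_sources(alarm_node, upstream, is_attacked):
    """Trace upstream from an alarm node.

    Returns (sources, probed): the located attack source nodes and the
    nodes whose state had to be checked, in the order they were checked.
    """
    sources, probed, seen = set(), [], set()
    pending = [alarm_node]
    while pending:
        node = pending.pop()
        if node in seen:              # guard against loops and shared upstreams
            continue
        seen.add(node)
        attacked_up = []
        for up in upstream.get(node, []):
            probed.append(up)
            if is_attacked(up):
                attacked_up.append(up)
        if attacked_up:
            pending.extend(attacked_up)   # attacked upstream becomes the alarm node
        else:
            sources.add(node)             # no upstream, or every upstream is clean
    return sources, probed


if __name__ == "__main__":
    found, checked = locate_sources("OXC7", UPSTREAM, DEGRADED.__contains__)
    print(sorted(found), checked)
```

Clean branches are pruned as soon as their first node reads as unaffected, so in this constructed case Tx1, Tx4 and Tx5 are never probed.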
Example 3
In this embodiment, simulation experiments are performed on the VPI optical network software platform, and a comparative analysis is made of three methods: the multi-domain optical network multi-point crosstalk attack detection and positioning method provided by the invention (abbreviated as I-CADL); the crosstalk attack detection and positioning method based on parameter comparison (abbreviated as P-CADL) provided by reference [1] (lie, wang, peak, and attack detection and positioning in all-optical network [J]. modern electronic technology, 2008, 31(15): 18-20); and the crosstalk attack detection and positioning method based on gray theory (abbreviated as G-CADL) provided by reference [6] (lie, multi-domain optical network crosstalk attack detection and intrusion tolerance technology research [D]. shanxi: university of armed police engineering, 2018). The main modules used in building the simulation experiment are a signal sending module, a signal transmission module, a high-power crosstalk attack source module and a signal receiving and detecting module.
FIG. 5 compares the accuracy of the three crosstalk attack detection and positioning methods, I-CADL, G-CADL and P-CADL, in different time periods. Observation and analysis show that all three methods can detect and locate crosstalk attacks in the multi-domain optical network, but their efficiency and accuracy differ. In the early stage of attack detection and positioning, the accuracy of G-CADL is slightly higher than that of I-CADL, and it has a certain advantage in detection efficiency. As the crosstalk attack spreads through the multi-domain optical network, the number of nodes affected by its propagation increases; in the middle and later stages of attack detection and positioning, the accuracy of I-CADL is the highest, with an obvious advantage, and G-CADL is second. The accuracy of P-CADL is the lowest throughout the detection and positioning process, and its detection and positioning efficiency is low.
I-CADL comprises a monitoring placement selection module based on a layered PCE and a local immune algorithm, together with a distributed positioning method based on parameter analysis of successive upstream nodes, and is characterized by low monitoring cost and good real-time performance. G-CADL has good real-time performance, and its detection and positioning efficiency has a certain advantage in the early stage, but its judgment and analysis of the crosstalk attack are based only on the detection result of the spectrum analyzer and cannot be quantitative, so in the middle and later stages, when the attack propagation becomes gradually more complex, its accuracy cannot keep up and it gradually falls behind I-CADL. P-CADL is based on a parameter comparison method; since this method requires photoelectric conversion, the speed of detection and positioning depends on the photoelectric conversion time, which reduces efficiency, and the power of the signal may be affected while the signal is being extracted, so its accuracy is not high enough.

Claims (4)

1. A method for selecting monitoring nodes for multi-point crosstalk attacks of a multi-domain optical network, used for obtaining the placement of the monitoring nodes in the multi-domain optical network, characterized by comprising the following steps:
Step 1: acquiring a plurality of source nodes and a plurality of destination nodes of the crosstalk attack, and obtaining a propagation path set U of the crosstalk attack from the links between all the source nodes and the destination nodes, wherein each link comprises a plurality of intermediate nodes;
Step 2: numbering all intermediate nodes in the path set U to obtain the numbers of all the intermediate nodes; establishing an array Z1 to hold the node numbers, calculating the NAP values of the intermediate nodes, sorting all the intermediate nodes from large to small according to their NAP values, and storing all the intermediate node numbers in the array Z1 in that order to obtain the array Z1, the length of the array Z1 being n, where n is the total number of intermediate nodes in the path set U;
Step 3: establishing an array Z2 and setting it to null, extracting the numbers of the first x intermediate nodes in the array Z1 and storing them in the array Z2, wherein y < x < n and y is the total number of monitoring nodes, to obtain the array Z2, the length of the array Z2 being x;
Step 4: establishing an array Z3 and setting it to null, calculating the clustering coefficient of each intermediate node in Z2, sorting the intermediate nodes in Z2 from small to large according to their clustering coefficient values, and storing all the intermediate node numbers of Z2 in the array Z3 in that order to obtain the array Z3, the length of the array Z3 being x;
Step 5: extracting the first y intermediate nodes in the array Z3 as monitoring nodes to obtain a monitoring node set.
2. The method according to claim 1, wherein step 2 calculates the NAP value of an intermediate node according to formula I:
Figure FDA0002710825540000011
wherein θ represents the possibility that the intermediate node v itself is attacked, with a value of 0-1; N represents the total number of nodes in the upstream neighbor node set of the intermediate node v; vi represents the i-th node in the upstream neighbor node set of the intermediate node v; and P represents the attack propagation probability of the downstream neighbor node of the intermediate node v.
3. A monitoring and positioning method for multi-point crosstalk attacks of a multi-domain optical network, characterized by comprising the following steps:
Step a: obtaining a monitoring node set by the method for selecting monitoring nodes for multi-point crosstalk attacks of a multi-domain optical network according to any one of claims 1 to 2, installing a monitoring device at each node in the monitoring node set, performing crosstalk attack detection on the multi-domain optical network, and obtaining the crosstalk attack detection result of the node output by each monitoring device, wherein the crosstalk attack detection result comprises an alarm state and a safety state;
Step b: if the alarm state of any node is alarm, taking the node whose alarm state is alarm as an alarm node and executing step c; otherwise, the current network is not under crosstalk attack;
Step c: if the alarm node has no upstream node, the alarm node is an attack source node; otherwise, detecting the safety state of the upstream node of the alarm node;
Step d: if the safety state of the upstream node is that it is attacked by crosstalk, taking the upstream node as the alarm node and returning to step d;
and if the safety state of the upstream node is that it is not attacked by crosstalk, the alarm node is an attack source node.
4. The method according to claim 3, wherein the monitoring devices are an eye monitor and a BER monitor.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011055805.8A CN112351354B (en) 2020-09-30 2020-09-30 Monitoring node selection and monitoring positioning method for multi-point crosstalk attack of multi-domain optical network

Publications (2)

Publication Number Publication Date
CN112351354A (en) 2021-02-09
CN112351354B (en) 2022-09-06

Family

ID=74361406

Country Status (1)

Country Link
CN (1) CN112351354B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant