EP2168273A1 - Optical communications security device and system - Google Patents

Optical communications security device and system

Info

Publication number
EP2168273A1
EP2168273A1 EP08756873A EP08756873A EP2168273A1 EP 2168273 A1 EP2168273 A1 EP 2168273A1 EP 08756873 A EP08756873 A EP 08756873A EP 08756873 A EP08756873 A EP 08756873A EP 2168273 A1 EP2168273 A1 EP 2168273A1
Authority
EP
European Patent Office
Prior art keywords
optical
module
signal
wavelength
input signal
Prior art date
Legal status
Withdrawn
Application number
EP08756873A
Other languages
German (de)
English (en)
Other versions
EP2168273A4 (fr)
Inventor
Saul Steve Carroll
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Priority claimed from AU2007902970A
Application filed by Individual
Publication of EP2168273A1
Publication of EP2168273A4
Current legal status: Withdrawn

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B10/00 Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
    • H04B10/80 Optical aspects relating to the use of optical transmission for specific applications, not provided for in groups H04B10/03 - H04B10/70, e.g. optical power feeding or optical transmission through water
    • H04B10/85 Protection from unauthorised access, e.g. eavesdrop protection

Definitions

  • the present invention relates generally to communications using optical fibres and, in particular, to arrangements that afford enhanced security for transmissions.
  • intrusion detection devices which monitor network links to detect if any other resources are tapping into the link to eavesdrop on the information being transmitted.
  • in intrusion detection devices, typically the total power levels of the light within the optical link are monitored for any evidence of intrusion or tapping on the physical fibre.
  • NMS Network Management System
  • an apparatus for detection of intrusion events on a first optical transmission line comprising: a first optical monitoring module for sampling a first optical input signal propagating on the first optical transmission line and including a plurality of first optical wavelength signals to form a first sampled signal for monitoring the first optical input signal, the first optical monitoring module including a first wavelength selective module and a first optical detection module, the first wavelength selective module adapted to receive the first sampled signal and direct one or more of the first optical wavelength signals in the first sampled signal to the first optical detection module, thereby to monitor the one or more of the first optical wavelength signals; and an analysing module operatively coupled to the first optical monitoring module for analysing the first sampled signal for characteristics associated with a possible intrusion event on the first optical transmission line.
  • the first wavelength selective module includes a wavelength selective element for selecting any one of the first optical wavelength signals, and a directional element for directing the selected first wavelength signal to the first optical detection module.
  • the wavelength selective element is a tunable wavelength selective element and adapted to sequentially select a plurality of selected first wavelength signals.
  • the first optical detection module is adapted for sequentially monitoring the plurality of the selected first wavelength signals, thereby to monitor the first optical input signal.
  • the tunable wavelength selective element is a tunable fibre Bragg grating.
  • the directional element is an optical circulator.
  • the first wavelength selective module includes a wavelength dependent separator for spatially separating the first optical wavelength signals in the first sampled signal and directing the spatially separated wavelength signals to the first optical detection module.
  • the first optical detection module includes a plurality of optical detectors, each detector substantially aligned with one of the spatially separated wavelength signals for receiving the one of the spatially separated wavelength signals, thereby to facilitate simultaneous monitoring of each of the first optical wavelength signals and the first optical input signal.
  • the wavelength dependent separator is an arrayed waveguide grating or a wavelength division demultiplexer.
  • the first optical monitoring module is adapted to monitor optical characteristics of the first wavelength signals, thereby monitoring optical characteristics of the first sampled signal and optical characteristics of the first optical input signal. More preferably the optical characteristics being monitored include optical power. Alternatively or additionally the optical characteristics being monitored include optical phase.
  • the apparatus also comprises a first optical input port for receiving the first optical input signal.
  • the apparatus further comprises a first optical output port for outputting an optical output signal which is a substantial portion of the first optical input signal. More preferably optical power of the first optical output signal is greater than 90% of optical power of the first optical input signal. Even more preferably the optical power of the first optical output signal is greater than 95% of the optical power of the first optical input signal.
  • the first optical input signal is a first encrypted optical signal and the apparatus includes an optical decryption module for decrypting the first encrypted optical signal. More preferably the optical decryption module is intermediate the first optical input port and the first optical output port. Even more preferably the optical decryption module is intermediate the first optical input port and the first optical monitoring module.
  • the first optical monitoring module includes a first optical coupling device for sampling a portion of the first optical input signal. More preferably the first optical coupling device is a 2x2 optical coupler or a 1x2 optical coupler.
  • the analysing module analyses the first sampled signal for variations in the optical characteristics of the first sampled signal, such variations being associated with an occurrence of a possible intrusion event. More preferably, upon the occurrence of a possible intrusion event, the analysing module transmits an alarm signal to a communications network management system.
  • the alarm signal is transmitted to the management system using a standard communication protocol.
  • the communication protocol is Internet Protocol.
  • the communication protocol is Simple Network Management Protocol.
  • the apparatus further comprises: a second optical monitoring module for sampling a second optical input signal propagating on a second optical transmission line and including a plurality of second optical wavelength signals to form a second sampled signal for monitoring the second optical input signal, the second optical monitoring module including a second wavelength selective module and a second optical detection module, the second wavelength selective module adapted to receive the second sampled signal and direct one or more of the second optical wavelength signals in the second sampled signal to the second optical detection module, thereby to monitor the one or more of the second optical wavelength signals.
  • the analysing module is operatively coupled to the second optical monitoring module for analysing the second sampled signal for characteristics associated with a possible intrusion event on the second optical transmission line.
  • the second optical monitoring module has any one or more of attributes of the first optical monitoring module, wherein the attributes are directed to the second optical input signal, the second sampled signal and the plurality of second optical wavelength signals, instead of the first optical input signal, the first sampled signal and the plurality of first optical wavelength signals, respectively.
  • the second wavelength selective module has any one or more of attributes of the first wavelength selective module, wherein the attributes are directed to the second optical input signal, the second sampled signal and the plurality of second optical wavelength signals, instead of the first optical input signal, the first sampled signal and the plurality of first optical wavelength signals, respectively.
  • the second optical detection module has one or more of attributes of the first optical detection module, wherein the attributes are directed to the second optical input signal, the second sampled signal and the plurality of second optical wavelength signals, instead of the first optical input signal, the first sampled signal and the plurality of first optical wavelength signals, respectively.
  • the apparatus also comprises a second optical input port for receiving the second optical input signal.
  • the apparatus also comprises a second optical output port for outputting a substantial portion of the second optical input signal.
  • the apparatus further comprises an optical encryption module for encrypting the substantial portion of the second optical input signal to form a second encrypted optical signal.
  • the optical decryption module is intermediate the second optical input port and the second optical output port.
  • the optical encryption module is intermediate the second optical monitoring module and the second optical output port.
  • the apparatus further comprises at least one optical test port for facilitating connection with at least one corresponding optical test device.
  • the apparatus includes first and second optical test ports and first and second optical test devices connected respectively to the first and second test ports, the apparatus including optical transmission paths such that the first test device tests optical characteristics of the first optical transmission line external to the first optical input port and the second test device tests optical characteristics of a third optical transmission line external to the second optical output port.
  • the first and second optical test devices are each an optical time domain reflectometer.
  • a communications system comprising: first optical transceiver equipment for transmitting and receiving an optical signal including a plurality of first optical wavelength signals; a first apparatus adapted to couple the optical signal between the first optical transceiver equipment and an optical communications network, said first apparatus comprising a first optical monitoring module for sampling the optical signal to form a first sampled signal for monitoring the optical signal, the first optical monitoring module including a first wavelength selective module and a first optical detection module, the first wavelength selective module adapted to receive the first sampled signal and direct one or more of the first optical wavelength signals in the first sampled signal to the first optical detection module, thereby to monitor the one or more of the first optical wavelength signals; and a first analysing module operatively coupled to the first optical monitoring module for analysing the first sampled signal for characteristics associated with a possible intrusion event on the optical communications network; a second apparatus for coupling said signals from the network, said second apparatus comprising a second optical monitoring module for sampling the optical signal to form a second sampled signal for
  • a photonics-based apparatus for integration into existing modern network infrastructure which provides security for current and future optical network systems.
  • the arrangement provides for active real-time monitoring of optical communications networks, as well as providing security for the data transmitted over the communications link by users.
  • the apparatus is able to identify which wavelengths are being used on a multi-wavelength optical communications system - examples include coarse and dense wavelength division multiplexing networks (CWDM and DWDM respectively) - and at what capacity. This is of particular use for telecommunications carriers monitoring individual wavelength channels for customers on a multi-customer multi-wavelength optical network.
  • Specific implementations also include optical encryption and decryption modules for transmission and receipt of encrypted optical signals over the optical communications link, and functionality for optical testing of the communication link.
  • the specific implementations of the apparatus described herein are envisaged as the next generation of intrusion detection equipment. They have been designed specifically to utilise all-optical components for data acquisition and are capable of processing 32 wavelengths each running at 2.5 Gb/s. It will be apparent, however, that the apparatus may be modified to accommodate other optical communication network specifications. For example, networks having a larger wavelength channel count (channel counts of at least 160 channels are available under the ITU-T G.694.1 frequency grid standard) and faster data transmission rates of 10 Gb/s and greater may utilise modified forms of the apparatus. This satisfies the need for monitoring on both current and future optical communications networks.
  • the efficiency provided by component reduction and optical connectivity in utilising photonic components over electronic components is a major advantage, as is the use of all-optical components to circumvent the problem of the speed of data transmission affecting present encryption methods.
  • the preferred embodiments of the present invention further provide for communication with a NMS utilising common network communications protocols such as Simple Network Management Protocol (SNMP) over a standard TCP/IP link to provide expedient action on potential network problems and/or intrusion.
  • SNMP Simple Network Management Protocol
  • Other network communications protocols can be utilised including Internet Protocols and any other proprietary signalling protocol, such as those based on RS232 standards.
  • Fig. 1 is a schematic block diagram representation of a communications system with an intrusion detection apparatus installed at each end of a communications link;
  • Fig. 2 is a schematic block diagram representation of an embodiment of the intrusion detection apparatuses used in the communications system of Fig. 1;
  • Fig. 3 shows a more detailed schematic block diagram representation of an embodiment of the optical monitoring module of the apparatus of Fig. 2;
  • Fig. 4 is a schematic block diagram representation of an embodiment of the optical monitoring module of Fig. 3;
  • Fig. 5 is a schematic block diagram representation of another embodiment of the optical monitoring module of Fig. 3;
  • Fig. 6 is a schematic block diagram representation of another embodiment of the intrusion detection apparatus.
  • Fig. 7 is a schematic block diagram representation of yet another embodiment of the intrusion detection apparatus.
  • Fig. 8 is a schematic block diagram representation of still another embodiment of the intrusion detection apparatus.
  • the arrangements to be described provide a modern intrusion detection system utilising state of the art photonic technology and are designed to be seamlessly integrated into the existing network infrastructure of all organisations, ranging from telecommunications carriers to individual companies utilising optical communications networks.
  • the arrangements detect physical security breaches in the fibre, on any wavelength transmitted or received in the optical communications network, via real-time monitoring of each wavelength channel in an optical transmission line, such as an optical fibre or an optical communications link. Data collected by the system is then transmitted to the organisation's Network Management System (NMS) using common network communications protocols such as Simple Network Management Protocol (SNMP) or Internet Protocol (IP).
  • IP Internet Protocol
  • Fig. 1 shows a communications system 1 in which an intrusion detection apparatus 100 is connected into an existing or new optical fibre communications link 101 at both ends of the link, interposed with transmission/receiving (transceiver) equipment 103.
  • the connection typically occurs within the user's premises 105, thereby providing a level of physical security.
  • the communications network 1 may have an apparatus 100 at only one end of the communications link 101.
  • an embodiment of the intrusion detection apparatus 100 includes a first optical input port 111 for receiving a first optical input signal 112 propagating on the optical fibre 113 of the communications link 101.
  • a first optical monitoring module 130 samples the input signal 112 by redirecting a first portion 114 of the first optical input signal 112 for monitoring by components 118. The redirected and monitored first portion 114 is analysed in an analysing module 150 for characteristics in the signal associated with a possible intrusion event on the optical communications link 101.
  • This embodiment of the apparatus 100 also includes a first optical output port 115 and a data output port 117.
  • the first optical output port 115 retransmits the remaining portion 116 of the input signal 112 onto the optical fibre 119 of the communications link, whereas data output port 117 is used to communicate with a network management system (NMS) 121 over network link 123.
  • Fig. 2 only illustrates a single input of apparatus 100. Not shown are a second optical input port and a second optical output port for connection to optical fibres 126 and 128 of the communications system of Fig. 1; and a second optical monitoring module and a second analysing module for monitoring and analysis of optical signals on fibre 126 prior to transmission onto the communications link 101.
  • the network link 123 may use a network communications protocol such as Simple Network Management Protocol (SNMP) over a standard TCP/IP link.
  • Other common or future protocols such as internet or wireless communications protocols may alternatively be used.
  • Referring to Fig. 3, which shows a more detailed schematic block diagram representation of an embodiment of the optical monitoring module 130 of the apparatus of Fig. 2, the first optical monitoring module 130 is a photonics module including an optical coupling device 131 for sampling the input signal 112 by redirecting a first monitored input signal portion 114 of the input signal 112 propagating on an optical waveguide 133.
  • the optical waveguide 133 may be an optical fibre or a suitable planar waveguide.
  • optical signals 112, 114 and 116 may travel through free space (e.g. air) within module 130.
  • the optical components 118 of the first optical monitoring module 130 include a wavelength selective module 135 for selecting a desired wavelength from the input signal 112 and an optical detection module 137 for monitoring optical characteristics such as power level and/or phase of the first monitored input signal 114.
  • An electronic control module 139 is further included for powering and control of the wavelength selective module 135 and the detection module 137 as required.
  • the optical coupling device 131 is embodied as a 2x2 coupler for splitting a small portion 114 of the input signal 112 from optical waveguide 133 into the wavelength selection module 135. Typically approximately 1%-5% of the optical power on the communications link is redirected by the coupler 131, although this coupler can be replaced with a 1x2 coupler or a coupler of a different splitting ratio.
  • the wavelength selective module 135 in this arrangement includes an optical circulator 141 which directs all or most of the light from the coupler 131 to a tunable fibre Bragg grating (TFBG) 143.
  • TFBG tunable fibre Bragg grating
  • the TFBG is electronically tunable for selection of a desired wavelength channel in the monitored input signal 114 and is controlled by control module 139 via cable 144.
  • the TFBG reflects the selected wavelength channel or signal 120 back to circulator 141 which in turn directs it to the detection module 137 via optical waveguide 122.
  • the detection module 137 in this arrangement is a single optical detector 138, for example a high bandwidth, high speed photodiode.
  • the detector 138 converts the amount of optical power of the selected wavelength channel 120 incident on the detector 138 into a voltage level or such data.
  • the detector 138 is powered and controlled by the control module 139 via cable 142.
  • the control module 139 collects the data from detector 138 also via cable 142 and transmits this data via cable 146 to the analysing module 150 for storage and further analysis.
  • it is not necessary to monitor each wavelength channel constantly. This may even be undesirable in some instances due to security concerns.
  • it is sufficient to sample each wavelength channel in the input signal 112 periodically or sequentially.
  • the TFBG 143 can be configured to poll sequentially across the entire array of wavelength channels included in the input signal 112 at desired intervals.
  • the monitoring module 130 collects data for each wavelength channel on the communications link 101 that is desired to be monitored, including the power of the signal and the specific wavelength, at the TFBG polling cycle rate.
  • the monitoring module 130 is also able to be configured for continuous monitoring of a single wavelength channel 120 if desired.
  • the data received from control module 139 is transmitted via cable 146 to the analysing module 150, which both stores the data locally as well as transmits the data via
  • the data may be presented in the form of a graph showing power levels per wavelength against time, although other data representation methods are also possible.
  • Data-dependent alarms can be set to alert NMS support staff of events on the communications link 101.
  • the events for which an alarm may be appropriate include a sudden change in power levels for:
  • a specific wavelength which may indicate a fault in the network transmission equipment of the optical communications link, or a possible intrusion event on the communications link such as an intruder inserting signals at the specific wavelength channel to sniff network information or tap into resources of the network.
  • Fig. 5 shows an alternative arrangement 230 of an optical monitoring module.
  • the wavelength selective module 235 is a single wavelength selective component that is capable of spatially separating different wavelength channels and directing them to different spatial locations.
  • Examples of possible components able to be employed as module 235 include Arrayed Waveguide Gratings (AWG) or a wavelength division demultiplexer such as a CWDM or DWDM demultiplexer based on thin film designs. Use of other components for decomposing an optical input signal into its constituent wavelength channels and spatially separating those wavelength channels for independent access such as diffraction gratings or prisms is also possible.
  • AWG Arrayed Waveguide Gratings
  • the now spatially separated plurality of individual wavelength channels 120 are each directed to detection module 237, consisting in this arrangement of a plurality of optical detectors 138 - for example high bandwidth, high speed photodiodes.
  • Detectors 138 are each spatially aligned with one of the now spatially separated wavelength channels or signals 120 to enable continuous and/or simultaneous monitoring of each wavelength channel in real-time.
  • electronic control module 239 collects data for each wavelength monitored, including the power and/or phase of the signal and the specific wavelength. This data is transmitted via cables 142 from detectors
  • control module 239 is adapted to power and control the wavelength selective module 235 and the detection module as required.
  • control module 239 is adapted to provide these functions.
  • the apparatus 100 is capable of continuous and/or simultaneous monitoring of all wavelength channels 120 in the input signal 112.
  • if an event such as a drop in power is observed on any wavelength channel individually, or over all channels simultaneously, an alarm signal is transmitted to the NMS where the nature of the event can be ascertained.
  • the optical monitoring module (135 or 235) is configured to detect and monitor the phase of the input signal 112 - either the phase of the input signal as a whole or of an individual wavelength channel contained in the input signal.
  • Suitable phase-sensitive components such as optical polarising elements (e.g. polarisers, polarisation/phase-sensitive crystals), phase rotating components (e.g. Faraday rotators) and other phase sensitive components (e.g. liquid crystal devices) are substituted as required.
  • the optical communications link 101 includes the capability for optical propagation in both forward and backward directions of the link.
  • at least two optical fibres are employed for each of the directional links, although with suitable components in the optical network (for example optical circulators and couplers), a single optical fibre can be used.
  • Fig. 6 illustrates an alternate arrangement of an optical intrusion detection apparatus 300.
  • the apparatus 300 includes a first optical monitoring module 310 and a second optical monitoring module 320. Both modules 310 and 320 are similar to that of either module 130 or 230. Furthermore, in a given arrangement of the apparatus, module 320 is typically similar to module 310 in both construction and mode of operation.
  • the apparatus 300, including a first optical input port 111 and a first optical output port 115 as in the apparatus 100 in Fig. 1, further includes second optical input and output ports 301 and 303 for connection to optical waveguides 126 and 128 respectively. Waveguides 126 and 128 are optical fibre communications links of the communications network 1.
  • Optical fibre 126 typically supports an optical input signal 312 containing a plurality of wavelength channels 320 in a similar manner to that of the first optical input signal 112 and wavelength channels 120.
  • the second monitoring module 320 samples a portion 314 of optical input signal 312 for detection and directs the remaining portion 316 of optical signal 312 to output port 303.
  • the apparatus 300 also includes an analysing module 330 similar to analysing module 150, however, with modifications to enable module 330 to: receive data from both the first and second monitoring modules 310 and 320; analyse the data received from each module; and transmit the data from both modules to the NMS 121 over network link 123.
  • the analysing module 330 receives data from individual control modules (not shown) contained within optical monitoring module 310 for analysis of the first monitored optical signal 114, and also from monitoring module 320 for analysis of the second monitored optical signal 314.
  • the parameter analysed in the present arrangement is the optical power level of the individual wavelength channels 120 in the optical input signals 112 and 312 respectively.
  • the total power level of the optical input signals 112 and 312 across all wavelength channels in each signal is also monitored.
  • the analysing module 330 thereby analyses the monitored optical signals 114 and 314 for unexpected, suspicious, or unusual incidences of power loss, such incidences being associated with a possible intrusion event.
  • Optical parameters other than the power level may be alternatively or concurrently employed by the analysing module 330 for analysis of the optical signals and identification of a possible intrusion event. For example, by making suitable substitutions in the optical components of the optical monitoring modules 310 and 320, unexpected variations in phase of the monitored optical signal - either the phase of the signal as a whole or on any particular individual wavelength channel - may indicate a possible intrusion event.
  • the analysing modules (150 and 330) of the arrangements described above perform two primary functions: to control and collect data from the optical monitoring modules of the apparatus and to communicate this data to the NMS 121.
  • the analysing module includes a fast computer processor such as an Intel CPU operating with a clock speed in the range of 2 to 3 GHz or greater, a motherboard, and both volatile and non-volatile memory.
  • Typical memory storage requirements of the present arrangement are approximately 120 Gigabytes, although this is dependent upon a range of factors including the number of wavelength channels being monitored at any time, the amount and type of data that is monitored, and the precision at which that data is recorded. Accordingly, it will be appreciated that more or less storage capacity may be necessary as required.
  • the analysing module of the described arrangements may also include software routines required for both control of the various modules of the apparatus, and analysis of the data recorded from the optical monitoring modules.
  • as one of the main functions of the system is the ability to operate remotely to an NMS host 121, the operating system and control software for the analysing module must be compatible with those communications protocols.
  • efficient software routines that can cope with the optical data rates of the communications link 101 are required. Accordingly, the requirements for the controlling software in the preferred embodiments include:
  • a suitable user interface eg. HTML/Internet interface.
  • a suitable operating system is the OpenBSD Operating System, with all control and analysis software routines written in the C++ programming language.
  • An internet interface for configuration and control may also be included within the analysing module to allow authorised users to log in remotely (from within the customer premises 105 via the internal computer network) to perform configuration and support functions as required.
  • Encryption and decryption capabilities may be selectively added to any of the arrangements of the intrusion detection apparatus, and it is envisaged that each of the arrangements is able to provide such capabilities by way of expansion modules that can be installed in the apparatus as required.
  • Fig. 7 illustrates an alternate arrangement of an optical intrusion detection apparatus 400 where encryption and decryption capabilities have been installed.
  • The first input optical signal 401 received on optical fibre 113 is an encrypted optical input signal.
  • Encrypted optical signal 401 is received in the apparatus 400 at optical input port 111 and transmitted to an optical decryption module 410 for decryption.
  • The optical decryption module 410 decrypts the encrypted optical signal 401 whilst retaining it in the optical domain.
  • Decrypted input signal 412 is then transmitted to the first optical monitoring module 420 which samples a portion 414 of the decrypted input signal 412 for monitoring and detection as previously described with reference to the optical monitoring module 310.
  • The remaining portion 416 of the decrypted input signal 412 is transmitted via the first optical output port 115 onto optical fibre 119 and to the (transceiver) equipment 103 within the user's premises 105, and subsequently to an intended recipient.
  • The arrangement 400 includes an optical encryption module 440.
  • An unencrypted second optical input signal 422 is received at the second optical input port 125 from optical fibre 126 and transmitted to a second optical monitoring module 430 which samples a portion 424 of the input signal 422 for monitoring and subsequent analysis as previously described with reference to the optical monitoring module 320.
  • The remaining portion 426 of the second input signal 422 is next transmitted to the optical encryption module 440 for encryption.
  • The optical encryption module 440 performs the encryption process in the optical domain so that the process occurs at the data transmission rate of the communications link 101.
  • The now encrypted optical signal 428 is transmitted to the second output port 127 and onto optical fibre 128 of the communications link 101.
  • The first optical signal 416 exits the first output port 115 in an unencrypted state.
  • An additional encryption module similar to module 440 may be inserted into the apparatus 400 intermediate monitoring module 420 and output port 115 for re-encryption of the signal before exiting the apparatus 400 onto optical fibre 119.
  • The second optical signal 422 enters the apparatus 400 as an unencrypted optical signal. If the second optical input signal 422 was instead an encrypted optical input signal, a second decryption module (not shown) similar to module 410 may be inserted intermediate input port 125 and monitoring module 430 for initial decryption of optical input signal 422.
  • Incorporating optical encryption/decryption capability into the apparatus significantly enhances the security features that can be readily accessed by the individual users of optical communications links, particularly over a metropolitan area network (MAN).
  • The arrangements described herein each include the capability of inserting suitable encryption/decryption modules into an existing arrangement as desired, and as such may be considered to be 'encryption ready'.
  • QKD Quantum Key Distribution
  • Fig. 8 illustrates an alternate arrangement of an optical intrusion detection apparatus 500.
  • The electronic control modules (corresponding to, for example, the electronic control module 139 of Fig. 4) of optical monitoring modules 520 and 530, which control the wavelength selection and detection components for both the receiving and transmission paths, have been combined into a single electronic control module 550.
  • The electronic control module 550 is connected via cable 146 to analysing module 560 (similar in construction and operation to the analysing modules 150 and 330) which is in communication with NMS 121 via network link 123.
  • The arrangement of Fig. 8 further includes first and second optical test ports 571 and 573 for connection of the optical test instrumentation devices 580 and 590, e.g. OTDRs, for checking the receiving and transmission paths of the optical communications link 113 and 128, respectively.
  • Optical coupling devices such as 2x2 couplers 131 and 575 are used to couple the test light from the test devices 580 and 590 onto respective optical fibres 128 and 113. The same 2x2 couplers 131 and 575 also direct the backscattered test light containing information on the communications link back to the test instrument devices 580 and 590 for analysis.
  • An additional 2x2 coupler 575 is used in the present arrangement although for the transmission path (optical fibre 128), the previously unused port of optical coupler 131 within monitoring module 530 can be used.
  • Other methods of coupling the test devices 580 and 590 to the optical fibres of communications link 101 may also be employed.
  • Alternate arrangements of the apparatus may also incorporate the test instrumentation devices 580 and/or 590 within the apparatus itself, with the control and analysis operations associated with the test devices being performed either by the existing analysing module 560 or by an additional analysis/control module.
  • Optical test ports 571 and 573 allow for ongoing real-time monitoring of the integrity of the optical communications link, and also for identification of the location of a possible intrusion or break in the communications link 101.
  • A baseline trace of the optical fibre of the link 101 is performed using OTDRs 580 and 590.
  • Each OTDR provides an exact profile of the length of the monitored fibre of the link 101, and shows such events as splice points, connections and any points of degradation.
  • The OTDR achieves this by launching laser test light down the monitored optical fibre and receiving both backscattered test light from the fibre itself and reflections from various different events along the fibre's length (for example, where two fibres are connected at a splice point there will be a very small reflection of the light).
  • Any unidentifiable events on the baseline trace are ideally clarified with the telecommunications carrier providing the fibre at the time of commissioning the link 101 or the intrusion detection apparatus.
  • A further baseline trace should be undertaken periodically to track any long-term degeneration of the optical fibre link 101.
  • the intrusion detection apparatus, e.g. apparatus 500
  • The intrusion detection apparatus installed in the communications system 1 is then allowed to run autonomously, until the occurrence of an event which triggers an alarm to be sent to the NMS operator showing that there has been a drop in light level within the communications system 1.
  • A network support engineer then performs a fault trace using test device 580 and/or 590, to determine the physical location of the event which triggered the alarm signal, i.e. on the communications link 101 or within equipment on the customer premises 105. Once this fault trace is obtained, it is compared to the baseline trace. If any extra splice points or connections are apparent on the fault trace that are not on the baseline trace, then the network may be assumed to be subject to an intrusion event and the communications link 101 has been compromised.
  • The present apparatus is also able to provide both telecommunications network providers and their customers the capability to monitor dark fibre communications links for the verification of service agreements between the network provider and customer.
  • The optical intrusion detection apparatus described in connection with the arrangements above is understood to be illustrative and the subject matter herein contained is not to be limited to those specific arrangements. On the contrary, it is intended for the subject matter of the current invention to include all alternatives, modifications and equivalents as can be included within the spirit and full scope of the following claims.
  • The intrusion detection apparatus may be situated between two communication links, instead of between a communication link and a user premises.
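
The comparison of a fault trace against the baseline trace described above can be expressed as the following check. This is an added example, not code from the patent; the event fields, the constructed sample traces, and the 5 m distance and 0.2 dB loss tolerances are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    distance_m: float  # position along the fibre reported by the OTDR
    kind: str          # "splice", "connector" or "end" (end of fibre)
    loss_db: float     # loss measured at the event


# Constructed sample traces (assumed values, not real measurements).
BASELINE = [
    Event(0.0, "connector", 0.30),
    Event(2150.0, "splice", 0.05),
    Event(7420.0, "splice", 0.08),
    Event(12900.0, "end", 0.0),
]
FAULT = [
    Event(0.4, "connector", 0.31),
    Event(2151.2, "splice", 0.05),
    Event(5310.0, "splice", 0.90),  # no counterpart on the baseline
    Event(7419.1, "splice", 0.09),
    Event(12900.8, "end", 0.0),
]


def compare_traces(baseline, fault, tol_m=5.0, loss_delta_db=0.2):
    """Return (label, event) findings for fault-trace events that differ from the baseline."""
    findings = []
    unmatched = list(baseline)
    base_end = max((b.distance_m for b in baseline if b.kind == "end"), default=0.0)
    for ev in fault:
        # Candidate baseline events: same kind, within the distance tolerance.
        near = [b for b in unmatched
                if b.kind == ev.kind and abs(b.distance_m - ev.distance_m) <= tol_m]
        if near:
            match = min(near, key=lambda b: abs(b.distance_m - ev.distance_m))
            unmatched.remove(match)
            if ev.loss_db - match.loss_db > loss_delta_db:
                findings.append(("loss-increase", ev))
        elif ev.kind == "end":
            # Fibre now ends short of the commissioned length: likely a break.
            label = "possible-break" if ev.distance_m < base_end else "end-mismatch"
            findings.append((label, ev))
        else:
            # Extra splice or connection absent from the baseline trace.
            findings.append(("possible-intrusion", ev))
    return findings


if __name__ == "__main__":
    for label, ev in compare_traces(BASELINE, FAULT):
        print(f"{label}: {ev.kind} at {ev.distance_m:.0f} m ({ev.loss_db:.2f} dB)")
```

The distance tolerance absorbs the small position jitter between successive OTDR runs, so only events with no baseline counterpart are reported for follow-up with the carrier.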

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Optical Communication System (AREA)

Abstract

The invention relates to an apparatus for detecting intrusion events on a first optical transmission line, the apparatus comprising a first optical monitoring module (130) for sampling a first optical input signal (112) propagating on the optical transmission line (101) and comprising a plurality of first optical wavelength signals (120), to form a first sampled signal (114) for monitoring the first optical input signal (112), the first optical monitoring module (130) comprising a first wavelength selector module (135) and a first optical detection module (137), the first wavelength selector module (135) being adapted to receive the first sampled signal (114) and to direct one or more of the first optical wavelength signals (120) of the first sampled signal (114) to the first optical detection module (137), thereby monitoring the one or more first optical wavelength signals (112); and an analysing module (150) operatively coupled to the first optical monitoring module (130) for analysing the first sampled signal (114) for characteristics associated with a possible intrusion event on the first optical transmission line (101). When such an intrusion event is identified, the analysing module (150) generates an alarm signal to a network management system (121). The optical apparatus also comprises optical encryption (410) and optical decryption (440) modules for receiving encrypted optical signals on the communications link (101); and optical test input ports (571, 573) for connection to optical test devices (580, 590).
EP08756873.9A 2007-06-01 2008-05-30 Optical communications security device and system Withdrawn EP2168273A4 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2007902970A AU2007902970A0 (en) 2007-06-01 Optical communications security device and system
PCT/AU2008/000783 WO2008144844A1 (fr) 2007-06-01 2008-05-30 Optical communications security device and system

Publications (2)

Publication Number Publication Date
EP2168273A1 true EP2168273A1 (fr) 2010-03-31
EP2168273A4 EP2168273A4 (fr) 2013-12-04

Family

ID=40074475

Family Applications (1)

Application Number Title Priority Date Filing Date
EP08756873.9A Withdrawn EP2168273A4 (fr) 2007-06-01 2008-05-30 Optical communications security device and system

Country Status (4)

Country Link
EP (1) EP2168273A4 (fr)
AU (1) AU2008255572B2 (fr)
NZ (1) NZ581578A (fr)
WO (1) WO2008144844A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9083456B2 (en) 2012-12-04 2015-07-14 Adva Optical Networking Se Method and apparatus for detecting uncharacteristic power level changes of an optical signal
CN110346304B (zh) * 2019-06-26 2020-10-02 华中科技大学 Optical fibre polarization spectrum analysis system based on time-slot multiplexing

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4973169A (en) * 1987-06-24 1990-11-27 Martin Marietta Corporation Method and apparatus for securing information communicated through optical fibers
US20020131106A1 (en) * 2001-03-16 2002-09-19 Peter Snawerdt Secure wave-division multiplexing telecommunications system and method
US6507012B1 (en) * 1998-02-25 2003-01-14 Massachusetts Institute Of Technology Method and apparatus for detecting malfunctions in communication systems

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5680104A (en) * 1996-05-31 1997-10-21 Volution Fiber optic security system
US7184553B2 (en) * 2002-02-07 2007-02-27 Eci Telecom Ltd. Method and system for encryption of optical signals
US8433201B2 (en) * 2003-02-03 2013-04-30 Texas Instruments Incorporated Dynamic gain equalizer-monitor
US7403674B2 (en) * 2003-07-18 2008-07-22 Network Integrity Systems Inc. Intrusion detection system for a multimode optical fiber using a bulk optical wavelength division multiplexer for maintaining modal power distribution
US7706641B2 (en) * 2005-08-03 2010-04-27 Network Integrity Systems, Inc. Monitoring individual fibers of an optical cable for intrusion

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
JEDIDI A ET AL: "Hardware-based monitoring method for all-optical components", ICTON MEDITERRANEAN WINTER CONFERENCE, 2007. ICTON-MW 2007, IEEE, PI, 1 December 2007 (2007-12-01), pages 1-5, XP031212264, ISBN: 978-1-4244-1638-7 *
See also references of WO2008144844A1 *

Also Published As

Publication number Publication date
AU2008255572A1 (en) 2008-12-04
AU2008255572B2 (en) 2012-07-26
WO2008144844A1 (fr) 2008-12-04
EP2168273A4 (fr) 2013-12-04
NZ581578A (en) 2012-07-27

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20091223

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MT NL NO PL PT RO SE SI SK TR

AX Request for extension of the european patent

Extension state: AL BA MK RS

DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20131105

RIC1 Information provided on ipc code assigned before grant

Ipc: H04B 10/85 20130101AFI20131029BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20140603

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: H04B0010120000

Ipc: H04B0010250000

REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: H04B0010120000

Ipc: H04B0010250000

Effective date: 20150107