Conference Paper

Machine Learning for Optical Network Security Management

Marija Furdek, Carlos Natalino
Electrical Engineering Department, Chalmers University of Technology, SE-41296 Gothenburg, Sweden
furdek@chalmers.se
Abstract: We discuss the role of supervised, unsupervised and semi-supervised learning
techniques in identification of optical network security breaches. The applicability, performance
and challenges related to practical deployment of these techniques are examined.
© 2020 The Author(s)
1. Introduction
The development of optical communication networks into trustworthy and reliable ecosystems that satisfy the tight
performance requirements of 5G and beyond services entails high target levels of resilience to a variety of failures.
Apart from resilience to inadvertent failures caused by e.g. equipment aging or misconfiguration, optical networks
must also be able to sustain deliberate man-made attacks aimed at violating confidentiality, integrity or availability
of communication. Attack methods targeting the optical layer vary widely in their sophistication, scope,
persistence, difficulty of detection, etc. Fiber cut attacks, for example, are relatively straightforward to perform;
their effect can be boosted by targeting more critical links (e.g., links with the highest betweenness), they affect
all carried services, and they last until repaired. Fiber tapping for traffic analysis and eavesdropping purposes, e.g.
via microbending, requires more effort from an attacker but can also be more difficult to detect if the incurred
losses are low and/or occur sporadically. Harmful signals can also be inserted into a breached fiber to jam the
co-propagating signals at the same wavelength (in-band jamming) or at a different wavelength (out-of-band jamming). Moreover,
service quality can be degraded without necessarily breaching the fiber. If fiber is squeezed at a sufficiently high
frequency, the incurred changes in the state of polarization will be too fast for the coherent receiver to compensate
for, which will result in erroneous detection. Efforts in improving optical network security are typically categorized
according to their objectives into security assurance, diagnostics, and remediation. Each of these categories entails
a set of challenges, summarized in Fig. 1.
Fig. 1. Three pillars of optical network security management.
Security assurance. Guaranteeing a certain level of robustness to deliberate attacks requires detailed risk analysis,
identification of attack vectors, and evaluation of the size of the network exposed to attacks, possibly combined
with the definition of new risk measures. Based on such evaluation, security-enhancing network design should
then apply known good practices and/or develop novel methods to decrease network vulnerability to known attack
methods and reduce attack surface. This step needs to be periodically revisited to account for the emergence of
novel security threats or the elimination of existing ones by new technological solutions.
Attack cognition. Detection of security breaches in optical networks requires deep knowledge about potential
attack entry points and the effects (so-called signatures) of a variety of attack techniques on the optical signal parameters.
Continuous collection of Optical Performance Monitoring (OPM) data and its real-time analysis is paramount
for quick and accurate diagnostics of security breaches. In optical networks, collection of OPM data is a challenge
due to the sparse deployment of costly OPM devices and a lack of a standardized set of OPM parameters to
be provided by such equipment. Modern, commercially available coherent optical receivers offset this issue by
collecting a rich OPM dataset and exposing it to the network management plane via standardized interfaces. As
different attack techniques cause intricate changes in the relations of different signal parameters, and exact models
of physical-layer impairments under attacks do not exist, detecting and identifying security breaches can greatly
benefit from the application of Machine Learning (ML) techniques.
Incident response. Once a breach has been detected and localized, affected services need to be recovered as
quickly and efficiently as possible, and the attack source needs to be neutralized. The complexity of service
recovery steps can vary for different attack techniques, and it can encompass, e.g., adaptation of the applied
encryption mechanisms to protect from eavesdropping, adaptation of the modulation format to counterbalance
service degradation, changing of the spectrum and/or routing of the connections, etc.
Although described separately, the three facets of optical network security management are intertwined and
require joint considerations as well as feedback loops among all steps to boost their efficiency. In this paper, we
focus on the latest advances and integration of ML for attack detection.
2. Supervised, Unsupervised and Semisupervised Learning for Security Diagnostics
Machine learning is regarded as an attractive tool for solving many problems in optical communications that require
insight into complex phenomena when explicit models or complete information are unavailable. Diagnostics
of optical layer security entail (i) detecting that a breach has occurred, (ii) identifying the properties of the breach
(e.g. its type and intensity) and (iii) determining the location of the breach. This needs to be done under the
evolving threat environment, where a new, previously unseen type of attack can occur at any time.
Based on the dataset requirements and training procedures, ML approaches can be divided into supervised,
unsupervised and semisupervised learning (SL, UL, SSL, respectively) [1]. Supervised learning, with Artificial
Neural Networks (ANNs) as a representative SL model, relies on extensive training over a representative dataset
labeled by experts. Details of the attack scenarios analyzed by an ANN can be as finely granular as the data gathering
process allows. Once the characteristics of the considered dataset are learned through training, an ANN can detect
the presence of an attack and determine its type and intensity [2]. This comes at the expense of high training
complexity and the necessity of re-training whenever the status of the connections in the network changes. As SL
techniques can only distinguish among the known attack types, new attack type discoveries also require re-training.
The underlying principle of unsupervised learning, e.g., Density-Based Spatial Clustering of Applications with
Noise (DBSCAN) as a representative UL model, is to cluster the OPM data such that the data from the attack
conditions appear as outliers from the data characterizing normal operating conditions. UL can only detect the
presence of a security breach and cannot provide as finely-granular information on the attack profile as SL. UL
typically does not require training, but unlike SL, the complexity of inference is high, and it also requires a certain
number of prior samples to form a baseline to which anomalies are compared. However, a major advantage of
UL over SL is that it is able to react to samples matching a new, previously unseen and untrained-for
attack method. UL models do not require re-training upon introduction of new attack types, or when the network
connection status changes.
Semi-supervised learning, e.g., the One-Class Support Vector Machine (OCSVM) model, lies between SL and
UL as it applies training on an amount of labeled data, in an effort to adjust the model parameters and achieve
tight enclosure of normal samples within a spatial region. The model can then be applied on large amounts of
unlabeled data, detecting samples that fall outside the learned region as outliers. This approach is very attractive
for applications where the number of anomalies (i.e., attacks) is not bounded or it is impractical to represent all
of them in the training dataset. Consequently, SSL cannot provide fine-granular identification of attacks, but its
advantages are that, unlike SL, it does not require a complete labeled dataset, while, unlike UL, it
does not require prior samples at every inference either, and has lower inference complexity. SSL models do not
need re-training when a new attack type is discovered, but re-training is necessary when a new connection is established.
The above properties have important implications on the practical deployment of SL, UL and SSL modules, not
only in terms of their performance, but also for the design and implementation choices. For example, SL and SSL
support stateless operation, which means that these ML modules can run on the data provided by the Network
Management System (NMS) for a snapshot of the network state. On the other hand, UL requires the prior network
states to be delivered from the NMS as well in order to support stateless operation, which increases the memory
and communication overhead with the network control, but allows the ML modules to be simpler, and more easily
migrated and scaled. An alternative is to deploy the security diagnostic approaches as stateful services, where
each module maintains the necessary long-term information for its execution. This reduces the communication
overhead with the NMS, but makes the modules more resource-demanding and less adaptable.
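The UL behaviour described above, together with the stateless and stateful deployment options, shown as an added example that is not code from the paper or its authors: a plain DBSCAN flags a new OPM sample as an outlier against a baseline of prior samples, first with the baseline passed in on every call and then with the detector keeping its own window. The function and class names, the two OPM features, all sample values and the `eps`/`min_pts` settings are assumptions made for illustration.

```python
import math
import statistics
from collections import deque

NOISE = -1  # DBSCAN label for samples that belong to no dense cluster

def dbscan(points, eps, min_pts):
    """Plain DBSCAN: returns one cluster id per point, NOISE for outliers."""
    labels = [None] * len(points)

    def neighbours(i):
        return [j for j, q in enumerate(points) if math.dist(points[i], q) <= eps]

    cluster = -1
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        seeds = neighbours(i)
        if len(seeds) < min_pts:
            labels[i] = NOISE          # may later be claimed as a border point
            continue
        cluster += 1
        labels[i] = cluster
        queue = deque(seeds)
        while queue:
            j = queue.popleft()
            if labels[j] == NOISE:
                labels[j] = cluster    # border point of this cluster
            if labels[j] is not None:
                continue
            labels[j] = cluster
            reach = neighbours(j)
            if len(reach) >= min_pts:  # only core points extend the cluster
                queue.extend(reach)
    return labels

def is_anomalous(baseline, sample, eps=1.0, min_pts=4):
    """Stateless UL check: the caller supplies the prior samples on every call."""
    cols = list(zip(*baseline))
    mu = [statistics.fmean(c) for c in cols]
    sd = [statistics.pstdev(c) or 1.0 for c in cols]   # scale each OPM feature

    def scale(p):
        return tuple((v - m) / s for v, m, s in zip(p, mu, sd))

    pts = [scale(p) for p in baseline] + [scale(sample)]
    return dbscan(pts, eps, min_pts)[-1] == NOISE

class StatefulDetector:
    """Stateful variant: keeps its own baseline window between calls."""

    def __init__(self, warmup, window=30):
        self.window = deque(warmup, maxlen=window)

    def observe(self, sample):
        attack = is_anomalous(list(self.window), sample)
        if not attack:                 # flagged samples never enter the baseline
            self.window.append(sample)
        return attack

# Constructed samples: (OSNR in dB, log10 of pre-FEC BER) for one lightpath.
BASELINE = [(20.0 + 0.1 * ((7 * i) % 11 - 5), -4.0 + 0.02 * ((2 * i) % 9 - 4))
            for i in range(30)]
NORMAL = (20.05, -4.01)
DEGRADED_OSNR = (17.5, -3.2)   # constructed: OSNR drop with BER increase
BER_ONLY = (20.0, -3.0)        # constructed: BER increase at unchanged OSNR

if __name__ == "__main__":
    for name, s in [("normal", NORMAL), ("degraded_osnr", DEGRADED_OSNR),
                    ("ber_only", BER_ONLY)]:
        print(name, is_anomalous(BASELINE, s))
```

Neither anomalous sample was labelled or trained for, yet both fall outside the dense cluster. The cost is that every inference reclusters the whole baseline, which is the inference complexity and prior-sample requirement the text attributes to UL.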
[Figure 2. (a) Diagram with the labels: Machine Learning Applications, Multi-Domain Orchestrator, Metro Optical
Controller I, Metro Optical Controller II, Core Optical Controller, Metro Optical Network, Core Optical Network.
(b) Plot of Model A and Model B; axes: false positive rate and false negative rate.
(c) Confusion matrix, true status (rows) against predicted status (columns):]

True \ Predicted   Normal   Attack1   Attack2
Normal             0.91     0.05      0.04
Attack1            0.01     0.85      0.14
Attack2            0.0      0.03      0.97
Fig. 2. (a) ML-assisted security management in multi-domain optical networks. (b) Performance
trade-off among different ML models. (c) Confusion matrix for SL models.
3. Challenges of Applying ML to Carrier-Grade Optical Network Security
The benefits of ML models in optical network use cases have been studied and demonstrated for several years.
Still, the deployment of these models in production carrier-grade environments is in its infancy. This reflects
several challenges faced by operators in making ML execution reliable and tightly integrated with the workflows and
tools already in place.
First, ML models should be accessible to a variety of network elements, ranging from optical nodes (enabling
paradigms known as federated or hierarchical learning [3]) to multi-domain orchestrators (enabling multi-domain
security management). Fig. 2(a) illustrates ML applications with multi-protocol adaptive interfaces, capable of
exposing their services to the different network elements involved in the security management process. In the
context of Software-Defined Networking (SDN), applications are external modules that implement functionalities
by consuming or manipulating information from the SDN controller.
Second, the accuracy of single-model single-sample ML might not meet the expectations for carrier-grade deployments.
Fig. 2(b) illustrates a typical trade-off (for UL and SSL models) that is important to consider when deciding
which model to use. While Model A offers lower false negative rates, Model B offers lower false positive rates. The
decision of which model is more acceptable depends greatly on the use case. Fig. 2(c) shows a confusion matrix
(applicable for SL models), where perfect accuracy is usually not observed, in addition to possible inaccuracies
that may arise when new data is introduced. In this case, advanced strategies can be used to reduce or even
eliminate inaccuracies. For instance, a sliding-window-based approach can improve accuracy by smoothing out
inaccuracies scattered over an observation window with several correctly identified samples. Another alternative
is to use ensemble models, which combine multiple ML models to obtain better performance. Finally, symbolic
models can be used to combine specialist knowledge with the results from ML models, benefiting from the powerful
ML models while leveraging long-term learned experiences from experts.
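The sliding-window strategy mentioned above, as an added example that is not code from the paper: a trailing majority vote over per-sample verdicts, with false positive and false negative rates computed before and after smoothing. The class names follow Fig. 2(c); the function names, the window length of 5 and the verdict stream are assumptions constructed for illustration.

```python
from collections import Counter

NORMAL, ATTACK1, ATTACK2 = "Normal", "Attack1", "Attack2"

def smooth(verdicts, window=5):
    """Replace each verdict by the majority over the trailing `window` verdicts.

    Only past samples are used, as in live monitoring. Ties resolve to the
    class seen earliest in the window (Counter keeps insertion order).
    """
    out = []
    for t in range(len(verdicts)):
        recent = verdicts[max(0, t - window + 1): t + 1]
        out.append(Counter(recent).most_common(1)[0][0])
    return out

def error_rates(truth, verdicts):
    """Return (false positive rate, false negative rate), attack = positive."""
    fp = sum(t == NORMAL and v != NORMAL for t, v in zip(truth, verdicts))
    fn = sum(t != NORMAL and v == NORMAL for t, v in zip(truth, verdicts))
    negatives = sum(t == NORMAL for t in truth)
    return fp / negatives, fn / (len(truth) - negatives)

def misidentified(truth, verdicts):
    """Count attack samples reported as an attack of the wrong type."""
    return sum(NORMAL not in (t, v) and t != v for t, v in zip(truth, verdicts))

def onset_delay(truth, verdicts):
    """Samples from the first true attack sample to the first attack verdict."""
    start = next(i for i, t in enumerate(truth) if t != NORMAL)
    hit = next(i for i in range(start, len(verdicts)) if verdicts[i] != NORMAL)
    return hit - start

# Constructed stream: 40 normal samples, 30 under Attack1, 30 normal again.
TRUTH = [NORMAL] * 40 + [ATTACK1] * 30 + [NORMAL] * 30
# Constructed per-sample classifier output: the truth plus scattered errors.
ERRORS = {5: ATTACK2, 12: ATTACK1, 27: ATTACK1, 78: ATTACK1, 90: ATTACK2,  # false alarms
          45: NORMAL, 52: NORMAL, 60: NORMAL,                              # misses
          66: ATTACK2}                                                     # wrong attack type
RAW = [ERRORS.get(i, t) for i, t in enumerate(TRUTH)]
SMOOTHED = smooth(RAW)

if __name__ == "__main__":
    for name, v in [("raw", RAW), ("smoothed", SMOOTHED)]:
        fpr, fnr = error_rates(TRUTH, v)
        print(f"{name}: FPR={fpr:.3f} FNR={fnr:.3f} "
              f"wrong type={misidentified(TRUTH, v)} onset delay={onset_delay(TRUTH, v)}")
```

All scattered errors disappear after smoothing; the errors that remain sit at the two transitions, where the vote lags the true state by two samples. That lag counts against the monitoring cycle interval discussed in the next paragraph.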
A third requirement is related to the execution performance of the ML models. Carrier-grade deployments adopt
an interval-defined monitoring cycle. Within this cycle, OPM data must be gathered from devices and sent to ML
applications, while the ML assessment should be consolidated in the SDN controller. With the evolution of optical
networks and the services they support, this cycle interval is expected to tighten in the near future. Therefore,
low-complexity (training and/or inference) models used in conjunction with purpose-specific ML accelerators,
containerization and load balancing are key to the implementation of encompassing security management without
impacting control procedures in place.
Finally, current operator deployments have a mix of current-generation and legacy devices that must be supported
by the ML models. This means that the OPM data will not always be readily available from the coherent
transceivers usually considered [4]. A potential solution is to exploit computer vision models to perform security
management tasks. In this case, graphical representations of the channel state, e.g., constellation or eye diagrams,
can replace OPM data and provide a unified characterization of optical channel state. However, computer vision
models are usually more complex, challenging the aforementioned monitoring cycle intervals.
4. Conclusions
This paper summarizes the main aspects of optical network security management, discusses the role of different
ML techniques in diagnosing security breaches, examines their advantages and trade-offs, and elaborates on the
challenges of adopting these techniques in real-world carrier-grade deployments.
References
1. F. Musumeci et al., J. Light. Technol. 37, 4125–4139 (2019). DOI: 10.1109/JLT.2019.2922586.
2. C. Natalino et al., J. Light. Technol. 37, 4173–4182 (2019). DOI: 10.1109/JLT.2019.2923558.
3. G. Liu et al., J. Light. Technol. 37, 218–225 (2019). DOI: 10.1109/JLT.2018.2883898.
4. M. Furdek et al., in Proc. of ECOC, (2019), p. We2.58.