Necessary and Sufficient Condition for k Crosstalk Attacks Localization in All-Optical Networks

Tao Wu and Arun K. Somani
Dependable Computing & Networking Laboratory
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
E-Mail: {wutao, arun}@iastate.edu

Abstract— An All-Optical Network (AON) is a network in which data does not undergo optical-to-electrical and electrical-to-optical conversion within the network. Transparency and non-regeneration features make attack detection and localization in AONs difficult. Among all attack methods, the crosstalk attack has higher damage capability than the others. In this paper, we make the following contributions. (1) We provide the crosstalk attack model and the monitor model. (2) Based on these models, we prove necessary and sufficient conditions for a network to be k-crosstalk-attack diagnosable. The key idea of our solution is to use the status of connections as diagnostic data. (3) We propose an efficient monitor placement policy, a test connection setup policy, and a routing policy for such a network. These conditions lead to efficient k-attack detection and diagnosis algorithms.

Index Terms—Crosstalk, Attack, Monitor, AON

I. INTRODUCTION

An All-Optical Network (AON) is a network where the user-network interface is optical and the data do not undergo optical-to-electrical conversion within the network. AONs are attractive because they deliver very high data rates and support a broad class of applications. Although the AON is a viable technology for future telecommunication and data networks, its intrinsic security differences from existing electro-optic and electronic networks have received attention only recently. AONs introduce new physical-layer mechanisms that may change the potential models of attack from those known for electronic networks.
This transparency characteristic has many advantages in certain aspects; however, it also creates many security vulnerabilities that do not exist in traditional networks. First and foremost is the loss of an opportunity to detect security problems. A malicious connection can propagate from its primary source to other nodes without losing its attack capability. Transparency and non-regeneration features make attack detection and localization difficult. Generally, there are three main differences between an attack and a failure: 1) attacks may spread to many users and many parts of the network, while a component failure only affects those connections passing through it; 2) attacks attempt to avoid detection, while a failure cannot do that; 3) rerouting traffic connections using a scheme designed to tolerate hardware failure cannot solve the problem caused by an attack connection.

There are several kinds of attacks, including fiber cuts (fiber attack), power jamming (amplifier attack), crosstalk attack (switching node attack), and correlated jamming (tapping attack). Some of these attacks, such as fiber cuts, can be treated as a component failure. Other attacks, like correlated jamming, can only affect those connections that share a link or node with the attack connection. Among all these attack methods, the crosstalk attack has higher damage capability than the others. The attacker injects a malicious connection whose power is very high, far beyond the expected normal value. When this connection passes through a wavelength-selective switch, the leakage energy (crosstalk) from this malicious connection can be significant and affect the normal connections passing through the same switch.

The research reported in this paper is funded in part by a contract from G. W. U, funded by the Defense Advanced Research Projects Agency under grant N66001-00-1-8949 and co-funded by NSA.
A crosstalk attack not only affects those connections sharing a link or node with it, but may also induce attack capability in the connections that are affected [1]. Figure 1 shows the crosstalk attack propagation mechanism. Channel 2 and channel 1 pass through the same switch. Some of the high energy is coupled from channel 1 into channel 2. This allows channel 2 to also acquire attack capability. This propagation characteristic makes attack connection localization more difficult.

Fig. 1. Example of crosstalk attack. Node i (a switch): crosstalk from Channel 1 is superimposed on Channel 2. Node j (a switch): crosstalk from (Channel 2 + Channel 1 crosstalk) is superimposed on Channel 3.

The prior work [1], [2], [3], [4] only considered networks in which all nodes are equipped with monitors. Some methods [5], [6], [7] provide probabilistic approaches to fault diagnosis in networks; these are not suitable for the attack localization problem, as they can only identify a most likely set. Further steps are still needed to analyze the exact location of the source.

GLOBECOM 2003 - 2541 - 0-7803-7974-8/03/$17.00 © 2003 IEEE
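The propagation mechanism of Figure 1 can be made concrete with a small model, added here as an illustration and not taken from the paper. It assumes a constructed leakage ratio, a constructed power threshold above which a signal is considered to have attack capability, and a constructed five-connection topology that mirrors Fig. 1 (channels 1 and 2 meet at switch i, channels 2 and 3 at switch j) and extends the chain by two further hops, so that it shows the general transitive spread rather than only the two-switch case in the figure. The names `Connection`, `propagate_crosstalk`, `shared_switches` and `affected_connections` are this example's own.

```python
from collections import deque, namedtuple

# A connection is a lightpath, given by the ordered switching nodes it crosses.
# (Hypothetical model for illustration; the paper's formal model is not reproduced here.)
Connection = namedtuple("Connection", ["name", "path"])

NORMAL_POWER = 1.0       # constructed: normalised power of a well-behaved signal
ATTACK_THRESHOLD = 5.0   # constructed: above this a signal has "attack capability"
LEAK_RATIO = 0.01        # constructed: fraction of a signal leaking into co-switched channels


def shared_switches(a, b):
    """Switches (nodes) that two connections both pass through."""
    return [n for n in a.path if n in b.path]


def propagate_crosstalk(connections, attacker, injected_power,
                        leak_ratio=LEAK_RATIO, threshold=ATTACK_THRESHOLD):
    """Breadth-first propagation of a crosstalk attack.

    Every connection with power above `threshold` superimposes
    leak_ratio * its power onto each connection it shares a switch with,
    once per shared switch. A victim pushed above the threshold acquires
    attack capability and is processed in turn, so the attack can spread
    beyond the switches the original attacker traverses.
    Returns (power per connection, set of connections with attack capability).
    """
    by_name = {c.name: c for c in connections}
    power = {c.name: NORMAL_POWER for c in connections}
    power[attacker] = injected_power
    attackers = {attacker}
    queue = deque([attacker])
    while queue:
        src = queue.popleft()
        for victim in connections:
            if victim.name == src:
                continue
            hits = len(shared_switches(by_name[src], victim))
            if hits == 0:
                continue
            # crosstalk from src is superimposed on the victim at every shared switch
            power[victim.name] += hits * leak_ratio * power[src]
            if power[victim.name] > threshold and victim.name not in attackers:
                attackers.add(victim.name)
                queue.append(victim.name)
    return power, attackers


def affected_connections(power):
    """Connections carrying any crosstalk at all (degraded, attacking or not)."""
    return sorted(name for name, p in power.items() if p > NORMAL_POWER)


# Constructed topology mirroring Fig. 1 and extending the chain by two hops:
# ch1 and ch2 meet at switch i, ch2 and ch3 at switch j, ch3 and ch4 at switch k.
CONNECTIONS = [
    Connection("ch1", ["h", "i"]),
    Connection("ch2", ["i", "j"]),
    Connection("ch3", ["j", "k"]),
    Connection("ch4", ["k", "l"]),
    Connection("ch5", ["m"]),       # shares no switch with any other connection
]

if __name__ == "__main__":
    power, attackers = propagate_crosstalk(CONNECTIONS, "ch1", injected_power=1000.0)
    for name in sorted(power):
        print(f"{name}: power={power[name]:.2f} attacker={name in attackers}")
    print("affected:", affected_connections(power))
```

With the constructed values, channel 2 receives enough crosstalk at switch i to cross the threshold and becomes a second attacker, channel 3 receives crosstalk from channel 2 at switch j but stays below the threshold, and channel 4 is untouched: the attack's reach is bounded by how quickly the leaked power decays below the threshold, which is why localization must account for connections that were never adjacent to the original attacker. Real crosstalk depends on wavelength and switch characteristics; the single leakage ratio here is a deliberate simplification.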