Skip to main content

Secure Network & Communication Infrastructure

Researcher: Ozan Tonguz

Research Area: Next Generation Secure and Available Networks

Abstract

Secure Network and Communication Infrastructure for Next Generation Internet

Next Generation Internet (NGI) will heavily rely, in terms of its infrastructure, on fiber optics technology and optical networks. While current optical networks are not all-optical and involve a fair amount of optoelectronic conversion at routers, switches, cross-connects, etc., the increasing demand for higher data rates on Internet (e.g., due to the convergence of telephony with computer networking in the form of Voice-over-IP) is making the electronic bottleneck at routers and switches less tolerable, thus fueling the drive toward transparent all-optical networks.

Our goal is to provide such communication infrastructures with security assurance in terms of service availability. As we have seen from the past experience, a particular solution to a particular attack is unfortunately not sufficient to provide networks with security assurance against the virtually infinite number of possible attack methods. Moreover, the insider attacks may easily circumvent all the countermeasures designed for outsider attacks. Thus we propose a new approach to protect the all-optical NGI network infrastructure, which is to embed sufficient intelligence and learning capability to the network, such that it can heal damages by itself and protect itself from unforeseen attacks.

Such a self-organizing network concept will require sufficient information about the network state from the PHY layer (optical layer), control layer, and upper layers to identify attacks and faults, to locate the source of attacks, and to decide effective countermeasures in a timely manner. While most previous protection strategies with postmortem detection and reaction schemes in optical networks only collect information about the damage caused by an attack, our strategy is to collect information on the network states which comprise an attack and provide the self-organizing network control with such information, which will find a way to resolve the problem and refine its knowledge from the experiences with events, countermeasures, and outcomes.

In addition, considering the high data rate on optical channels, the severity of service disruption, even for a short period, and the difficulty of attack detection due to the transparency of optical networks, it is clear that more efforts and creative techniques are needed to avoid attacks. Even though this does not guarantee the perfect avoidance of an attack, it provides more opportunity for a self-organizing network to operate properly.

The effectiveness of the proposed self-organized network concept will be evaluated not only in terms of protection capability but also in terms of resource consumption and network performance (delay, utilization, blocking probability), and the solution will be based on a combination of such performance metrics.

In many cases of network management or operation, the trustworthiness of the information source is crucial to assure the correctness of the activity. For example, when any intermediate node is compromised and reports incorrect integrity measurement results, the avoidance scheme, discussed previously, is simply not feasible. Therefore, we will investigate how physical (PHY) layer entities in a transparent optical network can establish trust amongst themselves. In addition, we will explore trust models as the basis for determining the misconfiguration of optical components, maliciousness/anomaly of traffic, software integrity of components, and proper functioning of the control plane. The trust models will evolve as the intelligence of the self-organizing networks does.

Technical Report: SCION: Scalability, Control, and Isolation On Next-Generation Networks (Revised March 11, 2011)