Time synchronization attack detection in a deterministic network

US 10,673,883 B2
Filed: 05/14/2018
Issued: 06/02/2020
Est. Priority Date: 05/14/2018
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a device, data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network;

comparing, by the device, the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path;

applying, by the device, one or more hop-level anomaly detectors to the comparisons between the packet arrival times and their scheduled delivery intervals of one or more individual nodes along the path;

detecting, by the device and using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals;

determining, by the device, when the time synchronization anomaly is caused by cumulative clock drift among the nodes, based on the one or more hop-level anomaly detectors not detecting a corresponding anomaly; and

causing, by the device, performance of a mitigation action in the network based on the detected time synchronization anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a device receives data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network. The device compares the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path. The device detects, using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals. The device causes performance of a mitigation action in the network based on the detected time synchronization anomaly.

19 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving, at a device, data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network;
  
  comparing, by the device, the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path;
  
  applying, by the device, one or more hop-level anomaly detectors to the comparisons between the packet arrival times and their scheduled delivery intervals of one or more individual nodes along the path;
  
  detecting, by the device and using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals;
  
  determining, by the device, when the time synchronization anomaly is caused by cumulative clock drift among the nodes, based on the one or more hop-level anomaly detectors not detecting a corresponding anomaly; and
  
  causing, by the device, performance of a mitigation action in the network based on the detected time synchronization anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as in claim 1, wherein the mitigation action comprises one of:
    - blocking traffic from one or more of the nodes along the path, sending an anomaly detection alert, or clock re-synchronization of the nodes.
  - 3. The method as in claim 1, wherein the data indicative of the packet arrival times at the plurality of nodes along the path in the deterministic network is obtained by sending one or more Operations, Administration, and Maintenance (OAM) packets along the path, wherein the nodes along the path timestamp the one or more OAM packets with their arrival times.
  - 4. The method as in claim 1, wherein the anomaly detector is a path-level anomaly detector that comprises a model for the path.
  - 5. The method as in claim 4, further comprising:
    - determining, by the device, that the time synchronization anomaly is caused by a time synchronization attack launched by a particular one of the nodes along the path, based on the hop-level anomaly detector for the particular node detecting a time synchronization anomaly that corresponds to the time synchronization anomaly detected by the path-level anomaly detector.
  - 6. The method as in claim 4, further comprising:
    - clustering, by the device, the received data for two or more of the nodes along the path, based on the two or more nodes being of the same node type; and
      
      training, by the device, a hop-level anomaly detector using the clustered data; and
      
      using, by the device, the trained hop-level anomaly detector to detect hop-level time synchronization anomalies at the two or more nodes.
  - 7. The method as in claim 1, wherein the nodes along the path comprise Ethernet switches.
  - 8. The method as in claim 1, further comprising:
    - training, by the device, the machine learning-based anomaly detector using one or more of;
      
      a clock distribution topology for the nodes, configuration information regarding the nodes, or the deterministic communication schedule.

9. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed configured to;
  
  receive data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network;
  
  compare the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path;
  
  apply one or more hop-level anomaly detectors to the comparisons between the packet arrival times and their scheduled delivery intervals of one or more individual nodes along the path;
  
  detect, using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals;
  
  determine when the time synchronization anomaly is caused by cumulative clock drift among the nodes, based on the one or more hop-level anomaly detectors not detecting a corresponding anomaly; and
  
  cause performance of a mitigation action in the network based on the detected time synchronization anomaly.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus as in claim 9, wherein the mitigation action comprises one of:
    - blocking traffic from one or more of the nodes along the path, sending an anomaly detection alert, or clock re-synchronization of the nodes.
  - 11. The apparatus as in claim 9, wherein the data indicative of the packet arrival times at the plurality of nodes along the path in the deterministic network is obtained by sending one or more Operations, Administration, and Maintenance (OAM) packets along the path, wherein the nodes along the path timestamp the one or more OAM packets with their arrival times.
  - 12. The apparatus as in claim 9, wherein the anomaly detector is a path-level anomaly detector that comprises a model for the path.
  - 13. The apparatus as in claim 12, wherein the process when executed is further configured to:
    - determine the time synchronization anomaly is caused by a time synchronization attack launched by a particular one of the nodes along the path, based on the hop-level anomaly detector for the particular node detecting a time synchronization anomaly that corresponds to the time synchronization anomaly detected by the path-level anomaly detector.
  - 14. The apparatus as in claim 12, wherein the process when executed is further configured to:
    - cluster the received data for two or more of the nodes along the path, based on the two or more nodes being of the same node type; and
      
      train a hop-level anomaly detector using the clustered data; and
      
      use the trained hop-level anomaly detector to detect hop-level time synchronization anomalies at the two or more nodes.
  - 15. The apparatus as in claim 9, wherein the nodes along the path comprise Ethernet switches.
  - 16. The apparatus as in claim 9, wherein the process when executed is further configured to:
    - train the machine learning-based anomaly detector using one or more of;
      
      a clock distribution topology for the nodes, configuration information regarding the nodes, or the deterministic communication schedule.

17. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device to execute a process comprising:
- receiving, at the device, data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network;
  
  comparing, by the device, the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path;
  
  apply one or more hop-level anomaly detectors to the comparisons between the packet arrival times and their scheduled delivery intervals of one or more individual nodes along the path;
  
  detecting, by the device and using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals;
  
  determining, by the device, when the time synchronization anomaly is caused by cumulative clock drift among the nodes, based on the one or more hop-level anomaly detectors not detecting a corresponding anomaly; and
  
  causing, by the device, performance of a mitigation action in the network based on the detected time synchronization anomaly.
- View Dependent Claims (18)
- - 18. The computer-readable medium as in claim 17, wherein the mitigation action comprises one of:
    - blocking traffic from one or more of the nodes along the path, sending an anomaly detection alert, or clock re-synchronization of the nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wetterwald, Patrick, Thubert, Pascal, Levy-Abegnoli, Eric, Vasseur, Jean-Philippe
Primary Examiner(s)
Phan, Tri H

Application Number

US15/978,252
Publication Number

US 20190349392A1
Time in Patent Office

750 Days
Field of Search
US Class Current
CPC Class Codes

H04J 3/0658   Clock or time synchronisati...

H04J 3/0667   Bidirectional timestamps, e...

H04L 41/0803   Configuration setting

H04L 41/16   using machine learning or a...

H04L 43/0852   Delays

H04L 43/10   Active monitoring, e.g. hea...

H04L 45/50   using label swapping, e.g. ...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 69/28   Timers or timing mechanisms...

Time synchronization attack detection in a deterministic network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Time synchronization attack detection in a deterministic network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others