Time synchronization attack detection in a deterministic network
First Claim
1. A method comprising:
- receiving, at a device, data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network;
- comparing, by the device, the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path;
- applying, by the device, one or more hop-level anomaly detectors to the comparisons between the packet arrival times and their scheduled delivery intervals of one or more individual nodes along the path;
- detecting, by the device and using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals;
- determining, by the device, when the time synchronization anomaly is caused by cumulative clock drift among the nodes, based on the one or more hop-level anomaly detectors not detecting a corresponding anomaly; and
- causing, by the device, performance of a mitigation action in the network based on the detected time synchronization anomaly.
Abstract
In one embodiment, a device receives data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network. The device compares the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path. The device detects, using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals. The device causes performance of a mitigation action in the network based on the detected time synchronization anomaly.
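The decision logic of claim 1, as an added example that is not taken from the patent: each hop's arrival time is compared with its scheduled interval, hop-level detectors check the offset each node adds, and a path-level detector checks the end-to-end offset. A z-score against a learned baseline stands in for the machine learning-based detector; the schedule, baseline packets, threshold `k` and all function names are constructed for illustration.

```python
from statistics import mean, stdev

# Constructed sample data (not from the patent): a 4-hop path, times in microseconds.
SCHEDULE = [(0, 100), (200, 300), (400, 500), (600, 700)]  # scheduled interval per hop
BASELINE = [                                               # arrivals of 6 normal packets
    [48, 249, 449, 651], [49, 251, 449, 649], [50, 248, 449, 648],
    [50, 250, 452, 650], [51, 250, 450, 650], [52, 252, 451, 652],
]

def hop_increments(arrivals, schedule):
    """Offset each hop adds: arrival minus interval centre, differenced along the path."""
    offs = [t - (lo + hi) / 2 for t, (lo, hi) in zip(arrivals, schedule)]
    return [b - a for a, b in zip([0.0] + offs, offs)]

def fit(baseline, schedule):
    """Learn (mean, stdev) of each hop's increment and of the end-to-end offset."""
    rows = [hop_increments(p, schedule) for p in baseline]
    hops = [(mean(col), stdev(col)) for col in zip(*rows)]
    totals = [sum(r) for r in rows]
    return {"hops": hops, "path": (mean(totals), stdev(totals))}

def classify(arrivals, schedule, model, k=3.0):
    """Return (verdict, flagged_hop_indexes) for one packet's arrival times."""
    inc = hop_increments(arrivals, schedule)
    # Hop-level detectors: one per node, each looking only at that node's increment.
    flagged = [i for i, (x, (m, s)) in enumerate(zip(inc, model["hops"]))
               if abs(x - m) > k * s]
    # Path-level detector (stand-in for the ML-based one): end-to-end offset.
    pm, ps = model["path"]
    path_anomalous = abs(sum(inc) - pm) > k * ps
    if flagged:
        return "hop_anomaly", flagged
    if path_anomalous:
        # Path is off but no single hop is: attribute to cumulative clock drift.
        return "cumulative_drift", []
    return "normal", []

MODEL = fit(BASELINE, SCHEDULE)

if __name__ == "__main__":
    for name, pkt in [("normal", [51, 249, 450, 651]),
                      ("drift", [53, 256, 459, 662]),
                      ("hop 2 late", [50, 250, 470, 670])]:
        print(name, classify(pkt, SCHEDULE, MODEL))
```

In the drift packet every hop adds 3 µs, which is inside each hop's own tolerance, yet the 12 µs end-to-end offset is far outside the path baseline; that is the case the claim attributes to cumulative clock drift.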
18 Claims
1. A method comprising:
- receiving, at a device, data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network;
- comparing, by the device, the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path;
- applying, by the device, one or more hop-level anomaly detectors to the comparisons between the packet arrival times and their scheduled delivery intervals of one or more individual nodes along the path;
- detecting, by the device and using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals;
- determining, by the device, when the time synchronization anomaly is caused by cumulative clock drift among the nodes, based on the one or more hop-level anomaly detectors not detecting a corresponding anomaly; and
- causing, by the device, performance of a mitigation action in the network based on the detected time synchronization anomaly.
9. An apparatus, comprising:
- one or more network interfaces to communicate with a network;
- a processor coupled to the network interfaces and adapted to execute one or more processes; and
- a memory configured to store a process executable by the processor, the process when executed configured to:
  - receive data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network;
  - compare the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path;
  - apply one or more hop-level anomaly detectors to the comparisons between the packet arrival times and their scheduled delivery intervals of one or more individual nodes along the path;
  - detect, using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals;
  - determine when the time synchronization anomaly is caused by cumulative clock drift among the nodes, based on the one or more hop-level anomaly detectors not detecting a corresponding anomaly; and
  - cause performance of a mitigation action in the network based on the detected time synchronization anomaly.
17. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device to execute a process comprising:
- receiving, at the device, data indicative of packet arrival times at a plurality of nodes along a path in a deterministic network;
- comparing, by the device, the packet arrival times to their corresponding scheduled delivery intervals in a deterministic communication schedule used by the nodes along the path;
- applying one or more hop-level anomaly detectors to the comparisons between the packet arrival times and their scheduled delivery intervals of one or more individual nodes along the path;
- detecting, by the device and using a machine learning-based anomaly detector, a time synchronization anomaly based on the comparisons between the packet arrival times and their scheduled delivery intervals;
- determining, by the device, when the time synchronization anomaly is caused by cumulative clock drift among the nodes, based on the one or more hop-level anomaly detectors not detecting a corresponding anomaly; and
- causing, by the device, performance of a mitigation action in the network based on the detected time synchronization anomaly.
Specification