1 Introduction

Transparent optical networks allow high-speed end-to-end connections in the optical domain, without undergoing optical to electronical to optical (OEO) conversion at intermediate nodes. However, such transparency can lead to increased vulnerabilities to physical-layer attacks caused by high-powered jamming signal and can seriously degrade network performance [1]. Transparency also enhances the difficulties in detecting and localizing attacks, because monitoring must be performed in the optical domain [2,3,4]. In addition, techniques to detect and localize attacks need information from specialized optical monitoring equipment and can be quite expensive. In general, the more reliable performance of the network required, the more resources are needed and thus the cost of the security equipment is higher [5]. Along with the development and wide application of transparent wavelength division multiplexing (WDM) optical networks, security issues and physical-layer attack management have become increasingly important to the network manager [6]. Existing approaches to optical networks security are generally aimed at minimizing the potential damage caused by several major physical-layer attacks including gain competition, inter-channel crosstalk attack and in-band crosstalk attack [7].

A number of different attack-aware RWA algorithms have been proposed in the literature, for static [1, 5, 8, 9] and dynamic [10,11,12] lightpath allocation. Attack-aware RWA approaches typically try to reduce the attack-radius (AR) [11, 13, 14] for a given set of lightpaths, by suitably choosing the route and/or wavelength for each lightpath. The AR of a compromised lightpath p can be loosely defined as the number of lightpaths (including itself) that can be adversely affected by an attacking signal on p. This typically occurs when p shares at least one link or at least one node and a common channel [1, 15] with the other lightpath. The attack-radius of a lightpath p, is a widely used metric to measure the impact of introducing an attack signal on p and we have also used this metric in this paper.

In this paper, we propose 2 novel integer linear program (ILP) formulations to address the attack-aware routing and wavelength assignment (RWA) problem in transparent WDM optical networks for scheduled lightpath demands (SLDs) [13, 15]. First, we present a new ILP that minimizes the AR of a set of SLDs, by taking into account the start and end times of the demands under a fixed- window scheduled traffic model. Next, we show how this ILP can be extended to further reduce the AR, by intelligently selecting the demand start times, for the sliding window model. To the best of our knowledge, our work is the first that addresses attack-aware RWA for scheduled lightpaths. We have conducted extensive simulations to compare the performance of the proposed approaches to traditional attack-unaware RWA. Some preliminary results from these simulations are reported in [13] and [15] for the fixed-window and sliding-window scheduled traffic model, respectively. The major contributions of this paper are:

  • A novel ILP formulation (ILP_fixed) that can handle both in-band and out-of-band attacks for fixed- window scheduled traffic.

  • A second extended ILP (ILP_sliding) that can intelligently schedule demands in time, in addition to performing attack-aware RWA, for sliding-window scheduled traffic.

2 Related work

2.1 Scheduled traffic model

The models of traffic demand typically considered in the literature for the design of WDM network include static and dynamic traffic. For static demands, the set of traffic demands is known beforehand and does not change for relatively long periods. In dynamic traffic, the arrival time and duration of individual requests are not known ahead of time and lightpaths are established as needed, assuming sufficient resources are available. The RWA problem, under both the static and dynamic traffic models, has been widely investigated and a number of ILP formulations as well as heuristics are available to solve this problem [16].

In recent years there has been an increasing number of applications that require periodic use of lightpaths (e.g. once per day, or once per week) at predefined times. For example, an online “class” with one two hour lecture per week on a specified day and at a specified time, or a bank transferring its data to a central location every night between 2 and 4 am. A new model, called the scheduled traffic model (STM), has been proposed in the literature [17] to handle such demands. This model is appropriate for applications that require periodic use of lightpaths and exploits the fact that the setup and teardown times of the demands are known in advance, so that the RWA algorithm can optimize resource allocation in both space and time. An excellent survey of RWA for this model is available in [18].

One class of STM is the fixed-window model [13], where the start and end time for each SLD is fixed and known beforehand. A lightpath p in this model can be represented by a tuple p = (sp, dp, stp, τp), where sp (dp) is the source (destination) node of the demand, stp is the start time and τp is the duration. The second class of STM is the sliding-window model [15], where a demand has a specified duration τp, and can be scheduled any time within a larger window (αp, ωp), such that the demand can only start after αp, and must be completed before ωp. For the sliding window model, a demand is represented by a tuple p = (sp, dp, αp, ωp, τp), since the actual start time for the demand is not known ahead of time.

2.2 Handling attacks in all-optical networks

2.2.1 Attack types in TONs

Attacks on networks can be of forms, such as traffic analysis, eavesdropping, data delay, service denial, Quality of Service (QoS) degradation and spoofing [19]. Because many of these attacks have similar characteristics, they are often grouped into two main categories—(1) service disruption and (2) eavesdropping. All-Optical Networks provide transparency capabilities, allowing routing and switching of traffic without any modification or examination of signals in the network [20]. Transparency offers many advantages in supporting high data rate communications, but also brings new challenges that do not exist in traditional networks. Three main categories of physical layer attacks that have been identified for optical networks are [21]:

  • Signal insertion attacks,

  • Signal splitting attacks, and

  • Physical infrastructure attacks

Handling physical infrastructure attacks, which damage or tamper with network equipment are out of the scope of this paper. Our proposed approach deals with some common types of signal insertion and signal splitting attacks that can be used to compromise legitimate lightpaths established over the network. An overview of physical-layer attacks, which are addressed by the proposed ILP is discussed in this section.

A common type of signal insertion attack is the high power jamming attack, where an optical signal with high power (5–10 dB above normal) is introduced on a legitimate channel. When the attacker introduces a high-powered signal into the optical fiber, it can interfere with the signals on other wavelengths because of the optical fiber non linearities. The inter channel crosstalk between signals on different wavelengths transmitted over the same optical fiber can be exploited to mount out-of-band jamming attacks [1, 22]. The Raman gain effect and cross-phase modulation are some of the causes that create non linearities in optical fibers [22]. A high power signal can also cause gain competition attack [6] in optical amplifiers, as the attack signal acquires more energy at the expense of legitimate signals. Older networks, that are not equipped with variable optical amplifiers (VOAs) to regulate output power of signals, are typically the most susceptible to high power jamming attacks. However, even when the jamming signal is attenuated at the first downstream node in steady-state, short-lived oscillations, called transients, can cause error-bursts and may even propagate through multiple links [21]. Repeated, intermittent injection of high-power signals on a malicious lightpath can cause transients. The harmful effects of such transients may be multiplied, if they cause multiple ‘restorations’, which lead to even more transients as legitimate lightpaths are disrupted and reestablished.

In addition to affecting co-propagating channels on the same link, a high-power signal also introduces intra-channel (or in-band) crosstalk between the signals on the same wavelength inside an optical switch [10]. When a high-powered attacking signal is injected on a wavelength, all the signals using that wavelength and sharing a common switch gets attacked. This can be more harmful than the out-of-band high-power jamming attacks, as the signals are on the same wavelength as that of the attacker signal [23].

Another attack, called low-power QoS attack [21]—a type of signal splitting attack, can also be used to affect lightpaths on multiple links. In this type of attack, the attacker deliberately attenuates a channel, e.g. by attaching a splitter. This not only degrades the performance of the attacked channel, but the attack can propagate if nodes are equipped with fixed attenuation based power equalization. Such equipment is helpful for limiting propagation of high power jamming attacks but a low power attack can still propagate as legitimate signals on the link will be attenuated to ensure a flat power spectrum.

Another attack scenario outlined in [1] involves the attacker requesting a legitimate channel but not transmitting any data on it. In this case, the channel will carry only leakage signals picked up through crosstalk. The weak leakage signal can then be amplified along its path and delivered to the attacker at the destination node.

2.2.2 Attack-aware RWA

The attack-aware routing and wavelength assignment (RWA) is aimed at minimizing the potential damage caused by physical-layer attacks, without the requirement of specific network monitoring components. One of the most widely used metrics for measuring the potential negative impact of a malicious lightpath is the size of its attack group, i.e. the set of lightpaths that may be affected by it [1, 24]. In this paper, we will use the following terminology available in the literature.

  • The lightpath attack group (LAGp) for a lightpath p consists of the set of lightpaths (including p itself) that shares at least one common link with p. The lightpath attack radius (LARp) is a commonly used metric for measuring the impact of an out-of-band attack carried out on a lightpath p and is defined as the number of lightpaths in LAGp i.e., LARp = |LAGp|.

  • The in-band attack group (IAGp) is defined as the set of lightpaths (including p itself) that use the same wavelength and share at least one common node with p. The corresponding value of in-band attack radius (IARp) is defined as the number of lightpaths in IAGp i.e., IARp = |IAGp|.

In [1], an ILP is proposed to handle the out-of-band and gain competition attacks for static traffic. The main objective of this ILP is to minimize the Maximum link-share attack radius (maxLAR), which can be calculated as the maximum number of lightpaths that are link sharing with a single lightpath demand in the network. The secondary objective of this formulation is to reduce the average load on the network.

In [25], the authors propose ILP formulations to handle in-band attack propagation in all optical WDM networks for offline planning problem. Both the direct and indirect in-band crosstalk propagations are examined and are minimized to control the propagation. The main objectives of these two ILPs are minimizing the maximum primary attack radius (PAR) and the maximum secondary attack radius (SAR) values respectively. The ILP-PAR simply checks for the lightpaths that are sharing the same switch and are using the same wavelength and calculates the PAR value. ILP-SAR takes the constraints of ILP-PAR and calculates the secondary attack radius (SAR) value, by checking the spread of in-band crosstalk over the network indirectly, by already attacked signals. The wavelength assignment (WA) problem for in-band attacks are also considered in [5, 26, 27]. The concept of propagating crosstalk attack radius (P-CAR) is proposed in [5] and an attack-aware wavelength assignment that minimizes the worst-case potential propagation of in-band crosstalk jamming attacks is presented. In [26], the authors select a wavelength based on estimated BER to improve BER and blocking probability for dynamic lightpath allocation. In [27], the authors propose both ILP and heuristic formulations and define new objective criteria for wavelength assignment.

In [12], an ILP is proposed to handle the propagation of both in-band and out-of-band jamming attacks for the static lightpath allocation problem. Interactions among the lightpaths, which are sharing a common link are calculated and are added to the objective to cover the inter channel crosstalk susceptibility. In the first phase of programming, a set of K candidate paths is obtained using Dijkstra’s algorithm [4]. The acquired routes for all the source and destination pairs are given as an input to the ILP, with the objective of controlling the spread of both inter and intra channel crosstalk attacks.

A number of papers have also considered attack-aware RWA for survivable optical networks. In [28] the authors propose a two-step ILP for RWA of working and backup lightpaths using dedicated path protection and a heuristic for larger problems. Heuristic approaches that ensure attack groups of primary and backup paths are disjoint and use the minimum number of wavelengths are presented in [24] and [29]. Finally, in [30], the authors formulate and ILP for jamming-aware shared path protection (JA-SPP) in WDM networks.

3 Attack-aware integer linear program (ILP) formulations

In this section, we introduce our proposed approaches for solving the attack-aware RWA of for both fixed-window and sliding-window STM. The objectives of the proposed ILP formulations is to minimize the maximum combined attack radius (maxAR) for the set of lightpaths. We are given a physical network G(N, E), where N is the set of nodes and E is the set of fiber links in the network, and each link has a set of W available channels for establishing lightpaths. We are also given a set P of scheduled lightpath demands, where each \(p \in P\) can be specified as a tuple p = (sp, dp, stp, τp) (p = (sp, dp, αp, ωp, τp)) for fixed-window (sliding-window) STM.

The entire time period is divided into M non-overlapping intervals, numbered 1, 2, …, M. The proposed ILPs are independent of the duration of each interval and the number of such intervals. The duration of each interval can vary from a few seconds to several minutes or even hours, depending on the application, and is set by the user. In the proposed ILPs, the start and end times of a demand (or corresponding window for sliding window model) are specified in terms of the interval in which the demand (or window) starts and/or ends. Similarly, the duration τp of a demand p is specified in terms of the number of time intervals during which the demand is active. We use the notation \(a_{p,m}\) to denote that a demand p is active during interval m, where \(m = 1, 2, \ldots , M\). We note that for the fixed-window model, the values of \(a_{p,m}\) are known ahead of time for all \(p \in P\) and for all possible values of m, since the demand start times and durations are fixed. However, for the sliding-window model, the values of \(a_{p,m}\) must be determined by the ILP.

3.1 Proposed ILP for fixed-window SLDs (ILP_fixed)

Before solving the ILP_fixed, we first calculate the parameter \(t_{p,q}\), which determines if lightpaths p and q are time disjoint. For each pair of lightpaths \(p,q \in P\), \(t_{p,q}\) can be pre-calculated using Eqs. (1)–(2b), shown below, since the values of \(a_{p,m}\) and \(a_{q,m}\) are known in advance.

$$t_{p,q}^{m} = a_{p,m} \cdot a_{q,m} \quad \forall p,q \in P,\;\forall m = 1, 2, \ldots , M$$
(1)
$$t_{p,q} \ge t_{p,q}^{m} \quad \forall p,q \in P,\;\forall m = 1, 2, \ldots , M$$
(2a)
$$t_{p,q} \le \mathop \sum \limits_{m} t_{p,q}^{m} \quad \forall p, q \in P$$
(2b)
$$t_{p,q} \le 1\quad \forall p, q \in P$$
(2c)

Equations (1) and (2) determine if two different lightpaths p and q overlap in time (\(t_{p,q}\) = 1) or are time-disjoint (\(t_{p,q}\) = 0). Eq. (1) sets \(t_{p,q}^{m} = 1\), if lightpaths p and q are both active during interval m. If Eqs. (2a)–(2c) set \(t_{p,q} = 1\) if there is at least one interval (possibly more) during which both lightpaths are active; otherwise, \(t_{p,q} = 0\), indicating that p and q are time disjoint. The \(t_{p,q}\) values are pre-calculated and given as input to the ILP.

The following variables are defined for the ILP.


Variables:

  • \(x_{p,e}\) = 1 if lightpath p uses edge e; 0 otherwise.

  • \(y_{p,i}\) = 1 if lightpath p passes through node i; 0 otherwise.

  • \(\omega_{p,k}\) = 1 if lightpath p is assigned channel k; 0 otherwise.

  • \(\alpha_{p,q} \left( {\beta_{p,q,} } \right)\) = 1 if lightpaths p and q share at least one common edge (node); 0 otherwise. \(0 \le \alpha_{p,q} , \beta_{p,q} \le 1\)

  • \(\alpha _{p,q}^{e} \left( {\beta _{p,q}^{i} } \right)\) = 1 if lightpaths p and q share a common edge e (node i); 0 otherwise.

  • \(\gamma_{p,q}^{k}\) = 1 if lightpaths p and q both use channel k; 0 otherwise.

  • \(\gamma_{p,q}\) = 1 if lightpaths p and q both use the same channel; 0 otherwise. \(0 \le \gamma_{p,q} \le 1\)

  • \(\delta_{p,q}\) = 1 if lightpaths p and q use the same channel and have at least one common node; 0 otherwise.

  • \(LAR_{p,q}^{m} \left( {IAR_{p,q}^{m} } \right)\) = 1 if lightpath \(q \in LAG_{p}\) (\(q \in IAG_{p}\)) during time interval m.

  • LARp,q (IARp,q) = 1 if lightpath \(q \in LAG_{p}\) (\(q \in IAG_{p}\)) during at least one time interval. \(0 \le LAR_{p,q} ,\;IAR_{p,q} \le 1\)

  • LARp,m (IARp,m) = An integer value specifying the lightpath attack radius (in-band attack radius)of p during time interval m.

  • LARp (IARp) = An integer value specifying the lightpath attack radius (in-band attack radius)of p over all time intervals.

  • maxAR = An integer value specifying the maximum combined attack radius for all lightpaths.


Objective function:

$${\text{Minimize}}\quad maxAR$$
(3)

The objective function minimizes the maximum attack radius (maxAR), where maxAR is the upper bound of \(AR_{p} = LAR_{p} + IAR_{p}\), for all lightpaths \(p \in P\). This objective minimizes the maximum Attack Radius (\(AR_{p}\) value) for any lightpath.


Subject to:

Flow conservation constraints:

$$\mathop \sum \limits_{(e:i \to j \in E)} x_{(p,e)} - \mathop \sum \limits_{(e:j \to i \in E)} x_{(p,e)} = \left\{ {\begin{array}{*{20}l} 1 \hfill & {if\;i = s_{p} } \hfill \\ { - 1} \hfill & {if\;i = d_{p} } \hfill \\ 0 \hfill & {otherwise.} \hfill \\ \end{array} } \right.\quad \forall i \in N,\;p \in P$$
(4)
$$\mathop \sum \limits_{(e:i \to j \in E)} x_{(p,e)} \le 1\quad \forall i \in N, \;p \in P$$
(5)

Constraints (4) and (5) ensure flow conservation of lightpaths. Constraint (4) finds a valid path over the physical topology, for each lightpath. Constraint (5) ensures that the path does not contain any loops.

Wavelength continuity constraint:

$$\mathop \sum \limits_{k} \omega_{p,k } = 1 \forall p \in P$$
(6)

Constraint (6) ensures that a lightpath must be assigned the same wavelength on each link it passes without wavelength conversion.

Defining \(\alpha_{p,q}\) (link sharing) constraints:

$${\text{x}}_{p,e} + {\text{x}}_{q,e} - \alpha_{p,q}^{e} \le 1\quad \forall p,q \in P,\;p \ne q, \;\forall e \in E$$
(7)
$${\text{x}}_{p,e} \ge \alpha_{p,q}^{e} \quad \forall p,q \in P, \;p \ne q,\; \forall e \in E$$
(8)
$${\text{x}}_{q,e} \ge \alpha_{p,q}^{e} \quad \forall p,q \in P,\; p \ne q,\; \forall e \in E$$
(9)
$$\upalpha_{p,q} \ge \alpha_{p,q}^{e} \quad \forall p,q \in P,\;p \ne q,\;\forall e \in E$$
(10)
$$\upalpha_{p,q} \le \mathop \sum \limits_{e \in E} \alpha_{p,q}^{e} \quad \forall p,q \in P,\;p \ne q$$
(11)

Constraints (7)–(9) sets the value of \(\alpha_{p,q}^{e} = 1\) if lightpath p and lightpath q are both routed over link e. When both \({\text{x}}_{p,e}\) = 1 and \({\text{x}}_{q,e}\) = 1, constraint (7) forces \(\alpha_{p,q}^{e} = 1\). However, if either both \({\text{x}}_{p,e}\) = 0 or \({\text{x}}_{q,e}\) = 0, then constraint (8) and (9) forces \(\alpha_{p,q}^{e} = 0\). So, these 3 constraints allow \(\alpha_{p,q}^{e}\) to be defined as a continuous variable, even though it is constrained to take on integer values of 0 or 1 only. The use of this technique significantly reduces the number of integer variables in this formulation and hence its computational complexity. Constraints (10) and (11) determine if two lightpaths p and q share at least one (possibly more) common link(s), and if so set \(\alpha_{p,q} = 1\).

Node usage constraints:

$${\text{y}}_{p,i} = \mathop \sum \limits_{e:i \to j \in E} x_{p,e} \quad \forall p \in P,\;\forall i \in N,\;i \ne d_{p }$$
(12)
$${\text{y}}_{{p,d_{p} }} = 1\quad \forall p \in P$$
(13)

Constraint (12) determines if a lightpath p traverses a specific node i in its selected route. If so the value of \(y_{p,i}\) is set to 1. Constraint (13) states that the destination node of a lightpath must be on the selected route.

Defining \(\beta_{p,q}\) (node sharing) constraints:

$${\text{y}}_{p,i} + y_{q,i} - \beta_{p,q}^{i} \le 1\quad \forall p,q \in P,\;p \ne q,\;\forall i \in N$$
(14)
$${\text{y}}_{p,i} \ge \beta_{p,q}^{i} \quad \forall p,q \in P,\;p \ne q,\;\forall i \in N$$
(15)
$${\text{y}}_{q,i} \ge \beta_{p,q}^{i} \quad \forall p,q \in P,\;p \ne q,\;\forall i \in N$$
(16)
$$\beta_{p,q} \ge \beta_{p,q}^{i} \quad \forall p,q \in P,\;p \ne q,\;\forall i \in N$$
(17)
$$\beta_{p,q} \le \mathop \sum \limits_{i} \beta_{p,q}^{i} \quad \forall p,q \in P,\;p \ne q$$
(18)

Constraint (14)–(18) very similar to constraints (7)–(11) and are used to determine if two lightpaths p and q pass through at least one (possibly more) common node(s). If so, it we set \(\beta_{p,q} = 1\)

Defining \(\gamma_{p,q}\) (channel sharing) constraints:

$$\upomega_{p,k} + \omega_{q,k} - \gamma_{p,q}^{k} \le 1\quad \forall p,q \in P,\;p \ne q,\;\forall k \in W$$
(19)
$$\upomega_{p,k} \ge \gamma_{p,q}^{k} \quad \forall p,q \in P,\;p \ne q,\;\forall k \in W$$
(20a)
$$\upomega_{q,k} \ge \gamma_{p,q}^{k} \quad \forall p,q \in P,\;p \ne q,\;\forall k \in W$$
(20b)
$$\upgamma_{p,q} \ge \gamma_{p,q}^{k} \quad \forall p,q \in P,\;p \ne q,\;\forall k \in W$$
(21)
$$\upgamma_{p,q} = \mathop \sum \limits_{k} \gamma_{p,q}^{k} \quad \forall p,q \in P,\;p \ne q$$
(22)

Similarly, constraints (19)–(22) are applied to define channel-sharing and set the value of \(\gamma_{p,q} = 1\), if lightpaths p and q are assigned the same channel (or wavelength) k.

Defining δp,q (node-channel sharing) constraints:

$$\beta_{p,q} + \gamma_{p,q} - \delta_{p,q} \le 1\quad \forall p,q \in P,\;p \ne q$$
(23)
$$\beta_{p,q} \ge \delta_{p,q} \quad \forall p,q \in P,\;p \ne q$$
(24)
$$\upgamma_{p,q} \ge \delta_{p,q} \quad \forall p,q \in P,\;p \ne q$$
(25)

Constraints (23)–(25) define node-channel sharing. If lightpath p and q pass through at least one common node i (i.e. \(\beta_{p,q} = 1\)) and share the same channel k (i.e. \(\gamma_{p,q} = 1\)), then \(\delta_{p,q}\) is set to 1. The value of this variable determines if lightpath p might be in the attack-group of lightpath q.

Wavelength clash constraint:

$$\upalpha_{p,q} + \gamma_{p,q} + t_{p,q} \le 2\quad \forall p,q \in P,\;p \ne q$$
(26)

Constraint (26) ensures that if two or more lightpaths share a common fiber link and are not time-disjoint, they cannot be assigned the same wavelength.

LAR/IAR of lightpath p (attack radius in interval m) constraints:

$$\upalpha_{p,q} + t_{p,q}^{m} - LAR_{p,q}^{m} \le 1\quad \forall p,q \in P,\;\forall m = 1,2, \ldots ,M$$
(27a)
$$\alpha_{p,q} \ge LAR_{p,q}^{m} \quad \forall p,q \in P,\;\forall m = 1,2, \ldots ,M$$
(27b)
$$t_{p,q}^{m} \ge LAR_{p,q}^{m} \quad \forall p,q \in P,\;\forall m = 1,2, \ldots ,M$$
(27c)
$${\text{LAR}}_{p,m} = \mathop \sum \limits_{q \in P, p \ne q} LAR_{p,q}^{m} + a_{p,m} \quad \forall p,q \in P,\;\forall m = 1,2, \ldots ,M$$
(27d)

Constraints (27a)–(27d) are used to calculate lightpath attack radius (LAR) value for lightpath p during interval m. If two lightpaths p and q share a link (\(\alpha_{p,q} = 1\)) and are both active during interval m (\(t_{p,q}^{m} = 1\)) then lightpath q belongs to attack group of p during interval m, and vice versa. The lightpath attack radius of p during interval m, is the number of lightpaths in its attack group plus itself, as given in Eq. (27d).

$$\delta_{p,q} + t_{p,q}^{m} - IAR_{p,q}^{m} \le 1\quad \forall p,q \in P,\;\forall m = 1,2, \ldots ,M$$
(28a)
$$\updelta_{p,q} \ge IAR_{p,q}^{m} \quad \forall p,q \in P,\;\forall m = 1,2, \ldots ,M$$
(28b)
$$t_{p,q}^{m} \ge IAR_{p,q}^{m} \quad \forall p,q \in P,\;\forall m = 1,2, \ldots ,M$$
(28c)
$${\text{IAR}}_{p,m} = \mathop \sum \limits_{q \in P, p \ne q} IAR_{p,q}^{m} + a_{p,m} \quad \forall p \in P,\;\forall m = 1,2, \ldots ,M$$
(28d)

In a similar fashion, (28a)–(28d) are used to calculate in-band attack radius (IAR) value for lightpath p during interval m. We note that the values of LARp,m and IARp,m [as given in Eqs. (27d) and (28d)] are not needed if the objective value being optimized is maxAR (Eq. 3). However, they are used for minimizing one of the alternative objective functions, Total_ARp,m (Eq. 42), and hence included in the ILP.

Ligthpaths p and q belong to same attack group:

$${\text{LAR}}_{p,q} \ge LAR_{p,q}^{m} \quad \forall p \in P,\;\forall m = 1,2, \ldots ,M$$
(29a)
$${\text{LAR}}_{p,q} \le \mathop \sum \limits_{m} LAR_{p,q}^{m} \quad \forall p,q \in P$$
(29b)
$${\text{IAR}}_{p,q} \ge IAR_{p,q}^{m} \quad \forall p \in P,\;\forall m = 1,2, \ldots ,M$$
(30a)
$${\text{IAR}}_{p,q} \le \mathop \sum \limits_{m} IAR_{p,q}^{m} \quad \forall p,q \in P$$
(30b)

Eqn (29a)–(29b) indicate that lightpath q belongs to the lightpath attack group of p, if there is at least one interval m when q is in attack group of p. Similarly, (30a)–(30b) is used to set the in-band attack group of p over all time intervals.

Total LAR and IAR of lightpath p (over all intervals) constraints:

$${\text{LAR}}_{p} = \mathop \sum \limits_{q \in P, p \ne q} LAR_{p,q} + 1$$
(31)
$${\text{IAR}}_{p} = \mathop \sum \limits_{q \in P, p \ne q} IAR_{p,q} + 1$$
(32)

Constraint (31) [constraint (32)] defines the total LAR (IAR) value for lightpath p over all intervals.

Maximum attack radius maxAR of a lightpath:

$${\text{LAR}}_{p} + {\text{IAR}}_{p} - 1 \le maxAR\quad \forall p \in P$$
(33)

Constraint (33) ensures that the attack radius of any lightpath (over all intervals) does not exceed \(maxAR\). This variable is minimized as the objective function.

Hop Bound Constraints:

$$\mathop \sum \limits_{e:i \to j \in E} x_{p,e} \le hmax\quad \forall p \in P$$
(34a)
$$\mathop \sum \limits_{e:i \to j \in E} x_{p,e} - len_{p} \le l\quad \forall p \in P$$
(34b)

In order to avoid excessively long paths, it is important to allow the path lengths to be constrained based on the needs of the network. Constraint (34a) ensures that the maximum number of hops (i.e. path length) of a lightpath does not exceed a pre-specified upper limit \(h_{max}\). Constraint (34b) provides an alternate method of restricting the path length. It states that the number of hops for routing lightpath p cannot exceed the shortest path length for p (i.e. lenp) by more than l hops. Since the topology is known, lenp can be pre-calculated for each source–destination pair. Constraints (34a) or (34b) can be used individually, or both together, to limit the path length.

3.2 Proposed ILP for sliding-window SLDs (ILP_sliding)

In this section, we extend the ILP for the fixed-window model by adding constraints for scheduling each SLD in time. These constraints are based on the formulation in [31] In this case, the exact start times of the demands are not specified, but only the larger window during which each demand must be scheduled and the duration of the demand. For each demand, the ILP determines the optimal starting time of the demand, in order to minimize the overall attack radius. So, in addition to the variables listed in Sect. 3.1, we define the following binary variables:

  • \(st_{p,m}\) = 1 if m is the starting interval for demand p and 0 otherwise.

  • \(a_{p,m}\) = 1 if demand p is active during time interval m and 0 otherwise.

We also add the following constraints to those given for ILP_fixed from Sect. 3.1.

Sliding window scheduling constraints:

$$\mathop \sum \limits_{m \in M} st_{p,m} = 1\quad \forall p \in P,\; m \in M, \;\alpha_{p} \le m \le \omega_{p} - \tau_{p}$$
(35)
$$\mathop \sum \limits_{m} a_{p,m} = \tau_{p} \quad \forall p \in P,\;m \in M,\;\alpha_{p} \le m \le \omega_{p}$$
(36)
$$a_{{\left( {p,m + i} \right)}} \ge st_{p,m} \quad \forall p \in P,\;m \in M,\;\alpha_{p} \le m \le \omega_{p}$$
(37)

Time sharing constraints:

$$a_{p,m} + a_{q,m} - t_{p,q}^{m} \le 1\quad \forall p,q \in P,\;p \ne q,\;\forall m = 1,2, \ldots ,M$$
(38)
$$a_{p,m} \ge t_{p,q}^{m} \quad \forall p,q \in P,\;p \ne q,\;\forall m = 1,2, \ldots ,M$$
(39)
$${\text{a}}_{q,m} \ge t_{p,q}^{m} \quad \forall p,q \in P,\;p \ne q,\;\forall m = 1,2, \ldots ,M$$
(40)

The constraints (35)–(37) are the demand scheduling constraints. The constraint (35) is used to determine the actual start time for the lightpath p and ensure that each demand has only one possible start time. Clearly, in order to be accommodated within the specified time window (from \(\alpha_{p}\), \(\omega_{p}\)), a demand of duration \(\tau_{p}\) must start during the intervals from \(\alpha_{p}\) to \(\omega_{p} - \tau_{p}\). The constraint (36) activates the lightpath for exactly \(\tau_{p}\) number of intervals, and constraint (37) ensures that the lightpath is active for \(\tau_{p}\) consecutive time intervals starting from \(st_{p,m}\).

We note that for the fixed window model, \(a_{p,m}\) and \(a_{q,m}\) are constant values given as input to the ILP. However, for the sliding window these are variables whose values are determined by the ILP. Therefore, we cannot use Eq. (1) directly to calculate \(t_{p,q}^{m}\). So, constraints (38)–(40) are used to calculate the value of \(t_{p,q}^{m}\), in a way that ensures that constraints are still linear.

3.2.1 Alternative objective functions

A number of different objective functions can be used for RWA, for both attack-aware and attack-unaware cases. In the formulations given in Sect. 3.1, we use a traditional objective function, which minimizes the maximum attack radius of a lightpath. Another commonly used objective is to minimize the total attack radius (ARp = LARp + IARp) for all the lightpaths, as given in Eq. (41). Both of these objectives [i.e. Eqs. (3) and (41)] have been proposed in the literature for conventional attack-aware RWA and do not take into consideration the temporal nature of the demands. Since our proposed formulations focus on demands that are active during a specific time window, we also propose a new objective to incorporate their temporal nature. This objective, in Eq. (42), minimizes the total attack radius \(AR_{p,m} = IAR _{p,m} + LAR_{p,m}\) over all lightpaths and all intervals. In other words, we consider not only if a lightpath q belongs to the attack group of p, but also the duration for which both lightpaths are active. The longer the duration, the more it will contribute to the objective value.

Finally, for attack-unaware RWA, one of the most widely-used objectives is to route each lightpath along the shortest path. This objective is implemented in (43) and minimizes the total path length for all lightpaths in terms of the number of hops over the physical topology. This objective does not take into consideration any of the attack aware constraints in the ILP formulation. Clearly, this is not an exhaustive list of possible objectives, many other objectives can be used. We do not advocate for a particular objective function but simply provide several options for the network operator, who can choose the one that best fits their requirements.

  • Minimize the sum of attack radius for all lightpaths p.

    $${\text{Minimize}}\;Total\_AR_{p} = \mathop \sum \limits_{p \in P} (LAR_{p} + IAR_{p} )$$
    (41)

  • Minimize total attack radius for all lightpaths p over all intervals m.

    $$\text{Minimize}\;Total\_AR_{p,m} = \mathop \sum \limits_{\varvec{p}} \mathop \sum \limits_{\varvec{m}} (\varvec{LAR}_{{\varvec{p},\varvec{m} }} + \varvec{IAR}_{{\varvec{p},\varvec{m} }} )$$
    (42)

  • Minimize total path length

    $$\text{Minimize}\;Total\_path\_length = \mathop \sum \limits_{{\varvec{p} \in \varvec{P}}} \mathop \sum \limits_{{\varvec{e}:\varvec{i} \to \varvec{j} \in \varvec{E}}} \varvec{x}_{{\varvec{p},\varvec{e}}}$$
    (43)

We have used this objective for implementing the attack-unaware RWA approaches.

4 Simulation results

In this section, we present our simulation results obtained by the proposed ILP formulations. We evaluate the performance of the proposed approaches for different objective functions, using different network topologies and varying the number of demands. All simulations are carried out using IBM ILOG CPLEX 12.6.2 optimization studio [32]. We consider three well-known network topologies namely, DT10 (10 nodes) [33], NSFNET (14 nodes) [34], and ARPANET (20 nodes) [35]. Each value reported here is calculated as the average of five simulation runs. We evaluate the performance with respect to different objectives discussed in Sect. 3, using the following approaches:

  • The proposed ILP (ILP_sliding) for sliding window scheduled traffic.

  • The proposed ILP (ILP_fixed) for fixed window scheduled traffic.

  • The attack-unaware RWA using the shortest available path (SPATH)

For fixed-window model, we assume that each SLD is always initiated in its earliest possible time interval; while for the sliding-window model, the start and end intervals can slide within a larger window. According to the lightpath classification in [36], the demand sets are divided into three different categories based on the overlapping level. Clearly, the longer the demand holding time (DHT), the more lightpaths tend to overlap in time, leading to increased congestion. Hence, to evaluate the proposed approaches with different levels demand overlap in time, the following three variations of demand sets are used.

  1. 1.

    Low Demand Overlap (LDO): For each SLD \(p \in P\), the value of the demand holding time (\(\tau_{p}\)) is between 1 and 10 time intervals, i.e. \(1 \le \tau_{p} \le 10.\)

  2. 2.

    Medium Demand Overlap (MDO): For each SLD \(p \in P\), the value of the demand holding time (\(\tau_{p}\)) is between 1 and 24 time intervals, i.e. \(1 \le \tau_{p} \le 24.\)

  3. 3.

    High Demand Overlap (HDO): For each SLD \(p \in P\), the value of the demand holding time (\(\tau_{p}\)) is between 10 and 24 time intervals, i.e. \(10 \le \tau_{p} \le 24.\)

The total time period for each simulation run was set 24 h, divided into time intervals of 1 h each, i.e. M = 24. The number of available channels per fiber (W) is set W = 8. The ILPs do not minimize wavelength usage but ensure that number of lightpaths sharing a link does not exceed W. The following parameters were generated randomly from a set of valid values, for each demand \(p \in P\):

  • source (sp) and destination (dp) for the demand,

  • duration τp of the demand and

  • start and end time of the window (αp, ωp) during which the demand can be active

Figures 1 and 2 show the total attack radius over all lightpaths and all intervals [as given in Eq. (42)] for 20 demands, routed over the 10-node DT10 network and 14-node NSFNET respectively, using the three approaches mentioned above. As expected, ILP_sliding outperforms both the ILP_fixed and SPATH approaches, in reducing the AR especially for medium and high demand overlapping. The performance of ILP_sliding and ILP_fixed are similar, with ILP_sliding providing a 3–5% reduction in total attack radius compared to ILP_fixed. Compared to SPATH, ILP_sliding provides a much more significant improvement in attack radius, ranging from 20 to 28% for all levels of demand overlap. This pattern remains consistent for all topologies considered.

Fig. 1
figure 1

Total attack radius over all intervals for 10-node network with 20 demands

Full size image
Fig. 2
figure 2

Total attack radius over all intervals for 14-node network with 20 demands

Full size image

We note that the total value for this objective can seem high, given the number of demands. For example, in Fig. 1, the objective value for all lightpaths is around 900 for the HDO set with shortest path routing or around 45 per lightpath. This is because, for each lightpath the attack radius is summed overall all active intervals. For HDO a demand p is active for 10–24 intervals. So, if we consider τp = 15 and assume 2–4 lightpaths are in its attack group in any given interval, then \(\sum\nolimits_{\varvec{m}} {(\varvec{LAR}_{{\varvec{p},\varvec{m }}} + \varvec{ IAR}_{{\varvec{p},\varvec{m }}} )}\) will be between 30 and 60 for lightpath p.

Figure 3 compares the total attack radius over all lightpaths [Eq. (41)] for the different approaches, obtained by routing 20 demands over DT10 network topology. ILP_sliding again performs better than both ILP_fixed and SPATH approaches, with improvements up to 17% and 40% compared to ILP_fixed and SPATH respectively. Similar patterns are obtained for NSFNET and ARPANET network topologies.

Fig. 3
figure 3

Total attack radius of all demands for 10-node network with 20 demands

Full size image

Figure 4 shows the maximum attack radius[Eq. (3)] obtained by the three different approaches, for 14-node NSFNET network. Unlike the case for total attack radius values, there is a noticeable difference in performance between ILP_sliding and ILP_fixed in terms of the maximum attack radius. ILP_sliding is able to reduce the maxARp value by 34–50% compared to ILP_fixed and 40–67% compared to SPATH.

Fig. 4
figure 4

Maximum attack radius values for 14-node network with 20 demands

Full size image

Figure 5 shows the Total_ARp,m [Eq. (42)] values for different network topologies and 20 demands with LDO demands time overlap. The results demonstrate that ILP_sliding is able to consistently reduce the attack radius compared to both ILP_fixed and SPATH, regardless of the network topology. The results for MDO and HDO follow a similar pattern. Although, for each network, the objective value increases steadily, with the increased level of demand overlap (from LDO to HDO). This indicates that vulnerability to attacks increase with more interactions among lightpaths.

Fig. 5
figure 5

Total attack radius values for different topologies with LDO demand set

Full size image

The reduction in attack radius is achieved at the expense of slightly longer routes for lightpaths. This is because the attack-aware approaches may sometimes choose longer routes along less congested paths, rather than the shortest path. Figure 6 compares the average path length obtained using our proposed attack-aware approaches versus the attack-unaware shortest path approach for the HDO demands overlap and different network topologies. The average path length of ILP_sliding and ILP_fixed approaches may be up to 1–2 hops longer compared with SPATH approach. For example, for the 14-node topology, the average path length using shortest path routing is 2.05 and using the ILP is around 2.55. Even though this translates to a percentage increase on almost 25%, the actual increase is small. Even though our attack-aware approaches may result in slightly longer paths, this is a worthwhile tradeoff to reduce the vulnerability of lightpaths to potential malicious attacks.

Fig. 6
figure 6

Average path length for different approaches and network topologies

Full size image

Finally, we note that due to their computational complexity, simulation results for ILP-based solutions of the attack-aware RWA problem are typically only feasible for smaller networks and/or lower number of demands. Therefore, we limited the number of demands in our simulations to 20 in most cases, since for larger demand sets the ILPs often did converge to an optimal solution. However, we ran some additional simulations for the 10-node network with 40 demands. Figures 7, 8 and 9 show how the Total_ARp,m [Eq. (42)] values increase with the size of the demand set for 10 node topology, for LDO, MDO and HDO cases respectively. We see that the attack radius values increase with the demand set size and the amount of demand overlap.

Fig. 7
figure 7

Total attack radius values for different number of demands with LDO demand set

Full size image
Fig. 8
figure 8

Total attack radius values for different number of demands with MDO demand set

Full size image
Fig. 9
figure 9

Total attack radius values for different number of demands with HDO demand set

Full size image

In this section, we have shown the total attack radius values (LAR + IAR) for different approaches and network configurations. We have observed that the LAR values contribute more towards the total attack radius (AR) compared to the IAR values. Typically, LAR contributes 65–85% of the total AR, while IAR contributes 15–35% of the total AR. This is because for each node i traversed by a lightpath p, there can be at most degi lightpaths in its in-band attack group (IAGp), where degi is degree of node i. For the topologies considered in this paper, the nodal degree varies between 2 and 4, i.e. 2 ≤ degi ≤ 4. For each link i → j traversed by a lightpath p, there can be at most |W| lightpaths in its lightpath attack group (LAGp), where |W| is the number of wavelengths in link i → j. For our simulations, we have used |W| = 8. Therefore, it makes sense that LAR contributes more heavily to the total AR compared to IAR values.

In our simulations, the total attack radius increased consistently for a given network and demand size, with the amount of demand overlap (i.e. attack radius increases as the duration of the demands increase). But there were significant variations in the objective values when the actual demand sets were changed, even for demand sets that had the same number of demands. This means that the attack-radius values depend not only on the number of demands but the actual demands themselves (i.e. start and destination nodes) that were selected. However, despite the variation in the actual attack-radius based objective values for different demand sets, we observed following clear trend: ILP_sliding consistently provides the lowest attack-radius, followed by ILP_fixed and SPATH has the highest attack radius values. This improvement was evident as we varied both the network topologies and demand set sizes.

5 Conclusions and future work

In this study we consider the attack-aware RWA problem for scheduled demands using the fixed and sliding window models. We have presented a new ILP formulation for the fixed window model, with different objectives to minimize the total and the maximum attack radius. We have also shown how this ILP can be extended to handle the sliding window model as well. Our results show that by routing the scheduled demands in a way that reduces sharing of switches and/or fibers among simultaneously active demands, we can reduce the damaging effects of jamming attacks and therefore enhance the network security. We compare and evaluate the performance of the attack-aware fixed window and sliding window scheduling algorithms through extensive simulations. The sliding-window model not only selects an appropriate route and an effective wavelength for the lightpaths, but also assigns a suitable start time for them, within a predefined time range. Our experimental results indicate that, the time flexibility associated with sliding window scheduling gives best objective values compared to fixed window and attack-unaware approaches.

In case of sliding and fixed window scheduled traffic models, the data transmission is continuous, once the lightpath is established between the source and destination nodes. The transmission process doesn’t terminate until the entire data is transmitted to the other end. As a future work, it may be possible to divide the scheduled lightpath demand into two or more individual segments and send them separately within the predefined time range. This traffic model is called segmented or non-continuous sliding window scheduled traffic model [37]. It adds another degree of flexibility that can be exploited by various resource allocation techniques. In this work, we have not considered the issue of fault tolerance. In the future, an attack aware RWA for the scheduled traffic model with dedicated and/or shared path protection can be implemented.