Page 68 - Cyber Defense eMagazine - November 2017

Ignored by most monitoring applications, each signaling protocol layer on the optical network carries information identifying the carrier responsible for transport, together with detailed geographical information that can identify the physical source or destination of the monitored traffic flow. As cyber intelligence agents try to gain an advantage in finding the criminals who perpetrate network attacks, they will find that complementing traditional IP flow information with an extra layer of optical network analytics opens new opportunities to enhance threat detection. Here are a few examples of information that can be extracted directly from the optical transport network:

•    Telecom carrier ID: AT&T, Vodafone, Verizon, Oi, or other;

•    Network fiber ID: for example, "Verizon_seattle_lax_345";

•    Optical wavelength: for example, ITU channel 16 or other;

•    Signal type: STM-64, 100GbE, OTU4, other;

•    Geolocation and path ID: for example, Russia to Brazil;

•    Transport protocol: GFP, POS, Ethernet, etc.;

•    Traffic volume: changes in traffic patterns may be an indicator of network misuse.

Discovery starts by analyzing each of these data points across an entire monitored network or across individual network segments. These parameters characterize the optical network and can be tracked over time to build historical trends over days, weeks, months or years.

With access to current and historical information, network monitoring applications can establish a baseline for how the network is expected to operate. More importantly, that baseline makes it possible to detect abnormal network behavior and provide early warning of an attack or threat. The visibility comes from collecting data across the network by orchestrating the monitoring tools used to access each optical transport layer. The data can then be used to expose network trends and unusual events and to provide a comprehensive, real-time understanding of the monitored network.

By providing continuous visibility through complex multi-layer transport networks, this threat-hunting capability can respond automatically to network provisioning changes and removes the need for costly on-site engineers and additional equipment.


Applying analytics in this setting allows flexible alarm reporting: an end user can set thresholds on various network parameters, including traffic types, transport overhead information and monitored traffic bandwidth. Each threshold can trigger an alarm that notifies the surveillance operations center of a configuration change to the monitored network. Armed with this information, cyber intelligence agents can then initiate the appropriate response.
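The baseline-and-threshold logic described in the last three paragraphs, and the optical-layer fields listed above, as an added worked example (this is not code from the article or from any product it describes). It assumes that each monitored wavelength yields one record per interval with the carrier, signal type, transport protocol, path and traffic volume; the history records, the second fiber ID "Oi_fortaleza_lisbon_12", the path codes and the z-score threshold are all constructed for illustration. Overhead fields are treated as configuration, so any value outside the historical set raises a configuration-change alarm, while volume is compared statistically against the link's own history.

```python
"""Baseline and threshold alarming over optical transport metadata.

Added example, not code from the original article. All records are
constructed; field names, thresholds and the Oi fiber ID are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class OpticalSample:
    """One monitoring interval on one wavelength of one fiber (constructed)."""
    fiber_id: str        # e.g. "Verizon_seattle_lax_345" (from the article)
    itu_channel: int     # DWDM channel, e.g. 16
    carrier: str         # AT&T, Vodafone, Verizon, Oi, ...
    signal_type: str     # OTU4, 100GbE, STM-64, ...
    transport: str       # GFP, POS, Ethernet, ...
    path: str            # geolocation / path ID, assumed "XX-YY" country codes
    volume_gbps: float   # observed traffic volume in the interval


# Constructed history: two weeks of daily samples on two wavelengths.
HISTORY = (
    [OpticalSample("Verizon_seattle_lax_345", 16, "Verizon", "OTU4", "Ethernet", "US-US", v)
     for v in (61.0, 63.5, 60.2, 62.8, 64.1, 59.7, 61.9,
               62.2, 63.0, 60.8, 61.4, 62.6, 63.3, 60.5)]
    + [OpticalSample("Oi_fortaleza_lisbon_12", 22, "Oi", "STM-64", "POS", "BR-PT", v)
       for v in (7.8, 8.1, 8.0, 7.9, 8.3, 8.2, 7.7,
                 8.0, 8.1, 7.9, 8.4, 8.0, 7.8, 8.2)]
)


def build_baseline(samples):
    """Per (fiber, channel): the set of overhead values seen plus volume stats.

    Carrier, signal type, transport and path are expected to be constant on a
    provisioned wavelength, so the baseline keeps the set of values observed;
    a later value outside that set is treated as a configuration change.
    """
    by_link = defaultdict(list)
    for s in samples:
        by_link[(s.fiber_id, s.itu_channel)].append(s)
    baseline = {}
    for link, hist in by_link.items():
        vols = [s.volume_gbps for s in hist]
        baseline[link] = {
            "carrier": {s.carrier for s in hist},
            "signal_type": {s.signal_type for s in hist},
            "transport": {s.transport for s in hist},
            "path": {s.path for s in hist},
            "volume_mean": mean(vols),
            "volume_stdev": pstdev(vols),
            "n": len(hist),
        }
    return baseline


def evaluate(sample, baseline, z_threshold=3.0, min_history=7):
    """Return the list of alarm strings for one new sample; empty means normal."""
    link = (sample.fiber_id, sample.itu_channel)
    label = f"{sample.fiber_id}/ch{sample.itu_channel}"
    ref = baseline.get(link)
    if ref is None:
        # A wavelength never seen on this fiber is itself a provisioning change.
        return [f"{label}: NEW_LINK carrier={sample.carrier} "
                f"signal={sample.signal_type} path={sample.path}"]
    alarms = []
    for field in ("carrier", "signal_type", "transport", "path"):
        value = getattr(sample, field)
        if value not in ref[field]:
            alarms.append(f"{label}: CONFIG_CHANGE {field}={value!r} "
                          f"expected one of {sorted(ref[field])}")
    # Volume threshold only fires once enough history exists to be meaningful.
    if ref["n"] >= min_history and ref["volume_stdev"] > 0:
        z = (sample.volume_gbps - ref["volume_mean"]) / ref["volume_stdev"]
        if abs(z) > z_threshold:
            alarms.append(f"{label}: VOLUME_ANOMALY {sample.volume_gbps} Gbps, "
                          f"z={z:+.1f} vs mean {ref['volume_mean']:.1f}")
    return alarms


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    today = [
        OpticalSample("Verizon_seattle_lax_345", 16, "Verizon", "OTU4", "Ethernet", "US-US", 95.0),
        OpticalSample("Oi_fortaleza_lisbon_12", 22, "Oi", "OTU4", "POS", "BR-RU", 8.0),
    ]
    for s in today:
        for alarm in evaluate(s, base):
            print(alarm)
```

The two constructed "today" samples show the two alarm classes the article distinguishes: a volume spike on an otherwise unchanged wavelength, and a signal-type and path change at normal volume, which is the kind of provisioning change an operator would want a surveillance center to see. A production version would keep separate baselines per hour of day or day of week rather than a single mean, since legitimate diurnal variation would otherwise inflate the standard deviation and hide real anomalies.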





Copyright © 2017, Cyber Defense Magazine. All rights reserved worldwide.