How does ASPC Attack Mitigator use DBSCAN unsupervised learning to detect novel optical attacks?

ASPC's security framework applies the DBSCAN clustering algorithm, as an unsupervised learning technique, to anomaly detection at the optical physical layer. By grouping performance-monitoring samples taken under normal operating conditions into dense clusters, the system can flag samples that fall outside those clusters as outliers and potential attacks, without requiring prior knowledge of specific threats.

This approach is particularly suited to novelty detection, since it allows the network to recognize new types of interference that signature-based or supervised models would miss. To keep precision high and filter out temporary glitches, the process incorporates Window-based Attack Detection, which only raises an alarm when a consistent pattern of anomalous samples emerges over time rather than on a single suspicious reading.

DBSCAN Density-Based Optical Attack Detection

ASPC utilizes the DBSCAN (Density-Based Spatial Clustering of Applications with Noise) algorithm as an unsupervised learning technique to detect novel or "previously unseen" attacks at the optical physical layer. Unlike supervised models that require training on labeled datasets of known threats, DBSCAN detects attacks by identifying deviations from established patterns of normal network behavior.

Mechanism of Detection

The core principle of DBSCAN in this context is density-based clustering:

  • Normal Behavior as Dense Clusters: The algorithm processes Optical Performance Monitoring (OPM) data collected from transceivers (e.g., optical power, Optical Signal-to-Noise Ratio). Under normal operating conditions, these samples naturally group together into dense clusters within the feature space.
  • Attacks as Outliers (Noise): When a physical attack occurs (such as jamming or polarization scrambling), the signal parameters fluctuate or degrade, causing the corresponding data points to deviate significantly from the normal clusters. DBSCAN classifies these points as "noise" or outliers because they fall into low-density regions.
  • Novelty Detection: Because the model only checks whether a sample fits the normal cluster, rather than matching a specific, pre-learned attack signature, it can flag attack types that were not present in any training data.

Operational Workflow

  1. Data Collection: The system collects a set of OPM samples over a specific monitoring window. Unsupervised models typically require a sequence of samples (e.g., 300 samples) to sufficiently characterize the current density and operating conditions.
  2. Inference: The Attack Inference component runs DBSCAN on these samples using two key hyperparameters:
    • Epsilon: The maximum distance between two samples for them to be considered neighbors.
    • MinSamples: The minimum number of samples that must lie within Epsilon of a point (the point itself included, in common implementations such as scikit-learn's) for that point to count as a core point of a cluster. Points that are not core points and lie within Epsilon of no core point are labelled noise.
  3. Classification: The algorithm returns cluster indices for the samples. An index of -1 indicates an anomaly (attack), while indices ≥ 0 represent normal clusters.

Enhancing Accuracy with Window-based Attack Detection (WAD)

While effective at finding new threats, raw unsupervised learning can suffer from lower accuracy compared to supervised methods (e.g., ~80% F1 score in some tests). To compensate for this and reduce false positives from transient network instability, ASPC couples DBSCAN with Window-based Attack Detection (WAD).

  • Process: Instead of triggering an alarm on a single anomalous sample, WAD analyzes a sliding window of DBSCAN outputs. It raises an alarm only if the number of samples categorized as anomalies within that window exceeds a predefined threshold.
  • Result: This combination allows the system to detect previously unseen attacks with high accuracy (reported ~99%) while filtering out noise and fast oscillations.
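The operational workflow above (DBSCAN over a window of OPM samples with Epsilon and MinSamples, cluster index -1 as anomaly) and the WAD sliding-window threshold, written out as an added Python example; this is not ASPC's own code. The DBSCAN implementation, the WAD function, the two-feature vector (optical power in dBm, OSNR in dB), the hyperparameter values and the OPM readings are all constructed here for illustration, and the real system's window of around 300 samples and its thresholds are not reproduced. It also goes one step beyond the page by showing the case a practitioner should know about: an attack that settles into a stable degraded state forms its own dense cluster instead of being labelled noise.

```python
"""DBSCAN + window-based attack detection (WAD) over constructed OPM samples.

Added illustration, not ASPC's code. Each sample is a (power_dBm, osnr_dB)
pair; all values are made up to be plausible, not measured.
"""
import math
from collections import deque

NOISE = -1  # DBSCAN label for points in low-density regions (anomaly)


def dbscan(points, eps, min_samples):
    """Minimal DBSCAN. Returns one label per point; NOISE (-1) marks outliers.

    min_samples counts the point itself, as scikit-learn's DBSCAN does.
    """
    n = len(points)
    labels = [None] * n

    def region(i):  # indices within eps of point i (i itself included)
        return [j for j in range(n) if math.dist(points[i], points[j]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        seeds = region(i)
        if len(seeds) < min_samples:
            labels[i] = NOISE          # may become a border point later
            continue
        labels[i] = cluster
        queue = deque(seeds)
        while queue:
            j = queue.popleft()
            if labels[j] == NOISE:
                labels[j] = cluster    # border point reachable from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb = region(j)
            if len(nb) >= min_samples:  # j is a core point: keep expanding
                queue.extend(nb)
        cluster += 1
    return labels


def wad_alarms(labels, window, threshold):
    """Window-based Attack Detection: slide a window over the DBSCAN labels
    and alarm only when the anomalies inside it exceed `threshold`."""
    alarms = []
    for end in range(window, len(labels) + 1):
        anomalies = sum(1 for lab in labels[end - window:end] if lab == NOISE)
        alarms.append(anomalies > threshold)
    return alarms


def first_alarm_index(alarms, window):
    """Index of the last sample in the first alarming window, or None."""
    for k, fired in enumerate(alarms):
        if fired:
            return k + window - 1
    return None


def normal_samples(count, phase=0):
    """Constructed steady-state readings with small deterministic jitter."""
    return [(-10.0 + 0.1 * math.sin(k + phase), 20.0 + 0.2 * math.cos(k + phase))
            for k in range(count)]


def build_stream():
    """Constructed window: normal traffic, one transient glitch, normal traffic,
    then a jamming ramp that degrades power and OSNR step by step."""
    glitch = [(-10.0, 15.0)]                                   # one bad reading
    ramp = [(-10.0 - 1.0 * k, 20.0 - 1.5 * k) for k in range(1, 11)]
    return normal_samples(30) + glitch + normal_samples(30, phase=30) + ramp


def build_stable_attack_stream():
    """Constructed blind spot: the attack holds a stable degraded state, so its
    samples are dense enough to form a cluster of their own."""
    degraded = [(-13.0 + 0.1 * math.sin(k), 12.0 + 0.2 * math.cos(k))
                for k in range(20)]
    return normal_samples(30) + degraded


def analyse(stream, eps=1.0, min_samples=5, window=8, threshold=3):
    """Run the two stages and return (dbscan labels, per-window alarm flags)."""
    labels = dbscan(stream, eps, min_samples)
    return labels, wad_alarms(labels, window, threshold)


if __name__ == "__main__":
    labels, alarms = analyse(build_stream())
    print("labels:", labels)
    print("first alarm at sample:", first_alarm_index(alarms, 8))
    labels2, alarms2 = analyse(build_stable_attack_stream())
    print("stable attack labels:", labels2[30:], "alarm:", any(alarms2))
```

In the first stream the single glitch is labelled -1 but never trips WAD, because no window of 8 ever holds more than 3 anomalies until the ramp; the ramp's samples are each further than Epsilon from everything else, so the alarm fires once four of them have accumulated. The second stream is the case to plan for in deployment: the degraded samples get cluster index 1, not -1, so the "-1 means attack" rule alone is silent. A practical mitigation is to fit the normal cluster on a known-good baseline and treat any sample outside that specific cluster, not just noise, as anomalous.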