Implementing and testing a fiber-optic polarization-based intrusion detection system

Abstract. We describe a layer-1-based intrusion detection system for fiber-optic–based networks. Layer-1-based intrusion detection represents a significant elevation in security as it prohibits an adversary from obtaining information in the first place (no cryptanalysis is possible). We describe the experimental setup of the intrusion detection system, which is based on monitoring the behavior of certain attributes of light both in unperturbed and perturbed optical fiber links. The system was tested with optical fiber links of various lengths and types, under different environmental conditions, and under changes in fiber geometry similar to what is experienced during tapping activity. Comparison of the results for perturbed and unperturbed links has shown that the state of polarization is more sensitive to intrusion activity than the degree of polarization or power of the received light. The testing was conducted in a simulated telecommunication network environment that included both underground and aerial links. The links were monitored for intrusion activity. Attempts to tap the link were easily detected with no apparent degradation in the visual quality of the real-time surveillance video.


Introduction
The world is transitioning to an information-based society.Information represents a "wealth" component of such a society.As such, it is important to protect this wealth from unauthorized accesses and unauthorized entities.This is equally important for data at rest and for data in transit.
Fiber-based optical networks are the primary mode of transmitting data.While information leakage can be prevented through the use of encryption, all contemporary forms of encryption are only computationally secure.Given enough computational power, a cryptanalyst can recover the original information.The detection and prevention of eavesdropping/tapping activity in fiber-based optical networks represents an elevation in security, as it prevents the adversary from obtaining information in the first place.
Intrusion is not limited to criminal intent.One wellpublicized intrusion occurred in October 2013.Leaked documents indicating that the U.S. National Security Agency (NSA) infiltrated Yahoo and Google data centers captured the attention of the public.The NSA and its British counterpart tapped optical fiber cables connecting Google's and Yahoo's worldwide data centers. 1 The system described in this paper is a countermeasure to fiber-optic tapping activity.The state of polarization is extremely sensitive to changes in fiber geometry.Tapping activity necessarily involves changes to fiber geometry.
Previous research includes fiber-based sensor networks for perimeter protection using Mach-Zehnder Sagnac interferometers, 2 fiber Bragg grating sensors, 3 and polarization optical time domain reflectometry (POTDR) sensing devices. 4erimeter protection may involve fiber-optic meshes on fences for protection of sensitive areas, mats in museums, and the protection of railway assets.POTDR devices depend on polarization variations but do not measure the state of polarization directly.Instead, it converts polarization variations into power fluctuations that can be detected on POTDR traces.
This paper is organized as follows.In Sec. 2, the polarization properties of light (as they relate to this paper) are briefly described.In Sec. 3, fiber-optic tapping methods are reviewed.The theory behind the intrusion detection system, the experimental setup, and the results are addressed in Sec. 4. The application of the polarization-based intrusion detection system to a simulated telecommunications network is presented in Sec. 5.In Sec. 6, possible future work is discussed.Section 7 concludes the paper.

Polarization Properties of Light
This section describes the polarization properties of light as they relate to this paper.By convention, the direction of the electric field is used to define the polarization of the light.The electric field can be represented as E Q -T A R G E T ; t e m p : i n t r a l i n k -; e 0 0 1 ; 3 2 6 ; 1 9 7   Ẽðr; tÞ where x and ŷ are the directions of the two orthogonal components of the electric field, k is the wave vector, ∅ is the phase angle, ω is the angular frequency, E 0x and E 0y are the amplitudes of the orthogonal components of the electric field. 5n alternate way of describing the state of polarization is in terms of the Stokes parameters (S 1 , S 2 , and S 3 ) and their mapping onto the Poincare sphere. 6Each point on the Poincare sphere represents a unique state of polarization. 7he points on the surface of the sphere represent fully polarized light, while the points interior to the sphere represent partially polarized light.
The four Stokes parameters are defined in terms of the electric field components: 8 E Q -T A R G E T ; t e m p : i n t r a l i n k -; s e c 2 ; 6 3 ; 5 4 0 where S 0 is the total intensity of light, S 1 is the amount of linear horizontal or vertical polarization, S 2 is the amount of linear þ45 deg or −45 deg polarization, and S 3 is the amount of right or left circular polarization. 9The Stokes parameters are real quantities and can be experimentally measured.Examples of various states of polarization and their representation in Stokes space (S 0 , S 1 , S 2 , and S 3 ) are shown in Table 1.
3 Fiber-Optic Tapping Methods This section lists the fiber-optic tapping methods and the current countermeasures.It should be noted that all these tapping methods require access to the fiber and removal of the outer jacket.This activity necessarily involves perturbations of the fiber cable.Tapping methods can be divided into three categories: 10 • Fiber bending: light is coupled out of the core when the bend radius reaches a critical angle.At this angle, some portion of the light is emitted from the core and is detected by an optical detector.• Splitter or coupler: the original path is cut and a splitter or coupler is inserted.Cutting the original path can be easily detected because it interrupts the data flow.• Scattering: a fiber Bragg grating is etched to the core and part of the light is scattered outside the core and then detected by an optical detector.
Whatever the reason behind tapping optical fiber cables (criminal or otherwise), certain measures should be taken to secure sensitive networks. 11One countermeasure is to encase the fiber cable in cement, which prevents unauthorized access to the optical fiber cable.A second countermeasure is to install the fiber cable in a pressurized conduit, which generates alerts when pressure fluctuations occur.A third countermeasure is the continuous surveillance of the entire optical fiber link, which detects any unauthorized access to the fiber.

Intrusion Detection System
While Sec. 3 described the current countermeasures to fiberoptic tapping, this section presents a countermeasure based on monitoring the state of polarization.Polarization is extremely sensitive to any physical change in the fiber.Fiber geometry is necessarily altered during the placement of optical taps, and this affects the stability of polarization in the fiber.The theory behind this countermeasure, the experimental setup, and the results of the tests performed are addressed in detail in the following subsections.

Theory
In Ref. 12, the author investigated the properties of light as a means of insuring the integrity and security of the physical layer of a fiber-optic-based communication link.Specifically, the author focused on the behavior of polarization in a single-mode fiber, as it is shown to be especially sensitive to fiber geometry and to changing environmental conditions.Accordingly, we posit that the state of polarization (as represented in Stokes space) is more sensitive to environmental conditions than either the degree of polarization or the received power (S 0 ).
Recall that the degree of polarization is represented as Given negligible changes in DOP and S 0 , a change in one Stokes parameter necessitates a change in at least one other Stokes parameter (unless there is a sign change in a single parameter).From a practical standpoint, this last case is observed only under controlled conditions.What is usually observed are the changes in S 1 , S 2 , and S 3 .Furthermore, "small" changes over time are usually due to changing environmental conditions, while "large" changes are due to fiber perturbations.
Here, we regard polarization measurements as sampled points from a continuous function.In time series analysis, a common preprocessing step is to remove any trend in the data by taking the first-differences of the sampled points.The resulting time series of first-differences can often be regarded as a stationary process.The presence of "large" first-differences in the time series of first-differences is interpreted as being generated by a mechanism that is somehow different from the generating mechanism behind "small" first-differences.We interpret the former as arising from fiber perturbations and the latter as arising from changing environmental conditions.We approach the problem of detecting fiber perturbations as a time-series anomaly-detection problem.
Many techniques exist for detecting anomalous events.A few include (1) from ordinary statistics, the kurtosis of the distribution of first-differences, (2) from spatial statistics, the Hopkins metric for identifying cluster formation, 13 and (3) from machine learning, one-class support vector machines.In this paper, we employ the use of extreme value theory (EVT) for detecting anomalous events.
EVT has the advantage of being able to adapt to changing environmental conditions and encapsulating varying notions of "unusualness" (degrees of anomalous behavior).Essentially, we use EVT to characterize the first-difference ; t e m p : i n t r a l i n k -; t 0 0 1 ; 1 0 1 ; 6 7 6 0 B B @ ; t e m p : i n t r a l i n k -; t 0 0 1 ; 1 5 2 ; 6 7 6 0 B B @ ; t e m p : i n t r a l i n k -; t 0 0 1 ; 2 0 3 ; 6 7 6 0 B B @ ; t e m p : i n t r a l i n k -; t 0 0 1 ; 2 5 4 ; 6 7 6 0 B B @ behavior of unperturbed fiber, so that the first-differences produced by perturbations can be identified probabilistically.EVT employs two main approaches: 14 peak over threshold model and block maxima model.Block maxima model, used in this work, uses the maximum occurring data value from each block (a contiguous set of first-differences) without regard to preset thresholds.EVT essentially addresses the following question: What is the probability of observing some quantity that is more extreme than any quantity so far observed?We do not explain EVT here but later make references to "sensitivity threshold."This phrase refers to the magnitude of first-differences that are likely to be observed only under rare circumstances (fiber perturbations) as determined by the EVT block maximum method.(EVT-suggested threshold in terms of normalized Stokes parameters was 0.05.)

Experimental Setup
Section 4.1 presented the fundamental components of the intrusion detection system.This section describes the implementation of the system.The system was tested in the Quantum Optics Lab at OU-Tulsa, where the surrounding temperature is around 65°F.In the conducted experiment, depicted in Fig. 1, the following hardware and software were used: • Polarization analyzer: Agilent 8509C lightwave polarization analyzer offers high-speed, calibrated polarization measurements of optical signals and components.
For the purpose of the experiment, it was used to measure the state of polarization, represented by the Stokes parameters, the degree of polarization, and the power.
• Optical fiber: Single-mode optical fiber with FC connectors on both ends was used in the experiment.The system was also tested with multimode optical fiber with FC connectors.The operating wavelength was 1550 nm.• LabVIEW controller: LabVIEW 10.0.1 was used to build the implementation procedure and driver program.LabVIEW communicated with the Agilent 8509C lightwave polarization analyzer.It also saved the collected measurements in a text file for further processing.
The degree of polarization, power, and state of polarization of the received light were measured.The LabVIEW controller and driver generated a text file that included the following (Fig. 2): SeqNumber, Timestamp, LinkStatus, Power, S 1 , S 2 , S 3 , DegreeOfPolarization, HeartbeatInterval, FutureUse1, FutureUse2 • Sequence number: helps to identify missing measurements.
• Timestamp: the time and date at which the measurement is made.The time is in the 24-h format.• Link status: OK, Intrusion, and Suspicious: link status depends on the first-differences of the Stokes parameters.If the first-differences of S 1 , S 2 , and S 3 are below the sensitivity threshold, link status is OK.If they are all above the threshold, it is intrusion.In the other cases, the link status is suspicious.• Measured raw data: power of the received signal, the state of polarization in terms of the Stokes parameters (S 1 , S 2 , and S 3 ), and the degree of polarization.• Heartbeat interval: the time interval after which the file is updated (in seconds).
Two extra fields were reserved for any possible future use.

Results
The intrusion detection system was tested under a variety of scenarios.The results of those tests are presented in this section.The system was tested with a 10-km unperturbed single-mode fiber.For the unperturbed fiber, Stokes parameters, degree of polarization, and power were relatively stable.The first-differences of the Stokes parameters were relatively stable as well and did not exceed the EVT suggested sensitivity threshold.For this same unperturbed fiber, the input polarization state was modified using the Agilent 8169A polarization controller.As expected, the change in the input polarization state resulted in a significant change in the received state of polarization but with negligible differences in the degree of polarization and power values.Furthermore, the time-evolving Stokes parameters and their first-differences were relatively stable and did not exceed the sensitivity threshold.Simulation of changing environmental conditions (specifically, minor vibrational fluctuations and temperature variations) led to gradual changes in the values of the Stokes parameters.The resulting trajectory on the Poincare sphere traced out by the changing Stokes parameters tended to be more organized.However, first-differences of the Stokes parameters were relatively stable and did not exceed the sensitivity threshold.This suggests that the intrusion system is robust against changing environmental conditions, namely occasional vibration and temperature.(Vibrational stimuli were applied by affixing the fiber cable to cell phone set on vibrate mode.The vibration stimuli had a frequency of 180 Hz and ½−0.08; þ0.08 g.Temperature fluctuations were induced using a heating element in close proximity to the fiber cable.The applied external heat was in the range of 1500 to 1800 W, which resulted in a temperature of [70, 130]°F.) The system was tested with single-mode fiber for 24 h with occasional variations in temperature, vibration, and perturbation.The resulting measurements were plotted and are shown in Fig. 3.The system was tested with the following alterations: • At interval 3141 to 3378, external heat was applied to the fiber.This resulted in a change in the values of S 1 , S 2 , and S 3 .However, the first-differences were stable below the sensitivity threshold.• At interval 6235 to 6490, the fiber was subjected to external vibration.There was a smooth change in the values of the Stokes parameters and only the first-difference of S 3 exceeded the threshold.In both intervals, the power and the degree of polarization were stable and did not reflect the external alterations.• At interval 10178 to 10203, the fiber was bent.This event can be clearly seen in the values of S 1 , S 2 , and S 3 that showed an abrupt change.Also, the magnitude of the first-differences for all Stokes parameters far exceeded the sensitivity threshold, suggesting a different generating process.Only negligible changes in the degree of polarization and power were observed.
For a 5-m single-mode fiber, the system was tested with the following alterations: • At interval 130 to 157, vibration was applied.
• At interval 262 to 310, external heat was applied.
• At interval 391 to 416, the fiber was bent.
The results of the 5-m single-mode fiber, displayed in Fig. 4, were consistent with the results obtained in the previous case.The intrusion system was robust against changing environmental conditions.The Stokes parameters experienced an abrupt change when the fiber was bent.The magnitude of the first-differences for all Stokes parameters far exceeded the sensitivity threshold.Again, only negligible changes in the degree of polarization and power were observed.
The same procedure that was applied for the single-mode fiber was repeated for a 5-m multimode fiber (Fig. 5).The system was tested with the following alterations: • At interval 130 to 155, external vibration was applied to the fiber.S 1 , S 2 , and S 3 slightly changed and their first-differences remained below the threshold.Degree of polarization and power experienced negligible change.
• At interval 260 to 285, the fiber was subjected to applied heat.This resulted in a change in the values of S 1 , S 2 , and S 3 .Although the first-differences of some measurements in this interval exceeded the sensitivity threshold, not all three first-differences exceeded the sensitivity threshold simultaneously.These two events suggest that the intrusion system is robust against environmental conditions when using multimode fiber.The magnitude of the first-differences of the Stokes parameters far exceeded the sensitivity threshold, suggesting a different generating process.Similar to the case of a single-mode fiber, only negligible changes in the degree of polarization and power were observed.
5 Real-Life Application of Intrusion Detection System The polarization-based intrusion detection system was implemented as shown in Fig. 6.A schematic diagram of the system is depicted in Fig. 7.An IP camera was used to transmit real-time video.The output of the IP camera was connected to a Cisco SGE2010P switch #1 [Fig.6(a)].The intrusion detection system [Fig.6(b)] was applied on the link that connects switch #1 to Cisco SGE2010P switch #2.The corresponding port of switch #2 was connected to a computer for live viewing of the real-time video streamed by the IP camera [Fig.6(d)].The information between the two switches was routed through an optical fiber link similar to the one deployed in current networks [Fig.6(c)].The passage of information through this optical fiber link was monitored using the intrusion detection system.
Information corresponding to the real-time video was sent through port 13 of the Fiber Patch Panel at the input of the armored cable.The information passed through a Splice Case to either the aerial cable or to the cable in a conduit depending on the port number used at the input panel.(Ports 1 to 12 in the input panel connect the information to the conduit cable panel.Ports 13 to 24 in the input panel connect the information to the aerial cable panel.)The corresponding output port in the aerial cable panel was connected to the polarization analyzer of the intrusion detection system using a single-mode fiber.
The results of the intrusion detection system as applied in the aforementioned network were consistent with previously described findings.When perturbations were applied to the optical fiber link, the system issued an intrusion alert to indicate that an intruder was trying to tap the link.The transmitted video captured by the IP camera showed no apparent difference for unperturbed and perturbed fiber links.This application of the intrusion detection system in this configuration showed that the system is able to detect intrusion activity on the optical fiber link even when no hint of such activity is apparent to an observer of the video output.
6 Future Work The system described above seems well suited for single-link networks.Future work includes an analysis of networks employing optical amplifiers.Optical amplifiers change the input state of polarization.Since the state of polarization is the mechanism by which intrusion is detected, the behavior of any optical amplifier on a fiber span should be modeled in order to estimate the relationship between the output polarization state and the input polarization state.Such a model is required to enable intrusion detection on an end-to-end basis rather than a link-to-link basis.Sensitivity of the system can be improved by adjusting sensitivity thresholds dynamically.Just as EVT can be used to estimate the probability of observing values more extreme (larger) than what has been previously observed, it can also be used to estimate the probability of observing values smaller than that has been previously observed.In the case of intrusion detection, variations smaller than those previously observed are indicative of periods of greater ambient stability.This information can be used to update the sensitivity threshold, presumably to one that is lower than the current sensitivity threshold.
At the hardware level, the Agilent polarization analyzer used is a multipurpose device.Replacing this device with a single function polarization analyzer that only measures the state of polarization brings this system closer to being productized.

Conclusions
The intrusion detection system implemented and analyzed in this paper prevents data theft in optical fibers.The behavior of certain attributes of light has been examined both in unperturbed and perturbed optical fiber links of various lengths and types and under different environmental conditions and changes in fiber geometry.The system has also been tested in a real-life scenario to monitor the link through which a realtime video was being sent.The tests have proven that the state of polarization of light, represented by the Stokes parameters, is a better indicator of intrusion than the power and the degree of polarization and that the first-differences of the Stokes parameters indicate the presence of an intruder when their values exceed a sensitivity threshold.In the case of intrusion detection, the system will issue an alert to stop the communication due to the possibility of data theft.Since optical fibers are a primary means of transmitting information, efforts will continue to be exerted in this field in order to protect transmitted data from unauthorized access.

Fig. 1 Fig. 2
Fig.1Schematic diagram of polarization-based intrusion detection system consists of: Agilent 8509C lightwave polarization analyzer which measures the state of polarization, the degree of polarization, and the power, LabVIEW 10.0.1 that controls the experiment and collects the measured data, and optical fiber with FC connectors on both ends.

Fig. 3
Fig.3Results of single-mode fiber with occasional alterations.

Fig. 6
Fig. 6 Real-life application of intrusion detection system: (a) switches and IP camera layout; (b) intrusion detection system; (c) optical fiber link layout; and (d) real-time video.

Fig. 7
Fig. 7 Schematic diagram of real-life application of intrusion detection system.

Table 1
Stokes vector of common states of polarization.