An Integrated Authorization and Intrusion Detection System for GMPLS Control Plane

Period of Performance: 01/01/2006 - 12/31/2006


Phase 2 SBIR

Recipient Firm

Computer Networks & Software, Inc.
7405 Alban Station Court, B-225
Springfield, VA 22150


Networking and security technology have become inextricably linked as enterprises rely on computer networks for everyday operations. It is imperative to integrate several types of security technologies into the network to foil various kinds of attacks before they can do any damage. Generalized Multiple Protocol Label Switching (GMPLS) has extended Multi-Protocol Label Switching to provide the control plane for devices that can switch packet, time, wavelength, and fiber domains. This common control plane simplifies network operation and management, but increases the risk of service disruption, because the control plane has not been secured. This project will develop an Intrusion Detection System (IDS) that discriminates between correct and incorrect signals on the basis of the context, content, and history of control messages.

Phase I developed an intrusion detection and prevention technique that protects the GMPLS control plane from external as well as insider attacks. An analysis of signaling and management protocols was conducted, a security framework to protect the control plane was developed, and the integrated intrusion detection and protection techniques were validated by using a primitive test-bed architecture. Phase II will develop syntax and semantics verification modules for appropriate routing protocols (similar to those developed in Phase I for signaling and management protocols); add support for the state-dependent analysis of various control plane protocols; analyze the inter-protocol interactions among the link management, signaling, and routing protocols; and develop detailed security attack scenarios. A prototype IDS will be implemented and tested.

Commercial Applications and other Benefits as described by the awardee: The intrusion detection system would provide a unique security product that can be utilized to protect the control plane in the DOE's GMPLS-based high performance network. Other network applications include the Department of Defense's net centric network infrastructure. A modular and optimized system could be used by public carriers to protect their converged network infrastructure and provide end system security in the enterprise environment.
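The abstract describes an IDS that judges each control message by its syntax, its content, and its history (the state-dependent analysis planned for Phase II). The following is an added illustration of that idea, not code from the awardee's prototype: a small checker that runs a constructed stream of simplified RSVP-TE-style signaling messages (Path, Resv, PathTear, the GMPLS signaling message types of RFC 3473) through three layers of checks. The message dictionaries, the required-field table, and the label range are all assumptions chosen for the example, not the real wire format or the project's own rules.

```python
"""Added illustration (not the project's prototype): a stateful checker for
a simplified GMPLS signaling (RSVP-TE-style) message stream.

It applies the three kinds of check the abstract names:
  * syntax  - required fields are present for the message type
  * content - field values lie within the range the session permits
  * history - the message is consistent with the per-LSP state machine
The dict-based messages are a constructed toy representation, not the
RSVP-TE wire encoding.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed required fields per message type (subset of RSVP-TE messages).
REQUIRED = {
    "PATH": {"lsp", "src", "dst", "label_req"},
    "RESV": {"lsp", "src", "dst", "label"},
    "PATHTEAR": {"lsp", "src", "dst"},
}

# Assumed label space of the toy data plane (constructed constraint).
LABEL_MIN, LABEL_MAX = 16, 1023


@dataclass
class LspState:
    """Per-LSP history kept by the checker."""
    path_seen: bool = False
    resv_seen: bool = False
    src: str = ""
    dst: str = ""


@dataclass
class Checker:
    lsps: Dict[str, LspState] = field(default_factory=dict)

    def check(self, msg: dict) -> Optional[str]:
        """Return None if the message is accepted, otherwise an alert string."""
        mtype = msg.get("type")
        if mtype not in REQUIRED:
            return f"syntax: unknown message type {mtype!r}"
        missing = REQUIRED[mtype] - set(msg)
        if missing:
            return f"syntax: {mtype} missing {sorted(missing)}"
        lsp = msg["lsp"]
        st = self.lsps.get(lsp)

        if mtype == "PATH":
            if st is not None and st.path_seen:
                # Refresh of an existing PATH: the endpoints must not change.
                if (st.src, st.dst) != (msg["src"], msg["dst"]):
                    return f"history: PATH for {lsp} changes endpoints"
                return None
            self.lsps[lsp] = LspState(path_seen=True, src=msg["src"], dst=msg["dst"])
            return None

        if mtype == "RESV":
            # A reservation must answer a PATH that this node has seen.
            if st is None or not st.path_seen:
                return f"history: RESV for {lsp} without prior PATH"
            label = msg["label"]
            if not isinstance(label, int) or not LABEL_MIN <= label <= LABEL_MAX:
                return f"content: RESV label {label!r} outside [{LABEL_MIN},{LABEL_MAX}]"
            if (st.src, st.dst) != (msg["src"], msg["dst"]):
                return f"history: RESV endpoints differ from PATH for {lsp}"
            st.resv_seen = True
            return None

        # PATHTEAR: only meaningful for an LSP with established state.
        if st is None:
            return f"history: PATHTEAR for unknown LSP {lsp}"
        del self.lsps[lsp]
        return None


def run(stream: List[dict]) -> List[str]:
    """Feed a message stream through one Checker; return the alerts in order."""
    checker = Checker()
    return [a for a in (checker.check(m) for m in stream) if a is not None]


# Constructed sample stream containing three anomalous messages.
SAMPLE = [
    {"type": "PATH", "lsp": "L1", "src": "A", "dst": "C", "label_req": "lambda"},
    {"type": "RESV", "lsp": "L1", "src": "A", "dst": "C", "label": 40},
    {"type": "RESV", "lsp": "L2", "src": "B", "dst": "C", "label": 41},    # no PATH seen
    {"type": "PATH", "lsp": "L3", "src": "B", "dst": "D", "label_req": "lambda"},
    {"type": "RESV", "lsp": "L3", "src": "B", "dst": "D", "label": 5000},  # label out of range
    {"type": "PATHTEAR", "lsp": "L1", "src": "A", "dst": "C"},
    {"type": "PATHTEAR", "lsp": "L9", "src": "A"},                         # missing dst
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

The point of the history layer is that a message which is perfectly well-formed and carries legal values (the RESV for L2) is still flagged because nothing in the session's past justifies it; a purely signature- or syntax-based filter would pass it. Extending the same structure to routing and link-management messages, as the Phase II plan describes, means adding further per-protocol state and the cross-protocol consistency checks between them.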