1 Introduction

The Blue Economy is crucial for the growth of human society as 70% of the Earth's surface is covered by water. About two-thirds of the world's population live near the coasts and benefit from seafood and raw materials from the ocean, as well as goods and services transported by sea.

There are various infrastructures that support the Blue Economy, both globally and locally. For instance, sea highways are routes used by cargo ships to transport goods and services. Thanks to a network of over 750 harbours, around 90% of all goods and materials are shipped by sea among continents. In 2020, there were 15 harbours with an annual traffic of over 10 million TEU (Twenty-foot Equivalent Unit), which is the ISO standard measurement unit for container volume. Similarly, all 49 major hubs worldwide had traffic higher than 4 million TEU each. Touristic traffic is also crucial in some parts of the world, with at least ten harbours having touristic traffic higher than 1.7 million passengers per year on average in the last 5 years [1].

Another essential infrastructure supporting the Blue Economy is the network of oil and gas pipelines that distribute energy sources. Despite the shift towards green energy, these pipelines will continue to refuel many countries for several decades. Moreover, the world network of underwater cables for information and data transfer is a strategic asset distributing information and data in near real-time to manage and control various aspects of daily life. In 2005, more than 200 cables were deployed worldwide, with an estimated total length of around 1.3 million km [2]. This infrastructure is the backbone of the digital economy, which will continue to expand to meet the increasing demand for data sharing. Finally, lithium and other rare-earth materials form the basis of new electronic and electric technologies, and the search for new mines and deposits is moving to the sea floor to increase their availability. The race for these elements will be strategic for the green transition and the autonomy of nations and the EU, with significant investments and efforts being made in this direction.

Monitoring and protecting infrastructures is important from both civilian and military perspectives. Threats differ in their potential effects on the infrastructures themselves. Nations and national entities are interested in infrastructures ranging from strategic to tactical as a means to put pressure on other nations and/or impose their position in some contexts. For example, stopping oil/gas flow can have dramatic impacts on a regional economy, extending to the entire world. Another example is tapping underwater cables to monitor data flows, spy, and obtain sensitive information in order to predict entities’ actions and/or manipulate governments [3].

Threats can be listed in order of increasing danger. At the lowest level, Intelligence, Surveillance and Reconnaissance (ISR) missions aim to acquire information about infrastructures to plan future attacks/reactions. In a maritime environment, these activities are today simplified by the availability of autonomous/remotely controlled underwater and surface vehicles. These platforms can be relatively cheap, have quite long endurance, and be fitted with different payloads to acquire data (video and pictures from optical cameras, acoustic panoramas from sonar, etc.). Due to their small dimensions and low noise signature, they are difficult to detect and identify.

An activity of intermediate danger is the theft of raw materials, which often involves damaging infrastructure, such as underwater pipelines, and can lead to environmental damage. In some countries, this activity is typical and can result in oil spills from terminals, causing further harm to the environment.

The most dangerous threats involve military forces damaging strategic infrastructure such as pipelines, cables, terminals, power plants (including wind farms), and other critical structures. To carry out these actions, divers require support platforms such as Swimmer Delivery Vehicles or mini submarines. In the future, autonomous underwater vehicles may also be used for this purpose. These platforms can operate autonomously and damage infrastructure in several ways, including deploying explosives, using robotic arms, or exploding themselves near the target. In this context, the main targets that need to be identified and detected include divers, autonomous underwater vehicles (AUVs), remotely operated vehicles (ROVs), mini submarines, midgets, unmanned surface vehicles (USVs), and small crafts [4].

To effectively monitor and control maritime infrastructure, new technologies are required that are specifically designed for the underwater domain. This is because the physics of the water present unique challenges, such as high pressure that requires materials with high strength, poor visibility that limits the use of cameras, and underwater communication that is limited to acoustic channels with minimal bandwidth and throughput. Additionally, the deployment and maintenance of systems in the underwater domain are complex, and a large number of sensors are required to cover the vast area of the water column, making the solution costly compared to surface or aerial solutions.

As part of the InSecTT project, innovative applications and solutions have been explored for monitoring and protecting maritime infrastructures for both military and civilian purposes. The aim has been to improve the state of the art and make underwater protection systems more affordable and efficient.

2 Underwater Technologies for Monitoring Maritime Infrastructures

Monitoring and protecting maritime infrastructures is a challenging task that requires advanced technologies and systems. One of the most commonly used technologies is the deployment of surveillance cameras [5]. However, cameras have certain limitations in underwater environments due to poor visibility and the need for special housings to protect them from water pressure. Other technologies that have been explored include sonar systems, acoustic sensors, and radar [6]. More recently, AUVs and ROVs have become increasingly popular for monitoring and inspecting underwater structures [7]. These vehicles are equipped with various sensors and cameras that can capture high-resolution images and collect data on underwater structures and environments. In addition, AUVs and ROVs can be operated remotely, reducing the risks associated with underwater operations.

The size of underwater areas and infrastructures of interest is typically large, making it impractical to rely on a single sensor for monitoring. Instead, a network of nodes forming underwater barriers is needed to adequately cover the area, depending on its size and shape [8]. These systems are used to provide continuous coverage and real-time data transmission. These networks can consist of acoustic, optical and magnetic sensors, as well as communication systems that can transmit data to shore-based stations.

Figure 1 illustrates the concept of using underwater barriers, which consist of a network of sensors (either acoustic, magnetic or a combination of both) to monitor the water column and the surrounding volume. Two homogeneous barriers are depicted in the top picture, with red dots representing magnetic sensors and black dots representing acoustic transducers. These barriers are connected to a junction box composed of groups of nodes. The bottom picture shows the concept of a mixed barrier, where magnetic and acoustic nodes are connected to the same line.

Fig. 1
2 animated images of underwater sensor barriers. Both barriers include magnetic sensors and acoustic transducers that are connected to a junction box. The bottom image has a mixed barrier concept while the top image has acoustic barriers first followed by magnetic barriers.

Concept of underwater sensor barriers

The approach of using a network of nodes is highly adaptable, expandable, and customizable, as it allows for the incorporation of various functionalities and capabilities by simply adding more nodes with different payloads. These nodes can operate in parallel or in conjunction with one another to provide a comprehensive dataset. The inclusion of intermediate processing nodes, akin to edge computing, allows for the fusion of data and the extraction of the most crucial information from a vast dataset. This is especially valuable in the case of barriers composed of a significant number of acoustic sensors. The integration of various data sources makes it possible to highlight information and behaviours that may not be apparent in a single dataset [9].

Different types of infrastructure have unique characteristics that require specific monitoring and protection solutions. However, it's important to have a flexible and scalable system regardless of the specific target. For example, long pipelines need thousands of sensors to cover their entire length, which can be costly and complicated to deploy and maintain (Fig. 2). To meet this requirement, low-cost nodes and wireless solutions are necessary. However, sensors require a power source, and a wired infrastructure can provide an unlimited power supply compared to a battery pack.

Fig. 2
An illustration of an underwater pipeline depicts water at the top and a soil layer at the bottom. The soil layer has a pipeline with multiple acoustic and magnetic nodes connected to the junction box.

Sensors strategically deployed along an underwater pipeline, with a higher concentration near gate valves and other critical points to ensure optimal monitoring and safety

Wind farms cover a wide area, but they may already have an existing wired network for distributing energy. In this case, a wired network of sensors could benefit from these cables (Fig. 3). Alternatively, single nodes or groups of nodes could be powered by a wind generator to reduce the number of connections and the length of cables.

Fig. 3
An illustration of the sensor distribution near a wind generator. Nodes are at the soil layer under water. The nodes are connected to the wind generator. The wind generator is at the top of the water.

Example of sensor distribution near a wind generator. Sensors are strategically placed to ensure optimal monitoring and performance

For perimeter monitoring, such as harbour entrances, borders of wind farms, oil and gas platforms, etc., a barrier of nodes can be deployed along lines to create a physical barrier (Fig. 4). For long infrastructures like pipelines and cables, single nodes or sets of nodes can be deployed along the length in random configurations to create uncertainty and make it difficult for threats to approach.

Fig. 4
An animated image of the setup includes the following components. Harbor control room, communication node, floating solution, acoustic barrier, magnetic barrier, and local and portable control station. All components are connected to each other with a wireless link.

Example of a perimeter and/or harbour entrance monitoring system based on acoustic and magnetic barriers to ensure security and safety

Different types of sensors can be used underwater. Acoustic sensors, or sonar, are the most effective. They can be passive, which means they only pick up noise and extract information from the background. Or they can be active, sending out pulses and checking for echoes to identify targets and anomalies. Passive sensors are cheaper and use less power, but their performance is limited by the noise level of the target compared to the environment and other disturbances. Active sensors are more effective and can create “acoustic” images with varying levels of precision depending on the complexity of the sensor. However, they use more energy and produce more data. Passive sensors can be used as standalone wireless sensors, while active sensors must be connected to a network to provide power and share large amounts of data. The range of acoustic sensors depends on the characteristics of seawater (temperature and salinity) and external disturbances such as wind, rain, and human-made noise.

Underwater cameras are used for optical sensing. However, their effectiveness can be hindered by factors such as water turbidity, which is particularly prevalent in shallow waters near the seabed or river mouths. Limited light penetration in the water also affects their performance, with surface areas having a lot of reverberation and lamps only propagating light for a few meters in deep waters. Consequently, they are only suitable for short-range monitoring and are usually mounted on mobile nodes such as ROVs and AUVs to provide additional information in close proximity to the target.

Magnetic sensors detect local changes in the earth's magnetic field caused by ferromagnetic or metallic objects, or objects that produce electromagnetic fields. They are passive, use very little power, and produce low amounts of data. However, their range is limited due to the quick reduction of the magnetic field with distance. For instance, the signal produced by small objects like ROVs or AUVs can only be detected up to a few meters before being overwhelmed by background noise. Various types of magnetic transducers are available, but the most commonly used ones are fluxgate sensors. These sensors are affordable, rugged, and compact, with recent advancements in miniaturization leading to complete sensor solutions in the form of IC chips. To gather as much information as possible, the sensor is made up of three orthogonal transducers that measure the three components of the magnetic field in 3D space and combine the information to extract the magnitude (modulus) and the direction of the field. The primary requirements for magnetic sensors include sensitivity to detect minimum variations in the earth's magnetic field due to distant movements, the ability to avoid saturation by background magnetic fields, and a low cost that allows for deploying a large number of sensors to compensate for their short range.
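The following added example (not code from the InSecTT project) combines three orthogonal components into magnitude and direction and screens a simulated pass of a small target against the background field. The background vector, noise level, target moment, sampling rate and threshold are constructed assumptions; the target is modelled as a point magnetic dipole, whose field falls off with the cube of the distance.

```python
import math
import random

# Constructed values for illustration only (not InSecTT measurements).
EARTH_FIELD_NT = (22000.0, 1500.0, 40000.0)   # background field vector, nT
NOISE_SIGMA_NT = 0.5                          # per-axis noise, nT
TARGET_MOMENT = (1.0, 0.0, 0.0)               # small vehicle as a dipole, A*m^2
SAMPLE_DT_S = 0.1                             # 10 Hz sampling


def magnitude_and_direction(bx, by, bz):
    """Combine the three orthogonal components into magnitude and two angles."""
    mag = math.sqrt(bx * bx + by * by + bz * bz)
    inclination = math.degrees(math.asin(bz / mag))   # angle out of the x-y plane
    declination = math.degrees(math.atan2(by, bx))    # angle within the x-y plane
    return mag, inclination, declination


def dipole_field_nt(moment, r_vec):
    """Field (nT) of a point dipole seen at offset r_vec (m); decays as 1/r^3."""
    r = math.sqrt(sum(c * c for c in r_vec))
    r_hat = [c / r for c in r_vec]
    m_dot_r = sum(m * c for m, c in zip(moment, r_hat))
    k = 1e-7 * 1e9 / r ** 3          # mu0/(4*pi) in T*m/A, scaled to nT
    return [k * (3 * m_dot_r * rh - m) for m, rh in zip(moment, r_hat)]


def simulate_pass(closest_m, rng, speed_mps=1.0, n_quiet=200, n_pass=200):
    """Quiet background samples followed by a straight-line pass of the target."""
    samples = []
    for i in range(n_quiet + n_pass):
        field = list(EARTH_FIELD_NT)
        if i >= n_quiet:
            # Target position along its track; x = 0 is the closest approach.
            x = (i - n_quiet - n_pass / 2) * speed_mps * SAMPLE_DT_S
            anomaly = dipole_field_nt(TARGET_MOMENT, (-x, -closest_m, 0.0))
            field = [f + a for f, a in zip(field, anomaly)]
        samples.append([f + rng.gauss(0.0, NOISE_SIGMA_NT) for f in field])
    return samples


def detect(samples, n_quiet=200, k_sigma=5.0):
    """Flag samples whose vector deviation from the quiet baseline exceeds k*sigma.

    The vector residual is used rather than the change in total magnitude,
    because a small anomaly perpendicular to the background field barely
    changes the magnitude.
    """
    quiet = samples[:n_quiet]
    base = [sum(s[a] for s in quiet) / n_quiet for a in range(3)]

    def residual(s):
        return math.sqrt(sum((s[a] - base[a]) ** 2 for a in range(3)))

    sigma = math.sqrt(sum(residual(s) ** 2 for s in quiet) / n_quiet)
    threshold = k_sigma * sigma
    hits = [i for i, s in enumerate(samples) if residual(s) > threshold]
    return hits, threshold


if __name__ == "__main__":
    for d in (2.0, 4.0, 6.0):
        hits, thr = detect(simulate_pass(d, random.Random(7)))
        peak = 100.0 * TARGET_MOMENT[0] / d ** 3   # broadside dipole field at range d
        print(f"closest approach {d} m: peak anomaly {peak:.2f} nT, "
              f"threshold {thr:.2f} nT, flagged samples {len(hits)}")
```

With these assumed values the anomaly drops below the noise-derived threshold within a few metres, which is why many closely spaced sensors are needed.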

Environmental sensors are designed to gather a variety of data on the surrounding environment, such as chemical, physical, and biological information. They can be utilized for specific purposes, such as monitoring local pollution levels or providing support information to optimize acoustic performance of adaptable active sonar. These sensors typically have a limited range and are installed in close proximity to the target area, measuring data only at their specific location.

An optimized monitoring system should use a variety of sensor types, taking into account their different performances, limitations, and constraints, in order to achieve optimal coverage and effectiveness. Nodes can be designed to be interchangeable and use standard interfaces, allowing different payloads to be integrated together and simplifying deployment and maintenance. This approach ensures that different types of probes can be used according to potential targets, maximizing the system's capabilities.

3 Securing Ports from Seaside: Developing an Underwater Access Control System to Monitor and Prevent Unauthorized Entry

3.1 A Cost-Effective and Adaptable Underwater Barrier Based on Acoustic and Magnetic Sensors

The InSecTT project had a specific goal to support the maritime industry through the creation of advanced, cost-effective sensors for underwater use. To achieve this objective, high-performance magnetic and acoustic sensors have been developed, as well as a shared interface to enable the creation of single or multi-sensor barriers. Furthermore, an innovative mechanical solution for easy deployment and maintenance of the system has been investigated, where sensors could be replaced with interchangeable payloads. In addition, the project sought to simplify data transfer from various types of nodes and payloads through extensive research and study.

The configuration of both acoustic and magnetic barriers is based on several components, including sensor nodes, connection cables, junction boxes, a local terminal node connected to a communication system, and a remote control station ashore. Figure 5 illustrates two possible configurations. On the left, the terminal node and smart communication node are integrated on a floating platform and wired to the junction boxes, and the communication system transfers data to the remote control station through a wireless communication system. On the right, each junction box is wired to a communication node that provides the wireless link to the terminal node/remote control station.

Fig. 5
2 block diagrams exhibit the connections between junction boxes and terminal nodes. 1. The terminal nodes are connected to 2 junction boxes. 2. The terminal node is connected to 2 smart communication nodes followed by a junction box. One junction box is connected to acoustic sensors and the other junction box is connected to magnetic sensors.

Examples of connections between junction boxes and terminal nodes

Low-cost sensors can be achieved by using commercial off-the-shelf (COTS) components, which offer advantages such as mass production, maintenance and support, standardization, and access to open-source software modules. However, adapting existing transducers to new applications or functionalities requires a preliminary verification and validation phase. During the first phase of the InSecTT project, various solutions were compared, and their performance levels and cost-effectiveness analysed to select the most suitable solutions.

Magnetic sensor. A digital model of a fluxgate magnetic sensor was compared to an analog one (Figs. 6 and 7). While the digital model is more compact and cheaper, its performance did not meet the project's requirements. In contrast, the analog model was found to be compliant with the project's needs, but additional electronic components were required for analog-to-digital (A-to-D) conversion. As a result, the analog model was chosen for implementation in the prototypes of magnetic nodes, which are currently being tested in the maritime environment.

Fig. 6
A photograph of the main analog magnetic sensor components. It includes the connection of the following components with multi-color wires. Ethernet switch, power supply, transducers, and Arduino board.

Main components used in the prototyping of the analog magnetic sensor

Fig. 7
A photograph of the analog magnetic sensor. It exhibits a breadboard structure at the top and bottom. Both are connected with 4 cylindrical rods in between. The setup includes an Arduino board, ethernet switch, transducers, and power supply.

Integrated prototype of the analog magnetic sensor

Acoustic sensor. Three different models of acoustic transducers, commonly used in fish finder applications, were compared during pool trials to verify their performances. However, a lengthy study phase was required to determine the appropriate conditions for their proper deployment on the sea bottom, as the installation process differs significantly from that of a fish finder (as shown in Fig. 8). Furthermore, fish finders are typically installed inside the ship hull, utilizing an acoustic window, whereas transducers for barrier installations are placed directly in water. In the current design, two transducers are mounted on top of a waterproof case to facilitate deployment. Water volume monitoring is a similar activity, but the position of the sensors may vary depending on the specific application. Figure 9 provides some potential solutions for sensor placement, but other configurations may also be employed.

Fig. 8
An illustration exhibits the boat with a transducer sensor at the bottom.

Typical installation of fish finder transducers: attached to the rear part of boats or inside just on the bottom. In both cases the transducers point to the sea bottom to search for prey

Fig. 9
An illustration of the underwater setup. It exhibits the placement of acoustic sensors and other devices.

Possible layout for the deployment of acoustic sensors

Following the selection of the transducers, the electronic components were designed and implemented, including power supply units, data acquisition boards based on Arduino and Raspberry Pi 4, and an Ethernet network for data and command sharing. The wired data distribution network was specifically designed with a redundant link to ensure data transfer in the event of node malfunction or broken cables.

Given the deployment in very shallow waters, infrastructures could be damaged due to extreme environmental conditions such as waves and currents. Therefore, a decision has been taken to adopt a wired network based on the following constraints and requirements:

  • sensor nodes require an external power supply for extended periods of use. The most straightforward approach is to utilize thin cables that can accommodate limited energy consumption and also incorporate communication functionalities. However, the most effective solution is to employ fibre optic cables and electro-optic converters integrated into the Ethernet switches. Despite the advantages of fibre optic cables, the barriers have been designed to use them exclusively for data transfer, while the prototypes are based on Ethernet cables. This decision was made to ensure easy deployment, maintenance, and the ability to adapt or modify the system as necessary;

  • acoustic transducers generate a large volume of measurements, which can be filtered and fused by the processing unit installed in the nodes. However, the total number of measurements requires a significant bandwidth to ensure near real-time dispatch, as shown in Fig. 10. This requirement is not compatible with the use of acoustic modems or other underwater wireless communication systems, especially given the potential delays resulting from limited range;

    Fig. 10
    A chart of MQTT data transfer test. The Ethernet switch has 4 nodes that are connected to the MQTT status monitor, 15 sensor simulator, MQTT broker, and 15 sensor simulator. The test result at the bottom reads Test performed for 180s. On MQTT broker memory presents 5400 files for 256 kilobytes. No data lost is observed.

    Communication test conducted to verify the performance of the acoustic barrier wired network and its compatibility with the MQTT protocol

  • magnetic transducers acquire a relatively low amount of data and operate in close proximity to one another, making their range compatible with various underwater wireless communication systems. However, deployment in extremely shallow waters is not compatible with optical and acoustic communication models, which are susceptible to environmental noise, reflections, and diffraction of light and acoustic waves.

Despite the design constraints and logistical complexity associated with a wired solution, it is still preferable due to the high bandwidth and reliable data transfer it provides. This approach requires consideration of factors such as cable length, underwater connectors, and cable weight during deployment. Maintenance can also be more complex due to the disconnection of nodes, the need for more spare parts, and longer time required to complete activities.

To manage data flows, the MQTT protocol has been implemented within the wired network. It facilitates the transmission of measurements from the nodes to the junction box and from the junction box to the remote control station ashore, as well as the bidirectional periodic checks and control messages. Additionally, it enables commands to be sent from the remote control station ashore to the barriers/nodes.

The MQTT protocol has a proven track record in managing networks of sensors, nodes, and components in various applications. Its adoption is widespread, and there are existing codes and solutions that can be adapted to meet requirements. Furthermore, the protocol is subject to continued maintenance and improvements, ensuring that state-of-the-art solutions are always available.
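The data flows described above have a fixed direction (measurements up from the nodes, commands down from the control station), so they can be enforced with a per-client topic policy at the broker. The following is an added example, not the project's code: the topic layout, role names and policy are hypothetical, while the `+` and `#` wildcard semantics follow the MQTT specification.

```python
import re

ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # identifiers must not carry '/', '+' or '#'

# Hypothetical policy; {barrier} and {node} come from the authenticated client identity.
POLICY = {
    "node": {
        "publish": ["barrier/{barrier}/{node}/meas", "barrier/{barrier}/{node}/status"],
        "subscribe": ["barrier/{barrier}/{node}/cmd"],
    },
    "junction_box": {
        "publish": ["shore/{barrier}/data"],
        "subscribe": ["barrier/{barrier}/+/meas", "barrier/{barrier}/+/status"],
    },
    "control_station": {
        "publish": ["barrier/+/+/cmd"],
        "subscribe": ["shore/+/data", "barrier/+/+/status"],
    },
}


def topic_matches(filter_, topic):
    """MQTT filter match: '+' is exactly one level, '#' is all remaining levels."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    # Filters that start with a wildcard never match '$'-prefixed system topics.
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1       # '#' is only valid as the last level
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def filter_covered(requested, allowed):
    """True if every topic matched by `requested` is also matched by `allowed`."""
    r, a = requested.split("/"), allowed.split("/")
    for i, level in enumerate(a):
        if level == "#":
            return True
        if i >= len(r) or r[i] == "#":
            return False                        # request is broader than the grant
        if level != "+" and level != r[i]:
            return False
    return len(r) == len(a)


def authorize(role, ids, action, topic):
    """Default-deny check of a PUBLISH topic or a SUBSCRIBE filter for one client."""
    if not all(ID_RE.match(v) for v in ids.values()):
        return False                            # wildcard or '/' smuggled into an id
    for pattern in POLICY.get(role, {}).get(action, []):
        try:
            allowed = pattern.format(**ids)
        except KeyError:
            continue                            # identity lacks a required field
        if action == "publish":
            if "+" in topic or "#" in topic:
                return False                    # topic names never contain wildcards
            if topic_matches(allowed, topic):
                return True
        elif filter_covered(topic, allowed):
            return True
    return False


def demo():
    """Constructed requests: (role, ids, action, topic) -> decision."""
    node = {"barrier": "ac1", "node": "n07"}
    requests = [
        ("node", node, "publish", "barrier/ac1/n07/meas"),
        ("node", node, "publish", "barrier/ac1/n08/meas"),    # another node's topic
        ("node", node, "subscribe", "barrier/#"),             # over-broad filter
        ("junction_box", {"barrier": "ac1"}, "subscribe", "barrier/ac1/+/meas"),
        ("control_station", {}, "publish", "barrier/ac1/n07/cmd"),
    ]
    return [authorize(*req) for req in requests]


if __name__ == "__main__":
    print(demo())
```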

Since infrastructure monitoring is a time-critical activity, the system requires robust, reliable, and secure data distribution solutions. As previously stated, the wired underwater network meets these requirements. However, since the junction box must collect all the data and transmit it to a remote control station that may be far from the barriers, wireless communication links must connect the barriers to the system. The components of the wireless network must account for the complexity of the maritime environment and the various constraints that can affect data transmission, such as:

  • real-time data transfer is a fundamental requirement to ensure continuous monitoring of the infrastructure, early identification of potential threats, and prompt reaction to prevent undesired events. However, achieving real-time data transfer in the maritime environment can be a challenging task that requires extensive study and design activities;

  • the use of surface buoys introduces additional challenges, as the antennas mounted on them are subject to movement and the signal could be affected by waves. This can lead to temporary breaks in communication and the need to consider strategies to mitigate their impact;

  • transmission paths must consider the influence of sea surface reflections and the range, which are dependent on the transmitted power and the antenna's height above sea level. Meeting international standards for the first parameter is crucial, while the second parameter affects the size and stability of the buoy.

Existing COTS components designed for maritime environments (e.g. Glomex WBBoat, Lowrance, Banten, Scout, Ubiquiti Networks, and Radwin) could provide a viable solution. However, to ensure robustness, redundant antennas could be integrated, and multiple communication protocols could be used in parallel to provide alternatives in case of issues such as antenna malfunctions, bandwidth saturation, and interference. Such a solution has been studied in this work and a detailed description of the implementation is provided in the following sections.

In the InSecTT project, there is a focus on studying, implementing, and demonstrating Artificial Intelligence/Machine Learning (AI/ML) applications in various domains and use cases, including the proposed barriers and monitoring systems. These solutions can support data analysis, data fusion, and human interpretation.

To achieve a fully integrated tactical picture, the remote control console should merge data from various sensors, and AI/ML algorithms can help in different ways. For example, they can speed up processing by integrating and fusing data, filter data (especially large amounts of acoustic data), and extract low-level magnetic signals from background noise. Additionally, AI/ML algorithms can help with threat identification and classification, which is very promising given their ability to quickly compare known signals (such as the typical magnetic footprint of a target) with real-time measurements.

3.2 A Software Defined Networking for Wireless Communication in Harbour Infrastructures

Effective communication is critical in a harbour environment due to its complex and dynamic nature. Connecting various equipment and devices, such as ships, cranes, and sensor systems, can lead to challenges like network congestion, maintenance difficulties, and cybersecurity threats. These challenges can negatively impact port operations, reducing efficiency, reliability, and safety. As a result, it’s crucial to prioritize requirements like reliability, scalability, and data transmission security [10].

In order to tackle the challenges posed by issues such as network congestion, cybersecurity threats, and troubleshooting difficulties, a Software Defined Network (SDN) architecture based on multi-interface wireless communication nodes has been proposed. This architecture aims to establish secure and reliable connections between the underwater acoustic and magnetic barriers and the Information and Communication Technologies (ICT) infrastructure of the harbour.

SDN provides a scalable and dynamically reconfigurable network architecture that separates control and forwarding functions for easy network management [11]. This architecture is divided into three main functional layers:

  • The data plane, also known as the infrastructure layer, consists mainly of forwarding elements (FEs) interconnected via wired or wireless media. The FEs follow the instructions provided by the controller to perform packet forwarding.

  • The control plane includes a set of software controllers that provide the control logic used to program the functions of the FEs. This layer performs general functions such as system configuration and management and the exchange of routing table information.

  • The application plane consists of programs that provide network functions specifically for controlling data plane devices. These functions include policy implementation, network management, and security services.

The control layer of an SDN architecture provides three communication interfaces that enable it to supervise and manage network behaviour [12]:

  • The southbound interface allows communication between controllers and communication devices. The OpenFlow protocol is the de facto standard used as the southbound Application Programming Interface (API) in SDN networks.

  • The northbound interface provides access for applications on the application plane to the controller.

  • The east/westbound interfaces allow communication between multiple controllers to expand control over a larger domain and increase reliability and fault tolerance.

SDN technology is a beneficial solution for the communication challenges faced in harbour environments [13]. It provides increased flexibility, maintainability, and programmability for port networks. By separating the control and forwarding planes, the network can be easily and efficiently managed, which is particularly useful in the dynamic and complex environment of a harbour. The network can adapt to changing conditions and quickly connect new devices and equipment without the need for manual configuration, resulting in improved network efficiency.

In a harbour setting, SDN architecture improves maintainability. Centralized network control and real-time monitoring and troubleshooting enable network administrators to swiftly identify and resolve any issues, significantly reducing downtime and improving network reliability.

SDN also enhances programmability, allowing the network to be programmatically controlled through APIs. This feature enables task automation and integration with other systems, such as network management. Traditional networks typically use device or vendor-specific Command Line Interface (CLI) or Graphical User Interface (GUI) for network management, making it difficult to automate tasks and integrate network management with other systems. In contrast, SDN architecture exposes the control plane through APIs, enabling the automation of tasks such as provisioning new services, configuring network devices, and detecting and resolving network problems [14].

4 Smart Communication Node

The Smart Communication Node (SCN) is an architecture developed within the InSecTT project that leverages SDN technology (as shown in Fig. 11). The SCN consists of two primary entities: the SDN Controller and the Forwarding Devices (FDs). The SDN Controller serves as the brains of the system, managing and controlling the behaviour of the FDs, which act as data plane devices that execute decisions made by the SDN Controller.

Fig. 11
A flowchart of the smart communication node begins with the control station followed by the forwarding device. The device divides the Open vSwitch into 2 sets of WM for Wi-Fi and LoRa. The flow leads to another forwarding device with 2 sets of WM and a switch barrier. The first forwarding device includes an SDN controller which has security and reliability modules.

Architecture of the smart communication node (SCN)

FDs are multi-interface wireless communication nodes equipped with several Wireless Modules, a logical entity that manages a specific wireless interface. Each FD integrates one or more Wireless Modules, each for a wireless interface that needs integration. A Wireless Module comprises custom logic that can be adjusted to meet the particular needs of the network. The FD design is modular, making it extensible with other types of Wireless Modules in the future without completely redesigning the architecture. This modularity allows for scalability and flexibility of the SCN, allowing different wireless interfaces to be employed in various parts of the network, depending on their unique requirements. For example, an area may require a higher bandwidth and throughput, while another may necessitate longer range and lower power consumption. The modular design accommodates diverse wireless interfaces, making the SCN adaptable, scalable, and more flexible overall.

As depicted in Fig. 12, the FD prototype developed for the InSecTT project is equipped with two Wireless Modules: LoRa and Wi-Fi. LoRa is a low-power, long-range wireless technology that is suitable for IoT applications and can communicate over distances of several kilometers [15]. Meanwhile, Wi-Fi is a high-speed wireless technology commonly used in homes and businesses. The inclusion of both LoRa and Wi-Fi in the FD design allows the system to take advantage of the strengths of both technologies, enhancing its adaptability and versatility for different use cases [16].

Fig. 12
2 photographs of the forwarding device equipped with LoRa and Wi-Fi interfaces. a. A closed box labeled InSecTT with 2 tower structures for the LoRa and Wi-Fi interfaces positioned at the top. b. An opened box labeled InSecTT has an arrangement of devices that are connected to the LoRa and Wi-Fi tower structures with wires.

Prototype of the forwarding device (FD) equipped with LoRa and Wi-Fi interfaces

The SDN architecture of the SCN employs the OpenFlow protocol as the Southbound API for communication between the SDN Controller and the FDs. To make the FD OpenFlow-enabled, the physical device is equipped with Open vSwitch (OVS), a virtual switch that supports the OpenFlow protocol [17]. This configuration enables the SDN Controller to establish network flows between the FDs using OpenFlow rules and obtain statistics on the ports, flows, or flow tables of these devices.

The ONOS controller [18] was chosen as the SDN Controller because of its scalability, flexibility, and robustness, making it an ideal choice for managing the network of FDs in dynamic environments like harbours. The SDN Controller executes several applications, including two custom applications, the Reliability Module, and the Security Module, to supervise and control the network of FDs.

The Reliability Module is responsible for ensuring reliable wireless communication between FDs by analysing the physical channel to determine the most dependable wireless interface for communication.

The Security Module uses a Deep Learning model to conduct an IP-level analysis of each FD to detect possible attacks. If anomalies are detected, the type of attack is classified, and the most appropriate mitigation action is taken using OpenFlow's features. To ensure complete protection, this approach is combined with other security mechanisms, such as using Transport Layer Security (TLS) to communicate between the SDN Controller and FDs. TLS encrypts data and verifies the identity of participants involved in the communication, preventing data tampering and interception over network connections [19].

5 Reliability Module: An SDN-Based Approach for Reliable Wireless Communication

Harbours often experience interference from machinery, which can cause significant disruptions to wireless signals. Additionally, the harsh environment of a harbour, with saltwater and high humidity, can also have a negative impact on wireless communication. As a result, reliable and robust wireless communication between the FDs in the network is critical to ensuring smooth operation and avoiding potential delays and losses. The FDs and the Reliability Module in the SDN Controller are specifically designed to meet this requirement and provide a set of tools that will be described in this section.

The FDs and SDN Controller use a custom protocol (the SCN Protocol) in conjunction with OpenFlow for communication. OpenFlow provides a standard set of functions for managing and controlling packet flow in the network, while the SCN protocol covers all functionality not included in OpenFlow. The SCN protocol is used to send custom messages containing wireless statistics for each Wireless Module, enabling the SDN Controller to obtain a more detailed understanding of the network's performance and make decisions based on the wireless interface's performance. This is especially important when there are multiple wireless interfaces available, as the SCN protocol allows the SDN Controller to select the most reliable interface for use.

The Wireless Agent (shown on the left in Fig. 13) is responsible for managing the main business logic of an FD. Its primary function is to collect information about the performance of the wireless interfaces on the FD and transmit this data to the SDN controller. The SDN controller can then use this information to determine how to manage the flow of data packets throughout the network, ensuring reliable wireless communication. The Wireless Agent can send statistics in two ways: either in response to an explicit request from the SDN controller, or through an event-based logic that allows the wireless agent to send statistics when certain conditions are met, such as when a certain statistic exceeds a specific threshold value.

Fig. 13
An architecture includes the connection between the forwarding device and the SDN controller. The forwarding device includes a wireless agent with wireless performance monitors and communication handler, and an Open vSwitch. The SDN controller includes a reliability module, SCN core, and OpenFlow handler. The SCN core points to the wireless agent through SCNP, and the OpenFlow handler points to the Open vSwitch via OpenFlow.

Software architecture for the reliability solution, showing the architecture of the forwarding device (FD) on the left and the architecture of the SDN controller on the right

The SDN Controller is the other critical component of the SCN architecture (Fig. 13, right) consisting of multiple SDN applications that collaborate to manage and control the network of FDs. The SCN Core module acts as an intermediary between the SDN applications and the management logic of the FDs in the network. It maintains a record of the connected devices and their Wireless Modules, controls communication via the SCN Protocol, and offers APIs for other applications on the SDN Controller. These APIs enable other modules to identify the connected FDs, send them protocol messages, detect device connections or disconnections, and more.

The Wireless Stats Collector is a sub-module of the Reliability Module within the SDN Controller that collects various statistics from the Wireless Modules of each FD in the network. These statistics comprise signal strength, error rate, signal-to-noise ratio, and other relevant metrics for wireless communication. The collected statistics provide an extensive view of the wireless environment's condition, which is critical for the network to adapt to changing conditions in real time. The Decision Making sub-module uses the collected statistics to identify the most reliable Wireless Module for communication between a pair of FDs. The Decision Making sub-module is flexible, allowing for the addition of new decision-making strategies to adapt to various environments. To implement a decision-making strategy, a performance index, based on factors such as signal strength and noise, is used to calculate the quality of wireless communication between two FDs. Once the most reliable Wireless Module is identified, the OpenFlow Rule Manager sends flow rules to the FDs to direct network flow towards the chosen interface. The ability of this sub-module to direct traffic also allows granular control over traffic flow: communication between specific hosts can be restricted, which enhances security and protects the network against potential threats.
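An added sketch of the reporting and selection logic described in this section (not the project's code): a Wireless Agent that reports on request or when a threshold is crossed, and a Decision Making component with pluggable strategies. The performance-index formula, the edge-triggered reporting, the report validation and the staleness limit are assumptions, and all statistics are constructed.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class WirelessStats:
    module: str          # e.g. "wifi" or "lora"
    rssi_dbm: float
    noise_dbm: float
    error_rate: float    # fraction of frames in error, 0..1
    timestamp: float     # seconds

def snr_index(s):
    """Assumed performance index: SNR in dB discounted by the error rate."""
    return (s.rssi_dbm - s.noise_dbm) * (1.0 - s.error_rate)

# New strategies are added by registering another scoring function here.
STRATEGIES = {"snr_index": snr_index, "lowest_error": lambda s: -s.error_rate}

class WirelessAgent:
    """FD side: report on request, or once when error_rate rises above a threshold
    (edge-triggered, an assumption)."""
    def __init__(self, error_threshold):
        self.error_threshold = error_threshold
        self._above = {}                      # module -> above threshold at last sample

    def sample(self, stats, requested=False):
        crossed = stats.error_rate > self.error_threshold
        fire = requested or (crossed and not self._above.get(stats.module, False))
        self._above[stats.module] = crossed
        return stats if fire else None        # None: nothing is sent to the controller

class DecisionMaking:
    """Controller side: keep the latest valid report per module, pick the best one."""
    def __init__(self, strategy="snr_index", max_age=10.0):
        self.score = STRATEGIES[strategy]
        self.max_age = max_age
        self.latest = {}                      # (fd_pair, module) -> WirelessStats

    def update(self, fd_pair, s):
        values = (s.rssi_dbm, s.noise_dbm, s.error_rate, s.timestamp)
        if not all(math.isfinite(v) for v in values) or not 0.0 <= s.error_rate <= 1.0:
            return False                      # malformed report: keep the previous one
        self.latest[(fd_pair, s.module)] = s
        return True

    def best_module(self, fd_pair, now):
        fresh = [s for (pair, _), s in self.latest.items()
                 if pair == fd_pair and now - s.timestamp <= self.max_age]
        return max(fresh, key=self.score).module if fresh else None
```

When `best_module` returns None there is no fresh report for the pair, so the caller should keep the flow rules already installed rather than switch interface on stale data.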

6 Security Module: A Network Intrusion Detection System for Wireless SDN Networks

The SDN approach offers flexibility, programmability, and maintainability, but it also brings new security threats. Each layer of the SDN architecture can potentially create vulnerabilities that affect the network's overall security. Malicious applications, controller vulnerabilities, flow rule legitimacy and consistency, non-standardization of northbound interfaces, and security risks associated with southbound interface communication are the typical security concerns that arise [20].

To address these security threats, a Network Intrusion Detection System (NIDS) was designed and developed to monitor the entire network and identify intrusions and attacks by analysing traffic. The NIDS is designed to detect attacks launched by hackers attempting to gain unauthorized access to the network, steal information, or disrupt service [21]. The NIDS operates across all three layers of the SDN architecture (Fig. 14). Data plane devices collect information on the traffic they handle and periodically send it to the controller using the IPFIX (IP Flow Information Export) protocol specification, which is an IETF protocol supported by OVS. IPFIX defines how flow information is formatted and transferred to one or more collectors in a certain observation domain.

Fig. 14
A flowchart of the network intrusion detection system. It begins with the forwarding device, followed by the SDN controller and the IDS REST service.

Software architecture of the network intrusion detection system

Several scientific works [22,23,24,25] have demonstrated how IPFIX features can detect and identify attacks by representing key events. IPFIX not only defines basic statistics that Exporters must send to Collectors (IANA-registered Information Elements), but also enables the introduction of new, enterprise-specific Information Elements to meet specific needs.
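How a Collector can tell IANA-registered from enterprise-specific Information Elements when it reads an IPFIX Template Set, with the length checks a controller needs before trusting Exporter input. This is an added example following RFC 7011 framing, not the project's Collector; the sample message, template ID and the documentation enterprise number 32473 are constructed.

```python
import struct

IANA_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
              8: "sourceIPv4Address", 12: "destinationIPv4Address"}  # registry subset

class IpfixError(ValueError):
    """Raised for any malformed or truncated message from an Exporter."""

def parse_templates(msg: bytes):
    """Return (observation_domain_id, {template_id: [(element, length, enterprise)]})."""
    if len(msg) < 16:
        raise IpfixError("message shorter than the 16-byte header")
    version, length, _export_time, _seq, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length != len(msg):
        raise IpfixError("bad version or length field")
    templates, off = {}, 16
    while off < length:
        if length - off < 4:
            raise IpfixError("truncated set header")
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise IpfixError("set length outside message")
        if set_id == 2:                      # Template Set
            templates.update(_template_set(msg, off + 4, off + set_len))
        off += set_len
    return domain, templates

def _template_set(msg, pos, end):
    out = {}
    while end - pos >= 4:                    # fewer than 4 bytes left is padding
        tid, count = struct.unpack_from("!HH", msg, pos)
        pos += 4
        if count == 0:                       # template withdrawal, nothing to record
            continue
        if tid < 256:
            raise IpfixError("template id in reserved range")
        fields = []
        for _ in range(count):
            if end - pos < 4:
                raise IpfixError("field count exceeds set length")
            ie, flen = struct.unpack_from("!HH", msg, pos)
            pos += 4
            pen = None
            if ie & 0x8000:                  # enterprise bit: a 4-byte PEN follows
                if end - pos < 4:
                    raise IpfixError("missing enterprise number")
                (pen,) = struct.unpack_from("!I", msg, pos)
                pos += 4
                ie &= 0x7FFF
            name = IANA_NAMES.get(ie, ie) if pen is None else ie
            fields.append((name, flen, pen))
        out[tid] = fields
    return out

# Constructed sample: template 256, three IANA elements plus one under PEN 32473.
_FIELDS = struct.pack("!HHHHHHHHI", 8, 4, 12, 4, 2, 8, 0x8000 | 1, 4, 32473)
_SET = struct.pack("!HHHH", 2, 8 + len(_FIELDS), 256, 4) + _FIELDS
SAMPLE = struct.pack("!HHIII", 10, 16 + len(_SET), 1700000000, 0, 7) + _SET
```

Templates are scoped to the observation domain returned alongside them, so a Collector should key its template cache on the Exporter and that domain rather than on the template ID alone.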

The Controller receives IPFIX traffic statistics from switches in the network and uses the Collector sub-module to process them. The Collector sub-module then notifies a list of subscribers, including the Detector sub-module, of the collected statistics. The Detector sub-module aggregates the flow information obtained from various switches and stores it temporarily in a cache. Periodically, it invokes the IDS Service at the application level to analyse the network flows. The IDS Service employs a deep learning model to detect and identify possible attacks by analysing the data. The detection and classification tasks were addressed through the use of Deep Learning techniques because:

  • Deep learning models can learn meaningful representations from complex, high-dimensional data.

  • Incremental and transfer learning paradigms can improve current performance as the data grows and adapt models to new types of attacks.

The model used in the analysis is a stacked model consisting of:

  • Anomaly Detector: One-Class Classification (OCC) Deep Neural Network (DNN) trained by minimizing the HSC Loss [26] to detect anomalous flows. The use of an OCC approach is justified by the fact that more normal samples are usually available and the prevention of large-scale attacks is difficult due to the ever-changing nature of attacks. However, as in [26], the concept of Outlier Exposure [27] has been exploited to improve understanding of what is normal. HSC Loss is a variant of cross entropy loss which forces the model to learn a latent space in which normal examples are mapped close to the origin while anomalous examples are far from the origin. This neural network considers all flows that have an outlierness greater than a fixed threshold ϑ, determined during testing based on the ROC curve, to be anomalous.

  • Intrusion Classifier: Multi-Class Classification DNN trained by minimizing the Categorical Cross Entropy to identify the type of attack that was performed.
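The two-stage decision described in the list above, as an added sketch that is not the project's code. It assumes the HSC loss takes the usual hypersphere-classifier form with a pseudo-Huber distance, that ϑ is chosen at the ROC point maximising Youden's J (the text only says it comes from the ROC curve), and it uses constructed latent vectors and a toy second stage in place of the two DNNs.

```python
import math

def outlierness(z):
    """Pseudo-Huber distance of a latent vector from the origin: sqrt(|z|^2 + 1) - 1."""
    return math.sqrt(sum(v * v for v in z) + 1.0) - 1.0

def hsc_loss(latents, is_normal):
    """Mean HSC loss: pulls normal flows to the origin, pushes exposed outliers away."""
    total = 0.0
    for z, normal in zip(latents, is_normal):
        h = outlierness(z)
        total += h if normal else -math.log(1.0 - math.exp(-h) + 1e-12)
    return total / len(latents)

def roc_points(scores, is_anomaly):
    """(threshold, TPR, FPR) per distinct score, flagging a flow when score > threshold."""
    pos = sum(is_anomaly)
    neg = len(is_anomaly) - pos
    points = []
    for t in sorted(set(scores)):
        tp = sum(1 for s, a in zip(scores, is_anomaly) if a and s > t)
        fp = sum(1 for s, a in zip(scores, is_anomaly) if not a and s > t)
        points.append((t, tp / pos, fp / neg))
    return points

def pick_threshold(scores, is_anomaly):
    """Assumed criterion: the ROC point maximising Youden's J = TPR - FPR."""
    return max(roc_points(scores, is_anomaly), key=lambda p: p[1] - p[2])[0]

def stacked_predict(z, theta, classify):
    """Stage 1 gates on outlierness; only flagged flows reach the intrusion classifier."""
    return classify(z) if outlierness(z) > theta else "normal"

# Constructed 2-D latent vectors standing in for the anomaly detector's output.
NORMAL = [(0.1, 0.0), (0.0, 0.3), (0.2, 0.2), (0.5, 0.1), (0.9, 0.4)]
ATTACK = [(2.0, 1.0), (0.0, 3.0), (1.5, 1.5), (0.4, 0.5)]
LATENTS = NORMAL + ATTACK
IS_ANOMALY = [False] * len(NORMAL) + [True] * len(ATTACK)

def toy_classifier(z):
    """Stand-in for the multi-class DNN (labels are constructed)."""
    return "ddos" if z[0] >= z[1] else "probe"

THETA = pick_threshold([outlierness(z) for z in LATENTS], IS_ANOMALY)
```

With this sample the chosen ϑ catches every constructed attack at the cost of one normal flow, (0.9, 0.4), being passed to the classifier; moving ϑ along the ROC curve trades that false positive against missed attacks.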

The dataset used to train the Anomaly Detector and Intrusion Classifier models is sourced from [28], an extended version of [29]. To ensure that the models are not biased and are able to interpret the data correctly during training, a data cleaning phase is performed before appropriate pre-processing of the features. The data cleaning phase eliminates attack classes and features that are not relevant to the detection of attacks in Software Defined Underwater Sensor Networks. In the pre-processing phase, numerical data is scaled using standard scaling, while categorical data is binary encoded.

The IDS Service receives flows to be analysed on a REST channel in a JSON message, reorders and transforms the flow statistics into the expected format, and initiates the inference process. By building a REST API for the model, multiple applications can use it. Once the inference is complete, the predictions for each flow are returned to the Detector using the same channel. The Detector then provides each prediction to the Mitigation sub-module along with information required to select the flow for the most suitable mitigation action in the event of an anomaly. The Mitigation sub-module also maintains a record of the attack history to enable mitigation rules to be applied to new switches added to the network. It may decide to apply one of the following actions:

  • dropping malicious flows;

  • forwarding the malicious flows to a honeypot of the system in use;

  • limiting malicious flows by applying QoS operations via OpenFlow Meter, which introduces a check on ingress packet rate and byte rate for each port of every device before applying the expected treatment.

Currently, the system employs different mitigation strategies depending on the type of attack detected. Attacks that cause system stress and limit its availability, such as Denial of Service (DoS) and Distributed DoS (DDoS), are mitigated by dropping the corresponding traffic. For attacks where it is beneficial to gather information about the attacker and their methods, the forward-to-honeypot strategy is used. For rare attacks that are difficult to recognize using the current model, OpenFlow Meter tables are set up. It should be noted that IPFIX statistics for flows forwarded to the honeypot are not collected or analysed, as the purpose of the honeypot is to gather information on hacker behaviour.
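The mitigation logic described above, including the replay of the attack history to newly connected switches, as an added sketch rather than the project's Mitigation sub-module. Attack class names other than DoS/DDoS, the rule dictionaries, the port and meter numbers, and the choice to rate-limit any class the policy does not list are assumptions.

```python
from dataclasses import dataclass, field

DROP, HONEYPOT, METER = "drop", "forward_to_honeypot", "meter"
# DoS/DDoS -> drop follows the text; the other class names are constructed examples.
POLICY = {"dos": DROP, "ddos": DROP, "port_scan": HONEYPOT, "brute_force": HONEYPOT}

@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    proto: int

@dataclass
class Mitigation:
    honeypot_port: int
    meter_id: int
    switches: set = field(default_factory=set)
    history: dict = field(default_factory=dict)    # FlowKey -> action (attack history)
    installed: list = field(default_factory=list)  # (switch, rule) pairs pushed so far

    def rule(self, key, action):
        """Controller-neutral rule description (not a real controller's JSON schema)."""
        match = {"ipv4_src": key.src_ip, "ipv4_dst": key.dst_ip, "ip_proto": key.proto}
        if action == DROP:
            instructions = []                       # no forwarding action: flow is dropped
        elif action == HONEYPOT:
            instructions = [{"output": self.honeypot_port}]
        else:                                       # rate check first, then usual treatment
            instructions = [{"meter": self.meter_id}, {"then": "expected_treatment"}]
        return {"match": match, "instructions": instructions}

    def on_prediction(self, key, label):
        """Record and push a mitigation for one classified flow; returns the action."""
        if label == "normal":
            return None
        action = POLICY.get(label, METER)           # class not in the policy -> rate limit
        if self.history.get(key) != action:         # repeated verdicts install nothing new
            self.history[key] = action
            for sw in sorted(self.switches):
                self.installed.append((sw, self.rule(key, action)))
        return action

    def on_switch_added(self, sw):
        """Replay the attack history so a new FD starts with the current mitigations."""
        if sw in self.switches:
            return
        self.switches.add(sw)
        for key, action in self.history.items():
            self.installed.append((sw, self.rule(key, action)))

    def should_analyse(self, key):
        """Flows diverted to the honeypot are excluded from IPFIX analysis."""
        return self.history.get(key) != HONEYPOT
```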

7 Conclusions

The emergence of the Blue Economy has shifted the attention of coastal nations towards the monitoring and protection of their maritime infrastructure. As a result, the protection of essential infrastructure such as oil rigs, pipelines, and offshore renewable power plants has become increasingly critical due to the evolving international political landscape. The InSecTT project aims to address these challenges by implementing smart, secure, and affordable solutions that deploy sensors and barriers to monitor maritime infrastructure. These solutions will be integrated with wireless communication systems, including AI/ML based solutions, to provide a comprehensive framework for protecting these essential assets.

The vast areas to be monitored and the distance from the coast pose significant challenges for the communication system. Therefore, specific wireless solutions based on redundancy and multi-protocols working in parallel must be studied and implemented, taking into account the challenges of the maritime environment.

The collaboration between Leonardo S.p.A. and University of Calabria has resulted in a valid solution for this specific application. This solution involves the deployment of acoustic and magnetic barriers at sea, integrated with a smart and redundant wireless communication system, to allow for integration with the harbour and/or infrastructure control system. However, further work is required to transform prototypes into products, and continuous monitoring of technological advances in components and wireless communication systems is necessary to keep the system up-to-date. Finally, progress in AI/ML algorithms and solutions for big-data processing and management will provide further improvements to safety and security, as well as efficient management of the barriers and the wireless communication infrastructure, in an integrated environment.