Honors Theses and Capstones

Date Completed

Spring 2026

Abstract

The Precision Time Protocol (IEEE 1588) provides sub-microsecond clock synchronization across packet-switched networks and has become foundational infrastructure in 5G fronthaul, industrial control systems, and financial exchanges. Despite its criticality, most deployed PTP networks operate without active security monitoring, and no standardized detection mechanism exists for the class of attacks that deliberately stay below conventional jitter thresholds. This thesis investigates whether hardware-level ptp4l offset logs alone are sufficient to reliably detect two such attacks, slowly wandering packet delay injection and rogue master spoofing, and whether detection can occur before severe synchronization failure.

A hardware-in-the-loop testbed was constructed using two hosts equipped with Intel i210 Network Interface Cards, which support hardware-level PTP timestamping. One host acted as the Grandmaster clock (rb1) and the other as the Slave (rb2), with a Net Storm network impairment appliance inline as the attack injection point. Trials followed a controlled 30-minute structure divided into three phases: a 615-second synchronization baseline, a 600-second attack injection window, and a 600-second recovery period. A real-time detection script monitored the growing ptp4l log and applied four independent detectors: a sustained master offset alarm, a single-sample path delay jump detector, a 60-second rolling slope regression on path delay, and a baseline exponential moving average drift check.

Across three clean trials of each attack type, the slope detector identified slow delay injection within 30 to 45 seconds of the attack beginning — consistently before the master offset exceeded the 250 nanosecond threshold that defines synchronization failure under the test criteria. For rogue master attacks, detection was effectively instantaneous: the BMCA state transition to an unauthorized Grandmaster appeared in the ptp4l log within one second of the link cut, and the path delay jump detector fired simultaneously. A secondary finding with practical implications was that the master offset metric drops to near zero during a rogue master attack, because the slave resynchronizes to the unauthorized clock rather than losing lock entirely. Offset monitoring alone is therefore insufficient for rogue master detection; BMCA state transition logging must be included in any robust monitoring strategy.

These results demonstrate that the detection gap identified in RFC 7384, the absence of real-time, operator-facing tooling capable of catching attacks that evade standard jitter thresholds, can be meaningfully closed using only unmodified ptp4l output on hardware already present in production deployments. The empirical signatures characterized here provide a validated foundation for a network-scale PTP health monitoring system, and the attack-specific detection profiles are directly actionable by network operators without requiring changes to the PTP implementation or additional monitoring hardware.
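The following sketch shows two of the checks the abstract describes, the 60-second rolling slope regression on path delay and the Grandmaster-change check, run over ptp4l log lines. It is an added example, not the thesis's detection script. The slope threshold, the minimum window span, the clock identities and the sample log are assumptions constructed for illustration; only the 60-second window and the 250 ns failure threshold come from the abstract.

```python
import re
from collections import deque

# Line shapes follow linuxptp's ptp4l output; values marked "assumed" are not from the thesis.
OFFSET_RE = re.compile(r"ptp4l\[(\d+\.\d+)\]: master offset\s+(-?\d+) s\d freq\s+[+-]?\d+ path delay\s+(-?\d+)")
BEST_RE = re.compile(r"ptp4l\[(\d+\.\d+)\]: selected best master clock (\S+)")
WINDOW_S = 60.0         # rolling regression window (from the abstract)
MIN_SPAN_S = 30.0       # assumed: do not judge slope on a near-empty window
SLOPE_NS_PER_S = 2.0    # assumed alarm slope for path delay
OFFSET_FAIL_NS = 250    # synchronization-failure threshold (from the abstract)

def slope(points):
    """Least-squares slope in ns/s over (time, path_delay) samples."""
    mt = sum(t for t, _ in points) / len(points)
    md = sum(d for _, d in points) / len(points)
    var = sum((t - mt) ** 2 for t, _ in points)
    return sum((t - mt) * (d - md) for t, d in points) / var if var else 0.0

def scan(lines, allowed_gm):
    """Return the first time each condition is seen, keyed by alert kind."""
    first, window = {}, deque()
    for line in lines:
        m = BEST_RE.search(line)
        if m:
            if m.group(2) != allowed_gm:   # BMCA picked a clock we do not trust
                first.setdefault("unauthorized_gm", float(m.group(1)))
            continue
        m = OFFSET_RE.search(line)
        if not m:
            continue
        t, off, delay = float(m.group(1)), int(m.group(2)), int(m.group(3))
        window.append((t, delay))
        while t - window[0][0] > WINDOW_S:
            window.popleft()
        if t - window[0][0] >= MIN_SPAN_S and slope(window) > SLOPE_NS_PER_S:
            first.setdefault("delay_slope", t)
        if abs(off) > OFFSET_FAIL_NS:
            first.setdefault("offset_fail", t)
    return first

def constructed_log():
    """Constructed sample: 120 s baseline, then path delay ramps 5 ns/s; new GM at the end."""
    out = ["ptp4l[999.500]: selected best master clock 0000aa.fffe.000001"]
    for i in range(240):
        ramp = max(0, i - 120)
        out.append(f"ptp4l[{1000 + i}.000]: master offset {3 * ramp + i % 5 - 2:10d} s2 freq {-1200:+7d} "
                   f"path delay {540 + 2 * (i % 3 - 1) + 5 * ramp:9d}")
    out.append("ptp4l[1240.200]: selected best master clock 0000bb.fffe.000002")
    return out
```

Calling `scan(constructed_log(), "0000aa.fffe.000001")` on the constructed sample reports the path delay slope alert before the offset crosses 250 ns, and flags the Grandmaster change independently of any offset value.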

Document Type

Capstone

First Advisor

Radim Bartos

Creative Commons License

Creative Commons Attribution 4.0 International License
This work is licensed under a Creative Commons Attribution 4.0 International License.

College or School

CEPS

Department or Program

Computer Science

Degree Name

Bachelor of Science
