Towards an Increased Detection Sensitivity of Time-Delay Attacks on Precision Time Protocol

Precision time protocol (PTP) is one of the most widely used protocols for clock synchronization in packet-switched networks, on which, among others, the transaction synchronization of the stock markets relies. PTP was not standardized with security as a core requirement and is therefore vulnerable and attractive to manifold kinds of malicious attacks, such as time-delay attacks (TDAs). TDAs, in short, corrupt the exchange of timestamped messages and thus cause an incorrect synchronization process. Annex P of the IEEE 1588-2019 standard defines a number of security mechanisms for clock synchronization, but none of these can protect a PTP-based system completely against TDAs. In this work, we enhance existing approaches by introducing a so-called observation task and analytically deriving attack properties of an ongoing TDA. Following the recommendation of annex P of the IEEE 1588-2019 standard, these attack parameters are intended to serve as an additional input for intrusion detection systems to allow for a more reliable and sensitive detection of TDAs. The impact of the derived attack parameters is explored by means of comprehensive experiments.


I. INTRODUCTION
Precision time protocol (PTP) is one of the most widely used protocols for clock synchronization in packet-switched networks and is based on the exchange of timestamped messages between clients and servers. Among others, it is adopted to synchronize transactions at the stock markets. In 2013, Eurex (one of the world's largest derivatives exchanges) was halted for a few hours due to an internal time synchronization issue (footnote 1), which led to a major loss of profit for many investors. Although this incident was caused by an internal fault, its profound and harmful consequences point out the vulnerability of PTP, turning it into an attractive target for malicious attacks.
In fact, PTP was not standardized with security as a core requirement and therefore is vulnerable to manifold kinds of attacks. One of these is the so-called time-delay attack (TDA) [1]-[3], in the course of which, in short, an attacker who gained access to the network delays individual PTP-related messages, which leads to incorrect timestamps being used in the synchronization process. This can have various effects on the network and its participants, as we will discuss later on.
Footnote 1: https://www.reuters.com/article/idINL6N0GR0TY20130826
Although annex P of the IEEE 1588-2019 standard [4] has defined a number of security mechanisms for clock synchronization, none of these measures can protect a PTP-based system completely against TDAs. For this reason, prong D of annex P of the IEEE 1588-2019 standard not only emphasizes the importance of combining multiple security mechanisms, but specifically recommends enhancing the security of a PTP-based network by monitoring a broad range of parameters. Against this background, we complement existing approaches by making use of response time analysis techniques from the real-time domain and focusing on a parameter that has, to the best of our knowledge, not yet been considered. By analytically deriving attack properties from the response time of a so-called observation task, we provide an additional input for intrusion detection systems, aiming to allow for a more reliable and sensitive detection of time-delay attacks.
In short, we make the following contributions:
• We introduce an observation task, which can be inserted into existing PTP-synchronized client systems and indicates, based on its response time, whether a TDA is being performed in the network.
• We analytically derive convergence properties of the busy window response time analysis method and exploit these to approximate the attack properties of an ongoing TDA, which can serve as an input to sophisticated intrusion detection systems and thus lead to an increased attack detection sensitivity.
• By means of comprehensive simulations, we explore the impact of the attack parameters of a TDA on the system.
The rest of this work is structured as follows: In Sec. II, we explain the precision time protocol (PTP) in detail, before we introduce the threat model adopted in this work in Sec. III. In the course of this, we first clarify how time-delay attacks can be performed on PTP in Sec. III-A and then present our attacker model in Sec. III-B. In Sec. IV, we provide an overview of existing security and attack mitigation mechanisms with respect to PTP, motivating the novelty and necessity of our analysis proposed in Sec. V. We explore the impact of our derived attack parameters experimentally in Sec. VI, before we summarize our findings and conclude this work in Sec. VII.

II. PRECISION TIME PROTOCOL
Precision Time Protocol (PTP) [4] is used for clock synchronization between different participants in a packet-switched network. In networks based on PTP, one participant's clock serves as the main clock (subsequently termed server clock) with respect to which all other participants' clocks need to be periodically adjusted. The synchronization process between the server and another network participant (henceforth termed client) is based on the exchange of timestamped messages, by means of which the clock offset, i.e., the difference between the server clock and the client clock, is computed. In the course of this, it is necessary to also determine the transmission delay, which is not part of the clock offset and therefore must be taken into consideration during the offset computation to ensure the correctness of the clock adjustment.
In Fig. 1, a simplified network is portrayed, by means of which the synchronization process is explained in more detail: Initially, the server sends a Sync message to the client and timestamps the moment $t_1$ at which the message leaves the server. Depending on the implementation, this timestamp is transmitted to the client either via the Sync message or by using a so-called Follow_Up message. The client, in turn, timestamps the instant $t_2$ at which it receives the Sync message according to its local clock. It then computes the difference between $t_2$ and $t_1$, which corresponds to the offset between its local clock and the server clock in addition to the transmission delay. To calculate the transmission delay, the client needs to measure the round-trip time to the server and back. For this purpose, it sends a Delay_Req message to the server and timestamps the moment $t_3$ at which the message leaves the client. Once a Delay_Resp message is received, which is sent by the server and contains the timestamp $t_4$ marking the arrival of the Delay_Req message at the server, the client extracts $t_4$ and proceeds with the computation.
Based on the four timestamps, i.e., $t_1$, $t_2$, $t_3$, and $t_4$, the client can estimate the transmission delay under the assumption that the transmission channel is symmetric (footnote 2), i.e., that the time required for transmitting a message from the server to the client equals the time required for transmitting a message from the client to the server, as given by (1).
After having computed the transmission delay, the clock offset can be calculated as given by (2) and the client's clock can be updated accordingly.

III. THREAT MODEL
In the following, we clarify the threat model considered in this work. First, we explain the principle of time-delay attacks on PTP in Sec. III-A, before we introduce the adopted attacker model in Sec. III-B.

A. TIME-DELAY ATTACKS ON PTP
As stated in Sec. II, the computation of the offset between a server clock and a client clock relies on the assumption that the communication channel is symmetric, which originates from the IEEE 1588-2019 standard [4] and constitutes a vulnerability attackers can exploit. By analyzing the network traffic, intercepting PTP messages, and artificially retaining (and thus delaying) Sync and/or Delay_Req messages, an attacker causes a client to retrieve incorrect timestamps, so that the client computes a wrong clock offset and updates its clock incorrectly, as illustrated in Fig. 2a. For clarification, consider the offset computation process shown in Fig. 2. Initially, the client clock has an offset of +1 time units, which will be derived correctly if no TDA is performed. However, in the event of a TDA, the client will compute an incorrect offset of +0.5 time units. Please note that a late release instant of the Delay_Req message does not have an impact on the offset computation (which considers only $t_4$ and $t_3$), unless the Delay_Req message itself is affected by a time-delay attack. A TDA can be performed in different ways, namely, either all messages or only PTP messages can be delayed. Moreover, a TDA can be performed either in one direction of the communication, known as asymmetric link delay attack [5], or in both directions with different delays (footnote 3), termed symmetric delay attack. However, for the remainder of this work, the TDA type is not relevant.
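The effect of the symmetry assumption on the computed offset, as an added example that is not code from the paper: it applies the standard PTP delay request-response computation (mean path delay as half the sum of both measured legs, offset as $t_2 - t_1$ minus that delay) to constructed timestamps. All values are constructed so that one attacked case yields +0.5 time units for a true offset of +1; the timestamps of Fig. 2 are not reproduced, and the function names are hypothetical.

```python
"""Added example: one PTP delay request-response exchange with attacker-added delay."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exchange:
    t1: float  # server clock: Sync leaves the server
    t2: float  # client clock: Sync arrives at the client
    t3: float  # client clock: Delay_Req leaves the client
    t4: float  # server clock: Delay_Req arrives at the server


def simulate_exchange(true_offset, link_delay, sync_extra=0.0, req_extra=0.0,
                      t1=100.0, turnaround=2.0):
    """Construct the four timestamps of one exchange (constructed sample values).

    true_offset: client clock minus server clock (what PTP should recover).
    link_delay:  genuine one-way delay, identical in both directions.
    sync_extra / req_extra: time an in-path attacker holds back the Sync or
    the Delay_Req message; message contents are left untouched.
    """
    t2 = t1 + link_delay + sync_extra + true_offset      # read on the client clock
    t3 = t2 + turnaround                                  # read on the client clock
    t4 = (t3 - true_offset) + link_delay + req_extra      # read on the server clock
    return Exchange(t1, t2, t3, t4)


def mean_path_delay(x):
    """Transmission delay estimate; correct only if both directions are equal."""
    return ((x.t2 - x.t1) + (x.t4 - x.t3)) / 2.0


def offset_from_server(x):
    """Clock offset the client applies: (t2 - t1) minus the estimated delay."""
    return (x.t2 - x.t1) - mean_path_delay(x)


def run_scenarios(true_offset=1.0, link_delay=3.0, hold=1.0):
    """Return {scenario: (computed_offset, offset_error, estimated_delay)}."""
    scenarios = {
        "no attack": (0.0, 0.0),
        "Sync delayed": (hold, 0.0),
        "Delay_Req delayed": (0.0, hold),
        "both delayed equally": (hold, hold),
    }
    results = {}
    for name, (sync_extra, req_extra) in scenarios.items():
        x = simulate_exchange(true_offset, link_delay, sync_extra, req_extra)
        computed = offset_from_server(x)
        results[name] = (computed, computed - true_offset, mean_path_delay(x))
    return results


if __name__ == "__main__":
    for name, (computed, error, delay) in run_scenarios().items():
        print(f"{name:22s} offset={computed:+.2f} error={error:+.2f} delay={delay:.2f}")
```

The offset error equals half the difference between the two added delays, so equal delays in both directions cancel in the offset and only inflate the estimated path delay.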

B. ATTACKER MODEL
For the rest of this work, we assume that the attacker is either an external entity or an insider with malicious intent [6]. We adopt an in-band adversary model [3], according to which the attacker has full control of the communication path between the server and its clients. However, since we assume the MACsec or IPsec protocol to be used for securing the communication between the server and its clients, inserting fake messages and changing fields of passing messages is detectable and therefore not an option. Instead, the attacker is supposed to aim at compromising the time synchronization of the system using time-delay attacks.
The server is assumed to be trustworthy, such that it cannot be compromised. Moreover, clients are assumed to be secure, so that the attacker cannot compromise them directly. Nevertheless, the attacker is expected to have the expertise and the tools to compromise a switch (footnote 4) and thus to be able to compromise all clients indirectly by performing time-delay attacks. Concretely, we assume that a man-in-the-middle attack is implemented in the course of which a TDA on PTP synchronization tasks is performed (as explained in [7]), which introduces asymmetric communication delays, leading to a change of the activation periods of message transmissions.

IV. RELATED WORK
Owing to the vulnerability of PTP with respect to security attacks, the challenge of securing PTP and providing detection as well as mitigation mechanisms has been extensively studied [3], [8]. First, the annex K of the IEEE 1588-2008 standard [9] introduced a number of mechanisms to improve the security of PTP. These were extended and enhanced in the latest, recently released version (i.e., in the annex P of IEEE 1588-2019 [4]) and include the deployment of security protocols such as MACsec [10] and IPsec [11] in order to ensure data origin authentication, communication confidentiality, data integrity, as well as replay attack protection and, in consequence, to prevent PTP message manipulation [8], message dropping and insertion [12], denial of service (DoS) attacks [13], as well as master node falsification attacks [14].
Footnote 3: An identical delay introduced into both directions does not have any effect on the behavior of the protocol.
Footnote 4: Explaining the initial exploit allowing the attacker to compromise the switch is beyond the scope of this work.
With respect to time-delay attacks, multiple detection and mitigation strategies have been proposed in the literature, including architectural mechanisms such as the usage of multiple paths between the server and client clocks [1] or of multiple time sources, i.e., servers [4]. However, although such strategies are theoretically sound, they are not always practical due to their strong dependence on the network topology.
Another direction followed by the research community is to analyze the impact of TDAs on the calculation of the round-trip delay and offset at client nodes [2], [13] in order to develop better mitigation mechanisms. To detect a TDA, it is possible to use a predefined round-trip delay threshold [1], [15]: Whenever this threshold is exceeded, the client assumes that a TDA is in progress. Using this mechanism is, however, not always practical; for instance, if network delays are unbounded, false alarms may be triggered frequently [1]. Moreover, if an attacker permanently injects delays larger than the predefined threshold, a denial of service (DoS) attack may be introduced [2].
VOLUME 4, 2016
Apart from these works, much effort has been made to detect anomalies in general based on the timing behavior of a system. In [16], the worst-case execution time (WCET) of each code snippet of a task, as derived based on static timing analysis, is used to detect the execution of unauthorized code. More precisely, the system collects the task's timing metrics and compares them with predefined worst-case bounds. By doing this, the system becomes capable of detecting situations in which the observed task is going to exceed its timing requirements due to a security breach. Instead of monitoring at the software level, the usage of dedicated hardware for monitoring the execution of code snippets is proposed in [17]. The monitored timing values are compared with precomputed WCET bounds, which allows deviations to be detected. Applying worst-case response time analysis for deriving a new bound on the response time of a task and using this as an indicator of code injection attacks has been suggested in [18].
To the best of our knowledge, response-time analysis-based techniques have not yet been applied with regard to the detection of TDAs on PTP. Against this background, we follow the recommendation of the prong D of the annex P of the IEEE 1588-2019 standard [4], according to which the security of a PTP-based network should be enhanced by, in addition to other measures, monitoring a broad range of parameters in the network. Specifically, we subsequently derive attack properties from the response time of an observation task, which can serve as an additional input for intrusion detection systems.

V. TIMING ANALYSIS
As discussed in Sec. IV, it is meaningful to monitor a large number of parameters in order to detect time-delay attacks and to be able to invoke countermeasures. Although the number of parameters that can be monitored is large, not all of them are useful in this context. For instance, when considering a client system on which one or more tasks are delayed due to a TDA in the network (cf. Sec. III), monitoring the execution time of tasks is not meaningful for detecting the attack. In fact, the events of the respective tasks are delayed, but none is skipped, for which reason the TDA does not have any impact on their execution times (footnote 5). What, in contrast, is affected during a TDA is the response time of tasks, as illustrated in the example in Fig. 3: If the activation of the higher-priority task $\tau_j$ is delayed by $\delta$ time units (cf. second diagram in Fig. 3), the response time of the lower-priority task $\tau_k$ is shorter compared to the case in which the activation of $\tau_j$ is not delayed (cf. first diagram in Fig. 3). Accordingly, observing the response time of tasks on a client system appears to be a promising approach in order to detect TDAs in the network.
Footnote 5: Please note that monitoring the execution times of tasks may be meaningful to detect other attacks such as code injection attacks, where additional instructions are inserted by an attacker. However, this is beyond the scope of this work.
Fig. 3: An example illustrating the effect of a delayed activation of the higher-priority task $\tau_j$ on the response time of the lower-priority task $\tau_k$ (second diagram) in comparison to a case in which the activation of $\tau_j$ is not delayed (first diagram).
However, monitoring the response times of all (PTP-synchronized) tasks on all client systems in a network is inconvenient. For this reason, we subsequently introduce so-called observation tasks, which are scheduled under the lowest priority on each client system (strategies for integrating an observation task into an existing system can, e.g., be found in [19]). The response time of an observation task includes the interference from all higher-priority tasks and therefore reflects the effects of delays following from a TDA. Instead of simply comparing the observed response time of an observation task with the so-called nominal worst-case response time, i.e., the worst-case response time in the case that no TDA is performed in the network, we go one step further in this work and derive attack parameters from the observed response time, which can be used by intrusion detection systems to not only detect a TDA, but also to invoke countermeasures.
To this end, we subsequently provide a system model in Sec. V-A and model the timing behavior of the system in Sec. V-B, before we revisit the theoretical foundations of the busy window response time analysis in Sec. V-C and derive convergence properties, which are exploited in Sec. V-D to obtain approximations of the attack parameters of a TDA. In Sec. V-E, we provide some additional remarks. A supportive quick reference for the notation is given in Table 1.

Table 1: An overview of the notation used in this work.

| Notation | Explanation |
|---|---|
| $\alpha_i$ | nominal event arrival function (upper bound) of task $\tau_i$ |
| $\tilde{\alpha}_i$ | off-nominal event arrival function (upper bound) of task $\tau_i$ |
| $C_i$ | worst-case execution time (WCET) of task $\tau_i$ |
| $d_i$ | number of delayed events of task $\tau_i$ due to a TDA |
| $\delta$ | fixed periodic delay resulting from a TDA |
| $\delta_{min}$ | minimum possible periodic delay attack |
| $\delta_{max}$ | maximum possible periodic delay without causing a DoS |
| $f_i$ | computation function of the busy window of task $\tau_i$ |
| $f_i(n)$ | computation function of the busy window of task $\tau_i$ at iteration $n$ |
| $F_i(n)$ | bound on the computation function of the busy window of task $\tau_i$ |
| $\varphi_i(q)$ | $q$-event earliest possible activation of task $\tau_i$ |
| $I_i$ | set of interferers of task $\tau_i$, i.e., tasks with higher priority |
| $I_i^{non}$ | set of interferers of task $\tau_i$, which are not affected by a TDA |
| $I_i^{tda}$ | set of interferers of task $\tau_i$, which are affected by a TDA |
| i | number of periodic events of task $\tau_i$ after which one event is delayed |
| min i | minimum possible value of i for task $\tau_i$ |
| max i | maximum possible value of i for task $\tau_i$ |
| $n^{tda}$ | convergence iteration of the computation function of the busy window of a task |
| $P_i$ | period of a task $\tau_i$ |
| $R_i$ | worst-case response time (WCRT) of task $\tau_i$ |
| $\rho_i$ | rate of convergence of the computation function of the busy window of task $\tau_i$ |
| $T$ | set of tasks on the contemplated client |
| $\tau_i$ | task; general notion |
| $\tau_j$ | interfering task of $\tau_k$ |
| $\tau_k$ | observation task with lowest priority |
| $w_i(q)$ | $q$-event busy window of task $\tau_i$ |
| $w_i$ | 1-event busy window of task $\tau_i$ |
| $w_i^n$ | size of the 1-event busy window of task $\tau_i$ at iteration $n$ |
| $\Omega$ | overall delay introduced to the client system due to a TDA |

A. SYSTEM MODEL
For the rest of this work, we consider a client system in a PTP-based network, on which a set of sporadic tasks T is assumed to be executed under a preemptive fixed-priority scheduling policy according to a given priority assignment.
Each task $\tau_i \in T$ is characterized by its worst-case execution time (WCET) $C_i$ and its period (or inter-arrival time) $P_i$. Moreover, $\alpha_i$ describes the nominal event arrival function of a task $\tau_i$ providing an upper bound on the number of resource accesses per period of time. For each task $\tau_i$, the set of interferers, i.e., the set of higher-priority tasks, is denoted as $I_i$. The activation of (a subset of) tasks is synchronized using PTP synchronization operations (cf. Sec. II). In the following, the asymmetric communication delay resulting from the TDA (cf. Sec. III) as perceived from the perspective of the client system is modeled as a fixed periodic delay $\delta$, which is introduced at particular activation periods during the so-called attack window, i.e., from the beginning until the end of an attack. Since delaying PTP synchronization messages for a longer time can result in an easily detectable denial of service (DoS) attack on the client node, we assume the fixed periodic delay $\delta$ to be at most $\delta_{max}$. Please note that $\delta_{max}$ depends on the network design and the configurations of the employed intrusion detection system, but is not an intentionally chosen design parameter. We assume that $\delta_{max}$ can be observed by an attacker as described in Sec. III-B, who is able to intercept and thus to analyze the network traffic.

B. TIMING AND EVENT MODEL
In order to analyze the response time of an observation task $\tau_k$, it is necessary to first define the previously mentioned nominal worst-case response time of a task as well as the method by means of which it is computed. Concretely, the observation task is analyzed during a busy window $w_k(q)$, which is defined as follows:
Definition 1 (Busy Window). Let the busy window $w_k(q)$ be the maximum amount of time required to complete $q$ activations of task $\tau_k$. It is bounded by
Based on Def. 1, the nominal worst-case response time $R_k$ of task $\tau_k$ is defined as follows:
i.e., as the longest time interval between the activation and the completion of $\tau_k$, which equals the difference between the busy window $w_k(q)$ and the earliest possible activation $\varphi_k(q)$.
It is evident from Def. 1 that $w_k(q)$ of the analyzed task $\tau_k$ strongly depends on the nominal event arrival functions $\alpha_j$ of its interferers $\tau_j \in I_k$. However, in the case that a TDA is performed in the network, a delay is introduced to a number of tasks in $I_k$, as described above, which leads to a deviation from their nominal event arrival functions. To model the effect of a TDA on a task $\tau_j \in I_k$, an off-nominal event arrival function $\tilde{\alpha}_j$ over an interval of time $\Delta t$ can be defined, for which holds that
According to the threat model provided in Sec. III, we subsequently assume that due to the delayed activation of a task $\tau_j$ every ( j + 1)th event within the attack window is delayed by $\delta$ time units, as illustrated in Fig. 4. With respect to all non-delayed events, i.e., where mod ( j + 1) = 0, the minimum distance between two subsequent events remains unchanged and thus equals the task period $P_j$. Accordingly, the off-nominal event arrival function $\tilde{\alpha}_j$ of a delayed task $\tau_j$ can be defined as follows:
For clarification, consider each complete sequence of j events, followed by a time interval of $P_j + \delta$ as a section of the interval $\Delta t$: The first part of Eq. 6 counts the number of events contained in all complete sections in $\Delta t$, while the second part of Eq. 6 factors in the remaining events. Please note that the number of events within $\Delta t$ computed by $\tilde{\alpha}_j$ is an upper bound.
Being able to quantify the events of a delayed task using the off-nominal event arrival function given in Def. 3, it is necessary to redefine the busy window introduced in Def. 1 in order to include the impact of the off-nominal interference of one or more (footnote 6) delayed $\tau_j \in I_k$ on the response time of the observation task $\tau_k$:
Definition 4 (Busy Window Revisited). Let the busy window $w_k(q)$ be the maximum time required to complete $q$ activations of task $\tau_k$. It is bounded by
where $I_k^{tda}$ is the set of interferers of $\tau_k$ delayed due to a TDA in the network and $I_k^{non}$ is the set of non-delayed interferers, for which holds that I tda
So far, the nominal event arrival function of tasks as well as the nominal worst-case response time of the observation task $\tau_k$ have been defined, allowing us to compare the latter to the actual response time of $\tau_k$ in order to identify deviations. However, we are interested in retrieving more information about a TDA based on such deviations, namely, the so-called attack parameters, i.e., approximations of the delay $\delta$, the overall delay $\Omega$ introduced to the client system, and the number of events j after which one event of a task $\tau_j$ is delayed. Since the off-nominal event arrival functions $\tilde{\alpha}_j$ of delayed tasks $\tau_j \in I_k$, which depend on $\delta$ and j (cf. Def. 3), are unknown, it is necessary to bridge the gap between these and the actual response time of the observation task $\tau_k$. In the following, we dive deeper into the theory of the busy-window method and derive convergence properties that can be exploited for this purpose.

C. CONVERGENCE PROPERTIES OF THE BUSY-WINDOW METHOD
As evident from Def. 4, the busy window is calculated by a fixed-point computation, which is solved iteratively in a number of discrete steps. To improve readability, we subsequently consider the computation of a one-event busy window, i.e., $q = 1$, for a task $\tau_i$. In this contemplated case, the computation starts at iteration 0, where $w_i^0 = C_i$, i.e., considering only the WCET of $\tau_i$ without any interference. Then, one of the interferers $I_i$ is added in each iteration, until the computation reaches a fixed point. This process is illustrated on the left side of Fig. 5.
Let $f_i(n) = w_i^n$ be a discrete function associating to each iteration $n$ a value $w_i^n$ describing the size of the busy window. This function $f_i$ is referred to as the computation function of the busy window and is illustrated on the right side of Fig. 5.
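The iteration described above and the effect shown in Fig. 3, as an added example that is not code from the paper: `busy_window_iterations` returns the sequence $w^0, w^1, \dots$ up to the fixed point using the standard busy-window recurrence for strictly periodic interferers, $\alpha_j(\Delta t) = \lceil \Delta t / P_j \rceil$ (an assumption made here), and `observed_response_time` simulates the lowest-priority observation task when individual activations of an interferer are held back. Task parameters and function names are constructed; all jobs are assumed to run for their full WCET and to be released together at $t = 0$.

```python
"""Added example: busy-window iteration and an observation task under a delayed interferer."""
from collections import Counter


def busy_window_iterations(c_k, interferers, q=1, max_iter=1000):
    """Return [w^0, w^1, ...] of the q-event busy window up to its fixed point.

    interferers: list of (C_j, P_j) for all higher-priority tasks, integers.
    Assumes alpha_j(dt) = ceil(dt / P_j), i.e. strictly periodic arrivals.
    """
    w = q * c_k                      # iteration 0: own execution demand only
    sequence = [w]
    for _ in range(max_iter):
        interference = sum(-(-w // p) * c for c, p in interferers)  # ceil(w/p)*c
        nxt = q * c_k + interference
        if nxt == w:                 # fixed point reached
            return sequence
        sequence.append(nxt)
        w = nxt
    raise RuntimeError("no fixed point found: the task set is overloaded")


def observed_response_time(c_k, interferers, delays=None, horizon=1000):
    """Simulate preemptive fixed-priority scheduling in unit time steps.

    interferers: list of (C_j, P_j); list order is priority order, and the
    observation task runs below all of them. delays maps
    (interferer_index, event_number) to the extra activation delay (delta)
    of that single event; all other events keep their nominal release n * P_j.
    Returns the completion time of the observation job released at t = 0.
    """
    delays = delays or {}
    releases = []                    # per interferer: release time -> job count
    for idx, (_, p) in enumerate(interferers):
        times = (n * p + delays.get((idx, n), 0) for n in range(horizon // p + 1))
        releases.append(Counter(times))
    pending = [0] * len(interferers)  # outstanding demand per interferer
    remaining = c_k
    for t in range(horizon):
        for idx, (c, _) in enumerate(interferers):
            pending[idx] += c * releases[idx][t]
        running = next((i for i, d in enumerate(pending) if d > 0), None)
        if running is not None:
            pending[running] -= 1     # a higher-priority job occupies this slot
            continue
        remaining -= 1                # the observation task gets the slot
        if remaining == 0:
            return t + 1
    raise RuntimeError("observation task did not finish within the horizon")


def response_time_gap(c_k, interferers, delays):
    """Nominal worst-case response time (q = 1) minus the observed one."""
    nominal = busy_window_iterations(c_k, interferers)[-1]
    return nominal - observed_response_time(c_k, interferers, delays)


if __name__ == "__main__":
    tasks = [(2, 5)]                  # constructed: tau_j with C_j = 2, P_j = 5
    print("f_k(n):", busy_window_iterations(4, tasks))
    print("observed, nominal:", observed_response_time(4, tasks))
    print("observed, 2nd event of tau_j delayed by 1:",
          observed_response_time(4, tasks, {(0, 1): 1}))
```

On a real client the response time also falls below the nominal bound whenever jobs finish before their WCET, so the gap is one input to an intrusion detection system and not a verdict on its own.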
Although the computation function $f_i$ is not known a priori, a bound can be obtained using numerical analysis. To this end, we make the following assumptions:
(a) The event arrival functions of all $\tau_i \in T$ are subadditive, preventing the size of the busy window from growing asymptotically.
(b) When no workload of a not yet considered $\tau_j \in I_i$ can be added from one iteration to the next one, the busy window converges and its size reaches a fixed point of value $w_i^n$. That is,
Aiming to bound the computation function $f_i$ of the busy window of a task $\tau_i$, it is necessary to reflect upon its rate of convergence. In general, the rate of convergence $\frac{f_i(n+1) - r}{f_i(n) - r}$ determines the ratio between the error (footnote 7) at iteration $n + 1$ and the error at the previous iteration. Since $r$ is not known in advance, the error $f_i(n) - r$ at iteration $n$ is approximated with the value $f_i(n) - f_i(n - 1)$.
For the specific $f_i(n) = w_i^n$ considered in this work, the following lemma can be formulated:
Lemma 1 (Rate of Convergence). For the rate of convergence $\rho_i$ of the computation function $f_i$ of the busy window of a task $\tau_i$, it holds that
Proof. In order to determine the rate of convergence $\rho_i$, it is necessary to consider the difference of the size of the busy window between two iterations $w_i^{n+1}$ and $w_i^n$. According to Def. 1, for a 1-event busy window, w n+1 Cj Pj . Following from the schedulability condition for fixed-priority preemptive scheduling given in [20], $\sum_{\tau_j \in I_i} \frac{C_j}{P_j} \le 1$.
Based on the rate of convergence of the computation function $f_i$ of the busy window, it is possible to determine a bound on $f_i$:

Theorem 1 (Bound on the Computation Function).
The computation function $f_i(n)$ of the busy window of a task $\tau_i$ is bounded by the function
Proof. The difference between two computation iterations of the busy window is defined as $F_i(n) = w_i^{n+1} - w_i^n$ at iteration $n$. It can also be defined based on the value of the busy window at the previous iteration $n - 1$, taking into account the rate of convergence, which determines the error between the two iterations, i.e., $F_i(n) = \rho_i \cdot (w_i^n - w_i^{n-1})$. This can be further repeated until the initial iteration, taking into account the error by considering the rate of convergence $\rho_i$ at each iteration.
In what follows, we exploit the above derived convergence properties of the busy window method to retrieve approximations of the attack parameters of a TDA based on the response time of an observation task τ k .

D. APPROXIMATION OF THE ATTACK PARAMETERS
As explained in Sec. V-B, the response time of an observation task $\tau_k$ does not equal its nominal worst-case response time if a TDA is performed in the network, but the size of the busy window is reduced due to the delayed events of a (number of) higher-priority task(s) $\tau_j \in I_k$, as stated in Def. 4. We refer to this reduced busy window by $w_k^{tda}$ and assume that $w_k^{tda} < w_k$, where $w_k$ corresponds to the nominal WCRT of $\tau_k$. Moreover, we assume that the computation function $f_k$ of the busy window converges at iteration $n^{tda}$, which is unknown, but can be derived as follows:
Theorem 2 (Convergence Iteration). The iteration $n^{tda}$ at which the computation function $f_k$ of the busy interval of a task $\tau_k$ converges and the size of the busy window reaches $w_k^{tda}$ is given by
where $w_k^{tda}$ indicates the observed response time of $\tau_k$.
Proof. The value $w_k^{tda}$ can be written as $w_k^{tda} = C_k + \sum_{n=0}^{n^{tda}} F_k(n)$, which equals the value of $w_k^0$ at the first iteration plus the accumulated difference of the added interference between two successive iterations until iteration $n^{tda}$. Using Theorem 1, w tda n=0 ρ n k . The term $\sum_{n=0}^{n^{tda}} \rho_k^n$ is a geometric series, for which two cases must be distinguished, namely, case i) $\rho_k < 1$ and case ii) $\rho_k = 1$. We first consider case i), in which, due to the nature of the geometric series, . By inserting and rearranging, ρ In case ii), due to the nature of the geometric series, $\sum_{n=0}^{n^{tda}} \rho_k^n = \rho_k^0 \cdot (n^{tda} + 1)$. Therefore, w tda
Knowing the iteration $n^{tda}$ at which the computation function $f_k$ of the busy interval of the observation task $\tau_k$ converges, it is possible to approximate a number of attack parameters of an ongoing TDA. For this purpose, we subsequently first assume that only one $\tau_j \in I_k$ is delayed in consequence of a TDA. In this case, the overall delay $\Omega$ introduced to the client system as well as the number of delayed events $\tilde{q}_j$ per delayed task $\tau_j$ can be computed as follows:
Theorem 3 (Overall Delay and Delayed Events). The overall delay $\Omega$ introduced to the client system due to a TDA delaying one interferer $\tau_j \in I_k$ is given by ) and the number of delayed events $\tilde{q}_j$ of $\tau_j$ by $\tilde{q}_j = \frac{\Omega}{P_j}$. (13)
Proof. Since we already discussed the properties of the convergence function $f_k$ of the busy interval in Sec. V-C, we only sketch the proof. As illustrated in Fig. 6, it holds by construction that $f_k(n^{tda} + 1) = f_k(n^{tda}) + \Omega$. Following from the assumption that only one $\tau_j \in I_k$ is delayed in consequence of a TDA, only events of $\tau_j$ can have been delayed during $\Omega$. Therefore, the number of delayed events of $\tau_j$ is upper-bounded by $\tilde{q}_j = \frac{\Omega}{P_j}$.
Having considered the case that only one $\tau_j \in I_k$ is delayed in consequence of a TDA, we henceforth assume that multiple $\tau_j \in I_k$ are delayed.
While this assumption does not have any impact on the overall delay $\Omega$, no definite statement about the number of delayed events per task can be made in this case. Since it is unknown which task contributed how much to $\Omega$, and since finding a distribution of $\Omega$ that corresponds to the real system state is not trivial, we suggest approximating it by means of a heuristic.
As a straightforward approach to approximate the number of delayed events per task under the assumption that the number of delayed tasks is known, it is possible to distribute $\Omega$ according to a uniform distribution. However, since not all tasks contribute the same amount of workload to the busy window $w_k^{tda}$, it is more sensible to distribute $\Omega$ proportionally to the task utilization. For clarification, consider two tasks $\tau_j, \tau_y \in I_k$ delayed in consequence of a TDA, to which, proportionally to their utilization, i.e., $\frac{C_j}{P_j}$ and $\frac{C_y}{P_y}$, respectively, the following shares of $\Omega$ are distributed: $s_j \cdot \Omega$ to $\tau_j$ and $s_y \cdot \Omega$ to $\tau_y$, where $s_j + s_y = 1$. Based on this distribution, the number of delayed events per task can be approximated similarly to Theorem 3, i.e., $\tilde{q}_j = \frac{s_j \cdot \Omega}{P_j}$ and $d_y = \frac{s_y \cdot \Omega}{P_y}$. If the number of delayed tasks, however, is unknown, all possible combinations of potentially delayed tasks must be enumerated and the approximated number of delayed events for each enumerated scenario must be computed in order to cover all possible system states.
Although the number of delayed events per task can be determined (in case only one task is delayed) or at least approximated and enumerated (in case multiple tasks are delayed), determining the exact periodic delay δ is not possible, since not only δ, but also j and, in consequence, $\tilde{\alpha}_j$ are unknown. Nevertheless, bounds on δ can be provided: As already known from Sec. V-A, δ is upper-bounded by $\delta_{max}$. To determine a lower bound $\delta_{min}$, we again first consider the case that only one $\tau_j \in I_k$ is affected by a TDA. Since in this case the number of delayed events can be computed using Theorem 3, $\delta_{min}$ is obtained by:
Theorem 4 (Minimum Periodic Delay). The minimum periodic delay $\delta_{min}$ that can have been introduced to a PTP-synchronized interferer $\tau_j \in I_k$ of the observation task $\tau_k$ due to a TDA is given by (14)
Proof. Since the number of events of task $\tau_j$ during the nominal busy window $w_k$ of the observation task $\tau_k$ can be determined by its well-known nominal event arrival function $\alpha_j(w_k)$, the number of events of task $\tau_j$ during the off-nominal busy window $w^{tda}_k$ of $\tau_k$ can be computed as $\alpha_j(w_k) - \tilde{q}_j$, where $\tilde{q}_j$ is the number of delayed events. Although the number i of periodic activations of $\tau_j$ after which one event is delayed by δ time units is unknown, the minimum possible value of j according to the threat and system models is min j = 1, which corresponds to the case that each event is delayed. Therefore, $\delta_{min}$ is obtained by dividing the overall introduced delay Ω by the number of events, i.e., $\delta_{min} = \frac{\Omega}{\alpha_j(w_k) - \tilde{q}_j}$.
The approximation of $\delta_{min}$ and the knowledge of $\delta_{max}$ do not allow determining the exact delay δ, but can be used to enumerate all possible values of δ. This enumeration can, for instance, be done by starting from j = min j = 1 and increasing the value of j in discrete steps, where the related value of δ can be computed similarly to Theorem 4, dividing Ω by the number of j -event sections. All possible values of δ have been enumerated as soon as one computed value of δ is larger than $\delta_{max}$. Then, max j = j − 1, where is the value used in the recently completed computation. In the case that more than one $\tau_j \in I_k$ is delayed in consequence of a TDA, the same approach can be applied, however, taking all approximations of $\tilde{q}_j$ for all delayed $\tau_j \in I_k$ into account.
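The utilization-proportional split of Ω over several delayed tasks and the enumeration of candidate δ values described above, as an added Python sketch (not code from the paper or from pyCPA). Assumptions: quotients are left unrounded, the number of sections is the integer quotient of the remaining events by the activation count, and all task names and numbers are constructed.

```python
from fractions import Fraction
from itertools import combinations

# Constructed interferer set I_k: name -> (C, P), i.e. WCET and period.
TASKS = {"tau_j": (1, 4), "tau_y": (2, 16)}

def delayed_events(omega, tasks, delayed):
    """Split omega over the delayed tasks proportionally to C/P and
    return {task: s * omega / P}. Quotients are left unrounded (assumption)."""
    util = {t: Fraction(tasks[t][0], tasks[t][1]) for t in delayed}
    total = sum(util.values())
    return {t: (util[t] / total) * omega / tasks[t][1] for t in delayed}

def enumerate_scenarios(omega, tasks):
    """Unknown number of delayed tasks: one approximation per non-empty
    subset of interferers that could have been delayed."""
    names = sorted(tasks)
    return {subset: delayed_events(omega, tasks, subset)
            for r in range(1, len(names) + 1)
            for subset in combinations(names, r)}

def enumerate_delta(omega, events, delta_max):
    """events = alpha_j(w_k) - q_j, passed in as an integer (assumption).
    every = number of activations after which one event is delayed.
    Returns [(every, delta)] for every = 1, 2, ... until delta > delta_max."""
    candidates = []
    for every in range(1, events + 1):
        sections = events // every       # assumption: complete sections only
        delta = Fraction(omega, sections)
        if delta > delta_max:            # stop criterion stated in the text
            break
        candidates.append((every, delta))
    return candidates

if __name__ == "__main__":
    for subset, q in enumerate_scenarios(12, TASKS).items():
        print(subset, {t: str(v) for t, v in q.items()})
    print(enumerate_delta(omega=12, events=7, delta_max=5))
```

The first entry of the list returned by `enumerate_delta` is the lower bound of Theorem 4 (every event delayed); the last entry gives the largest activation count still compatible with the upper bound on δ.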

E. REMARKS ON THE ANALYSIS
So far, we derived convergence properties from the busy window response time analysis method and used these to retrieve attack parameters of an ongoing TDA. In this context, we append two further remarks:
1) The derived attack parameters are approximations and are not required to be precise. This is particularly the case because they are intended to be fed into an intrusion detection system in addition to many further parameters and, therefore, play a supportive role. More specifically, the intrusion detection system does not rely on the attack parameters, but can exploit these in order to make more sensitive predictions and to invoke more effective countermeasures.
2) It is well-known that in the majority of cases tasks do not execute for their worst-case execution time. However, in our formal analysis, we consider their worst-case execution times anyway. This follows from the fact that the applied busy window response time analysis technique is designed for analyzing the worst-case response time of tasks and therefore relies on the usage of worst-case execution time values. This may introduce a high degree of pessimism into our approach and could lead to an overly sensitive intrusion detection system triggering frequent false alarms, but can be avoided if realistic worst average-case execution time values are provided.

F. REMARKS ON JITTERS
In the following, we will discuss the impact of jitters on the analysis proposed in this work. Jitters are deviations of the event arrival from a task's period. More precisely, an event can arrive earlier (negative jitter) or later (positive jitter) than the period due to environmental influences such as, e.g., the material characteristics of a hardware component.
A jitter is extremely small compared to a task period and can be bounded by the maximum negative jitter $J^-_i$ and the maximum positive jitter $J^+_i$ for a task $\tau_i$. Typically, a jitter is in the interval $[J^-_i, J^+_i]$ and occurs at every event release. However, the maximum jitters occur only in very rare cases.
Based on the maximum jitters, an upper and a lower bound on the nominal event arrival function $\alpha_i$ can be defined, namely, the nominal event arrival function with maximum negative jitter $\alpha^-_i$ and the nominal event arrival function with maximum positive jitter $\alpha^+_i$, where the maximum negative (or positive, respectively) jitter occurs in each period.
Definition 5 (Nominal Event Arrival Functions with Maximum Jitter). The nominal event arrival function with maximum negative jitter of a task $\tau_i$ is defined as (15) and the nominal event arrival function with maximum positive jitter of a task $\tau_i$ is defined as
Similarly, an off-nominal event arrival function with maximum negative jitter $\tilde{\alpha}^-_i$ and with maximum positive jitter $\tilde{\alpha}^+_i$ can be defined 8 .
Consider the case that under a no-attack scenario each event of a task $\tau_j$ arrives with the maximum positive jitter $J^+_j$, as illustrated on the left side of Fig. 7. In consequence, the accumulation of jitters may at some point in time 9 equal the length of one period, such that until this point in time one event less has arrived compared to the zero-jitter case. Accordingly, the accumulated jitter will have an impact on the response time of the observation task and, therefore, is likely to be considered as a delay introduced by a TDA. However, such a scenario can only occur if the jitter is large enough compared to the period and, moreover, if the observation interval is long enough.
Further, consider the case that a TDA is performed, resulting in an off-nominal event arrival function $\tilde{\alpha}_j$ of task $\tau_j$ including a constant delay δ, as illustrated on the right side of Fig. 7. Additionally, assume that each event of $\tau_j$ arrives with a maximum negative delay $J^-_j$. In this scenario, the accumulated $J^-_j$ may have amortized the delay δ at some point in time, such that the attack does not have any impact on the response time of the observation task. However, similar to the previous case, this can only occur if the jitter is large enough compared to the period, if the observation interval is long enough, and, moreover, if δ is small enough compared to the jitter and if the sequence of undelayed events before each introduced δ is long enough.
Both of the discussed cases are extremely rare, since the probability of event arrivals according to the nominal event arrival function with maximum positive or negative jitter is infinitesimal, whereas the typical jitter does not have a significant impact on the proposed analysis.

VI. EVALUATION
To study the impact of the attack parameters of a TDA on the response time of an observation task, we first explain how to model a PTP-based network for compositional performance analysis (CPA), before we perform two experiments using pyCPA [21], namely, one based on synthetic task sets in Sec. VI-B and one based on an exemplary network with in Sec. VI-C. Fig. 8 illustrates a simplified compositional performance analysis (CPA) model of a PTP-based network, including a server node, a client node, and a PTP-aware switch. The output ports of the switch are mapped to CPA resources using a fixed-priority non-preemptive scheduling policy. On the switch, four tasks are depicted, which are required for performing the PTP synchronization operations (cf. Sec. II). For each task, it holds that the lower the index, the higher the priority. Please note that in non-real-time operating systems such as Linux, PTP is implemented using one task only (the so-called PTP daemon). The decision to model PTP using four (sub-)tasks aims at modeling the effect of a TDA in a more fine-grained way.

A. MODELING FOR CPA
The PTP message flow starts in the event source Periodic Sync on the server, which generates the periodic activation of Sync() messages, represented by task $\tau_1$ in the server node. Sync() messages are propagated through the path, including task $\tau_1$ in the switch, until the input port of the client node, where they activate task $\tau_1$ on the client node. Task $\tau_2$ represents the Follow_Up() message sent by the master node. The IEEE 1588-2019 standard requires that Follow_Up() is transmitted as early as possible after the transmission of the related Sync() message [4]. This message is propagated through the model in the same way as described for Sync(). In multi-cast communication, the IEEE 1588-2019 standard requires that the Del_Req() message is generated with a particular periodicity. Therefore, the event source (Periodic Sync) on the client node is used to activate task $\tau_3$, which sends the message Del_Req() that is propagated through the switch until the input port of the server node. There, it activates the task $\tau_3$, which creates the Del_Resp() message to be propagated through the path until task $\tau_4$ in the client node.
In the remainder of this work, we assume PTP to be modeled similarly in pyCPA, making adjustments as required for the respective experiment setups.

B. SYNTHETIC EVALUATION
In our first experiment, we explore the impact of different values of the attack parameters of a TDA on the WCRT of the observation task, applying our proposed analysis to synthetically generated task sets. To this end, we first introduce our experiment setup in Sec. VI-B1, before we discuss the results in Sec. VI-B2.

1) Experiment Setup
In the course of this experiment, we generate sets of periodic tasks with cardinality 2 and 4, which share a resource under fixed-priority preemptive scheduling. The utilization values of the tasks are generated using the UUniFast [22] algorithm such that a resource utilization of 80% is obtained, while their period $P_i$ is chosen according to a uniform distribution over the interval [5, 2500]. For each task $\tau_i$, the deadline is created according to a uniform distribution over the interval $[P_i, 10 \cdot P_i]$.
When simulating a TDA, the highest-priority task $\tau_j$ is assumed to be delayed by an amount of time δ, while the observation task $\tau_k$ is scheduled under the lowest priority. To carry out the analysis of each task set, pyCPA [21] was used.
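The task-set generation of this setup, with a plain busy-window iteration standing in for pyCPA, as an added Python example (not the authors' scripts and not pyCPA code). Assumptions: integer periods, list order as priority order, and the standard fixed-priority preemptive busy-window recurrence for the nominal (no-attack) case.

```python
import math
import random

def uunifast(n, total_u, rng):
    """UUniFast: draw n task utilizations that sum to total_u."""
    utils, remaining = [], total_u
    for i in range(1, n):
        nxt = remaining * rng.random() ** (1.0 / (n - i))
        utils.append(remaining - nxt)
        remaining = nxt
    utils.append(remaining)
    return utils

def make_task_set(n, rng, total_u=0.8, p_lo=5, p_hi=2500):
    """Index 0 is the highest-priority task (the delayed tau_j), the last
    entry is the lowest-priority observation task tau_k (assumption)."""
    tasks = []
    for u in uunifast(n, total_u, rng):
        period = rng.randint(p_lo, p_hi)          # assumption: integer periods
        tasks.append({"P": period,
                      "C": u * period,            # WCET from utilization
                      "D": rng.uniform(period, 10 * period)})
    return tasks

def busy_window(tasks):
    """Nominal busy window of the observation task: iterate
    w = C_k + sum(ceil(w / P_j) * C_j) over all higher-priority tasks
    until the value no longer changes."""
    *interferers, obs = tasks
    w = obs["C"]
    while True:
        w_next = obs["C"] + sum(math.ceil(w / t["P"]) * t["C"]
                                for t in interferers)
        if w_next == w:
            return w
        w = w_next

if __name__ == "__main__":
    rng = random.Random(1)                        # constructed seed
    for n in (2, 4):
        ts = make_task_set(n, rng)
        print(n, "tasks, nominal busy window of tau_k:", busy_window(ts))
```

The value returned by `busy_window` is the no-attack baseline against which a shortened response time of the observation task would be compared.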

2) Results
The impact of different combinations of the attack parameters δ and j of a TDA delaying a task $\tau_j$ on the response time of the observation task $\tau_k$ is portrayed in Fig. 9. It can be observed that with increasing length of the delay δ, the response time of $\tau_k$ decreases. Moreover, it is evident that the lower the value of j , i.e., the more frequently a delay is introduced, the lower the response time of $\tau_k$. However, the relations between δ and the response time of $\tau_k$ as well as between j and the response time of $\tau_k$ are clearly not linear, but follow the dynamics elucidated in our analysis in Sec. V.
In Fig. 10, different combinations of values of the parameters δ and j are presented, which all result in a busy window $w^{tda}_k = 255$ of the observation task $\tau_k$. Following from this, it is evident that based on one observed response-time value of $\tau_k$, it is not always possible to make a statement about the particular attack parameters of a TDA. Instead, it is more reasonable to enumerate and consider all possible attack scenarios.

C. USECASE EVALUATION
In our second experiment, we consider an exemplary usecase. The experiment setup is explained subsequently in Sec. VI-C1, before we discuss the results in Sec. VI-C2.
FIGURE 11: An industrial distributed control network considered as the usecase of our simulation. Legend: best-effort traffic, PTP traffic.

1) Experiment Setup
As an exemplary usecase, we consider the distributed control and clock-sync network depicted in Figure 11, as used, e.g., for robotic control, where typically update-rates in the order of microseconds are required. The network consists of a server and two clients, one of which is in charge of controlling a robot arm, and two PTP-capable switches. Moreover, the network comprises a video camera introducing mixed traffic.
When modeling the considered system, we follow a similar approach as proposed by Diemer et al. [21]: The system is modeled as an Ethernet AVB network, in which each client has input and output ports and each switch executes channel-delay tasks representing the default propagation and processing delays. Ports are modeled using a fixed-priority preemptive scheduling policy. Moreover, each output port accounts for the most significant arbitration delays. Static delays such as those caused by propagation in the communication channel are incorporated as constant-delay overhead in the paths. The analysis is performed using pyCPA [21]. Since the considered system is assumed to use an Ethernet 100BASE-TX network (100 Mbps), for each PTP synchronization message transmitted on the network, the payload is assumed to comply with the respective number of bits indicated by the IEEE 1588 standard [4], excluding additional bytes, i.e., the Ethernet header, the MACsec header, and the octets annexed at the physical link 10 . The size of each video packet is assumed to range from 875 bytes to 1400 bytes. Table 2 summarizes the total length of the PTP and video packets as well as the respective WCET, i.e., here, the time required for transmitting the packets at 100 Mbps. The timing characteristics of the PTP-related and observation tasks running on the client are given in Table 3.

2) Results
In Fig. 12, the impact of the attack parameters δ and j of a delayed task $\tau_j$ is depicted for different values of j with δ being varied in discrete steps within the interval [0, 12] µs. It can be seen that the response time of the observation task $\tau_k$ is reduced from 112 µs to 104 µs for j = 1, j = 2, and j = 3 as soon as δ ≥ 2 µs (δ ≥ 3 µs, respectively). However, no change is detectable for the same value of δ if j = 4.
Concretely, this means that a less frequently introduced delay has no impact in this case, whereas a more frequently introduced delay of the same length does. A corresponding behavior has already been observed in Fig. 9 in Sec. VI-B2, where, e.g., for j = 2 at time 20 the response time of the observation task $\tau_k$ is much lower than for j = 16. Moreover, Fig. 12 gives the hint that the choice of the worst-case execution time of the observation task $\tau_k$ should be made very carefully. Depending on the task parameters of a specific usecase, the level of detail retrievable by means of the response time of the observation task can differ largely based on the considered parameters of the response time. Therefore, more fine-grained observations may be made by using different types of observation tasks. Exploring this, however, is beyond the scope of this work.
10 For more information, please refer to IEEE 802.3-2018 [23], Section 1.

VII. CONCLUSION
Aiming to contribute to the development of more reliable and sensitive intrusion detection systems for PTP-based networks, we proposed to introduce observation tasks scheduled under the lowest priority on each client system. We showed how, based on analysis techniques from the real-time domain, conclusions from the response time of an observation task to the existence of a TDA in the network can be drawn. Moreover, we analytically derived convergence properties of the busy window worst-case response time analysis methods, which do not only provide new theoretical insights, but can also be exploited to approximate attack parameters of an ongoing TDA. De facto, the attack parameters derived in our analysis can serve as an additional input for sophisticated intrusion detection systems such as, e.g., the so-called Red-Zone Principle [18], allowing them to select better bounds for distinguishing off-nominal from nominal system behavior; thus, also enabling them to detect TDAs more reliably and to invoke mitigation strategies effectively. Optimizing such bounds for a specific intrusion detection system and determining the resulting false positive and false negative rates remains future work.
By means of comprehensive simulations, we explored the impact of different configurations of the attack parameters on the response time of an observation task and showed that different configurations can lead to the same response time of an observation task, emphasizing the importance of approximations, since the exact attack parameters cannot always be retrieved. Moreover, we discovered in our usecase simulation that the choice of the execution time of observation tasks is extremely important and has a strong impact on the detection sensitivity of an intrusion detection system.