Secure Two-Way Fiber-Optic Time Transfer Against Sub-ns Asymmetric Delay Attack With Clock Model-Based Detection and Mitigation Scheme

Two-way fiber-optic time transfer (TWFTT) is a promising precise time synchronization technique with subnanosecond stability. However, the asymmetric delay attack is a severe threat, which can deteriorate the performance of the TWFTT system. In this article, a clock model-based scheme is used to defend the subnanosecond asymmetric delay attack. For the scheme, a security threshold is set according to a two-state clock model, and the estimated frequency difference is excluded from the measured time difference to detect the subnanosecond asymmetric delay attack. Systematic detection and mitigation scheme for asymmetric delay attack is developed in this article. Theoretical simulation and experimental demonstration are implemented to explore the feasibility of the method. A TWFTT system of time stability with 24.5, 3.98, and 2.95 ps at average times of 1, 10, and 100 s is shown under subnanosecond asymmetric time delay attack experimentally for the first time. The proposed method provides a promising secure subnanosecond precise time synchronization technique against asymmetric delay attacks.

2.95 ps at average times of 1, 10, and 100 s is shown under subnanosecond asymmetric time delay attack experimentally for the first time. The proposed method provides a promising secure subnanosecond precise time synchronization technique against asymmetric delay attacks.
Index Terms-Delay attack, security, synchronization.

I. INTRODUCTION
P RECISE time synchronization has become increasingly important for transportation [1], smart grid [2], contemporary space geodesy [3], high-resolution radio astronomy [4], and modern particle physics [5]. Among various kinds of time transfer techniques, the two-way time transfer technique is a promising one that transmits time signals symmetrically in both directions to cancel the time jitter for one-way transfer [6].
Two-way satellite time transfer has achieved nanosecond accuracy [7] and a time stability of 200 ps [8]. Due to widely installed optical fiber infrastructure, two-way fiber-optic time transfer (TWFTT) [3], [9] has attracted much attention in recent years with the advantage of low cost. Based on directly measuring arrival times of pulses, a time stability as low as picosecond level has been reported [9], [10], [11], [12], [13], [14], [15], [16], [17], [18]. Recently, in order to improve the performance of the time transfer, some technologies are developed, such as joint time and frequency transfer [15], [16], phase modulation technique [15], [17], λ-swapping technique [18]. Although the performance of the time transfer is improved by these technologies, there are security threads for TWFTT, which can deteriorate the performance significantly. Security strategy based on encryption is proposed in [19]. However, there is a threat called asymmetric delay attack which can not be protected by encryption.
For TWFTT technology, there are two kinds of asymmetric time delay, intrinsic and extra. The intrinsic asymmetric time delay is caused by the nature of the fiber. In order to gain subnanosecond accuracy for TWFTT, the bidirectional signals are transferred in the same fiber to restrict the intrinsic asymmetric time delay. However, the residual asymmetric delay induced by the fiber characteristic, such as the fiber chromatic dispersion with unequal wavelength and the polarization mode dispersion (PMD) [9], is inevitable, which is related to the  lower bound of the performance of the TWFTT system. Except for the intrinsic asymmetric delay, the adversary can introduce extra asymmetric time delay, and it is unknown to the synchronization parties. So, if there is no secure measure, the extra asymmetric delay can deteriorate the performance of the TWFTT system significantly, which have been shown experimentally [20], [21]. However, to the best of our knowledge, the method to detect and mitigate the asymmetric delay attack of TWFTT has not been studied experimentally.
Similar asymmetric delay attacks and solutions have been studied for other time synchronization protocols like NTP and PTP [22], [23], [24], [25], [26], [27], [28], [29], [30], [31], [32], [33]. In [22], several security methods are proposed, such as round-trip time (RTT) monitor, multiple clocks, and multiple paths. However, no quantitative analysis on the countermeasure is provided. In [23], requirements for secure twoway protocol, such as PTP, are proposed, and RTT is proposed to detect the delay attack. However, the influence of fixed frequency difference between the two parties is not excluded from the adversary detection. In [24], a game theoretic analysis of delay attacks is studied, and a multiple paths strategy is proposed to mitigate delay attacks. However, this method needs multiple paths between the master and slave clocks. By using the information of multiple paths, different lower bounds on the best achievable performance are derived in the presence of asymmetric delay by using expectation-maximization (EM) algorithm [25] or space alternating generalized-maximization (SAGE) algorithm [26]. In [27], a new delay attack detection method is proposed by comparing the network clocks with each other. However, multiple clocks are needed for this method. In [28], an external reference clock called network time reference (NTR) with very high accuracy is used to detect cyber-attacks. However, external reference clock with very high accuracy is needed. In [29], the proposed model relies on a monitor unit called the trust supervisor node (TSN), which is able to compare clock offsets/delay measurements provided by a large number of slave devices. In [30], model-based and data-based methods are proposed as a countermeasure for time attacks. However, extra information from phase measurement unit (PMU) is needed and mitigation is not included in the method. In [31], polar coding is proposed as a security strategy. The channel polarization caused by polar coding is utilized to construct secure channel for timestamps. In [32], a detection and mitigation method based on probabilistic model checker for delay attack is studied theoretically and experimentally. However, only 100-µs level synchronization error is achieved by the method. In [33], an improved method is proposed by introducing an observation task and analytically deriving attack parameters of the time delay attack. However, only µs level synchronization error is achieved by the method. A comparison is given in Table I. In all, due to the high precision for TWFTT which can provide sub-ns level time synchronization, sub-ns delay attack can still influence the performance significantly. However, a real-time detection and mitigation method for subnanosecond asymmetric delay attacks is still an open question for TWFTT system.
In this article, we investigate the method to protect TWFTT from subnanosecond asymmetric time delay attacks. By analyzing the mechanism of asymmetric time delay attack, a defense scheme based on the clock dynamics is proposed. In this article, systematic method is proposed to detect and mitigate asymmetric delay attack, without extra information, such as multiple paths, multiple master clocks, or information from PMU. Then theoretical simulations and experimental demonstrations are implemented to explore the feasibility of this method. A TWFTT system of time stability with 26.4, 6.82, and 3.58 ps under subnanosecond equal interval asymmetric time delay attacks and with 24.5, 3.98, and 2.95 ps under subnanosecond random interval asymmetric time delay attacks at average times of 1, 10, and 100 s is shown. The experimental results show that almost all the asymmetric delay attacks with subnanosecond delay can be detected and mitigated by this scheme, no matter whether the attacks happen in an equal interval or randomly. To the best of our knowledge, it is the first time to demonstrate secure time transfer against sub-ns asymmetric delay attack for TWFTT. It provides an efficient method to protect TWFTT from the asymmetric time delay attack.

II. SCHEMATIC DESCRIPTION A. TWFTT Scheme
We consider a general scheme of the TWFTT system (as shown in Fig. 1). It consists of two parties, A and B, interconnected by an optical fiber channel. At each of the parties, the time scales (one pulse per second, 1PPS) are transmitted to each other through a bidirectional optical fiber link. The 1PPS signals are detected by the receiver. The time difference between the received 1PPS and the sent 1PPS is measured by the time interval counter (TIC) at each part, named T A and T B . So where τ B A is the propagation time from B to A, and τ AB in the other direction. According to (1) and (2), the time offset between A and B is derived by Assuming a symmetrical propagation delay, τ B A = τ AB , the time offset between A and B is given by For TWFTT system, one party is called the remote site and the other is called the local site. The measured time offset is used by the local site to correct its clock to synchronize with the remote clock. In this article, B is used as the local site, and A is used as the remote site.

B. Asymmetric Delay Attack
Unknown asymmetric delay in the channel will lead to synchronization errors in TWFTT system. There are two kinds of asymmetric time delay, intrinsic and extra. The intrinsic asymmetric time delay is caused by the nature of the fiber. In order to gain subnanosecond accuracy for TWFTT, the bidirectional signals are transferred in the same fiber to restrict the intrinsic asymmetric time delay. However, an adversary can deteriorate the performance of TWFTT system by introducing extra asymmetric time delays which are unknown to the synchronization parties. This attack is called the asymmetric delay attack.
The impact of the asymmetric delay attack is analyzed quantitatively. Specifically, if the adversary delays the 1PPS from B to A by τ attack , the actual time offset between A and B is given by Comparing (4) and (5), if no secure method is adopted, the adversary introduces a time synchronization error with τ error = (1/2) τ attack .

C. Countermeasure
In order to detect the asymmetric delay attack, a clock dynamic model is built for the time offset between A and B. An adversary detector function with the measured time offset and the estimated time offset from the dynamic model as variables are built. By setting a security threshold, if the value of the detector exceeds the threshold, a potential attack is detected, and a special time offset correction scheme is chosen. And if the value of the detector does not exceed the threshold, a normal time offset correction scheme is chosen.
In this article, a two-state clock model is employed [31]. Equations describing the clock dynamics are where s and γ (t) = f local − f remote are time offset and frequency difference between the local clock and the remote clock, ω θ (t) and ω γ (t) relate to random-walk phase noise and random-walk frequency noise, respectively, which are independent 1-D zero-mean Wiener processes with variances equal to σ 2 θ and σ 2 γ , respectively. For TWFTT system, the local clock is updated periodically, and time offset correction, u θ (t n ), is applied to the local clock to synchronize with the remote clock at the nth synchronization instant t n = n · τ . So, (6) can be rewritten as difference equations [32] θ (t n ) = θ (t n−1 ) + u θ (t n−1 ) + γ (t n−1 ) · τ + ω θ (t n ) γ (t n ) = γ (t n−1 ) + ω γ (t n ).
For TWFTT system, the measured time offset, which is rewritten as θ M (t n ) = T (t n ), can be used to correct the local clock. Correction strategy influences the performance of the TWFTT system and adversary detection effect. In this article, the direct correction strategy is chosen to compare with the attack detection strategy.
For direct correction strategy, the measured time offset is used to correct the local clock directly. That means, after the measurement of the time offset between the local clock and the remote clock, the update value of the local clock is given by the measured time offset u θ (t n ) = θ M (t n ). Then u θ (t n ) is used to correct the local clock. For the TWFTT system, the measured time offset is given by where T B and T A are the measured time intervals at local site and remote site, as described in II-A.
For the attack detection strategy, in order to detect the subnanosecond asymmetric delay attack, the frequency difference between the local clock and remote is supposed to be relatively stable, and excluded to construct the attack detector. Specifically, the frequency difference is estimated according to the clock model. And the attack index is defined as the absolute value of the measured time offset minus the time offset induced by the estimated frequency difference. A secure threshold is set for attack detection. If the attack index exceeds the threshold, a potential attack is detected, and a special time offset correction scheme is chosen. Otherwise, a normal time offset correction scheme is chosen. More details are shown below.
Algorithm Asymmetric Time Delay Attack Detection 2. Calculate the estimated frequency difference. If no attack is detected at t n−1 , then the measured frequency difference at t n is given by γ M (t n ) = (θ M (t n ) − θ M (t n−1 ) + u θ (t n−1 ))/τ , and the estimated frequency difference is given byγ Else, the estimated frequency difference is given bŷ γ E (t n ) = γ best (t n−1 ).

Calculate the fixed time offset induced by frequency
Calculate the attack index, 5. Make a judgment whether an attack happens at t n , and calculate the update value of the local clock and the best frequency difference estimation. If The estimated frequency difference is very important for the proposed algorithm. The measured frequency difference γ M (t n ) = (θ M (t n ) − θ M (t n−1 ) + u θ (t n−1 ))/τ fluctuates due to the measurement noise. In order to reduce the influence of the measurement noise, a smoothing method is introduced with a smoothing factor as w, as shown in step 5 of the algorithm.

D. Metric
On the one hand, in order to analyze the effect of the attack detection algorithm quantitatively, two performance metrics are introduced which are precision and recall. Precision is defined as the number of detected actual attack events over the total number of detected attack events, while recall is defined as the number of detected actual attack events over the total number of actual attack events.
On the other hand, in order to analyze the influence of the attack detection strategy on the performance of the time synchronization system, time deviation error variance (TDEV) and maximum time interval error (MTIE) are introduced as [33] TDEV(τ = n * τ 0 ) III. THEORETICAL SIMULATION In this section, theoretical simulation is implemented to explore the feasibility of the attack detection strategy proposed in this article.
Two strategies are compared in this article, which are direct correction strategy and attack detection strategy. First, as shown in Fig. 2, a free-running local clock module is applied to produce the time difference θ (t n ) at the nth synchronization instant t n = n·τ . In this module, ω θ (t n ) and ω γ (t n ) are the random-walk phase noise, random-walk frequency noise and transmission noise during the period between t n−1 and t n , which are independent 1-D zero-mean Wiener processes with standard deviation equal to σ θ and σ γ , respectively. After the free-running local clock module, a transmission module is applied, where ω d (t n ) is the transmission noise, which is an independent 1-D zero-mean Wiener process with standard deviation equal to σ d . A conditional delay attack is applied to modify the time difference with the value of (1/2) τ attack , as explained in (5). Then, a measurement noise ω m (t n ) is added, which is an independent 1-D zero-mean Wiener process with standard deviation equal to σ m . After the measurement module, the measured time offset θ M (t n ) is produced.
For direct correction strategy, the update value of the local clock is calculated as u θ (t n ) = θ M (t n ). For attack detection strategy, the frequency difference estimation unit is applied to calculate the estimated frequency differenceγ E (t n ), and the details are shown in step 3 of the algorithm. Then, the attack index is calculated, and the details are shown in step 4 of the algorithm. Attack judgment unit is applied to calculate the update value of the local clock u θ (t n ) and the best estimation of the frequency difference γ best (t n ) according to whether an attack happens during the period between t n−1 and t n , and the details are shown in step 5 of the algorithm.
After the strategies module, the calculated update value of the local clock u θ (t n ) is added to the actual time difference θ (t n ) to get the final time difference after the nth synchronization.
First, the performance of TWFTT system under no attack events with a direct correction strategy and attack detection strategy is compared by simulation. In the simulation, two extra independent 1-D zero-mean Wiener processes with variances σ 2 m and σ 2 d are introduced for the measurement noise and transmission noise. Without loss of generality, all the values of the noises in the simulation are chosen as in Table II. As shown in Fig. 3, the time synchronization error (time offset) is just around zero for both cases where the fluctuation is caused by measurement noise, transmission noise, and random-walk noise.
Second, the influences of delay attacks on time synchronization are studied. In the simulation, a delay attack happens once every 50 s. Two cases are compared, where direct correction strategy is adopted for the first case and attack detection strategy is adopted for the second one.
In order to evaluate the influence of the attack detection algorithm on the performance of time synchronization quantitatively, we studied the TDEV and MTIE for both cases. As shown in Fig. 4, time stabilities with metrics TDEV and MTIE are almost the same for the two cases. The results show   For the case of the direct correction strategy, since no attack detection is adopted, the time delay attack brings in synchronization errors [see Fig. 5(a)-(c)]. By the theoretical  (4) and (5), the direct correction algorithm does not recognize the time delay introduced by the adversary, the update value of the local clock is given by u θ (t n ) = θ M (t n ) = θ (t n ) + ω d + ω m + (1/2) τ attack , where θ (t n ) is the actual time offset of the local clock and the remote clock, ω d and ω m is the noise introduced by the transmission and measurement, and (1/2) τ attack is introduced by the delay attack. That means a time synchronization error with (1/2) τ attack is included in the update value. In the simulation, three cases are studied, where the values of delay attack τ attack are given by 2, 1, and 0.4 ns every 50 s. The theoretical analysis shows the time synchronization error introduced by the delay attack should be 1, 0.5, and 0.2 ns. As shown in Fig. 5(a)-(c), the actual synchronization error is around 1, 0.5, and 0.2 ns every 50 s. The fluctuation is caused by noises, such as measurement noise, transmission noise, and random-walk noise. So, the simulation results match with the theoretical analysis.
For the case of attack detection strategy, all the actual attack events are detected by the algorithm, and no event which is not attack event is recognized as an attack event. So, precision and recall for the simulation are both 100%. From Fig. 5(d)-(f), we can see that the actual time offset is around zero, and the influence of the delay attack is eliminated by the attack detection algorithm. In order to evaluate the influence quantitatively, TDEV and MTIE curves are drawn (see Fig. 6). By comparing the direct strategy without attack and with attack, the results show that the delay attack brings a serious influence on the performance of the time synchronization. By comparing the attack detection strategy without attack and with attack, the results show that the influence of the delay attack can be effectively eliminated by the attack detection strategy. As shown in Table III, TDEVs and MTIEs at average  TABLE IV  PERFORMANCE METRIC WITHOUT ATTACK times of 1, 10, and 100 s are compared. By comparing cases of attack detection strategy without attack, and with 1-, 0.5-, and 0.2-ns attacks, respectively, it shows that the proposed attack detection algorithm can distinguish effectively the attack events and the normal events. That means the values of precision and recall are all 100% for attack detection strategy. And all the TDEVs and MTIEs at different average times are almost the same. For TDEV@1 s, TDEV@10 s, TDEV@100 s, MTIE@1 s, MTIE@10 s, and MTIE@100 s, all the cases are around 25, 8.7, 1.3, 106, 125, and 145 ps, respectively. By comparing cases of direct correction strategy and cases of attack detection strategy with 1, 0.5, and 0.2 ns attacks, it shows that the asymmetric time delay attack brings a serious influence on the performance of the time synchronization. Counter-intuitively, TDEV@100 s is seemed to not be influenced by the attack. It is caused by the definition of TDEV. According to (8), when τ = 100, x i+2n − 2x i+n + x i equals to x i+200 −2x i+100 +x i . Since the interval of attack event in the simulation is 50 s, when i is an integral multiple of 50, the same time error is induced by the attack for x i+200 , x i+100 , and x i , so the effects are counteracted, and when i is not an integral multiple of 50, no time error is induced by the attack for x i+200 , x i+100 , and x i . So, the TDEV curve of the direct correction strategy and the TDEV curve of no attack case meet when τ = 100, as shown in Fig. 5, and the TDEVs@100 s are almost the same for the cases of attack detection strategy and the cases of direct correction strategy as shown in Table III. In this article, scientific notation is adapted in Tables III-VI, where nEm presents n × 10 m .

IV. EXPERIMENTAL DEMONSTRATION
In this section, an experimental TWFTT system is set up in the laboratory, and demonstrations are implemented to explore the feasibility of the attack detection strategy proposed in this article.
The experimental setup of TWFTT system with adversary simulator is shown in Fig. 7. On the remote/local site, the digital delay generator (DDG, SRS DG645) generates 1PPS electric signal. 1PPS from one output port of DDG drives an electrooptic modulator (EOM, AX-0S5-10-PFA-PFA-UL) to modulate the CW laser to generate 1PPS optic signal. The same 1PPS from another output port of DDG is sent to the start trigger port of a TIC. The 1PPS optic signal is coupled to channel 35 of DWDM, and transmitted to the local site through the fiber channel. The photodetector on the local/remote site detects the 1PPS optical signal and the generated electric signal is sent to the stop trigger port of the TIC on the local/remote site. The time difference recorded by TIC on the remote site is sent to the local site. By (4), the measured time offset is calculated on the local site. According to the adversary detection strategy and correction strategy, the delay correction value is calculated on the computer of the local site and sent to DDG on the local site to modify the time delay. In order to evaluate the strategy, an extra TIC is added to measure the actual time errors between the remote clock and the local clock.
An adversary simulator is installed in the fiber channel, which can simulate the asymmetry delay attack launched by the adversary. Similar to [21], the adversary simulator consists of a 1 × 4 optical switch. When the optical switch is set to path 1, no asymmetry delay is added to the channel. When the optical switch is set to path 2-4, 0.296, 0.83 s, and 1.25-ns asymmetry delay is added to the channel, respectively.
Before studying the influence of the attack on the TWFTT system, we first compare the attack detection strategy and direct correction strategy without attack. For each strategy,   the attack detection strategy and direction correction strategy are not the same. Because in the simulation, the measurement noise, transmission noise, and process noise are the same for the two strategies, and in the experiment, these noises are different for the two strategies. However, although the values of TDEV and MITE are not exactly the same for the two strategies, the values are very close. Many experiments are done to confirm that the differences between the two strategies are induced by random noises.
As shown in Table IV, TDEVs and MTIEs at average times of 1, 10, and 100 s are compared for attack detection strategy and direct correction strategy without attack. Different from the simulation results, the TDEVs and MTIEs are not the same for the two strategies, which are due to the random factors, such as the measurement noise, transmission noise, randomwalk phase noise, and frequency noise, in the experiment.
On the one hand, theoretically, the attack detection strategy is degraded to a simple form which is the same as the direct correction strategy. So, the difference between the two strategies in the experimental demonstration without attack is due to the random factors.
On the other hand, it is impossible to compare the direct correction strategy and the attack correction strategy in the same experiment with identical noise. So, in order to compare the direct correction strategy and the attack detection strategy, experiments are done with the same experimental parameters for the two strategies. However, the noise in the experiment is random process. Although the noises follow the same probability distribution, the actual noises are different for the experiment of the direction strategy and the experiment of the attack correction. So, although the two algorithms are the same when there is no attack, the calculated TDEVs and MTIEs are not the same. The experiments are implemented three times for each strategy, as shown in Table IV. Then, two kinds of asymmetry delay attacks are studied, the equal interval attack and the random interval attack.

A. Equal Interval Attack
For equal interval attack, the adversary launched asymmetry delay attack once at set intervals. Without loss of generality, we set 50 s as the interval. Three kinds of asymmetry delay attacks with 0.296, 0.83, and 1.25 ns, respectively, are studied.
As shown in Fig. 10(a)-(c), when no attack detection strategy is applied, the TWFTT system can not recognize the attacks, and large synchronization errors are brought by the asymmetry delay attacks. In order to evaluate the influence quantitatively, TDEV and MTIE curves are drawn, as shown in Fig. 11. The results show that the equal interval attack brings a serious influence on the performance of the time synchronization, and the influence of the delay attacks is eliminated by the attack detection strategy.
As shown in Table V, TDEVs and MTIEs at average times of 1, 10, and 100 s are compared. By comparing cases of attack detection strategy without attack, with 1.25-ns attack, with 0.83-ns attack, and with 0.296-ns attack, it shows that the attack detection algorithm proposed in this article can distinguish the attack events and the normal events. That means the values of precision and recall are all 100% for attack detection strategy under equal interval attacks. The differences between TDEVs and MTIE are caused by the difference in the noises. The smallest TDEVs at average times of 1, 10, and 100 s are 26.4, 6.82, and 3.58 ps, and the smallest MTIEs at average times of 1, 10, and 100 s are 122.1, 136.7, and 151.4 ps, under nanosecond and subnanosecond equal interval attacks. By comparing cases of direct correction strategy and cases of attack detection strategy with 1.25-, 0.83-, and 0.296-ns attack, it shows that the asymmetric time delay attack brings a serious influence on the performance of the time synchronization. Counter-intuitively, TDEV@100 s is seemed to be not influenced by the attack. It is caused by the definition of TDEV. According to (8), when τ = 100, x i+2n − 2x i+n + x i equals to x i+200 − 2x i+100 + x i . Since the interval of attack event in the simulation is 50 s, when i is an integral multiple of 50, the same time error is induced by the attack for x i+200 , x i+100 , and x i , so the effects are counteracted, and when i is not an integral multiple of 50, no time error is induced by the attack for x i+200 , x i+100 , and x i . So, the TDEV value of the direct correction strategy approaches the TDEV value without attack, as shown in Fig. 11.

B. Random Interval Attack
For random interval attack, the adversary launched asymmetry delay attack randomly. So, the attack can happen consecutively. The probability of the attack is a key parameter. Without loss of generality, three kinds of random interval attacks are studied. The first kind is a 0.83-ns delay random interval attack with probabilities p no = 0.8, p 0.83 ns = 0.2. The second kind is a 0.296-ns delay random interval attack with probabilities p no = 0.8, p 0.296 ns = 0.2. The third kind is mixed 0.83-and 0.296-ns delay random interval attack with probabilities p no = 0.7, p 0.83 ns = 0.15, P 0.296 ns = 0.15.
As shown in Figs. 12 and 13, the attack detection strategy can detect and mitigate the random interval attacks. As shown in Table VI, TDEVs and MTIEs at average times of 1, 10, and 100 s are compared. By comparing cases of attack detection strategy without attack, with 0.83-ns attack, with 0.296-ns attack, and mixed attack, it shows that the attack detection algorithm proposed in this article can distinguish the attack events and the normal events. The differences between TDEVs and MTIE are caused by the difference in the noises. The smallest TDEVs at average times of 1, 10, and 100 s are 24.5, 3.98, and 2.95 ps, and the smallest MTIEs at average times of 1, 10, and 100 s are 122.1, 136.7, and 151.4 ps, under subnanosecond random interval attacks. By comparing cases of attack detection strategy with cases of direct correction strategy, it shows that, different from the equal interval attack, the TDEVs of the direct correction strategy does not approach the TDEV value without attack when τ = 100 since the interval of the attack event is random.

V. DISCUSSION AND CONCLUSION
In this article, we propose a model-based method to protect the TWFTT system from subnanosecond asymmetric delay attacks. The theoretical simulation shows that the method is effective to protect the TWFTT system. Then, the method is tested under two kinds of attacks, equal interval attack and random interval attack for an experimental TWFTT system. The results show that the effect of the attack is eliminated by the method for the real TWFTT system. In order to measure the performance, TDEV and MTIE are calculated. With this method, an experimental TWFTT system of time stability with 26.4, 6.82, and 3.58 ps under subnanosecond equal interval asymmetric time delay attacks and with 24.5, 3.98, and 2.95 ps under subnanosecond random interval asymmetric time delay attacks at average times of 1, 10, and 100 s is shown. The proposed method can detect the attack in real time, and its computation complexity is low. So, this method can easily be integrated in the TWFTT system to provide secure sub-ns precise time synchronization under asymmetric delay attack.
Many interesting problems still remain. On the one hand, for longer transmission distances, such as 100-km fiber link, erbium-doped optical fiber amplifiers are integrated with the link as a repeater, which distorts the waveform. Part of the distortion is fixed, and the other part is random. So, optimization of the delay attack detection method for longer transmission is an interesting problem. On the other hand, the network of TWFTT has attracted much attention in recent years. For the network, a node may be an intersection of multiple TWFTT paths. Except for the information from the suspected path, additional information can be provided from other paths for attack detection. So, the systematic delay attack detection method in networks is an interesting open question.  He is currently a Professor with the School of Electronics, Peking University, Beijing, China. His research interests include quantum optics and quantum information.
Bingjie Xu received the B.S. degree in physics and the Ph.D. degree in radio physics from Peking University, Beijing, China, in 2007 and 2012, respectively.
He is currently the Chief Expert of the Department of Science and Technology on Communication Security Laboratory, Institute of Southwestern Communication, Chengdu, China. His research interests include quantum cryptography, quantum information, and secure time synchronization.