Attacker localization based on tracking anomaly propagation in time-sensitive networking

We claim: 1. An apparatus comprising: processing circuitry coupled to a memory, the processing circuitry to: detect one or more non-compliant nodes with respect to a timing schedule; detect one or more compliant nodes with respect to the timing schedule, wherein the timing schedule is based on one or more post-synchronization messages that are based on one or more remote performance measurements including one or more frame ingress time measurements; and identify a malicious node based on positions of the one or more non-compliant nodes and the one or more compliant nodes in a network topography, wherein the positions refer to placements of the one or more non-compliant nodes and the one or more compliant nodes with respect to one or more paths within the network topography, wherein the one or more non-compliant nodes and the one or more compliant nodes are to be detected based on the one or more post-synchronization messages. 2. The apparatus of claim 1 , wherein at least one of the one or more post-synchronization messages includes a remote performance measurement of the one or more remote per for measurements and a keyed hash value. 3. The apparatus of claim 2 , wherein the remote performance measurement includes a frame ingress time measurement of the one or more frame ingress time measurements, a residence time measurement or a correction field measurement. 4. The apparatus of claim 2 , wherein the keyed hash value is to be associated with a time stamp and a key pair shared by a monitor node and at least one of the one or more non-compliant nodes. 5. The apparatus of claim 1 , wherein the one or more non-compliant nodes are to be detected based on historical attribute data and plane diversity data. 6. At least one non-transitory computer-readable medium having stored thereon instructions which, when executed, cause a computing device to perform operations comprising: detecting one or more non-compliant nodes with respect to a timing schedule; detecting one or more compliant nodes with respect to the timing schedules wherein the timing schedule is based on one or more post-synchronization messages that are based on one or more remote performance measurements including one or more frame ingress time measurements; and identifying a malicious node based on positions of the one or more non-compliant nodes and the one or more compliant nodes in a network topography, wherein the positions refer to placements of the one or more non-compliant nodes and the one or more compliant nodes with respect to one or more paths within the network topography, wherein the one or more non-compliant nodes and the one or more compliant nodes are to be detected based on the one or more post-synchronization messages. 7. The non-transitory computer-readable of claim 6 , wherein at least one of the one or more post-synchronization messages includes a remote performance measurement of the one or more remote performance measurements and a keyed hash value. 8. The non-transitory computer-readable medium of claim 7 , wherein the remote performance measurement includes a frame ingress time measurement of the one or more frame ingress time measurements, a residence time measurement or a correction field measurement. 9. The non-transitory computer-readable medium of claim 7 , wherein the keyed hash value is to be associated with a time stamp and a key pair shared by a monitor node and at least one of the one or more non-compliant nodes. 10. The non-transitory computer-readable medium of claim 6 , wherein the one or more non-compliant nodes are to be detected based on historical attribute data and plane diversity data. 11. A method comprising: detecting one or more non-compliant nodes with respect to a timing schedule; detecting one or more compliant nodes with respect to the timing schedule, wherein the timing schedule is based on one or post-synchronization messages that are based on one or more remote performance measurements including one or more frame ingress time measurements; and identifying a malicious node based on positions of the one or more non-compliant nodes and the one or more compliant nodes in a network topography, wherein the positions refer to placements of the one or more non-compliant nodes and the one or more compliant nodes with respect to one or more paths within the network topography, wherein the one or more non-compliant nodes and the one or more compliant nodes are to be detected based on the one or more post-synchronization messages. 12. The method of claim 11 , wherein at least one of the one or more post-synchronization messages includes a remote performance measurement of the one or more remote performance measurements and a keyed hash value. 13. The method of claim 12 , wherein the remote performance measurement includes a frame ingress time measurement of the one or more frame ingress time measurements, a residence time measurement or a correction field measurement. 14. The method of claim 12 , wherein the keyed hash value is associated with a timestamp and a key pair shared by a monitor node and at least one of the one or more non-compliant nodes. 15. The method of claim 11 , wherein the one or more non-compliant nodes are detected based on historical attribute data and plane diversity data.