Detecting Clock Synchronization Attacks in Time Sensitive Networks Using Key Performance Indicators

US2022014532A1 · US · A1

Patent metadata
Publication number: US-2022014532-A1
Application number: US-202117483723-A
Country: US
Kind code: A1
Filing date: Sep 23, 2021
Priority date: Sep 23, 2021
Publication date: Jan 13, 2022
Grant date:

Abstract

Official abstract text for this publication.

Systems and methods to detect attacks on the clocks of devices in time sensitive networks are described. Particularly, the disclosed systems and methods provide detection and mitigation of timing synchronization attacks based on key performance indicators related to the protected transmission windows in data streams of the time sensitive networks.

First claim

Opening claim text (preview).

What is claimed is:

1. A computing-implemented method, comprising: establishing a data stream between a first device and a second device, the data stream comprising a plurality of switching nodes; providing an indication of a protected transmission window to each of the plurality of switching nodes; receiving, from one of the plurality of switching nodes, a key performance indicator (KPI) relative to the timing of the protected transmission window for the one of the plurality of switching nodes; and determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI.

2. The computing-implemented method of claim 1, comprising: receiving an indication of values of the KPI over a time period; determining a mean of the values of the KPI over the time period; and determining a standard deviation of the values of the KPI over the time period.

3. The computing-implemented method of claim 2, the time period a first time period, receiving, from one of the plurality of switching nodes, a key performance indicator (KPI) relative to the timing of the protected transmission window for the one of the plurality of switching nodes comprising receiving a value of the KPI over a second time period subsequent to the time period.

4. The computing-implemented method of claim 3, determining whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI comprising: determining a mean of the values of the KPI over the second time period; determining whether the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to a threshold value; and determining whether the one of the plurality of switching nodes is subject to a timing attack based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value.

5. The computing-implemented method of claim 4, wherein the threshold is based on the standard deviation of the values of the KPI over the time period.

6. The computing-implemented method of claim 5, wherein the threshold value is three (3) times the standard deviation of the values of the KPI over the time period.

7. The computing-implemented method of claim 4, determining whether the one of the plurality of switching nodes is subject to a timing attack based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value comprising: incrementing a positive event counter based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value; or incrementing a negative event counter based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is not greater than or equal to the threshold value; and determining the one of the plurality of switching nodes is subject to a timing attack based on a determination that the absolute value of the positive event counter minus the negative event counter is greater than an event counter threshold.

8. The computing-implemented method of claim 1, wherein the data stream is established in accordance with the Institute of Electrical and Electronics Engineers (IEEE) 802.1AS and/or 802.1Qbv standards.

9. A computing apparatus comprising: a processor at a control device for a time sensitive network (TSN) of devices; and a memory storing instructions that, when executed by the processor, configure the apparatus to: establish a data stream between a first device and a second device in the TSN of devices, the data stream comprising a plurality of switching nodes in the TSN of device; provide an indication of a protected transmission window to each of the plurality of switching nodes; receive, from one of the plurality of switching nodes, a key performance indicator (KPI) relative to the timing of the protected transmission window for the one of the plurality of switching nodes; and determine whether the one of the plurality of switching nodes is subject to a timing attack based on the KPI.

10. The computing apparatus of claim 9, the instructions, when executed by the processor, configure the apparatus to: receive an indication of values of the KPI over a time period; determine a mean of the values of the KPI over the time period; and determine a standard deviation of the values of the KPI over the time period.

11. The computing apparatus of claim 10, the time period a first time period, the instructions, when executed by the processor, configure the apparatus to receive a value of the KPI over a second time period subsequent to the time period.

12. The computing apparatus of claim 11, the instructions, when executed by the processor, configure the apparatus to: determine a mean of the values of the KPI over the second time period; determine whether the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to a threshold value; and determine whether the one of the plurality of switching nodes is subject to a timing attack based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value.

13. The computing apparatus of claim 12, wherein the threshold is based on the standard deviation of the values of the KPI over the time period.

14. The computing apparatus of claim 13, wherein the threshold value is three (3) times the standard deviation of the values of the KPI over the time period.

15. The computing apparatus of claim 12, the instructions, when executed by the processor, configure the apparatus to: increment a positive event counter based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is greater than or equal to the threshold value; or increment a negative event counter based on a determination that the absolute value of the mean of the values of the KPI over the second time period minus the mean of the values of the KPI over the first time period is not greater than or equal to the threshold value; and determine the one of the plurality of switching nodes is subject to a timing attack based on a determination that the absolute value of the positive event counter minus the negative event counter is greater than an event counter threshold.

16. The computing apparatus of claim 9, wherein the data stream is established in accordance with the Institute of Electrical and Electronics Engineers (IEEE) 802.1AS and/or 802.1Qbv standards.

17. A non-transitory computer-readable storage device, storing instructions that when executed by processing circuitry of a controller of a time sensitive network (TSN), cause the controller to: establish a data stream between a first device and a second device, the data st
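The detection steps recited in claims 2 through 7 can be sketched as follows. This is an added example, not code from the patent or its assignee. The KPI (arrival offset in nanoseconds), the sample values, the class and function names, the sample standard deviation and the counter limit of 2 are all assumptions. The example compares the signed difference of the counters, where the claim text takes the absolute value, so that a run of normal windows does not raise an alarm.

```python
from statistics import mean, stdev

# Constructed KPI samples: offset (ns) of frame arrival from the start of the
# protected transmission window. The KPI choice and values are hypothetical.
BASELINE_NS = [102, 98, 101, 99, 100, 97, 103, 100]
WINDOWS_NS = [[101, 99, 100, 102]] * 2 + [[107, 108, 106, 107]] * 5


class WindowKpiDetector:
    """Baseline-and-compare detector following the steps in claims 2-7."""

    def __init__(self, baseline, sigma_factor=3.0, counter_limit=2):
        if len(baseline) < 2:
            raise ValueError("baseline needs at least two KPI values")
        self.base_mean = mean(baseline)                   # claim 2: mean
        self.threshold = sigma_factor * stdev(baseline)   # claims 5-6: 3 x std dev
        if self.threshold == 0:
            # A flat baseline would make every later window look anomalous.
            raise ValueError("baseline has no spread; cannot derive threshold")
        self.counter_limit = counter_limit                # claim 7 threshold
        self.positive = 0
        self.negative = 0

    def observe(self, window):
        """Score one later time period; return True once an attack is flagged."""
        deviation = abs(mean(window) - self.base_mean)    # claim 4
        if deviation >= self.threshold:
            self.positive += 1
        else:
            self.negative += 1
        # Assumption: signed difference, so normal windows offset earlier hits.
        return self.positive - self.negative > self.counter_limit


def run_detector(baseline, windows):
    """Return the per-window verdicts for a sequence of KPI windows."""
    detector = WindowKpiDetector(baseline)
    return [detector.observe(w) for w in windows]


if __name__ == "__main__":
    for i, verdict in enumerate(run_detector(BASELINE_NS, WINDOWS_NS), 1):
        print(f"window {i}: {'ATTACK SUSPECTED' if verdict else 'ok'}")
```

With the constructed data, the two normal windows push the counter difference negative, so the alarm fires only on the fifth consecutive drifted window rather than the third.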

Classifications

  • Traffic logging, e.g. anomaly detection

  • Event detection, e.g. attack signature detection

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2022014532A1 cover?
Systems and methods to detect attacks on the clocks of devices in time sensitive networks are described. Particularly, the disclosed systems and methods provide detection and mitigation of timing synchronization attacks based on key performance indicators related to the protected transmission windows in data streams of the time sensitive networks.
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 13, 2022 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).