Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks

Abstract EN

Software-defined networking controllers use the OpenFlow discovery protocol (OFDP) to collect network topology status.

The OFDP detects the link between switches by generating link layer discovery protocol (LLDP) packets.

However, OFDP is not a security protocol.

Attackers can use it to perform topology discovery via injection, man-in-the-middle, and flooding attacks to confuse the network topology.

This study proposes a correlation-based topology anomaly detection mechanism.

Spearman’s rank correlation is used to analyze the network traffic between links and measure the round-trip time of each LLDP frame to determine whether a topology discovery via man-in-the-middle attack exists.

This study also adds a dynamic authentication key and counting mechanism in the LLDP frame to prevent attackers from using topology discovery via injection attack to generate fake links and topology discovery via flooding attack to cause network routing or switching abnormalities.