Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks

Software-defined networking controllers use the OpenFlow discovery protocol (OFDP) to collect network topology status. OFDP detects the links between switches by generating link layer discovery protocol (LLDP) packets. However, OFDP is not a security protocol. Attackers can abuse it through topology discovery via injection, man-in-the-middle, and flooding attacks to confuse the network topology. This study proposes a correlation-based topology anomaly detection mechanism. Spearman’s rank correlation is used to analyze the network traffic between links, and the round-trip time of each LLDP frame is measured, to determine whether a topology discovery via man-in-the-middle attack exists. This study also adds a dynamic authentication key and a counting mechanism to the LLDP frame, to prevent attackers from using a topology discovery via injection attack to generate fake links and a topology discovery via flooding attack to cause network routing or switching abnormalities.
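The following sketch illustrates the correlation-plus-RTT check described in the abstract. It is an added example, not the paper's algorithm or code. It assumes that "traffic between links" means per-interval byte counters polled at the two ports of a claimed link; the thresholds `RHO_MIN` and `RTT_FACTOR`, the function names and the sample counters are all hypothetical.

```python
from statistics import mean, median

RHO_MIN = 0.8      # assumed: minimum rank correlation for a genuine link
RTT_FACTOR = 3.0   # assumed: tolerated LLDP RTT inflation over baseline

def ranks(values):
    """1-based ranks; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            out[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return out

def spearman(x, y):
    """Spearman's rho: Pearson correlation of the two rank vectors."""
    if len(x) != len(y):
        raise ValueError("series must cover the same polling intervals")
    rx, ry = ranks(x), ranks(y)
    mx, my = mean(rx), mean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sx = sum((a - mx) ** 2 for a in rx) ** 0.5
    sy = sum((b - my) ** 2 for b in ry) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0  # flat series: no evidence

def assess_link(tx_a, rx_b, lldp_rtts_ms, baseline_rtt_ms):
    """Flag a claimed link A->B from port counters and LLDP timing."""
    rho, rtt = spearman(tx_a, rx_b), median(lldp_rtts_ms)
    reasons = []
    if rho < RHO_MIN:
        reasons.append("traffic uncorrelated")
    if rtt > RTT_FACTOR * baseline_rtt_ms:
        reasons.append("LLDP RTT inflated")
    return {"rho": round(rho, 3), "rtt_ms": rtt, "reasons": reasons}

# Constructed samples: bytes per polling interval at each end of a claimed link.
TX_A = [120, 340, 90, 560, 410, 75, 300, 220]
RX_B_REAL = [118, 337, 90, 551, 405, 74, 298, 219]   # same traffic, minor loss
RX_B_FAKE = [300, 80, 410, 95, 120, 500, 60, 330]    # unrelated port activity

if __name__ == "__main__":
    print(assess_link(TX_A, RX_B_REAL, [1.1, 0.9, 1.0, 1.2, 1.0], 1.0))
    print(assess_link(TX_A, RX_B_FAKE, [4.8, 5.2, 5.0, 4.9, 5.1], 1.0))
```

On a real link the bytes sent on one port and received on the other rise and fall together, so the ranks agree even when absolute counts differ slightly; a link that exists only because LLDP frames were relayed shows neither that agreement nor a normal LLDP round-trip time.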
