Behavior Anomaly Detection in SDN Control Plane:A Case Study of Topology Discovery Attacks

The SDN controller uses the OpenFlow Discovery Protocol (OFDP) to collect network topology status. OFDP detects the link between OpenFlow switches by generating Link Layer Discovery Protocol (LLDP) packets. However, OFDP is not a completely secure protocol and can be used by attackers to perform topology discovery injection attacks, topology discovery man-in-the-middle attacks, and topology discovery flood attacks, thereby confusing the network topology. This paper proposes a Correlation-based Topology Anomaly Detection (CTAD) mechanism to run in a software-defined network controller. Spearman's rank correlation is used to analyze the correlation between network traffic between links and measure the time difference between the round trip time of each LLDP frame to determine whether the topology man-in-the-middle attack exists in the network. This paper also adds a dynamic authentication key and counting mechanism in the LLDP frame to prevent attackers from using the topology discovery injection attack to generate fake links and topology discovery flooding attacks, causing network routing or switching abnormalities.