Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks

Li Der Chou, Chien Chang Liu, Meng Sheng Lai, Kai Cheng Chiu, Hsuan Hao Tu, Sen Su, Chun Lin Lai, Chia Kuan Yen, Wei Hsiang Tsai

Research output: Contribution to journalArticlepeer-review

3 Scopus citations


Software-defined networking controllers use the OpenFlow discovery protocol (OFDP) to collect network topology status. The OFDP detects the link between switches by generating link layer discovery protocol (LLDP) packets. However, OFDP is not a security protocol. Attackers can use it to perform topology discovery via injection, man-in-the-middle, and flooding attacks to confuse the network topology. This study proposes a correlation-based topology anomaly detection mechanism. Spearman's rank correlation is used to analyze the network traffic between links and measure the round-trip time of each LLDP frame to determine whether a topology discovery via man-in-the-middle attack exists. This study also adds a dynamic authentication key and counting mechanism in the LLDP frame to prevent attackers from using topology discovery via injection attack to generate fake links and topology discovery via flooding attack to cause network routing or switching abnormalities.

Original languageEnglish
Article number8898949
JournalWireless Communications and Mobile Computing
StatePublished - 2020


Dive into the research topics of 'Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks'. Together they form a unique fingerprint.

Cite this