Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks

Li Der Chou; Chien Chang Liu; Meng Sheng Lai; Kai Cheng Chiu; Hsuan Hao Tu; Sen Su; Chun Lin Lai; Chia Kuan Yen; Wei Hsiang Tsai

doi:10.1109/ICTC46691.2019.8939903

Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks

Li Der Chou, Chien Chang Liu, Meng Sheng Lai, Kai Cheng Chiu, Hsuan Hao Tu, Sen Su, Chun Lin Lai, Chia Kuan Yen, Wei Hsiang Tsai

資訊工程學系

研究成果: 書貢獻/報告類型 › 會議論文篇章 › 同行評審

7 引文斯高帕斯（Scopus）

摘要

The SDN controller uses the OpenFlow Discovery Protocol (OFDP) to collect network topology status. OFDP detects the link between OpenFlow switches by generating Link Layer Discovery Protocol (LLDP) packets. However, OFDP is not a completely secure protocol and can be used by attackers to perform topology discovery injection attacks, topology discovery man-in-the-middle attacks, and topology discovery flood attacks, thereby confusing the network topology. This paper proposes a Correlation-based Topology Anomaly Detection (CTAD) mechanism to run in a software-defined network controller. Spearman's rank correlation is used to analyze the correlation between network traffic between links and measure the time difference between the round trip time of each LLDP frame to determine whether the topology man-in-the-middle attack exists in the network. This paper also adds a dynamic authentication key and counting mechanism in the LLDP frame to prevent attackers from using the topology discovery injection attack to generate fake links and topology discovery flooding attacks, causing network routing or switching abnormalities.

原文	???core.languages.en_GB???
主出版物標題	ICTC 2019 - 10th International Conference on ICT Convergence
主出版物子標題	ICT Convergence Leading the Autonomous Future
發行者	Institute of Electrical and Electronics Engineers Inc.
頁面	357-362
頁數	6
ISBN（電子）	9781728108926
DOIs	https://doi.org/10.1109/ICTC46691.2019.8939903
出版狀態	已出版 - 10月 2019
事件	10th International Conference on Information and Communication Technology Convergence, ICTC 2019 - Jeju Island, Korea, Republic of 持續時間: 16 10月 2019 → 18 10月 2019

出版系列

名字	ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future

???event.eventtypes.event.conference???

???event.eventtypes.event.conference???	10th International Conference on Information and Communication Technology Convergence, ICTC 2019
國家/地區	Korea, Republic of
城市	Jeju Island
期間	16/10/19 → 18/10/19

存取文件

10.1109/ICTC46691.2019.8939903

引用此

Chou, L. D., Liu, C. C., Lai, M. S., Chiu, K. C., Tu, H. H., Su, S., Lai, C. L., Yen, C. K., & Tsai, W. H. (2019). Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks. 於 ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future (頁 357-362). [8939903] (ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ICTC46691.2019.8939903

Chou, Li Der ; Liu, Chien Chang ; Lai, Meng Sheng 等. / Behavior Anomaly Detection in SDN Control Plane : A Case Study of Topology Discovery Attacks. ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future. Institute of Electrical and Electronics Engineers Inc., 2019. 頁 357-362 (ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future).

@inproceedings{b05c4b1182fd41a9b7077085e16e5432,

title = "Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks",

abstract = "The SDN controller uses the OpenFlow Discovery Protocol (OFDP) to collect network topology status. OFDP detects the link between OpenFlow switches by generating Link Layer Discovery Protocol (LLDP) packets. However, OFDP is not a completely secure protocol and can be used by attackers to perform topology discovery injection attacks, topology discovery man-in-the-middle attacks, and topology discovery flood attacks, thereby confusing the network topology. This paper proposes a Correlation-based Topology Anomaly Detection (CTAD) mechanism to run in a software-defined network controller. Spearman's rank correlation is used to analyze the correlation between network traffic between links and measure the time difference between the round trip time of each LLDP frame to determine whether the topology man-in-the-middle attack exists in the network. This paper also adds a dynamic authentication key and counting mechanism in the LLDP frame to prevent attackers from using the topology discovery injection attack to generate fake links and topology discovery flooding attacks, causing network routing or switching abnormalities.",

keywords = "Link Layer Discovery Protocol, OpenFlow Discovery Protocol, Software Defined Networking, topology discovery attacks",

author = "Chou, {Li Der} and Liu, {Chien Chang} and Lai, {Meng Sheng} and Chiu, {Kai Cheng} and Tu, {Hsuan Hao} and Sen Su and Lai, {Chun Lin} and Yen, {Chia Kuan} and Tsai, {Wei Hsiang}",

note = "Publisher Copyright: {\textcopyright} 2019 IEEE.; null ; Conference date: 16-10-2019 Through 18-10-2019",

year = "2019",

month = oct,

doi = "10.1109/ICTC46691.2019.8939903",

language = "???core.languages.en_GB???",

series = "ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "357--362",

booktitle = "ICTC 2019 - 10th International Conference on ICT Convergence",

}

Chou, LD, Liu, CC, Lai, MS, Chiu, KC, Tu, HH, Su, S, Lai, CL, Yen, CK & Tsai, WH 2019, Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks. 於 ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future., 8939903, ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future, Institute of Electrical and Electronics Engineers Inc., 頁 357-362, 10th International Conference on Information and Communication Technology Convergence, ICTC 2019, Jeju Island, Korea, Republic of, 16/10/19. https://doi.org/10.1109/ICTC46691.2019.8939903

Behavior Anomaly Detection in SDN Control Plane : A Case Study of Topology Discovery Attacks. / Chou, Li Der; Liu, Chien Chang; Lai, Meng Sheng 等.

ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future. Institute of Electrical and Electronics Engineers Inc., 2019. p. 357-362 8939903 (ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future).

研究成果: 書貢獻/報告類型 › 會議論文篇章 › 同行評審

TY - GEN

T1 - Behavior Anomaly Detection in SDN Control Plane

AU - Chou, Li Der

AU - Liu, Chien Chang

AU - Lai, Meng Sheng

AU - Chiu, Kai Cheng

AU - Tu, Hsuan Hao

AU - Su, Sen

AU - Lai, Chun Lin

AU - Yen, Chia Kuan

AU - Tsai, Wei Hsiang

PY - 2019/10

Y1 - 2019/10

N2 - The SDN controller uses the OpenFlow Discovery Protocol (OFDP) to collect network topology status. OFDP detects the link between OpenFlow switches by generating Link Layer Discovery Protocol (LLDP) packets. However, OFDP is not a completely secure protocol and can be used by attackers to perform topology discovery injection attacks, topology discovery man-in-the-middle attacks, and topology discovery flood attacks, thereby confusing the network topology. This paper proposes a Correlation-based Topology Anomaly Detection (CTAD) mechanism to run in a software-defined network controller. Spearman's rank correlation is used to analyze the correlation between network traffic between links and measure the time difference between the round trip time of each LLDP frame to determine whether the topology man-in-the-middle attack exists in the network. This paper also adds a dynamic authentication key and counting mechanism in the LLDP frame to prevent attackers from using the topology discovery injection attack to generate fake links and topology discovery flooding attacks, causing network routing or switching abnormalities.

AB - The SDN controller uses the OpenFlow Discovery Protocol (OFDP) to collect network topology status. OFDP detects the link between OpenFlow switches by generating Link Layer Discovery Protocol (LLDP) packets. However, OFDP is not a completely secure protocol and can be used by attackers to perform topology discovery injection attacks, topology discovery man-in-the-middle attacks, and topology discovery flood attacks, thereby confusing the network topology. This paper proposes a Correlation-based Topology Anomaly Detection (CTAD) mechanism to run in a software-defined network controller. Spearman's rank correlation is used to analyze the correlation between network traffic between links and measure the time difference between the round trip time of each LLDP frame to determine whether the topology man-in-the-middle attack exists in the network. This paper also adds a dynamic authentication key and counting mechanism in the LLDP frame to prevent attackers from using the topology discovery injection attack to generate fake links and topology discovery flooding attacks, causing network routing or switching abnormalities.

KW - Link Layer Discovery Protocol

KW - OpenFlow Discovery Protocol

KW - Software Defined Networking

KW - topology discovery attacks

UR - http://www.scopus.com/inward/record.url?scp=85078250052&partnerID=8YFLogxK

U2 - 10.1109/ICTC46691.2019.8939903

DO - 10.1109/ICTC46691.2019.8939903

M3 - 會議論文篇章

AN - SCOPUS:85078250052

T3 - ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future

SP - 357

EP - 362

BT - ICTC 2019 - 10th International Conference on ICT Convergence

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 16 October 2019 through 18 October 2019

ER -

Chou LD, Liu CC, Lai MS, Chiu KC, Tu HH, Su S 等. Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks. 於 ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future. Institute of Electrical and Electronics Engineers Inc. 2019. p. 357-362. 8939903. (ICTC 2019 - 10th International Conference on ICT Convergence: ICT Convergence Leading the Autonomous Future). doi: 10.1109/ICTC46691.2019.8939903

Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks

摘要

出版系列

???event.eventtypes.event.conference???

存取文件

指紋

引用此