Software-defined networking controllers use the OpenFlow discovery protocol (OFDP) to collect network topology status. The OFDP detects the link between switches by generating link layer discovery protocol (LLDP) packets. However, OFDP is not a security protocol. Attackers can use it to perform topology discovery via injection, man-in-the-middle, and flooding attacks to confuse the network topology. This study proposes a correlation-based topology anomaly detection mechanism. Spearman’s rank correlation is used to analyze the network traffic between links and measure the round-trip time of each LLDP frame to determine whether a topology discovery via man-in-the-middle attack exists. This study also adds a dynamic authentication key and counting mechanism in the LLDP frame to prevent attackers from using topology discovery via injection attack to generate fake links and topology discovery via flooding attack to cause network routing or switching abnormalities.

中文翻译：

---

SDN控制平面中的行为异常检测：以拓扑发现攻击为例

软件定义的网络控制器使用OpenFlow发现协议（OFDP）收集网络拓扑状态。OFDP通过生成链路层发现协议（LLDP）数据包来检测交换机之间的链路。但是，OFDP不是安全协议。攻击者可以使用它通过注入，中间人攻击和泛洪攻击来执行拓扑发现，从而混淆网络拓扑。这项研究提出了一种基于相关性的拓扑异常检测机制。Spearman的秩相关用于分析链路之间的网络流量，并测量每个LLDP帧的往返时间，以确定是否存在通过中间人攻击的拓扑发现。