SecTopo: Efficient hybrid model for detecting LLDP topology poisoning attack in programmable data plane

IF 4.4 | Zone 2, Computer Science | Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE
Lilima Jain, Venkanna U., Satyanarayana Vollala
Computer Networks, volume 270, Article 111510. Published 2025-07-17. DOI: 10.1016/j.comnet.2025.111510
https://www.sciencedirect.com/science/article/pii/S1389128625004773
Citation count: 0

Abstract

The SDN controller constructs a global topology view of the programmable data plane using the LLDP-based discovery mechanism. Although the controller has complete topology information, it is susceptible to attacks. Specifically, the LLDP topology poisoning attack aims to poison the controller's topology view to degrade network performance. The attacker disrupts the controller by sending a false LLDP packet request. This false LLDP request creates false link information, causes huge packet loss, and saturates the controller. Existing methods detect false LLDP packets through address verification and coarse-grained monitoring, which proves ineffective for granular classification of network attacks. Moreover, the previous solutions are deployed on the control plane and cannot cope with increased traffic rates and volumes in large-scale networks. This paper proposes SecTopo, an in-network hybrid model-based solution that secures topology discovery services with fine-grained monitoring of LLDP topology poisoning attacks in a programmable data plane. The solution employs autoencoders and a decision tree model to detect and mitigate LLDP topology poisoning attacks. Here, the autoencoder-based decision tree model performs inference within the match-and-action pipeline. The proposed solution was implemented and tested in a Tofino hardware switch-based network topology. The experimental results reveal that SecTopo detects the attack with high accuracy (98.76%) and lower resource consumption. Additionally, it correctly identifies LLDP attack packets while improving network performance and reducing control channel utilization.

Source journal: Computer Networks (Engineering & Technology: Telecommunications)

CiteScore: 10.80
Self-citation rate: 3.60%
Articles published: 434
Review time: 8.6 months

Journal description: Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.