SecTopo: Efficient hybrid model for detecting LLDP topology poisoning attack in programmable data plane
Authors: Lilima Jain, Venkanna U., Satyanarayana Vollala
Journal: Computer Networks, volume 270, Article 111510 (impact factor 4.4; JCR Q1, Computer Science, Hardware & Architecture)
Publication date: 2025-07-17
DOI: 10.1016/j.comnet.2025.111510
URL: https://www.sciencedirect.com/science/article/pii/S1389128625004773
The SDN controller constructs a global topology view of the programmable data plane leveraging the LLDP-based discovery mechanism. Although the controller has complete topology information, it is susceptible to attacks. Specifically, the LLDP topology poisoning attack aims to poison the topology view of the controller to degrade network performance. The attacker disrupts the controller by sending a false LLDP packet request. Sending this false LLDP request creates false link information, causes huge packet loss, and saturates the controller. Existing methods detect false LLDP packets through address verification and coarse-grained monitoring, which proves ineffective in achieving granular network attack classification. Moreover, the previous solution is deployed on the control plane and cannot cope with increased traffic rates and volumes in large-scale networks. This paper proposes SecTopo, an in-network hybrid model-based solution to secure topology discovery services with fine-grained monitoring of LLDP topology poisoning attacks in a programmable data plane. This solution employs autoencoders and a decision tree model to detect and mitigate LLDP topology poisoning attacks. Here, an autoencoder-based decision tree model is inferred within the match and action pipeline. The proposed solution was implemented and tested in a Tofino hardware switch-based network topology. The experimental results reveal that SecTopo detects the attack, providing high accuracy (98.76%) and lower resource consumption. Additionally, it identifies LLDP attack packets correctly with improved network performance and reduced control channel utilization.
About the journal:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.