TopoSleuth: A Context-Aware, Multi-Layered Defense Framework Using Decoy Links and Behavioral Profiling Against SDN Topology Discovery Attacks

preprint OA: closed
Full text JSON View at publisher

Abstract

Abstract Software Defined Networking (SDN) is a diversified networking paradigm that is centralized, dynamic, and enables traffic control and administration through flexible network programmability. The controller and its applications have a holistic view of the underlying physical topology, including switches, ports, hosts, and links. With the increasing significance and popularity of SDN, novel attacks have arisen that can distort the controller’s view of topology. A corrupt topology view can have a catastrophic effect on the controller and topologically dependent services, resulting in falsified routing and forwarding decisions. In this paper, we have proposed a multi-layered, context-aware defense framework called TopoSleuth, that complements the current controller services, Link Discovery Service (LDS) and Host Tracking Service (HTS), with four lightweight modules: (i) Topology Monitor (TM) for correlation and escalation logic; (ii) Decoy Engine (DE) for deception-based tripwires called decoy links; (iii) Behavioral Profiler (BP) for temporal/structural anomalies; and (iv) Multi-hop Validator (MV) for on-demand active probing. The current controllers are seamlessly integrated with TopoSleuth. Because of its defense-in-depth methodology, our solution is effective against topology poisoning attacks, including combination attacks and even topology freezing attacks, for which there is currently no known countermeasure.
Full text 11,570 characters · extracted from preprint-html · click to expand
TopoSleuth: A Context-Aware, Multi-Layered Defense Framework Using Decoy Links and Behavioral Profiling Against SDN Topology Discovery Attacks | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article TopoSleuth: A Context-Aware, Multi-Layered Defense Framework Using Decoy Links and Behavioral Profiling Against SDN Topology Discovery Attacks Muhammad Shoaib, Muhammad Faisal Amjad, Faiz ul Islam, Shahzaib Tahir Butt, and 1 more This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-7495772/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract Software Defined Networking (SDN) is a diversified networking paradigm that is centralized, dynamic, and enables traffic control and administration through flexible network programmability. The controller and its applications have a holistic view of the underlying physical topology, including switches, ports, hosts, and links. With the increasing significance and popularity of SDN, novel attacks have arisen that can distort the controller’s view of topology. A corrupt topology view can have a catastrophic effect on the controller and topologically dependent services, resulting in falsified routing and forwarding decisions. In this paper, we have proposed a multi-layered, context-aware defense framework called TopoSleuth, that complements the current controller services, Link Discovery Service (LDS) and Host Tracking Service (HTS), with four lightweight modules: (i) Topology Monitor (TM) for correlation and escalation logic; (ii) Decoy Engine (DE) for deception-based tripwires called decoy links; (iii) Behavioral Profiler (BP) for temporal/structural anomalies; and (iv) Multi-hop Validator (MV) for on-demand active probing. The current controllers are seamlessly integrated with TopoSleuth. Because of its defense-in-depth methodology, our solution is effective against topology poisoning attacks, including combination attacks and even topology freezing attacks, for which there is currently no known countermeasure. SDN Topology Poisoning Attacks Link Fabrication Attack Identifier Binding Attacks Decoy Links Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-7495772","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":513485246,"identity":"40d02733-d7f8-4f1c-b45b-6fff84c69b24","order_by":0,"name":"Muhammad Shoaib","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABUUlEQVRIie2RMWvCQBTHnwScLma9EO03KJwcnAhFv4py4BRKp+JQilBwsnW14IdIKWR+4cAuKa4ZHOri5GDpUkHaHmdDldR2LTQ/eAf3f/y49ziAnJw/CdHFEICaE8BJw5RCD8D6UXF7lgmp6eIhBbaKuTP8RTkePkZPr2czqHlXd9HabzT5dDqhy+7sErwBf1nBSSVAW7EvRSSnsjpgC6iPJ2fKDmU7TGTRHccLCuVYUIQOD7AkW7sKEZQwBSzxmSqE2BKJVfTsvqJAfaEHU+0ACccdZRoLd/OpROsQm3yotPJmFL5CeM8o6AsvfQXtEAsBSK30jML0YGiUvcF8zstsQeqjznaXUSK5Xky5fdo5pzGT/FaVJNsbrDpfbmZHNSrvn9dho+kMo3myvFCOo5NVt9uo3DxcKwoZCMtExe036bJIppm2DvK9kpOTk/Nf+ABMt4ZSa4ha3QAAAABJRU5ErkJggg==","orcid":"","institution":"National University of Sciences and Technology","correspondingAuthor":true,"prefix":"","firstName":"Muhammad","middleName":"","lastName":"Shoaib","suffix":""},{"id":513485248,"identity":"53d5d69b-1f4e-474c-b3d2-2eba304b939d","order_by":1,"name":"Muhammad Faisal Amjad","email":"","orcid":"","institution":"National University of Sciences and Technology","correspondingAuthor":false,"prefix":"","firstName":"Muhammad","middleName":"Faisal","lastName":"Amjad","suffix":""},{"id":513485249,"identity":"3d470fed-d11d-44d2-b11c-bd50c1b80063","order_by":2,"name":"Faiz ul Islam","email":"","orcid":"","institution":"National University of Sciences and Technology","correspondingAuthor":false,"prefix":"","firstName":"Faiz","middleName":"ul","lastName":"Islam","suffix":""},{"id":513485250,"identity":"46afe69a-e34f-4188-97b0-2c818fd56eb0","order_by":3,"name":"Shahzaib Tahir Butt","email":"","orcid":"","institution":"National University of Sciences and Technology","correspondingAuthor":false,"prefix":"","firstName":"Shahzaib","middleName":"Tahir","lastName":"Butt","suffix":""},{"id":513485252,"identity":"bf0d827a-be75-4c59-95d3-987adac8cb0a","order_by":4,"name":"Kashif Sattar","email":"","orcid":"","institution":"Pir Mehr Ali Shah Arid Agriculture University","correspondingAuthor":false,"prefix":"","firstName":"Kashif","middleName":"","lastName":"Sattar","suffix":""}],"badges":[],"createdAt":"2025-08-30 14:08:17","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-7495772/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-7495772/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":94995461,"identity":"82650572-9d3d-47be-8aed-28560138c453","added_by":"auto","created_at":"2025-11-03 07:54:07","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":711931,"visible":true,"origin":"","legend":"","description":"","filename":"TopoSleuth.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7495772/v1_covered_48e1f0bf-dd45-4b3b-a3bc-09416376755f.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"TopoSleuth: A Context-Aware, Multi-Layered Defense Framework Using Decoy Links and Behavioral Profiling Against SDN Topology Discovery Attacks\n\n\n","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"SDN, Topology Poisoning Attacks, Link Fabrication Attack, Identifier Binding Attacks, Decoy Links","lastPublishedDoi":"10.21203/rs.3.rs-7495772/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-7495772/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"Software Defined Networking (SDN) is a diversified networking paradigm that is centralized, dynamic, and enables traffic control and administration through flexible network programmability. The controller and its applications have a holistic view of the underlying physical topology, including switches, ports, hosts, and links. With the increasing significance and popularity of SDN, novel attacks have arisen that can distort the controller’s view of topology. A corrupt topology view can have a catastrophic effect on the controller and topologically dependent services, resulting in falsified routing and forwarding decisions. In this paper, we have proposed a multi-layered, context-aware defense framework called TopoSleuth, that complements the current controller services, Link Discovery Service (LDS) and Host Tracking Service (HTS), with four lightweight modules: (i) Topology Monitor (TM) for correlation and escalation logic; (ii) Decoy Engine (DE) for deception-based tripwires called decoy links; (iii) Behavioral Profiler (BP) for temporal/structural anomalies; and (iv) Multi-hop Validator (MV) for on-demand active probing. The current controllers are seamlessly integrated with TopoSleuth. Because of its defense-in-depth methodology, our solution is effective against topology poisoning attacks, including combination attacks and even topology freezing attacks, for which there is currently no known countermeasure.","manuscriptTitle":"TopoSleuth: A Context-Aware, Multi-Layered Defense Framework Using Decoy Links and Behavioral Profiling Against SDN Topology Discovery Attacks","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-09-15 03:08:41","doi":"10.21203/rs.3.rs-7495772/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"863ff0a5-3317-4942-a4ea-ff8537451355","owner":[],"postedDate":"September 15th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[],"tags":[],"updatedAt":"2025-11-03T07:53:25+00:00","versionOfRecord":[],"versionCreatedAt":"2025-09-15 03:08:41","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-7495772","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7495772","identity":"rs-7495772","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2025) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00