Shoaib, Muhammad <br/><br/>
Securing Data Plane To Induce Secure Topology Discovery In Software-Defined Networks / 
Muhammad Shoaib 
 - Rawalpindi,  MCS (NUST),   2026 
 - xvii, 131 p 
<br/><br/>Software-Defined Networking (SDN) has revolutionized modern network architectures<br/>by decoupling the control plane from the data plane, enabling centralized network management,<br/>programmability and dynamic policy enforcement. However, this architectural<br/>shift introduces significant security challenges, particularly concerning the integrity of<br/>network topology information. Topology discovery, a fundamental controller service<br/>that constructs the network’s connectivity graph, is vulnerable to poisoning attacks<br/>where adversaries manipulate discovery messages to corrupt the controller’s view of the<br/>network. Such attacks can lead to severe consequences including traffic interception,<br/>denial of service, policy evasion and persistent network manipulation.<br/>This thesis addresses the critical problem of securing SDN topology discovery against<br/>sophisticated poisoning attacks. Current defense mechanisms primarily rely on single<br/>layer approaches such as cryptographic authentication, anomaly detection, or active<br/>probing-each with limitations in scalability, deployability, or resilience against adaptive<br/>adversaries. To overcome these limitations, this research adopts a paradigm shift by<br/>treating secure topology discovery as a consequence of establishing trust in the data<br/>plane, rather than addressing it solely as a protocol-level problem.<br/>The thesis makes two primary contributions. First, it presents VADSec (VLAN and<br/>Active Directory-based Security), a lightweight data-plane identity protection scheme<br/>that establishes a root of trust by enforcing host identity verification before allowing<br/>participation in network operations. VADSec employs quarantine VLANs, broadcastbased<br/>impersonation detection and directory-backed authentication to prevent host-level<br/>topology poisoning attacks.<br/>Second, building upon this trusted foundation, the thesis introduces TopoSleuth, a<br/>comprehensive multi-layer topology discovery defense framework. TopoSleuth integrates<br/>four complementary defense mechanisms: (1) deception-based detection using passive<br/>decoy links, (2) behavioral profiling of topology dynamics, (3) selective multi-hop<br/>validation of suspicious links and (4) confidence-based evidence fusion. By correlating<br/>evidence from multiple independent detection layers, TopoSleuth makes it significantly<br/>more difficult for attackers to manipulate topology discovery without being detected,<br/>while maintaining low operational overhead. 
<br/><br/><label>Subjects--Topical Terms: </label><br/>PhD Information Security Thesis
<br/><br/><label>Subjects--Geographic Terms: </label><br/>PhD IS Thesis
<br/><br/><label>Dewey Class. No.: </label>005.8,SHO