Securing Data Plane To Induce Secure Topology Discovery In Software-Defined Networks / Muhammad Shoaib

By: Shoaib, Muhammad
Contributor(s): Supervised by Dr. Muhammad Faisal Amjad
Material type: Text
Publisher: Rawalpindi, MCS (NUST), 2026
Description: xvii, 131 p.
Subject(s): PhD Information Security Thesis | PhD IS Thesis
DDC classification: 005.8,SHO
Contents:
Software-Defined Networking (SDN) has revolutionized modern network architectures by decoupling the control plane from the data plane, enabling centralized network management, programmability and dynamic policy enforcement. However, this architectural shift introduces significant security challenges, particularly concerning the integrity of network topology information. Topology discovery, a fundamental controller service that constructs the network's connectivity graph, is vulnerable to poisoning attacks in which adversaries manipulate discovery messages to corrupt the controller's view of the network. Such attacks can lead to severe consequences including traffic interception, denial of service, policy evasion and persistent network manipulation.

This thesis addresses the critical problem of securing SDN topology discovery against sophisticated poisoning attacks. Current defense mechanisms primarily rely on single-layer approaches such as cryptographic authentication, anomaly detection, or active probing, each with limitations in scalability, deployability, or resilience against adaptive adversaries. To overcome these limitations, this research adopts a paradigm shift by treating secure topology discovery as a consequence of establishing trust in the data plane, rather than addressing it solely as a protocol-level problem.

The thesis makes two primary contributions. First, it presents VADSec (VLAN and Active Directory-based Security), a lightweight data-plane identity protection scheme that establishes a root of trust by enforcing host identity verification before allowing participation in network operations. VADSec employs quarantine VLANs, broadcast-based impersonation detection and directory-backed authentication to prevent host-level topology poisoning attacks.

Second, building upon this trusted foundation, the thesis introduces TopoSleuth, a comprehensive multi-layer topology discovery defense framework. TopoSleuth integrates four complementary defense mechanisms: (1) deception-based detection using passive decoy links, (2) behavioral profiling of topology dynamics, (3) selective multi-hop validation of suspicious links and (4) confidence-based evidence fusion. By correlating evidence from multiple independent detection layers, TopoSleuth makes it significantly more difficult for attackers to manipulate topology discovery without being detected, while maintaining low operational overhead.
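The four-layer design the abstract attributes to TopoSleuth can be illustrated with a small controller-side link-admission check. The following Python is an added example written for this page; it is not TopoSleuth's code and is not taken from the thesis. It models each discovered switch-to-switch link as a report, gathers passive evidence (a decoy port touched, an endpoint on a port where end hosts were learned, a port announcing a new peer), runs an active validation probe only for links that already look suspicious, and fuses the evidence into one confidence score. The port identifiers, layer weights, threshold, baseline delay and probe delays are all assumptions chosen for the example, as is the noisy-OR fusion rule.

```python
"""Added illustration of multi-layer link admission for SDN topology discovery.
Not TopoSleuth's implementation: the signals, weights, threshold and the
constructed scenario below are assumptions chosen for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

Port = Tuple[str, int]   # (switch datapath id, port number)
Link = Tuple[Port, Port]

# Assumed per-layer trust: how strongly one layer alone indicates poisoning.
WEIGHTS = {"decoy": 0.9, "host_port": 0.4, "churn": 0.3, "validation": 0.5}


@dataclass(frozen=True)
class LinkReport:
    """One link the controller derived from a received discovery packet."""
    src: Port
    dst: Port


def fuse(evidence: Dict[str, float]) -> float:
    """Confidence fusion (noisy-OR): P(poisoned) = 1 - prod(1 - w_i * e_i)."""
    p_clean = 1.0
    for layer, e in evidence.items():
        p_clean *= 1.0 - WEIGHTS[layer] * e
    return 1.0 - p_clean


class TopologyGuard:
    def __init__(self, decoy_ports: Set[Port], host_ports: Set[Port],
                 prober: Callable[[Port, Port], float],
                 baseline_ms: float = 1.0, threshold: float = 0.6) -> None:
        self.decoy_ports = decoy_ports   # layer 1: ports that never carry real discovery
        self.host_ports = host_ports     # layer 2: ports where end-host MACs were learned
        self.prober = prober             # layer 3: measures probe delay across a link
        self.baseline_ms = baseline_ms   # expected delay of a direct switch-to-switch link
        self.threshold = threshold       # layer 4: reject when fused score reaches this
        self.peers: Dict[Port, Set[Port]] = {}   # every peer each port has ever announced
        self.links: Set[Link] = set()             # links admitted into the topology
        self.probes_sent = 0

    def _passive_evidence(self, r: LinkReport) -> Dict[str, float]:
        ends = (r.src, r.dst)
        decoy = any(p in self.decoy_ports for p in ends)
        host = any(p in self.host_ports for p in ends)
        # churn: an endpoint that previously announced a different peer
        churn = any(self.peers.get(p, set()) - {peer}
                    for p, peer in ((r.src, r.dst), (r.dst, r.src)))
        return {"decoy": float(decoy), "host_port": float(host), "churn": float(churn)}

    def _validate(self, r: LinkReport) -> float:
        """Active probe, only for suspicious links; extra delay suggests a relay."""
        self.probes_sent += 1
        excess = (self.prober(r.src, r.dst) - self.baseline_ms) / self.baseline_ms
        return min(1.0, max(0.0, excess))

    def evaluate(self, r: LinkReport) -> Tuple[float, Dict[str, float]]:
        ev = self._passive_evidence(r)
        if any(ev.values()):                 # selective: probe only on suspicion
            ev["validation"] = self._validate(r)
        self.peers.setdefault(r.src, set()).add(r.dst)
        self.peers.setdefault(r.dst, set()).add(r.src)
        return fuse(ev), ev

    def admit(self, r: LinkReport) -> bool:
        score, _ = self.evaluate(r)
        ok = score < self.threshold
        if ok:
            self.links.add((r.src, r.dst))
        return ok


def run_scenario() -> List[Tuple[LinkReport, float, bool]]:
    """Constructed scenario (not measured data): an honest link, a link relayed
    through two compromised hosts, a link that touches a decoy port, and an
    honest re-cabling that only trips the weak churn signal."""
    delays = {  # assumed probe delays in ms; the relayed link adds host hops
        (("s1", 3), ("s3", 4)): 4.2,
        (("s1", 2), ("s2", 9)): 1.0,
        (("s1", 1), ("s3", 1)): 1.1,
    }
    guard = TopologyGuard(decoy_ports={("s2", 9)},
                          host_ports={("s1", 3), ("s3", 4)},
                          prober=lambda a, b: delays[(a, b)])
    reports = [LinkReport(("s1", 1), ("s2", 1)),   # honest, never probed
               LinkReport(("s1", 3), ("s3", 4)),   # host-relayed: host_port + validation
               LinkReport(("s1", 2), ("s2", 9)),   # hits decoy port: rejected outright
               LinkReport(("s1", 1), ("s3", 1))]   # churn only: weak, still admitted
    out = []
    for r in reports:
        score, _ = guard.evaluate(r)
        ok = score < guard.threshold
        if ok:
            guard.links.add((r.src, r.dst))
        out.append((r, score, ok))
    return out


if __name__ == "__main__":
    for r, score, ok in run_scenario():
        print(f"{r.src}->{r.dst}: score={score:.3f} admitted={ok}")
```

The point of the fusion step is visible in the last two reports: the decoy signal alone is strong enough to reject a link, while a single weak signal such as churn is not, and the active probe is only spent on links that some passive layer has already flagged.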
Item type: Thesis
Current location: Military College of Signals (MCS)
Home library: Military College of Signals (MCS)
Shelving location: Thesis
Call number: 005.8,SHO
Status: Available
Barcode: MCSPhD IS-20
Total holds: 0

