Clear Sky Science · en
TopoSleuth, a decoy-based multi-layered defense framework for securing SDN topology discovery
Why invisible map tricks matter
Modern digital life runs on huge, ever‑changing networks. In many data centers and cloud platforms, a newer approach called Software‑Defined Networking (SDN) lets engineers steer traffic with software instead of twisting knobs on individual routers and switches. That flexibility is powerful, but it comes with a catch: the central controller relies on an internal map of how everything is connected. If an attacker quietly tampers with that map, they can misdirect data, hide parts of the network, or knock services offline. This paper introduces TopoSleuth, a lightweight guardian for that map, designed to spot and stop such tricks in real time.

A new way networks are run
In SDN, the intelligence of the network sits in a central controller. Physical devices in the “data plane” simply forward packets according to rules the controller sends them. To do its job, the controller must constantly discover which switches, links, and hosts exist and how they are connected. It does this using small housekeeping messages that switches exchange and report back. From those reports, the controller builds a simplified picture of the network, which then guides routing, load balancing, firewall policies, and more. The entire system assumes these reports are honest and complete—which turns out to be a dangerous assumption.
How attackers rewrite the network’s map
The messages used for discovering links and tracking hosts lack basic security checks such as integrity protection or strong authentication. Prior research has shown that a hostile machine or compromised switch can forge, relay, replay, or suppress these messages to mount what are called topology poisoning attacks. They can invent links that do not exist, hide ones that do, or hijack the identity and location of hosts. Newer attacks even “freeze” the controller’s view so it keeps believing an old, now‑wrong map, or combine multiple tricks to bypass earlier defenses. Existing protection schemes either cover only a narrow set of attacks, demand changes to switch hardware or protocols, or consume large amounts of computing and network resources.
Decoy links: tripwires in the network map
TopoSleuth tackles these gaps with a multi‑layer design that requires no new hardware and no heavy cryptography. Its most distinctive feature is a Decoy Engine that plants fake links—entries that exist only inside the controller’s map and never on real cables. Because only the controller knows which links are decoys, any attempt to “activate” one of them in a report is a strong sign of foul play. These decoys act as tripwires: when touched, they immediately flag the presence of forged or relayed discovery traffic. The system chooses where to place these lies strategically, preferring important and stable parts of the topology, and quietly refreshes them over time so attackers cannot learn and avoid them.
Watching behavior and double‑checking suspicious paths
Decoys are only one line of defense. A Behavioral Profiler continuously watches how discovery messages flow and how links are used. It looks at how often these messages arrive, whether they appear from both ends of a link, how their timing changes, how they correlate with real data traffic, and how hosts move between ports. From this, it builds a health score for each link and can spot patterns that match advanced attacks, including freezing the map or subtly changing message timing. When something looks off, a Multi‑Hop Validator steps in. Instead of probing everything all the time, it sends special test packets only along questionable paths to see whether they really exist and behave as expected. A Topology Monitor then combines evidence from decoys, behavior scores, and these targeted checks to decide whether to accept, question, or quarantine each link before the controller relies on it.
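As an added illustration (not the paper's code), here is a toy controller-side monitor in the spirit of the decoy tripwire and the accept/question/quarantine decision described above; the topology, the health-score formula and its thresholds are constructed assumptions, not TopoSleuth's actual rules.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed topology: real links plus two decoys that exist only in the
# controller's map (assumed values, not from the paper).
REAL_LINKS = {("s1", "s2"), ("s2", "s3"), ("s3", "s4")}
DECOY_LINKS = {("s1", "s4"), ("s2", "s4")}

def norm(link):
    """Links are undirected: store endpoints in canonical order."""
    return tuple(sorted(link))

class TopologyMonitor:
    def __init__(self, real, decoys):
        self.decoys = {norm(l) for l in decoys}
        self.sightings = defaultdict(list)   # link -> [(reporting end, ts)]
        self.alerts = []

    def observe(self, src, dst, ts):
        """One link-discovery report: switch src saw dst at time ts."""
        link = norm((src, dst))
        if link in self.decoys:
            # Tripwire: no real cable carries this link, so a report
            # claiming it means forged or relayed discovery traffic.
            self.alerts.append(("decoy_activated", link, src, ts))
        self.sightings[link].append((src, ts))

    def health(self, link):
        """Constructed score in [0, 1]: both ends report the link, and
        each end's report interval is stable (low timing jitter)."""
        seen = self.sightings.get(norm(link), [])
        ends = {s for s, _ in seen}
        if not ends:
            return 0.0
        bidirectional = 1.0 if len(ends) == 2 else 0.5
        gaps = []
        for end in ends:
            ts = [t for s, t in seen if s == end]
            gaps += [b - a for a, b in zip(ts, ts[1:])]
        jitter = pstdev(gaps) if len(gaps) > 1 else 0.0
        timing = 1.0 if jitter < 0.5 else 0.5   # assumed jitter threshold
        return bidirectional * timing

    def decide(self, link):
        """accept / question (worth a targeted probe) / quarantine."""
        if norm(link) in self.decoys and self.sightings.get(norm(link)):
            return "quarantine"
        h = self.health(link)
        return "accept" if h >= 0.9 else "question" if h >= 0.5 else "quarantine"
```

A "question" verdict is where the Multi-Hop Validator would send its targeted probe; the decoy path skips the score entirely because a single touch is already conclusive.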

Putting the guardian to the test
The authors built TopoSleuth as an add‑on application for a popular open‑source SDN controller and tested it on a 20‑switch, 40‑host virtual network. They unleashed ten different kinds of topology attacks drawn from the research literature, ranging from simple fake links and message floods to complex multi‑hop relay and timing‑manipulation schemes. In these trials, TopoSleuth detected the vast majority of attacks—often all of them for the simpler cases—while generating few false alarms. It spotted threats far faster than competing defenses, typically within a few tens of milliseconds, and added only modest overhead: about 6% extra CPU use and a few dozen megabytes of memory on the controller, with little additional network chatter.
What this means for everyday users
From a user’s perspective, the most important question is whether the network can be quietly steered against them. TopoSleuth’s central message is that the controller’s “mental map” of the network can and should be defended just as seriously as firewalls or encryption keys. By combining planted tripwires, continuous behavioral watching, and targeted double‑checks, the framework offers broad protection against both straightforward and subtle map‑tampering tricks, without demanding new hardware or slowing the network to a crawl. As SDN becomes more common in clouds, data centers, and service‑provider backbones, tools like TopoSleuth could help ensure that the flexible networks powering our apps and services remain trustworthy behind the scenes.
Citation: Shoaib, M., Amjad, M.F., Islam, F.u. et al. TopoSleuth, a decoy-based multi-layered defense framework for securing SDN topology discovery. Sci Rep 16, 8970 (2026). https://doi.org/10.1038/s41598-026-43048-z
Keywords: software defined networking, network security, topology attacks, intrusion detection, decoy defense