TY - JOUR
T1 - Software-defined network forensics
T2 - Motivation, potential locations, requirements, and challenges
AU - Khan, Suleman
AU - Gani, Abdullah
AU - Wahid Abdul Wahab, Ainuddin
AU - Abdelaziz, Ahmed
AU - Ko, Kwangman
AU - Khan, Muhammad Khurram
AU - Guizani, Mohsen
PY - 2016/12/1
Y1 - 2016/12/1
N2 - The separation of the control plane from the data plane of a switch enables abstraction of a network through a logically centralized controller. The controller functions as the “brain” of a software-defined network. However, centralized control draws attackers to exploit different network devices by hijacking the controller. Security was initially not a key characteristic of SDN architecture, which left it vulnerable to various attackers. The investigation of such attacks in the newly emerging SDN architecture is a challenging task. Therefore, a comprehensive forensic mechanism is required to investigate different forms of attacks by determining their root cause. This article discusses an important area in SDN security, SDN forensics, which until now has received minimal focus. We compare traditional network forensics with SDN forensics to highlight the key differences between them. A brief motivation for SDN forensics is presented to emphasize its significance. Moreover, the potential locations with possible evidence against attackers are identified in SDN. Key requirements are highlighted for SDN forensics with respect to baseline investigation procedures. Finally, we identify challenges in SDN forensics by highlighting potential research areas for researchers, investigators, and academicians.
AB - The separation of the control plane from the data plane of a switch enables abstraction of a network through a logically centralized controller. The controller functions as the “brain” of a software-defined network. However, centralized control draws attackers to exploit different network devices by hijacking the controller. Security was initially not a key characteristic of SDN architecture, which left it vulnerable to various attackers. The investigation of such attacks in the newly emerging SDN architecture is a challenging task. Therefore, a comprehensive forensic mechanism is required to investigate different forms of attacks by determining their root cause. This article discusses an important area in SDN security, SDN forensics, which until now has received minimal focus. We compare traditional network forensics with SDN forensics to highlight the key differences between them. A brief motivation for SDN forensics is presented to emphasize its significance. Moreover, the potential locations with possible evidence against attackers are identified in SDN. Key requirements are highlighted for SDN forensics with respect to baseline investigation procedures. Finally, we identify challenges in SDN forensics by highlighting potential research areas for researchers, investigators, and academicians.
U2 - 10.1109/MNET.2016.1600051NM
DO - 10.1109/MNET.2016.1600051NM
M3 - Review article
SN - 0890-8044
VL - 30
SP - 6
EP - 13
JO - IEEE Network
JF - IEEE Network
IS - 6
ER -