The application of Software Defined Networking on securing computer networks: A survey

Abstract: Software Defined Networking (SDN) has emerged as a new networking paradigm for managing different kinds of networks, ranging from enterprise to home networks, through software-enabled control. The logically centralized control plane and programmability offer a great opportunity to improve network security, such as implementing new mechanisms to detect and mitigate various threats, and also enable deploying security as a service on the SDN controller. Given the rapid and ongoing development of SDN, this paper provides an extensive survey on the application of SDN to enhancing the security of computer networks. In particular, we survey recent research studies that focus on applying SDN for network security, including attack detection and mitigation, traffic monitoring and engineering, configuration and policy management, service chaining, and middlebox deployment, in addition to smart grid security. We further identify some challenges and promising future directions on SDN security, compatibility and scalability issues that should be addressed in this field.
