A comparative analysis of software-defined network controllers in terms of network forensics processes and capabilities

Abstract

The proliferation of software-defined networks (SDN) increases the necessity of security and forensic research in this field. Network forensics is of particular importance considering the ever-increasing traffic density and variety of devices, and SDN has great potential for improved forensic processes thanks to its ability to provide a centralized view and control of the network. This article’s motivation is the lack of a standard forensic process in SDN. The main objective of this study is to examine the differences in the forensic processes of different SDN controllers, whether the southbound interface data is sufficient for the forensic processes, and whether it is possible to choose the best controller in terms of forensics. Four of the most widely used controllers have been selected and tested under seven different scenarios to ob-serve how the results were obtained in terms of forensics. During the tests, in addition to the routine data accesses, attack preparation tools and denial-of-service attack tools were used to expand the scope. Experiments in which each scenario was applied for four different controllers demonstrated that different controllers have different characteristics in network forensics parameters, such as attack type detection, attacker information, service interruptions, packet size, and the number of packets. Experiments proved that southbound interface data is sufficient for forensic processes, different controllers have different characteristics in forensic processes, none of the most used controllers is the best to cover all forensic processes, and a standard forensic method is required for software-defined network forensics.

Keywords

• Computer Networks
• Cyber Security
• Forensics
• Software-Defined Networks
• OpenFlow
• Southbound Interface
• Ryu
• ONOS
• OpenDaylight
• POX

References

1. [1] Abdelaziz A, Fong AT, Gani A, Garba U, Khan S, Akhunzada A, et al. Distributed controller clustering in software defined networks. PLoS One 2017;12. [CrossRef]
2. [2] Rawat DB, Reddy SR. Software defined networking architecture, security and energy efficiency: A survey. IEEE Commun Surv Tutorials 2017;19:325–346. [CrossRef]
3. [3] Van Adrichem NLM, Doerr C, Kuipers FA. OpenNetMon: Network monitoring in OpenFlow software-defined networks. IEEE/IFIP NOMS 2014 - IEEE/IFIP Netw. Oper. Manag. Symp. Manag. a Softw. Defin. World, IEEE Computer Society; 2014. [CrossRef]
4. [4] ONF White Paper, Software-Defined Networking: The New Norm for Networks, OPEN NETWORKING FOUNDATION, 2012. Available at: https://opennetworking.org/sdn- resources/whitepapers/software-defined-networking-the-new-norm-for-networks/ Accessed on Sep 5, 2022.
5. [5] Yan Z, Zhang P, Vasilakos A V. A security and trust framework for virtualized networks and software-defined networking. Secur Commun Networks 2016;9:3059–3069. [CrossRef]
6. [6] Chourishi D, Miri A, Milic M, Ismaeel S. Role-based multiple controllers for load balancing and security in SDN. 2015 IEEE Canada Int. Humanit. Technol. Conf. IHTC 2015, Institute of Electrical and Electronics Engineers Inc.; 2015. [CrossRef]
7. [7] Al-Najjar A, Layeghy S, Portmann M. Pushing SDN to the end-host, network load balancing using OpenFlow. 2016 IEEE Int. Conf. Pervasive Comput. Commun. Work. PerCom Work. 2016, Institute of Electrical and Electronics Engineers Inc.; 2016. [CrossRef]
8. [8] Kreutz D, Ramos FMV, Verissimo PE, Rothenberg CE, Azodolmolky S, Uhlig S. Software-defined networking: A comprehensive survey. Proc IEEE 2015;103:14–76. [CrossRef]

9. [9] Shin S, Xu L, Hong S, Gu G. Enhancing Network Security through Software Defined Networking (SDN). 2016 25th Int. Conf. Comput. Commun. Networks, ICCCN 2016, Institute of Electrical and Electronics Engineers Inc.; 2016. [CrossRef]
10. [10] Nguyen T, Yoo M. Analysis of link discovery service attacks in SDN controller. 2017 International Conference on Information Networking (ICOIN);2017. p. 259261.
11. [11] Chi PW, Kuo CT, Guo JW, Lei CL. How to detect a compromised SDN switch. 1st IEEE Conf. Netw. Softwarization Software-Defined Infrastructures Networks, Clouds, IoT Serv. NETSOFT 2015, Institute of Electrical and Electronics Engineers Inc.; 2015.
12. [12] Bawany NZ, Shamsi JA, Salah K. DDoS attack detection and mitigation using SDN: Methods, practices, and solutions. Arab J Sci Eng 2017;42:425–441. [CrossRef]
13. [13] Hong S, Xu L, Wang H, Gu G. Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures, Internet Society; 2015. [CrossRef]
14. [14] Shrivastava G. Network forensics: Methodical literature review. 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom);2016. p. 2203–2208.
15. [15] Shrivastava G, Sharma K, Kumari R. Network forensics: Today and tomorrow. 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom); 2016. p. 2234–2238.
16. [16] Ring M, Wunderlich S, Scheuring D, Landes D, Hotho A. A survey of network-based intrusion detection data sets. Comput Secur 2019;86:147–167. [CrossRef]
17. [17] DFRWS Technical Report, A Road Map for Digital Forensic Research, The Digital Forensic Research Conference, DFRWS 2001, Page 27. https://dfrws.org/wp- content/uploads/2019/06/2001_USA_a_road_map_for_digital_forensic_research.pdf (Accessed on Jul 2, 2022.
18. [18] Pandya MK, Homayoun S, Dehghantanha A. Forensics Investigation of OpenFlow-Based SDN Platforms. In: Dehghantanha A., Conti M., Dargahi T. (Eds) Cyber Threat Intelligence 2018. Advances in Information Security, vol 70. Springer, Cham.;2018. p. 281297. [CrossRef]
19. [19] Akbari I, Tahoun E, Salahuddin MA, Limam N, Boutaba R. ATMoS: Autonomous Threat Mitigation in SDN using Reinforcement Learning. NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium; 2020. [CrossRef]
20. [20] Waseem Q, Alshamrani SS, Nisar K, Din WISW, Alghamdi AS. Future technology: Software-defined network (SDN) forensic. Symmetry (Basel) 2021;13. [CrossRef]
21. [21] Revathi M, Ramalingam VV, Amutha B. A Machine Learning Based Detection and Mitigation of the DDOS Attack by Using SDN Controller Framework. Wirel Pers Commun 2021;127:24172441. [CrossRef]
22. [22] Muraga, W H, Seman K, Marhusin M F. A POX Controller Module to Collect Web Traffic Statistics in SDN Environment. World Academy of Science, Engineering and Technology, International Journal of Computer, Electrical, Automation, Control and Information Engineering, 2017;10:21052110. [CrossRef]
23. [23] Bouba Mahamat S, Çeken C. Anomaly detection in software-defined networking using machine learning. Düzce Üniversitesi Bilim ve Teknoloji Dergisi 2019;7:748756. [CrossRef]
24. [24] Balarezo JF, Wang S, Chavez KG, Al-Hourani A, Fu J, Sithamparanathan K. Low-rate TCP DDoS Attack Model in the Southbound Channel of Software Defined Networks. 2020 14th Int. Conf. Signal Process. Commun. Syst. ICSPCS 2020 - Proc., Institute of Electrical and Electronics Engineers Inc.; 2020. [CrossRef]
25. [25] Khan S, Gani A, Wahab AWA, Abdelaziz A, Ko K, Khan MK, et al. Software-defined network forensics: Motivation, potential locations, requirements, and challenges. IEEE Netw 2016;30:6–13. [CrossRef]
26. [26] Khan S, Gani A, Wahab AWA, Abdelaziz A, Bagiwa MA. FML: A novel forensics management layer for software defined networks. Proc. 2016 6th Int. Conf. - Cloud Syst. Big Data Eng. Conflu. 2016, Institute of Electrical and Electronics Engineers Inc.; 2016, p. 619–623. [CrossRef]
27. [27] Mugitama SA, Dwi N, Cahyani W, Sukarno P. An Evidence-Based Technical Process for OpenFlow-Based SDN Forensics; An Evidence-Based Technical Process for OpenFlow-Based SDN Forensics 2020;16. [CrossRef]
28. [28] Spiekermann D, Keller J, Eggendorfer T. Network forensic investigation in OpenFlow networks with ForCon. DFRWS 2017 EU - Proc. 4th Annu. DFRWS Eur., Digital Forensic Research Workshop; 2017, p. S66–S74. [CrossRef]
29. [29] Achleitner S, La Porta T, Jaeger T, McDaniel P. Adversarial network forensics in software defined networking. SOSR 2017 - Proc. 2017 Symp. SDN Res., Association for Computing Machinery, Inc; 2017, p. 8–20.
30. [30] Zhang S, Meng X, Wang L. SDNForensics: A Comprehensive Forensics Framework for Software Defined Network; 2016.
31. [31] Wang H, Yang G, Chinprutthiwong P, Xu L, Zhang Y, Gu G. Towards fine-grained network security forensics and diagnosis in the SDN era. Proc. ACM Conf. Comput. Commun. Secur., Association for Computing Machinery; 2018, p. 3–16. [CrossRef]
32. [32] Mininet Project Contributors. Mininet, v2.3.0 (version 2.3.0), An Instant Virtual Network on your laptop, 2021. Available at: http://mininet.org/ Accessed on Jul 2, 2022.
33. [33] Ryu SDN Framework Community. Ryu Controller, v4.34 (version 4.34), 2017. Available at: https://Ryu-sdn.org/, Accessed on Jul 2, 2022.
34. [34] Open Networking Foundation. ONOS Controller, v2.5.1 (version 2.5.1), 2021. Available at: https://opennetworking.org/ONOS/ Accessed on Jul 2, 2022.
35. [35] OpenDaylight Project The Linux Foundation. Opendaygliht Controller, Beryllium release, 2016. Available at: https://www.OpenDaylight.org/ Accessed on Jul 2, 2022.
36. [36] McCauley et al. POX controller. v0.7.0 (version 0.7.0), 2015. Available at: https://noxrepo.github.io/POX-doc/html/ Accessed on Jul 2, 2022.
37. [37] Ubuntu, Desktop version 20.04&14.04, 2021. Available at: https://ubuntu.com/ Accessed on Jul 2, 2022.
38. [38] Oracle, VirtualBox v6.1 (version 6.1), 2021. https://www.virtualbox.org/ Accessed on Jul 2, 2022.
39. [39] Linux Foundation Collaborative Project, Openvswitch v2.13.1, (version 2.13.1), 2016. Available at: https://www.openvswitch.org/ Accessed on Jul 2, 2022.
40. [40] Wireshark, v3.2.3 (version 3.2.3), 2021. Available at: https://www.wireshark.org/ Accessed on Jul 2, 2022.
41. [41] Yersinia, v0.8.2, (version 0.8.2), 2021. Available at: https://www.kali.org/tools/yersinia/ Accessed on Jul 2, 2022.
42. [42] Nikto, v2.1.5 (version 2.1.5), 2012. Available at: https://tools.kali.org/information-gathering/nikto Accessed on Jul 2, 2022.
43. [43] Iperf, v2.0.13 (version 2.0.13), 2019. Available at: https://iperf.fr/ Accessed on Jul 2, 2022
44. [44] Nmap, v7.80 (version 7.80), 2019. Available at: https://nmap.org/ Accessed on Jul 2, 2022.
45. [45] Hping3, v3.0.0, (version 3.0.0-alpha-2), 2021. Available at: https://tools.kali.org/information-gathering/hping3 Accessed on Jul 2, 2022.