Software-Defined Network Forensics: Motivation, Potential Locations, Requirements, and Challenges

The separation of the control plane from the data plane of a switch enables abstraction of a network through a logically centralized controller. The controller functions as the "brain" of a software-defined network. However, centralized control draws attackers to exploit different network devices by hijacking the controller. Security was initially not a key characteristic of SDN architecture, which left it vulnerable to various attackers. The investigation of such attacks in the newly emerging SDN architecture is a challenging task. Therefore, a comprehensive forensic mechanism is required to investigate different forms of attacks by determining their root cause. This article discusses an important area in SDN security, SDN forensics, which until now has received minimal focus. We compare traditional network forensics with SDN forensics to highlight the key differences between them. A brief motivation for SDN forensics is presented to emphasize its significance. Moreover, the potential locations with possible evidence against attackers are identified in SDN. Key requirements are highlighted for SDN forensics with respect to baseline investigation procedures. Finally, we identify challenges in SDN forensics by highlighting potential research areas for researchers, investigators, and academicians.