On detecting compromised controller in software defined networks

While traditional networks depend on a fully distributed control plane, Software Defined Networks (SDNs), the rapidly emerging area in computer networking, utilize a centralized control plane. SDNs bring in many benefits such as fine-grained control, possibility of optimal routing, and resource management within the network. As a result, SDNs find wider deployments in certain segments of networking such as data center networks. In addition, SDN approach is a potential candidate for the control plane design in 5G networks. Despite the benefits, SDNs face certain issues such as the possibility of single point failure, the communication overhead between switches and controllers, and more importantly the security as well as trustability of the control plane. Due to the centralized nature of the control plane, it is important to detect the presence of compromised control plane in an SDN. Compromised control plane refers to the situation where one or more of the controllers in an SDN are compromised by malwares, resulting in deviation from the normal control plane behavior. Developing new solutions for detecting the presence of compromised controllers is exacerbated by the lack of appropriate SDN traffic data sets. As a result, existing literature lacks solutions to detect the presence of a compromised control plane. Of particular interest is the case where SDN controller-specific threats hide their presence from end-users and administrators of the network. Our contributions in this paper include the following: (i) identification of five threat vectors that represent compromised controllers in SDNs, (ii) creation of a large volume of OpenFlow traffic traces in order for studying various SDN threat vectors, (iii) proposal of nine novel OpenFlow-specific features that capture the above mentioned threat vectors, and (iv) study of machine-learning based detection technique for compromised control plane using six classifiers. The OpenFlow traffic trace data set, we created, is made available for the use of larger research community. We carried out detailed experimental studies that show the efficacy of our scheme in detecting the presence of compromised controllers. Our results indicate that Random Forest is the most suitable machine learning classifier that provides about 97% accuracy. (C) 2018 Elsevier B.V. All rights reserved.