Towards adding digital forensics capabilities in software defined networking based moving target defense

Cited by: 0
Authors
Muhammad Faraz Hyder
Tasbiha Fatima
Saadia Arshad
Affiliations
[1] NED University of Engineering and Technology, Department of Software Engineering
[2] NED University of Engineering and Technology, Department of Computer Science & Information Technology
Source
Cluster Computing | 2024 / Vol. 27
Keywords
Moving target defense; Software defined networking; SDN Forensics; MTD-based SDN forensics; Distributed denial of service attacks
DOI
Not available
Abstract
Moving Target Defense (MTD) is a security technique for Software Defined Networks (SDN) that continually changes the attack surface. Although MTD is effective, it complicates digital forensics because the system state changes frequently. The need for SDN forensics keeps growing with the rising number of cyberattacks and the adoption of SDN by large-scale cloud service providers, telecommunication operators, and internet service providers. In this paper, we propose a digital forensics scheme for MTD-based SDN that records every movement of the MTD in order to collect attack-related evidence, in particular the attack source, and thereby support the forensic investigation. The proposed technique consists of a three-level logging mechanism. The first level is the native logging mechanism of ONOS. The second is a Java-based logging application, the "Java ONOS Logs Collector (JOLC)", developed to capture MTD-based SDN logs. The third uses the Fluentd unified logging tool to extract evidential data from the MTD logs. The experimental testbed comprises an ONOS SDN controller, Mininet, and an event-based MTD application running over SDN using JSON FlowRule scripts on the ONOS controller, with sflow-rt used to detect the level of attack (the number of packets sent by the attacker). The native ONOS logging mechanism provides the initial-level artifacts. The JOLC application creates separate files for the ONOS logs and for the Mininet/host machine logs, stored with the current timestamp. Fluentd generates a single file containing the SDN controller, Mininet, and host machine logs together with the flow rule entries installed on the SDN controller. Experimental results confirmed that the proposed multi-level forensics technique successfully collected all the relevant records.
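The three-level pipeline described in the abstract ends with a single Fluentd-generated file that interleaves controller, Mininet and host logs with the flow rule entries. The forensic value of that file lies in being able to walk it from an sflow-rt alert to the MTD move it triggered and on to the flow rules the controller installed for the new attack surface. The Python script below is an added illustration of that correlation step, written for this page; it is not the authors' JOLC tool or their Fluentd configuration. The ONOS, Mininet and sflow-rt log lines, their formats, the device and host names, the virtual IPs and the attacker address are all constructed assumptions.

```python
"""Added example (not the paper's JOLC code): merge ONOS-style controller logs,
Mininet/host MTD-application logs and sFlow-RT-style alerts into one
time-ordered evidence file and tie each MTD move to the attack that preceded it.
All log lines and their formats below are constructed assumptions."""
import json
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample logs. The layouts are assumptions chosen so that all three
# sources carry the same "YYYY-MM-DDTHH:MM:SS,mmm" timestamp and sort together.
ONOS_LOG = """\
2024-03-01T10:00:00,050 INFO  o.o.n.f.i.FlowRuleManager - Started
2024-03-01T10:00:00,100 INFO  o.o.n.f.i.FlowRuleManager - FlowRule added: deviceId=of:0000000000000001 selector=IPV4_DST:10.0.0.5 treatment=OUTPUT:3
2024-03-01T10:00:01,420 INFO  o.o.n.f.i.FlowRuleManager - FlowRule added: deviceId=of:0000000000000001 selector=IPV4_DST:10.0.0.23 treatment=OUTPUT:3
2024-03-01T10:00:01,430 INFO  o.o.n.f.i.FlowRuleManager - FlowRule removed: deviceId=of:0000000000000001 selector=IPV4_DST:10.0.0.5 treatment=OUTPUT:3
2024-03-01T10:00:07,610 INFO  o.o.n.f.i.FlowRuleManager - FlowRule added: deviceId=of:0000000000000001 selector=IPV4_DST:10.0.0.41 treatment=OUTPUT:3
2024-03-01T10:00:07,615 INFO  o.o.n.f.i.FlowRuleManager - FlowRule removed: deviceId=of:0000000000000001 selector=IPV4_DST:10.0.0.23 treatment=OUTPUT:3
"""
MININET_LOG = """\
2024-03-01T10:00:01,300 mtd-app: MOVE host=h5 vip 10.0.0.5 -> 10.0.0.23 (trigger=sflow)
2024-03-01T10:00:07,500 mtd-app: MOVE host=h5 vip 10.0.0.23 -> 10.0.0.41 (trigger=sflow)
"""
SFLOW_LOG = """\
2024-03-01T10:00:01,050 sflow-rt: ALERT src=10.0.0.9 dst=10.0.0.5 pps=12000 threshold=1000
2024-03-01T10:00:07,200 sflow-rt: ALERT src=10.0.0.9 dst=10.0.0.23 pps=15000 threshold=1000
"""

TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})"
TS_RE = re.compile(TS)
FLOW_RE = re.compile(TS + r" .*FlowRule (added|removed): deviceId=(\S+) selector=(\S+) treatment=(\S+)")
MOVE_RE = re.compile(TS + r" mtd-app: MOVE host=(\S+) vip (\S+) -> (\S+)")
ALERT_RE = re.compile(TS + r" sflow-rt: ALERT src=(\S+) dst=(\S+) pps=(\d+) threshold=(\d+)")


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S,%f")


def parse_logs(onos: str, mininet: str, sflow: str) -> List[Dict]:
    """Return one time-ordered list of events from the three sources.
    Lines that match no known pattern are kept as 'unparsed' rather than
    dropped: an evidence file must not silently lose records."""
    events: List[Dict] = []
    for source, text in (("onos", onos), ("mininet", mininet), ("sflow-rt", sflow)):
        for line in text.splitlines():
            if not line.strip():
                continue
            if m := FLOW_RE.match(line):
                events.append({"ts": parse_ts(m[1]), "source": source, "event": f"flow_{m[2]}",
                               "device": m[3], "selector": m[4], "treatment": m[5], "raw": line})
            elif m := MOVE_RE.match(line):
                events.append({"ts": parse_ts(m[1]), "source": source, "event": "move",
                               "host": m[2], "old_ip": m[3], "new_ip": m[4], "raw": line})
            elif m := ALERT_RE.match(line):
                events.append({"ts": parse_ts(m[1]), "source": source, "event": "alert",
                               "src": m[2], "dst": m[3], "pps": int(m[4]), "raw": line})
            else:
                tm = TS_RE.match(line)
                events.append({"ts": parse_ts(tm[1]) if tm else datetime.min,
                               "source": source, "event": "unparsed", "raw": line})
    events.sort(key=lambda e: e["ts"])  # stable sort keeps source order on ties
    return events


def attribute_moves(events: List[Dict], window_s: float = 5.0) -> List[Dict]:
    """For every MTD move, record the attack source seen within window_s before
    it and the flow-rule changes the controller made within window_s after it.
    This is the chain an investigator wants: attacker -> trigger -> new surface."""
    moves: List[Dict] = []
    last_alert: Optional[Dict] = None
    for e in events:
        if e["event"] == "alert":
            last_alert = e
        elif e["event"] == "move":
            attacker = None
            if last_alert and (e["ts"] - last_alert["ts"]).total_seconds() <= window_s:
                attacker = last_alert["src"]
            rules = [(f["event"], f["selector"]) for f in events
                     if f["event"] in ("flow_added", "flow_removed")
                     and 0 <= (f["ts"] - e["ts"]).total_seconds() <= window_s]
            moves.append({"ts": e["ts"].isoformat(timespec="milliseconds"), "host": e["host"],
                          "old_ip": e["old_ip"], "new_ip": e["new_ip"],
                          "attacker": attacker, "flow_rules": rules})
    return moves


def to_jsonl(events: List[Dict]) -> str:
    """Serialise the merged timeline as one JSON record per line: the single
    combined evidence file that the abstract attributes to the Fluentd stage."""
    return "\n".join(json.dumps({**e, "ts": e["ts"].isoformat(timespec="milliseconds")},
                                sort_keys=True) for e in events)


if __name__ == "__main__":
    timeline = parse_logs(ONOS_LOG, MININET_LOG, SFLOW_LOG)
    print(to_jsonl(timeline))
    for mv in attribute_moves(timeline):
        print(mv)
```

Running the script prints the merged JSONL timeline and then one record per MTD move with the attacker address and the flow rule changes that followed it. Two design points matter for evidence handling: lines that match no pattern are retained as `unparsed` events instead of being discarded, and the attacker-to-move link is only asserted when the alert falls within a bounded window before the move, so a stale alert is not silently blamed for a later transition.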
Pages: 893-912
Page count: 19