A survey of security in software defined networks

IEEE Communications Surveys and Tutorials

Volumn 18, Issue 1, 2016, Pages 623-654

  Scott Hayward, Sandra ^a   Natarajan, Sriram ^b   Sezer, Sakir ^a  

^a QUEEN'S UNIVERSITY BELFAST   (United Kingdom)

^b DEUTSCHE TELEKOM LABORATORIES   (Germany)

Author keywords

Network security; OpenFlow; SDN; Secure SDN architecture; Software defined networking

Indexed keywords

APPLICATION PROGRAMS; NETWORK ARCHITECTURE; SOFTWARE DEFINED NETWORKING; SURVEYS;

FUTURE RESEARCH DIRECTIONS; HOLISTIC APPROACH; NETWORK DEVICES; NETWORK OPERATOR; OPENFLOW; RESEARCH COMMUNITIES; SECURITY ARCHITECTURE; SOFTWARE DEFINED NETWORKING (SDN);

NETWORK SECURITY;

EID: 84962446555     PISSN: None     EISSN: 1553877X     Source Type: Journal    
DOI: 10.1109/COMST.2015.2453114     Document Type: Review

References (169)

1. S. Horing, J. Menard, and R. Staehler, "Stored program controlled network," Bell Syst. Tech. J., vol. 61, no. 7, pp. 1759-1778, Sep. 1982.
2. D. L. Tennenhouse, J. M. Smith, W. D. Sincoskie, D. J. Wetherall, and G. J. Minden, "A survey of active network research," IEEE Commun. Mag., vol. 35, no. 1, pp. 80-86, Jan. 1997.
3. M. Casado, et al., "SANE: A protection architecture for enterprise networks," in Proc. USENIX Security Symp., 2006, p. 10.
4. M. Casado, et al., "Ethane: Taking control of the enterprise," in ACM SIGCOMM Comput. Commun. Rev., vol. 37, no. 4, pp. 1-12, Oct. 2007.
5. N. McKeown, et al., "OpenFlow: Enabling innovation in campus networks," ACM SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 69-74, Apr. 2008.
6. S. Jain, et al., "B4: Experience with a globally-deployed software defined WAN," in Proc. ACM SIGCOMM Conf., 2013, pp. 3-14.
7. P. Patel, et al., "Ananta: Cloud scale load balancing," in Proc. ACM SIGCOMM Conf., 2013, pp. 207-218.
8. S. Natarajan, A. Ramaiah, and M. Mathen, "A software defined cloudgateway automation system using OpenFlow," in Proc. IEEE 2nd Int. Conf. CloudNet, Nov. 2013, pp. 219-226.
9. VMware NSX Customer Story: Colt Decreases Data Center Networking Complexity, VMware, Inc., Palo Alto, CA, USA, 2014. [Online]. Available: http://blogs. vmware.com/networkvirtualization/2014/08/vmware-nsx-customer-story-colt-decreases-data-center-networkingcomplexity.html
10. Software Defined Networking: Gaining Momentum, Nuage Networks, Mountain View, CA, USA, 2014. [Online]. Available: http://www.nuagenetworks.net/momentum
11. N. Gude, et al., "NOX: Towards an operating system for networks," ACM SIGCOMM Comput. Commun. Rev., vol. 38, no. 3, pp. 105-110, Jul. 2008.
12. D. Erickson, "The beacon OpenFlow controller," in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2013, pp. 13-18.
13. Floodlight Controller, Floodlight Documentation, For Developers, Architecture. [Online]. Available: http://www.projectfloodlight.org/floodlight
14. OpenDaylight: A Linux Foundation Collaborative Project, 2014. Online]. Available: http://www.opendaylight.org
15. OpenContrail. [Online]. Available: http://opencontrail.org/
16. T. Koponen, et al., "Onix: A distributed control platform for large-scale production networks," in Proc. OSDI, 2010, vol. 10, pp. 1-6.
17. X. Jin, L. E. Li, L. Vanbever, and J. Rexford, "SoftCell: Scalable and flexible cellular core network architecture," in Proc. 9th ACM Conf. Emerging Netw. Exp. Technol., 2013, pp. 163-174.
18. A. Tootoonchian and Y. Ganjali, "HyperFlow: A distributed control plane for OpenFlow," in Proc. Internet Netw. Manage. Conf. Res. Enterprise Netw., 2010, p. 3.
19. S. H. Yeganeh and Y. Ganjali, "Kandoo: A framework for efficient and scalable offloading of control applications," in Proc. 1st Workshop Hot Topics Softw. Defined Netw., 2012, pp. 19-24.
20. P. Berde, et al., "ONOS: Towards an open, distributed SDN OS," in Proc. 3rd Workshop Hot Topics Softw. Defined Netw., 2014, pp. 1-6.
21. D. Kreutz, et al., "Software-defined networking: A comprehensive survey," arXiv preprint arXiv:1406. 0440, 2014.
22. M. Jarschel, T. Zinner, T. Hofeld, P. Tran-Gia, and W. Kellerer, "Interfaces, attributes, and use cases: A compass for SDN," IEEE Commun. Mag., vol. 52, no. 6, pp. 210-217, Jun. 2014.
23. ONF Specifications. [Online]. Available: https://www.opennetworking.org/sdn-resources/technical-library
24. S. Scott-Hayward, G. O'Callaghan, and S. Sezer, "SDN security: A survey," in Proc. IEEE SDN4FNS, 2013, pp. 1-7.
25. R. Kloeti, "OpenFlow: A security analysis," M. S. thesis, Inst. Tech. Inf. Commun., Swiss Federal Inst. Technol. Zurich, Zurich, Switzerland, Apr. 2013. [Online]. Available: ftp://yosemite. ee. ethz. ch/pub/students/2012-HS/MA-2012-20-signed.pdf
26. K. Benton, L. J. Camp, and C. Small, "OpenFlow vulnerability assessment," in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2013, pp. 151-152.
27. D. Kreutz, F. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2013, pp. 55-60.
28. D. Li, X. Hong, and J. Bowman, "Evaluation of security vulnerabilities by using ProtoGENI as a launchpad," in Proc. IEEEGLOBECOM, 2011, pp. 1-6.
29. S. Shin and G. Gu, "Attacking software-defined networks: The first feasibility study," in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2013, pp. 165-166.
30. R. Smeliansky, "SDN for network security," in Proc. 1st Int. Sci. Technol. Conf. MoNeTeC, 2014, pp. 1-5.
31. L. Schehlmann, S. Abt, and H. Baier, "Blessing or curse? Revisiting security aspects of software-defined networking," in Proc. 10th Int. CNSM, 2014, pp. 382-387.
32. V. T. Costa and L. H. M. K. Costa, "Vulnerability study of FlowVisorbased virtualized network environments," presented at the 2nd Workshop Network Virtualization Intelligence Future Internet, Rio de Janeiro, Brazil, 2013.
33. A. Y. Ding, J. Crowcroft, S. Tarkoma, and H. Flinck, "Software defined networking for security enhancement in wireless mobile networks," Comput. Netw., vol. 66, pp. 94-101, Jun. 2014.
34. M. Tsugawa, A. Matsunaga, and J. A. Fortes, "Cloud computing security: What changes with software-defined networking?" in Secure Cloud Computing. New York, NY, USA: Springer-Verlag, 2014, pp. 77-93.
35. S. Hernan, S. Lambert, T. Ostwald, and A. Shostack, "Threat modelinguncover security design flaws using the stride approach," MSDN Magazine-Louisville, 2006, pp. 68-75.
36. OpenFlow Switch Specification Version 1. 4, Open Networking Foundation. Online]. Available: https://www.opennetworking.org
37. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage, "Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds," in Proc. 16th ACM Conf. CCS, 2009, pp. 199-212.
38. R. Sherwood, et al., "FlowVisor: A network virtualization layer," Open-Flow Switch Consortium, Deutsche Telekom Inc. R&D Lab, Stanford, Nicira Networks, Tech. Rep., 2009.
39. A. Al-Shabibi, et al., "OpenVirteX: Make your virtual SDNs programmable," in Proc. 3rd Workshop Hot Topics Softw. Defined Netw., 2014, pp. 25-30.
40. OpenVirtex (OVX) Network Hypervisor. [Online]. Available: www.openvirtex.org
41. D. Drutskoy, E. Keller, and J. Rexford, "Scalable network virtualization in software-defined networks," IEEE Internet Comput., vol. 17, no. 2, pp. 20-27, Mar. /Apr. 2013.
42. SDN Dev Center: Unlock Network Innovation, Hewlett Packard Company, Palo Alto, CA, USA, 2014. [Online]. Available: www.hp. com/go/sdndevcenter
43. S. Sezer, et al., "Are we ready for SDN? Implementation challenges for software-defined networks," IEEE Commun. Mag., vol. 51, no. 7, pp. 36-43, Jul. 2013.
44. M. M. O. Othman and K. Okamura, "Securing distributed control of software defined networks," Int. J. Comput. Sci. Netw. Security, vol. 13, no. 9, pp. 5-14, Sep. 2013.
45. H. Li, P. Li, S. Guo, and S. Yu, "Byzantine-resilient secure softwaredefined networks with multiple controllers," in Proc. IEEE ICC, 2014, pp. 695-700.
46. D. Yu, A. W. Moore, C. Hall, and R. Anderson, "Authentication for resilience: The case of SDN," in ser. Security Protocols XXI. Berlin, Germany: Springer-Verlag, 2013, pp. 39-44.
47. X. Wen, Y. Chen, C. Hu, C. Shi, and Y. Wang, "Towards a secure controller platform for OpenFlow applications," in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2013, pp. 171-172.
48. S. Scott-Hayward, C. Kane, and S. Sezer, "OperationCheckpoint: SDN application control," in Proc. 22nd IEEE ICNP, 2014, pp. 618-623.
49. OPENFLOWSEC. ORG, Security-Enhanced Floodlight. [Online]. Available: www.openflowsec.org
50. P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proc. NDSS, San Diego, CA, USA, Feb. 2015, pp. 1-15.
51. D. M. F. Mattos, L. H. G. Ferraz, and O. C. M. B. Duarte, "AuthFlow: Authentication and access control mechanism for software defined networking," Univ. Federal Rio Janeiro, Rio de Janeiro, Brazil, 2014.
52. P. Porras, et al., "A security enforcement kernel for OpenFlow networks," in Proc. 1st Workshop Hot Topics Softw. Defined Netw., 2012, pp. 121-126.
53. S. Shin, et al., "Rosemary: A robust, secure, and high-performance network operating system," in Proc. ACM SIGSAC Conf. Comput. Commun. Security, 2014, pp. 78-89.
54. B. Chandrasekaran and T. Benson, "Tolerating SDN application failures with LegoSDN," in Proc. 13th ACM Workshop Hot Topics Netw., 2014, p. 22.
55. S. Shin, V. Yegneswaran, P. Porras, and G. Gu, "AVANT-GUARD: Scalable and vigilant switch flow management in software-defined networks," in Proc. ACM SIGSAC Conf. Comput. Commun. Security, 2013, pp. 413-424.
56. P. Fonseca, R. Bennesby, E. Mota, and A. Passito, "A replication component for resilient OpenFlow-based networking," in Proc. IEEE NOMS, 2012, pp. 933-939.
57. G. Yao, J. Bi, and P. Xiao, "Source address validation solution with OpenFlow/NOXarchitecture,"inProc. 19thIEEEICNP, 2011, pp. 7-12.
58. J. Naous, R. Stutsman, D. Mazieres, N. McKeown, and N. Zeldovich, "Delegating network security with more information," in Proc. 1st ACM Workshop Res. Enterprise Netw., 2009, pp. 19-26.
59. M. Canini, D. Venzano, P. Peresini, D. Kostic, and J. Rexford, "A NICE way to test OpenFlow applications," in Proc. 9th USENIX Conf. Netw. Syst. Des. Implementation, 2012, p. 10.
60. E. Al-Shaer and S. Al-Haj, "FlowChecker: Configuration analysis and verification of federated OpenFlow infrastructures," in Proc. 3rd ACM Workshop Assurable Usable Security Config., 2010, pp. 37-44.
61. S. Son, S. Shin, V. Yegneswaran, P. Porras, and G. Gu, "Model checking invariant security properties in OpenFlow," Proc. IEEE Int. Conf. Commun., 2013, pp. 1974-1979. [Online]. Available: http://faculty.cse.tamu.edu/guofei/paper/Flover-ICC13.pdf
62. H. Mai, et al., "Debugging the data plane with anteater," ACM SIGCOMM Comput. Commun. Rev., vol. 41, no. 4, pp. 290-301, Aug. 2011.
63. A. Khurshid, W. Zhou, M. Caesar, and P. Godfrey, "VeriFlow: Verifying network-wide invariants in real time," ACM SIGCOMM Comput. Commun. Rev., vol. 42, no. 4, pp. 467-472, Oct. 2012.
64. P. Kazemian, et al., "Real time network policy checking using header space analysis," in Proc. USENIX Symp. NSDI, 2013, pp. 99-112.
65. J. Wang, et al., Towards a security-enhanced firewall application for OpenFlow networks, in Cyberspace Safety and Security. Basel, Switzerland: Springer-Verlag, 2013, pp. 92-103.
66. H. Hu, G.-J. Ahn, W. Han, and Z. Zhao, "Towards a reliable SDN firewall," presented at the Open Networking Summit, Santa Clara, CA, USA, 2014.
67. H. Hu, W. Han, G.-J. Ahn, and Z. Zhao, "FLOWGUARD: Building robust firewalls for software-defined networks," in Proc. 3rd Workshop Hot Topics Softw. Defined Netw., 2014, pp. 97-102.
68. W. Han, H. Hu, and G.-J. Ahn, "LPM: Layered policy management for software-defined networks," Data and Applications Security and Privacy XXVIII. Berlin, Germany: Springer-Verlag, 2014, pp. 356-363.
69. N. Foster, et al., "Frenetic: A network programming language," ACM SIGPLAN Notices, vol. 46, no. 9, pp. 279-291, Sep. 2011.
70. T. Hinrichs, N. Gude, M. Casado, J. Mitchell, and S. Shenker, "Expressing and enforcing flow-based network security policies," Univ. Chicago, Chicago, IL, USA, Tech. Rep., 2008.
71. M. Reitblatt, N. Foster, J. Rexford, and D. Walker, "Consistent updates for software-defined networks: Change you can believe in!" in Proc. 10th ACM Workshop Hot Topics Netw., 2011, p. 7.
72. F. A. Botelho, F. M. V. Ramos, D. Kreutz, and A. N. Bessani, "On the feasibility of a consistent and fault-tolerant data store for SDNs," in Proc. 2nd EWSDN, 2013, pp. 38-43.
73. C. Schlesinger, A. Story, S. Gutz, N. Foster, and D. Walker, "Splendid isolation: Language-based security for software-defined networks," in Proc. 1stWorkshop Hot Topics Softw. Defined Netw., 2012, pp. 79-84.
74. R. W. Skowyra, A. Lapets, A. Bestavros, and A. Kfoury, "Verifiably-safe software-defined networks for CPS," in Proc. 2nd ACM Int. Conf. High Confidence Netw. Syst., 2013, pp. 101-110.
75. A. Guha, M. Reitblatt, and N. Foster, "Machine-verified network controllers," ACM SIGPLAN Notices, vol. 48, no. 6, pp. 483-494, Jun. 2013.
76. T. Ball, et al., "VeriCon: Towards verifying controller programs in software-defined networks," in Proc. 35th ACM SIGPLAN Conf. Programm. Lang. Des. Implementation, 2014, p. 31.
77. N. Handigol, B. Heller, V. Jeyakumar, D. Mazieres, and N. McKeown, "Where is the debugger for my software-defined network?" in Proc. 1st Workshop Hot Topics Softw. Defined Netw., 2012, pp. 55-60.
78. S. Namal, I. Ahmad, A. Gurtov, and M. Ylianttila, "Enabling secure mobility with OpenFlow," in Proc. IEEE Softw. Defined Netw. Future Netw. Serv., 2013, pp. 1-5.
79. M. Liyanage, M. Ylianttila, and A. Gurtov, "Securing the control channel of software-defined mobile networks," in Proc. IEEE 15th Int. Symp. World Wireless, Mobile Multimedia Netw., 2014, pp. 1-6.
80. S. Shin, et al., "FRESCO: Modular composable security services for software-defined networks," in Proc. Netw. Distrib. Security Symp., San Diego, CA, USA, 2013, pp. 1-16.
81. J. McCauley, A. Panda, M. Casado, T. Koponen, and S. Shenker, "Extending SDN to large-scale networks," in Proc. Open Netw. Summit, pp. 1-2, 2013.
82. S. Scott-Hayward, "Design and deployment of secure, robust and resilient SDN controllers," in Proc. IEEE Conf. NetSoft, 2015, pp. 1-5.
83. F. Botelho, A. Bessani, F. M. Ramos, and P. Ferreira, "On the design of practical fault-tolerant SDN controllers," in Proc. 3rd EWSDN, 2014, pp. 73-78.
84. P. Kazemian, G. Varghese, and N. McKeown, "Header space analysis: Static checking for networks," in Proc. NSDI, 2012, pp. 113-126.
85. M. Reitblatt, N. Foster, J. Rexford, C. Schlesinger, and D. Walker, "Abstractions for network update," in Proc. ACM SIGCOMM Conf. Appl., Technol., Architect., Protocols Comput. Commun., 2012, pp. 323-334.
86. S. Natarajan, X. Huang, and T. Wolf, "Efficient conflict detection in flowbased virtualized networks," in Proc. ICNC, Jan. 2012, pp. 690-696.
87. R. Moskowitz, P. Nikander, P. Jokela, and T. Henderson, "Host identity protocol," RFC5201, Apr. 2008.
88. K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Comput. Netw., vol 62, pp. 122-136, Apr. 2013.
89. R. Hand, M. Ton, and E. Keller, "Active security," in Proc. ACM SIGCOMM Hot Topics Netw., 2013, p. 17.
90. R. Skowyra, S. Bahargam, and A. Bestavros, "Software-defined IDS for securing embedded mobile devices," Boston Univ. Boston, MA, USA, 2013. [Online]. Available: http://www.cs.bu.edu/techreports/pdf/2013-005-software-defined-ids.pdf
91. Y. Wang, Y. Zhang, V. Singh, C. Lumezanu, and G. Jiang, "NetFuse: Short-circuiting traffic surges in the cloud," in Proc. IEEE ICC, 2013, pp. 3514-3518.
92. A. Zaalouk, R. Khondoker, R. Marx, and K. Bayarou, "OrchSec: An orchestrator-based architecture for enhancing network-security using network monitoring and SDN control functions," in Proc. IEEE NOMS, 2014, pp. 1-9.
93. E. Tantar, M. R. Palattella, T. Avanesov, M. Kantor, and T. Engel, "Cognition: A tool for reinforcing security in software defined networks," EVOLVE-A Bridge between Probability, Set Oriented Numerics, and Evolutionary Computation V. Basel, Switzerland: Springer-Verlag, 2014, pp. 61-78.
94. A. K. Nayak, A. Reimers, N. Feamster, and R. Clark, "Resonance: Dynamic access control for enterprise networks," in Proc. 1st ACM Workshop Res. Enterprise Netw., 2009, pp. 11-18.
95. A. Ramachandran, Y. Mundada, M. B. Tariq, and N. Feamster, "Securing enterprise networks using traffic tainting," in Proc. SIGCOMM, 2009, pp. 1-2.
96. J. H. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: Transparent moving target defense using software defined networking," in Proc. 1st Workshop Hot Topics Softw. Defined Netw., 2012, pp. 127-132.
97. P. Kampanakis, H. Perros, and T. Beyene, "SDN-based solutions for moving target defense network protection," in Proc. IEEE 15th Int. Symp. WoWMoM Netw., 2014, pp. 1-6.
98. C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: Network intrusion detection and countermeasure selection in virtual network systems," IEEE Trans. Dependable Secure Comput., vol. 10, no. 4, pp. 198-211, Jul. /Aug. 2013.
99. T. Xing, D. Huang, L. Xu, C.-J. Chung, and P. Khatkar, "SnortFlow: A OpenFlow-based intrusion prevention system in cloud environment," in Proc. 2nd GENI GREE Workshop, 2013, pp. 89-92.
100. T. Xing, Z. Xiong, D. Huang, and D. Medhi, "SDNIPS: Enabling software-defined networking based intrusion prevention system in clouds," in Proc. 10th Int. Conf. Netw. Serv. Manage., 2014, pp. 308-311.
101. C. Jeong, T. Ha, J. Narantuya, H. Lim, and J. Kim, "Scalable network intrusion detection on virtual SDN environment," in Proc. IEEE 3rd Int. Conf. CloudNet, 2014, pp. 264-265.
102. S. A. Mehdi, J. Khalid, and S. A. Khayam, "Revisiting traffic anomaly detection using software defined networking," in Recent Advances in Intrusion Detection. Berlin, Germany: Springer-Verlag, 2011, pp. 161-180.
103. S. Dotcenko, A. Vladyko, and I. Letenko, "A fuzzy logic-based information security management for software-defined networks," in Proc. 16th ICACT, 2014, pp. 167-171.
104. R. Braga, E. Mota, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proc. IEEE 35th Conf. LCN, 2010, pp. 408-415.
105. J. Suh, et al., "Implementation of content-oriented networking architecture (CONA): A focus on DDoS countermeasure," in Proc. European NetFPGA Developers Workshop, Cambridge, U. K., 2010, pp. 1-6.
106. Y. H. Chu, M. C. Tseng, Y. T. Chen, Y. C. Chou, and Y. R. Chen, "A novel design for future on-demand service and security," in Proc. IEEE 12th ICCT, 2010, pp. 385-388.
107. S. Lim, J. Ha, H. Kim, Y. Kim, and S. Yang, "A SDN-oriented DDoS blocking scheme for botnet-based attacks," in Proc. 6th ICUFN, 2014, pp. 63-68.
108. B. Anwer, T. Benson, N. Feamster, D. Levin, and J. Rexford, "A slick control plane for network middleboxes," in Proc. 2nd ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2013, pp. 147-148.
109. S. K. Fayazbakhsh, L. Chiang, V. Sekar, M. Yu, and J. C. Mogul, "Enforcing network-wide policies in the presence of dynamic middlebox actions using flowtags," in Proc. NSDI, 2014, pp. 533-546.
110. Z. A. Qazi, et al., "SIMPLE-fying middlebox policy enforcement using SDN," in Proc. ACM SIGCOMM, Aug. 2013, pp. 27-38.
111. Y.-J. Chen, F.-Y. Lin, and L.-C. Wang, "Dynamic security traversal in OpenFlow networks with QoS guarantee," Int. J. Sci. Eng., vol. 4, no. 2, pp. 251-256, 2014.
112. X. Liu, H. Xue, X. Feng, and Y. Dai, "Design of the multi-level security network switch system which restricts covert channel," in Proc. IEEE 3rd ICCSN, 2011, pp. 233-237.
113. J. R. Ballard, I. Rae, and A. Akella, "Extensible and scalable network monitoring using OpenSAFE," Proc. INM/WREN, 2010, p. 8.
114. S. Shin and G. Gu, "CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?)," in Proc. 20th IEEE ICNP, 2012, pp. 1-6.
115. S. Hirono, Y. Yamaguchi, H. Shimada, and H. Takakura, "Development of a secure traffic analysis system to trace malicious activities on internal networks," in Proc. IEEE 38th Annu. COMPSAC Conf., 2014, pp. 305-310.
116. A. Bates, K. Butler, A. Haeberlen, M. Sherr, and W. Zhou, "Let SDN be your eyes: Secure forensics in data center networks," in Proc. Workshop SENT, 2014, pp. 1-7.
117. V. Dangovas and F. Kuliesius, "SDN-driven authentication and access control system," in Proc. Int. Conf. DINWC, 2014, pp. 20-23.
118. U. Toseef, A. Zaalouk, T. Rothe, M. Broadbent, and K. Pentikousis, "C-BAS: Certificate-based AAA for SDN experimental facilities," in Proc. 3rd EWSDN, 2014, pp. 91-96.
119. Z. Chen, et al., "Collaborative network security in multi-tenant data center for cloud computing," Tsinghua Sci. Technol., vol. 19, no. 1, pp. 82-94, Feb. 2014.
120. M. F. Ahmed, C. Talhi, M. Pourzandi, and M. Cheriet, "A softwaredefined scalable and autonomous architecture for multi-tenancy," in Proc. IEEE IC2E, 2014, pp. 568-573.
121. X. Wang, Z. Liu, J. Li, B. Yang, and Y. Qi, "Tualatin: Towards network security service provision in cloud datacenters," in Proc. 23rd ICCCN, 2014, pp. 1-8.
122. S. Seeber and G. D. Rodosek, "Improving network security through SDN in cloud scenarios," in Proc. 10th Int. Conf. Netw. Serv. Manage., 2014, pp. 376-381.
123. sFlowSampling Technology for Network Traffic Monitoring. Online]. Available: www.sflow.org
124. Y. Zhang, "An adaptive flow counting method for anomaly detection in SDN," in Proc. 9th ACM Conf. Emerging Netw. Exp. Technol., 2013, pp. 25-30.
125. S. Shirali-Shahreza and Y. Ganjali, "Efficient implementation of security applications in OpenFlow controller with FleXam," in Proc. IEEE 21st Annu. Symp. HOTI, 2013, pp. 49-54.
126. M. Yu, L. Jose, and R. Miao, "Software defined traffic measurement with OpenSketch," in Proc. 10th USENIX Symp. NSDI, 2013, pp. 29-42.
127. L. Jose, M. Yu, and J. Rexford, "Online measurement of large traffic aggregates on commodity switches," in Proc. USENIX HotICE Workshop, 2011, p. 13.
128. R. V. Nunes, R. L. Pontes, and D. Guedes, "Virtualized network isolation using software defined networks," in Proc. IEEE 38th Conf. LCN, 2013, pp. 683-686.
129. Nmap. [Online]. Available: http://nmap.org/
130. Cisco onePK. [Online]. Available: http://www.cisco.com/c/en/us/products/ios-nx-os-software/onepk.html
131. SnortOpen Source Intrusion Prevention System. [Online]. Available: https://www.snort.org
132. Open Source Intrusion Detection and Prevention System. [Online]. Available:\ignorespaceshttp://suricata-ids.org
133. IETF LISP (Locator/ID Separation Protocol). [Online]. Available: http://datatracker.ietf.org/wg/lisp
134. L. Zhang, G. Shou, Y. Hu, and Z. Guo, "Deployment of intrusion prevention system based on software defined networking," in Proc. IEEE 15th ICCT, 2013, pp. 26-31.
135. H. Farhadi and A. Nakao, "Rethinking Flow Classification in SDN," in Proc. IEEE IC2E, 2014, pp. 598-603.
136. S. Zander, G. J. Armitage, and P. Branch, "A survey of covert channels and countermeasures in computer network protocols," IEEE Commun. Surveys Tuts., vol. 9, no. 3, pp. 44-57, 3rd Quart. 2007.
137. G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proc. 6th Int. Workshop Virtualization Technol. Distrib. Comput. Date, 2012, pp. 53-60.
138. K. Wang, Y. Qi, B. Yang, Y. Xue, and J. Li, "LiveSec: Towards effective security management in large-scale production networks," in Proc. 32nd ICDCSW, 2012, pp. 451-460.
139. B. C. Neuman and T. Tso, "Kerberos: An authentication service for computer networks," IEEE Commun. Mag., vol. 32, no. 9, pp. 33-38, Sep. 1994.
140. "Lightweight directory access protocol (LDAP): The protocol," IETF RFC 4511, 2006.
141. GENI: Global Environment for Network Innovation. [Online]. Available: http://www.geni.net
142. OFELIA: OpenFlow in EuropeLinking Infrastructure and Applications. Online]. Available: www.fp7-ofelia.eu
143. H. Zhang, "A vision for cloud security," Netw. Security, vol. 2014, no. 2, pp. 12-15, Feb. 2014.
144. Open Networking Foundation Security Working Group. [Online]. Available: https://www.opennetworking.org/technical-communities/areas/services
145. SDN Architecture (Issue 1)," Jun. 2014. [Online]. Available: https://www.opennetworking.org/images/stories/downloads/sdn-resources/technical-reports/TR-SDN-ARCH-1.0-06062014.pdf
146. ETSI ISG Network Functions Virtualization Security Expert Group. Online]. Available: http://www.etsi.org/technologies-clusters/technologies/nfv
147. Network Functions Virtualization (NFV)-NFV Security-Problem Statement v1. 1. 1, Oct. 2014. [Online]. Available: http://www.etsi.org/deliver/etsi-gs/NFV-SEC/001-099/001/01.01.01-60/gs-NFVSEC001v010101p.pdf
148. Network Functions Virtualization (NFV)-NFV Security-Security and Trust Guidance v1. 1. 1, Dec. 2014. [Online]. Available: http://www.etsi.org/deliver/etsi-gs/NFV-SEC/001-099/003/01.01.01-60/gs-NFVSEC003v010101p.pdf
149. "Resolution 77-Standardization work in ITU-T for software-defined networking," ITU-T World Telecommunication Standardization Assembly, Tech. Rep., Nov. 2012. [Online]. Available: http://www.itu. int/en/iTU-T/wtsa12/Documents/resolutions/Resolution%2077.pdf
150. ITU-T SG13 Future NetworksQuestions Under Study. [Online]. Available: http://www.itu.int/en/ITU-T/studygroups/2013-2016/13/Pages/questions.aspx
151. IETF FORCES (Forwarding and Control Element Separation). [Online]. Available: http://datatracker.ietf.org/wg/forces
152. IETF PCE (Path Computation Element). [Online]. Available: http://datatracker.ietf.org/wg/pce
153. IETF ALTO (Application-Layer Traffic Optimization). [Online]. Available: http://datatracker.ietf.org/wg/alto
154. IETF Netmod (NETCONF Data Modeling Language). [Online]. Available: http://datatracker.ietf.org/wg/netmod
155. IETF NetConf (Network Configuration). [Online]. Available: http://datatracker.ietf.org/wg/netconf
156. IETF NVO3 (Network Virtualization Overlays). [Online]. Available: http://datatracker.ietf.org/wg/nvo3
157. IETF I2RS (Interface to the Routing System). [Online]. Available: http://datatracker.ietf.org/wg/i2rs
158. IRTF SDN Research Group. [Online]. Available: http://irtf.org/sdnrg
159. D. Meyer, "The software-defined-networking research group," IEEE Internet Comput., vol. 17, no. 6, pp. 84-87, Nov. /Dec. 2013.
160. "OpenFlowSec. [Online]. Available: http://www.openflowsec.org/SDNSuite.html
161. OpenDaylight AAA. [Online]. Available: https://wiki.opendaylight.org/view/AAA:Main
162. OpenDaylight AAA. [Online]. Available: https://wiki.opendaylight.org/view/AAA:Main
163. OpenDaylight SNBI. [Online]. Available: https://wiki.opendaylight.org/view/SecureNetworkBootstrapping:Main
164. Network Functions VirtualizationIntroductoryWhite Paper, Oct. 2012. Online]. Available: http://portal.etsi.org/NFV/NFV-White-Paper.pdf
165. "OpenStackCloudSoftware. " [Online]. Available:www.openstack.org
166. B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: Rapid prototyping for software-defined networks," in Proc. 9th ACM SIGCOMM Workshop Hot Topics Netw., 2010, p. 19.
167. ProtoGENI, 2014. [Online]. Available: http://protogeni.net/
168. C. Hall, et al., "Collaborating with the enemy on network management, in Security Protocols XXII. Basel, Switzerland: Springer-Verlag, 2014, pp. 154-162.
169. M. Moshref, A. Bhargava, A. Gupta, M. Yu, and R. Govindan, "Flowlevel state transition as a new switch primitive for SDN," in Proc. 3rd Workshop Hot Topics Softw. Defined Netw., 2014, pp. 61-66.