Towards Fine-grained Network Security Forensics and Diagnosis in the SDN Era.

Diagnosing network security issues in traditional networks is difficult. It is even more frustrating in the emerging Software Defined Networks. The data/control plane decoupling of the SDN framework makes the traditional network troubleshooting tools unsuitable for pinpointing the root cause in the control plane. In this paper, we propose ForenGuard, which provides flow-level forensics and diagnosis functions in SDN networks. Unlike traditional forensics tools that only involve either network level or host level, ForenGuard monitors and records the runtime activities and their causal dependencies involving both the SDN control plane and data plane. Starting with a forwarding problem (e.g., disconnection) which could be caused by a security issue, ForenGuard can backtrack the previous activities in both the control and data plane through causal relationships and pinpoint the root cause of the problem. ForenGuard also provides a user-friendly interface that allows users to specify the detection point and diagnose complicated network problems. We implement a prototype system of ForenGuard on top of the Floodlight controller and use it to diagnose several real control plane attacks. We show that ForenGuard can quickly display causal relationships of activities and help to narrow down the range of suspicious activities that could be the root causes. Our performance evaluation shows that ForenGuard will add minor runtime overhead to the SDN control plane and can scale well in various network workloads.