Software-defined network forensics: Motivation, potential locations, requirements, and challenges

Suleman Khan, Abdullah Gani, Ainuddin Wahid Abdul Wahab, Ahmed Abdelaziz, Kwangman Ko, Muhammad Khurram Khan, Mohsen Guizani

Research output: Contribution to journalReview articlepeer-review

30 Citations (Scopus)


The separation of the control plane from the data plane of a switch enables abstraction of a network through a logically centralized controller. The controller functions as the “brain” of a software-defined network. However, centralized control draws attackers to exploit different network devices by hijacking the controller. Security was initially not a key characteristic of SDN architecture, which left it vulnerable to various attackers. The investigation of such attacks in the newly emerging SDN architecture is a challenging task. Therefore, a comprehensive forensic mechanism is required to investigate different forms of attacks by determining their root cause. This article discusses an important area in SDN security, SDN forensics, which until now has received minimal focus. We compare traditional network forensics with SDN forensics to highlight the key differences between them. A brief motivation for SDN forensics is presented to emphasize its significance. Moreover, the potential locations with possible evidence against attackers are identified in SDN. Key requirements are highlighted for SDN forensics with respect to baseline investigation procedures. Finally, we identify challenges in SDN forensics by highlighting potential research areas for researchers, investigators, and academicians.
Original languageEnglish
Pages (from-to)6-13
Number of pages8
JournalIEEE Network
Issue number6
Publication statusPublished - 1 Dec 2016


Dive into the research topics of 'Software-defined network forensics: Motivation, potential locations, requirements, and challenges'. Together they form a unique fingerprint.

Cite this