Reviews

Advances in software defined network security research and key technologies

  • ZHAI Yahong
  • CUI Junwei
  • College of Electrical and Information Engineering, Hubei University of Automobile Technology, Shiyan 442002, China

Received date: 2022-09-21

Revised date: 2022-10-13

Online published: 2023-08-11

Abstract

Software-defined networking (SDN) is a network architecture in which a centralized, software-based control plane is decoupled from packet forwarding, which simplifies the development of new network applications and services; it has become a research hotspot for the next-generation Internet. To address the security issues of SDN, this paper reviews existing solutions along the three-layer SDN architecture and analyzes the technical challenges that SDN security faces. It first introduces the definition of SDN and its three-layer architecture, then reviews research advances in SDN security. Next, it summarizes the security issues and the corresponding solutions for the application layer, the control layer and the data layer respectively. Finally, it provides an outlook on the challenges that future SDN security research may encounter.

Cite this article

ZHAI Yahong, CUI Junwei. Advances in software defined network security research and key technologies[J]. Science & Technology Review, 2023, 41(13): 76-88. DOI: 10.3981/j.issn.1000-7857.2023.13.008
