Traffic-based Malicious Switch Detection in SDN

In Software Defined Networking (SDN) architecture, the control plane is separated from the data plane. On one hand, OpenFlow switches can only store and forward packets, which leaves all decisions to be made by the controller. On the other hand, the controller has a global view over the SDN. But if any switch is captured by an adversary, it may mislead the controller to make inaccurate decisions which may have terrible influences on the overall networks. In this paper, we elaborate on these problems and propose methods to detect malicious OpenFlow switches. We set a threshold value of the traffic-flows across an OpenFlow switch. If the switch's current traffic-flows exceed the threshold value, the controller has reasons to believe that this switch is suspicious and may monitor it intensively. Another scheme is to add a third-party server to accept users' report to warn the controller. In SDN, the controller cannot communicate with users directly, and sometimes users need to feed back their experience to the controller to help improve the SDN. In this case, it is necessary to set a third-party server in SDN to act as a middle role. These two schemes help to detect malicious switches. The controller can analyze the flow table of the suspicious switch and identify whether it is really malicious before isolating it.