Security Risk Assessment of Multiple SDN Controllers Using Stochastic Petri Nets

Laila M Almutairi, Tennessee State University


Software Defined Networking (SDN) realizes network orchestration by separating the centralized network control from the forwarding elements. Centralized network control supports programmable network management and flexibility. However, it introduces a single point of failure and scalability issues. Researchers have proposed architectures with multiple SDN controllers to address the challenges of a single point of failure. The control plane remains the main component of the network, and attacking the control plane will compromise the network. The control plane still suffers from a number of threats, such as denial of service (DoS), man in the middle (MITM), and information modification attacks. Assessing the risk of any network is an important step in protecting the network and designing security countermeasures. Therefore, the security of networks with multiple SDN controllers is evaluated in this work. Generalized stochastic Petri nets (GSPN), an extension of stochastic Petri nets, are used to model attacks on the multiple SDN controllers and to analyze the security of the network.

A systems engineering approach was adopted in developing the assessment framework. The proposed assessment has two main subsystems: 1) Attack modeling: network data and vulnerability data are collected to generate attack graphs based on GSPN. This work focuses on two SDN attack surfaces: denial of service (DoS) attacks and information attacks. An attacker can exploit SDN vulnerabilities, which are located mostly in the control plane, such as in control services and messages. 2) Security analysis: a combined approach based on attack graph paths and stochastic metrics is used to evaluate the attack graphs.

The results from the attack path metrics and the SPN metrics show which part of the network is more vulnerable and needs more attention when suggesting defense mechanisms. In addition, the results illustrate that using more controllers does not guarantee network security when the same SDN controller platform is used, as similar vulnerabilities will exist across the SDN controller platforms. The proposed framework can be extended to cover more attack vectors and to generate additional security metrics.

Subject Area

Computer Engineering|Computer science

Recommended Citation

Laila M Almutairi, "Security Risk Assessment of Multiple SDN Controllers Using Stochastic Petri Nets" (2019). ETD Collection for Tennessee State University. Paper AAI13858437.