Software-Defined Network Forensics: Motivation, Potential Locations, Requirements, and Challenges

Suleman Khan, Abdullah Gani, Ainuddin Wahid Abdul Wahab, Ahmed Abdelaziz, Kwangman Ko, Muhammad Khurram Khan, and Mohsen Guizani

Suleman Khan, Abdullah Gani, Ainuddin Wahid Abdul Wahab, and Ahmed Abdelaziz are with the Centre for Mobile Cloud Computing Research, University of Malaya. Kwangman Ko is with Sangji University. Muhammad Khurram Khan is with the Center of Excellence in Information Assurance, King Saud University. Mohsen Guizani is with the University of Idaho. The corresponding authors are Abdullah Gani and Kwangman Ko.

IEEE Network, November/December 2016, special section "Network Forensics and Surveillance for Emerging Networks". Digital Object Identifier: 10.1109/MNET.2016.1600051NM. 0890-8044/16/$25.00 © 2016 IEEE.

ABSTRACT

The separation of the control plane from the data plane of a switch enables abstraction of a network through a logically centralized controller. The controller functions as the "brain" of a software-defined network. However, centralized control draws attackers to exploit different network devices by hijacking the controller. Security was initially not a key characteristic of the SDN architecture, which left it vulnerable to various attackers. The investigation of such attacks in the newly emerging SDN architecture is a challenging task. Therefore, a comprehensive forensic mechanism is required to investigate different forms of attacks by determining their root cause. This article discusses an important area of SDN security, SDN forensics, which until now has received minimal attention. We compare traditional network forensics with SDN forensics to highlight the key differences between them. A brief motivation for SDN forensics is presented to emphasize its significance. Moreover, the potential locations in SDN that hold possible evidence against attackers are identified. Key requirements for SDN forensics are highlighted with respect to baseline investigation procedures. Finally, we identify challenges in SDN forensics by highlighting potential research areas for researchers, investigators, and academicians.

INTRODUCTION

The advent of a new network architecture, software-defined networking (SDN), separates the control plane from the data plane in OpenFlow (OF) switches (Fig. 1). This separation yields numerous benefits, including easy insertion of applications and services, streamlined processes, improved efficiency, reduced complexity, and a good user experience [1]. However, these advantages also increase the number of malicious attacks on the logically centralized SDN architecture.

The investigation of a security breach is frequently a difficult and tedious task that requires analyzing numerous parameters, such as malicious packets, suspicious connection attempts, packets bombarding the victim, log entries, and log-in attempts. Attackers mostly cover their tracks by removing malicious traces, or claim innocence by framing a legitimate system as the attacker. In the SDN paradigm, a malicious attack can be traced by incorporating different forensic techniques into the SDN architecture to overcome the intelligence of an attacker. Although the concept of forensics is still new and evolving in SDN, the majority of current studies have focused specifically on detecting attacks [2]. This is because SDN is still in its preliminary stages of implementation, having yet to be adopted by organizations. Therefore, for SDN forensics to become current practice, considerable effort must be exerted by researchers, security administrators, developers, investigation agencies, and network developers to establish standards, protocols, frameworks, and mechanisms.

Each SDN layer (the application, control, and infrastructure layers) provides significant information that can support the investigation process as evidence against malicious activities [3]. In the application layer, the logs of various applications and application program interfaces (APIs) can be used to record malicious events that occur during attacks through malicious applications. The host-tracking system in the control layer is used to track the location of a host by looking at its IP and media access control (MAC) addresses, virtual local area network ID, and location. In addition, the link discovery service is used to find links among switches in order to track the network of an attacker [4]. In the infrastructure layer, OF table entries provide useful statistics regarding network flows generated from a source to a destination [5]. The malicious flow of information can be retrieved from entries in flow tables and analyzed to obtain the required information. Therefore, evidence of malicious activities can be retrieved from all SDN layers. However, the question is how the trustworthiness and integrity of the collected evidence can be maintained. The answer to this question requires a collaborative effort of different security vendors to overcome the aforementioned problem in SDN.

The key contributions of this study are highlighted as follows:

• A brief motivation for SDN forensics and its significance are presented.

• Potential locations within SDN for collecting valuable evidence against the malicious behavior of an attacker are identified.

• Key requirements for SDN forensics to meet baseline digital forensic procedures are highlighted.

• SDN forensic challenges are presented to attract researchers, practitioners, and security vendors.

The rest of this article is organized as follows. First, we provide a comparison between traditional
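The infrastructure-layer evidence described above (per-flow packet and byte counters held in OF table entries) and the integrity question raised at the end of this section can be illustrated with a small evidence collector. The following Python example is added here and is not part of the article or of any SDN controller; it parses constructed flow-table entries written in the style of Open vSwitch's `ovs-ofctl dump-flows` output (the entries themselves are invented sample data), normalises the counters an investigator would use, summarises bytes per source address, and stores each record in a SHA-256 hash chain so that any later edit, insertion or deletion of a collected record can be detected. The collector name `ctl-1` is an assumed label.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

# Constructed sample in the style of `ovs-ofctl dump-flows` output from an
# OpenFlow switch. These three entries are invented for this example and are
# not taken from any real capture.
SAMPLE_FLOW_DUMP = """\
cookie=0x0, duration=812.413s, table=0, n_packets=1042, n_bytes=77108, priority=100,ip,nw_src=10.0.0.1,nw_dst=10.0.0.2 actions=output:2
cookie=0x0, duration=33.201s, table=0, n_packets=90311, n_bytes=5780904, priority=100,ip,nw_src=10.0.0.7,nw_dst=10.0.0.2 actions=output:2
cookie=0x0, duration=812.410s, table=0, n_packets=1040, n_bytes=76960, priority=100,ip,nw_src=10.0.0.2,nw_dst=10.0.0.1 actions=output:1
"""

GENESIS = "0" * 64  # previous-digest value for the first record in a chain


def parse_flow_entry(line: str) -> Dict[str, Any]:
    """Split one flow-table entry into its key=value fields and its actions."""
    if " actions=" not in line:
        raise ValueError(f"not a flow entry: {line!r}")
    fields_part, actions = line.split(" actions=", 1)
    record: Dict[str, Any] = {"actions": actions.strip(), "match_flags": []}
    for token in fields_part.split(","):
        token = token.strip()
        if not token:
            continue
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
        else:
            record["match_flags"].append(token)  # bare match keywords such as "ip"
    # Normalise the counters an investigator reasons about into numbers.
    for key in ("n_packets", "n_bytes", "priority", "table"):
        if key in record:
            record[key] = int(record[key])
    if "duration" in record:
        record["duration_s"] = float(record.pop("duration").rstrip("s"))
    return record


def _digest(body: Dict[str, Any]) -> str:
    """Canonical SHA-256 of a record body (sorted keys, so it is reproducible)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def flows_to_evidence(dump: str, collector: str) -> List[Dict[str, Any]]:
    """Turn a flow dump into a hash-chained list of evidence records.

    Each record stores the digest of the previous record and its own digest,
    so editing, removing or inserting any record breaks the chain.
    """
    chain: List[Dict[str, Any]] = []
    prev = GENESIS
    for seq, line in enumerate(l for l in dump.splitlines() if l.strip()):
        body = {"seq": seq, "collector": collector, "raw": line,
                "flow": parse_flow_entry(line), "prev": prev}
        digest = _digest(body)
        chain.append({**body, "digest": digest})
        prev = digest
    return chain


def verify_chain(chain: List[Dict[str, Any]]) -> Optional[int]:
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "digest"}
        if body.get("prev") != prev or _digest(body) != rec["digest"]:
            return i
        prev = rec["digest"]
    return None


def bytes_by_source(chain: List[Dict[str, Any]]) -> Dict[str, int]:
    """Sum n_bytes per nw_src, a first view of which source carried the most traffic."""
    totals: Dict[str, int] = {}
    for rec in chain:
        flow = rec["flow"]
        src = flow.get("nw_src")
        if src is not None:
            totals[src] = totals.get(src, 0) + int(flow.get("n_bytes", 0))
    return totals


if __name__ == "__main__":
    evidence = flows_to_evidence(SAMPLE_FLOW_DUMP, "ctl-1")
    print("chain intact:", verify_chain(evidence) is None)
    print("bytes by source:", bytes_by_source(evidence))
```

The chain only protects records after they are collected; the timestamp of collection and the identity of the collector still have to be trusted, which is the collaborative, cross-vendor part of the problem the section points at. Verification returns the position of the first broken link rather than a bare boolean so an investigator can see where in the sequence the record set stopped being trustworthy.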