Research Article

Network Programming and Probabilistic Sketching for Securing the Data Plane

Maha Shamseddine,1 Wassim Itani,2 Ali Chehab,1 and Ayman Kayssi1

1 Department of Electrical and Computer Engineering, American University of Beirut, Beirut, Lebanon
2 Department of Electrical and Computer Engineering, Beirut Arab University, Beirut, Lebanon

Correspondence should be addressed to Wassim Itani; wassim.itani@bau.edu.lb

Received 6 February 2018; Revised 7 May 2018; Accepted 17 May 2018; Published 28 June 2018

Academic Editor: Roberto Di Pietro

Copyright © 2018 Maha Shamseddine et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

This paper presents VISKA, a cloud security service for dynamically detecting malicious switching elements in software defined networking (SDN) infrastructures. The main contributions of VISKA lie in (1) utilizing network programming and secure probabilistic sketching in SDN environments to dynamically detect and isolate parts of the data plane that experience malicious behavior, (2) applying a set of focused packet probing and sketching mechanisms on isolated network partitions/views rather than focusing the security mechanisms on the whole physical network, (3) efficiently analyzing the network behavior of the resulting views by recursively partitioning them in a divide-and-conquer fashion to logarithmically reduce the problem size in order to localize abnormal/malicious switching units, and (4) providing an attack categorization module that analyzes the live ingress/egress traffic of only the switch(es) detected as malicious in order to identify the specific type of attack, rather than inspecting the whole network traffic as is done in traditional intrusion detection systems. This significantly enhances the performance of attack detection and reduces the load on the controller.
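As an added illustration of contributions (1) and (3), and not code from the VISKA paper itself: a compact order-independent sketch stands in for the packet probing of a network view, and a divide-and-conquer recursion localizes the misbehaving switches with a logarithmic number of probes instead of one probe per switch. The switch identifiers, the drop behaviour of a bad switch and the sketch function are constructed assumptions for this example.

```python
import hashlib
from typing import FrozenSet, List, Set, Tuple

# Constructed sample data plane: switches are integers 0..n-1 and these two
# silently drop probe packets. Hypothetical, for illustration only.
MALICIOUS_SWITCHES: Set[int] = {7, 200}


def fingerprint(packets: List[bytes]) -> int:
    """Compact, order-independent sketch of a packet multiset: the sum of 64-bit
    packet hashes mod 2**64. Ingress and egress sketches agree unless a packet was
    dropped, injected or altered, so a view is checked with one integer compare."""
    total = 0
    for p in packets:
        total = (total + int.from_bytes(hashlib.sha256(p).digest()[:8], "big")) % 2**64
    return total


def traverse(view: FrozenSet[int], packets: List[bytes]) -> List[bytes]:
    """Stand-in for forwarding probes through every switch of a view (constructed
    behaviour: a malicious switch drops every tenth packet it sees)."""
    out = list(packets)
    for sw in sorted(view):
        if sw in MALICIOUS_SWITCHES:
            out = [p for i, p in enumerate(out) if i % 10 != 0]
    return out


def view_is_suspicious(view: FrozenSet[int], packets: List[bytes]) -> bool:
    """Probe a view: egress sketch differs from ingress sketch => misbehaviour inside."""
    return fingerprint(traverse(view, packets)) != fingerprint(packets)


def localize(view: FrozenSet[int], packets: List[bytes], probes: List[int]) -> Set[int]:
    """Divide and conquer: probe the whole view, recurse into its halves only when
    the view is suspicious, so a clean half is never inspected switch by switch."""
    probes[0] += 1
    if not view_is_suspicious(view, packets):
        return set()
    if len(view) == 1:
        return set(view)
    items = sorted(view)
    mid = len(items) // 2
    return (localize(frozenset(items[:mid]), packets, probes)
            | localize(frozenset(items[mid:]), packets, probes))


def run(n_switches: int = 256, n_packets: int = 100) -> Tuple[Set[int], int]:
    """Localize misbehaving switches in an n-switch view; returns (switches, probe count)."""
    packets = [f"probe-{i}".encode() for i in range(n_packets)]
    probes = [0]
    found = localize(frozenset(range(n_switches)), packets, probes)
    return found, probes[0]
```

With k misbehaving switches in an n-switch view the recursion issues at most 1 + 2k·log2(n) probes, so the 256-switch default needs at most 33 probes rather than 256.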
A testbed prototype implementation is realized on the Mininet network emulator. The experimental analysis corroborated the algorithms' convergence property using the linear and FatTree topologies with network sizes of up to 250 switches. Moreover, an implementation of the attack categorization module is realized and achieved an accuracy rate of over 90% for the different attack types supported.

1. Introduction

The next-generation networking model being adopted is the SDN architecture, which is based on separating the network control and configuration logic from the network switching logic, with SDN controllers having fine-grained control over network routing and reconfiguration [1]. SDN networks, as is the case with any packet switching network, face a major security risk: the malicious operation of the network forwarding units. With the widely adopted network and infrastructure cloud services, which provide network tenants with off-premise network topologies, there is a compelling demand for dedicated security services at the data plane to ensure that the switching units are not executing or participating in any active attack on network traffic. This dedicated security service must provide SDN tenants, with high confidence, sufficient guarantees that the network on which they run their applications is free of malicious activities on the data plane. Moreover, such a service should (1) trigger security alarms in real time, (2) be efficient in applying the network monitoring/probing operations using compact data structures, and most importantly (3) be specifically designed for securing SDN networks.

The flexibility and programmability features of the SDN network model provide appealing advantages for the advancement of autonomous network creation and configuration.
The introduction of the concept of data plane/control plane separation significantly facilitates network programming and central control over the switching and routing mechanisms of the global network view [2]. In this work, we present VISKA, a cloud security service for SDN networks that tackles security breaches in the switching data plane by leveraging network programming and probabilistic sketching. The main focus in the literature

Hindawi Security and Communication Networks, Volume 2018, Article ID 2905730, 23 pages, https://doi.org/10.1155/2018/2905730