Innovations in Systems and Software Engineering
https://doi.org/10.1007/s11334-019-00337-3
S.I.: CICBA 2018

Dynamic vulnerability assessments of software-defined networks

Raktim Deb 1 · Sudipta Roy 1

Received: 18 January 2019 / Accepted: 25 March 2019
© Springer-Verlag London Ltd., part of Springer Nature 2019

Abstract
Software-defined networking (SDN) poses many potential security threats because of its principle of dissociating the network management interface from the underlying networking components in order to make the network programmable. Many security countermeasures have been proposed for this current trending environment, but none of the research has considered the existing vulnerabilities in SDN entities. This paper first quantifies the vulnerabilities using CVSS and then identifies the mutual relationships between the vulnerabilities using the Bayesian network methodology.

Keywords Software-defined networks (SDN) · Common vulnerability scoring system (CVSS) · Bayesian network

1 Introduction

Software-defined networking is a new networking paradigm that provides greater flexibility, programmability, cost-effectiveness, vendor independence, and on-demand configuration control over network resources as well as the network architecture [1]. In spite of all the conveniences offered by SDN, security issues, performance problems, and design flaws have been major concerns since its inception. To address such issues, several solutions have been proposed by the research community. But those existing solutions do not account for the vulnerabilities and risks present in the different SDN entities, which may have a serious impact on an organization's network. Vulnerabilities embedded in SDN entities introduce flaws into network communication.
In order to carry out an effective security threat assessment for SDN, both the individual vulnerabilities of SDN entities and the mutual relationships among them must be taken into account. FIRST, a US-based nonprofit organization, maintains an open standard known as the common vulnerability scoring system (CVSS) [2] for rating the severity of vulnerabilities in an organization's networked services. But this scoring system yields only a score for each individual vulnerability of a network entity, taken in isolation. Moreover, no well-founded mapping exists that relates this scoring system to SDN; providing one is the first goal of this paper. Since SDN differs architecturally from traditional networking, our first aim is to determine appropriate conditions for applying CVSS to SDN entities and to set the local conditional probability for each entity of the SDN.

In threat modeling it is inadequate to consider vulnerabilities individually, because the threat posed by a vulnerability may change in the course of network transactions. Ignoring situations in which individual vulnerabilities act jointly, so that exploiting one raises the probability of compromising critical resources through another, can put an organization in grave danger. CVSS does not provide such a dynamic measurement of vulnerability. To handle this problem, the second part of this paper proposes using a Bayesian network to determine the mutual relationships among the vulnerabilities of SDN entities.

The rest of this paper is organized as follows. Section 2 presents the motivation and reviews related work. Section 3 presents the vulnerabilities of SDN entities and their corresponding scores using the CVSS method. Section 4 determines the mutual relationships among the vulnerabilities by implementing a Bayesian network. Section 5 discusses future work and concludes the paper.

✉ Raktim Deb, debraktim@gmail.com
1 Department of CSE, Assam University, Silchar, India
2 Motivation and related work

Due to the architectural differences between SDN and traditional networks, the adoption of the OpenFlow specification [3] and the existence of vulnerabilities in SDN make it an attractive target for an attacker to launch several kinds of network