n SDNSuite


SDN Security Suite


CLICK HERE TO DOWNLOAD: SDN Security Actuator (Java and Perl versions), Beta 3 Release 6 December 2013

Requires:  SE-Floodlight, Java v1.6+ or Perl.

The SDN Security Actuator is a middle-ware abstraction service that enables legacy INFOSEC security products and technology to easily integrate into an OpenFlow network stack.  The Security Actuator enables security services to communicate high level threat response directives, which are then translated into stateful OpenFlow flow rule insertions to are sent to SE-Floodlight.  These directives utilize SE-Floodlight's Rule-chain Conflict Analysis (RCA) algorithm to ensure that all redirections and blocks cannot be circumvented by flow rules set actions that implement virtual tunnels that would otherwise violate the directive.

The Security Actuator provides a vital service for enabling security applications to focus on identify malicious and infected machines, while shielding them from the low-level implementation details of the OpenFlow network stack.

We provide two reference implementations of an SDN Security Actuator in Java and Perl, both of which implement 11 Security Directives.

CLICK HERE TO DOWNLOAD:   SE-Floodlight, beta 7 release, 20 February 2015.

Requires:  An OpenFlow v1.0 compatible switch and Java v1.6+.

SE-Floodlight is a software extension to the BigSwitch Floodlight controller, providing role-based authorization and strong security constraints enforcement.  It is the first reference implementation of an SDN security policy enforcing mediation service in an OpenFlow stack, and it is an improvement and extension of our original FortNOX security kernel ("A Security Enforcement Kernel for OpenFlow Networks," SIGCOMM HotSDN, 2012).  Here are SE-Floodlight's key security features:

  1. 1. Least Privilege: introduces a Google protocol-buffers-based Northbound API, enabling OpenFlow apps to operate outside the controller process context.

  1. 2.Digital Authentication: Flow rule producers, operating both through the remote API or as local Java classes, are now authenticated.  SE-Floodlight also introduces runtime class module digital signature validation, enabling integrity verification of Floodlight-local control logic implemented as loadable Java classes.

  1. 3.PACKET_OUT Control: PACKET_OUT messages produced by OpenFlow apps can now be restricted by administrators.    

  1. 4.Inline Flow Rule Conflict Detection:  Rule-Chain Conflict Analaysis described in our SE-Floodlight paper at NDSS 2015 to conduct inline rule conflict detection

  1. 5.Role-based Authorization: resolves candidate rule conflicts based on a role authorization scheme

  1. 6.Security Audit: SE-Floodlight introduces a new OpenFlow audit subsystem that tracks all security-relevant events produced by the OpenFlow network stack (a prerequisite for environments requiring security accreditations or conformance with most security compliance specifications).

Security-Enhanced Floodlight

Beta 7 release

20 February 2015

SDN Security Actuator

Beta 3 release

6 December 2013

CLICK HERE TO DOWNLOAD OF-BOTHUNTER: BHResponder, Beta 3 Release 6 December 2013

Requires:  SDN Security Actuator, BotHunter v1.7.2, and Perl.

OF-BotHunter is a sample reference application of a SDN-enabled antimalware mitigation service.  OpenFlow BotHunter consists of the standard BotHunter distribution package, available at www.bothunter.net, integrated with BHResponder.  OF-BotHunter is a network-based passive analysis system that detects when systems inside your network are producing communication patterns consistent with coordination-centric malware (botnets, spam, infection, spyware, worms, adware, etc.) .

BHResponder extends BotHunter with an automated interface to convey security directives to the SDN Security Actuator in response to botnet infection profiles generated by BotHunter.  An XML specification language enables end users to modify and extend BHResponder antimalware response policies for their needs.


Beta 3 release

6 December 2013

OF-BotHunter is a sample OpenFlow Security application that interfaces with our secure OpenFlow network stack via the SDN Security Actuator

SDN Security Actuator provides and abstract security directive  interface that enables INFOSEC technologies to implement complex threat responses to mitigate malicious hosts and traffic

SE-Floodlight enables developers to produce and evaluate

security enforcement applications


We gratefully acknowledge the support of the Defense Advanced Research Project (DARPA) Mission Resilient Cloud Program, Contract No. FA8750-11-C-0249, and the Army Research Office under the Cyber-TA Research Grant (No. W911NF-06-1-0316). Thank you to Howie Schrobe, Bob Ladaga, and Cliff Wang, for their program management support of basic research in Software Defined Network Security.