Design and Implementation of a Post-Detection Response Engine for Network Attacks in an SDN Environment Using the Floodlight Controller
Keywords:
Software-Defined Networking (SDN), Floodlight Controller, Interactive Response Engine, Cyberattack Detection, Post-Detection Response
Abstract
Software-Defined Networking (SDN) faces growing security challenges due to its centralized architecture and the separation of the control and data planes, which makes the controller a primary target for cyberattacks. This research proposes and implements an interactive post-detection response engine, integrated within the Floodlight controller, designed to automatically execute response actions upon receiving alerts from an external detection system. The engine analyzes alerts, compares them against predefined response policies, and issues the appropriate flow table modification commands to the switches via the OpenFlow protocol. The possible actions include packet dropping, source isolation using a Virtual Local Area Network (VLAN), or traffic rate limiting. The system was tested in a virtual environment using Mininet, simulating three common attack types: SYN Flood, UDP Flood, and Port Scanning. The engine's performance was evaluated on response time, malicious traffic mitigation rate, resource consumption, and false positive rate. Results demonstrated the system's capability to initiate a response in under 670 milliseconds, reduce malicious traffic by up to 94%, and keep the controller's resource consumption below 3.4%. Additionally, the system showed a low false positive rate, reflecting the reliability and efficiency of the embedded response logic. This work underscores the importance of moving response logic from external systems into the controller itself, and highlights the role of customizable policies in building more flexible and adaptive security frameworks. It also paves the way for the development of intelligent controllers capable of making data-driven, autonomous security decisions, strengthening the concept of "self-defense" in SDN environments.
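The abstract describes the engine's core loop: parse an alert from the external detector, match it against a policy table, and translate the chosen action (drop, VLAN isolation, rate limiting) into a flow table modification. The Python sketch below is an added illustration of that loop and is not the paper's implementation. It assumes a JSON alert format of its own design, a constructed policy table, and field names from Floodlight's public Static Flow Pusher REST API (`/wm/staticflowpusher/json`, keys such as `switch`, `ipv4_src`, `actions`, `hard_timeout`, `instruction_goto_meter`); those names should be checked against the controller version in use. Two defensive choices are built in that the abstract's false-positive and resource figures make relevant: alerts below a per-policy confidence threshold, or for unknown attack types, are only logged and never touch a flow table, and every pushed entry carries a hard timeout so an isolation or drop rule expires on its own.

```python
"""Policy-driven alert-to-flow-entry translation for a Floodlight-style response engine.
Added illustrative example, not the paper's code. Floodlight REST field names below are
assumptions based on the public Static Flow Pusher API."""
import json
import urllib.request

# Constructed policy table: detected attack type -> response action and its parameters.
# Covers the three actions named in the abstract: drop, VLAN isolation, rate limiting.
RESPONSE_POLICIES = {
    "SYN Flood":     {"action": "drop",         "min_confidence": 0.8, "hard_timeout": 300},
    "UDP Flood":     {"action": "rate_limit",   "min_confidence": 0.8, "hard_timeout": 300,
                      "meter_id": 1},            # assumes an OF1.3 meter 1 already installed
    "Port Scanning": {"action": "isolate_vlan", "min_confidence": 0.7, "hard_timeout": 600,
                      "quarantine_vlan": 999, "quarantine_port": 4},
}

# Constructed sample alerts, as the external detector might emit them (format is assumed).
SAMPLE_ALERTS = [
    '{"attack_type": "SYN Flood", "src_ip": "10.0.0.5", '
    '"switch_dpid": "00:00:00:00:00:00:00:01", "confidence": 0.95}',
    '{"attack_type": "Port Scanning", "src_ip": "10.0.0.7", '
    '"switch_dpid": "00:00:00:00:00:00:00:01", "confidence": 0.9}',
    '{"attack_type": "UDP Flood", "src_ip": "10.0.0.9", '
    '"switch_dpid": "00:00:00:00:00:00:00:02", "confidence": 0.5}',   # below threshold
    '{"attack_type": "DNS Amplification", "src_ip": "10.0.0.3", '
    '"switch_dpid": "00:00:00:00:00:00:00:02", "confidence": 0.99}',  # no policy
    'not json at all',
]


def parse_alert(raw):
    """Parse one alert document; return None for malformed or incomplete alerts."""
    try:
        alert = json.loads(raw)
    except ValueError:
        return None
    required = ("attack_type", "src_ip", "switch_dpid", "confidence")
    if not isinstance(alert, dict) or not all(k in alert for k in required):
        return None
    return alert


def select_action(alert):
    """Match the alert against the policy table.
    Unknown attack types and low-confidence alerts fall through to 'log_only' so an
    uncertain detection never modifies a flow table (the false-positive guard)."""
    policy = RESPONSE_POLICIES.get(alert["attack_type"])
    if policy is None or alert["confidence"] < policy["min_confidence"]:
        return "log_only", None
    return policy["action"], policy


def build_flow_entry(alert, action, policy):
    """Build a Static Flow Pusher entry (assumed field names) that implements the action.
    All entries match on the offending source IP, outrank normal forwarding rules, and
    expire via hard_timeout so the response is bounded in time."""
    entry = {
        "switch": alert["switch_dpid"],
        "name": "resp-%s-%s" % (alert["attack_type"].replace(" ", "_"), alert["src_ip"]),
        "priority": "40000",                     # above Floodlight's default 32768
        "active": "true",
        "eth_type": "0x0800",
        "ipv4_src": alert["src_ip"],
        "hard_timeout": str(policy["hard_timeout"]),
    }
    if action == "drop":
        entry["actions"] = ""                    # empty action list == drop in OpenFlow
    elif action == "isolate_vlan":
        entry["actions"] = "push_vlan=0x8100,set_field=vlan_vid=%d,output=%d" % (
            policy["quarantine_vlan"], policy["quarantine_port"])
    elif action == "rate_limit":
        entry["instruction_goto_meter"] = str(policy["meter_id"])
        entry["actions"] = "output=normal"       # forward, but through the meter
    return entry


def handle_alert(raw):
    """Full engine step: parse -> policy match -> flow entry. Returns a result record."""
    alert = parse_alert(raw)
    if alert is None:
        return {"action": "rejected", "flow_entry": None}
    action, policy = select_action(alert)
    if action == "log_only":
        return {"action": "log_only", "flow_entry": None, "alert": alert}
    return {"action": action, "flow_entry": build_flow_entry(alert, action, policy)}


def push_flow_entry(entry, controller="http://127.0.0.1:8080"):
    """POST the entry to Floodlight's Static Flow Pusher (assumed endpoint). Not run offline."""
    req = urllib.request.Request(controller + "/wm/staticflowpusher/json",
                                 data=json.dumps(entry).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for raw in SAMPLE_ALERTS:
        print(json.dumps(handle_alert(raw)))
```

Running the block offline prints one result record per constructed alert; only the first two produce flow entries, which is the point of the confidence and policy gates. Wiring `push_flow_entry` to a live controller is the only step that needs a running Floodlight instance.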