Software Defined Networking (SDN) is a new paradigm in networking that decouples the data plane from the control plane to enable open network programmability and network function virtualization. Beyond networking research, SDN has been adopted in large production networks, and many commercial switch and controller implementations are available. Unfortunately, the security and forensics aspects of SDN have received little attention amid this rapid growth. This challenge seeks to advance the state of the art in SDN forensics by focusing the community's attention on this emerging domain.
Four teams participated in this year's challenge and did excellent work. Congratulations to the winning team from Booz Allen! A summary of the challenge, scenario details, results, and the winning solution are available for download:
You have obtained a memory image from an SDN switch, along with a capture of the network traffic between the SDN switch and its controller(s), i.e., the "southbound" traffic. Your job is to analyze these artifacts for forensically interesting information. Download the:
Your job is to develop automated tools for analyzing southbound SDN forensic artifacts. Tools that fuse analysis of network traffic and memory dumps are especially encouraged. We know what hosts were connected to the SDN switch, what they did, and who they communicated with -- as well as the network policy and configuration as implemented by our SDN controller. Your tool should seek to reverse engineer as many of these details as possible! Some suggestions: