SDN Forensics Challenge, 2016

Software Defined Networking (SDN) is a new paradigm in networking that decouples the data and control plane to enable open network programmability and function virtualization. Beyond networking research, SDN has been adopted in large production networks, while many commercial switch and controller implementations are available. Unfortunately, security and forensics aspects of SDN have received little attention amid this rapid growth. This challenge seeks to advance the state-of-the-art in SDN forensics by focusing the community's attention on this emerging domain.


Four teams participated in this year's challenge and did excellent work. Congratulations to the winning team from Booz Allen! A summary of the challenge, scenario details, results, and the winning solution are available for download:


You have obtained a memory image from an SDN switch, along with a capture of the network traffic between the SDN switch and its controller(s), i.e., the "southbound" traffic. Your job is to analyze these artifacts for forensically interesting information. Download the:


Your job is to develop automated tools for analyzing southbound SDN forensic artifacts. Tools that fuse analysis of network traffic and memory dumps are especially encouraged. We know what hosts were connected to the SDN switch, what they did, and who they communicated with -- as well as the network policy and configuration as implemented by our SDN controller. Your tool should seek to reverse engineer as many of these details as possible! Some suggestions:

  • What type of SDN switch and controller are in use?
  • What hosts (identified by MAC or IP addresses) were connected to which switch ports?
  • How much traffic did these hosts send, and to whom?
  • When were these hosts active (they may be virtual hosts in a cloud that move and are short-lived)?
  • What flows does the SDN switch match on? Are they static or dynamic rules?
  • What actions does the SDN switch take, and for which flow rules?


  • Submission deadline: July 8, 2016
  • Please see complete rules
  • All participants must send an email to with the subject line "Solution submission".
  • The actual solution (code and relevant documentation) can be submitted via email tarball, posted on a public VCS, or posted for HTTP/FTP download.
  • Submissions will be judged on: 1) completeness; 2) accuracy; and 3) tool/code quality.
Good luck!