A Method for Acquiring Network Information from Linux Memory Image in Software-Defined Networking

A Method for Acquiring Network Information from Linux Memory Image in Software-Defined Networking

Software defined network (SDN) is a novel network architecture which separates the control plane from the data plane of a network. Owing to its openness, programmability and centralized control, SDN accelerates the development of network technology. However, it also brings new security problems, such as SDN control security, external distributed denial of service (DDoS) attacks and the northbound-southbound interface security. Aiming at the various security attack problems in SDN, the physical memory forensic analysis method is applied to this new framework of SDN, which can extract and analyze the digital evidence including running status of the computer, the behaviour characteristics of the user, network information, opened file and register. The method in this paper mainly obtains the network information from the physical memory image file in realtime, including the address resolution protocol (ARP), network configuration information, and the network connection information. It does not depend on the kernel symbol table and system version. We have extracted the network information under a wide range of operating system versions. Finally, the method is verified on the ubuntukylin 14.04 system, by obtaining various network information, and the experiment results show that the method has high accuracy and effectiveness on comparing with the Volatility tool.