
A Filtering Model for Evidence Gathering in an SDN-Oriented Digital Forensic and Incident Response Context

  • Maria B. Jimenez
  • David Fernandez* (*corresponding author for this work)
  • Jorge Eduardo Rivadeneira
  • Ricardo Flores-Moyano

Affiliations: Technical University of Madrid; University of Coimbra

Research output: Contribution to journal › Article › peer-review

4 Scopus citations

Abstract

Software-defined networking (SDN) architecture enables flexible, centralized network management from the controller, making it increasingly attractive for deploying telecommunications services. However, despite the many benefits of SDN, the vulnerabilities inherent in its architecture must be considered, and potential attacks must be detected and ruled out. When an attack occurs, not only the technical teams but also the organizational areas have an interest in identifying the source of the problem, since attacks can violate terms of service and lead to legal action. Despite this shared interest in cybersecurity event information, forensics and incident response processes often operate independently, which hampers root-cause determination. Considering this concern, an architectural evolution for digital forensics and incident response (DFIR) management is introduced. This paper presents an event filtering model that serves as a trigger for initiating the DFIR process, based on the detection of unusual traffic and unexpected behavior of SDN elements. The proposal applies artificial intelligence techniques; the paper showcases the performance of the model and presents a proprietary dataset obtained from OpenFlow traffic.
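To make the abstract's idea concrete, the following is an added illustrative example written for this page; it is not the authors' model, their dataset, or their AI algorithm. It assumes a stream of per-interval OpenFlow control-plane counters per switch (field names `dpid`, `packet_in`, `flow_mod` are assumptions), learns a per-switch baseline from a warm-up period, and flags intervals whose counts deviate strongly from it or that come from a switch never seen during warm-up (a simple statistical stand-in for the paper's learned filter). A flagged interval becomes a DFIR trigger, and the events around it are packaged into an evidence bundle with a SHA-256 digest so the collected evidence can later be shown to be unaltered. The sample events are constructed inline.

```python
"""Illustrative event filter that gates a DFIR workflow on OpenFlow control-plane anomalies.

Added example for this page; not the paper's model or dataset. Field names and
thresholds are assumptions chosen for the demonstration.
"""
import hashlib
import json
import statistics
from collections import defaultdict

# Constructed sample: per-interval counts of OpenFlow messages per switch (dpid).
# Intervals 0-2 are normal and serve as warm-up; interval 4 carries a packet-in
# and flow-mod burst on switch 00:01 (DDoS-like), and interval 5 introduces a
# switch (00:03) that was never seen before (unexpected SDN element behavior).
SAMPLE_EVENTS = [
    {"t": 0, "dpid": "00:01", "packet_in": 40, "flow_mod": 5},
    {"t": 0, "dpid": "00:02", "packet_in": 35, "flow_mod": 4},
    {"t": 1, "dpid": "00:01", "packet_in": 44, "flow_mod": 6},
    {"t": 1, "dpid": "00:02", "packet_in": 31, "flow_mod": 3},
    {"t": 2, "dpid": "00:01", "packet_in": 42, "flow_mod": 5},
    {"t": 2, "dpid": "00:02", "packet_in": 36, "flow_mod": 4},
    {"t": 3, "dpid": "00:01", "packet_in": 43, "flow_mod": 5},
    {"t": 3, "dpid": "00:02", "packet_in": 34, "flow_mod": 4},
    {"t": 4, "dpid": "00:01", "packet_in": 900, "flow_mod": 60},
    {"t": 4, "dpid": "00:02", "packet_in": 33, "flow_mod": 4},
    {"t": 5, "dpid": "00:01", "packet_in": 45, "flow_mod": 5},
    {"t": 5, "dpid": "00:02", "packet_in": 35, "flow_mod": 4},
    {"t": 5, "dpid": "00:03", "packet_in": 10, "flow_mod": 1},
]


def baseline(events, warmup_intervals, field):
    """Per-switch (mean, population stdev) of `field` over the warm-up intervals."""
    per_switch = defaultdict(list)
    for e in events:
        if e["t"] < warmup_intervals:
            per_switch[e["dpid"]].append(e[field])
    return {dpid: (statistics.fmean(v), statistics.pstdev(v)) for dpid, v in per_switch.items()}


def filter_events(events, warmup_intervals=3, k=3.0, fields=("packet_in", "flow_mod")):
    """Return DFIR triggers: intervals whose counters exceed mean + k*stdev of the
    per-switch baseline, or that originate from a switch absent during warm-up."""
    base = {f: baseline(events, warmup_intervals, f) for f in fields}
    known = set(base[fields[0]])
    triggers = []
    for e in events:
        if e["t"] < warmup_intervals:
            continue  # warm-up data is the reference, never judged against itself
        reasons = []
        if e["dpid"] not in known:
            reasons.append(f"unknown switch {e['dpid']}")
        else:
            for f in fields:
                mean, sd = base[f][e["dpid"]]
                # Floor the spread at 1.0 so a perfectly flat baseline does not
                # turn every one-message fluctuation into a trigger.
                threshold = mean + k * max(sd, 1.0)
                if e[f] > threshold:
                    reasons.append(f"{f}={e[f]} exceeds {threshold:.1f}")
        if reasons:
            triggers.append({"t": e["t"], "dpid": e["dpid"], "reasons": reasons})
    return triggers


def evidence_bundle(events, trigger, window=2):
    """Gather the events from `window` intervals before the trigger up to the trigger
    itself and seal them with a SHA-256 digest over a canonical JSON encoding."""
    lo, hi = trigger["t"] - window, trigger["t"]
    selected = [e for e in events if lo <= e["t"] <= hi]
    payload = json.dumps({"trigger": trigger, "events": selected}, sort_keys=True)
    return {
        "trigger": trigger,
        "events": selected,
        "sha256": hashlib.sha256(payload.encode("utf-8")).hexdigest(),
    }


def verify_bundle(bundle):
    """Recompute the digest; False means the evidence or trigger record was altered."""
    payload = json.dumps({"trigger": bundle["trigger"], "events": bundle["events"]}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest() == bundle["sha256"]


if __name__ == "__main__":
    for trig in filter_events(SAMPLE_EVENTS):
        bundle = evidence_bundle(SAMPLE_EVENTS, trig)
        print(trig, len(bundle["events"]), "events sealed, sha256:", bundle["sha256"][:16])
```

With the constructed data the filter emits two triggers: the burst on switch 00:01 at interval 4 (both counters out of range) and the appearance of switch 00:03 at interval 5. The digest in the bundle is what lets an incident responder hand evidence to a forensic or legal process with a verifiable integrity claim; the filter itself is deliberately simple and is where a learned classifier such as the one the paper evaluates would plug in.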

Original language: English
Pages (from-to): 75792-75808
Number of pages: 17
Journal: IEEE Access
Volume: 12
State: Published - 2024

Keywords

  • DDoS attacks
  • SDN DFIR
  • SDN attacks
  • SDN cybersecurity
  • SDN dataset
  • SDN forensics
  • artificial intelligence algorithms
