Review

Securing the SDN Data Plane in Emerging Technology Domains: A Review

1 School of Computers and Systems, University of New South Wales, Canberra 2612, Australia
2 Network Engineering and Cybersecurity Capability, University of Canberra, Canberra 2617, Australia
* Author to whom correspondence should be addressed.
Future Internet 2025, 17(11), 503; https://doi.org/10.3390/fi17110503
Submission received: 18 September 2025 / Revised: 18 October 2025 / Accepted: 27 October 2025 / Published: 3 November 2025

Abstract

Over the last decade, Software-Defined Networking (SDN) has garnered increasing research interest for networking and security. This interest stems from the programmability and dynamicity offered by SDN, as well as the growing importance of SDN as a foundational technology of future telecommunications networks and the greater Internet. However, research into SDN security has focused disproportionately on the security of the control plane, resulting in the relative trivialization of data plane security methods and a corresponding lack of appreciation of the data plane in SDN security discourse. To remedy this, this paper provides a comprehensive review of SDN data plane security research, classified into three primary research domains and several sub-domains. The three primary research domains are as follows: security capabilities within the data plane, security of the SDN infrastructure, and dynamic routing within the data plane. Our work resulted in the identification of specific strengths and weaknesses in existing research, as well as promising future directions, based on novelty and overlap with emerging technology domains. The most striking future directions are the use of hybrid SDN architectures leveraging a programmable data plane, SDN for heterogeneous network security, and the development of trust-based methods for SDN management and security, including trust-based routing.

1. Introduction

Software-Defined Networking (SDN) is an approach to computer networking that divorces the control and data planes of a system, investing network intelligence in a centralized controller [1]. The controller directly manages network infrastructure through the definition of traffic forwarding rules that are typically based on the logical connections between nodes and are enforced network wide. The logic that the controller applies in defining these rules is entirely configurable by the network operator, affording significant flexibility in how networking is performed.
The programmability and flexibility of SDN, combined with the global view of the controller, creates the opportunity for novel approaches to routing for enhanced network security. This is keenly reflected in the diversity and depth of academic discourse in the last decade, investigating various applications of SDN in cyber security. However, SDN security research to date has focused disproportionately on the security of the control plane, and specifically of controllers. This trend is reflective of the apparent criticality of the controller, as the failure or compromise of the controller may pose a threat to the entire system.
Yet this focus on the security of the control plane has resulted in the relative trivialization of, and a corresponding lack of awareness of, research into SDN data plane security. This gap is made more problematic by the growing heterogeneity and functionality of the data plane in modern networks. This is reflected in an increasing number of physical and softwarized communications media, devices, protocols, middleboxes, and middleware, and in a clear move towards reintroducing statefulness and adding capability into the softwarized data plane. Together, these trends represent an increase in data plane complexity that poses new security and performance challenges that warrant greater investigation.
As a contribution to remedying the above issues, this paper provides an in-depth review of existing literature in SDN data plane security with a focus on emerging technologies. We highlight that there is already a body of high-quality research in SDN data plane security that exists and continues to grow. Additionally, we show that data plane security research has promising synergies with novel research in related technology domains, especially hybrid SDN, heterogeneous SDN (including Software Defined Wireless Networking (SDWN)), Internet of Things (IoT), and programmable data planes. These complementary technologies are foundational to the future of telecommunications and the Internet, adding substantial novelty and weight to our findings.
The structure of the paper is outlined in Figure 1 (below). Firstly, we describe the motivations for our research and the original contributions of this review. Then the paper provides a background to SDN and security for SDN as it is understood at the time of writing. This background includes a lightweight threat model for the SDN data plane to illustrate the current threat landscape. Our methodology is then outlined, including identification of the four research questions that we pose and answer in this work. Following this, an analysis of previous reviews on SDN security is provided, followed by a comprehensive literature review. Our review is structured according to the three primary domains of research that we identified: security capabilities within the data plane, security of the data plane infrastructure and dynamic routing within the data plane. These primary domains are then classified further into several sub-domains that relate to the specific themes identified in related security research. The paper then closes with a summary of our findings and discussion of directions for future research based on the findings of our review, with a brief conclusion.

2. Motivation and Contributions

This section addresses the motivations for this review and the contributions of this review to the state of the art for SDN security. Addressing our motivations highlights the relevance of the subject matter and the evident gaps in the discourse to date, which this review addresses. Furthermore, addressing our contributions identifies the specific original contributions that this review provides that are not addressed in the current discourse.
The motivation for this review stems from two important observations. The first observation is that the security of the SDN data plane has been the subject of diverse investigations for specific applications. These applications include novel security capabilities and the extension of SDN to emerging technology domains. The second observation is that existing SDN security research has failed to articulate the diversity of SDN data plane security methods and applications. These facts have resulted in the relative trivialization of SDN data plane security research, especially in contrast to SDN control plane security research. Importantly, to date there have been no comprehensive reviews of SDN data plane security, and therefore our review provides the first review of this type.
The contributions of this review are as follows:
  • We provide the first in-depth review of existing literature in SDN data plane security, encompassing over 300 relevant and high-quality sources.
  • We provide a detailed review of existing reviews, surveys, and equivalents into SDN security, classifying them based on the depth of their examination of SDN data plane security.
  • We provide a classification of existing SDN data plane security research into three (3) primary research domains and eleven (11) sub-domains.
  • For each domain and sub-domain, we identify research strengths and weaknesses, including gaps.
  • We provide a holistic analysis of the body of research to identify promising future directions for research.
  • Lastly, we identify and discuss the role of SDN in managing and securing the data planes of emerging technologies.

3. The Software-Defined Networking Data Plane

3.1. Software-Defined Networking

SDN is an approach to computer networking that separates the control and data planes of networks. By separating these planes and introducing a centralized controller, SDN achieves greater programmability and dynamism than traditional networks. Figure 2 shows the principal architectural planes of an SDN and its main interfaces. The operation of SDN is contingent on three elements: a controller, SDN infrastructure, and supported endpoints (e.g., servers, hosts). The first of these is the chief element of the SDN control plane. It orchestrates the operation of networks and network segments through interaction with the SDN infrastructure resident within the data plane. All forwarding rules in an SDN are defined by the controller, or in some instances by a network operator directly (e.g., pre-configured rules). The logic that the controller applies in this process is fully programmable by the network operator. This is performed using two interfaces: a Northbound Interface (NBI) connecting applications and supporting modules to the controller, and a Southbound Interface (SBI) connecting the controller to the SDN-enabled infrastructure by means of communication protocols such as OpenFlow [2,3]. This programmability (over the NBI) and subsequent configurability (over the SBI) is essential to the flexibility and decision-making power of SDN.
The SDN-enabled infrastructure refers to the switches and other network devices enforcing the forwarding rules defined by the controller. These elements are predominantly reserved for the movement of data around the network and hence they exist within (and enable) the data plane. This separation of functions is critical to the operation of SDN and enables sophisticated analysis and management of network traffic at the controller and the data plane infrastructure.
The final elements in an SDN are the endpoints, which may include servers, hosts, and any network node subject to the orchestration of the controller via forwarding rules at their supporting infrastructure (e.g., the switch an endpoint is associated with). For the purposes of this paper, endpoints and their links are incorporated into the data plane.
This model of SDN and the associated division of functions have both largely remained unchallenged in the literature, with the balance of new research focusing on evolution through innovative application (e.g., in network security and performance), rather than revolution of the model itself. The most fundamental changes to this model have emerged through data plane statefulness and programmability, as evidenced in projects such as the Programming Protocol-Independent Packet Processor (P4) language (see Bosshart et al. [4] for the original proposal and P4 Language Consortium [5] for the current project).

3.2. Data Plane Threats

Although the first specification for SDN dates from more than 15 years ago, the security threats to it are still being identified, mitigated, and discussed. Therefore, a current threat model for the SDN data plane is required to provide the necessary context for this review. In this context, a threat model is a generalized description of the types of threats that exist for current, OpenFlow-based SDN. This model can be extended to any system utilizing SDN infrastructure and is therefore also applicable both to hybrid networks (employing both SDN and traditional networking) and to heterogeneous SDN in a shared data plane.
Table 1 summarizes the threats to OpenFlow-based SDN that are currently known to exist for the components of the data plane, including switches, switch firmware, switch software, endpoints, and communication links. This summary is based on the work described in two seminal papers (see Rahouti et al. [6], Gao et al. [7]). It should be noted that these papers do not provide any consideration to differences in threats given the physical medium for communications links, for instance regarding wired, wireless, or heterogeneous SDN. We believe that this is largely due to current implementations of SDN using only wired connections, and security researchers typically being computer scientists rather than network engineers.

4. Methodology

4.1. Research Questions

Four Research Questions (RQs) have been defined to support the structure of this review and the discussion provided. The RQs are the specific questions this review addresses, and they support identification of the relative strengths and weaknesses of existing research, as well as the opportunities for future research. The RQs of this review are as follows:
  • RQ1. How may existing research into the security of SDN data planes be classified?
  • RQ2. Based on this classification, what are the strengths of this research?
  • RQ3. Based on this classification, what are the weaknesses of this research?
  • RQ4. Based on the identified strengths and weaknesses, what are promising future directions for research?
For convenience, the literature review (Section 5, Section 6, Section 7 and Section 8) is structured according to the classification framework we have developed for answering RQ1. Additionally, the research strengths (RQ2) and weaknesses (RQ3) are summarized at the end of each section of the review. For numbering the research strengths and weaknesses we use the notation RSTR and RWKN, respectively.

4.2. Paper Selection

Relevant literature was identified using a keyword search performed on online journal databases. The process for paper selection is summarized in Figure 3 below. As shown in Figure 3, databases and keywords were pre-selected. The chosen databases were IEEE Xplore, ACM Digital Library, and the academic search engine Google Scholar. A keyword search was used to identify relevant papers based on permutations of three keywords: SDN, security, and data plane (e.g., SDN security, SDN data plane, data plane security). The papers returned by this keyword search were then filtered based on their apparent relevance to the subject matter of this paper. Finally, the selected papers were reviewed in detail, and their references (reference lists) were also examined to identify other relevant papers.
As per RQ1, the review of the selected papers included a qualitative analysis to support classification of the papers based on their research themes. This classification yielded the three primary research domains that are employed in this paper: security capabilities within the data plane (Section 6), security of the data plane infrastructure (Section 7), and dynamic routing within the data plane (Section 8). Each of these domains is further classified into sub-domains that closely reflect the research themes of the original reviewed papers and seek to further classify them according to their applications. The domains and sub-domains will be discussed in further detail in the next section, which considers the structure of the review.
This paper provides the first comprehensive review of SDN data plane security research to date. To achieve this, the paper first considers existing relevant reviews. The relevance of reviews was determined based on three factors: their focus on SDN security, how the authors chose to characterize their research, and a determination of the degree to which the research addresses SDN data plane security. Following a survey of previous reviews, the paper will then examine research according to the three research domains identified, as shown in Figure 4. Each domain is further decomposed into sub-domains that classify the research based on their specific foci. In summary, the primary research domains and sub-domains provide the classification framework per RQ1.

5. Previous Reviews

5.1. Overview

The historical bias of SDN security research towards security of the control plane has resulted in the inadvertent neglect of novel security research for (and using) the SDN data plane. In this section, existing relevant reviews are identified and discussed. As such, we demonstrate that a comprehensive view of data plane security as we are providing in this paper is novel.
Table 2 summarizes the existing relevant reviews and equivalents we have surveyed. Reviews are ordered firstly by the topic of their review (Topic), which is our categorization of the primary research domain of the paper and may differ from the self-description provided by the authors. Secondly, reviews are ordered by year of publication (Year). For each review, the degree to which it addresses data plane security is identified. Papers that specifically address data plane security are identified with a full circle (●). Papers that partially or briefly address data plane security are identified with a partially filled circle (◉). Lastly, papers that do not meaningfully address data plane security are identified with an empty circle (○). The latter are included to highlight research gaps, especially in otherwise relevant reviews that address SDN, programmable data planes, and related technologies.

5.2. Data Plane Security

The authors of [8] present the first attempt at providing a general review of SDN data plane security. They appropriately characterize the diversity of data plane research and consider threats and attacks on the softwarized data plane, spanning SDN, stateful data planes, and programmable data planes. Their review is structured following the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) threat model and considers Confidentiality, Integrity, and Availability (CIA) and Authorization, Authentication, and Accountability (AAA) as attributes of the data plane which are impacted by attacks. This approach is limiting, as STRIDE is a reductive threat model, and the result is a narrow review with notable gaps. Specifically, from our understanding of the literature, we believe that the future research directions proposed in [8] have already been realized.

5.3. Stateful Data Plane

Other authors have examined the closely related topic of stateful data plane. Stateful data plane refers to the introduction of state awareness and broadly speaking, intelligence, into the data plane. This contrasts with the classical view of SDN, which employs a stateless data plane. Refs. [9,10] provide detailed reviews of stateful data plane security, with the authors in [9] contending that stateful data plane does not contradict the principles of SDN and is complementary from both a performance and security perspective. Finally, ref. [11] provides a recent and detailed review of stateful data plane. They consider the introduction of security capabilities into the data plane to both mitigate SDN security issues and extend the functionality of the SDN data plane.
Relatedly, in [12,13,14,15,16,17,18,53] the authors provide reviews of the security applications of P4. As a programmable data plane technology, P4 offers flexibility in the definition and implementation of data plane security functions. Ref. [12] provides a detailed review of security applications published to date, focusing on access control, privacy and encryption, availability, and integrated defense. A comparable review is provided in [13], with the addition of a STRIDE-based threat model. Ref. [14] provides a review on the evolution and challenges of both SDN and P4, identifying a range of security-specific challenges, including a lack of physical evaluation in the literature, low-rate attacks, and hybrid SDN architectures utilizing programmable data planes (see Figure 5). The latter is topical and will be revisited in this review. Refs. [15,16] provide reviews of programmable data planes generally. Ref. [15] considers performance, QoS, monitoring, reliability, and security. Ref. [16] examines new architectures for programmable data planes. Ref. [17] provides a detailed review of P4-based programmable data planes, focusing on programmable switches. Lastly, ref. [18] considers applications of P4, spanning networking and, briefly, security.

5.4. SDN Security

A range of reviews exist for cross-plane SDN security. Ref. [19] provides an early review of SDN security, focusing on OpenFlow. They identify several data plane threats and, interestingly, they characterize controller hijacking and controller compromise as data plane threats. Another early security examination of SDN is provided in [20]. They examine the advantages and disadvantages of SDN for security, identifying both threats and countermeasures, including for the data plane. A similar review is provided in [21], incorporating a STRIDE-based threat modeling exercise and identification of threats, attacks, and controls. Ref. [22] provides a general review of SDN security from an academic and industry perspective, identifying a range of potential attacks on SDNs and their mitigations. A narrow review is provided in [23], focusing on DDoS attacks in SDN. Another brief review of SDN security is provided in [24], summarizing critical SDN security issues and approaches to their mitigation.
Other general reviews are provided in [25,26,27,28,29]. Ref. [25] provides a general SDN security review, notably including significant consideration of SDWN. Ref. [26] provides a review of methods for the management, performance, and security of SDN flow tables in OpenFlow, especially for IoT. Ref. [27] is a general review of SDN security, focusing on both the control and data planes, incorporating a focus on SDN-based Network Function Virtualization (SDN-NFV). Another general review is provided in [28], with a useful view on threats to the SBI. A broad review is provided in [29], benefiting from a focus on both stateless and stateful data planes.
Recent reviews of SDN security are provided in [6,30,31,32,33,34]. Ref. [6] provides a detailed review of SDN security with a focus on addressing challenges in securing SDN communications and solutions. Ref. [30] examines security issues in SDN, considering the attack surface of the SDN architecture. Ref. [31] examines traditional security approaches, artificial intelligence (AI)-based approaches, and Moving Target Defense (MTD)-based approaches. Ref. [32] provides a review of the security of the SDN control plane, with a useful examination of threats to the SBI. Ref. [33] provides a brief review of SDN security, although they take a narrow view of the data plane. Lastly, ref. [34] provides a general review of security and privacy issues in SDN, the latter being comparably niche.
The flexible architecture of SDN has also attracted significant interest. Refs. [35,36,37,38] all provide reviews of SDN architecture. Refs. [35,36] examine cross-plane threats in SDN and consider how SDN may be architected to address those threats. Refs. [37,38] provide a limited view of security in the context of broader reviews of SDN architecture. All four reviews are apparently focused more on the control plane than the data plane, with relatively few data plane threats considered.

5.5. SDN

General reviews on SDN are provided in [39,40,41,42,43,44,45,46]. Ref. [39] focuses on SDN for carrier grade networking, considering network performance, scalability, interoperability, and security. Ref. [40] examines the history of programmable networking (up to 2014), with a focus on SDN and modest consideration of security. Ref. [41] provides an early and detailed review of SDN. A similar review is provided in [42], with additional detail on data plane devices, including switch types, open network hardware, and implementation of SDN on vendor switches. In contrast, ref. [43] does not consider the data plane in detail, despite following a ‘bottom up’ structure. Ref. [44] examines data planes and data plane security in detail, considering in-band and out-of-band SBI communication, network resilience, and a range of security threats. Lastly, refs. [45,46] provide reviews for SDN, focusing on networking and resilience.
As highlighted already, heterogeneous SDN is a topic of growing interest. A data plane that is some combination of wired and wireless communications is inherently more complex, presenting a broader attack surface and exhibiting a greater range of vulnerabilities (see Figure 6). As discussed already, ref. [26] examines the performance and security challenges of OpenFlow-based IoT. Ref. [47] presents a domain-specific review for SDN in Wireless Sensor Networking (WSN). Lastly, ref. [48] examines SDN applications in IoT; however, they also incorporate Edge Computing (EC), describing this new domain as SDIoT-Edge.
The programmability of SDN also provides the opportunity for greater application plane support in networking and security. Ref. [49] examines the network and security applications of ML in SDN, especially the detection and prevention of attacks on heterogeneous networks. A comparable review on ML applications in SDN is provided in [50]. Despite both reviews being relatively recent (2019), they do not examine stateful data planes or P4. Ref. [51] examines deep learning applications for SDN security, including a threat model and consideration of various data plane threats. Ref. [52] provides a curious review spanning traditional, AI/ML, and blockchain-based approaches to SDN security, although the breadth of the review limits insights for the SDN data plane. Lastly, ref. [53] provides an overview of AI-based security solutions in programmable networks, including IoT.
Finally, several other relevant reviews have been published, with varying examinations of data plane security. Refs. [54,55,56] all consider SDN-NFV. Ref. [54] provides a general review of SDN-NFV, primarily from a service and performance perspective. Refs. [55,56] consider placement of Virtual Network Functions (VNFs) in SDN, with security policies acting as inputs for optimal VNF placement. Ref. [57] also considers the application of NFV for securing SDN, focused on MTD. Ref. [58] provides a broad review of trends in programmable networking and considers applications of programmable networking in underrepresented domains, such as Operational Technology (OT). Ref. [59] provides a detailed review and classification approach for Denial-of-Service (DoS) and Distributed DoS (DDoS), spanning traditional networks, SDN, and virtual networks (predominantly NFV and SDN-NFV). Ref. [60] provides a review of a relatively niche domain: in-band control for SDN. In-band control refers to SDN deployment where the control and data planes share the same physical network.

5.6. Summary

In summary, it is evident that no comprehensive review of SDN data plane security has been conducted to date. Existing reviews have tended to be domain-specific (e.g., stateful data planes), have exhibited notable gaps (as per Table 3), or have been generalized to SDN holistically, which has resulted in a bias towards the security of the control plane, as previously noted.
Our review addresses the need for a comprehensive review of SDN data plane security. Per RQ1, we achieve this by classifying existing research into three research domains: security capabilities within the data plane (Section 6), security of the data plane infrastructure (Section 7), and dynamic routing within the data plane (Section 8). These domains are intentionally broad to provide an encompassing and accurate view of the current state of the art for SDN data plane security. The domains are further divided into sub-domains which represent the specific themes in the discourse and provide the opportunity for detailed examination of reviewed papers. In these respects, our review provides a detailed view of the security of the SDN data plane that has not previously existed.

6. Security Capabilities Within the Data Plane

6.1. Overview

The first of the three research domains to be discussed is security capabilities within the data plane. This domain relates to the introduction of new security capabilities to the SDN data plane that are enabled by the SDN construct or which build upon the capabilities offered by SDN; for example, as implemented in OpenFlow. This domain is further classified into three sub-domains that describe intra-data plane capabilities that have been applied to data plane security. The three sub-domains are: programmable data plane (including P4), NFV, and traditional security controls, as implemented in the softwarized data plane (i.e., SDN).
The classical SDN construct as defined in OpenFlow offers a stateless data plane. A stateless data plane lacks intelligence, lacks decision-making ability, and is limited in capability to a small set of forwarding functions; hence, it is sometimes referred to as the forwarding plane. Early in the history of OpenFlow, researchers recognized that introducing a higher degree of statefulness into the SDN data plane had potential for networking and security applications, hence the emergence of stateful data planes. Over time, the concept of stateful data planes has been subsumed into programmable data planes, encompassing the addition of greater capability into the data plane, including, but not limited to, statefulness. For convenience, the remainder of this review will use the more general term programmable data plane.

6.2. Programmable Data Plane

As noted, programmable data planes have already been the subject of substantial research interest and have previously been reviewed in [9,10,11] and to a lesser extent in [29,31]. Consistent themes emerge across these reviews. Firstly, there is a trend towards statefulness, intelligence, and greater programmability within the SDN data plane. These enhanced capabilities support reduction in the computational burden on the controller and reduce the performance overhead of SDN by reducing the north–south communication over the SBI. Secondly, greater statefulness, intelligence, and programmability lend themselves to the implementation of novel security capabilities intra-data plane. In this section, existing programmable data plane implementations are reviewed, and security applications of programmable data planes are also examined.
In Table 4, we summarize research investigating implementations and applications of programmable data planes for security. For papers reviewed, their application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
In the literature, four programmable data plane implementations are commonly referred to: FAST [62], OpenState [63], the Stateful Data Plane Architecture (SDPA) [64], and P4 [4]. Each implementation performs state definition, state storage, and state transitions (including removal) differently.
FAST and OpenState both utilize hash tables for state storage, although their methods of state transition and state removal vary. SDPA utilizes a set of three tables: a state table, a state transition table, and an action table, supported by a Forwarding Processor (FP). In SDPA, the FP maintains the state of flows and processes packets according to knowledge of current states and state transition policies defined by the network operator.
In contrast to the others, P4 is a high-level, target-independent language for specifying how data plane devices process packets. A P4 program is written against an architecture model that exposes a flexible parser, a match-action pipeline, and a deparser (see Figure 7); a target-specific compiler back end then maps the program onto the hardware or software switch. The programmer therefore does not hand-code device internals, although the chosen target still determines which externs, table sizes, and stateful primitives (e.g., registers, counters, meters) are actually available. Of the four programmable data plane implementations discussed, P4 has held the most enduring interest in programmable network security research and in programmable networking generally. However, none of the four implementations were designed with security as an explicit objective, and it has largely fallen to other researchers to build security applications atop the flexible data plane provided by these implementations.
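The three-table model described above for SDPA (state table, state transition table, action table) is easier to reason about when it is run over a concrete trace. The following Python model is an added example written for this review; it is not code from the SDPA, OpenState, or FAST projects, and the port-knocking policy, the constructed addresses, and the idle timeout are assumptions chosen for illustration. It shows the three things the paragraph says every implementation must do differently: define state (the transition and action tables below), store it (a per-source-IP state table inside the switch, with no controller involvement), and transition or remove it (on matching packets and on idle timeout). The policy is the classic stateful data plane demonstration: a source must send UDP to ports 1111, 2222, and 3333 in order before TCP/22 from that source is forwarded; any out-of-order packet resets the sequence.

```python
"""Toy model of an SDPA/OpenState-style stateful data plane pipeline.

Constructed example for this review; not code from the paper or from the
SDPA, OpenState, or FAST projects. All state lives in the switch: a per-flow
state table, an operator-defined state transition table, and an action table
that maps the resulting state to a forwarding action.
"""
from dataclasses import dataclass

DEFAULT_STATE = 0   # state assumed when a flow has no entry (stateless fallback)
OPEN_STATE = 3      # knock sequence complete; SSH from this source may pass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "udp" or "tcp"
    dst_port: int
    ts: float       # arrival time in seconds (constructed clock)


def event_of(pkt: Packet) -> tuple:
    """Event extraction: the pipeline matches only on (proto, dst_port)."""
    return (pkt.proto, pkt.dst_port)


# State transition table: (current_state, event) -> next_state.
# Any (state, event) pair not listed hits the wildcard rule and resets.
STATE_TRANSITIONS = {
    (0, ("udp", 1111)): 1,
    (1, ("udp", 2222)): 2,
    (2, ("udp", 3333)): OPEN_STATE,
    (OPEN_STATE, ("tcp", 22)): OPEN_STATE,
}
RESET_STATE = DEFAULT_STATE   # wildcard: a wrong knock restarts the sequence


def action_of(next_state: int, event: tuple) -> str:
    """Action table: only the post-knock SSH packet is forwarded; knocks
    themselves and everything else are dropped."""
    if next_state == OPEN_STATE and event == ("tcp", 22):
        return "forward"
    return "drop"


class StatefulPipeline:
    def __init__(self, idle_timeout: float = 30.0):
        self.idle_timeout = idle_timeout
        # State table. Lookup scope (the key) is the source IP; the value is
        # (state, last_seen), the timestamp being used for state removal.
        self.state_table: dict[str, tuple[int, float]] = {}

    def _lookup(self, key: str, now: float) -> int:
        entry = self.state_table.get(key)
        if entry is None:
            return DEFAULT_STATE
        state, last_seen = entry
        if now - last_seen > self.idle_timeout:   # state removal on idle timeout
            del self.state_table[key]
            return DEFAULT_STATE
        return state

    def process(self, pkt: Packet) -> str:
        """Run one packet through lookup -> transition -> update -> action."""
        key = pkt.src_ip
        current = self._lookup(key, pkt.ts)
        event = event_of(pkt)
        nxt = STATE_TRANSITIONS.get((current, event), RESET_STATE)
        self.state_table[key] = (nxt, pkt.ts)      # update scope: same key as lookup
        return action_of(nxt, event)


def run_trace(pipeline: StatefulPipeline, trace: list) -> list:
    """Process a constructed packet trace and return the per-packet actions."""
    return [pipeline.process(p) for p in trace]


if __name__ == "__main__":
    knock = [Packet("10.0.0.1", "10.0.0.9", "udp", 1111, 1.0),
             Packet("10.0.0.1", "10.0.0.9", "udp", 2222, 2.0),
             Packet("10.0.0.1", "10.0.0.9", "udp", 3333, 3.0),
             Packet("10.0.0.1", "10.0.0.9", "tcp", 22, 4.0)]
    print(run_trace(StatefulPipeline(), knock))   # drop, drop, drop, forward
```

Note that the controller is never consulted: the decision to forward TCP/22 is taken entirely from state held in the switch, which is the point of the stateful designs the reviews above discuss, and also the reason the state table itself becomes an asset to protect (an attacker who can fill or reset it attacks the security policy directly).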
P4 has attracted significant research interest for DoS/DDoS mitigation due to the programmability and performance it supports. Importantly, in the context of DoS/DDoS attacks, P4 switches support line rate packet processing, meaning it is feasible for a P4 switch to detect and block network attacks with manageable impact to benign network traffic. This presents the opportunity to perform DoS/DDoS defense in-network and in a distributed fashion. P4-based DoS/DDoS mitigation is examined in [65,66,67,68,69,70,71,72,73,74,75,76,77]. In [65,66], the authors propose three methods for P4-based mitigation of Transmission Control Protocol (TCP) Synchronization (SYN) floods in programmable data planes. Their methods are SYN cookies, SYN authentication, and SYN proxying. A similar solution is provided in [67], with added defense against Address Resolution Protocol (ARP) spoofing.
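To make the SYN cookie method concrete, the following is an added example (not code from this review or from [65,66,67]) that models in Python what a P4 switch would compute in its pipeline: the server encodes the connection state in the SYN-ACK sequence number instead of allocating a backlog entry, and only a client whose final ACK echoes a valid cookie gets a connection. The secret key, the MSS table, the counter values and the addresses are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed secret for this example; a real implementation would draw a fresh
# random key at boot and rotate it.
SECRET = b"example-syn-cookie-secret"

# The 3-bit MSS field can only encode an index into a small table of common MSS
# values, so the cookie remembers an approximation of the client's MSS.
MSS_TABLE = (536, 1220, 1440, 1460)

# How many counter ticks an ACK may lag behind before the cookie is rejected.
MAX_COOKIE_AGE = 4


def _hash24(saddr, sport, daddr, dport, counter):
    """Keyed hash of the 4-tuple and the time counter, truncated to 24 bits."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, counter & 0xFFFFFFFF)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, counter):
    """Build the SYN-ACK initial sequence number that encodes the connection state.

    Layout (classic SYN cookie): 5 bits of counter | 3 bits of MSS index | 24-bit hash.
    Nothing is stored on the server side, so a SYN flood cannot exhaust a backlog.
    """
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fitting[-1] if fitting else 0
    return (((counter & 0x1F) << 27) | (mss_idx << 24)
            | _hash24(saddr, sport, daddr, dport, counter)) & 0xFFFFFFFF


def check_cookie(saddr, sport, daddr, dport, ack, counter):
    """Validate the cookie carried in the client's final ACK.

    Returns the negotiated MSS on success, or None if the cookie is forged,
    stale, or does not match this 4-tuple.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    # The cookie only carries the low 5 bits of the counter, so try the current
    # counter and a bounded number of earlier ticks.
    for age in range(MAX_COOKIE_AGE + 1):
        c = (counter - age) & 0xFFFFFFFF
        if (c & 0x1F) == t and _hash24(saddr, sport, daddr, dport, c) == h:
            return MSS_TABLE[mss_idx]
    return None


def handshake_demo():
    """Walk a legitimate handshake, a forged ACK and a stale ACK through the checks."""
    client, server = bytes([203, 0, 113, 10]), bytes([198, 51, 100, 7])  # constructed
    cookie = make_cookie(client, 40000, server, 80, 1460, counter=1000)
    good = check_cookie(client, 40000, server, 80, cookie + 1, counter=1001)
    forged = check_cookie(client, 40000, server, 80, (cookie ^ 0x1) + 1, counter=1001)
    stale = check_cookie(client, 40000, server, 80, cookie + 1,
                         counter=1000 + MAX_COOKIE_AGE + 2)
    return {"good": good, "forged": forged, "stale": stale}
```

The design point the example makes is that the only per-connection memory is the secret key and the counter; everything else travels in the client's ACK, which is why a flood of half-open SYNs costs the defender nothing beyond the hash computation that a line-rate switch can afford.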
Moving away from TCP, ref. [68] proposes DoS/DDoS mitigation for User Datagram Protocol (UDP) attacks, specifically Amplified Reflection DDoS (AR-DDoS) attacks. Ref. [69] presents a unified DoS/DDoS attack detection scheme for TCP, UDP, and Internet Control Message Protocol (ICMP). Their solution provides real-time mitigation at line rate, QoS, and efficient flow table and control channel (SBI) utilization. A similar approach is presented in [70]. In contrast, ref. [71] presents a novel DDoS attack detection scheme based on P4-enabled SmartNICs (programmable NICs). Their scheme uses a cross-plane architecture, with detection, metadata, and feature extraction in the data plane.
Refs. [72,73] present solutions for mitigating volumetric DDoS attacks. Ref. [72] provides primitives that can be customized for the target network and extended to include new defenses. As per [72], the solution proposed in [73] is resource efficient and modular, utilizing mitigation building blocks and a flexible API to support defense strategies in the data plane. A comparable solution is proposed in [74], although focused on Link Flooding Attacks (LFAs).
A novel hybrid architecture is proposed in [75] for mitigating amplification DDoS attacks. Their architecture utilizes a software controller that provides instructions to data plane devices, and employs FPGAs for accelerated processing. The management of a programmable data plane by a centralized controller is curiously underinvestigated in the literature, but as demonstrated in [75], it can be employed to successfully manage a distributed security solution built atop a programmable data plane. A counterpoint is provided in [76], in which the authors provide a detailed analysis on DoS/DDoS mitigation using P4. They are critical of the long control loop of OpenFlow, citing the need for a strict time budget and switch memory efficiency in mitigating such attacks.
Ref. [77] presents a novel sketch data structure for programmable switches and implements it as part of an in-network DDoS victim identification strategy. Ref. [78] explores DDoS attack detection in programmable data planes. They present two strategies for flow cardinality and normalized network traffic entropy estimation implemented on P4 switches. Finally, ref. [79] examines the related issue of heavy-hitter detection. They identify several issues in managing heavy hitters and propose a heavy-hitter mitigation algorithm for P4 switches.
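The sketch-based victim identification and heavy-hitter detection described in [77,79] rely on the same primitive: a fixed-size approximate counter that a switch can update and query once per packet without per-flow state. The following added example (not code from this review or from those papers) implements a count-min sketch in Python and uses it to flag destination addresses whose estimated packet count in a window exceeds a threshold. The sketch dimensions, threshold and the packet stream are constructed for the example.

```python
import hashlib
import random


class CountMinSketch:
    """Fixed-size approximate counter: depth rows of width counters, one hash per row.

    Estimates never undercount; collisions can only inflate a count, which is
    why the minimum over rows is taken.
    """

    def __init__(self, width=1024, depth=4):
        self.width = width
        self.depth = depth
        self.table = [[0] * width for _ in range(depth)]

    def _index(self, row, key):
        # A keyed hash per row stands in for the independent hash functions a
        # switch would compute in its pipeline.
        h = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([row]))
        return int.from_bytes(h.digest(), "big") % self.width

    def add(self, key, count=1):
        for row in range(self.depth):
            self.table[row][self._index(row, key)] += count

    def estimate(self, key):
        return min(self.table[row][self._index(row, key)] for row in range(self.depth))

    def reset(self):
        for row in self.table:
            for i in range(self.width):
                row[i] = 0


class VictimDetector:
    """Per-window heavy-hitter detection keyed on destination address."""

    def __init__(self, threshold, width=1024, depth=4):
        self.threshold = threshold
        self.sketch = CountMinSketch(width, depth)
        self.candidates = set()

    def observe(self, dst):
        # One sketch update and one lookup per packet, with no per-flow state.
        self.sketch.add(dst)
        if self.sketch.estimate(dst) >= self.threshold:
            self.candidates.add(dst)

    def end_window(self):
        """Report the heavy hitters of this window and clear state for the next."""
        found = sorted(self.candidates)
        self.candidates.clear()
        self.sketch.reset()
        return found


def build_sample_traffic(seed=0):
    """Constructed stream: 5,000 packets to one victim and 4 packets to each of 500 other hosts."""
    victim = "198.51.100.7"
    packets = [victim] * 5000
    for i in range(500):
        packets.extend(["10.%d.%d.1" % (i // 256, i % 256)] * 4)
    random.Random(seed).shuffle(packets)   # interleave so the flood is not one burst
    return packets


def run_demo(threshold=1000):
    """Run one window of constructed traffic through the detector."""
    detector = VictimDetector(threshold)
    for dst in build_sample_traffic():
        detector.observe(dst)
    return detector.end_window()
```

The memory cost is width times depth counters regardless of how many distinct destinations appear, which is what makes the structure fit in switch registers; the price is that counts are overestimates, so the threshold should be set with the expected collision error in mind and candidates confirmed at the controller.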
The programmable data plane DoS/DDoS research discussed thus far has considered IP networks generally. However, these attacks are often domain-specific, taking advantage of protocol or operational weaknesses to degrade availability. A stark example of this is Telephony DoS (TDoS) and Telephony DDoS (TDDoS). In [80,81], the authors examine P4-based mitigation of Session Initiation Protocol (SIP) INVITE flooding, a telephony-specific DoS/DDoS attack. Their solution is proposed in [80] and built upon in [81], providing in-network mitigation of SIP INVITE floods using P4 switches, with central management by a software controller added in [81].
As discussed, programmable networking enables the integration of greater support from the application plane than is possible in a traditional network [49,50]. This holds true in programmable data planes, and authors have proposed various ML-based security applications, including for anti-DoS/DDoS. Refs. [82,83] examine ML-based pushback methods for DDoS mitigation. Pushback describes a method for throttling and filtering malicious traffic during a DDoS attack as close as possible to the source of the attack. Reference [84] proposes a DoS detection scheme that extracts relevant features from flow tables and uses a Back Propagation (BP) neural network to construct a classifier.
Conversely, ref. [85] provides a broader analysis and considers three scenarios: packet mirroring, header mirroring, and P4 metadata extraction, comparing the performance of different ML algorithms across the scenarios. Lastly, ref. [86] proposes a solution for detecting and defending against attacks on the programmable data plane, using attention mechanisms to enhance traffic processing and suspicious lists for source addresses of potential attackers. The processed data is then fed into a Convolutional Neural Network (CNN) to determine whether it constitutes attack traffic.
While DoS/DDoS attack identification and mitigation have attracted the most significant interest in the literature, authors have also proposed general-purpose Intrusion Detection Systems (IDS) and Intrusion Detection and Prevention Systems (IDPS) based on programmable data planes.
Ref. [87] proposes a hybrid IDS architecture for Industrial Control Systems (ICS) based on OpenFlow and P4. Their architecture is hybrid, using a P4 data plane and an SDN controller for orchestration. Ref. [88] presents a stateful and stateless IDPS based on a P4 data plane and the open source IDPS Snort. Ref. [89] proposes an IDS for detecting intra-data plane reconnaissance by attackers. Their solution takes inspiration from the algorithm proposed in [79] for improved hash tables and lookups. Ref. [90] implements a cross-plane solution for collaborative intrusion detection, running a classification model within the programmable data plane on P4 switches and using the P4Runtime API for integration to the control plane. Ref. [91] examines the problem of balancing network data compression and granular packet analysis for intrusion detection, proposing a P4-based packet-level feature extraction and pre-processing solution. Ref. [92] presents an anomaly detection method, implemented in P4. Their solution establishes a network baseline and periodically assesses actual behavior versus the baseline, raising alerts for violations.
ML-based IDS implementations using P4 switches are provided in [93,94]. Ref. [92] proposes the use of Binarized Neural Networks (BNN) for traffic classification and defense of the network edge, while ref. [94] proposes offloading of ML algorithms to the data plane to support different stages of intrusion detection (see Figure 8). In [95,96], the authors propose an AI/ML-based IDS using P4 which supports limited autonomy of network devices and both in-band and out-of-band analysis, using ML modules for confident classification. Refs. [97,98] examine intrusion detection and prevention in the programmable data plane for 6G. Ref. [97] highlights the ultra-low latency, high bandwidth, and dense device connectivity requirements of 6G, proposing an ML framework for real-time threat detection and mitigation built on a hybrid SDN architecture with a P4 data plane. Ref. [98] proposes a distributed IDPS paradigm based on ML and implemented in a programmable data plane. Ref. [99] proposes a distributed monitoring solution for the programmable data plane. Their solution extracts statistics from the data plane and performs ML-based monitoring and classification. Lastly, ref. [100] examines the problem of traffic classification for encrypted traffic and implements a two-phase traffic classification scheme using a combination of ML models.
Complementary to the security capabilities discussed so far, authors have also sought to implement DPI in the programmable data plane, taking advantage of the ability of programmable data plane technologies to perform granular operations at line rate. Ref. [101] examines traffic offloading, classification, and DPI using a programmable data plane. Ref. [102] introduces a method for performing efficient regular expression matching on payloads using network processors. Their solution provides flow-based DPI and packet accounting. Ref. [103] provides a P4-based DPI solution that extracts domain information from Domain Name System (DNS) queries and applies security policies on domains. Lastly, ref. [104] provides a novel approach to DPI, implementing URL filtering in P4 using a packet recirculation process.
Along with IDPS, authors have implemented both stateless and stateful packet filtering in the programmable data plane [105,106,107,108]. Ref. [105] provides an early investigation of security middleware programmed using P4. The authors propose a Layer 3 firewall, implemented in P4. The authors in [106] propose a novel hash-based stateful packet filter for efficient filtering of large flows. Ref. [107] proposes a P4-based firewall that utilizes SDN for management, including firewall placement. Finally, ref. [108] proposes a firewall for 5G based on P4 and NetFPGA hardware.
Authors have also proposed proactive defensive measures using programmable data planes. Refs. [109,110,111,112] examine anti-spoofing and implementation of Anti-Spoofing Mechanisms (ASMs) using OpenFlow and P4. Ref. [109] proposes a hybrid SDN architecture for anti-spoofing and anti-DoS/DDoS. Ref. [110] provides a comparative analysis of six IP address ASMs and implements them using P4 on NetFPGA SUME hardware Network Interface Cards (NICs). A novel ASM is proposed in [111], although it is explicitly focused on supplementing the weaknesses of the Duplicate Address Detection (DAD) protocol, part of the IPv6 Neighbor Discovery Protocol (NDP). Ref. [112] proposes a novel method based on hop count filtering using P4.
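Hop count filtering, the basis of the ASM in [112], infers how many routers a packet has traversed from its arriving TTL and compares that against a per-source table learned from legitimate traffic; a packet whose apparent hop count disagrees with the table is treated as likely spoofed. The following is an added example (not code from this review or from [112]) of that logic in Python, standing in for the register lookups a P4 program would perform. The initial-TTL set, the tolerance and the training records are constructed for the example.

```python
# Initial TTL values used by common operating systems; the sender's initial TTL is
# taken to be the smallest of these that is not below the observed TTL.
INITIAL_TTLS = (32, 64, 128, 255)


def infer_hop_count(ttl):
    """Estimate how many routers a packet traversed from its arrival TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range: %d" % ttl)


class HopCountFilter:
    """Per-source table of expected hop counts, learned from traffic known to be legitimate."""

    def __init__(self, tolerance=1):
        # A small tolerance absorbs route changes of a hop or so.
        self.tolerance = tolerance
        self.expected = {}

    def learn(self, src, ttl):
        self.expected[src] = infer_hop_count(ttl)

    def classify(self, src, ttl):
        """Return 'ok', 'spoofed' or 'unknown' (no entry for this source yet)."""
        expected = self.expected.get(src)
        if expected is None:
            return "unknown"
        if abs(infer_hop_count(ttl) - expected) <= self.tolerance:
            return "ok"
        return "spoofed"


# Constructed training records "src_ip ttl", as if exported from a switch during a quiet period.
TRAINING = """\
203.0.113.10 55
203.0.113.11 52
198.51.100.20 116
"""


def build_filter(records=TRAINING):
    """Populate the hop-count table from the training records."""
    flt = HopCountFilter()
    for line in records.splitlines():
        src, ttl = line.split()
        flt.learn(src, int(ttl))
    return flt


def run_demo():
    """Classify a genuine packet, a rerouted one, a spoofed one and an unknown source."""
    flt = build_filter()
    return {
        "genuine": flt.classify("203.0.113.10", 55),    # 9 hops, as learned
        "reroute": flt.classify("203.0.113.10", 54),    # 10 hops, within tolerance
        "spoofed": flt.classify("203.0.113.10", 114),   # 14 hops from a 128-TTL host
        "unknown": flt.classify("192.0.2.99", 60),
    }
```

The caveat a practitioner should keep in mind is that the table must be learned from traffic that is itself trustworthy, and that the method detects only spoofed packets whose TTL does not happen to match the impersonated host's hop count; it is a cheap first-stage filter rather than a complete defense.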
Anti-eavesdropping is investigated in [113,114,115,116]. Eavesdropping is a significant data plane threat that is traditionally mitigated through encryption. However, a programmable data plane offers the opportunity for adaptive methods in mitigating eavesdropping. Ref. [113] examines IP address obfuscation for anti-eavesdropping in a shared data plane, implemented in P4. Another anti-eavesdropping approach is provided in [114], utilizing the long prefix of IPv6 and encryption of the originating IPv4 address, implemented in P4 with an SDN controller for orchestration. Ref. [115] proposes an anti-eavesdropping method for the QUIC protocol, implemented in P4. QUIC is an encrypted-by-default transport protocol developed by Google and standardized in [150]. Lastly, refs. [116,117] implement eavesdropping protection based on multi-path forwarding, encryption of header metadata, and existing encryption methods.
Another proactive technique that has been implemented using programmable data planes is topology obfuscation (network anonymity). Ref. [118] presents a P4-based topology obfuscation method designed to mitigate DoS/DDoS attacks and specifically LFAs. They frame topology obfuscation as an optimization problem, allowing a tradeoff between security and usability (of the network). Ref. [119] provides P4-based network anonymity for in-network defense and eavesdropping protection based on source address transformation and path confusion using hop-by-hop routing.
Another network anonymity method is provided in [120], although in contrast to [119] their solution is policy-driven and provides an abstraction that the network operator uses to define anonymity policies.
The programmable data plane has also seen investigation of implementation of authentication methods, predominantly for network access control. Ref. [121] implements port knocking in P4. Port knocking refers to sending messages to a pre-agreed sequence of ports in order to authenticate. They built upon their work in [122], investigating both port knocking and the use of a One-Time Password (OTP) for lightweight edge authentication, implemented in P4. Ref. [123] also investigates port knocking based on P4, although their solution is hybrid and recruits the support of a Python 3-based controller.
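Port knocking in the data plane, as in [121,122,123], is a small state machine kept per source address: each packet to the next port in the agreed sequence advances the state, a wrong port resets it, and completing the sequence opens the protected port for a limited time. The following added example (not code from this review or from those papers) models that state machine in Python, with the dictionaries standing in for the per-source registers a P4 switch would index by a hash of the source address. The knock sequence, the protected port, the authorization window and the addresses are constructed for the example.

```python
KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed knock sequence
PROTECTED_PORT = 22
AUTH_WINDOW = 30.0                    # seconds a completed knock stays valid


class PortKnockFilter:
    """Per-source knock progress and authorization expiry, as a switch would hold in registers.

    process() returns the forwarding decision for one packet: 'forward' or 'drop'.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, protected=PROTECTED_PORT, window=AUTH_WINDOW):
        self.sequence = sequence
        self.protected = protected
        self.window = window
        self.progress = {}     # src -> number of correct knocks received so far
        self.authorized = {}   # src -> time at which the authorization expires

    def process(self, src, dport, now):
        if dport == self.protected:
            expiry = self.authorized.get(src)
            if expiry is not None and now < expiry:
                return "forward"
            return "drop"          # unauthenticated sources see the port as closed
        if dport in self.sequence:
            stage = self.progress.get(src, 0)
            if dport == self.sequence[stage]:
                stage += 1
            else:
                # Out-of-order knock: restart, counting this packet if it is the first knock.
                stage = 1 if dport == self.sequence[0] else 0
            if stage == len(self.sequence):
                self.authorized[src] = now + self.window
                stage = 0
            self.progress[src] = stage
            return "drop"          # knock ports never answer
        return "forward"           # all other traffic follows the normal policy


def run_demo():
    """Exercise the filter with a correct knock, an expired authorization and a wrong order."""
    flt = PortKnockFilter()
    good, bad = "203.0.113.10", "203.0.113.66"   # constructed sources
    results = {"before_knock": flt.process(good, PROTECTED_PORT, now=0.0)}
    for i, port in enumerate(KNOCK_SEQUENCE):
        flt.process(good, port, now=1.0 + i)
    results["after_knock"] = flt.process(good, PROTECTED_PORT, now=5.0)
    results["after_expiry"] = flt.process(good, PROTECTED_PORT, now=5.0 + AUTH_WINDOW)
    for i, port in enumerate((7000, 9000, 8000)):   # same ports, wrong order
        flt.process(bad, port, now=1.0 + i)
    results["wrong_order"] = flt.process(bad, PROTECTED_PORT, now=5.0)
    return results
```

Two details carry over directly to a switch implementation: the expiry time must be checked against the packet's own ingress timestamp rather than a controller clock, and the knock sequence is a shared secret that anyone observing the wire can replay, which is why [122] pairs it with a one-time password.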
Layer 2–4 encryption for the programmable data plane has seen some investigation in the literature. Ref. [124] proposes a flexible encryption system for reliable transmission in the data plane. Their solution employs a hybrid architecture, with an SDN controller for policy definition and network management and a P4 data plane. Ref. [125] also implements encryption in P4 switches, although they focus exclusively on the Advanced Encryption Standard (AES) and seek to provide security for in-network applications, which they argue is a weakness in earlier proposals. Ref. [126] implements Diffie–Hellman (DH) and AES on P4 switches to establish secure data plane communications.
Refs. [127,128] present related research from the same authors: the implementation of Media Access Control (MAC) Security (MACsec) in P4 and IP Security (IPsec) in P4, respectively. In both papers, the authors demonstrate the flexibility of P4 for supporting the extension of existing security protocols in a programmable data plane. Finally, ref. [129] implements cryptographic hashing using P4, proposing an extension of the P4 Portable Switch Architecture for three different data plane target platforms (CPU, NPU, and FPGA). They note the lack of support for both concurrent efficient processing of payload and cryptographic hash functions in P4.
In addition to the discrete security functions described already, authors have investigated the programmable data plane for holistic network defense. Ref. [130] examines attacks on the data plane, focusing on Dynamic Host Configuration Protocol (DHCP) starvation and spoofing, IP address spoofing, and ARP spoofing and poisoned routing. For each vulnerability, they provide a set of mitigations using P4. Ref. [131] implements a multi-faceted network defense based on a hybrid SDN architecture, including ML support for decision-making about network state, stateful encryption based on intent, and application-awareness. Ref. [132] proposes a multimodal network defense strategy that uses a hybrid architecture combining an SDN controller and P4 switches.
Monitoring of programmable data planes is examined in [133,134]. Ref. [133] proposes efficient monitoring of the programmable data plane using P4. Their system offloads tasks from the control to the data plane and performs monitoring in-network. Another approach for monitoring is provided in [134] based on attack graphs. Their solution generates attack graphs in the control plane, which are then translated into network rules using P4.
Ref. [135] provides an ML-based approach for attack detection and mitigation in programmable data planes. They use decision trees and logistic regression to identify decision boundaries at the controller site, which are then used to develop range compressed match-action table rules. Ref. [136] notes the emergence of topology poisoning attacks on SDN and P4. To address this, they propose a lightweight in-network solution that verifies source address details contained within protocol headers and uses a novel variance-based anomaly detection method. Ref. [137] discusses the premise of Intelligent Data Plane (IDP), referring to the deployment of AI and ML directly on data plane devices. Their solution uses data plane-aware model design and efficient model deployment in-network, running on P4 switches. Related work is provided by the authors of [138], who note limitations in P4 that make it difficult to implement ML models in-network. They propose a hybrid SDN solution that supports two layers of ML classification for attack detection in the data and control planes.
Ref. [139] proposes a hybrid architecture using an OpenFlow controller and a P4-based edge node for packet-over-optical network aggregation. Their solution provides traffic engineering, network security, precise forwarding, advanced network monitoring, and packet header customization for service differentiation. Ref. [140] provides a novel security framework and hybrid architecture based on OpenFlow with P4 switches.
Finally, a range of niche security applications have been proposed for or use the programmable data plane. Ref. [141] proposes a host-based agent to alert P4 switches to implement exclusionary routing rules. Ref. [142] proposes a security policy language for Bring-Your-Own-Device (BYOD) scenarios using hybrid SDN, enabling network operators to define security policies that are then compiled into P4 for implementation. The authors in [143] propose a solution for improving flow table look-up time in P4 switches with multiple forwarding tables. Their solution has evident utility in networks at risk of DoS/DDoS attacks. Ref. [144] examines covert channel defense in programmable data planes. Their solution preserves TCP performance while detecting and mitigating covert channels. Ref. [145] provides a method for modeling Explicit Congestion Notification (ECN) in the programmable data plane using P4. Their model supports stateful security monitoring and mitigation in the data plane using P4. Ref. [146] examines flow classification for ML-based security appliances. Ref. [147] proposes a novel Operating System (OS) fingerprinting method using P4. Their solution can fingerprint host OS types and react in real-time at line rate. Ref. [148] examines the security of file transfers in the data plane. Their solution is a novel packet parser architecture utilizing blockchain and implemented in P4. Finally, ref. [149] discusses the problem of heterogeneity in network resources as exposed by network devices. They present a framework for the deployment of disaggregated and decomposed network functions, implemented in a hybrid SDN.

6.3. Network Function Virtualization

NFV is conceptually related to SDN but refers specifically to the softwarization of network and security functions into software-defined middleboxes (sometimes referred to as Network Functions (NFs) or Virtual Network Functions (VNFs)). Being software-defined, the middleboxes are flexible in their definition and deployment. In the data plane, NFV supports the deployment of in-network capabilities that provide portable network and security functions. Despite the apparent flexibility it offers, NFV requires orchestration, and over the last decade authors have increasingly viewed SDN-based NFV (SDN-NFV) as a promising union of the two technologies. In this section, SDN-NFV implementations and applications for data plane security are reviewed.
In Table 5, we summarize research investigating applications of SDN-NFV for security. As per earlier tables, application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
The flexibility of the SDN-NFV construct has garnered interest for network management, performance, and security applications (see Figure 9 for a generalized view of the SDN-NFV architecture). Ref. [151] examines the problem of cost-based placement for SDN-NFV functions for DPI. Their solution deploys DPI engines as VNFs in the data plane. Ref. [152] examines SDN-NFV for user-specified secure routing. In their solution, users define their desired network functions and store them in a network service graph, with network path configuration using dynamic flow rule installation. In [153], the authors propose a network intrusion prevention solution based on SDN-NFV which provides two-layer traffic classification and DPI in the data plane, extended OpenFlow protocol messaging, and service chaining. Ref. [154] provides adaptive routing based on SDN-NFV. Their solution enables customization of routing services for different applications.
A comparable approach to [154] is presented in [155], focusing on SDWN. They provide service differentiation using transmission control and enable network operators and users to specify application and flow priorities. The authors argue their solution is appealing for securing hotspot architectures through the splitting of functions.
Deployment and management of middleware and softwarized middleboxes using SDN-NFV has also attracted substantial research interest. This reflects the portability of NFV, whose discrete functions are software-based, and the orchestration possibilities enabled by SDN, which are informed by its global view. Ref. [156] presents a novel data plane abstraction for Software-Defined Middleboxes (SDM). A similar approach is presented in [157,158], although implemented in OpenFlow. Their solution is a novel architecture that supports security services as a set of abstract actions which are translated into OpenFlow forwarding rules.
Refs. [159,160] examine SDN-NFV as security middleware for firewall and network deception (honeypots), respectively. Ref. [159] provides an NFV-based framework for firewall management in SDN. Their solution defines a high-level firewall policy language, determines optimal placement for the virtual firewalls, and then adapts virtual firewalls to changes in the VN. Ref. [160] examines SDN-NFV for network intrusion detection using efficient NFV-based honeypots, managed by the controller.
Lastly, recent research has investigated SDN-NFV applications in cellular communications. Ref. [161] examines the application of SDN-NFV using P4 for 5G networks. They consider traffic engineering, security, multi-tenancy, offloading, and telemetry implemented using VNFs and deployed in a hybrid architecture. In contrast, ref. [162] proposes a blockchain-based SDN framework for securing network transactions using SDN-NFV. Their solution aims to address the risk of man-in-the-middle (MITM) attacks between the control and data planes in SDN.

6.4. Post-Quantum Security

SDN has attracted recent and significant attention for quantum security methods, specifically the implementation of quantum cryptographic capabilities using SDN. This research interest reflects the flexibility and programmability that SDN affords, especially when paired with complementary technologies like NFV and programmable data plane. Quantum cryptographic capabilities provide resiliency to the quantum cryptanalysis that is enabled by quantum computers.
Ref. [163] provides the first example of a Quantum Key Distribution (QKD) solution implemented in SDN, specifically utilizing SDN-NFV for a secure optical network use case. Their SDN-QKD architecture supports time-sharing, with an SDN controller managing a set of QKD nodes that each run a (cryptographic) key server and QKD application. The authors built on their work in [164,165], although their solution did not change substantially. Another SDN-QKD solution is proposed in [166], specifically designed to secure the SBI against the threat of eavesdropping and MITM attacks.
Ref. [167], related to the work in [163,164,165], employs SDN-QKD to secure a fiber telecommunication network. Their implementation was based on a physical network spanning a several-kilometer area and demonstrates the effectiveness of SDN-QKD for establishing a quantum-secure channel between remote sites. They build on their solution in [168], which is implemented per the European Telecommunications Standards Institute (ETSI) Group Specification (GS) Quantum Key Distribution 015 (ETSI-GS-015) standard. Ref. [169] implements an SDN-QKD solution for real-time monitoring and controlling of a quantum-secure network, which takes advantage of hardware encryptors for performant and on-demand encryption and decryption. Refs. [170,171] also examine implementation of hardware encryptors for SDN-QKD use cases. Interestingly, they also note that the addition of encryption and decryption as implemented did not meaningfully impact latency during experimentation.
Ref. [172] examines SDN-QKD for 5G, utilizing a hybrid approach that uses classical and quantum key distribution to provide flexible security depending on computational complexity and relevant physical properties. Ref. [173] proposes an SDN-QKD architecture based on the ETSI GS QKD 014 standard, implementing SDN controllers and agents as Secure Application Entities (SAEs) per the standard. Another SDN-QKD architecture is proposed in [174], utilizing an application plane orchestrator integrated with an SDN controller. Lastly, ref. [175] presents another SDN-QKD solution based on the BB84 protocol. Their solution provides confidentiality, integrity, efficient key distribution, and network orchestration via the SDN controller. They also posit a ‘quantum layer’ in the SDN architecture.
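The key servers and QKD applications that the SDN-QKD architectures above orchestrate all sit on top of a protocol such as BB84. The following added example (not code from this review or from [163,164,165,166,167,168,169,170,171,172,173,174,175]) is a classical Python simulation of one BB84 exchange: Alice sends bits in random bases, Bob measures in his own random bases, the two sift out positions where bases agree, and a sampled subset of the sifted key is compared in the clear to estimate the quantum bit error rate (QBER). An intercept-resend eavesdropper raises the QBER to about 25 percent, which is the signal a key server would use to discard the key and a controller would use to stop provisioning it. The abort threshold of 11 percent is an assumption taken from the usual BB84 security bound; the qubit counts and seeds are constructed.

```python
import random

# Error rate above which the sifted key is discarded; ~11% is the usual BB84 bound
# for one-way post-processing (assumed threshold for this example).
QBER_ABORT_THRESHOLD = 0.11


def bb84_exchange(n_qubits, eavesdrop=False, seed=1, sample_every=4):
    """Simulate one BB84 round and return the sifted keys and the estimated QBER."""
    rng = random.Random(seed)
    # Alice: random bit and random basis (0 = rectilinear, 1 = diagonal) per qubit.
    alice_bits = [rng.randint(0, 1) for _ in range(n_qubits)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    channel = list(zip(alice_bits, alice_bases))

    if eavesdrop:
        # Intercept-resend: Eve measures in a random basis and forwards her result.
        # A wrong basis yields a random outcome, re-encoded in Eve's basis.
        resent = []
        for bit, basis in channel:
            eve_basis = rng.randint(0, 1)
            outcome = bit if eve_basis == basis else rng.randint(0, 1)
            resent.append((outcome, eve_basis))
        channel = resent

    # Bob measures each qubit in his own random basis; a mismatched basis gives a random bit.
    bob_bases = [rng.randint(0, 1) for _ in range(n_qubits)]
    bob_bits = [bit if b == basis else rng.randint(0, 1)
                for (bit, basis), b in zip(channel, bob_bases)]

    # Sifting over the classical channel: keep positions where Alice's and Bob's bases agree.
    sifted = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]

    # Publicly compare a sample of sifted bits to estimate the error rate; the sample is then discarded.
    sample = sifted[::sample_every]
    sample_set = set(sample)
    errors = sum(1 for i in sample if alice_bits[i] != bob_bits[i])
    qber = errors / len(sample) if sample else 0.0

    keep = [i for i in sifted if i not in sample_set]
    return {
        "sifted": len(sifted),
        "qber": qber,
        "aborted": qber > QBER_ABORT_THRESHOLD,
        "alice_key": [alice_bits[i] for i in keep],
        "bob_key": [bob_bits[i] for i in keep],
    }
```

Without an eavesdropper the sifted keys match exactly and the QBER is zero; with intercept-resend, roughly one sifted bit in four is wrong, so the exchange is aborted. In a real deployment the error estimate also absorbs channel noise, which is why the threshold is a bound rather than zero, and the surviving key still passes through error correction and privacy amplification before the key server hands it to the encryptors.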

6.5. Traditional Security Capabilities

The final family of intra-data plane capabilities that will be discussed is traditional security capabilities implemented in SDN. For the purposes of this paper, a traditional security capability is any detective, preventative, or mitigative security control or security function that is not based on NFV or a programmable data plane. Compared to programmable data planes and SDN-NFV, this is a niche subject and has been the subject of decreasing security research over time as NFV and programmable data plane technologies like P4 have gained popularity. However, SDN is a convenient method for managing distributed security capabilities in the data plane, and over the last decade researchers have examined how SDN can extend traditional security capabilities by taking advantage of the appealing features of SDN, including but not limited to the global view of the controller, dynamic management of forwarding tables, and well-defined APIs for programmatic network management.
In Table 6, we summarize research investigating traditional security capabilities implemented in the SDN data plane. As per earlier tables, application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
Software-Defined Firewall (SDF) is the implementation of a firewall in SDN. A simple packet-filtering firewall is relatively trivial in SDN, as the controller must decide on all mismatched packets. However, extending SDF introduces challenges related to performance and responsiveness.
Refs. [176,177] both investigate the feasibility of SDF. Ref. [176] configures OpenFlow switches to act as a distributed Layer 2/3 firewall by mapping addresses to ports and filtering traffic according to the flow rules defined. In [177], the authors propose an application-aware firewall as an extension to OpenFlow.
Relatedly, authors have examined SDN for novel approaches to DPI. DPI is challenging in SDN, as the network must preserve performance amid the introduction of any new security capabilities, which is complicated by the control loop of SDN and the limited functionality of the traditional (stateless) SDN data plane. Ref. [178] proposes a novel solution for DPI using in-network DPI proxy nodes, implemented in both hardware and software, for proxy selection and route planning.
In [179], the authors propose a QoS-aware traffic classification scheme using OpenFlow, providing both DPI and semi-supervised ML for traffic classification. Another ML-based approach is presented in [180] for DPI in OpenFlow SDN. Their solution performs early detection at flow level granularity and DPI at packet-level granularity for both encrypted and unencrypted traffic. In contrast, ref. [181] discusses SDN-based DPI for ICS use cases. They utilize an isolated SDN controller to perform DPI out-of-band.
DDoS mitigation has been broadly investigated using SDN, with both detection and enforcement typically being performed in the data plane. The former relies on parsing incoming network traffic and referring suspicious flows to the controller or a security solution. The latter is typically the routine match-action operation of the SDN but extended through dynamic rule definition. A key challenge in both cases is the ability of the SDN to perform these operations at line rate and without saturating the SBI or controller.
Ref. [182] provides an investigation into DDoS attacks on the SDN data plane, examining flow table sizes and table miss rates to demonstrate that attackers can maximize degradation and minimize attack rate, thereby reducing the likelihood of detection and mitigation. Ref. [183] examines attacks that rely on SBI congestion and proposes a statistical detection approach with lightweight mitigations (see Figure 10). A similar investigation is provided in [184], focusing on attacks that exploit table miss packets. Their solution is positioned between the controller and other control plane applications to protect both control and data plane resources.
Ref. [185] examines DDoS attacks in SDN using source IP address and various TCP attributes for mitigation of volumetric and application-based attacks. They use Shannon’s Entropy to calculate entropy in a fixed time window to identify anomalous traffic. A comparable method is provided in [186] for an Internet of Multimedia Things (IoMT) use case, with incorporation of a classification model for further analysis. Ref. [187] combines multiple entropy-based methods and performs data plane data collection using an open-source signature-based IDS to reduce network overhead. Analysis and detection improvement are performed using DL models.
A recent entropy-based method is also presented in [188]. The authors use a combination of source IP and specific TCP flags to calculate entropy for detecting traffic associated with volumetric and low-rate Layer 7 DDoS attacks. Another entropy-based DDoS detection mechanism is proposed in [189], focusing on TCP-SYN flood attacks.
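The entropy-based detectors in [185,186,187,188,189] share one mechanism: count the values of a header field (source IP, destination IP, TCP flags) over a fixed time window, compute Shannon entropy, and flag the window when the entropy moves outside its normal range, since a volumetric flood concentrates traffic on few destinations while spoofing spreads it over many sources. The following added example (not code from this review or from those papers) implements that windowed computation in Python over a constructed packet stream, together with the normalized entropy estimated in-switch by [78]. The window size, threshold and traffic mix are constructed for the example.

```python
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(counts):
    """Entropy in bits of the distribution given by a mapping value -> occurrences."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def normalized_entropy(counts):
    """Entropy divided by its maximum log2(distinct values), so it lies in [0, 1]."""
    distinct = len(counts)
    if distinct <= 1:
        return 0.0
    return shannon_entropy(counts) / math.log2(distinct)


def analyze_windows(packets, window=1.0, dst_threshold=3.0):
    """Group packets into fixed time windows and flag windows whose destination entropy collapses.

    packets: iterable of (timestamp, src_ip, dst_ip).
    Returns window_index -> {"src_entropy", "dst_entropy", "dst_normalized", "flagged"}.
    """
    src_counts = defaultdict(Counter)
    dst_counts = defaultdict(Counter)
    for ts, src, dst in packets:
        w = int(ts // window)
        src_counts[w][src] += 1
        dst_counts[w][dst] += 1
    report = {}
    for w in sorted(dst_counts):
        dst_h = shannon_entropy(dst_counts[w])
        report[w] = {
            "src_entropy": shannon_entropy(src_counts[w]),
            "dst_entropy": dst_h,
            "dst_normalized": normalized_entropy(dst_counts[w]),
            "flagged": dst_h < dst_threshold,
        }
    return report


def build_sample_traffic(seed=7):
    """Constructed stream: 10 one-second windows of even background traffic, plus a flood in windows 5-7."""
    rng = random.Random(seed)
    packets = []
    for w in range(10):
        # Background: 200 packets per window, spread evenly over 50 servers and 100 clients.
        for i in range(200):
            packets.append((w + i / 200.0, "10.0.0.%d" % (i % 100), "192.0.2.%d" % (i % 50)))
        if 5 <= w <= 7:
            # Flood: 2,000 packets to one victim from randomly spoofed sources.
            for i in range(2000):
                src = "%d.%d.%d.%d" % tuple(rng.randrange(1, 224) for _ in range(4))
                packets.append((w + i / 2000.0, src, "198.51.100.7"))
    return packets


def detect_attack_windows(packets=None, window=1.0, dst_threshold=3.0):
    """Return the sorted indices of windows flagged by the destination-entropy test."""
    if packets is None:
        packets = build_sample_traffic()
    report = analyze_windows(packets, window, dst_threshold)
    return sorted(w for w, r in report.items() if r["flagged"])
```

In the constructed stream the background windows have a destination entropy of log2(50), about 5.6 bits, while the flood windows fall below 1 bit, so a fixed threshold separates them; in practice the threshold is learned from a baseline of clean windows, and the source-entropy series is read alongside it, since a flood from spoofed sources raises source entropy at the same time that it lowers destination entropy.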
In contrast to the above, ref. [190] proposes a general control and data plane DoS attack detection solution. Their implementation contains a monitoring function based on PACKET_IN messages, a detection and localization function, a host defending function, and a switch defending function. In [191], the authors propose the use of deeply programmable packet-switching nodes to implement DoS mitigation. They implement three modes: DoS traffic filtering on the output interface, DoS traffic filtering on the input interface, and DoS attack redirection to a honeypot. A similar approach is provided in [192], in which the authors extend the functionality of the SDN data plane with modules for analyzing packets, performing traffic classification, and implementation of DoS countermeasures.
Ref. [193] proposes two DoS attack detection mechanisms. One mechanism is entropy-based, while the other is chi-square-based. In both instances, they rely on OpenFlow switch statistics to distinguish benign from malicious traffic. Ref. [194] proposes a novel table overflow attack for SDN, which exploits flow entry eviction mechanisms to pre-empt the flow entries of normal applications, resulting in performance degradation. To address this, they propose mitigation using table segmentation, a score-based eviction algorithm, and concept drift-based detection.
In addition to the above, a range of ML-based DoS and DDoS attack detection methods have been proposed using SDN. A DL-based method for DDoS detection is proposed in [195]. Their solution is largely control plane-based, only performing traffic collection and flow installation in the data plane. Ref. [196] examines two novel DDoS attacks targeting SDN. They propose a solution that collects network statistics from the data plane and performs ML-based classification in the control plane. They also implement honeypots in the data plane for redirecting attack traffic. Ref. [197] considers DDoS mitigation using data plane data sampling and ML support at the controller for classifying the sampled data.
Ref. [198] proposes a cross-plane security framework for OpenFlow SDN. They perform coarse-grained monitoring in the data plane for rapid anomaly detection and fine-grained hybrid DL-based classification in the control plane. Ref. [199] provides a general discussion of SDN-based approaches to DDoS mitigation and classifies approaches into statistical and policy-based defense, machine-learning based defense, and application-specific defense. Ref. [200] proposes a multifaceted method for detecting DoS attacks in the SDN data plane. Their solution extracts relevant features from flow information and they provide a performance comparison of three algorithms, SVM, neural network, and Naïve Bayes, with the latter two demonstrating the greatest accuracy.
Ref. [201] presents a comprehensive evaluation of several ML techniques for the mitigation of DDoS attacks in SDN and SDN in 5G. Based on classical ML performance measures, SVM performed best. Another DL-based method for DDoS detection in SDN is proposed in [202]. Particle Swarm Optimization (PSO) is used for feature selection, with optimal features given as inputs to the DNN to perform classification. A DL-based method for detecting attacks in the data plane is proposed in [203]. They perform pre-processing of the dataset prior to classification to improve performance and increase accuracy.
In [204], the authors propose a source-IP-agnostic DDoS traffic classification and filtering scheme. Their solution identifies packet signatures via supervised ML and then generates signature-based filtering rules. Ref. [205] proposes a hybrid DDoS attack detection scheme. Their scheme is cooperative and cross-plane, using a coarse-grained entropy-based detection module deployed on edge switches and a precise attack detection module deployed at the controller. Ref. [206] provides a hybrid statistical method for DDoS attack detection using second order correlation coefficient techniques based on entropy. Ref. [207] proposes a two-level DDoS attack detection method based on information entropy and DL. Lastly, another DL-based method is proposed in [208], although it is focused on attacks on both the control and data planes. For the control plane, they use a DL model with features extracted from traffic statistics. For the data plane, they use a combination of traffic metadata and switch statistics.
There has been recent and growing interest in low-rate DoS and DDoS attacks on the SDN data plane. These attacks are domain-specific in that they take advantage of knowledge of the operation of the SDN, especially the OpenFlow protocol.
In [209], the authors propose a low-rate DoS attack that computes the lower bound of attack rates to overflow flow tables based on inferred network configurations. Their attack uses a probing phase to learn the network configuration and an attacking phase to install malicious rules on target switches. The authors expanded on their work in [210] with additional evaluation.
Ref. [211] proposes a mitigation for low-rate DoS attacks targeting TCAM in SDN switches. Their solution has three modules: a monitor, a ranker, and a mitigator. The authors published comparable solutions in [212,213,214,215]. Ref. [212] proposes a low-rate DoS attack mitigation scheme based on ML, with attack detection, feature extraction, and mitigation. Ref. [213] is similar, with the addition of a rule-prediction module for monitoring rule numbers in tables and making real-time predictions for threshold-based detection of attacks. Refs. [214,215] examine the same problem, utilizing novel methods based on different ML models for attack classification and mitigation (Random Forest and LightGBM-LR, respectively).
Ref. [216] proposes an ML-based mitigation method for low-rate DoS attacks, specifically table overflow attacks. Their method uses a detection module that monitors flow properties, identifies malicious flows, and then blacklists malicious addresses. Another ML-based approach is presented in [217]. Their solution extracts flow features from flow information in the data plane and aggregates them into a current time graph model. They then utilize graph neural networks to perform graph anomaly detection and flow entry classification. Mitigation is performed by deleting malicious flows and blocking attackers. Lastly, ref. [218] proposes an ensemble learning-based ML method for detecting and mitigating low-rate DoS attacks in SDN.
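The flow table overflow attacks of [209,210] and the table-occupancy monitoring of [211,213,216] rest on a simple relation between table capacity, idle timeout and attack rate. The following Python model is added for this review and is not taken from any of the cited works. It derives the lower bound rate × idle_timeout + legit_entries ≥ capacity for an attacker whose flows are single-packet (so each entry lives exactly one idle timeout), simulates an OpenFlow table with idle-timeout eviction to confirm the bound, and reports the fraction of single-packet entries, a flow property that detectors in the style of [216] can monitor. Capacity, timeout and rates are constructed values.

```python
import math


def min_attack_rate(table_size, idle_timeout, legit_entries):
    """Lower bound on fresh malicious flows per second needed to keep the table
    full, from rate * idle_timeout + legit_entries >= table_size. Assumes each
    malicious entry is never refreshed and legitimate occupancy is steady."""
    free = max(table_size - legit_entries, 0)
    return math.ceil(free / idle_timeout)


class FlowTable:
    """Toy model of one OpenFlow flow table with idle-timeout eviction."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.entries = {}   # match -> {"last": last packet time, "pkts": count}
        self.rejected = 0   # installs refused because the table was full

    def expire(self, now):
        stale = [m for m, e in self.entries.items()
                 if now - e["last"] >= self.idle_timeout]
        for m in stale:
            del self.entries[m]

    def packet(self, match, now):
        """A packet for `match` arrives: a hit refreshes the entry; a miss
        models PACKET_IN plus rule install, refused if the table is full."""
        e = self.entries.get(match)
        if e is not None:
            e["last"], e["pkts"] = now, e["pkts"] + 1
            return True
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[match] = {"last": now, "pkts": 1}
        return True

    def single_packet_fraction(self):
        """Share of entries that never saw a second packet: high under attack."""
        if not self.entries:
            return 0.0
        return sum(1 for e in self.entries.values() if e["pkts"] == 1) / len(self.entries)


def simulate(capacity, idle_timeout, legit_entries, attack_rate, seconds):
    """Discrete 1 s steps. Legitimate flows are long-lived and refreshed every
    step; the attacker injects `attack_rate` fresh single-packet flows per step.
    Returns the first second the table is full (None if never), peak occupancy,
    refused installs, and the final single-packet fraction."""
    table = FlowTable(capacity, idle_timeout)
    first_full, peak = None, 0
    for t in range(seconds):
        table.expire(t)
        for i in range(legit_entries):
            table.packet(("legit", i), t)
        for j in range(attack_rate):
            table.packet(("atk", t, j), t)   # unique match per injected packet
        peak = max(peak, len(table.entries))
        if first_full is None and len(table.entries) >= capacity:
            first_full = t
    return {"first_full": first_full, "peak": peak, "rejected": table.rejected,
            "single_packet_fraction": table.single_packet_fraction()}


if __name__ == "__main__":
    bound = min_attack_rate(1000, 10, 200)
    print("minimum rate:", bound)
    for rate in (bound - 30, bound, bound + 20):
        print(rate, simulate(1000, 10, 200, rate, 30))
```

With a 1000-entry table, a 10 s idle timeout and 200 long-lived legitimate entries, 80 new flows per second are enough to hold the table at capacity indefinitely, a rate that is invisible to volumetric thresholds. The single-packet fraction settles at 0.8, which is the kind of per-entry property that [216] and [217] exploit; note that an attacker can blunt it by sending a second packet per flow just before the timeout, at the cost of doubling the rate.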
With obvious complementarity to SDF and SDN-based DoS/DDoS mitigation, SDN-based intrusion detection and prevention has attracted research interest. Ref. [219] proposes a set of programmable abstractions for the SDWN data plane, which model the fundamental aspects of wireless networks and, most relevantly, provide abstractions for network monitoring and network reconfiguration. Their solution relies on agents distributed throughout the data plane on centrally managed APs.
Refs. [220,221] examine IDPS for wired SDN. Ref. [220] investigates data plane security using DNN-based network intrusion detection. They implement an SDN-based IDPS for performing early mitigation of DoS/DDoS attacks and other attacks based on timely anomaly detection and mitigation within the data plane. In contrast, the authors in [221] consider the efficacy of cloud-based IDPS using a combination of ML methods with an in-network IDS performing anomaly detection and the routing of suspicious flows back to a secondary IDS for deeper analysis using a signature-based method. Lastly, ref. [222] proposes a real-time anomaly detection architecture using Security Information Event Management (SIEM) and ML for traffic classification.
Relatedly, authors have implemented novel methods for traffic classification in SDN. Ref. [223] proposes a DL-based traffic classification solution for home gateways. Their solution supports management of distributed devices and supporting controllers in the core network, providing QoS based on traffic monitoring and resource allocation. Another DL-based traffic classification solution is proposed in [224]. The authors note that the increase in Internet traffic complexity is challenging to current port-based and DPI approaches. Their solution uses a cross-plane SDN approach, with extraction of traffic information from the data plane and monitoring, classification, and other functions in the control plane. Lastly, ref. [225] investigates ML-based traffic classification for SDN, primarily for QoS and network performance.
In addition to firewall, DoS/DDoS mitigation, and IDPS, researchers have implemented a range of other traditional security capabilities using SDN, although the level of research interest has been modest in comparison to the former. Ref. [226] presents a novel OpenFlow-based approach for Virtual Local Area Network (VLAN) tagging. The authors provide both the architecture and implementation of their solution for a heterogeneous SDN. While OpenFlow has VLAN support, SDN-based VLAN for data plane security is underinvestigated in the literature. Ref. [227] examines privacy preservation for Device-to-Device (D2D) communication and caching strategies for maintenance of QoS/QoE. Their SDN-based solution calculates node importance according to information requests and encounters collected by SDN switches, which enables base stations to make decisions based on historical information. Lastly, ref. [228] focuses on mitigating fingerprinting attacks in SDN. The authors propose a probabilistic scrambling strategy to mitigate fingerprinting attacks by hiding network and node information.
Ref. [229] provides a general study of threats and attacks in SDN. They examine defenses of SDN and posit the main techniques as access control, traffic monitoring, key management, identity authentication, and others. Ref. [230] examines the application of Federated Learning (FL) in multi-controller SDN. They consider FL for addressing data plane vulnerabilities, including misuse and malicious activities.
Ref. [231] introduces the concept of shadow controllers for cross-plane security. The shadow controller responds to malicious probing in place of the actual controller and their framework adopts both reactive and proactive approaches, leveraging MTD through IP and port shuffling.
In [232], the authors examine Identity-Based Cryptography (IBC) for security in SDN. They propose the use of IBC for securing both east–west (inter-controller) and SBI communication. Noting this, their solution is multi-domain capable and supports multi-controller architectures. Another SDN-based encryption technique is proposed in [233], who posit the use of ECDH and AES encryption for SDN to prevent eavesdropping and MITM.
Ref. [234] examines ARP spoofing in OpenFlow-based SDN. They propose an anti-ARP spoofing solution implemented solely in the data plane through an extendable and customizable software architecture. Finally, ref. [235] proposes a security framework for SDN based on blockchain. They adopt a multi-controller architecture that uses LLDP to obtain link state information which is used to establish a Merkle tree. Signatures are generated for each link and network changes are recorded on the blockchain, providing consistency among controllers.

6.6. Summary

The programmability of the SDN data plane supports a range of security capabilities, both novel and inherited from traditional networks. As demonstrated, there is a focus on availability, which is reflective of the criticality of the control plane and the perception of the controller as a single point of failure. This also correlates with a focus on DoS and DDoS attacks as the (perceived) chief threat to SDN. These attacks take advantage of SDN’s dependence on the controller and specific technical limitations of SDN, such as the long control loop.
With the emergence of programmable data planes, various authors have posited the relative advantages of stateful and programmable data plane infrastructure, which can implement performant primitives to realize security capabilities at line rate and without dependence on a controller for decision-making. This growing interest is associated with a strong critique of the centralized model of SDN. However, there are also disadvantages to the decentralized model offered by programmable data planes, such as the lack of a global view, the loss of central programmability, the loss of well-defined cross-plane interfaces, and the lack of convenient network orchestration. Recently, researchers have recognized the value of hybrid SDN architectures, combining the functionality of a programmable data plane with central management and orchestration by an SDN controller. This hybrid approach is a promising future direction for SDN security research.
Finally, other notable gaps remain for this domain (see Table 7). They include security for in-network controllers (especially in multi-controller architectures), attacks on P4 switches, and software security for SDN (especially in a programmable data plane).

7. Security of the Data Plane Infrastructure

7.1. Overview

The second of the three research domains to be discussed is security of the data plane infrastructure. This domain concerns research that seeks to secure the components of the SDN data plane, including forwarding devices (routers and switches), communications links, and participating hosts (refer to Table 1). Research in this domain is further classified into the following sub-domains: device compromise, forwarding anomaly detection, and secure southbound communication (i.e., security of the SBI).
With the strong separation of planes introduced in SDN, the data plane may superficially appear to become a less appealing target for attackers in favor of the control plane. However, as will be demonstrated in this section, compromise of the data plane is as dangerous as compromise of the control plane. This is because a compromise of the data plane may be opaque to the controller and the network operator, especially in the absence of a specialized security control or other mechanism to detect violations of network and security policy in the data plane. Additionally, an attacker that has insight into the SDN protocol(s) in use may exploit or fabricate southbound messaging to obfuscate their actions in the data plane and establish persistence. This section will show, through a detailed review of relevant literature, that security of the data plane is essential to the security of SDNs but is complicated by advanced domain-specific threats.

7.2. Device Compromise

While SDN limits the capabilities of the data plane predominantly to forwarding and interaction with the controller, it also introduces new primitives and other vectors that may exhibit vulnerability or be the target of attack. For the purposes of this paper, this is broadly described as device compromise and relates to the compromise of forwarding devices, specifically SDN-enabled routers and switches. The risk of device compromise is arguably compounded by the lack of ‘intelligence’ in the stateless data plane of classical SDN, which is inherently unable to detect anomalies. Authors have therefore proposed various methods both to detect device compromise in the data plane and to increase the resiliency of the data plane itself, the latter being well-reflected in the literature reviewed earlier (see Section 5).
In Table 8, we summarize research investigating device compromise in the SDN data plane. As per earlier tables, application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
OpenFlow natively lacks security features; arguably the most detrimental omission is any method for attesting to appropriate switch behavior or to switch security and trustworthiness. An unmodified OpenFlow SDN has no method for detecting malicious switch behavior, and therefore the ability to detect switch compromise is essential. This has manifested in several novel methods for identifying, preventing, and mitigating switch compromise [236,237,238,239,240,241,242,243,245].
In [236], the authors provide a classification of attacks on SDN switches. They consider the potential malicious actions possible through a compromised switch, such as incorrect forwarding, duplicated forwarding, packet manipulation, and malicious weight adjustment (see Figure 11). To address these attacks, the authors propose an anomalous forwarding detection method and weighting detection to identify unexpected ratios in dispatched packets. The problem of compromised switch detection is also explored in [237], with an added focus on localization and mitigation. They propose three complementary techniques: active probing, statistical checking, and packet obfuscation.
Out-of-band audit methods have been proposed in [238,239]. In [238], the solution employs a multi-controller architecture with a secondary controller that performs audits of network update events. In [239], the authors propose a novel attack based on manipulating flow-table timeout values and a detection method using a global flow table for audit purposes. Ref. [240] investigates DoS/DDoS attacks in SDN, with the authors demonstrating that by manipulating the timeout values of flows on SDN switches, an attacker can prompt spurious messages over the SBI, resulting in resource exhaustion.
An IPS for the SDN data plane is proposed in [241]. The authors highlight detection and mitigation of device compromise as research gaps. To address this, they propose their IPS, which uses an unsupervised trajectory-based sampling mechanism that computes expected versus actual packet trajectories and identifies anomalous forwarding devices.
Methods for real-time detection of compromised SDN switches are proposed in [242,243]. Ref. [242] proposes a method using predictive analysis to perform accurate classification of anomalous SDN switch behavior. Building on their work in [242], the authors in [243] propose a stochastic Recurrent Neural Network (RNN) variant of multivariate time-series-based anomaly detection for detection of compromised switches.
Ref. [244] proposes a novel method for the detection of flow table integrity violation in OpenFlow, including localization of compromised switches. Their solution detects the unauthorized addition, modification, and removal of forwarding rules by utilizing the cookie field of each OpenFlow flow entry to carry a digest value computed over that entry.
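The cookie-digest idea of [244] can be shown end to end. The following Python example is added for this review and is not the implementation of [244]: it canonicalizes the integrity-relevant fields of a flow entry, places a 64-bit truncated digest in the cookie, and audits a flow-stats dump from the switch against the controller's own record to classify unauthorized additions, modifications and removals. One hardening is ours rather than the paper's: the digest is a keyed HMAC under a secret held only by the controller, so a compromised switch cannot recompute valid cookies for rules it forges. The key, rules and the tampered dump are all constructed.

```python
import hashlib
import hmac
import json

# Assumption of this example: a secret held by the controller and never sent
# to switches. Without a key, a switch that can modify its table could also
# recompute a plain digest for the modified entry.
CONTROLLER_KEY = b"constructed-demo-key-do-not-reuse"
COOKIE_MASK = (1 << 64) - 1


def canonical(entry):
    """Deterministic serialization of the fields whose integrity we care about."""
    core = {k: entry[k] for k in ("table_id", "priority", "match", "instructions")}
    return json.dumps(core, sort_keys=True, separators=(",", ":")).encode()


def cookie_for(entry, key=CONTROLLER_KEY):
    """HMAC-SHA256 truncated to 64 bits, the width of the OpenFlow cookie field."""
    tag = hmac.new(key, canonical(entry), hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big")


def entry_key(entry):
    """Identity of a rule for audit purposes: table, priority and match."""
    return (entry["table_id"], entry["priority"], json.dumps(entry["match"], sort_keys=True))


def install(controller_view, entry):
    """Controller-side install: stamp the cookie and record the stamped rule."""
    stamped = dict(entry, cookie=cookie_for(entry))
    controller_view[entry_key(entry)] = stamped
    return stamped


def audit(controller_view, switch_table, key=CONTROLLER_KEY):
    """Compare a flow-stats dump from the switch with the controller's record.
    Returns entry keys that were added without authorization, modified in place
    (cookie no longer matches the entry), or removed."""
    report = {"added": [], "modified": [], "removed": []}
    seen = set()
    for e in switch_table:
        k = entry_key(e)
        seen.add(k)
        expected = cookie_for(e, key).to_bytes(8, "big")
        valid = hmac.compare_digest((e["cookie"] & COOKIE_MASK).to_bytes(8, "big"), expected)
        if k in controller_view:
            if not valid:
                report["modified"].append(k)
        else:
            # Unknown to the controller: forged, or a replay of an old valid rule.
            report["added"].append(k)
    report["removed"] = [k for k in controller_view if k not in seen]
    return report


def demo():
    """Constructed scenario: three rules installed, then a compromised switch
    redirects rule 2, deletes the telnet drop rule and adds a mirroring rule."""
    view = {}
    rules = [
        {"table_id": 0, "priority": 100, "match": {"in_port": 1, "ipv4_dst": "10.0.0.2"},
         "instructions": [{"output": 2}]},
        {"table_id": 0, "priority": 100, "match": {"in_port": 2, "ipv4_dst": "10.0.0.1"},
         "instructions": [{"output": 1}]},
        {"table_id": 0, "priority": 200, "match": {"tcp_dst": 23},
         "instructions": [{"drop": True}]},
    ]
    installed = [install(view, r) for r in rules]
    tampered = dict(installed[1], instructions=[{"output": 3}])   # old cookie kept
    rogue = {"table_id": 0, "priority": 300, "match": {"tcp_dst": 22},
             "instructions": [{"output": 3}], "cookie": 0}
    switch_dump = [installed[0], tampered, rogue]
    return audit(view, switch_dump), [entry_key(r) for r in rules], entry_key(rogue)


if __name__ == "__main__":
    print(demo()[0])
```

Two caveats a practitioner should keep in mind. The audit trusts the switch's flow-stats reply; a switch that forwards maliciously while reporting its original table truthfully is not caught here, which is why [244] pairs the digest with localization and why the forwarding verification methods of Section 7.3 are complementary. Second, a digest over the entry alone does not prevent replaying a rule that was valid earlier; folding a per-rule version or install epoch into the canonical input closes that gap.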
In contrast, ref. [245] examines P4 switch compromise. The authors provide a novel threat model focused on flow table modification in P4 data planes and examine the manipulation of flow rules via switch compromise. To mitigate the threat of flow table manipulation, they propose a detection framework that utilizes backtracking of flows, as well as defining a fuzzy rule-based mitigation. Curiously, the security of P4 switches is underinvestigated in the current literature.
A related area of research is packet injection in the data plane. Packet injection is a significant threat, as OpenFlow does not provide any inherent security against malicious OpenFlow messages.
Packet injection is investigated in [246,247]. In [246], the authors posit a novel packet injection attack. By inserting spurious packet header information in PACKET_IN OpenFlow messages, an attacker can force a victim controller to generate a ‘ghost topology’ of non-existent devices. To mitigate this attack, the authors propose a method for inspecting and filtering PACKET_IN messages. Another mitigation for packet injection attacks is proposed in [247], focusing on packet injection attacks launched from a compromised data plane. Their solution inspects PACKET_IN messages on the SBI and retains a database to store host and switch information.
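The defenses in [246,247] both amount to a stateful filter in front of the controller's topology and host discovery logic. The following Python example is added for this review and is not the implementation of either paper. It keeps the host-location and link-port database that [247] describes, and applies three checks to incoming PACKET_IN events: LLDP frames are accepted only if they carry a nonce the controller itself issued for an outstanding probe, host locations are never learned from ports verified to face other switches, and a known host appearing at a new location is quarantined rather than silently moved. The nonce-stamped probe is an assumption of this example, not a feature of OpenFlow; datapath identifiers, ports and MAC addresses are constructed.

```python
LLDP_ETHERTYPE = 0x88CC


class TopologyGuard:
    """Controller-side filter for PACKET_IN events that feed host and link
    discovery. Assumes the controller stamps each LLDP probe it emits with an
    unpredictable nonce (an assumption of this example)."""

    def __init__(self):
        self.host_location = {}   # eth_src -> (dpid, port) where the host was learned
        self.link_ports = set()   # (dpid, port) pairs verified to face another switch
        self.outstanding = {}     # nonce -> (dpid, port) the probe was sent from
        self.quarantine = []      # events held back for out-of-band verification

    def issue_probe(self, dpid, port, nonce):
        """Record a probe the controller is about to send out of (dpid, port)."""
        self.outstanding[nonce] = (dpid, port)

    def handle(self, msg):
        """msg mimics what a controller reads from a PACKET_IN: datapath id,
        ingress port and the parsed Ethernet header. Returns a disposition."""
        here = (msg["dpid"], msg["in_port"])
        if msg["eth_type"] == LLDP_ETHERTYPE:
            return self._handle_lldp(msg, here)
        src = msg["eth_src"]
        if here in self.link_ports:
            # Transit traffic from a verified inter-switch port: forward as
            # policy dictates, but never create a host binding from it.
            return "transit-no-learn"
        known = self.host_location.get(src)
        if known is None:
            self.host_location[src] = here
            return "host-learned"
        if known != here:
            # Genuine mobility or a ghost host; keep the old binding until the
            # original port has been re-probed.
            self.quarantine.append(("host-move", src, known, here))
            return "host-moved-quarantined"
        return "known-host-ok"

    def _handle_lldp(self, msg, here):
        origin = self.outstanding.pop(msg["lldp"]["nonce"], None)
        if origin is None:
            # No matching probe: fabricated or replayed link advertisement.
            return "unsolicited-lldp-dropped"
        if here in self.host_location.values():
            # A host relaying our probe to make its port look like a link.
            self.quarantine.append(("lldp-from-host-port", origin, here))
            return "lldp-from-host-port-dropped"
        self.link_ports.update({origin, here})
        return "link-learned"


if __name__ == "__main__":
    g = TopologyGuard()
    g.issue_probe("s1", 3, "n1")
    print(g.handle({"dpid": "s2", "in_port": 3, "eth_type": LLDP_ETHERTYPE,
                    "eth_src": "00:00:00:00:00:aa", "lldp": {"nonce": "n1"}}))
    print(g.handle({"dpid": "s2", "in_port": 3, "eth_type": LLDP_ETHERTYPE,
                    "eth_src": "00:00:00:00:00:aa", "lldp": {"nonce": "n1"}}))
    print(g.link_ports)
```

The filter blocks the ghost-topology construction of [246] at the two points where a spoofed PACKET_IN would otherwise mutate controller state: link creation requires possession of a fresh probe nonce, and host creation is refused on link ports and deferred on conflicts. It does not help against a switch that simply forwards incorrectly, which is the subject of Section 7.3.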
Finally, novel attacks on SDN are presented in [248,249]. Ref. [248] examines advanced attacks on SDN utilizing compromised switches. The attacks considered include flow table modification, control channel hijacking, eavesdropping on control plane communications, state spoofing, topology spoofing, and DoS. The authors posit defenses for each attack. Ref. [249] examines poisoning attacks in the SDN data plane and proposes a novel attack that takes advantage of a weakness in OpenFlow in which flow table capacity exhaustion forces the controller to begin inserting and deleting flow entries, degrading network performance. The authors propose two defense mechanisms for this type of attack: compression of flow table entries, and implementation of larger flow tables.

7.3. Forwarding Anomaly Detection

A forwarding anomaly refers to when the behavior of a forwarding device is non-compliant. Typically, this means a packet is handled anomalously, such as being forwarded, dropped, or modified in a manner that violates the forwarding rules provided by the controller or the conventions of the SDN protocol in use.
In OpenFlow-based SDN, forwarding anomalies are conceptually simple, but with the growing interest in programmable data planes and hybrid SDN the potential for complex forwarding behaviors will also grow accordingly. As a result, there is a need for efficient and flexible forwarding anomaly detection solutions. Fortunately, there has been research interest in designing and implementing forwarding anomaly detection since the early 2010s and this research interest has persisted. This section will review this research, highlighting proposed solutions and characterizing trends where relevant.
In Table 9, we summarize research investigating forwarding anomaly detection in SDN. As per earlier tables, application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
Detection and mitigation of forwarding anomalies has attracted significant research interest over the last decade [250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265]. Ref. [250] proposes a lightweight architecture for detecting anomalies in the SDN data plane, including forwarding anomalies. Their architecture uses a data collector, a feature selection module, and a classification module collocated with the controller, operating on inputs from the data plane. Ref. [251] proposes a similar solution for anomaly detection, with added data plane localization. They built upon their work in [252] to further enhance localization and to optimize the placement of monitoring positions along network paths.
Ref. [253] proposes a formal approach for predicting a packet path inside an SDN. Their solution relies on generating queries that contain all possible packets that could pass through the network from all ingress switches to detect possible policy conflicts. The same authors proposed an incremental approach for detecting potential anomalies in an SDN policy in [254].
In [255,256], the authors propose a forwarding anomaly detection method for OpenFlow-based SDN that uses a flow conservation principle for checking behaviors of all flows in a network simultaneously. Their solution works by modeling the controller’s global view in a flow counter matrix and capturing flow rules and flow statistics from the data plane. In [256], they build on their previous work by adding localization to identify the compromised switch.
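The flow conservation principle of [255,256] reduces to a per-hop comparison of packet counters along each flow's intended path. The following Python example is added for this review and is not the implementation of those papers; it takes the controller's view of paths and one polling round of per-switch flow-rule counters, flags hops where the downstream count departs from the upstream count beyond a tolerance, and then scores switches by how often they sit at the downstream end of an anomalous hop, which is the localization step of [256]. Paths, counters and the tolerance are constructed.

```python
# Constructed flow paths (controller's global view) and per-switch packet
# counters for each flow's rule, as gathered from flow-stats replies in one
# polling round. Switch names and counts are invented.
PATHS = {
    "A": ["s1", "s2", "s3", "s4"],
    "B": ["s1", "s5", "s4"],
    "C": ["s2", "s3"],
}
COUNTERS = {
    ("A", "s1"): 1000, ("A", "s2"): 1000, ("A", "s3"): 640, ("A", "s4"): 640,
    ("B", "s1"): 500, ("B", "s5"): 500, ("B", "s4"): 498,
    ("C", "s2"): 300, ("C", "s3"): 420,
}


def check_conservation(paths, counters, tolerance=0.01):
    """For every hop, the packets counted by the downstream rule should equal
    the upstream count, within a tolerance for in-flight packets and polling
    skew. A deficit indicates drops, a surplus indicates injection; each
    anomaly is localized to the hop between the two switches. A rule that is
    missing on a switch counts as zero, so a deleted rule surfaces as a drop."""
    anomalies = []
    for flow, path in paths.items():
        for up, down in zip(path, path[1:]):
            a = counters.get((flow, up), 0)
            b = counters.get((flow, down), 0)
            delta = b - a
            if abs(delta) > tolerance * max(a, 1):
                anomalies.append({"flow": flow, "hop": (up, down), "delta": delta,
                                  "kind": "drop" if delta < 0 else "injection"})
    return anomalies


def suspect_switches(anomalies):
    """Score switches by how often they are the downstream end of an anomalous
    hop; a switch implicated across several flows is the likely compromised
    device rather than a single faulty link."""
    score = {}
    for a in anomalies:
        down = a["hop"][1]
        score[down] = score.get(down, 0) + 1
    return sorted(score.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    found = check_conservation(PATHS, COUNTERS)
    for a in found:
        print(a)
    print("suspects:", suspect_switches(found))
```

In the constructed data, flow B's two-packet shortfall is within tolerance, while flow A loses 36% of its packets and flow C gains 120 packets across the same hop into s3, so s3 is implicated twice. The check relies on switches reporting counters honestly; a compromised s3 that inflates its own counter would instead create a mismatch against s4, which is why the scoring uses both ends of each hop and why [257] supplements counters with sampled packet verification.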
Ref. [257] proposes a real-time packet forwarding verification method for OpenFlow (see Figure 12). Their solution uses both packet forwarding and forwarding statistics to detect forwarding anomalies and violations of packet integrity with dynamic sampling. Ref. [258] proposes a traffic anomaly detection and mitigation solution. Their solution is essentially a signature-based IDS that collaborates with the SDN controller using an external application, with the controller performing mitigation upon anomaly detection. Lastly, in [259], the authors propose a scheme for mitigating forwarding anomalies in real time. Their solution uses tags to disambiguate dependent rules and remove forwarding ambiguity.
P4-based approaches for forwarding anomaly detection are investigated in [260,261]. In [260], the authors examine forwarding anomaly detection in a hybrid SDN architecture. P4 switches are enrolled into the network to perform network traffic sampling. The sampled packets are referred to the OpenFlow controller for verification. Ref. [261] proposes methods for real-time packet verification to defend against hijacking and new stream attacks. For hijacking attacks, they use a comparison of P4 metadata and register contents. For new stream attacks, their solution uses an exception window for initial detection and computation of information entropy.
ML-based methods for forwarding anomaly detection are proposed in [262,263,264,265]. Ref. [262] proposes a DNN-based anomaly detection method for SDN. Their solution is a network IDS (NIDS) that utilizes Gated Recurrent Unit Long Short Term Memory (GRU-LSTM). To improve classifier performance, the authors employ a combination of feature selection methods. In [263], the authors use the DBSCAN algorithm to identify anomalous rules and controller behavior using the IP address, action on rule match, rule duration, and link utilization as features.
Ref. [264] proposes both a flow-based and packet-based Multilayer Perceptron (MLP) DL method for detecting anomalies in high-traffic and high-performance networks. In contrast, ref. [265] proposes a multi-faceted solution that uses deep RL to learn traffic flow matching strategies to maximize traffic flow granularity while protecting the SDN. Their solution has two components, a DL-based matching control component and an anomaly detection and classification component. Mitigation is performed by implementing attack mitigation policies.
Other solutions for forwarding anomaly detection are proposed in [266,267,268]. In [266], the authors propose a novel solution for real-time verification of network invariants. Their solution provides proactive anomalous forwarding mitigation by leveraging the controller to access the global view and validating the rules that are generated. In [267], the authors propose a solution for detecting cross-plane attacks that works by dynamically learning the topology and network behavior by intercepting OpenFlow messages, building a flow graph and validating network behavior. Finally, in [268], the authors propose a solution for load optimization and anomaly detection in OpenFlow-based SDN with a multi-controller architecture. Enforcement of anomaly mitigation is provided using access control policies that are implemented as flow rules intra-data plane.

7.4. Heterogeneous SDN

For the purposes of this review, heterogeneous SDN is SDN utilizing diverse communications media in the data plane. In simple terms, this can be thought of as SDN utilizing a mix of wired and wireless communications. This is a broad definition and naturally encompasses SDN applications in 5G and IoT. However, it is also a valuable domain of research, as network heterogeneity is generally increasing (e.g., 6G), resulting in greater network complexity and an attack surface that is more difficult to secure, warranting novel methods for network security.
In heterogeneous SDN, confidentiality and integrity are of greater concern than in a traditional (wired) SDN, as the wireless medium is susceptible to eavesdropping and more advanced attacks that may exploit the readily available signal of the wireless data plane.
In Table 10, we summarize research investigating security of heterogeneous SDN. As per earlier tables, application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
Security for IoT is an enduring challenge and SDN has seen investigation for both the introduction of new security capabilities (see [26] for a relevant review) and for how SDN-IoT itself may be secured. Ref. [269] investigates security for IoT and ad hoc networks, providing a new SDN architecture for wired, wireless, and heterogeneous use cases. They examine security policy definition and enforcement for monolithic and multi-controller architectures and introduce the concept of ‘border controllers’ for joining SDN domains.
SDN-IoT is also discussed in [270,271]. Ref. [270] examines SDN-IoT based on P4, utilizing in-network firewall and routing implemented on P4 switches with referral to the control plane for new and unknown packets, per the traditional SDN model. They also utilize a learning algorithm to support effective traffic classification. Similarly, ref. [271] examines SDN-IoT for QoS and security-aware routing. Their solution is deep RL-based, extracting knowledge from historical traffic and optimizing routing policies for secure delivery.
In contrast, ref. [272] examines SDN for Big Data for a range of use cases, including data processing in cloud data centers, data delivery, joint optimization, and scheduling. Importantly, they also demonstrate that Big Data may support SDN performance and security through integration with the control and application planes, with benefit to the data plane. Lastly, ref. [273] examines heterogeneity in 5G networks and argues that SDN can support security and performance in 5G. They discuss security challenges of SDN-based 5G and provide a robust security architecture, with cryptographic authentication and implementation of security gateways for cross-plane communication.

7.5. Secure Southbound Communication

The SBI is a critical component of SDNs, supporting the transfer of protocol messaging between the control and data planes. However, native OpenFlow provides no security features beyond optional TLS on the control channel, which deployments frequently leave disabled, and otherwise relies on existing security methods to protect the components of an SDN, including the SBI. These facts make security research into the SBI appealing and potentially productive, yet to date it has remained relatively niche in contrast to the dominant topics of SDN security research (predominantly the security of the control plane and controllers specifically). Regardless, some novel research exists, and authors have posited diverse methods for assuring the security of the SBI.
In Table 11, we summarize research investigating secure southbound communication in SDN. As per earlier tables, application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
Ref. [274] proposes a solution for cross-plane DoS/DDoS attack defense in SDN (see [239,240] for example attacks). The authors discuss the shortcomings of existing methods for SBI security and propose their solution, which employs collaborative cross-plane intelligence, providing attack detection, mitigation, cross-plane offloading, and localization of attackers within a botnet.
In contrast, ref. [275] considers the confidentiality and integrity of the SBI. The authors examine the implementation of IPsec in SDN for providing southbound security. They propose an evaluation model to find an effective trade-off between communication performance and link security. Ref. [276] examines the problem of cross-plane communication security between the control and data planes. They present a trust-based framework for the wireless data plane and classify attacks according to the planes and components they affect.
Finally, in [277] the authors discuss secure southbound communication and the threat of MITM attacks. To mitigate MITM, they propose a security framework that shrinks the window in which an attack can occur: a security policy accepts new nodes only during specific periods, and each node attempting to join the network is assigned a Time-To-Live (TTL) timer during which its behavior is monitored for anomalies. They extended their framework using the Random Forest (RF) algorithm to improve accuracy and performance.

7.6. Summary

Research investigating the security of data plane infrastructure has highlighted the general vulnerability of the SDN data plane. This is primarily due to the lack of inherent security in OpenFlow, especially regarding encryption, authentication, network access control, validation of messages, audit, and switch security. We also demonstrated the lack of portable and mature security capabilities that can be deployed to protect SDN switches. This relates to the lack of native security within OpenFlow and the failure of industry and academia to develop and adopt any widely accepted security frameworks for SDN. Finally, there is a lack of convenient methods for domain-specific monitoring and insights. This means that researchers are independently implementing monitoring and extracting insights that relate to their specific applications.
Various gaps remain in this domain (see Table 12). Firstly, SDN-based MTD is underinvestigated despite the obvious appeal of SDN and especially programmable data planes for implementation. Secondly, despite the threat of device compromise and anomalous forwarding, there has been modest investigation of trust management and trust-based approaches using SDN. The latter issue is further discussed in the following section.

8. Dynamic Routing Within the Data Plane

8.1. Overview

The last of the three primary research domains to be discussed is dynamic routing within the data plane. This domain is concerned with dynamic and resilient routing methods within the data plane that are possible using SDN. These methods capitalize on the global view of the controller and programmability to proactively and reactively modify data plane forwarding to support network security and performance.
From a data plane security perspective, SDN enables flexible forwarding that can associate traffic security requirements with appropriate paths throughout the data plane to improve delivery, minimize opportunities for eavesdropping, and reduce the likelihood of more complex attacks. However, of the three primary research domains, this domain is the most nascent, with research tending to be more recent and exhibiting the most unresolved research opportunities. To support analysis, the research in this domain has been further classified into multi-path routing, resilient routing, and trust-based routing, with each term defined in its corresponding subsection.

8.2. Multi-Path Routing

Multi-path routing is the concurrent utilization of multiple network paths for flows. It is commonly associated with load balancing and datacenter networking, but this section demonstrates that it has broader application in the SDN data plane for secure and performant delivery of traffic. While the security emphasis of the selected papers varies, the utility of multi-path routing for improving security is apparent. Multi-path routing confounds eavesdropping, MITM, and similar attacks by splitting a given flow across multiple paths, forwarding the fragments simultaneously, and reconstructing the flow at the endpoint, so that an adversary observing any single path obtains only part of the flow. This benefit holds only to the extent that the paths are genuinely disjoint: a shared link or switch, or a compromised endpoint, still exposes the entire flow, so path splitting complements rather than replaces encryption. Multi-path routing also improves the resilience of a network under DoS/DDoS attack by employing multiple paths to raise the likelihood of successful packet delivery, even with degraded availability. These features make multi-path routing a powerful and proactive defensive technique for the SDN data plane, and this is reflected in the diversity of research in SDN-based multi-path routing.
In Table 13, we summarize research investigating multi-path routing in SDN. As per earlier tables, application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
Research into SDN-based multi-path routing has been diverse, with authors focusing on various methods that capitalize on the global view, flexibility, and dynamism of SDN. In [278], the authors implement multi-path routing using OpenFlow for a Supervisory Control And Data Acquisition (SCADA) use case. They implement multi-path routing to increase the difficulty of eavesdropping using a control plane application and a secure channel for managing forwarding rules in the data plane.
In [279], the authors highlight the inherent lack of security in OpenFlow and examine multi-path routing for network security and resilience. Their solution uses Erasure Resilient Coding (ERC) for data fragmentation and performs distribution across multiple paths concurrently, orchestrated by the SDN controller (see Figure 13).
Ref. [280] considers the problem of efficient multi-path routing that can provide disjoint end-to-end paths satisfying specific operational goals without overwhelming the data plane with excessive forwarding-state information. This problem is central to the feasibility of multi-path in SDN, and the authors demonstrate both that the underlying problem is NP-complete and that it is possible to closely attain the optimal path length.
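To make the mechanism concrete, the following Python example is an added illustration of the fragment-across-disjoint-paths scheme described at the start of this subsection and in [279], together with the disjoint-path computation whose difficulty [280] analyses. It is not code from either work: the topology, payload and the greedy path search are constructed assumptions, and a single XOR parity fragment stands in for a real erasure code (it tolerates the loss of exactly one fragment). A controller-side routine selects k+1 link-disjoint paths, the sender emits k data fragments plus parity, one per path, and the receiver reconstructs from any k fragments, so the failure of one path loses nothing and an observer on one path sees at most one fragment.

```python
"""Multi-path delivery with fragment-level redundancy (added illustration).

Constructed example, not code from [279] or [280].  A greedy routine picks
link-disjoint paths, the sender splits a payload into k data fragments plus
one XOR parity fragment, one fragment per path, and the receiver rebuilds the
payload from any k of the k+1 fragments.  Topology and payload are made up.
"""
from collections import deque


def bfs_path(adj, src, dst, blocked):
    """Shortest path from src to dst that avoids the links in `blocked`."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in adj[u]:
            if v in prev or (u, v) in blocked or (v, u) in blocked:
                continue
            prev[v] = u
            queue.append(v)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def disjoint_paths(adj, src, dst, count):
    """Greedy search for up to `count` link-disjoint paths: the links of each
    path found are removed before the next search.  A heuristic only; it may
    miss a feasible set and makes no optimality claim."""
    blocked, paths = set(), []
    for _ in range(count):
        path = bfs_path(adj, src, dst, blocked)
        if path is None:
            break
        paths.append(path)
        blocked.update(zip(path, path[1:]))
    return paths


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode(payload, k):
    """Split `payload` into k equal data fragments plus one XOR parity
    fragment (index k).  Returns ([(index, fragment), ...], original_length)."""
    size = -(-len(payload) // k)                     # ceiling division
    padded = payload.ljust(size * k, b"\x00")
    data = [padded[i * size:(i + 1) * size] for i in range(k)]
    parity = data[0]
    for fragment in data[1:]:
        parity = xor_bytes(parity, fragment)
    return [(i, f) for i, f in enumerate(data)] + [(k, parity)], len(payload)


def decode(received, k, length):
    """Rebuild the payload from any k of the k+1 fragments; `received` maps
    fragment index -> bytes.  With k fragments present, at most one data
    fragment is missing and the parity fragment is then guaranteed present."""
    if len(received) < k:
        raise ValueError("too few fragments to reconstruct")
    data = [received.get(i) for i in range(k)]
    missing = [i for i, f in enumerate(data) if f is None]
    if missing:
        rebuilt = received[k]
        for i, fragment in enumerate(data):
            if i != missing[0]:
                rebuilt = xor_bytes(rebuilt, fragment)
        data[missing[0]] = rebuilt
    return b"".join(data)[:length]


# Constructed topology: edge switches s1 and s2 joined by three core switches,
# which yields three link-disjoint paths.
ADJ = {
    "s1": ["a", "b", "c"],
    "a": ["s1", "s2"],
    "b": ["s1", "s2"],
    "c": ["s1", "s2"],
    "s2": ["a", "b", "c"],
}


def deliver(adj, src, dst, payload, k, failed_links=frozenset()):
    """Send `payload` over k+1 disjoint paths; a fragment whose path crosses a
    failed link is dropped.  Returns (reconstructed_payload, paths)."""
    paths = disjoint_paths(adj, src, dst, k + 1)
    if len(paths) < k + 1:
        raise RuntimeError("topology lacks k+1 link-disjoint paths")
    fragments, length = encode(payload, k)
    received = {}
    for (index, fragment), path in zip(fragments, paths):
        hops = zip(path, path[1:])
        if any((u, v) in failed_links or (v, u) in failed_links for u, v in hops):
            continue                                 # fragment lost with its path
        received[index] = fragment
    return decode(received, k, length), paths


if __name__ == "__main__":
    message = b"SCADA: valve 7 OPEN"
    print(deliver(ADJ, "s1", "s2", message, 2))
    print(deliver(ADJ, "s1", "s2", message, 2, frozenset({("b", "s2")})))
```

With k = 2, an observer on one data path still sees half the payload in clear, which is why the scheme raises the cost of eavesdropping rather than removing it; a real deployment would pair it with encryption and use a proper (n, k) erasure code to survive more than one path failure.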
ML-based approaches for multi-path in SDN are investigated in [281,282,283,284]. Ref. [281] proposes a QoS-aware multi-path method based on RL for OpenFlow-based SDN. The authors argue that existing multi-path methods do not consider QoS, and use RL to find multiple forwarding paths for each flow based on its characteristics. Relatedly, ref. [282] examines RL for service-oriented multi-path routing. Their solution implements a custom protocol for obtaining network state, a DL-based traffic classification model to identify network services, and a differentiated reward scheme for service types.
Ref. [283] proposes a deep RL multi-path scheme for SDN, focusing particularly on countering DoS attacks. Their method uses trust values and node diversity to mitigate issues such as network fluctuations, low robustness, and congestion, with path selection incorporating security, network delay, and variations in multi-path delay.
Lastly, ref. [284] proposes a QoS and congestion-aware deep RL approach. Their solution learns and optimizes routing decisions through trial and error based on a congestion severity index, which aims to minimize delay, packet loss, and packet drops while maximizing bandwidth utilization.
Authors have also proposed SDN-NFV-based multi-path routing [285,286]. Ref. [285] examines multi-path routing implemented using SDN-NFV for survivable networking. They propose a scheme that employs multi-path provisioning implemented in SDN-NFV for survivable optical networking for any given number of network failures. Ref. [286] also examines SDN-NFV for multi-path routing, providing a complete SDN-NFV architecture. Network monitoring, path selection, and network resource management are performed in the control plane, while the data plane provides flow splitting, route mapping, flow execution, and reconstruction.
Scheduling is a key issue in multi-path routing, as out-of-order packet arrival may impact flow reconstruction. Authors have investigated SDN for implementing scheduling mechanisms. Ref. [287] provides an OpenFlow-based scheduling method that includes efficient load balancing and path optimization for datacenter networks. Their solution uses SDN for load monitoring and path optimization based on global load awareness. In contrast, ref. [288] provides a P4-based multi-path scheduling method that provides both network path selection and packet scheduling.
Authors have investigated a range of other niche use cases. The authors of [289] highlight the unique challenges of satellite networks and propose a multi-path routing strategy based on SDN that uses a combination of delay, bandwidth, and node load to adjust the route for end-to-end transmission. Ref. [290] proposes an SDN-based multi-path scheme for satellite networks that uses QUIC and a multi-objective optimization strategy to improve throughput.
Ref. [291] implements OpenFlow-based multi-path routing for a datacenter use case. Their solution incorporates network heterogeneity to optimize the transmission time of flow groups (a group of flows that have the same source edge switch and the same destination edge switch). They use control plane modules to extract information from the data plane and a forwarding manager to develop rules based on the instructions of a multi-path scheduler module.
Finally, in [292], the authors propose a hop-by-hop method for forwarding on multiple paths. This is novel, as the methods discussed above select paths end-to-end. Their method ensures convergence and provides loop-free multi-path forwarding.

8.3. Trust-Based Routing

SDN provides the capability to dynamically route network traffic according to the security requirements of the traffic (e.g., the requirements of the sender, the sensitivity of the payload) and the trustworthiness of nodes and links along available paths. In this review, this is referred to as trust-based routing, although there is no consistent nomenclature in the literature, as this is an emerging domain of research. Additionally, there is no consensus on what constitutes trust or trustworthiness in a network security context, although authors have offered various definitions and have typically equated trust with security as a state (i.e., the state of being secure at a point-in-time). Regardless of how authors choose to define trust, it is apparent that it is an appealing paradigm for intuitive and explainable security that has attracted significant research interest.
In Table 14, we summarize research investigating trust-based routing in SDN. As per earlier tables, application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
Trust-based routing methods using SDN are proposed in [293,294,295,296]. Ref. [293] examines the protection of data in the cloud by controlling the paths used in data transfer. They propose an OpenFlow-based approach in which the network operator defines routing policies and the controller enforces trust-based routing according to those policies (see Figure 14).
Ref. [294] proposes a trust-based routing method using a multi-controller architecture, with the controllers operating in different execution environments and leveraging hardware-based trusted computing technologies (e.g., Trusted Platform Modules). Another multi-controller approach is provided in [295]. Their focus is multi-domain routing across domains with specific security and regulatory requirements. Their solution relies on a cooperating SDN controller deployed to each domain along the path to establish a trusted end-to-end path.
Lastly, a trust-based routing method for OpenFlow focusing on the trust of SDN switches is presented in [296]. They provide a trust management system for assessing switch trust values over time and detecting compromised switches.
Trust-based routing for wireless and heterogeneous SDN is investigated in [297,298,299]. Ref. [297] provides a secure clustering model for SDN-based IoT. Their solution supports cluster-based communication using SDN, providing both the clustering method and a trust management system for electing cluster heads. Ref. [298] proposes a trust-based cooperative system for efficient Wi-Fi Radio Access Networks (RANs) using SDWN. The proposed architecture uses both a conventional Wireless Local Area Network (WLAN) and a blockchain-based network in the data plane, managed by an SDWN controller. In [299], the authors of this review examine trust-based routing for heterogeneous SDN. We demonstrate the learning and matching of traffic security requirements to the trustworthiness of available paths.
Closely related to trust-based routing is the premise of trust management. In [300], the authors provide a position paper arguing for secure and dependable SDN by design, incorporating trust and trust management. The trust management components relate primarily to whitelisting of trusted devices and blocking of malicious or anomalous devices. Relatedly, ref. [301] provides an experimental framework for SDN security, incorporating trust zones. Upon joining the network, devices are placed in trust zones automatically, requiring no intervention from the network operator and enabling management of devices based on their assessed trustworthiness.
Ref. [302] proposes a distributed trust framework for SDN. Their framework is closely modeled on classical Public Key Infrastructure (PKI) but supports distributed implementation and verification to reduce application overhead. In [303], the authors examine trust management for the data plane of ad hoc networks, using fuzzy logic to encode imprecise empirical knowledge about node behaviour and to derive trusted paths from it. Ref. [304] examines trust management for the Internet of Vehicles (IoV), specifically VANETs. They propose a multi-faceted SDN solution that includes the evaluation of vehicles within range of Roadside Units (RSUs), a distributed trust evaluation method for vehicles outside RSU range, and inter-vehicular trust evaluation.
In addition to the above, authors have proposed trust-based routing for other applications. Ref. [305] examines security and trust for softwarized networks, focusing on 5G. Their solution is effectively SDN-NFV: a Root Trusted Module (RTM) anchors the trustworthiness of the components built upon it, and a set of VNFs then provide security and trust functions.
Another trust-based framework using SDN-NFV is proposed in [306], in which the authors introduce trust-awareness for SDN switches. Their framework uses subjective logic-based techniques to derive the trust levels of switching devices at runtime, which are then used to inform service provisioning.
Ref. [307] considers trust-based routing in the context of Segment Routing (SR). Their solution uses a trust verification mechanism with a custom Authentication Header (AH) and four trust management mechanisms, including initial trust value assignment, trust evaluation, trust renewal, and trust inheritance.
Lastly, ref. [308] proposes a zero trust-based trust management and traffic engineering system for supporting the security of critical nodes in SDN-based IoT networks. Their solution evaluates the risk of nodes based on multiple factors and performs trust evaluation between nodes. Using these evaluations, they dynamically adjust security and routing.
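The common thread of this subsection, assessing node trust over time and then matching a flow's security requirement to the trustworthiness of the available paths, is shown below in an added Python example. It is an illustration written for this review, not the method of any cited work (including [299]): the trust renewal rule (an exponentially weighted blend of the fraction of expected packets a switch actually forwarded), the bottleneck path criterion, the topology and the counters are all constructed assumptions. The controller selects the path whose least trusted node is as trustworthy as possible and refuses a flow if no path meets its required trust level.

```python
"""Trust-based path selection (added illustration; not the method of any
cited work).  Each node carries a trust value in [0, 1] renewed from
forwarding evidence; a flow is admitted only on a path whose weakest node
meets the flow's required trust.  Topology and counters are made up.
"""
import heapq


class TrustManager:
    def __init__(self, nodes, initial=0.9, alpha=0.3):
        self.trust = {n: initial for n in nodes}     # initial trust assignment
        self.alpha = alpha                           # weight of the newest evidence

    def observe(self, node, forwarded, expected):
        """Trust renewal: a switch that forwards fewer packets than it was
        expected to (silent drops, misdirection) loses trust; evidence is the
        forwarded fraction, blended with the previous value (assumed rule)."""
        evidence = 0.0 if expected <= 0 else min(forwarded / expected, 1.0)
        self.trust[node] = (1 - self.alpha) * self.trust[node] + self.alpha * evidence
        return self.trust[node]

    def compromised(self, threshold=0.3):
        """Nodes whose trust fell below `threshold`: candidates for isolation."""
        return sorted(n for n, t in self.trust.items() if t < threshold)


def widest_trust_path(adj, trust, src, dst):
    """Dijkstra variant that maximises the minimum node trust along the path.
    Nodes with zero trust are never used.  Returns (path, bottleneck_trust)
    or (None, 0.0) when dst is unreachable."""
    best, prev = {src: trust[src]}, {src: None}
    heap = [(-trust[src], src)]
    while heap:
        neg, u = heapq.heappop(heap)
        if u == dst:
            break
        if -neg < best[u]:
            continue                                 # stale heap entry
        for v in adj[u]:
            cand = min(-neg, trust[v])
            if cand > best.get(v, 0.0):
                best[v], prev[v] = cand, u
                heapq.heappush(heap, (-cand, v))
    if dst not in prev:
        return None, 0.0
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1], best[dst]


def route(adj, tm, src, dst, required):
    """Most trustworthy path for the flow, or None if no path satisfies the
    flow's required trust level (the flow is then not admitted)."""
    path, score = widest_trust_path(adj, tm.trust, src, dst)
    return path if path is not None and score >= required else None


# Constructed topology: hosts h1/h2 behind edge switches s1/s4 with two core
# paths (via s2 or via s3).
ADJ = {
    "h1": ["s1"],
    "s1": ["h1", "s2", "s3"],
    "s2": ["s1", "s4"],
    "s3": ["s1", "s4"],
    "s4": ["s2", "s3", "h2"],
    "h2": ["s4"],
}


def run_demo():
    tm = TrustManager(ADJ)
    tm.observe("s3", 100, 100)                       # s3 forwards everything
    for _ in range(4):
        tm.observe("s2", 0, 100)                     # s2 silently drops everything
    return {
        "path": route(ADJ, tm, "h1", "h2", required=0.8),
        "rejected": route(ADJ, tm, "h1", "h2", required=0.95),
        "compromised": tm.compromised(),
        "s2_trust": round(tm.trust["s2"], 3),
    }


if __name__ == "__main__":
    print(run_demo())
```

The bottleneck criterion encodes the intuition that a path is only as trustworthy as its least trustworthy hop; a multiplicative or additive trust metric would instead let a long chain of well-behaved nodes mask one suspect node. Whether the forwarded-fraction evidence is credible depends on counters the data plane reports honestly, which is exactly the assumption a compromised switch violates, so real systems corroborate it with out-of-band probing or attestation.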

8.4. Resilient Routing

The final topic of this review is resilient routing in the SDN data plane. Resilient routing contrasts with multi-path routing in that it does not necessitate concurrent utilization of paths for traffic delivery, although it may involve optimal path selection and utilization of multiple paths over time. Additionally, resilient routing is distinct from trust-based routing as it does not involve the intentional incorporation of trust in routing decisions or employ a trust management system. For a working definition, resilient routing is an approach to routing in SDN that takes advantage of the dynamicity of SDN to support traffic delivery and improve security. This is the broadest class of dynamic routing, and this is reflected in a diversity of objectives and methods in the literature.
In Table 15, we summarize research investigating resilient routing in SDN. As per earlier tables, application (Application), year of publication (Year), and technology of implementation (Implementation) are noted. Papers are ordered firstly by Application and secondly by Year.
As noted, current applications for resilient routing are diverse. Ref. [309] examines source address validation for security. The authors argue that the existing frameworks are too limited and propose a novel scheme that provides on-demand filtering, tracking of flow table states using a NOX SDN controller, and utilization of OpenFlow devices as a de facto security perimeter. Ref. [310] proposes a novel random routing mutation architecture using SDN. Their approach takes advantage of the global view and centralized control in SDN to confound network reconnaissance and DoS attacks. Ref. [311] implements a novel routing method, capability-based routing. In capability-based routing, routing is security-oriented and accounts for the capabilities of nodes on available paths.
Ref. [312] proposes dynamic routing using SDN for Flying Ad Hoc Networks (FANETs). FANETs present a unique challenge, as the nodes are mobile and the topology is dynamic. To address these challenges, the authors propose a hybrid SDN model, providing topology discovery, statistics gathering, and route computation.
Ref. [313] implements ML-based MTD. Their solution uses route randomization based on up-to-date network information via real-time network telemetry, with the updated routes implemented in a programmable data plane.
A highly resilient routing design is provided in [314]. They propose a hybrid SDN architecture leveraging programmable data planes which provides failure detection and recovery using switch link probing and fast rerouting, incorporating failure detection, computation of new routes, and installation.
Another adaptive failure recovery solution is proposed in [315]. Their architecture is also hybrid, although focused explicitly on the failure of multiple links, as well as backup path computation and propagation using custom packet headers.
In [316], the authors propose a scheme for optical transport networking using SDN. Their proposed method uses the SDN controller to collect network resource information in real time and to dynamically change the weight of paths, which are then used for path calculation. Finally, ref. [317] proposes an ML-based routing optimization scheme based on the Multi-Armed Bandit Problem. They examine this problem in SDN from the perspective of seeking optimal end-to-end dynamic routing of data flows and posit that a centralized routing approach like SDN can solve routing issues more quickly than a distributed model.

8.5. Summary

Dynamic routing using SDN is the least researched of the three primary domains examined in this review. The domain is also diverse and exhibits breadth in methods, implementation and use cases. We have identified a growing interest in adaptive and resilient routing using SDN. These approaches take advantage of the global view and programmability of SDN to establish performant and secure end-to-end paths. This contrasts with the hop-by-hop forwarding of traditional networks, which are best effort by design and are unable to flexibly adapt to changing network conditions or security policies.
This domain exhibits a wide range of research gaps (see Table 16). They include extension of dynamic routing methods to heterogeneous SDN, greater incorporation of knowledge of node capabilities, performance, and trustworthiness in end-to-end-path computation, SDN-based time-sensitive routing (especially contrasted to best effort), and lastly, trust-based routing.

9. Discussion

9.1. Overview

The review of SDN data plane security research this paper has provided is illustrative of the diversity and depth in the discourse. Table 17 and Table 18 below summarize the strengths and weaknesses of the SDN data plane security research that have been identified. In this section, the most promising future directions for SDN data plane security research will be discussed based on the research weaknesses, gaps, and opportunities that remain.

9.2. Hybrid SDN Security and Management

A frequent issue that has emerged in this paper is the fallacy that there is a linear progression in networking technology from SDN to programmable data planes, and especially from OpenFlow to P4. In providing the impetus for their work in P4, many authors cite the weaknesses of OpenFlow and pose P4 as a replacement for OpenFlow, rather than as a complement. This is a reductive view and is inconsistent with the purpose of P4 as provided by the creators of P4 themselves in the original proposal in 2014 [4]. While the authors of [4] highlight valid shortcomings of OpenFlow, they (and various subsequent authors) envision a “hybrid” SDN architecture that employs a central control protocol managing a programmable data plane.
This hybrid architecture provides the benefits of classical SDN, including a global view, well-defined interfaces, and a model for centralized control, in addition to the benefits of a programmable data plane that offers flexible header definition, granularity of operation, support for added primitives, and the potential to work at line rate. From a security perspective, such a hybrid SDN is challenging, as it adds complexity, imposes additional southbound communication, and further strains the resources of devices in the data plane. As hybrid SDNs are the most promising future architecture for SDN, their data plane security requires further research. This should take the form of a review of hybrid SDN architectures and the development of a detailed threat model to understand the security threats that exist for hybrid SDN. Additionally, with this new understanding, reference architectures should be developed to guide future implementations.
Relatedly, there is a trend towards decentralization in modern SDN architectures. This is evidently spurred by the growing popularity of the programmable data plane and the acknowledgement of the shortcomings of OpenFlow in the literature.
These decentralized approaches implement independent security capabilities in the data plane based on programmable data plane devices. They are appealing because they are not reliant on a controller, which is often perceived as a single point of failure, and they are performant, able to operate at line rate, and reduce network overhead (e.g., through reduction in SBI messaging). However, they also lose the advantages of classical SDN, notably central management, and are typically not scalable or portable. Furthermore, they are typically designed and implemented to meet a specific security application (e.g., DoS/DDoS mitigation, intrusion detection) and do not support other applications meaningfully, meaning they are essentially repurposing data plane devices as inflexible security middleware. Both centralized and decentralized SDN architectures come with security threats and opportunities, but the trade-off is still to be investigated.

9.3. Heterogeneous SDN Security

Another prominent theme that has emerged from the survey is the complexity of providing security for the data plane in heterogeneous networks (e.g., SDWN, SDN-based IoT). With the proliferation of softwarized networks as part of next-generation technologies (e.g., 6G), there is a clear need for robust SDN and other programmable network architectures. Yet, this is clearly an immature domain of research and existing proposals are disjointed and ad hoc. This provides the impetus for novel research into heterogeneous SDN.
The data plane of any heterogeneous system is inherently complex in terms of communications methods, protocols, mobility, and security requirements. From a security perspective, this complexity equates to a more diverse attack surface, which is difficult to secure and which may obfuscate malicious or otherwise anomalous behaviors. However, using SDN it is possible to implement secure end-to-end routing that incorporates an understanding of the security requirements of network participants (e.g., nodes, users), traffic sensitivity (e.g., traffic containing personally identifiable information), and, most importantly in the context of heterogeneous SDN, knowledge of available paths (e.g., wired links, wireless links, security capabilities of nodes). For these reasons, SDN is appealing for managing heterogeneous networks where the controller has global awareness and the decision-making ability to establish such end-to-end paths with security as an explicit objective.
However, as demonstrated in this review, this is an emerging domain of research and requires further investigation. A general review of heterogeneous SDN is required to understand the current state of the art. This review should consider the benefits and challenges of security for SDWN, as to date this has largely been limited to specific technology domains (e.g., IoT, WSN).

9.4. Trust-Based Methods

A third significant theme that has emerged through this review is trust. There is growing interest in trust as an intuitive and explainable framework for making networking and security decisions. Of relevance to this paper, trust has been applied to support adaptive routing that negotiates a secure end-to-end path based on the assessed trustworthiness of nodes and links along available paths. This is referred to in this paper as trust-based routing. It is a highly promising direction for future research, especially in heterogeneous SDN, where the paths between any two given endpoints may represent a diversity of communications media, supported protocols, and security challenges. Furthermore, trust-based routing provides a framework for realizing security requirements by mapping security requirements to decisions and actions based on trust and the assessed trustworthiness of nodes, links, and potentially whole domains and networks.
Unfortunately, there is no widely accepted definition of trust in security, and it is frequently conflated with security as a state (i.e., if something is secure it is trustworthy). Some researchers have provided complete trust frameworks for particular domains, such as IoT [318], but there remains potential for a complete, extensible, and scalable trust framework for heterogeneous SDN. We provide a rudimentary view of this in [299], albeit under limitations imposed by OpenFlow and the need for evaluation in simulation versus implementation. As a result, there is a need for a complete trust management framework for SDN and the implementation of a defensible trust management system based on said framework. This framework should include algorithms for trust assessment and the computation of secure end-to-end paths based on trust (i.e., trustworthy paths). Additionally, experimental validation should be provided using a proof-of-concept implementation.

9.5. Other Issues

Finally, several other issues in the existing research have been identified through this review. These issues provide the opportunity for future research that addresses a specific deficit in the current state of the art for SDN data plane security.
Firstly, there is a detrimental focus on availability and specifically on DoS/DDoS attacks in SDN security literature, including for the data plane. This is essentially a ‘low hanging fruit’ problem that manifests due to the lack of native security in OpenFlow. By default, OpenFlow neither authenticates devices nor encrypts the control channel (TLS, which would provide both, is optional in the specification and may be replaced by plain TCP), and, importantly for DoS/DDoS, it provides no convenient method for rejecting malicious and non-compliant messages without processing them. Future security research in SDN should assume that the industry will soon solve these issues in subsequent specifications of the OpenFlow or other southbound-interface protocols.
Secondly, monitoring and observability are notable issues for SDN and specifically for the SDN data plane. Currently, SDN security researchers inherit existing approaches to monitoring and observability from traditional networks, or, alternatively, they implement monitoring and observability specific to their application. Evidently, there is a gap in domain-specific monitoring and observability for SDN and SDN devices. Future research should address this gap by developing meaningful security and network events and metrics specific to SDN.
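As an added illustration of what SDN-specific security metrics might look like (not a proposal from the literature reviewed here), the following Python example derives three switch-level indicators from flow statistics. The sample input imitates the line format of `ovs-ofctl dump-flows` from Open vSwitch; every value in it is constructed, the assumed flow table capacity and the alert thresholds are illustrative, and nothing here is the tool's own code. The indicators are flow table occupancy, the share of recently installed entries that carried at most one packet (a burst of such entries from many distinct sources is the signature of an attempt to exhaust the flow table), and the packet count on the table-miss entry that punts traffic to the controller.

```python
"""SDN-specific security metrics from switch flow statistics (added illustration).

The constructed sample imitates `ovs-ofctl dump-flows` output; all values are
made up.  Capacity and thresholds are assumptions, not values from the
literature.
"""
import re

SAMPLE_DUMP = """\
 cookie=0x0, duration=3600.512s, table=0, n_packets=98213, n_bytes=132541870, priority=100,ip,nw_src=10.0.0.2,nw_dst=10.0.0.3 actions=output:2
 cookie=0x0, duration=2.104s, table=0, n_packets=1, n_bytes=60, priority=10,ip,nw_src=10.0.5.11,nw_dst=10.0.0.3 actions=output:2
 cookie=0x0, duration=1.981s, table=0, n_packets=1, n_bytes=60, priority=10,ip,nw_src=10.0.5.12,nw_dst=10.0.0.3 actions=output:2
 cookie=0x0, duration=1.870s, table=0, n_packets=1, n_bytes=60, priority=10,ip,nw_src=10.0.5.13,nw_dst=10.0.0.3 actions=output:2
 cookie=0x0, duration=1.744s, table=0, n_packets=1, n_bytes=60, priority=10,ip,nw_src=10.0.5.14,nw_dst=10.0.0.3 actions=output:2
 cookie=0x0, duration=1.602s, table=0, n_packets=0, n_bytes=0, priority=10,ip,nw_src=10.0.5.15,nw_dst=10.0.0.3 actions=output:2
 cookie=0x0, duration=1.455s, table=0, n_packets=1, n_bytes=60, priority=10,ip,nw_src=10.0.5.16,nw_dst=10.0.0.3 actions=output:2
 cookie=0x0, duration=3600.512s, table=0, n_packets=412, n_bytes=29640, priority=0 actions=CONTROLLER:65535
"""

FIELD = re.compile(r"(\w+)=([^,\s]+)")             # key=value pairs; bare keys like "ip" are skipped


def parse_flows(dump):
    """Parse dump-flows style lines into dicts of the fields used below."""
    flows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        match_part, _, actions = line.partition(" actions=")
        fields = dict(FIELD.findall(match_part))
        flows.append({
            "priority": int(fields.get("priority", 32768)),   # OVS default when absent
            "duration": float(fields["duration"].rstrip("s")),
            "packets": int(fields["n_packets"]),
            "nw_src": fields.get("nw_src"),
            "actions": actions,
        })
    return flows


def flow_table_metrics(flows, capacity, window=10.0):
    """Indicators from one dump.  `capacity` is the assumed flow table size;
    `window` (seconds) bounds what counts as recently installed."""
    recent = [f for f in flows if f["duration"] <= window and f["priority"] != 0]
    singletons = [f for f in recent if f["packets"] <= 1]
    miss = [f for f in flows if f["priority"] == 0]          # table-miss entry
    return {
        "occupancy": len(flows) / capacity,
        "new_flows": len(recent),
        "singleton_ratio": len(singletons) / len(recent) if recent else 0.0,
        "distinct_sources": len({f["nw_src"] for f in recent if f["nw_src"]}),
        "table_miss_packets": sum(f["packets"] for f in miss),
    }


def alerts(metrics, occupancy_threshold=0.8, singleton_threshold=0.7, min_new=5):
    """Turn metrics into security events; thresholds are illustrative."""
    events = []
    if metrics["occupancy"] >= occupancy_threshold:
        events.append("flow table near capacity")
    if metrics["new_flows"] >= min_new and metrics["singleton_ratio"] >= singleton_threshold:
        events.append("burst of single-packet flows from %d sources (flooding pattern)"
                      % metrics["distinct_sources"])
    return events


def analyse(dump, capacity):
    metrics = flow_table_metrics(parse_flows(dump), capacity)
    return metrics, alerts(metrics)


if __name__ == "__main__":
    print(analyse(SAMPLE_DUMP, capacity=10))
```

In practice the same indicators would be tracked as rates across successive dumps (or from port and table statistics requested over the southbound interface) rather than from a single snapshot, and the table-miss packet count would be compared against the controller's packet-in rate to distinguish a switch that is being flooded from one whose counters are being misreported.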
Thirdly, the security of P4 is underinvestigated. This is surprising, given the substantial research interest that P4 has attracted in the last decade. However, existing P4 security research has consistently been application-focused, rather than concerned with the security of the P4 architecture or P4 devices. A comprehensive threat model for P4 is required and novel attacks on P4 devices should be investigated to understand tactics, techniques, and procedures that may be effective against networks and systems utilizing P4.
Finally, software security for SDN is underinvestigated. To date, security researchers have implicitly adopted existing software security methodologies and practices for SDN [61]. However, the appropriateness of this has yet to be meaningfully investigated. An SDN-based view of the Software Development Lifecycle (SDLC) should be developed to define best practice for software development for SDN. A threat model for network software and firmware in SDN should be developed to understand the security threats that exist, as well as to act as an input to the SDN SDLC. Lastly, application security techniques and controls for SDN should be investigated.

10. Conclusions

Security of the SDN data plane has been the subject of growing research attention over the last decade. There is a clear impetus for detailed investigation into both the security of and security for the SDN data plane as a potential technology for supporting the increasingly complex enterprise and telecommunications networks of the future.
Most work to date falls within the three domains reviewed here: the security capabilities within the data plane, the security of the data plane infrastructure, and dynamic routing within the data plane. This paper has identified emerging trends that highlight under-investigated areas within and across those domains, including data plane security for hybrid SDN and heterogeneous SDN and trust-based methods for data plane security.

Author Contributions

Conceptualization, T.Q., F.B. and F.d.H.; methodology, T.Q., F.B. and F.d.H.; investigation, T.Q., F.B. and F.d.H.; writing—original draft preparation, T.Q.; writing—review and editing, T.Q., F.B. and F.d.H.; visualization, T.Q.; supervision, F.B. and F.d.H.; project administration, F.B. and F.d.H.; funding acquisition, F.B. and F.d.H. All authors have read and agreed to the published version of the manuscript.

Funding

This research is partly funded by the Australian National Next Generation Technology Fund under agreement number ID 10385.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
AI: Artificial Intelligence
API: Application Programming Interface
CNN: Convolutional Neural Network
DL: Deep Learning
DNN: Deep Neural Network
DoS: Denial-of-Service (Attack)
DDoS: Distributed-Denial-of-Service (Attack)
IoT: Internet of Things
MITM: Man-in-the-Middle (Attack)
ML: Machine Learning
MTD: Moving Target Defense
NBI: Northbound Interface
NF: Network Function
NFV: Network Function Virtualization
P4: Programming Protocol-independent Packet Processors
PDP: Programmable Data Plane
RL: Reinforcement Learning
SBI: Southbound Interface
SDN: Software-Defined Networking
SDP: Stateful Data Plane
SDWN: Software-Defined Wireless Network
SIoT: Social Internet of Things
VANET: Vehicular Ad Hoc Network
VNF: Virtual(-ized) Network Function
WSN: Wireless Sensor Network

References

  1. Casado, M.; Freedman, M.J.; Pettit, J.; Luo, J.; McKeown, N.; Shenker, S. Ethane: Taking control of the enterprise. In Proceedings of SIGCOMM ’07, the 2007 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Kyoto, Japan, 27–31 August 2007. [Google Scholar]
  2. McKeown, N.; Anderson, T.; Balakrishnan, H.; Parulkar, G.; Peterson, L.; Rexford, J.; Shenker, S.; Turner, J. OpenFlow: Enabling innovation in campus networks. ACM SIGCOMM Comput. Commun. Rev. 2008, 38, 69–74. [Google Scholar] [CrossRef]
  3. Open Networking Foundation. OpenFlow Switch Specification (v 1.5.1). Available online: https://opennetworking.org/wp-content/uploads/2014/10/openflow-switch-v1.5.1.pdf (accessed on 5 April 2025).
  4. Bosshart, P.; Daly, D.; Gibb, G.; Izzard, M.; McKeown, N.; Rexford, J.; Schlesinger, C.; Talayco, D.; Vahdat, A.; Varghese, G.; et al. P4: Programming protocol-independent packet processors. ACM SIGCOMM Comput. Commun. Rev. 2014, 44, 87–95. [Google Scholar] [CrossRef]
  5. P4 Language Consortium. P4 Open Source Programming Language. Available online: https://p4.org/ (accessed on 5 April 2025).
  6. Rahouti, M.; Xiong, K.; Xin, Y.; Jagatheesaperumal, S.; Ayyash, M.; Shaheed, M. SDN security review: Threat taxonomy, implications and open challenges. IEEE Access 2022, 10, 45820–45854. [Google Scholar] [CrossRef]
  7. Gao, S.; Li, Z.; Xiao, B.; Wei, G. Security threats in the data plane of software-defined networks. IEEE Netw. 2018, 32, 108–113. [Google Scholar] [CrossRef]
  8. Tankovic, A.; Dervisevic, E.; Mehic, M.; Kaljic, E. A survey on data plane security in software-defined networks: Toward adaptive security of data planes. IEEE Access 2025, 13, 97058–97093. [Google Scholar] [CrossRef]
  9. Dargahi, T.; Caponi, A.; Ambrosin, M.; Bianchi, G.; Conti, M. A survey on the security of stateful SDN data planes. IEEE Commun. Surv. Tutor. 2017, 19, 1701–1725. [Google Scholar] [CrossRef]
  10. Shaghaghi, A.; Kaafar, M.; Buyya, R.; Jha, S. Software-defined network (SDN) data plane security: Issues, solutions and future directions. In Handbook of Computer Networks and Cyber Security; Gupta, B., Perez, G., Agrawal, D., Gupta, D., Eds.; Springer: Cham, Switzerland, 2020. [Google Scholar]
  11. Zhang, X.; Cui, L.; Wei, K.; Fung Po, T.; Ji, Y.; Jia, W. A survey on stateful data plane in software defined networks. Comput. Netw. 2021, 184, 107597. [Google Scholar] [CrossRef]
  12. Gao, Y.; Wang, Z. A review of P4 programmable data planes for network security. Mob. Inf. Syst. 2021, 2021, 1257046. [Google Scholar] [CrossRef]
  13. AlSabeh, A.; Khoury, J.; Kfoury, E.; Crichigno, J.; Bou-Harb, E. A survey on security applications of P4 programmable switches and a STRIDE-based vulnerability assessment. Comput. Netw. 2022, 207, 108800. [Google Scholar] [CrossRef]
  14. Goswami, B.; Kulkarni, M.; Paulose, J. A survey on P4 challenges in software defined networks: P4 programming. IEEE Access 2023, 11, 54373–54387. [Google Scholar] [CrossRef]
  15. Kaljic, E.; Maric, A.; Njemcevic, P.; Hadzialic, M. A survey on data plane flexibility and programmability in software-defined networking. IEEE Access 2019, 7, 47804–47840. [Google Scholar] [CrossRef]
  16. Michel, O.; Bifulco, R.; Rétvári, G.; Schmid, S. The programmable data plane: Abstractions, architectures, algorithms, and applications. ACM Comput. Surv. 2021, 54, 82. [Google Scholar] [CrossRef]
  17. Kfoury, E.F.; Crichigno, J.; Bou-Harb, E. An exhaustive survey on P4 programmable data plane switches: Taxonomy, applications, challenges, and future trends. IEEE Access 2021, 9, 87094–87155. [Google Scholar] [CrossRef]
  18. Hauser, F.; Häberle, M.; Merling, D.; Lindner, S.; Gurevich, V.; Zeiger, F.; Frank, R.; Menth, M. A survey on data plane programming with P4: Fundamentals, advances, and applied research. J. Netw. Comput. Appl. 2023, 212, 103561. [Google Scholar] [CrossRef]
  19. Ahmad, I.; Namal, S.; Ylianttila, M.; Gurtov, A. Security in software defined networks: A survey. IEEE Commun. Surv. Tutor. 2015, 17, 2317–2346. [Google Scholar] [CrossRef]
  20. Dabbagh, M.; Hamdaoui, B.; Guizani, M.; Rayes, A. Software-defined networking security: Pros and cons. IEEE Commun. Mag. 2015, 53, 73–79. [Google Scholar] [CrossRef]
  21. Alsmadi, I.; Xu, D. Security of software defined networks: A survey. Comput. Secur. 2015, 53, 79–108. [Google Scholar] [CrossRef]
  22. Scott-Hayward, S.; Natarajan, S.; Sezer, S. A survey of security in software defined networks. IEEE Commun. Surv. Tutor. 2016, 18, 623–654. [Google Scholar] [CrossRef]
  23. Dayal, N.; Maity, P.; Srivastava, S.; Khondoker, R. Research trends in security and DDoS in SDN. Secur. Commun. Netw. 2016, 9, 6386–6411. [Google Scholar] [CrossRef]
  24. Krishnan, P.; Najeem, J.S. A review of security, threats and mitigation approaches for SDN. Int. J. Innov. Technol. Explor. Eng. 2019, 8, 389–393. [Google Scholar]
  25. Iqbal, M.; Iqbal, F.; Mohsin, F.; Rizwan, M.; Ahmad, F. Security issues in software defined networking (SDN): Risks, challenges and potential solutions. Int. J. Adv. Comput. Sci. Appl. 2019, 10, 298–303. [Google Scholar] [CrossRef]
  26. Isyaku, B.; Zahid, M.S.M.; Kamat, M.B.; Abu Bakar, K.; Ghaleb, F.A. Software defined networking flow table management of OpenFlow switches performance and security challenges: A survey. Futur. Internet 2020, 12, 147. [Google Scholar] [CrossRef]
  27. Chica, J.C.C.; Imbachi, J.C.; Vega, J.F.B. Security in SDN: A comprehensive survey. J. Netw. Comput. Appl. 2020, 159, 102595. [Google Scholar] [CrossRef]
  28. Alhaj, A.N.; Dutta, N. Analysis of security attacks in SDN network: A comprehensive survey. In Contemporary Issues in Communication, Cloud and Big Data Analytics; Springer: Berlin/Heidelberg, Germany, 2021. [Google Scholar]
  29. Jimenez, M.B.; Fernandez, D.; Rivadeneira, J.E.; Bellido, L.; Cardenas, A. A survey of the main security issues and solutions for the SDN architecture. IEEE Access 2021, 9, 122016–122038. [Google Scholar] [CrossRef]
  30. Deb, R.; Roy, S. A comprehensive survey of vulnerability and information security in SDN. Comput. Netw. 2022, 206, 108802. [Google Scholar] [CrossRef]
  31. Hirsi Abdi, A.; Audah, L.; Salh, A.; Alhartomi, M.A.; Rasheed, H.; Ahmed, S.; Tahir, A. Security control and data planes of SDN: A comprehensive review of traditional, AI, and MTD approaches to security solutions. IEEE Access 2024, 12, 69941–69980, Erratum in IEEE Access 2024, 12, 162107–162108. [Google Scholar] [CrossRef]
  32. Bhuiyan, Z.A.; Islam, S.; Islam, M.; Ullah, A.B.M.A.; Naz, F.; Rahman, M.S. On the (in)security of the control plane of SDN architecture: A survey. IEEE Access 2023, 11, 91550–91582. [Google Scholar] [CrossRef]
  33. Mahar, I.A.; Libing, W.; Maher, Z.A.; Rahu, G.A. A comprehensive survey of software defined networking and its security threats. In Proceedings of the IEEE 1st Karachi Section Humanitarian Technology Conference (Khi-HTC), Tandojam, Pakistan, 8–9 January 2024. [Google Scholar]
  34. Farooq, M.S.; Riaz, S.; Alvi, A. Security and privacy issues in software-defined networking (SDN): A systematic literature review. Electronics 2023, 12, 3077. [Google Scholar] [CrossRef]
  35. Yoon, C.; Lee, S.; Kang, H.; Par, T.; Shin, S.; Yegneswaran, V.; Porras, P.; Gu, G. Flow wars: Systemizing the attack surface and defenses in software-defined networks. IEEE Trans. Netw. 2017, 25, 3514–3530. [Google Scholar] [CrossRef]
  36. Raghunath, K.; Krishnan, P. Towards a secure SDN architecture. In Proceedings of the 9th International Conference on Computing and Networking Technology (ICCNT), Amsterdam, The Netherlands, 10–12 July 2018. [Google Scholar]
  37. Nisar, K.; Jimson, E.R.; Hijazi, M.H.A.; Welch, I.; Hassan, R.; Aman, A.H.M.; Sodhro, A.H.; Pirbhulal, S.; Khan, S. A survey on the architecture, application, and security of software defined networking: Challenges and open issues. Internet Things 2020, 12, 100289. [Google Scholar] [CrossRef]
  38. Gaur, K.; Choudhary, P.; Yadav, P.; Jain, A.; Kumar, P. Software defined networking: A review on architecture, security and applications. In Proceedings of the International Conference on Applied Scientific Computational Intelligence Using Data Science (ASCI 2020), Jaipur, India, 22–23 December 2020. [Google Scholar]
  39. Sezer, S.; Scott-Hayward, S.; Chouhan, P.K.; Fraser, B.; Lake, D.; Finnegan, J.; Viljoen, N.; Miller, M.; Rao, N. Are we ready for SDN? Implementation challenges for software-defined networks. IEEE Commun. Mag. 2013, 51, 36–43. [Google Scholar] [CrossRef]
  40. Feamster, N.; Rexford, J.; Zegura, E. The road to SDN: An intellectual history of programmable networks. ACM SIGCOMM Comput. Commun. Rev. 2014, 44, 100289. [Google Scholar] [CrossRef]
  41. Braun, W.; Menth, M. Software-defined networking using OpenFlow: Protocols, applications and architectural design choices. Futur. Internet 2014, 6, 302–336. [Google Scholar] [CrossRef]
  42. Xia, W.; Wen, Y.; Foh, C.H.; Niyato, D.; Xie, H. A survey on software-defined networking. IEEE Commun. Surv. Tutor. 2015, 17, 27–51. [Google Scholar] [CrossRef]
  43. Kreutz, D.; Ramos, F.M.V.; Veríssimo, P.E.; Rothenberg, C.E.; Azodolmolky, S.; Uhlig, S. Software-defined networking: A comprehensive survey. Proc. IEEE 2015, 103, 14–76. [Google Scholar] [CrossRef]
  44. Benzekki, K.; El Fergougui, A.; Elalaoui, A.E. Software-defined networking (SDN): A survey. Secur. Commun. Netw. 2016, 9, 5803–5833. [Google Scholar] [CrossRef]
  45. Ali, J.; Lee, G.-M.; Roh, B.-H.; Ryu, D.K.; Park, G. Software-defined networking approaches for link failure recovery: A survey. Sustainability 2020, 12, 4255. [Google Scholar] [CrossRef]
  46. Isyaku, B.; Bin Abu Bakar, K.; Ghaleb, F.A.; Al-Nahari, A. Dynamic routing and failure recovery approaches for efficient resource utilization in OpenFlow-SDN: A survey. IEEE Access 2022, 10, 121791–121815. [Google Scholar] [CrossRef]
  47. Kobo, H.I.; Abu-Mahfouz, A.M.; Hancke, G.P., Jr. A survey on software-defined wireless sensor networks: Challenges and design requirements. IEEE Access 2017, 5, 1872–1899. [Google Scholar] [CrossRef]
  48. Rafique, W.; Qi, L.; Yaqoob, I.; Imran, M.; Rasool, R.U.; Dou, W. Complementing IoT services through software defined networking and edge computing: A comprehensive survey. IEEE Commun. Surv. Tutor. 2020, 22, 1761–1804. [Google Scholar] [CrossRef]
  49. Zhao, Y.; Li, Y.; Zhang, X.; Geng, G.; Zhang, W.; Sun, Y. A survey of networking applications applying the software defined networking concept based on machine learning. IEEE Access 2019, 7, 95397–95417. [Google Scholar] [CrossRef]
  50. Xie, J.; Yu, F.R.; Huang, T.; Xie, R.; Liu, J.; Wang, C.; Liu, Y. A Survey of Machine Learning Techniques Applied to Software Defined Networking (SDN): Research Issues and Challenges. IEEE Commun. Surv. Tutor. 2019, 21, 393–430. [Google Scholar] [CrossRef]
  51. Taheri, R.; Ahmed, H.; Arslan, E. Deep learning for the security of software-defined networks: A review. Clust. Comput. 2023, 26, 3089–3112. [Google Scholar] [CrossRef]
  52. Shahzad, M.; Rizvi, S.; Khan, T.A.; Ahmad, S.; Ateya, A.A. An exhaustive parametric analysis for securing SDN through traditional, AI/ML, and blockchain approaches: A systematic review. Int. J. Networked Distrib. Comput. 2025, 13, 12. [Google Scholar] [CrossRef]
  53. Bardhi, E.; Conti, M.; Lazzeretti, R. Is AI a trick or t(h)reat for securing programmable data planes? IEEE Netw. 2024, 38, 146–152. [Google Scholar] [CrossRef]
  54. Li, Y.; Chen, M. Software-defined network function virtualization: A survey. IEEE Access 2015, 3, 2542–2553. [Google Scholar] [CrossRef]
  55. Demirci, S.; Demirci, M.; Sagiroglu, S. Virtual security functions and their placement in software defined networks: A survey. GAZI Univ. J. Sci. 2019, 32, 833–851. [Google Scholar] [CrossRef]
  56. Demirci, S.; Sagiroglu, S. Optimal placement of virtual network functions in software defined networks: A survey. J. Netw. Comput. Appl. 2019, 147, 102424. [Google Scholar] [CrossRef]
  57. Sengupta, S.; Chowdhary, A.; Sabur, A.; Alshamrani, A.; Huang, D.; Kambhampati, S. A Survey of Moving Target Defenses for network security. IEEE Commun. Surv. Tutor. 2020, 22, 1909–1941. [Google Scholar] [CrossRef]
  58. Macedo, D.F.; Guedes, D.; Vieira, L.F.M.; Vieira, M.A.M.; Nogueira, M. Programmable networks-from software-defined radio to software-defined networking. IEEE Commun. Surv. Tutor. 2015, 17, 1102–1125. [Google Scholar] [CrossRef]
  59. Balarezo, J.F.; Wang, S.; Chavez, K.G.; Al-Hourani, A.; Kandeepan, S. A survey on DoS/DDoS attacks mathematical modelling for traditional, SDN and virtual networks. Eng. Sci. Technol. Int. J. 2022, 31, 101065. [Google Scholar] [CrossRef]
  60. Carrascal, D.; Rojas, E.; Arco, J.M.; Lopez-Pajares, D.; Alvarez-Horcajo, J.; Carral, J.A. A comprehensive survey of in-band control in SDN: Challenges and opportunities. Electronics 2023, 12, 1265. [Google Scholar] [CrossRef]
  61. Diouf, M.; Ouya, S.; Klein, J.; Bissyandé, T. Software security in software-defined networking: A systematic literature review. arXiv 2025, arXiv:2502.13828. [Google Scholar] [CrossRef]
  62. Moshref, M.; Bhargava, A.; Gupta, A.; Yu, M.; Govindan, R. Flow-level state transition as a new switch primitive for SDN. In Proceedings of the 2014 ACM conference on SIGCOMM (SIGCOMM14), Chicago, IL, USA, 17–22 August 2014. [Google Scholar]
  63. Bianchi, G.; Bonola, M.; Capone, A.; Cascone, C. OpenState: Programming platform-independent stateful OpenFlow applications inside the switch. ACM SIGCOMM Comput. Commun. Rev. 2014, 44, 44–51. [Google Scholar] [CrossRef]
  64. Sun, C.; Bi, J.; Chen, H.; Hu, H.; Zheng, Z.; Zhu, S.; Wu, C. SDPA: Toward a stateful data plane in software-defined networking. IEEE/ACM Trans. Netw. 2017, 25, 3294–3308. [Google Scholar] [CrossRef]
  65. Scholz, D.; Gallenmuller, S.; Stubbe, H.; Carle, G. SYN flood defense in programmable data planes. In Proceedings of the 3rd P4 Workshop in Europe (EuroP4 2020), Part of CoNEXT 2020, New York, NY, USA, 1–4 December 2020. [Google Scholar]
  66. Scholz, D.; Gallenmuller, S.; Stubbe, H.; Jaber, B.; Rouhi, M.; Carle, G. Me Love (SYN-) Cookies: SYN Flood Mitigation in Programmable Data Planes. Available online: https://arxiv.org/pdf/2003.03221 (accessed on 18 January 2025).
  67. Lin, T.-Y.; Wu, J.-P.; Hung, P.-H.; Shao, C.-H.; Wang, Y.-T.; Cai, Y.-Z.; Tsai, M.-H. Mitigating SYN flooding Attack and ARP Spoofing in SDN Data Plane. In Proceedings of the 21st Asia-Pacific Network Operations and Management Symposium (APNOMS), Daegu, Republic of Korea, 22–25 September 2020. [Google Scholar]
  68. Khooi, X.Z.; Csikor, L.; Divakaran, D.M.; Kang, M.S. DIDA: Distributed in-network defense architecture against amplified reflection DDoS attacks. In Proceedings of the 6th IEEE International Conference on Network Softwarization (NetSoft), Ghent, Belgium, 29 June–3 July 2020. [Google Scholar]
  69. Friday, K.; Kfoury, E.; Bou-Harb, E.; Crichigno, J. Towards a Unified In-Network DDoS Detection and Mitigation Strategy. In Proceedings of the 6th IEEE International Conference on Network Softwarization (NetSoft), Ghent, Belgium, 29 June–3 July 2020. [Google Scholar]
  70. Simsek, G.; Bostan, H.; Sarica, A.K.; Sarikaya, E.; Keles, A.; Angin, P.; Alemdar, H.; Onur, E. DroPPPP: A P4 Approach to Mitigating DoS Attacks in SDN. In Proceedings of the International Workshop on Information Security Applications, Jeju Island, Republic of Korea, 26–28 August 2020. [Google Scholar]
  71. Dimolianis, M.; Pavlidis, A.; Maglaris, V. A multi-feature DDoS detection schema on P4 network hardware. In Proceedings of the 1st Workshop on Flexible Network Data Plane Processing (NETPROC@ICIN2020), Paris, France, 24–27 February 2020. [Google Scholar]
  72. Zhang, M.; Li, G.; Wang, S.; Liu, C.; Chen, A.; Hu, H.; Gu, G.; Li, Q.; Xu, M.; Wu, J. Poseidon: Mitigating volumetric DDoS attacks with programmable switches. In Proceedings of the Network and Distributed Systems Security (NDSS) Symposium, San Diego, CA, USA, 23–26 February 2020. [Google Scholar]
  73. Liu, Z.; Namkung, H.; Nikolaidis, G.; Lee, J.; Kim, C.; Jin, X.; Braverman, V.; Yu, M.; Sekar, V. Jaqen: A High-Performance Switch-Native Approach for Detecting and Mitigating Volumetric DDoS Attacks with Programmable Switches. In Proceedings of the 30th USENIX Security Symposium, Online, 11–13 August 2021. [Google Scholar]
  74. Xing, J.; Wu, W.; Chen, A. Ripple: A programmable, decentralized link-flooding defense against adaptive adversaries. In Proceedings of the 30th USENIX Security Symposium, Online, 11–13 August 2021. [Google Scholar]
  75. Kuka, M.; Vojanec, K.; Kucera, J.; Benacek, P. Accelerated DDoS attacks mitigation using programmable data plane. In Proceedings of the ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS), Cambridge, UK, 24–25 September 2019. [Google Scholar]
  76. Lapolli, A.C.; Marques, J.A.; Gaspary, L.P. Offloading real-time DDoS attack detection to programmable data planes. In Proceedings of the IFIP/IEEE Symposium on Integrated Network and Service Management (IM), Arlington, WA, USA, 8–12 April 2019. [Google Scholar]
  77. Ding, D.; Savi, M.; Pederzolli, F.; Campanella, M.; Siracusa, D. In-network volumetric DDoS victim identification using programmable commodity switches. IEEE Trans. Netw. Serv. Manag. 2021, 18, 1191–1202. [Google Scholar] [CrossRef]
  78. Ding, D.; Savi, M.; Siracusa, D. Tracking normalized network traffic entropy to detect DDoS attacks in P4. IEEE Trans. Dependable Secur. Comput. 2022, 19, 4019–4031. [Google Scholar] [CrossRef]
  79. Sivaraman, V.; Narayana, S.; Rottenstreich, O.; Muthukrishnan, S.; Rexford, J. Heavy-hitter detection entirely in the data plane. In Proceedings of the Symposium on SDN Research (SOSR17), Santa Clara, CA, USA, 3–4 April 2017. [Google Scholar]
  80. Febro, A.; Xiao, H.; Spring, J. Telephony denial of service defense at data plane (TDoSD@DP). In Proceedings of the 2018 IEEE/IFIP Network Operations and Management Symposium, Taipei, Taiwan, 23–27 April 2018. [Google Scholar]
  81. Febro, A.; Xiao, H.; Spring, J. Distributed SIP DDoS defense with P4. In Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC), Marrakesh, Morocco, 15–18 April 2019. [Google Scholar]
  82. Mi, Y.; Wang, A. ML-Pushback: Machine learning based pushback defense against DDoS. In Proceedings of the 15th International Conference on Emerging Networking EXperiments and Technologies (CoNEXT19), Orlando, FL, USA, 9–12 December 2019. [Google Scholar]
  83. González, L.A.Q.; Castanheira, L.; Marques, J.A.; Schaeffer-Filho, A. BUNGEE: An adaptive pushback mechanism for DDoS detection and mitigation in P4 data planes. In Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management (IM), Bordeaux, France, 16–21 May 2021. [Google Scholar]
  84. Yue, M.; Wang, H.; Liu, L.; Wu, Z. Detecting DoS attacks based on multi-features in SDN. IEEE Access 2020, 8, 104688–104700. [Google Scholar] [CrossRef]
  85. Musumeci, F.; Ionata, V.; Paolucci, F.; Cugini, F.; Tornatore, M. Machine-learning-assisted DDoS attack detection with P4 language. In Proceedings of the IEEE International Conference on Communications (ICC) (ICC2020), Dublin, Ireland, 7–11 June 2020. [Google Scholar]
  86. Zhang, W.; Jing, S.; Zhao, C. Anti-DDoS attacks strategy of SDN data plane with data augmentation based on P4. In Proceedings of the International Conference on High Performance Computing & Communications, Data Science & Systems, Smart City & Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys), Melbourne, Australia, 17–21 December 2023. [Google Scholar]
  87. Ndonda, G.K.; Sadre, R. A two-level intrusion detection system for industrial control system networks using P4. In Proceedings of the 5th International Symposium for ICS & SCADA Cyber Security Research 2018 (ICS-CSR 2018), Hamburg, Germany, 29–30 August 2018. [Google Scholar]
  88. Lewis, B.; Broadbent, M.; Race, N. P4ID: P4 enhanced intrusion detection. In Proceedings of the IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), Dallas, TX, USA, 12–14 November 2019. [Google Scholar]
  89. Cai, Y.-Z.; Lin, T.-Y.; Wang, Y.-T.; Tuan, Y.-P. E-Replacement: Efficient scanner data collection method in P4-based software-defined networks. Int. J. Netw. Manag. 2021, 31, e2162. [Google Scholar] [CrossRef]
  90. Golchin, P.; Zhou, C.; Agnihotri, P.; Agnihotri, P.; Hajizadeh, M.; Kundel, R.; Steinmetz, R. CML-IDS: Enhancing intrusion detection in SDN through collaborative machine learning. In Proceedings of the 19th International Conference on Network and Service Management (CNSM 2023), Niagara Falls, ON, Canada, 30 October–2 November 2023. [Google Scholar]
  91. Doriguzzi-Corin, R.; Knob, L.A.D.; Mendozzi, L.; Siracusa, D.; Savi, M. Introducing packet-level analysis in programmable data planes to advance network intrusion detection. Comput. Netw. 2024, 239, 110162. [Google Scholar] [CrossRef]
  92. Sanghi, A.; Kadiyala, K.P.; Tammana, P.; Joshi, S. Anomaly detection in data plane systems using packet execution paths. In Proceedings of the ACM SIGCOMM 2021 Workshop on Secure Programmable Network Infrastructure, New York, NY, USA, 27 August 2021. [Google Scholar]
  93. Qin, Q.; Poularakis, K.; Leung, K.K.; Tassiulas, L. Line-speed and scalable intrusion detection at the network edge via federated learning. In Proceedings of the IFIP Networking Conference (Networking), Paris, France, 22–25 June 2020. [Google Scholar]
  94. Gutierrez, S.A.; Branch, J.W.; Gaspary, L.P.; Botero, J.F. Watching Smartly from the Bottom: Intrusion Detection Revamped Through Programmable Networks and Artificial Intelligence. Available online: https://arxiv.org/pdf/2106.00239 (accessed on 18 January 2025).
  95. Brandino, B.; Casas, P.; Grampín, E. Detecting attacks at switching speed: AI/ML and active learning for in-network monitoring in data planes. In Proceedings of the IEEE 32nd International Conference on Network Protocols (ICNP 2024), Charleroi, Belgium, 28–31 October 2024. [Google Scholar]
  96. Brandino, B.; Grampin, E.; Dietz, K.; Wehner, N.; Seufert, M.; Hoßfeld, T.; Casas, P. HALIDS: A hardware-assisted machine learning IDS for in-network monitoring. In Proceedings of the 8th Network Traffic Measurement and Analysis Conference (TMA 2024), Dresden, Germany, 21–24 May 2024. [Google Scholar]
  97. Maheswaran, N.; Bose, S.; Gokulraj, G.; Anitha, T.; Shruthi, T.; Vijayaraj, G. Intrusion prevention system in SDN environment for 6G networks using deep learning. In Proceedings of the 6th International Conference on Mobile Computing and Sustainable Informatics (ICMCSI-2025), Lalitpur, Nepal, 7–8 January 2025. [Google Scholar]
  98. Spina, M.G.; DeRango, F.; Scalzo, E.; Guerriero, F.; Iera, A. Distributing intelligence in 6G programmable data planes for effective in-network intrusion prevention. IEEE Netw. 2025, 39, 319–325. [Google Scholar] [CrossRef]
  99. Seufert, M.; Dietz, K.; Wehner, N.; Geißler, S.; Schüler, J.; Wolz, M.; Hotho, A.; Casas, P.; Hoßfeld, T.; Feldmann, A. Marina: Realizing ML-driven real-time network traffic monitoring at terabit scale. IEEE Trans. Netw. Serv. Manag. 2024, 21, 2773–2790. [Google Scholar] [CrossRef]
  100. Wang, H.; Tan, X.; Yuan, S.; Li, M.; Wu, J.; Zheng, Q. A two-phase encrypted traffic classification scheme in programmable data plane. In Proceedings of the IEEE International Symposium on Parallel and Distributed Processing with Applications (ISPA), Kaifeng, China, 30 October–2 November 2024. [Google Scholar]
  101. Sanvito, D.; Moro, D.; Capone, A. Towards traffic classification offloading to stateful SDN data planes. In Proceedings of the IEEE Conference on Network Softwarization (NetSoft 2017), Bologna, Italy, 3–7 July 2017. [Google Scholar]
  102. Hypolite, J.; Sonchack, J.; Hershkop, S.; Dautenhahn, N.; DeHon, A.; Smith, J.M. DeepMatch: Practical deep packet inspection in the data plane using network processors. In Proceedings of the 16th International Conference on Emerging Networking EXperiments and Technologies (CoNEXT20), Barcelona, Spain, 1–4 December 2020. [Google Scholar]
  103. AlSabeh, A.; Kfoury, E.; Crichigno, J.; Bou-Harb, E. P4DDPI: Securing P4-programmable data plane networks via DNS deep packet inspection. In Proceedings of the Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb), San Diego, CA, USA, 28 April 2022; pp. 1–7. [Google Scholar]
  104. Gupta, S.; Gosain, D.; Kwon, M.; Acharya, H.B. DeeP4R: Deep packet inspection in P4 using packet recirculation. In Proceedings of the IEEE Conference on Computer Communications (INFOCOM 2023), New York, NY, USA, 17–20 May 2023. [Google Scholar]
  105. Voros, P.; Kiss, A. Security middleware programming using P4. In International Conference on Human Aspects of Information Security, Privacy, and Trust; Tryfonas, T., Ed.; Springer: Berlin/Heidelberg, Germany, 2016. [Google Scholar]
  106. Cao, J.; Bi, J.; Zhou, Y.; Zhang, C. CoFilter: A high-performance switch-assisted stateful packet filter. In Proceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos, Budapest, Hungary, 20–25 August 2018. [Google Scholar]
  107. Datta, R.; Choi, S.; Chowdhary, A.; Park, Y. P4Guard: Designing P4 based firewall. In Proceedings of the 2018 IEEE Military Communications Conference (MILCOM), Los Angeles, CA, USA, 29–31 October 2018. [Google Scholar]
  108. Ricart-Sanchez, R.; Malagon, P.; Alcarez-Calero, J.M.; Wang, Q. NetFPGA-based firewall solution for 5G multi-tenant architectures. In Proceedings of the 2019 IEEE International Conference on Edge Computing (EDGE), Milan, Italy, 8–13 July 2019. [Google Scholar]
  109. Afek, Y.; Bremler-Barr, A.; Shafir, L. Network anti-spoofing with SDN data plane. In Proceedings of the IEEE Conference on Computer Communications (INFOCOM 2017), Atlanta, CA, USA, 1–4 May 2017. [Google Scholar]
  110. Gondaliya, H.; Sankaran, G.C.; Sivalingam, K.M. Comparative Evaluation of IP Address Anti-Spoofing Mechanisms Using a P4/NetFPGA-Based Switch. In Proceedings of the 3rd P4 Workshop in Europe (EuroP4 2020), Part of CoNEXT 2020, Barcelona, Spain, 1 December 2020. [Google Scholar]
  111. Kuang, P.; Liu, Y.; He, L. P4DAD: Securing duplicate address detection using P4. In Proceedings of the IEEE International Conference on Communications (ICC), Dublin, Ireland, 7–11 June 2020. [Google Scholar]
  112. Li, G.; Zhang, M.; Liu, C.; Kong, X.; Chen, A.; Gu, G.; Duan, H. NetHCF: Enabling Line-Rate and Adaptive Spoofed IP Traffic Filtering. In Proceedings of the IEEE 27th International Conference on Network Protocols (ICNP), Chicago, IL, USA, 8–10 October 2019. [Google Scholar]
  113. Datta, T.; Feamster, N.; Rexford, J.; Wang, L. SPINE: Surveillance protection in the network elements. In Proceedings of the 9th USENIX Workshop on Free and Open Communications on the Internet (FOCI 19), Santa Clara, CA, USA, 13 August 2019. [Google Scholar]
  114. Chang, D.; Sun, W.; Yang, Y. A SDN proactive defense mechanism based on IP transformation. In Proceedings of the 2nd International Conference on Safety Produce Informatization (IICSPI), Chongqing, China, 28–30 November 2019. [Google Scholar]
  115. Govil, Y.; Wang, L.; Rexford, J. MIMIQ: Masking IPs with migration in QUIC. In Proceedings of the USENIX Workshop on Free and Open Communications on the Internet (FOCI), Austin, TX, USA, 11 August 2020. [Google Scholar]
  116. Liu, G.; Quan, W.; Cheng, N.; Lu, N.; Zhang, H.; Shen, X. P4NIS: Improving network immunity against eavesdropping with programmable data planes. In Proceedings of the IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Vancouver, BC, Canada, 20 May 2020. [Google Scholar]
  117. Liu, G.; Quan, W.; Cheng, N.; Gao, D.; Lu, N.; Zhang, H.; Shen, X. Softwarized IoT network immunity against eavesdropping with programmable data planes. IEEE Internet Things 2021, 8, 6578–6590. [Google Scholar] [CrossRef]
  118. Meier, R.; Tsankov, P.; Lenders, V.; Vanbever, L.; Vechev, M. NetHide: Secure and practical network topology obfuscation. In Proceedings of the 27th USENIX Security Symposium, Baltimore, MD, USA, 15–17 August 2018. [Google Scholar]
  119. Moghaddam, H.M.; Mosenia, A. Anonymizing Masses: Practical Light-Weight Anonymity at the Network Level. Available online: https://arxiv.org/abs/1911.09642 (accessed on 17 January 2025).
  120. Kim, H.; Gupta, A. ONTAS: Flexible and scalable online network traffic anonymization system. In Proceedings of the 2019 Workshop on Network Meets AI & ML (NetAI19), Beijing, China, 23 August 2019. [Google Scholar]
  121. Almaini, A.; Al-Dubai, A.; Romdhani, I.; Schramm, M. Delegation of authentication to the data plane in software-defined networks. In Proceedings of the 2019 IEEE International Conferences on Ubiquitous Computing & Communications (IUCC) and Data Science and Computational Intelligence (DSCI) and Smart Computing, Networking and Services (SmartCNS), Shenyang, China, 21–23 October 2019. [Google Scholar]
  122. Almaini, A.; Al-Dubai, A.; Romdhani, I.; Schramm, M.; Alsarhan, A. Lightweight edge authentication for software defined networks. Computing 2021, 103, 291–311. [Google Scholar] [CrossRef]
  123. Zaballa, E.O.; Franco, D.; Zhou, Z.; Berger, M.S. P4Knocking: Offloading host-based firewall functionalities to the network. In Proceedings of the 1st Workshop on Flexible Network Data Plane Processing (NETPROC@ICIN2020), Paris, France, 24–27 February 2020. [Google Scholar]
  124. Qin, Y.; Quan, W.; Song, F.; Zhang, L.; Liu, G.; Liu, M. Flexible encryption for reliable transmission based on the P4 programmable platform. In Proceedings of the Information Communication Technologies Conference, Nanjing, China, 29–31 May 2020. [Google Scholar]
  125. Chen, X. Implementing AES encryption on programmable switches via scrambled lookup tables. In Proceedings of the 2020 ACM SIGCOMM Workshop on Secure Programmable Network Infrastructure (SPIN20), Online, 10 August 2020. [Google Scholar]
  126. Oliveira, I.; Neto, E.; Immich, R.; Fontes, R.; Neto, A.; Rodriguez, F.; Rothenberg, C.E. Dh-aes-p4: On-premise encryption and in-band key-exchange in P4 fully programmable data planes. In Proceedings of the 4th Workshop on Mobility Support in Slice-Based Network Control for Heterogeneous Environments (IEEE NFV-SDN 2021), Heraklion, Greece, 9 November 2021. [Google Scholar]
  127. Hauser, F.; Schmidt, M.; Haberle, M.; Menth, M. P4-MACsec: Dynamic topology monitoring and data layer protection with MACsec in P4-based SDN. IEEE Access 2020, 8, 58845–58858. [Google Scholar] [CrossRef]
  128. Hauser, F.; Haberle, M.; Menth, M. P4-IPsec: Site-to-site and host-to-site VPN with IPsec in P4-based SDN. IEEE Access 2020, 8, 139567–139586. [Google Scholar] [CrossRef]
  129. Scholz, D.; Oeldemann, A.; Geyer, F.; Gallenmüller, S.; Stubbe, H.; Wild, T.; Herkersdorf, A.; Carle, G. Cryptographic hashing in P4 data planes. In Proceedings of the ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS 2019), Cambridge, UK, 24–25 September 2019. [Google Scholar]
  130. Narayanan, N.; Sankaran, G.; Sivalingam, K. Mitigation of security attacks in the SDN data plane using P4-enabled switches. In Proceedings of the 2019 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), Goa, India, 16–19 December 2019. [Google Scholar]
  131. Liu, M.; Gao, D.; Liu, G.; He, J.; Jin, L.; Zhou, C.; Yang, F. Learning based adaptive network immune mechanism to defense eavesdropping attacks. IEEE Access 2019, 7, 182814–182826. [Google Scholar] [CrossRef]
  132. Xing, J.; Wu, W.; Chen, A. Architecting programmable data plane defenses into the network with FastFlex. In Proceedings of the 18th ACM Workshop on Hot Topics in Networks (HotNets 2019), Princeton, NJ, USA, 13–15 November 2019. [Google Scholar]
  133. Castanheira, L.; Parizotto, R.; Schaeffer-Filho, A.E. FlowStalker: Comprehensive traffic flow monitoring on the data plane using P4. In Proceedings of the 2019 IEEE International Conference on Communications (ICC 2019), Shanghai, China, 20–24 May 2019. [Google Scholar]
  134. Gori, G.; Rinieri, L.; Sadi, A.A.; Melis, A.; Callegati, F.; Prandini, M. GRAPH4: A security monitoring architecture based on data plane anomaly detection metrics calculated over attack graphs. Future Internet 2023, 15, 368. [Google Scholar] [CrossRef]
  135. Ganesan, A.; Sarac, K. Attack detection and mitigation using intelligent data planes in SDNs. In Proceedings of the IEEE Global Communications Conference: Communication & Information Systems Security (GLOBECOM 2022), Rio de Janeiro, Brazil, 4–8 December 2022. [Google Scholar]
  136. Smyth, D.; Scott-Hayward, S.; Cionca, V.; McSweeney, S.; O’Shea, D. SECAP switch–defeating topology poisoning attacks using P4 data planes. J. Netw. Syst. Manag. 2023, 31, 28. [Google Scholar] [CrossRef]
  137. Zhou, G.; Liu, Z.; Fu, C.; Li, Q.; Xu, K. An efficient design of intelligent network data plane. In Proceedings of the 32nd USENIX Security Symposium, Anaheim, CA, USA, 9–11 August 2023. [Google Scholar]
  138. Nascimento, A.; Abreu, D.; Riker, A.; Abelém, A. AID-SDN: Advanced intelligent defense for SDN using P4 and machine learning. In Proceedings of the IEEE Latin-American Conference on Communications (LATINCOM), Panama City, Panama, 15–17 November 2023. [Google Scholar]
  139. Paolucci, F.; Civerchia, F.; Sgambelluri, A.; Giorgetti, A.; Cugini, F.; Castoldi, P. P4 edge node enabling stateful traffic engineering and cyber security. J. Opt. Commun. Netw. 2019, 11, A84–A95. [Google Scholar] [CrossRef]
  140. Hwang, R.-H.; Nguyen, V.-L.; Lin, P.-C. StateFit: A security framework for SDN programmable data plane model. In Proceedings of the 15th International Symposium on Pervasive Systems, Algorithms and Networks, Yichang, China, 16–18 October 2018. [Google Scholar]
  141. Grigoryan, G.; Liu, Y. LAMP: Prompt Layer 7 attack mitigation with programmable data planes. In Proceedings of the IEEE 17th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, 1–3 November 2018. [Google Scholar]
  142. Kang, Q.; Xue, L.; Morrison, A.; Tang, Y.; Chen, A.; Luo, X. Programmable in-network security for context-aware BYOD policies. In Proceedings of the 29th USENIX Security Symposium, Boston, MA, USA, 12–14 August 2020. [Google Scholar]
  143. Yang, S.; Bai, L.; Cui, L.; Ming, Z.; Wu, Y.; Yu, S.; Shen, H.; Pan, Y. An efficient pipeline processing scheme for programming Protocol-independent Packet Processors. J. Netw. Comput. Appl. 2020, 171, 102806. [Google Scholar] [CrossRef]
  144. Xing, J.; Kang, Q.; Chen, A. NetWarden: Mitigating network covert channels while preserving performance. In Proceedings of the 29th USENIX Security Symposium, San Diego, CA, USA, 12–14 August 2020. [Google Scholar]
  145. Laraba, A.; Francois, J.; Chrisment, I.; Chowdhury, S.R.; Boutaba, R. Defeating protocol abuse with P4: Application to explicit congestion notification. In Proceedings of the IFIP Networking Conference (Networking), Paris, France, 22–26 June 2020. [Google Scholar]
  146. Barradas, D.; Santos, N.; Rodrigues, L.; Signorello, S.; Ramos, F.M.V.; Madeira, A. FlowLens: Enabling Efficient Flow Classification for ML-based Network Security Applications. In Proceedings of the Network and Distributed Systems Security (NDSS) Symposium, Online, 21–25 February 2021. [Google Scholar]
  147. Bai, S.; Kim, H.; Rexford, J. Passive OS Fingerprinting on Commodity Switches. In Proceedings of the IEEE 8th International Conference on Network Softwarization (NetSoft), Milan, Italy, 27 June–1 July 2022. [Google Scholar]
  148. Yazdinejad, A.; Parizi, R.M.; Dehghantanha, A.; Choo, K.-K.R. P4-to-blockchain: A secure blockchain-enabled packet parser for software defined networking. Comput. Secur. 2020, 88, 101629. [Google Scholar] [CrossRef]
  149. Moro, D.; Verticale, G.; Capone, A. Network function decomposition and offloading on heterogeneous networks with programmable data planes. IEEE Open J. Commun. Soc. 2021, 2, 1874–1885. [Google Scholar] [CrossRef]
  150. Internet Engineering Task Force. Request for Comments (RFC) 9000, QUIC: A UDP-Based Multiplexed and Secure Transport; RFC Editor: Marina del Rey, CA, USA, 2021. [Google Scholar]
  151. Bouet, M.; Leguay, J.; Conan, V. Cost-based placement of virtualized deep packet inspection functions in SDN. In Proceedings of the IEEE Military Communications Conference (MILCOM-IEEE 2013), San Diego, CA, USA, 18–20 November 2013. [Google Scholar]
  152. Cerrato, I.; Jungel, T.; Palesandro, A.; Risso, F.; Sune, M.; Woesner, H. User-specific network service functions in an SDN-enabled network node. In Proceedings of the Third European Workshop on Software-Defined Networks, Budapest, Hungary, 1–3 September 2014. [Google Scholar]
  153. Lin, Y.-D.; Lin, P.-C.; Yeh, C.-H.; Wang, Y.-C.; Lai, Y.-C. An extended SDN architecture for network function virtualization with a case study on intrusion prevention. IEEE Netw. 2015, 29, 48–53. [Google Scholar] [CrossRef]
  154. Bu, C.; Wang, X.; Cheng, H.; Huang, M.; Li, K.; Das, S.K. Enabling adaptive routing service customization via the integration of SDN and NFV. J. Netw. Comput. Appl. 2017, 93, 123–136. [Google Scholar] [CrossRef]
  155. Schulz-Zander, J.; Mayer, C.; Ciobotaru, B.; Lisicki, R.; Schmid, S.; Feldmann, A. Unified programmability of virtualized network functions and software-defined wireless networks. IEEE/ACM Trans. Netw. 2017, 14, 1046–1060. [Google Scholar] [CrossRef]
  156. Tian, C.; Munir, A.; Liu, A.; Yang, J.; Zhao, Y. OpenFunction: An extensible data plane abstraction protocol for platform-independent software-defined middleboxes. IEEE/ACM Trans. Netw. 2018, 26, 1488–1501. [Google Scholar] [CrossRef]
  157. Park, T.; Kim, Y.; Yegneswaran, V.; Porras, P.; Xu, Z.; Park, K.; Shin, S. DPX: Data-plane extensions for SDN security service instantiation. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Gothenburg, Sweden, 19–20 June 2019. [Google Scholar]
  158. Kim, J.; Kim, Y.; Yegneswaran, V.; Porras, P.; Shin, S.; Park, T. Extended data plane architecture for in-network security services in software-defined networks. Comput. Secur. 2023, 124, 102976. [Google Scholar] [CrossRef]
  159. Deng, J.; Hu, H.; Li, H.; Pan, Z.; Wang, K.-C.; Ahn, G.-J.; Bi, J.; Park, Y. VNGuard: An NFV/SDN combination framework for provisioning and managing virtual Firewalls. In Proceedings of the IEEE Conference on Network Function Virtualization and Software Defined Network (NFV-SDN), San Francisco, CA, USA, 18–21 November 2015. [Google Scholar]
  160. Thang, N.; Park, M.; Joo, Y.-I. Elastic Virtual Honeypot System for SDNFV-based networks. Int. J. Commun. Netw. Inf. Secur. 2020, 12, 295–301. [Google Scholar] [CrossRef]
  161. Paolucci, F.; Cugini, F.; Castoldi, P.; Osinski, T. Enhancing 5G SDN/NFV edge with P4 data plane programmability. IEEE Netw. 2021, 35, 154–160. [Google Scholar] [CrossRef]
  162. Das, D.; Banerjee, S.; Dasgupta, K.; Chatterjee, P.; Ghosh, U.; Biswas, U. Blockchain enabled SDN framework for security management in 5G applications. In Proceedings of the 24th International Conference on Distributed Computing and Networking, Kharagpur, India, 4–7 January 2023. [Google Scholar]
  163. Aguado, A.; Hugues-Salas, E.; Haigh, P.A.; Marhuenda, J.; Price, A.B.; Sibson, P.; Kennard, J.E.; Erven, C.; Rarity, J.G.; Thompson, M.G.; et al. First experimental demonstration of secure NFV orchestration over an SDN-controlled optical network with time-shared quantum key distribution. In Proceedings of the 42nd European Conference and Exhibition on Optical Communications, Düsseldorf, Germany, 18–22 September 2016. [Google Scholar]
  164. Aguado, A.; Hugues-Salas, E.; Haigh, P.A.; Marhuenda, J.; Price, A.B.; Sibson, P.; Kennard, J.E.; Erven, C.; Rarity, J.G.; Thompson, M.G.; et al. Secure NFV orchestration over an SDN-controlled optical network with time-shared quantum key distribution resources. J. Lightwave Technol. 2017, 35, 1357–1362. [Google Scholar] [CrossRef]
  165. Aguado, A.; Lopez, V.; Lopez, D.; Peev, M.; Poppe, A.; Pastor, A.; Folgueira, J.; Martin, V. The engineering of software-defined quantum key distribution networks. IEEE Commun. Mag. 2019, 57, 20–26. [Google Scholar] [CrossRef]
  166. Peng, Y.; Wu, C.; Zhao, B.; Yu, W.; Liu, B.; Qiao, S. QKDFlow: QKD based secure communication towards the OpenFlow interface in SDN. In Proceedings of the 4th International Conference on Geo-Informatics in Resource Management and Sustainable Ecosystem (GRMSE2016), Hong Kong, China, 18–20 November 2016. [Google Scholar]
  167. Lopez, D.R.; Martin, V.; Lopez, V.; Iglesia, F.d.l.; Pastor, A.; Brunner, H.; Aguado, A.; Bettelli, S.; Fung, F.; Hillerkuss, D.; et al. Demonstration of software defined network services utilizing quantum key distribution fully integrated with standard telecommunication network. Quantum Rep. 2020, 2, 453–458. [Google Scholar] [CrossRef]
  168. Lopez, V.; Pastor, A.; Lopez, D.; Aguado, A.; Martin, V. MadQCI: A heterogeneous and scalable SDN QKD network deployed in production facilities. arXiv 2023, arXiv:2311.12791. [Google Scholar] [CrossRef]
  169. Tessinari, R.S.; Arabul, E.; Alia, O.; Muqaddas, A.S.; Kanellos, G.T.; Nejabati, R.; Simeonidou, D. Demonstration of a dynamic QKD network control using a QKD-aware SDN application over a programmable hardware encryptor. In Proceedings of the Optical Fiber Communication Conference (OFC2021), Washington, DC, USA, 6–11 June 2021. [Google Scholar]
  170. Arabul, E.; Tessinari, R.S.; Alia, O.; Hugues-Salas, E.; Kanellos, G.T.; Nejabati, R.; Simeonidou, D. Experimental demonstration of programmable 100 Gb/s SDN-enabled encryptors/decryptors for QKD networks. In Proceedings of the Optical Fiber Communication Conference (OFC 2021), Washington, DC, USA, 6–11 June 2021. [Google Scholar]
  171. Arabul, E.; Tessinari, R.S.; Alia, O.; Oliveira, R.; Kanellos, G.T.; Nejabati, R.; Simeonidou, D. 100 Gb/s dynamically programmable SDN-enabled hardware encryptor for optical networks. J. Opt. Commun. Netw. 2022, 14, A50–A60. [Google Scholar] [CrossRef]
  172. Mahdi, S.S.; Abdullah, A.A. Enhanced security of software-defined network and network slice through hybrid quantum key distribution protocol. Infocommun. J. 2022, 14, 9–15. [Google Scholar] [CrossRef]
  173. Tessinari, R.S.; Woodward, R.I.; Shields, A.J. Software-defined quantum network using a QKD-secured SDN controller and encrypted messages. In Proceedings of the Optical Fiber Communication Conference (OFC 2023), San Diego, CA, USA, 5–9 March 2023. [Google Scholar]
  174. García, C.R.; Rommel, S.; Olmos, J.J.V.; Monroy, I.T. Enhancing the security of software defined networks via quantum key distribution and post-quantum cryptography. In Proceedings of the Distributed Computing and Artificial Intelligence, Special Sessions I, 20th International Conference (DCAI2023), Guimarães, Portugal, 12–14 July 2023. [Google Scholar]
  175. Rempola, M.H.; Smith, A.; Li, Y.; Du, L. Securing SDN communication through quantum key distribution. In Proceedings of the Distributed Computing and Artificial Intelligence, Special Sessions I, 20th International Conference (DCAI2023), Guimarães, Portugal, 12–14 July 2023. [Google Scholar]
  176. Satasiya, D.; Rupal, D.R. Analysis of software defined network firewall (SDF). In Proceedings of the International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), Chennai, India, 23–25 March 2016; pp. 228–231. [Google Scholar]
  177. Nife, F.; Kotulski, Z. Application-aware firewall mechanism for software defined networks. J. Netw. Syst. Manag. 2020, 28, 605–626. [Google Scholar] [CrossRef]
  178. Huang, H.; Li, P.; Guo, S. Traffic scheduling for deep packet inspection in software-defined networks. Concurr. Comput. Pract. Exp. 2017, 29, e3967. [Google Scholar] [CrossRef]
  179. Yu, C.; Lan, J.; Xie, J.; Hu, Y. QoS-aware traffic classification architecture using machine learning and deep packet inspection in SDNs. In Proceedings of the 8th International Congress of Information and Communication Technology (ICICT 2018), Xiamen, China, 23–25 March 2018. [Google Scholar]
  180. Cheng, Q.; Wu, C.; Zhou, H.; Kong, D.; Zhang, D.; Xing, J.; Ruan, W. Machine learning based malicious payload identification in software defined networking. J. Netw. Comput. Appl. 2021, 192, 103186. [Google Scholar] [CrossRef]
  181. Sainz, M.; Garitano, I.; Iturbe, M.; Zurutuza, U. Deep packet inspection for intelligent intrusion detection in software-defined industrial networks: A proof of concept. Log. J. IGPL 2020, 28, 461–472. [Google Scholar] [CrossRef]
  182. Wu, X.; Liu, M.; Dou, W.; Yu, S. DDoS attacks on data plane of software-defined network: Are they possible? Secur. Commun. Netw. 2016, 9, 5444–5459. [Google Scholar] [CrossRef]
  183. Durner, R.; Lorenz, C.; Wiedemann, M.; Kellerer, W. Detecting and mitigating denial of service attacks against the data plane in software defined networks. In Proceedings of the IEEE Conference on Network Softwarization (NetSoft 2017), Bologna, Italy, 3–7 July 2017. [Google Scholar]
  184. Shang, G.; Zhe, P.; Bin, X.; Aiqun, H.; Kui, R. FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks. In Proceedings of the IEEE Conference on Computer Communications (IEEE INFOCOM 2017), Atlanta, GA, USA, 1–4 May 2017. [Google Scholar]
  185. Ambrosin, M.; Conti, M.; Gaspari, F.D.; Poovendran, R. LineSwitch: Tackling control plane saturation attacks in software-defined networking. IEEE/ACM Trans. Netw. 2017, 25, 1206–1219. [Google Scholar] [CrossRef]
  186. Sahoo, K.; Puthal, D. SDN-assisted DDoS defense framework for the Internet of Multimedia Things. ACM Trans. Multimed. Comput. Commun. Appl. 2020, 98, 98. [Google Scholar] [CrossRef]
  187. Ujjan, R.; Pervez, Z.; Dahal, K.; Khan, W.; Khattak, A.; Hayat, B. Entropy Based Features Distribution for Anti-DDoS Model in SDN. Sustainability 2021, 13, 1522. [Google Scholar] [CrossRef]
  188. Sumantra, I.; Ghandi, S. DDoS attack detection and mitigation in software defined networks. In Proceedings of the International Conference on System, Computation, Automation and Networking (ICSCAN), Pondicherry, India, 3–4 July 2020. [Google Scholar]
  189. Carvalho, R.N.; Bordim, J.L.; Alchieri, E.A.P. Entropy-based DoS attack identification in SDN. In Proceedings of the IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW 2019), Rio de Janeiro, Brazil, 20–24 May 2019. [Google Scholar]
  190. Wang, S.; Chandrasekharan, S.; Gomez, K.; Kandeepan, S.; Al-Hourani, A.; Asghar, M.R.; Russello, G.; Zanna, P. SECOD: SDN sEcure control and data plane algorithm for detecting and defending against DoS attacks. In Proceedings of the IEEE/IFIP Network Operations and Management Symposium (NOMS 2018), Taipei, Taiwan, 23–27 April 2018. [Google Scholar]
  191. Kaljic, E.; Maric, A.; Njemcevic, P. DoS attack mitigation in SDN networks using a deeply programmable packet-switching node based on a hybrid FPGA/CPU data plane architecture. In Proceedings of the XXVII International Conference on Information, Communication and Automation Technologies (ICAT 2019), Sarajevo, Bosnia and Herzegovina, 20–23 October 2019. [Google Scholar]
  192. Mahrach, S.; Haqiq, A. DDoS flooding attack mitigation in software defined networks. Int. J. Adv. Comput. Sci. Appl. 2020, 11, 693–700. [Google Scholar] [CrossRef]
  193. Carvalho, R.N.; Costa, L.R.; Bordim, J.L.; Alchieri, E.A.P. Enhancing an SDN architecture with DoS attack detection mechanisms. Adv. Sci. Technol. Eng. Syst. 2020, 5, 215–224. [Google Scholar] [CrossRef]
  194. Liu, Y.; Wang, Y.; Feng, H. POAGuard: A defense mechanism against preemptive table overflow attack in software-defined networks. IEEE Access 2023, 11, 123659–123676. [Google Scholar] [CrossRef]
  195. Niyaz, Q.; Sun, W.; Javaid, A.Y. A deep learning based DDoS detection system in software-defined networking (SDN). arXiv 2016, arXiv:1611.07400. [Google Scholar] [CrossRef]
  196. Alshamrani, A.; Chowdhary, A.; Pisharody, S.; Lu, D.; Huang, D. A defense system for defeating DDoS attacks in SDN based networks. In Proceedings of the 15th ACM International Symposium on Mobility Management and Wireless Access (MobiWac 2017), Miami, FL, USA, 21–25 November 2017. [Google Scholar]
  197. Prakash, A.; Priyadarshini, R. An intelligent software defined network controller for preventing Distributed Denial of Service (DDoS) attacks. In Proceedings of the Second International Conference on Inventive Communication and Computational Technologies (ICICCT 2018), Coimbatore, India, 20–21 April 2018. [Google Scholar]
  198. Krishnan, P.; Duttagupta, S.; Achuthan, K. VARMAN: Multi-plane security framework for software defined networks. Comput. Commun. 2019, 148, 215–239. [Google Scholar] [CrossRef]
  199. Swami, R.; Dave, M.; Ranga, V. Software-defined networking-based DDoS defense mechanisms. ACM Comput. Surv. 2019, 52, 28. [Google Scholar] [CrossRef]
  200. Abhiroop, T.; Babu, S.; Manoj, B.S. A machine learning approach for detecting DoS attacks in SDN switches. In Proceedings of the 24th National Conference on Communications (NCC), Hyderabad, India, 25–28 February 2018. [Google Scholar]
  201. Ahmad, A.; Harjula, E.; Ylianttila, M.; Ahmad, I. Evaluation of machine learning techniques for security in SDN. In Proceedings of the IEEE Globecom Workshops (GC Workshops 2020), Taipei, Taiwan, 7–11 December 2020. [Google Scholar]
  202. Elsayed, M.S.; Le-Khac, N.-A.; Dev, S.; Jurcut, A.D. DDoSNet: A deep-learning model for detecting network attacks. In Proceedings of the IEEE 21st International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), Cork, Ireland, 31 August–3 September 2020. [Google Scholar]
  203. Ahuja, N.; Singal, G.; Mukhopadhyay, D. DLSDN: Deep learning for DDOS attack detection in software defined networking. In Proceedings of the 11th International Conference on Cloud Computing, Data Science & Engineering (Confluence 2021), Noida, India, 28–29 January 2021. [Google Scholar]
  204. Dimolianis, M.; Pavlidis, A.; Maglaris, V. Signature-based traffic classification and mitigation for DDoS attacks using programmable network data planes. IEEE Access 2021, 9, 113061–113076. [Google Scholar] [CrossRef]
  205. Yu, S.; Zhang, J.; Liu, J.; Zhang, X.; Li, Y.; Xu, T. A cooperative DDoS attack detection scheme based on entropy and ensemble learning in SDN. Wirel. Commun. Netw. 2021, 90, 90. [Google Scholar] [CrossRef]
  206. Dehkordi, A.; Soltanaghaei, M.; Boroujeni, F. A hybrid mechanism to detect DDoS attacks in software defined networks. Majlesi J. Electr. Eng. 2021, 15, 1–8. [Google Scholar] [CrossRef]
  207. Liu, Y.; Zhi, T.; Shen, M.; Wang, L.; Li, Y.; Wan, M. Software-defined DDoS detection with information entropy analysis and optimized deep learning. Future Gener. Comput. Syst. 2022, 129, 99–114. [Google Scholar] [CrossRef]
  208. Gadallah, W.G.; Ibrahim, H.M.; Omar, N.M. A deep learning technique to detect distributed denial of service attacks in software defined networks. Comput. Secur. 2024, 137, 103588. [Google Scholar] [CrossRef]
  209. Cao, J.; Xu, M.; Li, Q.; Sun, K.; Yang, Y.; Zheng, J. Disrupting SDN via the data plane: A low-rate flow table overflow attack. In Proceedings of the 13th International Conference on Security and Privacy in Communications Networks (SECURECOMM17), Niagara Falls, ON, Canada, 22–25 October 2017. [Google Scholar]
  210. Cao, J.; Xu, M.; Li, Q.; Sun, K.; Yang, Y. The LOFT attack: Overflowing SDN flow tables at a low rate. IEEE/ACM Trans. Netw. 2023, 31, 1416–1431. [Google Scholar] [CrossRef]
  211. Tang, D.; Yan, Y.; Gao, C.; Liang, W.; Jin, W. LtRFT: Mitigate the low-rate data plane DDoS attack with learning-to-rank enabled flow tables. IEEE Trans. Inf. Forensics Secur. 2023, 18, 3143–3157. [Google Scholar] [CrossRef]
  212. Tang, D.; Gao, C.; Liang, W.; Zhang, J.; Li, K. FTMaster: A detection and mitigation system of low-rate flow table overflow attacks via SDN. IEEE Trans. Netw. Serv. Manag. 2023, 20, 5073–5084. [Google Scholar] [CrossRef]
  213. Tang, D.; Zhang, D.; Qin, Z.; Yang, Q.; Xiao, S. SFTO-guard: Real time detection and mitigation system for slow-rate flow table overflow attacks. J. Netw. Comput. Appl. 2023, 213, 103597. [Google Scholar] [CrossRef]
  214. Tang, D.; Zheng, Z.; Li, K.; Yin, C.; Liang, W.; Zhang, J. FTOP: An efficient flow table overflow preventing system for switches in SDN. IEEE Trans. Netw. Sci. Eng. 2024, 11, 2524–2536. [Google Scholar] [CrossRef]
  215. Tang, D.; Zheng, Z.; Yin, C.; Xiong, B.; Qin, Z.; Yang, Q. FTODefender: An efficient flow table overflow attacks defending system in SDN. Expert Syst. Appl. 2024, 237, 12146. [Google Scholar] [CrossRef]
  216. Mudgal, A.; Verma, A.; Singh, M.; Sahoo, K.S.; Elmroth, E.; Bhuyan, M. FloRa: Flow table low-rate overflow reconnaissance and detection in SDN. IEEE Trans. Netw. Serv. Manag. 2024, 21, 6670–6683. [Google Scholar] [CrossRef]
  217. Zeng, Y.; Wang, Y.; Liu, Y. Research on detection and mitigation methods of adaptive flow table overflow attacks in software-defined networks. IEEE Access 2024, 12, 48830–48845. [Google Scholar] [CrossRef]
  218. Jain, L.; Venkanna, U.; Vollala, S. FTSheild: An intelligent framework for LOFT attack detection and mitigation with programmable data plane. Expert Syst. Appl. 2025, 265, 125865. [Google Scholar] [CrossRef]
  219. Riggio, R.; Marina, M.; Schulz-Zander, J.; Kuklinski, S.; Rasheed, T. Programming abstractions for software-defined wireless networks. IEEE Trans. Netw. Serv. Manag. 2015, 12, 146–162. [Google Scholar] [CrossRef]
  220. Celesova, B.; Val’ko, J.; Grezo, R.; Helebrandt, P. Enhancing security of SDN focusing on control plane and data plane. In Proceedings of the International Symposium on Digital Forensic and Security (ISDFS), Barcelos, Portugal, 10–12 June 2019. [Google Scholar]
  221. Ibrahim, O.; Bhaya, W. Intrusion detection system for cloud based software-defined networks. In Proceedings of the International Conference of Modern Applications on Information and Communication Technology (ICMAICT), Hilla, Iraq, 22–23 October 2020. [Google Scholar]
  222. Sebbar, A.; Cherqi, O.; Chougdali, K.; Boulmalf, M. Real time anomaly detection in SDN architecture using integrated SIEM and machine learning for enhancing network security. In Proceedings of the IEEE Global Communications Conference: Communications Software and Multimedia (GLOBECOM-IEEE 2023), Kuala Lumpur, Malaysia, 4–8 December 2023. [Google Scholar]
  223. Wang, P.; Ye, F.; Chen, X.; Qian, Y. Datanet: Deep learning based encrypted network traffic classification in SDN home gateway. IEEE Access 2018, 6, 55380–55391. [Google Scholar] [CrossRef]
  224. Malik, A.; Frein, R.d.; Al-Zeyadi, M.; Andreu-Perez, J. Intelligent SDN traffic classification using deep learning: Deep-SDN. In Proceedings of the 2nd International Conference on Computer Communication and the Internet (ICCCI 2020), Nagoya, Japan, 26–29 June 2020. [Google Scholar]
  225. Serag, R.H.; Abdalzaher, M.S.; Elsayed, H.A.E.A.; Sobh, M.; Krichen, M.; Salim, M.M. Machine-learning-based traffic classification in software-defined networks. Electronics 2024, 13, 1108. [Google Scholar] [CrossRef]
  226. Koerner, M.; Kao, O. MAC based dynamic VLAN tagging with OpenFlow for WLAN access networks. In Proceedings of the International Workshop on Applications of Software-Defined Networking in Cloud Computing (SDNCC), Montreal, QC, Canada, 15–18 August 2016. [Google Scholar]
  227. Zhong, Y.; Li, Z.; Liao, L. A privacy-preserving caching scheme for device-to-device communications. Secur. Commun. Netw. 2021, 2021, 6696149. [Google Scholar] [CrossRef]
  228. Wang, T.; Chen, H. A lightweight SDN fingerprint attack defense mechanism based on probabilistic scrambling and controller dynamic scheduling strategies. Secur. Commun. Netw. 2021, 1, 6688489. [Google Scholar] [CrossRef]
  229. Ye, R.; Ouyang, Y.; Che, X. Security and attack prevention in software-defined network. In Proceedings of the International Conference on Telecommunications and Power Electronics (TELEPE 2024), Frankfurt, Germany, 29–31 May 2024. [Google Scholar]
  230. Alkhamisi, A.; Katib, I.; Buhari, S.M. Federated learning-based security attack detection for multi-controller software-defined networks. Algorithms 2024, 17, 290. [Google Scholar] [CrossRef]
  231. Hyder, M.F.; Ismail, M.A. Securing control and data planes from reconnaissance attacks using distributed shadow controllers, reactive and proactive approaches. IEEE Access 2021, 9, 21881–21894. [Google Scholar] [CrossRef]
  232. Lam, J.H.; Lee, S.; Lee, H.-J.; Oktian, Y.E. Securing distributed SDN with IBC. In Proceedings of the 2015 Seventh International Conference on Ubiquitous and Future Networks (ICUFN), Sapporo, Japan, 7–10 July 2015. [Google Scholar]
  233. Adhikari, T.; Kule, M.; Khan, A.K. An ECDH and AES based encryption approach for prevention of MiTM in SDN southbound communication interface. In Proceedings of the 13th International Conference on Computing Communication and Networking Technologies (ICCCNT 2022), Kharagpur, India, 3–5 October 2022. [Google Scholar]
  234. Buzura, S.; Lehene, M.; Iancu, B.; Dadarlat, V. An extendable software architecture for mitigating ARP spoofing-based attacks in SDN data plane layer. Electronics 2022, 11, 1965. [Google Scholar] [CrossRef]
  235. Guo, X.; Wang, C.; Cao, L.; Jiang, Y.; Yan, Y. A novel security mechanism for software defined network based on blockchain. Comput. Sci. Inf. Syst. 2022, 19, 523–545. [Google Scholar] [CrossRef]
  236. Chi, P.-W.; Kuo, C.-T.; Guo, J.-W.; Lei, C.-L. How to detect a compromised SDN switch. In Proceedings of the 2015 1st IEEE Conference on Network Softwarization (NetSoft), London, UK, 13–17 April 2015. [Google Scholar]
  237. Chao, T.-W.; Ke, Y.-M.; Chen, B.-H.; Chen, J.-L.; Hsieh, C.J.; Lee, S.-C.; Hsiao, H.-C. Securing data planes in software-defined networks. In Proceedings of the IEEE Conference on Network Softwarization (NetSoft), Seoul, Republic of Korea, 6–10 June 2016. [Google Scholar]
  238. Zhou, H.; Wu, C.; Yang, C.; Wang, P.; Yang, Q.; Lu, Z.; Cheng, Z. SDN-RDCD: A real-time and reliable method for detecting compromised SDN devices. IEEE/ACM Trans. Netw. 2018, 26, 2048–2061. [Google Scholar] [CrossRef]
  239. Pattanaik, A.; Gupta, A.; Kanavalli, A. Early detection and diminution of DDoS attack instigated by compromised switches on the controller in software defined networks. In Proceedings of the IEEE International Conference on Distributed Computing, VLSI, Electrical Circuits and Robotics (DISCOVER), Manipal, India, 11–12 August 2019. [Google Scholar]
  240. Sanjeetha, R.; Srivastava, S.; Pokharna, R.; Shafiq, S.; Kanavalli, A. Mitigation of DDoS attack instigated by compromised switches on SDN controller by analyzing the flow rule request traffic. Int. J. Eng. Technol. 2018, 7, 46–49. [Google Scholar] [CrossRef]
  241. Shaghaghi, A.; Kaafar, M.A.; Jha, S. WedgeTail: An intrusion prevention system for the data plane of software defined networks. In Proceedings of the Asia Conference on Computer and Communications Security (ASIA CCS17), Abu Dhabi, United Arab Emirates, 2 April 2017. [Google Scholar]
  242. Dinh, P.T.; Lee, T.; Canh, T.N.; Dang, S.P.; Noh, S.C.; Park, M. Abnormal SDN switches detection based on chaotic analysis of network traffic. In Proceedings of the 25th Asia-Pacific Conference on Communications (APCC), Ho Chi Minh City, Vietnam, 6–8 November 2019. [Google Scholar]
  243. Dinh, P.T.; Park, M. ECSD: Enhanced compromised switch detection in an SDN-based cloud through multivariate time-series analysis. IEEE Access 2020, 8, 119346–119360. [Google Scholar] [CrossRef]
  244. Hessam, G.; Saba, G.; Alkhayat, M.I. A new approach for detecting violation of data plane integrity in software defined networks. J. Comput. Secur. 2021, 29, 341–358. [Google Scholar] [CrossRef]
  245. Reddy, B.A.; Sahoo, K.S.; Bhuyan, M. Securing P4-SDN data plane against flow table modification attack. In Proceedings of the IEEE Symposium on Network Operations and Management, Seoul, Republic of Korea, 6–10 May 2024. [Google Scholar]
  246. Deng, S.; Gao, X.; Lu, Z.; Gao, X. Packet injection attack and its defense in software-defined networks. IEEE Trans. Inf. Forensics Secur. 2018, 13, 695–705. [Google Scholar] [CrossRef]
  247. Alshra’a, A.S.; Seitz, J. Using INSPECTOR device to stop packet injection attack in SDN. IEEE Commun. Lett. 2019, 33, 1174–1177. [Google Scholar] [CrossRef]
  248. Antikainen, M.; Aura, T.; Särelä, M. Spook in your network: Attacking an SDN with a compromised OpenFlow switch. In Proceedings of the Nordic Conference on Secure IT Systems (NordSec 2014), Tromsø, Norway, 15–17 October 2014. [Google Scholar]
  249. Zhou, Y.; Chen, K.; Zhang, J.; Leng, J.; Tang, Y. Exploiting the vulnerability of flow table overflow in software-defined network: Attack model, evaluation and defense. Secur. Commun. Netw. 2018, 2018, 4760632. [Google Scholar] [CrossRef]
  250. Sathya, R.; Thangarajan, R. Efficient anomaly detection and mitigation in software defined networking environment. In Proceedings of the 2nd International Conference on Electronics and Communication Systems (ICECS), Coimbatore, India, 26–27 February 2015. [Google Scholar]
  251. Pang, C.; Jiang, Y.; Li, Q. FADE: Detecting forwarding anomaly in software-defined networks. In Proceedings of the IEEE International Conference on Communications (ICC), Kuala Lumpur, Malaysia, 22–27 May 2016. [Google Scholar]
  252. Li, Q.; Liu, Y.; Liu, Z.; Zhang, P.; Pang, C. Efficient forwarding anomaly detection in software-defined networks. IEEE Trans. Parallel Distrib. Syst. 2021, 32, 2676–2690. [Google Scholar] [CrossRef]
  253. Aryan, R.; Yazidi, A.; Engelstad, P.E.; Kure, O. A general formalism for defining and detecting OpenFlow rule anomalies. In Proceedings of the IEEE 42nd Conference on Local Computer Networks (LCN), Singapore, 9–12 October 2017. [Google Scholar]
  254. Aryan, R.; Yazidi, A.; Engelstad, P.E. An incremental approach for swift OpenFlow anomaly detection. In Proceedings of the IEEE 43rd Conference on Local Computer Networks (LCN), Chicago, IL, USA, 1–4 October 2018. [Google Scholar]
  255. Zhang, P.; Xu, S.; Yang, Z.; Li, H.; Li, Q.; Wang, H.; Hu, C. FOCES: Detecting forwarding anomalies in software defined networks. In Proceedings of the IEEE International Conference on Distributed Computing Systems (ICDCS 2018), Vienna, Austria, 2–6 July 2018. [Google Scholar]
  256. Zhang, P.; Zhang, F.; Xu, S.; Yang, Z.; Li, H.; Li, Q.; Wang, H.; Shen, C.; Hu, C. Network-wide forwarding anomaly detection and localization in software-defined networks. IEEE/ACM Trans. Netw. 2021, 29, 332–345. [Google Scholar] [CrossRef]
  257. Li, Q.; Zou, X.; Huang, Q.; Zheng, J.; Lee, P.P.C. Dynamic packet forwarding verification in SDN. IEEE Trans. Dependable Secur. Comput. 2019, 16, 915–929. [Google Scholar] [CrossRef]
  258. Kausar, N.; Latif, Z.; Lee, C.; Iqbal, U. Towards Detection and Mitigation of Traffic Anomalies in SDN. In Proceedings of the International Conference on Information and Communication Technology Convergence (ICTC), Jeju Island, Republic of Korea, 20–22 October 2021. [Google Scholar]
  259. Xi, S.; Bu, K.; Mao, W.; Zhang, X.; Ren, K.; Ren, X. RuleOut forwarding anomalies for SDN. IEEE/ACM Trans. Netw. 2022, 31, 395–407. [Google Scholar] [CrossRef]
  260. Zhibin, Z.; Chang, C.; Zhu, X. A software-defined networking packet forwarding verification mechanism based on programmable data plane. J. Electron. Inf. Technol. 2020, 42, 1110–1117. [Google Scholar]
  261. Zhang, W.; Jing, S.; Guo, L.; Zhao, C. P4-DVPF: Dynamic Verification of Packets Forwarding Based on P4 for SDN. In Proceedings of the International Conference on Intelligent Computing and Next Generation Networks (ICNGN), Singapore, 12–14 December 2023. [Google Scholar]
  262. Dey, S.K.; Rahman, M.M. Flow based anomaly detection in software defined networking: A deep learning approach with feature selection method. In Proceedings of the 4th International Conference on Electrical Engineering and Information & Communication Technology (iCEEiCT), Dhaka, Bangladesh, 13–15 September 2018. [Google Scholar]
  263. Sridharan, V.; Gurusamy, M.; Leon-Garcia, A. Anomalous rule detection using machine learning in software defined networks. In Proceedings of the IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), Dallas, TX, USA, 12–14 November 2019. [Google Scholar]
  264. Lai, Y.-C.; Zhou, K.-Z.; Lin, S.-R.; Lo, N.-W. Flow-based anomaly detection using multilayer perceptron in software defined networks. In Proceedings of the 42nd International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia, 20–24 May 2019. [Google Scholar]
  265. Phan, T.V.; Nguyen, T.G.; Dao, N.-N.; Huong, T.T.; Thanh, N.H.; Bauschert, T. DeepGuard: Efficient anomaly detection in SDN with fine-grained traffic flow monitoring. IEEE Trans. Netw. Serv. Manag. 2020, 17, 1349–1362. [Google Scholar] [CrossRef]
  266. Khurshid, A.; Zhou, W.; Caesar, M.; Godfrey, B. VeriFlow: Verifying network-wide invariants in real time. In Proceedings of the 1st ACM International Workshop on Hot Topics in Software Defined Networks (HotSDN12), Helsinki, Finland, 13 August 2012. [Google Scholar]
  267. Dhawan, M.; Poddar, R.; Mahajan, K.; Mann, V. SPHINX: Detecting security attacks in software-defined networks. In Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA, 8–11 February 2015. [Google Scholar]
  268. Chaudhary, R.; Kumar, N. LOADS: Load optimisation and anomaly detection scheme for software-defined networks. IEEE Trans. Veh. Technol. 2019, 68, 12329–12344. [Google Scholar] [CrossRef]
  269. Flauzac, O.; González, C.; Hachani, A.; Nolot, F. SDN based architecture for IoT and improvement of the security. In Proceedings of the 29th International Conference on Advanced Information Networking and Applications Workshops, Gwangju, Republic of Korea, 24–27 March 2015. [Google Scholar]
  270. Qin, Q.; Poularakis, K.; Tassiulas, L. A learning approach with programmable data plane towards IoT security. In Proceedings of the IEEE 40th International Conference on Distributed Computing Systems (ICDCS 2020), Singapore, 29 November–1 December 2020; pp. 410–420. [Google Scholar]
  271. Guo, X.; Lin, H.; Li, Z.; Peng, M. Deep-reinforcement-learning based QoS-aware secure routing for SDN-IoT. IEEE Internet Things J. 2020, 7, 6242–6251. [Google Scholar] [CrossRef]
  272. Cui, L.; Yu, F.R.; Yan, Q. When big data meets software-defined networking: SDN for big data and big data for SDN. IEEE Netw. 2016, 30, 58–65. [Google Scholar] [CrossRef]
  273. Yao, J.; Han, Z.; Sohail, M.; Wang, L. A robust security architecture for SDN-based 5G networks. Future Internet 2019, 11, 85. [Google Scholar] [CrossRef]
  274. Han, B.; Yang, X.; Sun, Z.; Huang, J.; Su, J. OverWatch: A cross-plane DDoS attack defense framework with collaborative intelligence in SDN. Secur. Commun. Netw. 2018, 2018, 9649643. [Google Scholar] [CrossRef]
  275. Yang, X.; Wang, D.; Tang, W.; Feng, W.; Zhu, C. IPsec cryptographic algorithm invocation considering performance and security for SDN southbound interface communication. IEEE Access 2020, 8, 181782–181795. [Google Scholar] [CrossRef]
  276. Salman, F.; Jedidi, A. Trust-aware security system for dynamic southbound communication in software defined network. In Proceedings of the International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT), Sakheer, Bahrain, 20–21 November 2022. [Google Scholar]
  277. Sebbar, A.; Zkik, K.; Baddi, Y.; Boulmalf, M.; Kettani, M.D.E.-C.E. MitM detection and defense mechanism CBNA-RF based on machine learning for large-scale SDN context. J. Ambient Intell. Humaniz. Comput. 2022, 11, 5875–5894. [Google Scholar] [CrossRef]
  278. Silva, E.G.d.; Knob, L.A.D.; Wickboldt, J.A.; Gaspary, L.P.; Granville, L.Z.; Schaeffer-Filho, A. Capitalizing on SDN based SCADA systems: An anti-eavesdropping case-study. In Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management (IM2015), Ottawa, ON, Canada, 11–15 May 2015. [Google Scholar]
  279. Mohan, P.; Gurusamy, M.; Lim, T. Dynamic attack-resilient routing in software defined networks. IEEE Trans. Netw. Serv. Manag. 2018, 15, 1146–1160. [Google Scholar] [CrossRef]
  280. Tapolcai, J.; Retvari, G.; Babarczi, P.; Berczi-Kovacs, E. Scalable and efficient multipath routing via redundant trees. IEEE J. Sel. Areas Commun. 2019, 37, 982–996. [Google Scholar] [CrossRef]
  281. Wang, Z.; Lu, Z.; Li, C. Research on deep reinforcement learning multi-path routing planning in SDN. In Proceedings of the 2nd International Conference on Electronic Engineering and Informatics, Lanzhou, China, 17–19 July 2020. [Google Scholar]
  282. Chiu, K.-C.; Liu, C.-C.; Chou, L.-D. Reinforcement learning-based service-oriented dynamic multipath routing in SDN. Wirel. Commun. Mob. Comput. 2022, 2022, 1330993. [Google Scholar] [CrossRef]
  283. Zhang, Y.; Qiu, L.; Xu, Y.; Wang, X.; Wang, S.; Paul, A.; Wu, Z. Multi path routing algorithm based on deep reinforcement learning for SDN. Appl. Sci. 2023, 13, 12520. [Google Scholar] [CrossRef]
  284. Sanchez, L.P.A.; Shen, Y.; Guo, M. MDQ: A QoS-congestion aware deep reinforcement learning approach for multi-path routing in SDN. J. Netw. Comput. Appl. 2025, 235, 104082. [Google Scholar] [CrossRef]
  285. Yin, S.; Huang, S.; Liu, H.; Guo, B.; Gao, T.; Li, W. Survivable multipath virtual network embedding against multiple failures for SDN/NFV. IEEE Access 2018, 6, 76909–76923. [Google Scholar] [CrossRef]
  286. Wang, Q.; Shou, G.; Liu, Y.; Hu, Y.; Guo, Z.; Chang, W. Implementation of multipath network virtualization with SDN and NFV. IEEE Access 2018, 6, 32460–32470. [Google Scholar] [CrossRef]
  287. Xiaolong, X.; Yun, C.; Liuyun, H.; Anup, K. MTSS: Multi-path traffic scheduling mechanism based on SDN. J. Syst. Eng. Electron. 2019, 30, 974–984. [Google Scholar] [CrossRef]
  288. Zhou, C.; Quan, W.; Gao, D.; Liu, Z.; Yu, C.; Liu, M.; Xu, Z. AMS: Adaptive Multipath Scheduling Mechanism against Eavesdropping Attacks with Programmable Data Planes. In Proceedings of the IEEE Advanced Information Technology, Electronic and Automation Control Conference (IAEAC), Chongqing, China, 12–14 March 2021. [Google Scholar]
  289. Qi, H.; Guo, Y.; Hou, D.; Xing, Z.; Ren, W.; Cong, L.; Di, X. SDN-based dynamic multi-path routing strategy for satellite networks. Future Gener. Comput. Syst. 2022, 133, 254–265. [Google Scholar] [CrossRef]
  290. Ma, H.; Wang, M.; Lv, H.; Liu, J.; Di, X.; Qi, H. A SDN improvement scheme for multi-path QUIC transmission in satellite networks. Comput. Intell. 2024, 40, e12650. [Google Scholar] [CrossRef]
  291. Cheng, Y.; Jia, X. NAMP: Network-aware multipathing in software-defined data center networks. IEEE/ACM Trans. Netw. 2020, 28, 846–859. [Google Scholar] [CrossRef]
  292. Amaral, P.; Pinto, P.; Bernardo, L. Achieving correct hop-by-hop forwarding on multiple policy-based routing paths. IEEE Trans. Netw. Sci. Eng. 2020, 7, 1226–1238. [Google Scholar] [CrossRef]
  293. Betge-Brezetz, S.; Kamga, G.-B.; Joutei, A.; Maalmi, O. Control of sensitive traffic in the cloud based on OpenFlow. In Proceedings of the IEEE Third International Conference on Cloud Networking (CloudNet), Luxembourg, Luxembourg, 8–10 October 2014. [Google Scholar]
  294. Betgé-Brezetz, S.; Kamga, G.-B.; Tazi, M. Trust support for SDN controllers and virtualized network applications. In Proceedings of the IEEE Conference on Network Softwarization (NetSoft), London, UK, 13–17 April 2015. [Google Scholar]
  295. Betge-Brezetz, S.; Kamga, G.-B.; Balla, M.; Criton, T.; Jebalia, H. SDN-based trusted path in a multi-domain network. In Proceedings of the IEEE International Conference on Cloud Engineering Workshop, Berlin, Germany, 4–8 April 2016. [Google Scholar]
  296. Ermis, O.; Bahtiyar, S.; Caglayan, M.; Bulbul, N.; Alagoz, F. Trust Enhanced Security for Routing in SDN. In Proceedings of the 2022 1st International Conference on 6G Networking (6GNet), Paris, France, 6–8 July 2022. [Google Scholar]
  297. Kalkan, K. SUTSEC: SDN utilized trust based secure clustering in IoT. Comput. Netw. 2020, 178, 107328. [Google Scholar] [CrossRef]
  298. Raschella, A.; Eiza, M.H.; Mackay, M.; Shi, Q.; Banton, M. A trust-based cooperative system for efficient Wi-Fi radio access networks. IEEE Access 2023, 11, 136136–136149. [Google Scholar] [CrossRef]
  299. Quinn, T.; Shah, S.D.A.; Bouhafs, F.; den Hartog, F. Towards trust-based routing for data plane security in heterogeneous Software-Defined Wireless Networks. In Proceedings of the IEEE Conference on Network Softwarization (NetSoft), Saint Louis, MO, USA, 24–28 June 2024. [Google Scholar]
  300. Kreutz, D.; Ramos, F.M.V.; Veríssimo, P. Towards secure and dependable software-defined networks. In Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN ’13), Hong Kong, China, 16 August 2013. [Google Scholar]
  301. Darabseh, A.; Al-Ayyoub, M.; Jararweh, Y.; Benkhelifa, E.; Vouk, M.; Rindos, A. SDSecurity: A software defined security experimental framework. In Proceedings of the Workshop on Cloud Computing Systems, Networks, and Applications (CCSNA) (IEEE ICC 2015), London, UK, 8–12 June 2015. [Google Scholar]
  302. Chowdhary, A.; Huang, D.; Alshamrani, A.; Kang, M.; Kim, A.; Velazquez, A. TRUFL: Distributed trust management framework in SDN. In Proceedings of the IEEE International Conference on Communications (ICC), Seoul, Republic of Korea, 20–24 May 2019. [Google Scholar]
  303. Tan, S.; Li, X.; Dong, Q. A trust management system for securing data plane of ad-hoc networks. IEEE Trans. Veh. Technol. 2016, 65, 7579–7592. [Google Scholar] [CrossRef]
  304. Mao, M.; Yi, P.; Hu, T.; Zhang, Z.; Lu, X.; Lei, J. Hierarchical hybrid trust management scheme in SDN-enabled VANETs. Mob. Inf. Syst. 2021, 2021, 7611619. [Google Scholar] [CrossRef]
  305. Yan, Z.; Zhang, P.; Vasilakos, A.V. A security and trust framework for virtualized networks and software-defined networking. Secur. Commun. Netw. 2016, 9, 3059–3069. [Google Scholar] [CrossRef]
  306. Karmakar, K.K.; Varadharajan, V.; Hitchens, M.; Tupakula, U.; Sariputra, P. A trust-aware OpenFlow switching framework for software defined networks (SDN). Comput. Netw. 2023, 237, 110109. [Google Scholar] [CrossRef]
  307. Wang, L.; Ma, H.; Jiang, Y.; Tang, Y.; Zu, S.; Hu, T. A data plane security model of segmented routing based on SDP trust enhancement architecture. Sci Rep 2022, 12, 8762. [Google Scholar] [CrossRef]
  308. Ashraf, U.; Al-Naeem, M.; Bhutta, M.N.M.; Yuen, C. ZFort: A scalable zero-trust approach for trust management and traffic engineering in SDN based IoTs. Internet Things 2024, 28, 101419. [Google Scholar] [CrossRef]
  309. Yao, G.; Bi, J.; Xiao, P. Source address validation solution with OpenFlow/NOX architecture. In Proceedings of the 19th IEEE International Conference on Network Protocols, Vancouver, BC, Canada, 17 October 2011. [Google Scholar]
  310. Liu, J.; Zhang, H.; Guo, Z. A defense mechanism of random routing mutation in SDN. IEICE Trans. Inf. Syst. 2017, 100, 1046–1054. [Google Scholar] [CrossRef]
  311. Wang, M.; Liu, J.; Mao, J.; Cheng, H.; Chen, J.; Qi, C. RouteGuardian: Constructing secure routing paths in software-defined networking. Tsinghua Sci. Technol. 2017, 22, 400–412. [Google Scholar] [CrossRef]
  312. Albu-Salih, A.T.; Mohammed, S.J.; Seno, S.A.H. Dynamic routing method over hybrid SDN for flying ad hoc networks. Baghdad Sci. J. 2018, 15, 361–368. [Google Scholar] [CrossRef]
  313. Xu, X.; Hu, H.; Liu, Y.; Tan, J.; Zhang, H.; Song, H. Moving target defense of routing randomization with deep reinforcement learning against eavesdropping attack. Digit. Commun. Netw. 2022, 8, 373–387. [Google Scholar] [CrossRef]
  314. Cascone, C.; Sanvito, D.; Pollini, L.; Capone, A.; Sanso, B. Fast failure detection and recovery in SDN with stateful data plane. Int. J. Netw. Manag. 2017, 27, e1957. [Google Scholar] [CrossRef]
  315. Li, Z.; Hu, Y.; Wu, J.; Lu, J. P4Resilience: Scalable resilience for multi-failure recovery in SDN with programmable data plane. Comput. Netw. 2022, 208, 108896. [Google Scholar] [CrossRef]
  316. Li, L.; Li, K.; Meng, X.; Wang, Y.; Wang, X. Dynamic weight routing and optical-code algorithm based on SDN. Heliyon 2023, 9, e12407. [Google Scholar] [CrossRef]
  317. Santana, P.; Moura, J. A Bayesian Multi-Armed Bandit algorithm for dynamic end-to-end routing in SDN-based networks with piecewise-stationary rewards. Algorithms 2023, 16, 233. [Google Scholar] [CrossRef]
  318. Becherer, M.; Hussain, O.K.; Zhang, Y.; den Hartog, F.; Chang, E. On trust recommendations in the social Internet of Things—A survey. ACM Comput. Surv. 2024, 56, 1–35. [Google Scholar] [CrossRef]
Figure 1. Structure of the paper.
Figure 2. Architectural planes of an SDN.
Figure 3. Paper selection process.
Figure 4. Research domains and sub-domains in SDN data plane security.
Figure 5. A hybrid SDN utilizing a programmable data plane.
Figure 6. A heterogeneous SDN utilizing wired and wireless media.
Figure 7. A conceptual view of a hybrid SDN with OpenFlow and P4 support.
Figure 8. ML-based DDoS detection in a programmable data plane (based on [94]).
Figure 9. SDN-NFV with VNF deployment in an SDN data plane.
Figure 10. DoS attack on an SDN with SBI congestion (based on [183]).
Figure 11. An attacker (red) installs a malicious rule (red) (based on [236]).
Figure 12. Packet Forwarding Verification (PFV) using SDN (based on [257]).
Figure 13. Multi-path routing using SDN (based on [279]).
Figure 14. A conceptual view of trust-based routing (based on [293]).
Table 1. Threats to the SDN data plane [6,7].
Plane Component | Threats | Mitigations
Southbound Interface | Side-channel vulnerabilities | Monitoring and logging
Southbound Interface | Data spill (data leak) | Monitoring and logging; data loss prevention; traffic filtering (firewall, intrusion detection, and prevention)
Southbound Interface | Malicious software (malware) | Monitoring and logging
Southbound Interface | Eavesdropping | Traffic encryption; secure routing
Southbound Interface | Man-in-the-middle | Traffic encryption; secure routing
Southbound Interface | Replay attacks | Session and token management; monitoring and logging; traffic filtering (firewall, intrusion detection, and prevention)
Switch Software | Side-channel vulnerabilities | Monitoring and logging
Switch Software | Data spill (data leak) | Secure programming; patching; adherence to standards; monitoring and logging
Switch Software | Malicious software (malware) | Monitoring and logging
Switch Firmware | Side-channel vulnerabilities | Monitoring and logging
Switch Firmware | Malicious software (malware) | Forwarding anomaly detection; exclusionary routing for malicious or compromised nodes
Switches | Malicious infrastructure | Forwarding anomaly detection; exclusionary routing for malicious or compromised nodes; authentication; network access control
Switches | Side-channel vulnerabilities | Monitoring and logging
Switches | Poisoned forwarding rules | Forwarding rule auditing; forwarding anomaly detection
Switches | Denial-of-service/Distributed denial-of-service | Exclusionary routing for malicious or compromised nodes; traffic filtering (firewall, intrusion detection, and prevention)
Communications Links | Man-in-the-middle | Traffic encryption; forwarding anomaly detection; secure routing
Communications Links | Eavesdropping | Traffic encryption; secure routing
Communications Links | Replay attacks | Session and token management; monitoring and logging; traffic filtering (firewall, intrusion detection, and prevention)
Endpoints | Malicious infrastructure | Forwarding anomaly detection; exclusionary routing for malicious or compromised nodes; authentication; network access control
Endpoints | Denial-of-service/Distributed denial-of-service | Exclusionary routing for malicious or compromised nodes; traffic filtering (firewall, intrusion detection, and prevention)
Table 2. Previous reviews.
Reference | Year | Topic | Data Plane Security
[8] | 2025 | Data plane security |
[9] | 2017 | Stateful data plane security |
[10] | 2020 | Stateful data plane security |
[11] | 2021 | Stateful data plane |
[12] | 2021 | P4 security |
[13] | 2022 | P4 security |
[14] | 2023 | P4 |
[15] | 2019 | Programmable data planes |
[16] | 2021 | Programmable data planes |
[17] | 2021 | P4 switches |
[18] | 2023 | P4 applications |
[19,20,21] | 2015 | SDN security |
[22,23] | 2016 | SDN security |
[24,25] | 2019 | SDN security |
[26,27] | 2020 | SDN security |
[28] | 2021 | SDN security |
[29] | 2021 | SDN security |
[6] | 2022 | SDN security |
[30] | 2022 | SDN security |
[31] | 2024 | SDN security |
[32] | 2023 | SDN security |
[33] | 2024 | SDN security |
[34] | 2023 | SDN security and privacy |
[35] | 2017 | SDN security architecture |
[36] | 2018 | SDN security architecture |
[37] | 2020 | SDN security architecture |
[38] | 2020 | SDN security architecture |
[39] | 2013 | SDN |
[40,41] | 2014 | SDN |
[42,43] | 2015 | SDN |
[44] | 2016 | SDN |
[45] | 2020 | SDN for resilient networking |
[46] | 2022 | SDN for resilient networking |
[47] | 2017 | Heterogeneous SDN |
[48] | 2020 | Heterogeneous SDN |
[49] | 2019 | ML applications in SDN |
[50] | 2019 | ML applications in SDN |
[51] | 2023 | ML applications in SDN |
[52] | 2025 | AI, ML and blockchain in SDN |
[53] | 2024 | AI for programmable data planes |
[54] | 2015 | SDN-NFV |
[55,56] | 2019 | SDN-NFV |
[57] | 2020 | MTD |
[58] | 2015 | Programmable networks |
[59] | 2022 | Denial-of-service attacks |
[60] | 2023 | In-band control for SDN |
● Addresses data plane security. ◉ Partially addresses data plane security. ○ Does not address data plane security.
Table 3. Research strengths and weaknesses of existing reviews.
Identifier | Summary | References
RSTR-1 | P4 security applications have been subject to significant investigation. | [12,13,14,15,16,17,18,53]
RSTR-2 | Cross-plane security for SDN has been subject to significant investigation. | [19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,61]
RWKN-1 | No comprehensive review exists for SDN data plane security research. | [8]
RWKN-2 | Security of the P4 architecture is underinvestigated. | [9,10]
RWKN-3 | Heterogeneous SDN is underinvestigated. | [26,47,48]
Table 4. Programmable data plane implementations and applications.
Reference | Year | Implementation | Application
[4] | 2014 | P4 | Novel language and compiler
[62] | 2014 | FAST | Novel architecture
[63] | 2014 | OpenState (OpenFlow) | Novel architecture
[64] | 2017 | SDPA (OpenFlow) | Novel architecture
[65,66,67,68,69,70,71,72] | 2020 | P4 | DoS mitigation
[73,74] | 2021 | P4 | DoS mitigation
[75,76] | 2019 | P4 | DoS mitigation
[77] | 2021 | P4 | DoS mitigation
[78] | 2022 | P4 | DoS mitigation
[79] | 2017 | P4 | Heavy-hitter detection
[80] | 2018 | P4 | Telephony DoS mitigation
[81] | 2019 | P4 | Telephony DoS mitigation
[82] | 2019 | P4 | ML-based DoS mitigation
[83] | 2021 | P4 | ML-based DoS mitigation
[84,85] | 2020 | P4 | ML-based DoS mitigation
[86] | 2023 | P4 | ML-based DoS mitigation
[87] | 2018 | OpenFlow, P4 | Intrusion detection
[88] | 2019 | P4 | Intrusion detection
[89] | 2021 | P4 | Intrusion detection
[90] | 2023 | P4 | Intrusion detection
[91] | 2024 | P4 | Intrusion detection
[92] | 2021 | P4 | Anomaly detection
[93] | 2020 | P4 | ML-based intrusion detection
[94] | 2021 | P4 | ML-based intrusion detection
[95,96] | 2024 | P4 | ML-based intrusion detection
[97,98] | 2025 | P4 | ML-based intrusion detection
[99] | 2024 | OpenFlow | ML-based network monitoring
[100] | 2024 | P4 | ML-based traffic classification
[101] | 2017 | P4 | Deep packet inspection
[102] | 2020 | P4 | Deep packet inspection
[103] | 2022 | P4 | Deep packet inspection
[104] | 2023 | P4 | Deep packet inspection
[105] | 2016 | P4 | Firewall
[106] | 2018 | Novel (CoFilter) | Packet filtering
[107] | 2018 | P4 | Firewall
[108] | 2019 | P4 | 5G firewall
[109] | 2017 | OpenFlow, P4 | Anti-spoofing
[110,111] | 2020 | P4 | Anti-spoofing
[112] | 2019 | P4 | Anti-spoofing
[113] | 2019 | P4 | Anti-eavesdropping
[114] | 2019 | OpenFlow, P4 | Anti-eavesdropping
[115,116] | 2020 | P4 | Anti-eavesdropping
[117] | 2021 | P4 | Anti-eavesdropping
[118] | 2018 | P4 | Topology obfuscation
[119,120] | 2019 | P4 | Network anonymity
[121] | 2019 | P4 | Data plane authentication
[122] | 2021 | P4 | Data plane edge authentication
[123] | 2020 | P4 | Data plane authentication
[124] | 2020 | OpenFlow, P4 | Encryption
[125] | 2020 | P4 | Encryption
[126] | 2021 | P4 | Encryption
[127] | 2020 | P4 | MACsec
[128] | 2020 | P4 | IPsec
[129] | 2019 | P4 | Cryptographic hashing
[130,131,132,133] | 2019 | P4 | Network defense
[134] | 2023 | P4 | Network defense
[135] | 2022 | P4 | Network defense
[136,137,138] | 2023 | P4 | Network defense
[139] | 2019 | P4 | Edge network defense
[140] | 2018 | OpenFlow, P4 | Security framework
[141] | 2018 | P4 | Application layer security
[142] | 2020 | P4 | BYOD
[143] | 2020 | P4 | P4 performance
[144] | 2020 | P4 | Covert channel defense
[145] | 2020 | P4 | Explicit congestion notification
[146] | 2021 | P4 | ML-based network defense
[147] | 2022 | P4 | OS fingerprinting
[148] | 2020 | P4 | Blockchain
[149] | 2021 | OpenFlow, P4 | Distributed network functions
Table 5. SDN-NFV implementations and applications.
Reference | Year | Implementation | Application
[151] | 2013 | OpenFlow | Cost-based placement
[152] | 2014 | OpenFlow | Secure routing
[153] | 2015 | OpenFlow | Intrusion detection
[154] | 2017 | OpenFlow | Adaptive routing
[155] | 2017 | Novel (OpenSDWN) | SDWN
[156] | 2018 | Novel (OpenFunction) | Middleboxes
[157] | 2019 | OpenFlow | Data plane functions
[158] | 2023 | OpenFlow | Data plane functions
[159] | 2015 | Novel (VNGuard) | Firewall management
[160] | 2020 | OpenFlow | Network deception
[161] | 2021 | OpenFlow, P4 | Programmable edge networking in 5G
[162] | 2023 | OpenFlow | Blockchain in 5G
Table 6. Traditional security capabilities in the SDN data plane.
Reference | Year | Implementation | Application
[176] | 2016 | OpenFlow | Firewall
[177] | 2020 | OpenFlow | Firewall
[178] | 2017 | OpenFlow | Deep packet inspection
[179] | 2018 | OpenFlow | Deep packet inspection
[180] | 2021 | OpenFlow | Deep packet inspection
[181] | 2020 | OpenFlow | Deep packet inspection
[182] | 2016 | OpenFlow | DoS mitigation
[183,184] | 2017 | OpenFlow | DoS mitigation
[185] | 2017 | OpenFlow | Entropy-based DoS mitigation
[186] | 2020 | OpenFlow | Entropy-based DoS mitigation
[187] | 2021 | OpenFlow | Entropy-based DoS mitigation
[188] | 2020 | OpenFlow | Entropy-based DoS mitigation
[189] | 2019 | OpenFlow | DoS mitigation
[190] | 2018 | OpenFlow | DoS mitigation
[191] | 2019 | OpenFlow | DoS mitigation
[192,193] | 2020 | OpenFlow | DoS mitigation
[194] | 2023 | OpenFlow | DoS mitigation
[195] | 2016 | OpenFlow | ML-based DoS mitigation
[196] | 2017 | OpenFlow | ML-based DoS mitigation
[197] | 2018 | OpenFlow | ML-based DoS mitigation
[198,199] | 2019 | OpenFlow | ML-based DoS mitigation
[200] | 2018 | OpenFlow | ML-based DoS mitigation
[201,202] | 2020 | OpenFlow | ML-based DoS mitigation
[203,204] | 2021 | OpenFlow | ML-based DoS mitigation
[205,206] | 2021 | OpenFlow | ML-based DoS mitigation
[207] | 2022 | OpenFlow | ML-based DoS mitigation
[208] | 2024 | OpenFlow | ML-based DoS mitigation
[209] | 2018 | OpenFlow | Low-rate DoS mitigation
[210,211,212,213] | 2023 | OpenFlow | Low-rate DoS mitigation
[214,215,216,217] | 2024 | OpenFlow | Low-rate DoS mitigation
[218] | 2025 | OpenFlow | Low-rate DoS mitigation
[219] | 2015 | Novel (EmPOWER) | Wireless monitoring
[220] | 2019 | OpenFlow | Intrusion detection
[221] | 2020 | OpenFlow | Intrusion detection
[222] | 2023 | OpenFlow | Intrusion detection
[223] | 2018 | OpenFlow | Traffic classification
[224] | 2020 | OpenFlow | Traffic classification
[203] | 2021 | OpenFlow | Traffic classification
[225] | 2024 | OpenFlow | Traffic classification
[226] | 2016 | OpenFlow | Network access control
[227] | 2021 | OpenFlow | Device-to-device
[228] | 2021 | OpenFlow | Network defense
[229,230] | 2024 | OpenFlow | Network defense
[231] | 2021 | OpenFlow | Moving target defense
[232] | 2016 | OpenFlow | Encryption
[233] | 2022 | OpenFlow | Encryption
[234] | 2022 | OpenFlow | Anti-spoofing
[235] | 2022 | OpenFlow | Blockchain
Table 7. Research strengths and weaknesses for security capabilities within the data plane.
Identifier | Summary | References
RSTR-3 | A range of security applications have been implemented using a programmable data plane. | [12,13,14,15,16,17,18,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149]
RSTR-4 | Programmable data planes may support mitigation of DoS and DDoS attacks at line rate. | [69]
RWKN-4 | There is a disproportionate focus on availability in SDN security. | [65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218]
RWKN-5 | There is a disproportionate focus on DoS and DDoS attacks on SDN. | [182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218]
RWKN-6 | Weaknesses of the decentralized model in programmable data planes are underinvestigated. | Nil
RWKN-7 | Hybrid SDN is underinvestigated. | [75,87,97,109,123]
RWKN-8 | In-network (in-band) control is underinvestigated. | [60]
RWKN-9 | Novel attacks on P4 switches are underinvestigated. | Nil
RWKN-10 | Software security for SDN and programmable data planes is underinvestigated. | Nil
Table 8. Device compromise in the SDN data plane.
Reference | Year | Implementation | Application
[236] | 2015 | OpenFlow | Compromise detection
[237] | 2016 | OpenFlow | Compromise detection
[238,239,240,241] | 2017 | OpenFlow | Compromise detection
[242] | 2019 | OpenFlow | Compromise detection
[243] | 2020 | OpenFlow | Compromise detection
[244] | 2021 | OpenFlow | Compromise detection
[245] | 2024 | P4 | Compromise detection
[246] | 2018 | OpenFlow | Anti-packet injection
[247] | 2019 | OpenFlow | Anti-packet injection
[248] | 2014 | OpenFlow | Novel attacks
[249] | 2018 | OpenFlow | Novel attacks
Table 9. Forwarding anomaly detection.
Reference | Year | Implementation | Application
[250] | 2015 | OpenFlow | Forwarding anomaly detection
[251] | 2016 | OpenFlow | Forwarding anomaly detection
[252] | 2021 | OpenFlow | Forwarding anomaly detection
[253] | 2017 | OpenFlow | Forwarding anomaly detection
[254,255] | 2018 | OpenFlow | Forwarding anomaly detection
[256] | 2021 | OpenFlow | Forwarding anomaly detection
[257] | 2019 | OpenFlow | Forwarding anomaly detection
[258] | 2021 | OpenFlow | Forwarding anomaly detection
[259] | 2022 | OpenFlow | Forwarding anomaly detection
[260] | 2020 | OpenFlow, P4 | Forwarding anomaly detection
[261] | 2023 | P4 | Forwarding anomaly detection
[262] | 2018 | OpenFlow | ML-based forwarding anomaly detection
[263,264] | 2019 | OpenFlow | ML-based forwarding anomaly detection
[265] | 2020 | OpenFlow | ML-based forwarding anomaly detection
[266] | 2012 | OpenFlow | Network invariant detection
[267] | 2015 | OpenFlow | Network defense
[268] | 2019 | OpenFlow | Load optimization and anomaly detection
Table 10. Heterogeneous SDN.
Reference | Year | Implementation | Application
[269] | 2015 | OpenFlow | IoT and ad hoc networks
[270,271] | 2020 | OpenFlow | IoT
[272] | 2016 | OpenFlow | Big Data
[273] | 2019 | OpenFlow | 5G
Table 11. Secure southbound communication.
Reference | Year | Implementation | Application
[274] | 2018 | OpenFlow | Cross-plane defense
[275] | 2020 | OpenFlow | IPsec for SDN security
[276] | 2022 | OpenFlow | Trust-aware security
[277] | 2022 | OpenFlow | MITM mitigation
Table 12. Research strengths and weaknesses for security of the data plane infrastructure.
Identifier | Summary | References
RSTR-5 | Device compromise in SDN has been the subject of significant investigation. | [236,237,238,239,240,241,242,243,244,245,246,247,248,249]
RSTR-6 | Forwarding anomaly detection in SDN has been the subject of significant investigation. | [250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268]
RWKN-11 | Security of the SBI is underinvestigated. | [274,275,276,277]
RWKN-12 | There are no widely accepted security frameworks for the SDN data plane. | Nil
RWKN-13 | There is a lack of SDN mechanisms for data plane monitoring and observability. | Nil
RWKN-14 | SDN-based MTD is underinvestigated. | [31,57,231]
RWKN-15 | Trust management for SDN data plane devices is underinvestigated. | [276]
Table 13. Multi-path routing.
Reference | Year | Implementation | Application
[278] | 2015 | OpenFlow | Multi-path routing
[279] | 2018 | OpenFlow | Multi-path routing
[280] | 2019 | OpenFlow | Multi-path routing
[281] | 2020 | OpenFlow | ML-based multi-path routing
[282] | 2022 | OpenFlow | ML-based multi-path routing
[283] | 2023 | OpenFlow | ML-based multi-path routing
[284] | 2025 | OpenFlow | ML-based multi-path routing
[285,286] | 2018 | OpenFlow | Multi-path routing using SDN-NFV
[287] | 2019 | OpenFlow | Multi-path scheduling
[288] | 2021 | P4 | Multi-path scheduling
[289] | 2022 | OpenFlow | Multi-path for satellite networks
[290] | 2024 | OpenFlow | Multi-path for satellite networks
[291] | 2020 | OpenFlow | Multi-path routing for datacenters
[292] | 2020 | OpenFlow | Multi-path hop-by-hop forwarding
Table 14. Trust-based routing.
Reference | Year | Implementation | Application
[293] | 2014 | OpenFlow | Trust-based routing for cloud
[294] | 2015 | OpenFlow | Multi-controller trust-based routing
[295] | 2016 | OpenFlow | Trust-based routing for multi-domain networks
[296] | 2022 | OpenFlow | Trust-based routing
[297] | 2020 | OpenFlow | Trust-based clustering in IoT
[298] | 2023 | OpenFlow | Trust-based cooperative system for Wi-Fi
[299] | 2024 | OpenFlow | Trust-based routing for heterogeneous networks
[300] | 2013 | Nil | Trust management
[301] | 2015 | OpenFlow | Security framework
[302] | 2019 | OpenFlow | Trust management
[303] | 2016 | OpenFlow | Trust management for heterogeneous networks
[304] | 2021 | OpenFlow | Trust management for VANETs
[305] | 2016 | OpenFlow | Trust for virtualized and software-defined networks
[306] | 2023 | OpenFlow | Trust-aware switching framework
[307] | 2022 | OpenFlow | Segment routing
[308] | 2024 | OpenFlow | Zero-trust-based trust and traffic engineering
Table 15. Resilient routing.
Reference | Year | Implementation | Application
[309] | 2011 | OpenFlow | Source address validation
[310] | 2017 | OpenFlow | Random route mutation
[311] | 2017 | OpenFlow | Capability-based routing
[312] | 2018 | OpenFlow | Dynamic routing for VANETs
[313] | 2022 | OpenFlow | ML-based moving target defense
[314] | 2017 | OpenFlow | Fast failure recovery
[315] | 2022 | P4 | Fast failure recovery
[316] | 2023 | OpenFlow | Optical transport networking
[317] | 2023 | OpenFlow | ML-based routing optimization
Table 16. Research strengths and weaknesses for dynamic routing within the data plane.
Identifier | Summary | References
RSTR-7 | Dynamic routing in SDN, including multi-path routing, has been the subject of significant investigation. | [278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,309,310,311,312,313,314,315,316,317]
RWKN-16 | Trust-based routing is underinvestigated. | [293,294,295,296,297,298,299,301,302,303,304]
RWKN-17 | Dynamic routing in heterogeneous SDN is underinvestigated. | [26,47,48,299,303]
RWKN-18 | Capability-based routing is underinvestigated. | Nil
RWKN-19 | Time-sensitive routing is underinvestigated. | Nil
Table 17. Summary of research strengths identified in this review.
Identifier | Research Strengths
RSTR-1 | P4 security applications have been subject to significant investigation.
RSTR-2 | Cross-plane security for SDN has been subject to significant investigation.
RSTR-3 | A range of security applications have been implemented using a programmable data plane.
RSTR-4 | Programmable data planes may support mitigation of DoS and DDoS attacks at line rate.
RSTR-5 | Device compromise in SDN has been the subject of significant investigation.
RSTR-6 | Forwarding anomaly detection in SDN has been the subject of significant investigation.
RSTR-7 | Dynamic routing in SDN, including multi-path routing, has been the subject of significant investigation.
Table 18. Summary of research weaknesses identified in this review.
Identifier | Research Weaknesses
RWKN-1 | No comprehensive review exists for SDN data plane security research.
RWKN-2 | Security of the P4 architecture is underinvestigated.
RWKN-3 | Heterogeneous SDN is underinvestigated.
RWKN-4 | There is a disproportionate focus on availability in SDN security.
RWKN-5 | There is a disproportionate focus on DoS and DDoS attacks on SDN.
RWKN-6 | Weaknesses of the decentralized (control) model in programmable data planes are underinvestigated.
RWKN-7 | Hybrid SDN is underinvestigated.
RWKN-8 | In-network (in-band) control is underinvestigated.
RWKN-9 | Novel attacks on P4 switches are underinvestigated.
RWKN-10 | Software security for SDN and programmable data planes is underinvestigated.
RWKN-11 | Security of the SBI is underinvestigated.
RWKN-12 | There are no widely accepted security frameworks for the SDN data plane.
RWKN-13 | There is a lack of SDN mechanisms for data plane monitoring and observability.
RWKN-14 | SDN-based MTD is underinvestigated.
RWKN-15 | Trust management for SDN data plane devices is underinvestigated.
RWKN-16 | Trust-based routing is underinvestigated.
RWKN-17 | Dynamic routing in heterogeneous SDN is underinvestigated.
RWKN-18 | Capability-based routing is underinvestigated.
RWKN-19 | Time-sensitive routing is underinvestigated.
Share and Cite

Quinn, T.; Bouhafs, F.; den Hartog, F. Securing the SDN Data Plane in Emerging Technology Domains: A Review. Future Internet 2025, 17, 503. https://doi.org/10.3390/fi17110503