Security and Privacy Issues in Software-Deﬁned Networking (SDN): A Systematic Literature Review

: Software-deﬁned network (SDNs) have fundamentally changed network infrastructure by decoupling the data plane and the control plane. This architectural shift rejuvenates the network layer by granting the re-programmability and centralized management of networks which brings about exciting challenges. Although an SDN seems to be a secured network when compared to conventional networks, it is still vulnerable and faces rigorous deployment challenges. Moreover, the bifurcation of data and control planes also opens up new security problems. This systematic literature review (SLR) has formalized the problem by identifying the potential attack scenarios and highlighting the possible vulnerabilities. Eighty-six articles have been selected carefully to formulize the SLR. In this SLR, we have identiﬁed major security attacks on SDN planes, including the application plane, control plane, and data plane. Moreover, this research also identiﬁes the approaches used by industry experts and researchers to develop security solutions for SDN planes. In this research, we have introduced an attack taxonomy and proposed a collaborative security model after comprehensively identifying security attacks on SDN planes. Lastly, research gaps, challenges, and future directions are discussed for the deployment of secure SDNs.


Introduction
The software-defined network (SDN) has become one of the top networking architectures for simplifying network management by enabling innovation in network communication. The fundamental characteristic of SDN architecture is to decouple the control plane from the data plane. A control plane is logically centralized to maintain the network state and gives instructions to the data plane [1]. In the data plane network, devices forward data packets by following the control instructions. However, this architectural transformation has received immense attention from the network industry and academic fields. Additionally, the advantages of SDNs have been proven in different scenarios, such as Google B4, NTT's edge gateways, and Microsoft's public cloud [2][3][4].
SDN also offers a standardized or consistent application programming interface (API) for adding up-to-date programmable features to the network to overcome flexibility and programmability issues in traditional networks. In addition, SDNs help network service providers to obtain a more flexible, manageable, and programmable network architecture [5]. These properties of SDNs help to empower the control plane and accomplish a global view of network topology to dynamically modify the functionalities of the network. Although SDNs manage networks in a more centralized way, it is now endorsed by both academic and industrial practitioners. This is because security has become a major concern at all levels, especially in newly designed network systems, such as cloud networks and peer-to-peer networks. Therefore, despite the number of advantages, SDNs have many inherent network security challenges, including scalability, reliability, controller placement, and latency [6]. Moreover, several security attacks were also investigated by other The application layer communicates with the control layer by using northbound API [11]. Although applications deploy multiple network services in SDN, there are still some major security challenges in SDN due to the emerging abilities of hackers. The most common security threats at this layer are authentication, authorization, access control, and accountability. The control layer is the mediator between the application layer and the data layer, which consists of the SDN controller or network operating system (NOS). The The application layer communicates with the control layer by using northbound API [11]. Although applications deploy multiple network services in SDN, there are still some major security challenges in SDN due to the emerging abilities of hackers. The most common security threats at this layer are authentication, authorization, access control, and accountability. The control layer is the mediator between the application layer and the data layer, which consists of the SDN controller or network operating system (NOS). The overall responsibility of this layer is to manage the functionality of the entire network by taking decisions on packet forwarding and routing [12]. The control layer communicates with its lower layer (data layer) by using southbound API. The logically centralized controller consists of node flows like flood light, POX, NOX, MUL, Jaxon, etc.
This layer is only responsible for decision making due to its logically centralized controller; therefore, it is easily targeted in order to perform malicious tasks across the Electronics 2023, 12, 3077 3 of 37 entire network. Major security challenges on this layer are unauthorized applications, flow rule modification, policy enforcement, and forwarding policy discovery. The data layer is responsible for packet forwarding, according to the assigned policies of forwarding devices, such as physical switches and virtual switches.
To deploy packet forwarding policies in SDN, OpenFlow switches are used to support the flow tables and flow rules, because OpenFlow is the most widely used southbound interface in SDN scenarios. Flow tables are the main data structure in OpenFlow devices that contain a set of flow entries. Packet forwarding devices analyze the incoming packets through flow tables and take corrective measures regarding the received information. However, flow rules are used to control the behavior of packet forwarding, which is identified via matching packet fields as well as other features, such as packet counters. When the first packet arrives from the new host at the open flow switch, it is necessary for the controller in the flow table to install a new flow rule. However, due to the space constraint, every switch has a limitation on flow table entries, which generates new security issues. The most common security challenges that arise at this layer are DoS, configuration errors, flow rule conflicts, and data leakage. Over the last few years, many meetings and conferences have been held to discuss security issues as well as solutions. Apart from this, researchers and practitioners have also presented some security solutions related to SDNs through authentication mechanisms and policy conflict resolutions. However, there is a need for an further degree of attention in order to achieve SDN deployment in data centers or individual organizations.
The objective of this research is to present a comprehensive systematic literature review related to security and privacy issues on SDN planes. This SLR provides contributions from four perspectives: • This review presents all major security attacks on SDN planes, including the application plane, control plane, and data plane.

•
The SLR identifies the approaches used by researchers and industry experts to present security solutions for SDN attacks on planes. • Moreover, SLR also presents a security model after identifying malicious attacks on the SDN application plane, control plane, and data plane. • Additionally, we also present challenges and research gaps as well as suggest future research directions to produce a sustained solution for SDN security.
describe the security issues in SDNs, Kreutz et al. [13] presented threat vectors, which demonstrated that there is no persuasive mechanism for building a trusted relationship between applications and the controller in SDNs. Thus, forged traffic flows can be injected into controllers and switches that can be triggered by a malicious user. In this way, an attacker will use network elements such as servers, switches, and computers to generate a DoS attack. Similarly, attacks on vulnerabilities in controllers and switches can wreak havoc on the network; therefore, malicious controllers compromise the whole network. The prevention of DDoS attacks has been a primary concern for researchers and network security administrators [14][15][16][17]. DDoS attacks are highly frequent; therefore, it is necessary to develop robust solutions that are effective in detecting and mitigating DDoS attacks [18,19]. From the literature, it can be seen that a DDoS security mechanism must be able to prevent attacks from within and outside the network [20]. Schehlmann et al. [21] presented an evaluation methodology for SDN security and a comparison with other conventional networks. SDN security measurement criteria consist of authenticity, availability, confidentiality, consistency, and integrity. Although authors argue that a number of attacks in SDN can also exist in conventional networks, they have not explored attacks on SDN layers and their impacts on the overall SDN architecture. Abdulkarem et al. [22] have identified the DDoS attack in the SDN data layer and proposed a solution for attack detection and mitigation by implementing python language. Moreover, the central controller is one of the most vulnerable components of SDN architecture due to weak authentication, information disclosure, and incomplete encryption. Hence, if the controller on the control plane is not properly secure, then the entire network will be badly affected [19]. Switches have the weakest performance in terms of hardware because an attacker attacks communication channels in order to destroy the link between switches and controllers. According to OpenFlow, standard switches will be changed into the standalone mode or fail-secure mode [23]. Further, the multi-controller implementation will divide the whole network into multiple networks, which leads to consistency and privacy issues [24]. However, the consistency and legitimacy of flow rules are the major security issues in the data layer. During the release process, malicious tampering or transmission delays cause inconsistency issues to take place between switches and controllers [25].
Furthermore, the northbound interface also faces a number of security challenges, the biggest security vulnerability at this interface is standardization [26][27][28]. There is no consistent provision regarding authentication and authorization methods due to diversity as well as regular updates in SDN applications. By exploiting the programmability and openness of the northbound interface, an attacker can launch the attack and access the important resources in the control to change or occupy the network status. In the past few years, studies have focused on passive differential power analysis (DPA) and active differential fault analysis (DFA) by measuring the consumption of power of one or more operations. However, some attacks are considered side-channel attacks in order to obtain patterns from extracted information [29].
Moreover, the southbound interface also suffers different security attacks due to the leakage of open flow protocols, because open flow uses TLS/SSL protocol for data encryption, which is not secure [30][31][32][33][34][35]. Additionally, the southbound interface also faces data leakage, controller spoofing, eavesdropping, and many other security attacks. Scott-Hayward et al. [36] presented a comprehensive survey on different security challenges in SDNs and identified the proposed solution as well as describing the holistic approaches that are necessary for SDN security. Ahmad et al. [37] identified the security threats in SDN at the application plane, data plane, and control plane along with security platforms that can secure each plane from different attacks. Table 1 shows already published SLRs, highlighting the contribution of our research. We have compared our defined research questions with already available solution where symbol indicates the matched contribution of the study and × symbol shows the gaps of their study.

Research Method
The primary objective of a SLR is to present inclusive knowledge from the literature in the research field in an organized and holistic way. Apart from that, a SLR can also help to identify existing research gaps as well as the consequent recognition of avenues for research in the future. In this section, we define the method used to conduct this SLR. The method involved research questions (RQ), search string, data sources, eligibility criteria (inclusion and exclusion criteria), screening and selection process, and quality assessment (QA) criteria.

Research Questions
The objective of this SLR is to provide a comprehensive review of security and privacy issues in SDNs. Therefore, we designed seven research questions in the first phase of this SLR. We evaluated the security attacks/threats on SDN layers/planes and proposed solutions for those attacks. The RQs are given in Table 2 with their corresponding motivations.

RQ1
How has the frequency of research approaches been changed over time in the field of SDN security?
To identify the published studies in the SDN security area over time.

RQ2
What are the primary publication channels for identifying security attacks and their solutions on SDN planes?
To identify the primary sources published in SDN security and privacy issue-related studies.

RQ3
What research approaches have been used by researchers to identify the security and privacy issues on SDN planes?
To identify the proposed research approaches related to SDN security issues, security solutions, and attack causes.

RQ4
What are the major attacks targeting planes in SDNs addressed by the literature?
To address the security attacks and proposed solutions for SDN planes.

RQ5
What are the major types of attacks identified by researchers?
To identify the attacks/threats on SDN planes.

RQ6
What are the major causes of attacks addressed in the literature on SDN planes?
To identify the causes of attacks on SDN planes.

RQ7
What proposed solutions have been implemented to address security attacks on SDN planes?
To identify the proposed solutions for security attacks on SDN planes addressed in the literature.

Search String
The search was conducted at the start of December 2020 by applying the search string to different databases. We applied the search string via the Boolean operators "ANDs" and "ORs" as follows: ("Software Defined Networks" OR "SDN") AND ("SDN security" OR "SDN threats") OR ("SDN Security Solutions" OR "SDN Layers").

Data Sources
The next phase was to search for the source references. In this phase, multiple search terms were implemented, such as search keyword, search source, relevant papers selection, and filtering. The main research was carried out by looking at the keywords, paper titles, and abstracts for each paper or journal. There were four types of publication, namely journals, conferences, symposiums, and reports. The obtained results from each database are shown in Figure 2. The digital search process was carried out by implementing the search query in seven different databases. The chosen databases were: To identify the proposed solutions for security attacks on SDN planes addressed in the literature.

Search String
The search was conducted at the start of December 2020 by applying the search string to different databases. We applied the search string via the Boolean operators "ANDs" and "ORs" as follows: ("Software Defined Networks" OR "SDN") AND ("SDN security" OR "SDN threats") OR ("SDN Security Solutions" OR "SDN Layers").

Data Sources
The next phase was to search for the source references. In this phase, multiple search terms were implemented, such as search keyword, search source, relevant papers selection, and filtering. The main research was carried out by looking at the keywords, paper titles, and abstracts for each paper or journal. There were four types of publication, namely journals, conferences, symposiums, and reports. The obtained results from each database are shown in Figure 2. The digital search process was carried out by implementing the search query in seven different databases. The chosen databases were:   • Secondary studies, Editorial, Short Papers (less than 6 pages) • Articles published before 2015.
• Non English manuscripts • Articles that address the SDN security vulnerabilities in other domains

Inclusion Criteria
• Articles focused on the security and privacy issues of SDN • Research is conducted in industrial and academic environment.
• Articles published between 2015-2022 • Articles published only in English language • Studies that propose SDN security solutions Final dataset 86 articles

Screening Process
After implementing the search string in different scientific databases, we used a search process defined by Dybå et al. [47] for screening relevant papers. In the first stage of screening, we selected the papers on the basis of their title and excluded papers that were not related to the research field. For example, the search query returned papers related to SDN security in different fields, such as the internet of things, cloud computing, blockchain, etc. Moreover, some phases make it difficult to measure the actual relevancy of screened papers on the basis of their title. To resolve this issue, we passed the papers to another screening phase. In the second phase of screening, we read the abstract of each paper selected in the first phase.

Inclusion and Exclusion Criteria
The selection of the published peer-reviewed articles is governed by defining the exclusion and inclusion criteria. Because all studies in searchers were not exactly related to the defined RQs, the selection of the papers was needed to identify their actual relevance. The exclusion and inclusion criteria for this SLR is shown in Figure 2. After applying the defined exclusion and inclusion criteria to the papers, we included the selected studies in the next screening and selection phase.

Study Selection Process
When the defined search query was applied in selected databases, 3642 papers were initially retrieved. The first screening phase was applied on the basis of the retrieved paper's title. The screening process based on the title was carried out by two authors, resulting in 756 papers. After the selection of 756 papers, we removed the duplicate papers by applying an abstract-based screening process and a total of 523 papers were selected. A high number of papers were excluded because they were not relevant to our research topic. For example, a number of papers were related to SDN security issues in the cloud, IoT, and blockchain. However, the focus of our research is to review the security issues and challenges on SDN planes (application plane, control plane, and data plane). In the last selection procedure, two authors read all selected papers and excluded 30 papers due to their focus on specific SDN security issue domains. Two authors read the final selected papers, which did not lead to any exclusions. The selection process results are presented in Figure 2.

Quality Assessment Criteria
QA is considered one of the most critical phases to evaluate the quality of selected studies. QA questions aim to assess the internal and external validity of reviewed articles and measure the scope that these articles address. We define the four QA questions as follows: QA1: Explicit discussion about data analysis and the possible answer will be: "Quantitative = +1" "Qualitative = +0.5" or "No analysis performed = +0". QA2: Discussed research concerns are valid according to the defined methodology and the topic of interest: "Yes = +1", "Partial = +0.5" and "No = +0". QA3: Discussion about challenges and advantages of selected topic: "Yes = +1", "Partial = +0.5" and "No = +0".

Analysis
Regarding the objective of this research, the findings of SLR are explained in this section. After the screening and selection processes, selected studies were used to identify the answers of each research question. This analysis formulates a fundamental contribution to identifying the security challenges in SDN along with their proposed solutions to make the network system more secure in the future.

Results Selection
The state-of-the-art analysis of multiple security threats on SDN planes is a key challenge due to their integration into multiple technologies, including cloud computing, IoT, big data, machine learning, blockchain, etc. However, according to the defined RQs, we focused only on three SDN planes (application plane, control plane, and data plane) and gathered 86 studies. After carrying out a deep analysis of the selected articles, we addressed all RQs according to the extracted information. The classification results of the selected studies and quality assessment scores are shown in Table 3.  The separation of the control plane and data plane is a major reason behind DDoS attacks.
Controller-to-controller protocol was proposed for the mitigation of DDoS attacks.   Proposed an authentication mechanism to secure the NDP. In order to identify the attacks on application layer, the content parser system called COPY is proposed.    The yearly distribution of selected primary studies is shown in Figure 3. We selected the articles published between 2015 and 2020, according to their publication channels.
Interestingly, all selected studies related to SDN security issues were published after the year 2014. This indicates that security issues in SDN as a research field are a recent and challenging area. A closer overview of the yearly distribution of selected studies shows that 6 papers (8%) were published in 2015, 16 papers (23%) in 2016, 11 papers (16%) in 2017, 11 papers (16%) in 2018, 17 papers in 2019 (24%), and 6 papers (13%) were published in 2020. This shows the growing demand for SDN each year and an increasing number of security challenges on SDN planes. It can be seen that few papers were published in 2020 because the initial search process was performed in November 2020.  Figure 4 shows the publication sources of selected studies, where we have identified seven different databases. The possible sources for selected studies are IEEE, MDPI, Springer, Science Direct, Wiley, Plos, and Hindawi. Furthermore, the selected channels for this SLR include journals, conferences, workshops, and symposiums. Our results showed that 66% of papers were published in journals, 27% in conferences, 3% in workshops, and 4% in symposia. Note that 44% of articles were published in IEEE journals, conferences, symposia, and workshops; however, 56% of the selected studies were published through other channels.  Figure 4 shows the publication sources of selected studies, where we have identified seven different databases. The possible sources for selected studies are IEEE, MDPI, Springer, Science Direct, Wiley, Plos, and Hindawi. Furthermore, the selected channels for this SLR include journals, conferences, workshops, and symposiums. Our results showed that 66% of papers were published in journals, 27% in conferences, 3% in workshops, and 4% in symposia. Note that 44% of articles were published in IEEE journals, conferences, symposia, and workshops; however, 56% of the selected studies were published through other channels. In this systematic literature review, we identified nine types of research approaches, including proposed solutions (26), proposed methods (17), proposed systems (10), architectures (9), frameworks (13), surveys (7), models (2), reviews (1), and schemes (1), as shown in Figure 5. The categorization of these approaches is shown in Table 3, according to their planes/layers. Moreover, identified approaches are discussed in this section:

Proposed Solution
Researchers have proposed a number of security solutions for SDN planes to identify, investigate, and mitigate the security threats in their actual contexts [85,86,90,95,96,101].
OF the multiple security threats in SDN, there is a considerable growth in DDoS attacks due to the isolation of the control plane and data plane [16,19,[51][52][53]58,65]. Celesova et al. [16] proposed a specter solution to mitigate DoS/DDoS attacks by using machine learning approaches and open flow possibilities, which cover a wide area of security on the control plane and data plane. In this systematic literature review, we identified nine types of research approaches, including proposed solutions (26), proposed methods (17), proposed systems (10), architectures (9), frameworks (13), surveys (7), models (2), reviews (1), and schemes (1), as shown in Figure 5. The categorization of these approaches is shown in Table 3, according to their planes/layers. Moreover, identified approaches are discussed in this section:  In this systematic literature review, we identified nine types of research approaches, including proposed solutions (26), proposed methods (17), proposed systems (10), architectures (9), frameworks (13), surveys (7), models (2), reviews (1), and schemes (1), as shown in Figure 5. The categorization of these approaches is shown in Table 3, according to their planes/layers. Moreover, identified approaches are discussed in this section:

Proposed Method and System
Different methods and systems have been investigated to detect and mitigate security attacks on SDN planes. As the decoupling of control and data plane provides centralized control, programmability, and flexibility, on the other hand, there are also many vulnerabilities due to communication conflicts between these planes. These vulnerabilities are leveraged due to the saturation of the control plane and buffer overflow attacks, which are introduced via TCP SYN flooding. To detect and mitigate the TCP SYN flooding attack, the SAFETY solution is presented, which determines the flow data randomness [95]. Additionally, another countermeasure, SLICOTS, also mitigates the TCP SYN flooding attack at the control plane by taking the advantage of the SDN's dynamic programmability nature [14].

Architecture and Framework
Researchers proposed a number of security architectures and frameworks to make the SDN architecture secure [57,119]. In this research, we identified the proposed architectures [78,84,93,93,94,94,100,117] and frameworks [62,64,89] in regard to each SDN plane (application plane, control plane, data plane). Mowla et al. [79] proposed an SDN-based CDNI network architecture to detect spoofed IPs and developed a defense to mitigate spoofing attacks. It also optimizes network services by evaluating packet handling, topology, and traffic paths to overcome IP spoofing attacks. Further, the application layer is protected from DDoS attacks by leveraging SDN and deep learning enablers. The proposed framework empowers fully autonomous attack detection and mitigation on the application layer.

Survey and Review
By using qualitative methods, researchers have presented comprehensive surveys on multiple security issues in SDN, such as DDoS attacks, link flooding attacks, and ARP poisoning attacks, along with their proposed solutions [88,104,105,111,112]. Shah et al. [83] presented a comprehensive survey on the solutions to ARP cache poisoning attacks. The identified solutions are divided into three categories, i.e., solutions on the basis of traffic patterns, IP-MAC address bindings, and flow graphs. Moreover, these solutions were also analyzed with respect to ARP response time, attack detection time, and delay calculation at the controller. Further, an extensive review of DDoS attack detection techniques is presented, which categorizes these detection techniques at a high level according to the methods used [21].

Model and Scheme
In the model research approach, researchers accomplished a provisional understanding of SDN security challenges by using controlled testing techniques to investigate the major causes and threats on SDN planes. Deepa et al. [14] proposed a hybrid machine learning model to detect and mitigate DDoS attacks on the controller. Further, to overcome the isolation attacks in SDN, two defense schemes were proposed, i.e., SpoofDefender and RSDetector [120]. The RSDetector scheme detects the rouge switches in the network and the SpoofDefender scheme protects the SDN planes from spoofing attacks.

Assessment of RQ4: What Are the Major Attacks Targeting Planes in SDNs
Addressed in the Literature?
SDNs have become some of the most promising and hottest technologies in terms of flexibility, scalability, and effectiveness due to their wide implementation in different areas, such as data centers, smart homes, smart grids, wireless LAN, etc. However, the architecture is not as mature as required and its centralized control nature has caused a wide variety of new security challenges. Table 3 shows that attack on different planes are different due to the multi-layer architecture of SDNs. Therefore, we classified the security issues on each plane along with their proposed solutions. Attack frequency on the application plane is 21.48%; on the control plane, it is 46.31%; and 32.21% on the data plane, as shown in Figure 6. Among the security threats on SDN planes, we noticed that there has been a significant rise in DDoS attacks. The frequency of DDoS attacks is higher in the control plane when compared to other planes because the controller is only responsible for packet-forwarding decision making in SDN architecture [14,16,21,48,49,51,52].
SDNs have become some of the most promising and hottest technologies in terms of flexibility, scalability, and effectiveness due to their wide implementation in different areas, such as data centers, smart homes, smart grids, wireless LAN, etc. However, the architecture is not as mature as required and its centralized control nature has caused a wide variety of new security challenges. Table 3 shows that attack on different planes are different due to the multi-layer architecture of SDNs. Therefore, we classified the security issues on each plane along with their proposed solutions. Attack frequency on the application plane is 21.48%; on the control plane, it is 46.31%; and 32.21% on the data plane, as shown in Figure 6. Among the security threats on SDN planes, we noticed that there has been a significant rise in DDoS attacks. The frequency of DDoS attacks is higher in the control plane when compared to other planes because the controller is only responsible for packet-forwarding decision making in SDN architecture [14,16,21,48,49,51,52]. In this section, we discuss the security threats that threaten SDN architecture. Moreover, Table 3 presents the classification of major security attacks that affect the SDN planes, i.e., application plane, control plane, and data plane. For more clarity on the taxonomy of attacks on SDN planes, see Figure 7 DDoS Attacks DoS/DDoS is the most challenging attack for SDNs. These attacks are intentional attempts to make network resources available to illegitimate users. In SDN architecture, the controller plays a vital role to determine the overall functionalities of the SDN network; therefore, the controller has become the central target for DoS/DDoS attacks. Some controllers that attract DoS/DDoS attacks have been identified, such as flood light-based controllers [123,124]. Shin et al. [125] described a DoS attack that exploits the separation logic of the control and data planes. Moreover, Fonseca et al. [126] suggested a secondary controller to deal with this problem, but the secondary controller is also vulnerable to these threats. Thus, multi-controller implementation is not a solution for DDoS because it leads to the failure of all controllers if the single controller fails [127].

Flooding Attack
Whenever an unmatched flow arrives at the virtual switch, it will send a request to the centralized controller to generate a forwarding rule for the new flow through the southbound interface. Attackers will send multiple packets to the virtual switch with In this section, we discuss the security threats that threaten SDN architecture. Moreover, Table 3 presents the classification of major security attacks that affect the SDN planes, i.e., application plane, control plane, and data plane. For more clarity on the taxonomy of attacks on SDN planes, see Figure 7.

DDoS Attacks
DoS/DDoS is the most challenging attack for SDNs. These attacks are intentional attempts to make network resources available to illegitimate users. In SDN architecture, the controller plays a vital role to determine the overall functionalities of the SDN network; therefore, the controller has become the central target for DoS/DDoS attacks. Some controllers that attract DoS/DDoS attacks have been identified, such as flood light-based controllers [123,124]. Shin et al. [125] described a DoS attack that exploits the separation logic of the control and data planes. Moreover, Fonseca et al. [126] suggested a secondary controller to deal with this problem, but the secondary controller is also vulnerable to these threats. Thus, multi-controller implementation is not a solution for DDoS because it leads to the failure of all controllers if the single controller fails [127].

Flooding Attack
Whenever an unmatched flow arrives at the virtual switch, it will send a request to the centralized controller to generate a forwarding rule for the new flow through the southbound interface. Attackers will send multiple packets to the virtual switch with spoofed IPs and compel the virtual switch to forward packet-in messages to the controller. The overflow of these fake flow requests overloads the controller and makes it inaccessible to legitimate users [128].

Flow Rule Conflicts
When open flow sends a request to the controller for a new flow rule, in response, the controller sends a new flow rule that is stored in the flow table of the switch. There is a timeout value for every flow rule and after that specified time, the switch evicts the old rules from the flow table [129]. Ternary content addressable memory has a very limited capacity to store flow table entries due to its high cost and power consumption [130]. Attackers overcome the switch by taking the advantage of this feature and sending fake flows to the switch. These fake flows cause the flow table of the switch to run out of memory and store only fake rules, which erase the legitimate entries and degrade the performance. 4.1.7. Assessment of RQ7: What Proposed Solutions Have Been Implemented to Address Security Attacks on SDN Planes? SDNs provide a dynamic security rule to define the security policy, implement the defined policy to network elements, and minimize the misconfiguration chances and policy conflicts. Due to the nature of global network visibility, multiple security systems, such as intrusion detection/prevention systems and firewalls, are implemented on specified traffic. In this section, we discussed the security measures, platforms, architectures, and proposed solutions for the application plane, control plane, and data plane. The identified security solutions from selected studies are shown in Figure 7.

Saturation Attacks
Saturation attacks degrade the network performance through controller saturation and buffer saturation: Controller Saturation: When packet-in requests (i.e., fake flows) arrive at the controller, then the controller makes a queue to handle the packet-in requests. Moreover, if fake packets arrive in bulk, the controller will be busy handling fake requests, which eventually downgrades the performance of SDN-based networks [131].
Buffer Saturation: When a packet-in message is transmitted by the switch to the controller, the maximum part of that packet is stored in the buffer memory. An attacker takes advantage of this feature and sends fake packet-in messages to the switch, and this leads to a buffer overflow. In this way, legitimate users are not able to process the flow requests and the attacker degrades the network performance without any difficulty.

Spoofing Attacks
In spoofing attacks, the actual identity of an attacker or traffic originator is hidden by forged network information, i.e., ARP, IP, MAC, etc. A user may use a spoofed addresses in order to access the network resources, which can be a part of a botnet designed to launch DDoS attacks. The most common spoofing threats are IP spoofing and ARP spoofing, which introduce larger attacks, such as smurf and TCP SYN flooding attacks [96,97].
ARP Spoofing: In ARP spoofing, the IP address of a legitimate user is linked to the attacker's MAC address. In this type of spoofing, traffic is hijacked from the originally anticipated receiver and knocked out the legitimate host or user from the network. Further, if SSL encryption is not specified in open flow, ARP poisoning may occur between switches and controllers. In ARP cache poisoning, the attacker exists in the same subnet of the victim network and uses the scanner to detect the network traffic among network components.
IP Spoofing: IP spoofing is creating many other security challenges on SDN planes, such as amplification and tampering. As the DNS directory associates an IP address with a domain name, by taking the advantage of this association, an attacker manipulates the DNS directory to reroute the traffic to illegal websites and launch flooding attacks.
Switch Spoofing: The IP address and control messages of the switch can be transmitted through the spoofed switch with a modified address. When a switch starts communicating with the controller by establishing a connection, at the same time, another malicious switch will activate and establish a connection with the controller. In this way, the controller will drop the connection with the legitimate switch and start communication with the malicious switch. This malicious communication can create fake requests and downgrade the performance of the network [124].

Tampering Attacks
Tampering is the unauthorized destruction or modification of network information, such as policies, access lists, flow rules, and topology. A malicious user may inject firewall rules or flow rules that will prohibit legitimate users and allow illegitimate users. Furthermore, attackers tamper with the topology information, which resultantly hijacks the traffic. Porras et al. [132] have described dynamic flow tunneling security challenges associated with conflicts in flow rules. These flows of tunneling security threats occur due to the evaluation of rules one by one. Attackers may organize multiple rules to violate the firewall rules because a single flow cannot violate the firewall rules.

Information Disclosure
Information disclosure security attacks never disrupt or destroy the network directly, they spy on network-sensitive information. Therefore, first of all, attackers will try to steal network information, such as communication between nodes or topology. The controller is the central location in SDN networks to control all switches of the entire network. Therefore, hackers can achieve a huge level of network access by invading the controller. Klöti et al. [133] described an attack scenario in which the attacker creates information about active flow rules. This is accomplished by defining the time between two connections. If the attempt of the second connection is faster when compared to the first, then an attacker may act as though the new flow rules. In this way, the attacker exploits the aggregation of flow in order to discover the flow table's content by observing the variances in the response time of the controller.

Scanning Attacks
An intruder is able to scan the SDN network remotely by sending probes to network IP addresses. When an adversary receives a response from its target point, it can be attacked or identified for a malicious purpose [21].

Cache Poisoning Attacks
A cache poisoning attack occurs due to the modification of flow rules in the flow table by an unauthorized user. Adversaries can add fake flow rules, which may lead to network failure. Hong et al. [7] presented an attack scenario in which an attacker produces fake LLDP packets by injecting a forged LLDP injection. Fake LLDP packets are produced into the open flow network to clarify the internal bogus links between two switches. By identifying the flow traffic from open flow switches, an attacker can access the actual LLDP packet.

Control Channel Hijacking
Hijacking occurs when a compromised open flow switch isolates itself from the authorized controller and connects with a malicious controller [134]. After connecting with the malicious controller, it redirects the traffic of the control channel to the malicious controller and spoofs messages to the legitimate controller.

Weak Authentication and Communication Attacks
Weak authentication and lack of trust between the controller and applications generate man-in-the-middle attacks and spoofing attacks at northbound and southbound APIs. Furthermore, inappropriate authentication may lead to malicious or unauthorized access to different applications. In this way, an attacker can easily eavesdrop on flows in order to analyze what kind of flows are implemented and what type of traffic is allowed through the network [89].
Cyber Attacks SDN is one of the most exciting domains for cyber-attacks due to the programmability and centralized nature of these networks. Therefore, cyber security has become a major challenge in the SDN environment for ensuring the continuity of required service [120][121][122] Researchers and security experts believe that typical SDN security threats involved are controller vulnerabilities, malicious applications, data leakage and modification, legality and consistency of flow rules, scalability, and configuration issues. We analyze the identified security threats and attack causes. The results of security analysis with respect to their affected SDN planes are shown in Table 3. From classification Table 3, it can be noted that the attack challenges of different planes are different. In this section, we discuss the causes of major security issues that exist on SDN planes.

Authorization and Authentication
Due to the centralized control nature of SDN architecture, the authentication and authorization of applications are major security issues in programmable networks. In open flow, control plane functionalities depend upon the applications running on the controller, which are developed by a third party rather than controller vendors. These applications restrict access to network resources and manipulate network behavior through malicious activities [135]. In this way, an attacker can easily gain access to network resources and impersonate the application/controller to influence network operations.

Data Modification
As previously discussed, the controller can reprogram the network devices in order to control the traffic flow in SDN. Therefore, an attacker can control the whole network by hijacking the controller and modifying or inserting flow rules in network devices. In this regard, the attacker generates a man-in-the-middle attack by intercepting messages between two victims to inject or alter messages into a communication channel. The FlowVisor approach was identified by Jarschel et al. [136], which allows the attacker to modify data on communication entities.

Threats from Malicious Applications
In SDN architectures, applications are implemented on top of the control plane, which opens the control plane to detrimental security attacks. Controller security is very challenging due to the integration of third-party applications in SDN architecture [137]. Therefore, malicious applications have a serious impact on the network as a compromised controller. Moreover, a buggy or poorly designed application also generates new security threats to the system.

Scalability Issues
Jarschel et al. [136] investigated whether implementations of the new controller are able to handle the high volume of flows during the integration of open flow with highspeed networks. Therefore, a lack of scalability introduces saturation attacks on the control plane, which is more detrimental in SDN architecture when compared to traditional networks [137].

Side-Channel Attack
As SDNs constantly carry confidential as well as private information, where each execution has different attributes, such as the time attribute [138]. At this level, an attacker may attack by using side-channel attacks to infer network state-related information. Sidechannel attacks not only affect the integrity, confidentiality, or availability of data but also trigger further attacks. Another open security challenge in the SDN framework is the security of stored credentials, such as certificates and keys. In the past, cross-virtual machine side-channel attacks occurred in cloud computing where malicious virtual machine identified a vulnerable virtual machine to extract secure information [139].

Configuration Issues
In order to detect network vulnerabilities, a number of security protocols and policies were developed. These policies and protocols were implemented on SDN planes for security purposes. If these security policies were implemented without understanding the security rules of the deployment scenario, there will be configuration issues.

Legality and Consistency of Flow Rules
Consistency and legality of flow rules is an incorrect or malicious flow rule injection at the data layer. In flow rules, consistency consists of three processes, i.e., generation process, the release process, and the update process [139]. The generation process overrides the flow rules by using multiple applications, whereas in the release process, malicious tampering or transmission delays cause the flow rules to be inconsistent between switches and controllers. Moreover, the update process originates the synchronization of flow rules among switches.

Data Leakage
A variety of possible actions in open flow switches has been described for packet handling including dropping, forwarding, and sending to the controller. An attacker analyzes the applied action of the specific packet through the timing analysis of packet processing. For example, the processing time of a redirected packet toward the controller will be longer when compared to a packet that is directly passed from an input port to an output port. Therefore, an attacker can discover the reactive/proactive configuration of the switch. After discovering the packet type, the attacker generates a fake or malicious flow request, which leads to a DoS attack [140].

Poor Deployment of the Controller
Network attacks overload the control layer by dominating it with malicious activities. Due to single points of failure and inefficiency in large-scale networks the researchers utilize multi-controller implementation schemes. However, in multi-controller implementation, the load of a failed controller is reassigned to another active controller [141]. Additionally, in a multi-controller scheme, the whole network is divided into multiple sub-networks, which leads to network privacy problems and consistency issues. An attacker hijacks the controller by using the admin station and rejects the user's legitimate request. However, attackers can use logical or physical methods to introduce severe attacks, which destroy the entire network. SDN security administrators can manage and configure the network using top-most layer applications, but this configuration introduces a new threat interface for unauthorized applications. Due to the centralized nature of the controller, SDN attacks will spread quickly to disrupt the entire network [142].

Fault and Power Analysis Attacks
A fault attack is the intentional manipulation of an integrated circuit with the objective of generating an attack within integrated circuits to push the device into an unintended state [143]. The objective of a fault attack is to access critical information and disable the internal mechanism of protection. However, power analysis is the form of a side-channel attack that enables the attacker to the consume power of a hardware device, which is cryptographic. Sun et al. [144] proposed the on-chip hybrid voltage scheme to enhance the cryptographic security of a circuit in order to overcome the power analysis attack by reducing the performance overhead. Furthermore, multiple fault detection architectures have been proposed for Ring-LWE by implementing FPGA [145][146][147] SDNs provide a dynamic security rule to define the security policy, implement the defined policy to network elements, and minimize the misconfiguration chances and policy conflicts. Due to the nature of global network visibility, multiple security systems, such as intrusion detection/prevention systems and firewalls, are implemented on specified traffic. In this section, we discussed the security measures, platforms, architectures, and proposed solutions for the application plane, control plane, and data plane. The identified security solutions from selected studies are shown in Figure 7.

Security Solutions on the Application Plane
In SDN architecture, the controller creates an intermediate layer among applications and network hardware to hide the complexity of the network from applications. The post-quantum cryptographic (PQC) method is one of the best solutions to secure communication devices in different technologies like IoT and SDN [147]. Post-quantum networking provides an advanced-level impact on communication networks for security and evaluates the existing protocols by performing the enhancement. Furthermore, it also evaluates the performance of PQ algorithms and overcomes through new designs [148][149][150][151][152]. Payless is an efficient, low cost, and flexible application-monitoring framework for SDN architecture [152]. The Payless framework is more efficient due to its proposed algorithm for flow statistics collection. The proposed algorithm uses a variable frequency technique for flow statistics collection to decrease the polling frequency for flows. This approach creates stability among network overheads and accuracy of statistics.
An open-flow security application framework FRESCO has been proposed to facilitate the modular composition of open flow-based security services [153]. The modular composition of this framework comes from challenges in security services, information deficiency, and attack response translation. FRESCO has the ability to reprogram the network infrastructure in order to secure the network from developing attacks. It has a scripting API that allows the developers to insert intrusion detection and monitoring algorithms, such as libraries. These algorithms can be integrated with other components to create more complex security applications. An intrusion detection system was proposed by Seeber et al. [154] to countermeasure the malicious traffic over the network. On the basis of required flow rules, SDN switches perform as lightweight intrusion detection systems. These switches collect information and report it to the controller for further analysis to detect malicious traffic. Nygren et al. [155] also proposed an architecture called anomaly-based intrusion, which is integrated as an open flow switch for malicious attack detection.
Moreover, a cloud-based solution is proposed for the detection and mitigation of DDoS attacks, which discussed alert generation and auto-correlation methods [156]. The Flover system was proposed for checking open flows, which authenticates whether flow policies are conflicting with the network's security policies [155]. This system is deployed as an open flow application on the controller to measure the consistency of new flow rules with an existing set of specified attributes. Further, the ndb framework acts as a debugging tool to detect the root causes of bugs in SDN architecture [157]. Another framework, OFRewind, traces the network anomalies by recording and replaying the selected traffic [158]. OFRewind and ndb frameworks can also be used to detect faulty applications that induce malicious security threats.
The proposed architectures, platforms, and frameworks discussed above help in improving and developing more security applications as well as providing robust security to the application plane from malicious attacks. However, the literature shows that there is only a very small effort being made to enhance the security of application data. Apart from this, there is no proper mechanism for a distinction between user applications, third-party applications, and network applications. Moreover, an accountability and access control mechanism for nested applications in SDNs has not yet been defined.

Security Solutions on Control Plane
In SDN architecture, applications obtain network resources and information through the control plane; therefore, the security of the control plane is highly recommended. Further, the control plane must be secure from faulty or malicious applications and ensure the access of legitimate applications with respect to their functional requirements. An extended version of the floodlight controller called the security-enhanced (SE) floodlight controller provides exceptional security on the control plane [159]. The SE-floodlight controller adds a secure northbound API into the controller, which acts as an arbitrator between the data plane and applications. The SE controller has introduced an open flow verification module for the application, which integrates the class modules to produce the flow rules. In the open flow standard, the controller installs unique rules for every client connection, which leads to the installation of a large number of flows in switches and a high load on the controller. Therefore, multiple solutions and techniques are suggested to reduce the load on the controller or enhance the memory and processing power of the controller. The McNettle controller has multiple central processing unit cores to support and scale the control algorithm [160]. McNettle can be enhanced by implementing a high-level programming language. However, to maximize the processing performance of the controller in order to achieve higher availability and scalability, parallelism has been proposed through multi-core processors [161]. Moreover, to provide the functionalities of the control plane to overlay heterogeneous, distributed networks, a DISCO solution has been presented [162]. It consists of two components, i.e., inter-domain and intra-domain. The inter-domain module manages the communication between controllers, which consists of agents and a messenger, whereas the intra-domain components enable the network monitoring for the controller to calculate paths of priority flows.
HyperFlow is a logically centralized and physically distributed control platform that enables network operators to implement multiple controllers [163]. HyperFlow has the capability of local decision making, which enhances control scalability and reduces the flow setup time. DDoS or DoS attacks can be alleviated by analyzing the flow behavior and statistics accumulated in open flow switches. Braga et al. [164] use three components, i.e., classifier, feature extractor, and flow collector. The flow controller collects flow entries from flow tables during fixed intervals. The fixture extractor component extracts those features that are necessary for DDoS attacks and forwards them to the classifier. Then, the classifier analyzes the extracted features by using SOM to classify traffic either normal traffic or malicious traffic [165].
The literature reviewed in this research has demonstrated that separation of the control plane and the data plane is not practical when it is essential to implement security services on a large scale and in cloud environments and datacenters due to specific shortcomings. Furthermore, all kinds of flows from switches must be forwarded to the controller in large-scale networks such as high-volume traffic that can cause a performance bottleneck. Additionally, multiple security applications, including a stateful firewall, requires historical network information in order to avoid communication overheads.

Security Solutions on Data Plane
In the data plane, malicious applications can install, modify, or change the flow rules in the data path; therefore, it must be protected from such malevolent applications. However, fine-grained mechanisms such as authorization and authentication are implemented to protect data from those applications that can modify or alter flow rules. FortNox is a platform that activates the NOX open flow controllers to evaluate the flow rule conflicts and authorize the applications [166]. FortNox provides security constraints through software extension and role-based authentication via digital signatures in a FortNox open flow controller. Moreover, the FlowChecker tool identifies inconsistencies in open flow rules inside the single switch or within data path elements [167]. FlowChecker is also deployed as a master controller or as an open flow application to analyze and validate the end-to-end configurations during run time. The VeriFlow tool is utilized to identify the faulty rules injected by malicious applications and to prevent the network from anomalous network behavior [25]. Further, the open flow protocol also provides the flexibility to configure the secondary connection along with the backup controller if the first controller fails. Zhang et al. [168] demonstrated that the length of the path between the controller and switch is directly proportional to the connectivity loss. Hence, the length of switches and controllers must be short enough to enhance the performance of the system, to improve the availability of content, and to make the security analysis fast. In addition, the SPHINX framework also detects known and unknown attacks on the data plane without assuming that forwarding devices are trusted or not [169]. It identifies and alleviates the attacks originating from malicious devices by isolating network operations with flow graphs and pre-defined security rules defined by the administrator.
Proper segmentation and network planning help to enhance the resilience of switches and increase the connectivity of controllers on the data plane. Different studies investigated whether the consistent connectivity among the controller and OpenFlow switch can protect the network from saturation attacks. Hence, this connectivity not only improves the performance of the system but also implements fast restoration and security analysis.

SDN Security Threat Model
The decoupling of data and control plane offers a defense solution to mitigate the multiple security threats via its programmability features. Still, there are many new security attacks that arise during the implementation of SDN. Furthermore, SDNs are frequently attacked due to their huge dependency on software/programs. Therefore, it jeopardizes the entire network system by making it easy for attackers to enter into the system. As we already discussed, SDNs are vertically divided into three planes, which are vulnerable to different security attacks, the most common of which are DDoS attacks. These vulnerabilities are discussed in classification Table 3. However, in this section, we propose a security model by identifying the location of typical security attack occurrences on SDN planes, as shown in Figure 8.

Attack Scenario on SDN Planes
The explanation of each security threat shown in Figure 8 is given below. In SDN architecture, the entire network is controlled via software and a centralized controller, which is the basis of multiple security challenges. The most common software-related security attacks that occur on the application plane are intrusion attacks, anomaly attacks, bugs, and malicious application injection. The reason behind these security threats is the lack of open APIs standards for applications to manage and control the network services and functionalities through the control plane [128,170]. Moreover, the applications that are deployed on this plane are developed by third parties that have the privilege of accessing and manipulating network resources [171]. Hence, in order to make the network secure, it is necessary to authenticate every request, which is very challenging due to the large number of applications.
Furthermore, the control plane is a highly targeted point for attackers due to its centralized control nature. Generally, the controller on this plane is responsible for the authentication of applications as well as the authorization of resources required for applications [135]. Therefore, it is necessary to separate the applications with respect to their se-

Attack Scenario on SDN Planes
The explanation of each security threat shown in Figure 8 is given below. In SDN architecture, the entire network is controlled via software and a centralized controller, which is the basis of multiple security challenges. The most common software-related security attacks that occur on the application plane are intrusion attacks, anomaly attacks, bugs, and malicious application injection. The reason behind these security threats is the lack of open APIs standards for applications to manage and control the network services and functionalities through the control plane [128,170]. Moreover, the applications that are deployed on this plane are developed by third parties that have the privilege of accessing and manipulating network resources [171]. Hence, in order to make the network secure, it is necessary to authenticate every request, which is very challenging due to the large number of applications.
Furthermore, the control plane is a highly targeted point for attackers due to its centralized control nature. Generally, the controller on this plane is responsible for the authentication of applications as well as the authorization of resources required for applications [135]. Therefore, it is necessary to separate the applications with respect to their security checks before allocating access to resources. To fulfill the responsibility of application authorization, there is a need for customized security checks. Such customization has not yet been developed [172]. Therefore, these applications introduce malicious threats to the control plane, for example anomaly and intrusion attacks. Additionally, the centralized controller also needs to implement the flow rules for all new flows in the data path.
In this way, the controller becomes a bottleneck due to a large number of new flows, which minimizes the controller scalability and maximizes the DoS/DDoS attacks [37]. The responsibility of network switches on the data plane is packet-forwarding, whereas rulemaking is performed on the control plane. Therefore, the identification of legitimate flow rules is the foremost security issue for the data plane. Every switch maintains the flow rules, but due to the limited memory, there are a large number of flows that lead to saturation attacks, for example buffer saturation.
Moreover, flow rules stay in the flow table for a specific length of time, which leads to the launch of DDoS attacks [173]. Due to this delay, the attacker sends multiple fake packets to the switch and the switch requests a new rule for every packet. In this way, new entries replace all old entries in the flow table and the memory becomes full of fake flow rules. Thus, legitimate entries are dropped due to space unavailability in the flow table. Furthermore, the switch also requests new flow rules for new traffic flow by using the packet-in message and receives a reply from the controller by using the packet-out message, which generates high traffic on the link and introduces link congestion. On the other hand, the virtual switch receives multiple packets with spoofed IPs and compels the virtual switch to forward packet-in messages, which overload the controller to generate packet-in flooding attacks. The defense solution for these attacks is shown in Figure 8 in the section below.

Search Strategy Proposed Security Solution against Attacks on SDN Planes
After reviewing and identifying the SDN security challenges on the application plane, control plane, and data plane in Section 2, we can see that SDN security challenges are not single-tier problems. Hence, the security issues in SDN architecture involve each plane of the entire system. Therefore, we need to propose a security solution that covers all aspects of security on each plane. In this regard, we proposed an ideal security model to mitigate these attacks. An overview of the proposed SDN security model is presented in Figure 8.

Solution against Attacks on the Application Plane
The application plane should set up a trusted network connection to achieve identity authentication on multiple components, i.e., platforms and terminals. After authentication verification, it evaluates the confidentiality level of the terminal platform. If evaluated results meet the security requirement, then it is acceptable for the terminal to access the network.

Solution against Attacks on the Control Plane
In SDN architecture, the controller receives the predefined network policies from logical functions, such as load balancer and automated security management, through the network management interface. Generally, the network management interface is an internal interface that may be more authenticated and trustable when compared to the northbound API. An automated security management function detects and mitigates the security attacks on the SDN controller. To provide security services at the control plane, a number of security components, such as the security policy component, the characteristics of defined policy components, the policy maker role component, packet scanning, and the detection component are implemented. The security policy component is configured to collect multiple policies from the application plane through the northbound interface and the network management interface. In order to confirm the security of received policies, these policies are verified through the authorization and authentication module of the SDN controller. The characteristic of the defined policy component is configured to evaluate whether the policy will be sent from the controller to switch or not.
The policymaker role component is designed to identify the role of the policymaker. Policymakers may be security administrators, general administrators, users, or agents. The packet scanning and detection component are configured to detect whether flows meet the conditions configured by applications or administrators. The flow table manager and traffic analyzer are configured to manage the searching, updating, adding, and deleting of the new traffic and flow entries from flow tables. The flow table manager and traffic analyzer investigate whether incoming flow entries are inserted correctly into flow tables. For example, the flow table manager identifies the conflict between old and new flow entries before inserting them into the flow table. If yes, then only new flow entries are allowed to replace the previous conflicting flow entries by following the policymaker's rules. In this way, the flow table stores flow entries for SDN switches.

Solution against Attacks on the Data Plane
In the data plane, it is necessary to implement an independently developed security processor for the encryption and decryption process. To ensure the confidentiality of data, we encrypt the data transmission method and utilize a hardware decoupling procedure to build a separate area in the memory. The utilized hardware consists of the secure device

Discussion
After an extensive review, we identified multiple research gaps and suggested future research directions by considering these research gaps.

Research Gaps
In order to secure SDN architecture, a number of security solutions have been proposed by researchers to secure the networks, but there are still many security challenges in SDNs that need to be addressed. In this section, we discussed the identified research gaps shown in Table 5.

Reference
Identified Gaps [14,16,18,19,48,49,51,52,58,62,64,74,76] After conducting a comprehensive review of SDN security issues, it has been demonstrated that most researchers provide security solutions for the control plane against DDoS attacks. Only a few studies presented security solutions for the data plane and application plane. Therefore, the provision of security solutions for other planes and SDN switches is an open research gap. [70] Although flow tables are easy to use to mitigate low-rate DoS attacks, they influence the effectiveness of those strategies, which are implemented to overcome low-rate DoS attacks. So, the efficient implementation of flow rules is a significant research gap.
[71] Khamaiseh et al. [71] identified saturation attacks by using supervised and unsupervised classifiers with a single controller. However, the approach is unrealistic for detecting known and unknown attacks for multiple controllers where the SDN environment is on a large scale. [75] Due to the continuous growth of SDNs, applications also grow rapidly, which puts increasing pressure on controllers. This leads to the development of load time as well as the CPU utilization of controllers. Therefore, a programmable switch is required to decrease the load of the controller and increase the throughput.

Reference
Identified Gaps [174,175] Many researchers implemented a single controller in their proposed solution. However, if the deployed controller is not stable or secure, this may lead to the failure of the entire network. To overcome this challenge, multi-controller implementation could be the best choice. [176] There are only a few studies in which flash event traffic is identified. Jiang et al. [176] identified this security threat by using a small network topology that consists of 11 hosts and making their proposed technique unrealistic.
[ [177][178][179] The information-based theory uses the predefined values of the threshold for anomaly detection. SDN is not yet implemented publicly; therefore, it is challenging to measure the behavior of the correct baseline. [180] Many researchers utilize virtual environments to authenticate their proposed defense approaches by using the Mninet emulator. This virtualization process drastically affects the results because the utilization of simulation tools with modeling of the internet is very complicated. To date, no solution has been proposed which represents internet behavior.
[ [181][182][183] Researchers embedded many security modules to increase the performance of SDN switches. Although these security solutions reduce the communication overhead between SDN planes and minimize the controller computation overheads, they increase the cost as well as the complexity of network devices. Hence, the implementation of efficient security solutions in switches to reduce communication overheads is a considerable research gap.
[184] Wang et al. [184] proposed an architecture by using multiple controllers to validate their proposed defense solution. Although the proposed solution enhances the performance of the network, the synchronization overheads of the controller are not considered. Therefore, efficient synchronization also an open research gap. [52,183] Many researchers used network traffic elements for DDoS attack detection in SDN and use open statistic techniques to collect network features, whereas the method of collection of network features by using open flow statistics increases the processing overheads for the control plane. Therefore, network statistics collection with minimal overheads is a challenging research gap. [56,185] The unavailability of benchmarked data to model the attack traffic and normal traffic is also another open research issue. However, experts use multiple traffic generator tools to represent normal traffic, but they are not productive. Hence, the prediction of an accurate baseline is also an open research gap in existing solutions. [64,80,81,[83][84][85]90,95,104,116] In many studies, a single virtual machine (VM) has been used to perform the experimental setup. However, results obtained from simulation or emulation environments will be different from real scenarios due to the limited availability of resources in a single VM. Although some researchers have implemented real switches, they have adopted small topologies to perform the experiment. Hence, real-time implementation to validate the research results is a challenging research gap. [67,69,70,74] In many studies, we investigated whether a local or an artificial traffic generator tool was used to generate normal traffic and attack. On the other hand, in some studies, a real dataset was used, containing only malevolent or malicious traffic and normal traffic was generated through other tools. These tools are not capable of generating traffic in real ways. So, testing with an actual dataset that contains malicious traffic is another considerable research gap. [75] There is a need to propose an efficient architecture or framework for the detection of network intrusion-detection systems by using complex deep learning algorithms. In this way, intruders will be easily detected on SDN planes by using intrusion-detection frameworks. There is a need to apply machine learning in a constrained scenario, and the use of multicast routing could be highly valuable. Moreover, it is necessary to consider network topologies, traffic patterns, and networking changes for future analysis.

Future Directions
Although a number of security solutions have been proposed to make SDN architecture more secure, but further extension of proposed solutions is possible. In this section, we recommended the directions for future work.
After presenting a detailed discussion on threats to SDNs' security in Section 4, we investigated whether the security problem in SDN is a single-tier problem. Security threats exist on each layer in SDN architecture; therefore, to perform research on each layer individually is far from enough. Hence, a perspective system is needed to make the entire network robust and secure.
The frequency of DDoS attacks in SDN architecture is at the top of all other security challenges. Therefore, it is highly recommended to develop a solution for DDoS attack detection and mitigation to minimize the overall overheads of a centralized controller.
Transport layer security (TLS) alleviates multiple security threats with mutual verification on the control switch. Therefore, TLS specification is mandatory between controllers and switches to secure transmitted data and links.
The integrity verification of software applications protects the network from malicious software attacks. Additionally, for integrity verifications, unambiguous malware detection approaches must also be developed. Moreover, malicious applications also introduce significant security risks. Hence, third-party applications must be scanned to protect the network from malicious code and other vulnerabilities. Thus, security solutions for third-party applications are an ongoing challenging research area.

Conclusions
A systematic review has been presented by providing a comprehensive discussion based on collected studies available in the field of SDN security and privacy issues. In this research, we highlighted the security issues of the application plane, control plane, and data plane of SDNs and presented a taxonomy of attacks. We also identified the causes of attacks on the basis of their impacts. Thereafter, we summarized the existing security solutions for these planes that were proposed by researchers. Based on the identified security issues and solutions, a collaborative security model was proposed. Then, we presented some ongoing security challenges and gaps on SDN planes. Lastly, we provided suggestions for future research that may be beneficial for researchers to mitigate security attacks on SDN layers. Such an extensive systematic review will surely help researchers and policymakers to provide more reliable and robust security solutions in SDNs.  Data Availability Statement: This is a review study; therefore, the data that support the findings of this study are available from the corresponding author upon reasonable request.