Author: 陳易煒 (Yi-Wei Chen)
Thesis title: 基於預防系統提權之軟體定義網路安全架構 / A New Security SDN Architecture Base On Privilege Escalation Defense
Advisors: 鄧惟中 (Wei-Chung Teng), 沈上翔 (Shan-Hsiang Shen)
Committee: 鄧惟中 (Wei-Chung Teng), 沈上翔 (Shan-Hsiang Shen), 黃琴雅 (Chin-Ya Huang)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2020
Academic year of graduation: 108
Language: English
Pages: 41
Chinese keywords: 軟體定義網路 (software-defined network), 網路安全 (network security)
Keywords: software-defined network, network security, SDN
Statistics: 180 views, 0 downloads

Abstract: Software-defined networking (SDN) is a network architecture introduced in recent years. Because it provides a flexible, low-cost network environment, the SDN market has been expanding steadily: more and more companies deploy their internal networks as virtualized networks, and some develop the technology into commercial products. As its user base has grown the technology has become important, and its security problems have surfaced along with it: a growing number of attacks against SDN have been devised, and many papers on SDN security have been published. In this thesis we aim to protect the SDN environment as fully as possible, and therefore propose a new security architecture for the application layer and the control layer. The architecture greatly reduces the threat from malicious applications by restricting the operation permissions of the application layer, and prevents the core of the SDN (the controller) from being maliciously taken over by detecting illegal system privilege escalation in the control layer. The proposed architecture not only defends against threats from the application layer but also detects malicious privilege escalation in real time, while ensuring that the protection mechanism does not degrade system performance.
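As an added illustration of what "detecting illegal system privilege escalation in the control layer" can look like from userspace (this is example code written for this page, not the thesis's own detector, which is not reproduced here): the block below diffs successive `/proc/<pid>/status` snapshots of a controller process and raises an alert when its effective UID becomes 0 or when a watched Linux capability newly appears in `CapEff`. The process name `sdn-controller`, the PID 4242, the set of watched capabilities and the two status snapshots are all constructed assumptions.

```python
"""Added example: userspace privilege-escalation monitor for an SDN controller
process, driven by /proc/<pid>/status snapshots. Not the thesis's own code;
the process name, PID, capability set and snapshots below are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Linux capability bit positions (from <linux/capability.h>) whose appearance
# in CapEff is treated as a privilege gain. Which ones to watch is an
# assumption of this example, not a claim about the thesis.
WATCHED_CAPS = {
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_ADMIN": 21,
}


@dataclass(frozen=True)
class ProcSnapshot:
    pid: int
    name: str
    ruid: int     # real UID
    euid: int     # effective UID
    cap_eff: int  # effective capability bitmask


def parse_status(pid: int, text: str) -> ProcSnapshot:
    """Extract Name, Uid and CapEff from a /proc/<pid>/status dump.

    Uid lists "real effective saved filesystem"; CapEff is a hex bitmask.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    uids = fields["Uid"].split()
    return ProcSnapshot(
        pid=pid,
        name=fields["Name"],
        ruid=int(uids[0]),
        euid=int(uids[1]),
        cap_eff=int(fields["CapEff"], 16),
    )


def escalation_alerts(before: ProcSnapshot, after: ProcSnapshot) -> List[str]:
    """Compare two snapshots of the same process and describe privilege gains."""
    alerts: List[str] = []
    if before.euid != 0 and after.euid == 0:
        alerts.append(f"pid {after.pid} ({after.name}): euid {before.euid} -> 0")
    gained = after.cap_eff & ~before.cap_eff  # bits set now but not before
    for cap, bit in WATCHED_CAPS.items():
        if gained & (1 << bit):
            alerts.append(f"pid {after.pid} ({after.name}): gained {cap}")
    return alerts


def monitor(snapshots: List[str], pid: int) -> List[str]:
    """Run the detector over a time-ordered series of status dumps."""
    parsed = [parse_status(pid, s) for s in snapshots]
    alerts: List[str] = []
    for prev, cur in zip(parsed, parsed[1:]):
        alerts.extend(escalation_alerts(prev, cur))
    return alerts


# Constructed snapshots (not captured from a real controller): the controller
# starts as an unprivileged user, then its effective UID and capabilities
# change as they would after a successful setuid(0)-style escalation.
CONTROLLER_PID = 4242
BASELINE = (
    "Name:\tsdn-controller\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000000000\n"
)
ESCALATED = (
    "Name:\tsdn-controller\n"
    "Uid:\t1000\t0\t0\t0\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000003fffffffff\n"
)

if __name__ == "__main__":
    for alert in monitor([BASELINE, ESCALATED], CONTROLLER_PID):
        print("ALERT:", alert)
```

On a live host the same functions would be fed by reading `/proc/<pid>/status` on a timer. The caveat with any polling detector is that an escalation and a subsequent clean-up can both happen between two polls; that gap is why the thesis's table of contents pairs a file-system-based detector with one that hooks kernel functions.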

Table of contents (page numbers refer to the thesis):
Chinese abstract ... i
Abstract ... ii
Acknowledgment ... iii
Table of contents ... iv
List of Tables ... vi
List of Figures ... vii
1 Introduction ... 1
2 Related Work ... 3
  2.1 Attacks between control layer and application layer ... 3
  2.2 Attacks between control layer and infrastructure layer ... 5
  2.3 Attack control layer ... 6
3 Architecture Design ... 10
  3.1 Detection privilege escalation ... 10
    3.1.1 Detect By FILE System ... 12
    3.1.2 Detect By Hooking Kernel Functions ... 12
  3.2 Final Architecture ... 16
    3.2.1 Application Layer Protection ... 16
    3.2.2 Control Layer Protection ... 17
    3.2.3 Complete Protection Process ... 18
4 Evaluation ... 23
  4.1 FILE System ... 23
  4.2 Hooking System ... 24
5 Conclusion ... 27
  5.1 Future Work ... 27
References ... 29


Full text available from 2025/07/29 (campus network)
Full text available from 2025/07/29 (off-campus network)
Full text available from 2025/07/29 (National Central Library: Taiwan theses and dissertations system)