ProvGuard: Detecting SDN Control Policy Manipulation via Contextual Semantics of Provenance Graphs
Ziwen Liu
Network and Distributed System Security (NDSS) Symposium 2025 · Day 2 · Network Security 2
This article covers "ProvGuard," a novel system designed to detect subtle control policy manipulation (CPM) in Software-Defined Networks (SDN). Presented by Ziwen Liu at the NDSS Symposium, the work takes a system-centric approach that uses **provenance graphs** and **contextual semantics** to monitor SDN controllers. The talk highlights a critical gap in existing SDN security mechanisms: SDN's flexibility offers significant advantages, but it also gives attackers new ways to manipulate network behavior that traditional policy verification or anomaly detection systems often miss.
AI review
Legitimate academic systems-security work applied to an underserved problem — SDN controller-internal attack detection via provenance graphs. The core idea is sound and the contribution is real, but the scope is narrow (single controller, simulated environment), the overhead numbers are uncomfortable, and the threat model leans heavily on a world where attackers already have meaningful controller-adjacent access.