Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.3390/app13127210

2023-01-01

Applied Sciences

Abstract:Software-defined networking (SDN) enables dynamic management and flexible network control by employing reactive rule installation. Due to high power consumption and cost, current OpenFlow switches only support a limited number of flow rules, which is a major limitation for deploying massive fine-grained policies. This bottleneck can be exploited by attackers to launch saturation attacks to overflow the flow table. Moreover, flow table overflow can occur in the absence of malicious attackers. To cope with this, researchers have developed many proposals to relieve the load under benign conditions. Among them, the dynamic timeout mechanism is one of the most effective solutions. We notice that when the SDN controller adopts dynamic timeouts, existing flow table saturation attacks can fail, or even expose the attackers, due to inaccurate inferring results. In this paper, we extract the common features of dynamic timeout strategies and propose an advanced flow table saturation attack. We explore the definition of flow rule lifetime and use a timing-based side-channel to infer the timeout of flow rules. Moreover, we leverage the dynamic timeout mechanisms to proactively interfere with the decision of timeout values and perform an attack. We conduct extensive experiments in various settings to demonstrate its effectiveness. We also notice that some replacement strategies work differently when the controller assigns dynamic timeouts. The experiment results show that the attack can incur significant network performance degradation and carry out the attack in a stealthy manner.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Qi Li,Yanyu Chen,Patrick P. C. Lee,Mingwei Xu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2018.2853593

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) utilizes a centralized controller to distribute packet processing rules to network switches. However, rules are often generated by the applications developed by different organizations, so they may conflict with each other in data plane and lead to violations with security rules. The problem is similar to firewall conflicts in IP networks. Rule conflict resolution should incur negligible process delay, such that all rules can he correctly and safely enforced in the data plane in real time. However, since SDN allows users to use more than 35 fields to specify rules (including field transition rules), it is much more complicated to prevent enforcement of SDN rules from violating with security rules than to resolve firewall rule violation, and in particular, field transition rules are enforced. Therefore, it is extremely difficult to resolve such rule conflicts in real time before the rules are installed in SDN data plane. In this paper, we investigate the rule conflict problem in SDN and identify new covert channel attacks due to rule conflicts. To the end, we propose the covert channel defender (CCD) that prevents covert channel attacks by verifying and resolving rule conflicts. Specifically, CCD tracks all rule insertion and modification messages from applications running on the controller. It analyzes the correlation among rules based on multiple packet header fields and resolves any identified rule conflict in real time before rule installation. We implement CCD with the Floodlight controller and evaluate its performance with the real-world Stanford topology. We show that CCD can efficiently detect and prevent rule conflicts in the data plane that may raise covert channels within hundreds of microseconds and brings small overhead to the packet delivery.

Lei Wang,Qing Li,Yong Jiang,Yu Wang,Richard Sinnott,Jianping Wu

DOI: https://doi.org/10.1016/j.comnet.2018.07.027

IF: 5.493

2018-01-01

Computer Networks

Abstract:Software Defined Networking (SDN) enables network innovation and brings flexibility by separation of the control and data planes and logically centralized control. However, this network paradigm complicates flow rule management. Current approaches generally install rules reactively after table misses or pre-installs them by flow prediction. Such approaches consume nontrivial network resources during interactions between the controller and switches (especially for maintaining consistency). In this paper, we explore an intelligent rule management scheme (IRMS), which extends the one-big-switch model and employs a hybrid rule management approach. To achieve this, we first transform all rules into path-based and node-based rules. Path-based rules are pre-installed whilst the paths for flows are selected at the edge switches of the network. To maintain consistency of forwarding paths, we update path-based rules as a whole and employ a lazy update policy. Node-based rules are optimally partitioned into disjoint chunks by an intelligent partition algorithm and organized hierarchically in the flow table. In this way, we significantly reduce the interaction cost between the control and data planes. This scheme enforces an efficient sliding window policy to enhance the hit rate for the installed chunks. We evaluate our scheme by comprehensive experiments. The results show that IRMS reduces the total flow entries by more than 71% on average and the update time by over 56%. IRMS also reduces the flow setup requests by more than one order of magnitude.

Qing Li,Kun Zhao,Yong Jiang,Mingwei Xu,Shu-Tao Xia

DOI: https://doi.org/10.1016/j.comnet.2015.09.025

IF: 5.493

2015-01-01

Computer Networks

Abstract:In Software Defined Networks (SDN), the configuration inconsistency during updates is one main source of network instability. Even if the validity of the initial and final configurations is guaranteed, the interim complex and inconstant network states might cause routing conflicts and transmission disruption. Therefore, an efficient updating scheme with configuration consistency is required. Current schemes well guarantee the packet-level consistent update, but perform poorly for the flow-level case. In this paper, we present a Smart Approach of Rule Division (SARD) for fast flow-level consistent update in SDN. We first provide a simplified mathematical model of the network. Based on this model, we then propose SARD to guarantee the flow-level consistency during configuration updates. In SARD, the controller (1) collects the information of existing flows; (2) computes K optimal prefixes covering these flows, meanwhile with the minimized space; (3) installs the new rule and K old sub-rules with lower and higher priorities respectively. SARD preserves the flow-level consistent property and accelerates the process of configuration update in SDN. We evaluate the performance of SARD by comprehensive experiments. The results show that our scheme reduces the transition time to about 10% of the current method of periodical direct division.

Kai Bu,Minyu Weng,Junze Bao,Zhenchao Lin,Zhikui Xu

DOI: https://doi.org/10.1109/icdcsw.2016.16

2016-01-01

Abstract:This paper explores a RIGHT framework for reliable policy enforcement in Software-Defined Networking (SDN). Current SDN uses overlapping rules with common matching packets. Even if a packet's expectant rule is inactive, it might hit another rule and experience incorrect yet unnoticed processing. This leads to inconsistency between control plane and data plane, that is, unreliable policy enforcement. RIGHT advocates three adaptations to respectively mitigate, detect, and correct packet processing errors. It is challenging for RIGHT to maintain both accuracy and efficiency. We explore lightweight modifications to current SDN policy enforcement toward better reliability. For example, we decouple rules and priorities through tagging to mitigate matching ambiguity. We also use exact-match rules to efficiently, correctly process packets in the same micro-flow. RIGHT can remedy mis-forwarded packets as well. We expect that a comprehensive design and deployment of RIGHT helps ensure correct per-packet processing in real time for SDN.

Deze Zeng,Lin Gu,Shengli Pan,Song Guo

DOI: https://doi.org/10.1007/978-3-030-32942-6_4

2020-01-01

Abstract:Software defined network (SDN) is a newly emerging network architecture with the core concept of separating the control plane and data plane. Centralized controller is introduced to manage and configure network equipments to realize flexible control of network traffic and provide a good platform for application-oriented network innovation. It thus be able to improve network resource utilization, simplify network management, reduce operating cost, and promote innovation and evolution. Routing is always a major concern in network management. When SDN devices (e.g., OpenFlow switches) are introduced, routing becomes different. The flow table is usually implemented in expensive and power-hungry Ternary Content Addressable Memory (TCAM), which is thus capacity-limited. How to optimize the network performance in the consideration of limited TCAM capacity is therefore significant. For example, multi-path routing (MPR) has been widely regarded as a promising method to promote the network performance. But MPR is at the expense of additional forwarding rule, imposing burden on the limited flow table. On the other hand, a logical centralized programmable controller manages the whole SDN by installing rules onto switches. It is widely regarded that one controller is restricted on both performance and scalability. To address these limitations, pioneering researchers advocate deploying multiple controllers in SDNs where each controller is in charge of a set of switches. This raises the switch-controller association problem on a switch shall be managed by which controller. In this chapter, we first investigate how to schedule MPR with joint consideration of forwarding rule placement. Then, we study a minimum cost switch-controller association (MC-SCA) problem on how to minimize the number of controllers needed in an SDN while guaranteeing the flow setup time.

Dezhang Kong,Xiang Chen,Chunming Wu,Yi Shen,Zhengyan Zhou,Qiumei Cheng,Xuan Liu,Mingliang Yang,Yubing Qiu,Dong Zhang,Muhammad Khurram Khan

DOI: https://doi.org/10.1109/tifs.2024.3472477

IF: 7.231

2024-10-15

IEEE Transactions on Information Forensics and Security

Abstract:The flow table is a critical component of Software-Defined Networking (SDN). However, flow tables' limited capacity makes them highly vulnerable to flow table overflow attacks (FTOAs). Due to the low attack cost and highly flexible attack forms, it is hard to eradicate FTOAs. This paper addresses three unsolved problems for table security and proposes a robust defense accordingly. First, we reveal that the existing defenses with fixed defense speeds will cause severe packet loss when handling diverse traffic. We prove that deleting multiple rules can efficiently solve this problem and give a rigorous derivation to calculate the suitable deletion number according to the environment. Second, we illustrate that abnormal table occupancy squeezing is a constant characteristic of FTOAs regardless of attack forms. It can be used to identify attacked ports accurately in different scenarios. Third, we mathematically prove that random deletion can guarantee the continuous decrease of malicious flow rules after confirming attacked ports. It achieves fast speed and robust effectiveness in different environments. Based on these findings, we design rDefender, a robust and lightweight defense prototype. We evaluate its effect by designing diverse, powerful attacks and using real-world datasets and topology. The results demonstrate that it achieves the best overall performance compared to six existing mainstream defenses, providing stable security for switch flow tables.

computer science, theory & methods,engineering, electrical & electronic

Huawei Huang,Peng Li,Song Guo,Baoliu Ye

DOI: https://doi.org/10.1109/iwqos.2014.6914313

2014-01-01

Abstract:Software-Defined Network (SDN) is a promising network paradigm that separates the control plane and data plane in the network. It has shown great advantages in simplifying network management such that new functions can be easily supported without physical access to the network switches. However, Ternary Content Addressable Memory (TCAM), as a critical hardware storing rules for high-speed packet processing in SDN-enabled devices, can be supplied to each device with very limited quantity because it is expensive and energy-consuming. To efficiently use TCAM resources, we propose a rule multiplexing scheme, in which the same set of rules deployed on each node apply to the whole flow of a session going through but towards different paths. Based on this scheme, we study the rule placement problem with the objective of minimizing rule space occupation for multiple unicast sessions under QoS constraints. We formulate the optimization problem jointly considering routing engineering and rule placement under both existing and our rule multiplexing schemes. Finally, extensive simulations are conducted to show that our proposals significantly outperform existing solutions.

Yu-Fan Liu,Kate Ching-Ju Lin,Chien-Chao Tseng

DOI: https://doi.org/10.1109/tsc.2019.2943852

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:Software-defined network (SDN) allows traffic engineering and flow management by decoupling the control and data planes. SDN has attracted a lot of attention recently because of its centralized control, flow programmability and flexible resource management. However, to support centralized control, flow programmability and flexible resource management, most of the advanced SDN designs require per-flow management, which would easily make the flow table of a software switch overflow and incur undesired processing overhead when a network scales up. To overcome such huge traffic demands, we propose a cluster-based macro-flow management framework to balance the trade-off between customized services and management costs. The key idea of our design is to group similar flows into a cluster and replace per-flow management with per-cluster management. To achieve this goal, we cluster flows with consideration of the similarity of their traffic patterns. To adapt to varying traffic load, we further propose a hierarchical cluster merging scheme to dynamically merge clusters and make the best tradeoff between flow entry saving and routing performance guarantee. Our evaluation demonstrates that the proposed cluster-based flow management framework can significantly reduce the flow table usage, while producing minimum negative impact on routing performance.

computer science, information systems, software engineering

Kai Bu,Xitao Wen,Bo Yang,Yan Chen,Li Erran Li,Xiaolin Chen

DOI: https://doi.org/10.1109/infocom.2016.7524333

2016-01-01

Abstract:Software-Defined Networking (SDN) promises un-precedentedly flexible network management but it is susceptible to forwarding faults. Such faults originate from data-plane rules with missing faults and priority faults. Yet existing fault detection ignores priority faults because they are not discovered on commercial switches until recently. In this paper, we present RuleScope, a more comprehensive solution for inspecting SDN forwarding. RuleScope offers a series of accurate and efficient algorithms for detecting and troubleshooting rule faults. They inspect forwarding behavior using customized probe packets to exercise data-plane rules. The detection algorithm exposes not only missing faults but also priority faults. Beyond simply detecting rule faults, the troubleshooting algorithms uncover actual data-plane flow tables. They help track real-time forwarding status and benefit reliable network monitoring. We explore various techniques for enhancing algorithm efficiency without sacrificing inspection accuracy. Experiments with our prototype on the Ryu SDN controller and Pica8 P-3297 switch show that RuleScope achieves accurate and efficient forwarding inspection with limited bandwidth and packet-switching overhead.

Rui Li,Yu Pang,Jin Zhao,Xin Wang

DOI: https://doi.org/10.1145/3337821.3337896

2019-01-01

Abstract:Software Defined Networking (SDN) enables flexible flow control by deploying fine-grained rules in OpenFlow switches. Modern commodity switches usually use TCAM to store these rules and perform high-speed parallel lookups. Though efficient, the TCAM capacity is limited because TCAM is expensive in cost and power-hungry. The explosive growth in the number of rules has exacerbated the limitation of TCAM. There have been considerable efforts in implementing hybrid flow tables with both TCAM and RAM, where the high-speed TCAM is regarded as a cache to store the most popular rules and the cheap RAM is used to handle cache miss. The primary challenges for designing hybrid TCAM/RAM flow tables lie in how to improve cache hit rate and how to handle wildcard rule dependency when allocating rules between TCAM and RAM.

Xianfeng Li,Haoran Sun,Yan Huang

DOI: https://doi.org/10.1007/s10922-024-09824-w

2024-06-19

Journal of Network and Systems Management

Abstract:Software-defined networks (SDN) rely on flow tables to forward packets from different flows with different policies. To speed up packet forwarding, the rules in the flow table should reside in the forwarding plane as much as possible to reduce the chances of consulting the SDN controller, which is a slow process. The rules are usually cached in the forwarding plane with a Ternary Content Addressable Memory (TCAM) device. However, a TCAM has limited capacity, because it is expensive and power-hungry. As a result, wise caching of a subset of flow rules in TCAM is needed. In this paper, we address two related issues that affect caching efficiency: rules to be cached and rules to be replaced . For the first issue, caching an active rule hit by a flow may need to cache inactive rules due to rule dependency. We propose a two-stage caching architecture called CRAFT, which reduces inactive rules in cache by cutting down long dependent chains and by partitioning rules with massive dependent rules into non-overlapping sub-rules. For the second issue, unawareness of the flow traffic characteristics may evict heavy hitters instead of mice flows. We propose RRTC to address this issue, which is a rule replacement policy taking the real-time network traffic characteristics into consideration. By recognizing the heavy hitters and protecting their matching rules in TCAM, RRTC performs better than least recently used(LRU) policy in terms of cache hit ratio. Simulation results show that our combined rule caching and replacement framework outperforms previous work considerably.

computer science, information systems,telecommunications

Kun Zhao,Qing Li,Yong Jiang

DOI: https://doi.org/10.1109/glocom.2014.7037083

2014-01-01

Abstract:In Software Defined Networks (SDN), the configuration inconsistency during updates is one main source of network instability. Even if the validity of the initial and final configurations is guaranteed, the interim complex and inconstant network states might cause routing conflicts and transmission disruption. Therefore, an efficient updating scheme of configuration consistency is required. Current schemes solve the problem of packet-level configuration consistency very well, but perform poorly for flow-level configuration consistency. In this paper, we provide a new scheme to guarantee flow-level consistency during configuration updates in SDN. In our scheme, the controller 1) collects the existing flow information; 2) computes K optimal prefixes covering the existing flows; 3) installs the new rule and K old sub-rules with lower and higher priorities respectively. We design the K-prefix covering algorithm by dynamic programming, which computes the K optimal prefixes with the minimum covering space. Therefore, the new rules will be activated for the maximum space. We evaluate our scheme and algorithm by comprehensive experiments. The results show that our scheme reduces the transition time to 10% of the current periodical direct division scheme.

Jiahao Cao,Renjie Xie,Kun Sun,Qi Li,Guofei Gu,Mingwei Xu

DOI: https://doi.org/10.14722/ndss.2020.23040

2020-01-01

Abstract:Software-Defined Networking (SDN) greatly meets the need in industry for programmable, agile, and dynamic networks by deploying diversified SDN applications on a centralized controller. However, SDN application ecosystem inevitably introduces new security threats since compromised or malicious applications can significantly disrupt network operations. Thus, a number of effective security enhancement systems have been developed to defend against potential attacks from SDN applications. In this paper, we identify a new vulnerability on flow rule installation in SDN, namely, buffered packet hijacking, which can be exploited by malicious applications to launch effective attacks bypassing all existing defense systems. The root cause of this vulnerability lies in that SDN systems do not check the inconsistency between buffer IDs and match fields when an application attempts to install flow rules. Thus, a malicious application can manipulate buffer IDs to hijack buffered packets even though they do not match any installed flow rules. We design effective attacks exploiting this vulnerability to disrupt all three SDN layers, i.e., application layer, data plane layer, and control layer. First, by modifying buffered packets and resending them to controllers, a malicious application can poison other applications. Second, by manipulating forwarding behaviors of buffered packets, a malicious application can not only disrupt TCP connections of flows but also make flows bypass network security policies. Third, by copying massive buffered packets to controllers, a malicious application can saturate the bandwidth of SDN control channels and their computing resources. We demonstrate the feasibility and effectiveness of these attacks with both theoretical analysis and experiments in a real SDN testbed. Finally, we develop a lightweight defense system that can be readily deployed in existing SDN controllers as a patch.

Zehua Guo,Yang Xu,Ruoyan Liu,Andrey Gushchin,Kuan-yin Chen,Anwar Walid,H. Jonathan Chao

DOI: https://doi.org/10.1016/j.future.2018.06.011

2018-01-01

Abstract:Software-Defined Networking (SDN) employs a centralized control with a global network view and provides great opportunities to improve network performance. However, due to the limitation of flow-table space at the switches and unbalanced traffic allocation on links, an SDN may suffer from flow-table overflow and inefficient bandwidth allocation among flows, increasing the controller’s burden and degrading network performance. In this paper, we present a dynamic routing scheme named DIFF that differentiates flows based on their impact on network resource and adaptively selects routing paths for them to mitigate the problems of flow-table overflow and inefficient bandwidth allocation. DIFF pre-generates a set of paths for each pair of source–destination edge switches and intelligently selects the paths from the pre-generated path-sets for new flows with an objective to balance flow-table utilizations. It adaptively reroutes some elephant flows to achieve maximum throughput under the rule of max–min fair bandwidth allocation. Simulation results show that DIFF simultaneously balances the flow-table and link utilizations, reduces the controller’s workload and packet delay, while increasing network throughput, compared with baseline schemes.

Jiaqi Zheng,Bo Li,Chen Tian,Klaus-Tycho Foerster,Stefan Schmid,Guihai Chen,Jie Wu,Rui Li

DOI: https://doi.org/10.1109/JSAC.2019.2906741

IF: 16.4

2019-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Software-Defined Networks (SDNs) introduce great flexibilities in how packet routes can be defined and changed over time, and enable a more fine-grained and adaptive traffic engineering. The recently introduced support for more accurate synchronization in SDNs further improves the degree of control an operator can have over the packets’ forwarding paths, and also allows to avoid disruptions and inconsistencies during network updates, i.e., during the rerouting of flows. However, how to optimally exploit such technology <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">algorithmically</italic> — to efficiently schedule the update of multiple flows in such timed SDNs — while accounting for possible interference and congestion, is not well-understood today. We, in this paper, initiate the study of the fundamental problem of how to reroute the updates of <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">multiple</italic> network flows in a synchronized SDN in a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">congestion-free</italic> manner. We rigorously prove that the problem is NP-hard for flows of unit size and network links with unit delay. We also show that a greedy approach to update the network can delay the update significantly. Our main contribution is the first solution to this problem: Chronicle. Our approach is based on time-extended network construction and the resource dependency graph, which is implemented by Openflow 1.5 using the <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">scheduled bundles feature</italic> . The evaluation results show that Chronicle can reduce the makespan by 63% and reduce the number of changed rules by 50% compared to state-of-the-art.

Chao Qi,Jiangxing Wu,Hongchao Hu,Guozhen Cheng,Wenyan Liu,Jianjian Ai,Chao Yang

DOI: https://doi.org/10.1109/INFCOMW.2016.7562109

2016-01-01

Abstract:Modifying flow rule attack is a type of attack against controllers in SDN, leading to severe influence on network. In this paper, we propose Mcad-SA, an aware decision-making security architecture with multi-controller, to deal with it. It schedules the controllers in a dynamic and random way and adopts the vote results from the majority of controllers to determine valid flow rules. Theory analysis proves its validity.