134 SDN Analytics Architecture

In 60 Seconds

SDN analytics architecture has seven layers from data collection (switch counters) through processing (time-series, statistical, graph analysis) to automated action (flow rule updates). Four-stage pipelines handle collection (1-30s polling intervals), correlation (multi-source fusion), detection (threshold and ML-based), and response (automated or operator-approved). Time-series analysis of traffic patterns enables predictive capacity planning with 24-hour forecast windows.

134.1 Learning Objectives

By the end of this chapter, you will be able to:

Differentiate SDN Analytics Layers: Identify the seven layers of SDN analytics architecture and justify each layer’s function within the ecosystem
Trace Analytics Data Flow: Map the path data takes from switches through controller to automated actions
Classify Key Metrics: Categorize traffic, performance, security, topology, energy, and application metrics collected by SDN
Construct Analytics Pipelines: Design four-stage processing workflows from collection to action for a given IoT scenario
Select Traffic Analysis Methods: Evaluate and apply time-series, statistical, graph, and signature-based analysis techniques to specific network problems

134.2 Prerequisites

Before diving into this chapter, you should be familiar with:

SDN Fundamentals and OpenFlow: Understanding the control and data plane separation, OpenFlow protocol, and flow table structure is essential for implementing analytics features
Networking Basics: Knowledge of network protocols, packet headers, and routing fundamentals provides the foundation for traffic analysis

For Beginners: Software-Defined Networking (SDN)

Imagine if you could reprogram your home’s wiring on the fly - turning a light switch into a thermostat control, or routing water pipes differently based on usage patterns. That’s what SDN does for networks. Instead of each network switch making independent decisions (like traditional networking), SDN has a central “controller brain” that programs all switches dynamically.

Everyday Analogy: Traditional networking is like a city where each traffic light operates independently based on timers. SDN is like having a smart city control center that monitors all traffic cameras in real-time and adjusts every traffic light dynamically to prevent jams. When an accident happens, the controller instantly reroutes traffic through alternative routes by reprogramming the lights.

Term	Simple Explanation
SDN Controller	The “brain” that manages all network switches centrally, like air traffic control
Flow Table	Rules telling a switch what to do with different types of traffic
Data Plane	The actual movement of packets through switches (the workers)
Control Plane	The decision-making about where packets should go (the manager)
Network Slicing	Creating multiple virtual networks on the same physical infrastructure
Traffic Engineering	Optimizing how data flows through the network to avoid congestion

Why This Matters for IoT: IoT generates diverse traffic - a fire alarm needs instant delivery, while a temperature log can wait. SDN lets you prioritize critical IoT traffic, block suspicious devices instantly, and optimize routes based on real-time conditions.

Common Misconception: “SDN Controllers Can Monitor Every Packet in Real-Time”

The Misconception: Many believe SDN’s centralized control means the controller inspects every packet flowing through the network, providing perfect visibility with zero overhead.

The Reality: SDN controllers monitor flow-level statistics aggregated by switches, NOT individual packets. Controllers poll switches every 15-30 seconds (not real-time), and switches provide counters (packets, bytes, duration) rather than packet contents.

Real-World Example: In a 1000-device smart factory deployment at Bosch, the SDN controller collected statistics from 250 switches managing 50,000 active flows:

Polling interval: 20 seconds per switch
Controller load: ~12,500 statistics messages/second during collection windows
Detection latency: 20-40 seconds (1-2 polling cycles) for anomalies
Visibility: Flow-level metadata only; deep packet inspection requires separate IDS/IPS appliances

Design Implication: Plan analytics with 30-60 second detection latency, use sampling for very high flow counts (>100k), and redirect suspicious traffic to IDS for deep inspection rather than overloading the controller.

134.3 Analytics Ecosystem Overview

Understanding Control Plane Separation

Core Concept: Control plane separation moves the “brain” of the network (routing decisions, policy enforcement) out of individual switches into a centralized controller, leaving switches to perform only fast packet forwarding based on controller-provided rules. Why It Matters: In traditional networks, each router independently runs complex routing protocols (OSPF, BGP) to make forwarding decisions - this distributed intelligence makes network-wide changes slow, error-prone, and difficult to coordinate. With separation, the controller has a global view of all traffic, topology, and device states, enabling optimal routing decisions that individual devices could never make alone. Key Takeaway: The controller handles slow-path decisions (new flows, policy changes, topology updates) while switches handle fast-path forwarding at line rate - understand this division to avoid overloading the controller with data plane traffic.

SDN analytics transforms network management from reactive troubleshooting to proactive optimization by leveraging centralized visibility and programmable control planes.

SDN Analytics Ecosystem showing seven interconnected layers: Data Plane with OpenFlow switches forwarding packets, Control Plane with SDN controller managing flows, Analytics Layer performing anomaly detection, traffic engineering, predictive maintenance, and security monitoring, Applications Layer implementing DDoS mitigation, QoS optimization, energy management, and device profiling, Data Storage containing time-series database with flow history and baselines and ML models, Visualization Layer with dashboards alerts reports and graphs, and External Systems including SIEM, IDS/IPS, network monitors, and ticket systems; data flows from switches via 15-30 second statistics polls to controller to analytics layer which uses historical baselines from storage to drive applications that install flow rules back to controller, with analytics feeding visualization and integrating with external systems — Figure 134.1: SDN Analytics Ecosystem: Seven-Layer Network Intelligence Architecture

The SDN analytics ecosystem consists of multiple integrated layers working together to provide comprehensive network intelligence:

Data Plane: OpenFlow switches collect flow-level statistics and forward packets according to installed rules
Control Plane: SDN controller maintains network topology, manages flow tables, and provides API access to network state
Analytics Layer: Core intelligence performing real-time analysis, anomaly detection, and predictive modeling
Applications: Domain-specific functions leveraging analytics insights to implement automated responses
Storage: Persistent time-series databases maintaining historical baselines and trained ML models
Visualization: Human-friendly dashboards and reporting for network operators
External Integration: Connections to enterprise security and monitoring infrastructure

134.4 Analytics Data Flow

SDN Analytics Data Flow showing OpenFlow switches in data plane sending statistics via collection layer to SDN controller in control plane, processing layer performing aggregation and feature extraction, analytics engine applying anomaly detection and ML models while comparing against time-series storage baselines, triggering automated actions like flow rule installation, rate limiting, and traffic redirection back to switches — Figure 134.2: SDN Analytics Data Flow: Statistics Collection to Automated Response

SDN analytics creates a comprehensive monitoring and optimization ecosystem by collecting data from the network infrastructure, applying machine learning models, and automating responses through programmable flow rules.

134.5 Key Analytics Metrics

SDN provides rich telemetry data that enables sophisticated network analysis:

Metric Category	Specific Metrics	IoT Relevance	Collection Method
Traffic	Bytes, packets, flows, bandwidth	Device activity monitoring, usage patterns	OpenFlow statistics (per-flow, per-port)
Performance	Latency, jitter, packet loss, throughput	QoS for real-time IoT applications	Active probing, timestamp analysis
Security	Anomalies, DDoS patterns, scan attempts	IoT botnet detection, device compromise	Flow pattern analysis, rate monitoring
Topology	Link utilization, path diversity, failures	Network optimization, resilience	LLDP, switch connectivity queries
Energy	Power consumption, battery levels (SD-WSN)	Sensor network lifetime optimization	Custom TLVs, application reporting
Application	Protocol distribution, QoS violations	Service-level monitoring, SLA compliance	Deep packet inspection, flow matching

SDN orchestration architecture showing how multiple controllers coordinate across domains with east-west interfaces for controller federation and north-south interfaces connecting applications to infrastructure — SDN Orchestration Architecture

134.6 Analytics Pipeline Architecture

SDN Analytics Pipeline showing four stages: 1) Data Collection with 15-30 second poll intervals, 2) Processing for aggregation and normalization and feature extraction, 3) Analysis applying rule-based thresholds, ML models, and correlation, 4) Action including logging, alerts, and automated flow rule installation, with feedback loop from Action back to Collection — Figure 134.4: SDN Analytics Pipeline: Four-Stage Processing from Collection to Action

Pipeline Stages:

Data Collection: Gather metrics from switches using OpenFlow statistics messages, with configurable polling intervals or event-driven triggers
Processing: Aggregate data over time windows, normalize features, and extract statistical metrics (mean, variance, percentiles)
Analysis: Apply rule-based thresholds, machine learning models for anomaly detection, and correlate multiple signals
Action: Log events, generate alerts, or automatically install flow rules to mitigate detected issues

134.7 Traffic Analysis Methods

SDN controllers can perform sophisticated traffic analysis using centralized visibility:

Traffic Analysis Methods diagram showing network traffic data analyzed by four parallel methods: Time-Series Analysis for trends, seasonality, and forecasting; Statistical Analysis for outlier detection, clustering, and hypothesis testing; Graph Analysis for topology modeling, centrality metrics, and community detection; Signature Matching for attack patterns, protocol anomalies, and device profiling; all methods converge to produce actionable insights — Figure 134.5: Traffic Analysis Methods: Time-Series, Statistical, Graph, and Signature Matching

SDN rule placement showing decision logic for where to install flow rules whether at edge switches for local traffic, aggregation switches for inter-domain, or core switches for backbone optimization balancing latency and scalability — Rule Placement in SDN

Challenges in SDN rule placement showing TCAM capacity limits per switch, rule conflicts between overlapping match fields, consistency delays during multi-switch updates, and scalability bottlenecks when thousands of IoT devices each require unique flow entries — Rule Placement Challenges

Time-Series Analysis:

Track metrics over time to identify trends, seasonality, and sudden changes
Forecasting for capacity planning and proactive scaling
Change point detection for identifying network state transitions

Statistical Analysis:

Outlier detection using z-scores, interquartile ranges, or isolation forests
Clustering to group similar traffic patterns or device behaviors
Hypothesis testing to validate performance improvements

Graph Analysis:

Model network topology as a graph with switches as nodes and links as edges
Calculate centrality metrics to identify critical infrastructure components
Detect community structure to optimize traffic engineering

Signature Matching:

Compare observed patterns against known attack signatures
Protocol anomaly detection (malformed packets, unexpected sequences)
Behavioral signatures for IoT device profiling

Quick Check: Analytics Pipeline Stages

134.7.1 Interactive: Polling Interval vs. Controller Load Calculator

Explore how polling intervals affect controller overhead and detection latency.

Show code

total_stats = num_switches * flows_per_switch
msgs_per_sec = total_stats / poll_interval
ctrl_load_pct = (msgs_per_sec / controller_capacity) * 100
detection_latency_min = poll_interval
detection_latency_max = poll_interval * 2

Show code

html`<div style="background: var(--bs-light, #f8f9fa); padding: 1rem; border-radius: 8px; border-left: 4px solid ${ctrl_load_pct > 80 ? '#E74C3C' : ctrl_load_pct > 50 ? '#E67E22' : '#16A085'}; margin-top: 0.5rem;">
<p><strong>Total statistics records per cycle:</strong> ${total_stats.toLocaleString()}</p>
<p><strong>Messages per second:</strong> ${msgs_per_sec.toLocaleString('en-US', {maximumFractionDigits: 0})}</p>
<p><strong>Controller load:</strong> ${ctrl_load_pct.toFixed(1)}% ${ctrl_load_pct > 100 ? '-- OVERLOADED' : ctrl_load_pct > 80 ? '-- WARNING: near capacity' : '-- OK'}</p>
<p><strong>Detection latency:</strong> ${detection_latency_min}--${detection_latency_max} seconds</p>
</div>`

Key Concepts

SDN (Software-Defined Networking): An architectural approach separating the network control plane (routing decisions) from the data plane (packet forwarding), centralizing control in a software controller for programmable network management
Control Plane: The network intelligence layer making routing and forwarding decisions, centralized in an SDN controller rather than distributed across individual switches as in traditional networking
Data Plane: The network forwarding layer physically moving packets based on rules installed by the control plane — in SDN, this is the switch hardware executing OpenFlow flow table entries
OpenFlow: The foundational SDN protocol enabling communication between an SDN controller and network switches, allowing the controller to install, modify, and delete flow table entries that govern packet forwarding
sFlow: A network telemetry standard sampling 1-in-N packets and exporting samples to a collector, enabling network-wide traffic analysis with predictable bandwidth overhead proportional to sampling rate
IPFIX (IP Flow Information Export): An IETF standard (RFC 7011) for exporting flow records from network devices to collectors, providing detailed flow-level traffic visibility for SDN analytics and billing
Network Digital Twin: A software model of an SDN network that is continuously synchronized with live flow table state, enabling what-if analysis of routing changes without impacting production traffic

134.8 Why SDN Analytics Over Traditional Network Monitoring?

Traditional SNMP-based network monitoring polls devices independently, producing isolated per-device metrics with no cross-device correlation. SDN analytics fundamentally changes this by combining centralized visibility with programmable responses.

Quantified comparison for a 500-device smart building:

Capability	Traditional SNMP	SDN Analytics
Detection latency	5-15 minutes (trap-based)	20-40 seconds (flow-based)
Root cause isolation	Manual (hours)	Automated correlation (minutes)
Automated remediation	None (operator intervenes)	Flow rule update in <1 second
Cross-device correlation	Separate tool required	Native in controller
Bandwidth visibility	Per-port counters only	Per-flow, per-application
Annual operations cost	~$180K (3 FTE network ops)	~$95K (1.5 FTE + tooling)

Decision Framework: When to Invest in SDN Analytics

Under 50 devices: Traditional monitoring is sufficient – the cost of SDN infrastructure exceeds the benefit
50-500 devices: SDN analytics pays for itself through reduced troubleshooting time (Cisco reports 60% faster MTTR in campus deployments)
500-5,000 devices: Essential – manual monitoring cannot scale, and network-wide traffic engineering delivers 20-40% better link utilization
5,000+ devices: Critical infrastructure requirement – automated anomaly detection prevents cascade failures that human operators cannot catch in time

Real-World ROI: AT&T Domain 2.0 SDN Analytics

AT&T’s Domain 2.0 initiative deployed SDN analytics across their wide-area network serving IoT enterprise customers:

Scale: 75,000+ network elements, 5 million flow rules
Investment: $200M over 3 years for SDN transformation (analytics was ~15% of total)
Results: 40% reduction in network provisioning time (weeks to minutes), 50% fewer truck rolls for troubleshooting, $1.2B annual savings in operational costs by 2019
Key insight: The analytics layer enabled “zero-touch provisioning” where new IoT customer connections were automatically configured, monitored, and optimized without human intervention

AT&T found that 70% of the operational savings came from analytics-driven automation, not from the SDN infrastructure itself. The controller was necessary but insufficient – the analytics layer is where the business value concentrates.

Putting Numbers to It

Polling Interval vs. Detection Latency Trade-off

An SDN controller manages 100 switches, each with average 500 active flows. Calculate controller load for different polling intervals:

Statistics messages per poll cycle:

Switches polled: 100
Flow stats per switch: 500
Total statistics records: $100 \times 500 = 50{,}000$ per cycle

Controller processing capacity: 10,000 stats/second (measured benchmark)

Option 1: 15-second polling

Messages/second: $50{,}000 / 15 = 3{,}333$ stats/sec
Controller load: $3{,}333 / 10{,}000 = 33.3\%$
Detection latency: 15–30 seconds (1–2 poll cycles)

Option 2: 5-second polling (aggressive) - Messages/second: $50{,}000 / 5 = 10{,}000$ stats/sec - Controller load: $10{,}000 / 10{,}000 = 100\%$ ✗ saturated - Detection latency: 5–10 seconds

Option 3: 30-second polling (conservative) - Messages/second: $50{,}000 / 30 = 1{,}667$ stats/sec - Controller load: $1{,}667 / 10{,}000 = 16.7\%$ - Detection latency: 30–60 seconds

Optimal choice: 15-second polling provides 20–30s detection latency at 33% controller load, leaving 67% headroom for flow installations and topology updates. Tiered polling (high-priority flows every 5s, others every 30s) can optimize further by tracking critical IoT traffic more frequently.

134.9 Worked Example: Detecting a Rogue IoT Device via Flow Analytics

A university campus deploys 2,400 IoT sensors across 12 buildings on an SDN-managed network with an ONOS controller. One morning, the analytics pipeline flags an anomaly. This example walks through the four-stage detection and response process using real flow statistics.

Given

Controller polls 48 switches every 20 seconds
Baseline traffic profile (learned over 30 days): average IoT device sends 2-8 packets/min, 50-400 bytes each
Anomaly threshold: any device exceeding 3 standard deviations from its 7-day rolling average
Total active flows: ~35,000

Stage 1: Data Collection

At 09:14:20, the controller collects flow statistics from Building 7’s aggregation switch (SW-B7-AGG):

Flow ID	Source MAC	Packets (20 s)	Bytes (20 s)	Protocol
18472	AA:BB:CC:11:22:33	6	480	MQTT
18473	AA:BB:CC:11:22:34	4	320	MQTT
18474	AA:BB:CC:44:55:66	2,847	1,423,500	TCP:80
18475	AA:BB:CC:11:22:35	8	640	MQTT

Flow 18474 immediately stands out: 2,847 packets in 20 seconds = 142 packets/second from a device registered as a temperature sensor.

Stage 2: Processing

The processing layer computes features:

Device AA:BB:CC:44:55:66 (registered: temperature sensor, Building 7, Room 714)
  7-day rolling average: 5.2 packets/min, mean packet size 87 bytes
  Current rate: 8,541 packets/min (1,642x above average)
  Current packet size: 499 bytes (5.7x above average)
  Standard deviation (7-day): 1.8 packets/min
  Z-score: (8541 - 5.2) / 1.8 = 4,742 (far exceeds 3-sigma threshold)
  Protocol change: MQTT → HTTP (previously never used HTTP)
  Destination analysis: 94% of traffic to external IP 203.0.113.47 (not a campus or cloud endpoint)

Stage 3: Analysis

The analytics engine applies three detection methods:

Statistical: Z-score = 4,742 – exceeds threshold of 3.0. ALERT: Volume anomaly.
Signature: Outbound HTTP traffic to unknown external IP from a sensor-class device matches botnet command-and-control communication pattern. ALERT: Possible compromise.
Graph: Device centrality increased from 0.002 (leaf node) to 0.18 (highly connected) – it initiated connections to 47 other campus IoT devices in the last hour. ALERT: Lateral scanning.

Combined threat score: 0.97 (threshold for automated response: 0.85).

Stage 4: Automated Response

At 09:14:41 (21 seconds after collection), the controller installs three flow rules:

Rule 1: QUARANTINE - Block all traffic from AA:BB:CC:44:55:66 to external networks
  Switch: SW-B7-AGG, Priority: 65000, Action: DROP

Rule 2: MONITOR - Mirror remaining local traffic to IDS appliance
  Switch: SW-B7-AGG, Priority: 64000, Action: FORWARD port 48 (mirror)

Rule 3: NOTIFY - Redirect device management traffic to honeypot
  Switch: SW-B7-ACC, Priority: 63000, Action: FORWARD port 12 (honeypot)

Outcome

Metric	Value
Time from anomaly start to detection	~40 seconds (2 polling cycles)
Time from detection to automated quarantine	21 seconds
Total response time	~61 seconds
Packets blocked (first hour)	427,350
Lateral spread prevented	47 devices contacted but 0 compromised (quarantine before payload delivery)
Estimated manual detection time (SNMP monitoring)	4-6 hours (based on campus incident history)

Post-incident investigation revealed that a temperature sensor in Room 714 had a factory-default password. An attacker gained access, installed a botnet agent, and began scanning other campus IoT devices. The SDN analytics pipeline detected the compromise 100x faster than the previous SNMP-based monitoring would have, preventing lateral spread across the 2,400-device network.

Key Insight: The detection succeeded not because any single metric was unusual in isolation, but because the analytics pipeline correlated three independent signals (volume spike, protocol change, connection fan-out) within one polling cycle. Traditional per-device SNMP monitoring would have flagged only the bandwidth spike, likely hours later, after the botnet had already spread.

134.10 Concept Relationships

Concept	Relationship to SDN Analytics	Importance
Polling Intervals	Determines detection latency and controller overhead; 15-30s typical	High - balances speed vs load
Flow Statistics	Per-flow packet/byte counters enable traffic pattern analysis	Critical - foundation for analytics
Baseline Establishment	24-72 hour training period creates “normal” thresholds; enables anomaly detection	High - prevents false positives
Z-Score Anomaly Detection	Statistical method flagging deviations >3 standard deviations	High - quantifies abnormality
Automated Response	Flow rule installation mitigates threats in <1 second; vs hours with manual intervention	Critical - key SDN security advantage
Time-Series Analysis	Tracks metrics over time for forecasting; enables proactive capacity planning	Medium - supports long-term planning

Match the Analytics Layer to Its Function

Order the Analytics Pipeline Stages

Common Pitfalls

1. Sampling Rates Too Low for Anomaly Detection

Configuring sFlow at 1:10,000 sampling rate expecting to detect low-volume DDoS attacks generating 100 packets/second against IoT devices. At 10,000:1 sampling, a 100 pps attack produces only 0.01 samples/second on average. Increase sampling rate to 1:1,000 for security analytics use cases.

2. Not Considering Analytics Platform Scalability

Deploying a single-node analytics instance receiving OpenFlow statistics from a 10,000-switch SDN network. Analytics platforms must scale horizontally to handle the telemetry volume. Use streaming analytics (Apache Flink, Kafka Streams) rather than batch processing for real-time SDN analytics.

3. Mixing Control Plane and Analytics Plane Networks

Running SDN analytics traffic (sFlow, IPFIX exports) on the same network as OpenFlow control messages. Heavy analytics export can delay controller-to-switch flow installations, causing forwarding delays. Separate analytics and control plane traffic on dedicated networks.

4. Using Full Flow Records Instead of Sampled Analytics

Storing complete flow records for every IoT device session to avoid missing any traffic. At 100,000 IoT device connections per day with average 10 flows each, storage requirements reach 1 million records/day. Use sampled flow records and aggregation for cost-effective analytics at scale.

Label the Diagram

💻 Code Challenge

134.11 Summary

This chapter introduced the foundational architecture for SDN analytics:

Analytics Ecosystem:

Seven interconnected layers: Data Plane, Control Plane, Analytics Layer, Applications, Storage, Visualization, and External Integration
Each layer serves a specific function in transforming raw network data into actionable intelligence

Data Flow:

Statistics collection from switches via OpenFlow messages (15-30 second polling intervals)
Processing pipeline aggregates, normalizes, and extracts features
Analytics engine applies rule-based and ML-based detection
Automated actions install flow rules to mitigate issues

Key Metrics:

Traffic metrics (bytes, packets, flows, bandwidth) for activity monitoring
Performance metrics (latency, jitter, loss) for QoS management
Security metrics (anomalies, DDoS patterns) for threat detection
Topology metrics (utilization, failures) for network optimization
Energy metrics (battery levels) for sensor network lifetime

Traffic Analysis Methods:

Time-series analysis for trend detection and forecasting
Statistical analysis for outlier detection and clustering
Graph analysis for topology patterns and centrality
Signature matching for known attack patterns

134.12 See Also

SDN Anomaly Detection - Detection methods and response actions
SDN Analytics with OpenFlow - Statistics collection implementation
SDN Controllers and Use Cases - Controller comparison and advanced applications
SDN Fundamentals and OpenFlow - OpenFlow protocol basics
Network Security - Broader security monitoring concepts

For Kids: Meet the Sensor Squad!

SDN analytics is like having a super-smart detective who watches all the traffic in your city and spots problems before they become emergencies!

134.12.1 The Sensor Squad Adventure: The Network Detective

The Sensor Squad’s network was running great thanks to Connie the Controller. But Sammy the Sensor noticed something weird. “My messages are taking MUCH longer to arrive than usual. Something is wrong!”

That’s when the squad hired Detective Data – an analytics program that watches ALL the traffic patterns in the network.

“I collect clues every 15 seconds,” Detective Data explained. “I check how many messages each sensor sends, how fast they travel, and whether any switches are overloaded.”

Detective Data had four special investigation tools: 1. Time Detective: “I compare today’s traffic to yesterday’s. If something changes suddenly, I notice!” 2. Number Cruncher: “I calculate averages and spot numbers that are way too high or low.” 3. Map Maker: “I draw the whole network and find which switches are most important.” 4. Pattern Matcher: “I know what attacks look like and can recognize them instantly!”

Sure enough, Detective Data found the problem: one switch was handling too much traffic, causing delays. Connie the Controller immediately rerouted some messages through a different path, and everything sped up again!

“Analytics saved the day!” cheered Lila the LED.

134.12.2 Key Words for Kids

Word	What It Means
Analytics	Using data and math to understand what is happening in the network
Baseline	Knowing what “normal” looks like so you can spot “abnormal”
Pipeline	Steps that data goes through: collect, process, analyze, act

Knowledge Check: SDN Analytics Architecture

134.13 What’s Next

If you want to…	Read this
Study SDN anomaly detection	SDN Anomaly Detection
Learn about SDN controllers and use cases	SDN Controllers and Use Cases
Explore OpenFlow statistics	SDN OpenFlow Statistics
Review SDN production deployment	SDN Production Framework
Study SDN data centers and security	SDN Data Centers and Security