Moustapha Awwalou Diouf (SnT, University of Luxembourg), Maimouna Tamah Diao (SnT, University of Luxembourg), El-hacen Diallo (SnT, University of Luxembourg), Samuel Ouya (Cheikh Hamidou KANE Digital University), Jacques Klein (SnT, University of Luxembourg), Tegawendé F. Bissyandé (SnT, University of Luxembourg)
Software-defined networking (SDN) is widely adopted in enterprise networks, data centers, and wide-area networks. These infrastructures are often federated into multiple administrative domains managed by distinct organizations. In this context, forensic analysis of cross-domain attacks remains a major challenge: fragmented causal visibility across domains and privacy constraints prevent effective tracing of threat propagation. Although prior work has focused on centralized provenance systems offering causal traceability, these approaches do not scale in multi-domain contexts with heterogeneous policies. We propose G-Prove, a decentralized forensic framework for multi-domain SDN environments. G-Prove builds local provenance graphs and anchors cross-domain events via a cryptographically signed DAG, enabling causal analysis without exposing each domain’s internal data. Our results on a cross-domain attack scenario demonstrate the feasibility and effectiveness of G-Prove, and allow us to identify areas for improvement for more complex deployments.
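The idea of anchoring cross-domain events in a signed DAG can be illustrated as follows. This is an added example, not G-Prove's code: the anchor fields, function names, keys and sample events are hypothetical, and HMAC-SHA256 stands in for each domain's digital signature so that it runs on the Python standard library alone.

```python
import hashlib, hmac, json

# Constructed per-domain keys. HMAC-SHA256 stands in for each domain's digital
# signature (an assumption, so the example needs only the standard library).
DOMAIN_KEYS = {"A": b"demo-key-A", "B": b"demo-key-B", "C": b"demo-key-C"}

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def sign(domain, anchor_id):
    return hmac.new(DOMAIN_KEYS[domain], anchor_id.encode(), hashlib.sha256).hexdigest()

def make_anchor(domain, local_event, parents):
    """Anchor a cross-domain event: only a hash commitment to the local
    provenance node is published, never the event record itself."""
    body = {"domain": domain, "commit": digest(local_event), "parents": sorted(parents)}
    anchor_id = digest(body)
    return {"id": anchor_id, "sig": sign(domain, anchor_id), **body}

def verify_anchor(anchor):
    body = {k: anchor[k] for k in ("domain", "commit", "parents")}
    return (digest(body) == anchor["id"]
            and hmac.compare_digest(sign(anchor["domain"], anchor["id"]), anchor["sig"]))

def trace_back(dag, anchor_id):
    """Walk parent links from anchor_id and return the domains on its causal
    history, origin first. Raises ValueError on a missing or invalid anchor."""
    order, seen = [], set()
    def visit(aid):
        if aid in seen:
            return
        seen.add(aid)
        anchor = dag.get(aid)
        if anchor is None or not verify_anchor(anchor):
            raise ValueError(f"anchor {aid[:8]} missing or failed verification")
        for parent in anchor["parents"]:
            visit(parent)
        order.append(anchor["domain"])
    visit(anchor_id)
    return order

def build_sample_dag():
    """Constructed scenario: one flow crossing domains A -> B -> C."""
    a = make_anchor("A", {"switch": "s1", "flow": "h1->h9", "nonce": "n1"}, [])
    b = make_anchor("B", {"switch": "s4", "flow": "h1->h9", "nonce": "n2"}, [a["id"]])
    c = make_anchor("C", {"switch": "s7", "flow": "h1->h9", "nonce": "n3"}, [b["id"]])
    return {x["id"]: x for x in (a, b, c)}, c["id"]

if __name__ == "__main__":
    dag, tip = build_sample_dag()
    print(trace_back(dag, tip))  # ['A', 'B', 'C']
```

Because each anchor's identifier covers its parents' identifiers, altering any earlier anchor breaks verification for the investigator walking back from a later one.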