Today, Software-defined networking (SDN), which decouples the control plane from the data plane, has quickly emerged as a new promising networking architecture. In SDN, a centralized control plane (a.k.a., SDN controller) manages the entire network; hence, the security of this control plane has become increasingly important. One of the critical security issues, recently raised, is that an SDN application can unrestrictedly access SDN resources, manipulate the operations of an SDN controller, and finally destroy the network. To address this issue, researchers have proposed permission-based access control models for an SDN controller, and well-known SDN controllers have recently started employing these ideas. However, permission-based access control mechanisms can be evaded by excessively/insufficiently privileged applications (i.e., permission gap), and SDN controllers employing such mechanisms are no exception. In addition, it is possible that the permissions required for an application are not clearly presented to an administrator (i.e., semantic gap). Since an SDN controller directly manages a network, the damage caused by this problem would be much more serious. To address this issue, in this paper, we introduce a novel and usable security mechanism called ASTRAEA that can effectively help SDN operators avoid such potentially dangerous SDN applications. (C) 2019 Published by Elsevier.B.V.