DOCSDN: Dynamic and Optimal Configuration of Software-Defined Networks
Timothy Curry, Devon Callahan, Benjamin Fuller, Laurent Michel

TL;DR
This paper presents DOCSDN, a layered framework for optimizing software-defined network configurations to satisfy multiple conflicting requirements like security, performance, and reachability, with quick reconfiguration capabilities.
Contribution
The paper introduces a novel layered optimization framework for SDN configuration that jointly considers multiple network properties and constraints.
Findings
Configurations are generated within 1-5 minutes.
Framework effectively balances security and performance.
Validated on fat tree topology in data center networks.
Abstract
Networks are designed with functionality, security, performance, and cost in mind. Tools exist to check or optimize individual properties of a network. These properties may conflict, so it is not always possible to run these tools in series to find a configuration that meets all requirements. This leads to network administrators manually searching for a configuration. This need not be the case. In this paper, we introduce a layered framework for optimizing network configuration for functional and security requirements. Our framework is able to output configurations that meet reachability, bandwidth, and risk requirements. Each layer of our framework optimizes over a single property. A lower layer can constrain the search problem of a higher layer allowing the framework to converge on a joint solution. Our approach has the most promise for software-defined networks which can easily…
Click any figure to enlarge with its caption.
Figure 1
Figure 2
Figure 3
Figure 4Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
DOCSDN: Dynamic and Optimal Configuration of Software-Defined Networks
Timothy Curry, Devon Callahan, Benjamin Fuller and Laurent Michel
Department of Computer Science and Engineering
University of Connecticut Storrs, CT USA
{timothy.curry,devon.callahan,benjamin.fuller,laurent.michel}@uconn.edu
Abstract
Networks are designed with functionality, security, performance, and cost in mind. Tools exist to check or optimize individual properties of a network. These properties may conflict, so it is not always possible to run these tools in series to find a configuration that meets all requirements. This leads to network administrators manually searching for a configuration.
This need not be the case. In this paper, we introduce a layered framework for optimizing network configuration for functional and security requirements. Our framework is able to output configurations that meet reachability, bandwidth, and risk requirements. Each layer of our framework optimizes over a single property. A lower layer can constrain the search problem of a higher layer allowing the framework to converge on a joint solution.
Our approach has the most promise for software-defined networks which can easily reconfigure their logical configuration. Our approach is validated with experiments over the fat tree topology, which is commonly used in data center networks. Search terminates in between 1-5 minutes in experiments. Thus, our solution can propose new configurations for short term events such as defending against a focused network attack.
Index Terms:
network security, reachability, risk assessment, optimization, software defined networks.
I Introduction
Network configuration is a crucial task in any enterprise. Administrators balance functionality, performance, security, cost and other industry specific requirements. The resulting configuration is subject to periodic analysis and redesign due to red team recommendations, emerging threats, and changing priorities. Tools assist administrators with this complex task: existing work assesses network reachability [1], wireless conflicts [2], network security risk [3, 4], and load balancing [5, 6]. These tools assess the quality of a potential configuration. Unfortunately, current tools suffer from three limitations:
Most tools assess whether a single property is satisfied, making no recommendation if the property is not satisfied. This leaves IT personnel with the task of deciding how to change the network. 2. 2.
Networks are assessed with respect to an individual goal at a time. This means a change to satisfy a single property may break another property. There is no guidance for personnel on how to design a network that meets the complex and often conflicting network requirements. 3. 3.
These tools do not react to changing external information such as the publication of a new security vulnerability.
Our Contribution
This work introduces a new optimization framework that finds network configurations that satisfy multiple (conflicting) requirements. We focus on data center networks (DCN) that use software defined networking (SDN). Background on these settings is in Section II. Our framework is called DocSDN (Dynamic and Optimal Configuration of Software-Defined Networks).
DocSDN searches for network configurations that simultaneously satisfy multiple properties. DocSDN is organized into layers that consider different properties. The core of DocSDN is a multistage optimization that decouples search on “orthogonal” concerns. The majority of the technical work is to effectively separate concerns so the optimization problems remain tractable. Our framework is designed to continually produce network configurations based on changing requirements and threats. It frees IT personnel from the complex question of how to satisfy multiple requirements and can quickly incorporate new threat information.
DocSDN focuses on achieving functional requirements (such as network reachability and flow satisfaction) and limiting security risk (such as isolating high risk nodes and nodes under denial of service attack). Naturally, other layers such as performance or cost can be incorporated. The search for a good configuration could be organized in many ways. State-of-the-art approaches assess different properties in isolation, frustrating search for a solution that satisfies all requirements. Ideally, a framework should search for a configuration that simultaneously satisfies all requirements. This extreme is unlikely to be tractable on all but the smallest networks. DocSDN mediates between these approaches separating the functional and security search problems but introducing a feedback loop between the two search problems based on cuts.
In the proposed organization the functional layer is “above” the security layer. Through the feedback loop, the security layer describes a problematic part of the network to the functional layer. The functional layer then refines its model and searches for a functional configuration that satisfies an additional constraint. This has the effect of blocking the problematic part of the configuration. Currently, the feedback signal is a pair of nodes that should not be proximate in the network. After multiple iterations the two layers jointly produce a solution that optimizes the SDN configuration both with respect to functionality and security risks.
DocSDN provides solutions of improving quality before the final solution. Thus, the network can be reconfigured once the objective improves on the current configuration by a large enough amount (to justify the cost/impact of reconfiguration).
While the underlying optimization problems are NP-hard, optimization technology has seen tremendous advances in performance during the past few decades. Since 1991, mathematical programming solvers have delivered speedups of 11 orders of magnitude [7, 8]. The advent of hybrid techniques such as Benders decomposition [9, 10, 11, 12] and column generation [13, 14, 15] (aka, Dantzig-Wolfe decomposition [16]) made it possible to harness huge problems thanks to on-demand generation of macroscopic variables and the dynamic addition of critical constraints. Large Neighborhood Search [17] further contributed to delivering high-quality solution within constrained time budgets.
These techniques are beginning to see adoption in network security. Yu et al. recently applied stochastic optimization with Bender’s decomposition to assess network risk under uncertainty for IoT devices [4]. They used Bender’s decomposition on a scenario-based stochastic optimization model to produce a parent problem that chooses a deployment plan while children are concerned with choosing the optimal nodes to serve the demands in individual scenarios. In comparison, our approach addresses both functional and security requirements. It relies on Bender’s cuts from the security layer (child) to rule out vulnerable functional plans whose routing paths fail to adequately minimize risks and maximize served clients. We now briefly describe the framework (a formal description is in Section III) and present an illustrative example.
Overview of DocSDN
Figure 1 presents an overview of the framework. The functional layer takes as input a Functional Model that describes the network including the physical topology, link speeds, the allowable communication patterns and the demand requirements. Network reachability begins with a priming procedure that generates the -least cost paths to the optimizer for each source/destination pair in the demand requirements. The objective for the functional layer is to find a logical topology (a collection of routed paths) that meets all demand requirements while favoring shorter length routing paths and load balancing. The program is formulated as quadratic binary program (QBP). The solution as determined by the functional layer is passed to the security layer.
The output of the functional layer and a security model are the input for the security layer. The current configuration is fed to a module that uses risk assessments for the individual network devices (obtained for example using a vulnerability database) to assess the overall risk of the entire configuration. In our current implementation this risk calculation is based on a simple risk propagation model where a path’s risk is based on the risk of nodes on the path and close to the source and sink. The security layer can deploy firewalls and deep packet inspection as network defenses. Since these mechanisms affect route capacity, the security layer has a dual objective function: 1) maximizing the functional objective and 2) minimizing security risk. The security objective is formulated as a mixed integer program (MIP). When the security search completes, it proposes nodes to the functional layer that should be separated. As an example, a high value node with low risk may be placed in a different (virtual) LAN than a high risk node. These Benders cuts are designed to entice a better logical topology from a subsequent iteration in the functional layer. This feedback loop between the two layers can iterate multiple times. When no further cuts are available, the overall output is a set of configuration rules.
An example configuration
This section describes an application of our framework to automatically respond to a distributed denial of service (DDoS) attack. Current DDoS attacks demonstrate peak volume of 1 Tbps [18]. Many DDoS defense techniques require changes to the network behavior by rate limiting, filtering, or reconfiguring the network (see [19, 20, 21, 22, 23]). Recent techniques [24] leverage SDNs to react to DDoS attacks in a dynamic and flexible manner. We show how such a response would work in our framework using a toy network illustrated in Figure 2. A more realistic network and the framework’s response are described in Section V. We stress that DDoS attacks are often short in timescale making human diagnosis and reaction costly or impractical.
Consider a focused DDoS attack against a number of services in an enterprise but not the entirety of its publicly accessible address space. (The Great Cannon’s attack against GreatFire targeted two specific Github repositories [25].) We assume a service hosted by is targeted, while services on and are not.
Recall, the functional layer establishes a logical topology (forwarding rules) while the security layer adds network defenses (packet inspection modules and firewall rules). We elide how the attack is detected and assume it increases the risk score for in the security model.
The first iteration The functional layer proposes a candidate configuration where routes all traffic intended for and to which then forwards the traffic and routes traffic intended for and to which then forwards the traffic. This is the first candidate solution presented to the security layer.
Since is high risk the security layer proposes a firewall at to block all port traffic. This reduces risk at the cost of blocking all traffic to . Of course, in real firewalls more fine-grained rules are possible, this simplified example is meant to illustrate a case where collateral damage to the functional objective is necessary to achieve the security objective. Since traffic is being blocked to a node with low risk, the security layer asks the functional layer to separate and so does not suffer.
Repeated iterations The functional layer now has a constraint that and should not be collocated in the network. As such, it proposes a new configuration with and under and and under . This is then sent to the security layer. The security layer makes a similar assessment and proposes a firewall rule at , finds this recommendation hurts functionality and requests separation of and .
This process repeats with the functional layer proposing to collocate and . The security layer similarly asks to separate and . Finally, is segregated from all other nodes. This produces a configuration where is the only child of . Note that having and under a single switch may hurt performance but the effect is less than blocking traffic to one of the nodes entirely. DocSDN can then output the candidate solution as high level SDN fragments (using a high-level language like Pyretic [26]).
Recovery Importantly, when the DDoS abates, DocSDN automatically reruns with a changed risk for , outputting a binary tree.
Organization The rest of the work is organized as follows: Section II provides background on our application and discusses related work, Section III describes our framework and accompanying optimization models, Section IV describes our experimental setup, Section V evaluates the framework and finally Section VI concludes.
II Background and Related Work
Data Center Networks (DCN) host, process and analyze data in financial, entertainment, medical, government and military sectors. The services provided by DCNs must be reliable, accurate and timely. Services provided by DCNs (and the corresponding traffic) are heterogeneous. The network must adapt to changing priorities and requirements while protecting from emerging threats. They scale to thousands of servers linked through various interconnects. Protocols used for these services are split roughly 60 percent web (HTTP/HTPS) and 40 percent file storage (SMB/AFS) [27]. The interdependence of device configurations make modifying any single configuration difficult and possibly dangerous for network health. A seemingly simple update can cause significant collateral damage and unintended consequences.
Simultaneously, the network fabric is changing with the advent of Software Defined Networking (SDN) [28]. SDNs are flexible and programmable networks that can adapt to emergent functional or performance requirements. Openflow [29] is a common open source software stack. Researchers have proposed high-level languages and compilers [30, 31, 26, 32] that bridge the semantic gap between network administrators and the configuration languages used by SDN devices. These languages focus on compositional and parametric SDN software modules that execute specific micro-functions (e.g., packet forwarding, dropping, routing, etc.). The use of a high level language is prompted by a desire to be able to select, instantiate and compose SDN modules with guarantees.
Our framework is intended to be modular and allow integration of prior work on evaluating network configurations. As such there is a breadth of relevant work. Due to space constraints we focus on the most relevant works. In the conclusion we elaborate on the characteristics needed to integrate a prior assessment tool into our framework (see Section VI).
Measuring Network Risk Known threats against computer systems are maintained by governments and industry. Common Vulnerabilities and Exposures (CVE) is a publicly available dictionary including an identifier and description of known vulnerabilities [33], CVE does not provide a severity score or priority ranking for vulnerabilities. The US National Vulnerability Database (NVD) [34] is provided by the US National Institute of Standards and Technology (NIST). The NVD augments the CVE, adding severity scores and impact ratings for vulnerabilities in the CVE.
There are many mechanisms for measuring the security risk on a network [35, 36, 37, 38, 39]. Lippmann et al. present a network security model which computes risk based on a list of the most current threats [40]. This model implements a cycle of observe network state, compute risk, prioritize risk, and mitigate the risk.
This loop is often codified into an attack graph [3, 41, 42]. Attack graphs try to model the most likely paths that an attacker could use to penetrate a network. Attack Graphs often leverage one or more of the aforementioned vulnerability assessment tools as input, combined with a network topology and device software configurations to generate the graph. Current attack graph technologies provide recommendations to network administrators that effectively remove edges from the graph and trigger a re-evaluation of the utility for the attacker. To the best of our knowledge, current practice does not leverage network risk measurement into constraints used for the generation of new configurations.
Network Reachability The expansion of SDN has aided the applicability of formal verification to computer networks. Prior to SDN, the lack of clear separation between the data and control plain created an intractable problem when considering a network of any scale. Bounded model checking using SAT and SMT solvers [43, 44] can currently verify reachability properties in networks with several thousands of nodes.
Configuration Search Constraint Programming (CP) was introduced in the late 1980s [45] and is used for scheduling [46], routing, and configuration problems. Large-scale optimization problems are often decomposed including Benders [12] and Dantzig-Wolfe [16]. Soft constraints or Lagrangian relaxation are used for over-constrained problems or when the problem is too computationally expensive. Stochastic optimization techniques have been used for many applications in resilience [47, 48] and the underlying methodologies are a key part of this research. Prior work in configuration management with constraint programming [49, 50] focused on connectivity or security. We are not aware of any work that balances these two objectives in a meaningful way.
III Implementation
Figure 1 outlines the overall structure of the DocSDN framework. layer inter-connections as well as their internals. The functional layer uses a mathematical optimization model that is fed to a quadratic mixed Boolean programming (QBP) solver alongside an initial set of least-cost paths to be considered to service the required flows. The security layer receives the topology chosen by the functional layer and a security model to solve, with a mixed-integer programming (MIP) solver, the risk minimization problem. The output can result in low-risk flows being blocked as a consequence of deploying firewalls to mitigate high-risk flows. A result analysis module then produces a set of equivalence classes that is sent back to the functional layer to request the separation of specific flows that should not share paths, with the goal of minimizing the collateral damage to low-risk flows. These equivalence classes generate additional constraints, known as Bender’s cuts, that are added to the functional solver for a new iteration. The remainder of this section describes the major modules in Figure 1.
III-A Functional Layer
The mathematical optimization model in the functional layer is a quadratic mixed binary programming model. In constraint programming the four main components are Inputs, Variables, Constraints, and an Objective function. Inputs are below.
**Inputs
** – the set of all network devices
– the set of edges (pair of vertices) connecting network devices
– the set of types of traffic to be routed
– the set of tuples defining desired traffic flows of type from source node to sink node .
– the actual demand for each flow
– a subset of sets of network devices
– pairs of equivalence classes that segregate traffic from to .
– the set of all paths
– the set of all paths containing edge
– the set of all paths containing node
– the set of all paths containing a node in
– the set of nodes appearing in path
– the set of all paths
– gives the capacity of an edge .
**Variables
**, – for every path and traffic type , indicates whether path carries traffic of type
– for every path and traffic type , amount of flow of type that is sent along path
– does node appear in an active path together with a node in equivalence class
– indicates whether node appears on any active path with nodes in classes . Namely,
[TABLE]
if there is a type where
– the amount of flow that goes through node
– the sum of squares of all variables.
**Constraints
**
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
Equation 1 enforces the edge capacity constraint to service the demand of all paths flowing through it. Equation 2 ensures that enough capacity is available to meet the demand of an flow. Equation 3 ensures that some non-zero capacity is used if a specific path is activated (conversely, an inactive path can only have a 0 flow). Equation 4 states that a single path should be chosen to service a given flow . Equations 5 define the auxiliary variables as true if and only if node appears on an active path sharing a node with the equivalence class . Equation 6 defines an active path that shares at least one node with two classes. Finally, equation 7 defines the load of a node as the sum of the flows associated to active paths passing through node .
**Objective
**
[TABLE]
The objective function 8 in this model is a weighted sum of three terms. The first term captures the total flows which are penalized by the length of the path used to dispatch those flows (such policies are codified in OSFP [51] and BGP practice [52]). The second term gives a unit credit each time equivalence classes on the segregation list do not share a node. (Due to this term, the objective value of the final solution may change between iterations of the functional layer.) The third and final term contribute to a bias towards solutions that achieve load balancing thanks to the quadratic component which heavily penalizes nodes with large loads.
Solving the Functional Model The functional model starts with empty sets and which are augmented with each iteration of the framework. New sets of nodes are added to and new segregation rules are added to (by the security layer). In the current implementation, least cost paths between pairs of nodes are not generated “on demand”. Instead, the generation is limited to the first best such paths, for increasing values of . This process will ultimately be improved to use column generation techniques [16].
III-B Risk Calculation
After the functional layer finds an optimal solution, it passes this solution to the risk calculation procedure. This input is the set of active paths. This module calculates the effective risk to the network for each path and traffic type.
**Inputs
** – the risk inherit to network device for traffic of type ()
– the set of nodes at a distance at most from in the logical topology
**Calculation
**Given an active path with source and sink , the calculation proceeds by partitioning the set of nodes of the path into three segments: the nodes “close” to the source , “close” to the sink and the nodes “in between”. Closeness is characterized by the function and is meant to capture any connected node over the logical topology which sits no more that hops away. Given this partition, is:
[TABLE]
We use to model nodes on the same LAN. The rationale is to impart to source and sink risk resulting from lateral movement of attacks. All other nodes contribute to the overall path risk in proportion to the square of their own risks. We expect in most networks for (and ) to include nodes not directly on the path (like nodes on the same LAN). The input path risk calculation is modular and can be augmented using other risk calculation methods.
III-C Security Layer
The mathematical optimization model in the security layer is a mixed integer programming model. We similarly present the inputs, variables, constraints, and objective for the security layer. Its inputs are given below. Also note that all the variables from the functional model are constants.
**Inputs
** – the memory resources of SDN device
– the memory footprint for a firewall blocking traffic type
– the memory footprint for a packet inspection post
– the complexity footprint for adding a firewall
– the complexity footprint for adding a packet inspection post to the network
– the penalty for blocking a unit of flow of type along path
– the position of node in path
– above risk calculation
**Variables
** – does a firewall block traffic type at
– is there packet inspection at network device
– is there a block everything or block traffic of type firewall at network device
– is there a firewall on path
– risk factor for path servicing flow
– used in the riskFactor calculation
– used in the riskFactor calculation
**Constraints
**
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
Equation 9 is used to define the presence of a firewall that will block traffic of type at a node . Equation 10 ensures that the memory footprint in SDN node for the deployment of the firewall and the packet inspection logic does not exceed the device memory. Equation 11 links the presence of a firewall that will block traffic of type on a path with the presence of a firewall that will block traffic of type on any node along the active path.
Equation 12 defines the minimum risk factor associated to a firewall. The earlier on the path the firewall is deployed, the lower the risk. Equation 13 similarly defines the minimal risk. Equation 14 defines the composite risk factor.
**Objective
**
[TABLE]
The objective function defined in equation 15 is a weighted sum of four distinct terms that focus on minimizing the network complexity based on security resources deployed, the load induced by inspection posts, the penalties incurred from dropping desirable flows due to firewall placement and finally the residual risk. This model is a classic mixed integer programming formulation.
III-D Result Analysis
The result analysis module tries to generate cuts for the functional layer with the goal of improving both functionality and security. To generate cuts, this module will form equivalence classes of network nodes and pass back certain pairs of these classes, one at a time, to the functional layer. Each pair of classes describes a segregation rule, or a cut, to which to functional layer will adhere to as much as possible.
After the functional and security layers are re-optimized using the most recent cut, the result analysis module determines whether the cut was beneficial or harmful based on the objectives of each layer. If the cut is deemed to have been beneficial, we permanently keep it as a constraint, repopulate the cut queue, and continue the process.
If the cut is deemed to have been harmful, it is removed from the functional layer’s constraint pool. Then the next cut in the queue will be passed back to the functional layer. If the cut queue is empty, the feedback mechanism terminates and we output the best solution found.
We note that since this process only provides pairs of nodes it is a heuristic, it may be necessary for many nodes to simultaneously be separated to arrive at a global optimum. This mechanism performed well in our experiments.
III-E Layer Coordination
It is valuable to review how the layers coordinate. The functional layer sends to the security layer a set of paths that implements the routing within the network to serve the specified flows while satisfying a set of segregation requirements. The security layer first computes risks for these paths (in polynomial time) based on its knowledge of the traffic. The paths, their risk and the security model are then tasked with deploying packet inspection apparatus as well as firewalls within that logical topology to monitor the traffic and block threats (risky traffic). Once the security model is solved to optimality, an analysis can determine whether the proposed logical topology is beneficial or not (w.r.t. its objective) and even suggest further equivalence classes for network nodes as well as segregation rules to be sent back to the functional layer for another iteration. Fundamentally, the coordination signal boils down to additional equivalence classes to group nodes together with segregation rules to separate paths that include network nodes in “antagonistic” equivalence classes.
III-F Outputs
When the set of potential cuts is empty, the proposed configuration can be parsed and translated into SDN language fragments to be deployed on the network devices in order to obtain the desired logical network topology put forth by our framework.
IV Experimental Setup
A fundamental component of our work is the separation of the physical and logical networks. Our framework has potential in applications where many different logical topologies are possible from a single physical topology. Physical topology is an input to our framework and the empirical evaluation is based on a popular topology: Fat-Tree [53].
The instance of Fat-Tree we use is shown in Figure 3. The updated design avoids bottlenecks through multiple equal capacity links between layers. This design uses four layers of switches: gateway, core, aggregate and edge with hosts connected at the bottom.
Within our sample network, we consider having two main types of devices: switches/routers and hosts. In order to model traffic between internal and external entities we utilize two gateway switches which represent the boundary of our network. For generality we consider two traffic types A and B which could represent any types of traffic such as web and storage. We also classify traffic as internal and external, with external traffic traversing one of the gateways. We allow only half of our hosts to communicate with external sources by allowing them to connect to one of the two gateways. Further, all hosts are involved in internal communications. In our network we have 16 hosts and we generated 60 flows, 44 of them being internal and 16 being external.
Additionally, our setup simulates an emergent vulnerability/active attack. We select two hosts that are highly vulnerable to, or being targeted on, a specific type of traffic, resulting in a significant increase in their risk for the corresponding type of traffic. In particular, this could represent at DDoS attack on these two hosts.
We run multiple experiments providing the framework increasing numbers of starting paths between source and destination (from the priming procedure) to determine the impact on the solution quality.
Our implementation was built in Python 3.6 using the Gurobi 8.1 optimization library [54]. The experiments were run on a machine running Ubuntu 18.04 and equipped with an Intel Core i9-8950HK processor operating at 2.90 GHz with a 12 MB Cache and 32 GB of physical memory.
V Evaluation/Results
We begin with the model’s resolution on the above scenario using the 10 shortest paths per source and destination pair to prime the optimization. We assume equal demand for each of the 60 flows and two high risk hosts (in red in Figure 4). In the first iteration, the functional layer of the framework generates a candidate topology and passes this solution to the security layer. The security layer then calculates the network risk and deploys firewalls (represented with rectangles).
In the first iteration, the gateway on the right serves both low risk (shown in green) and high risk hosts (shown in red). Deploying a firewall on this gateway significantly reduces the network risk and is the output of the security layer. Importantly, this results in collateral damage as flows to low risk hosts are blocked. In total, the first iteration through the framework deploys 3 firewalls which block 12 flows, 8 of which are high risk.
Iteratively, the security layer proposes separation of these collateral nodes from the high-risk nodes. The solution of the last framework iteration (493 candidates cuts are proposed, 40 prove beneficial) is shown on the right. This configuration routes all high risk flows through one core switch where a firewall is now deployed. Meanwhile, all the low risk flows access the gateways through a separate core switch.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] A. Khurshid, W. Zhou, M. Caesar, and P. Godfrey, “Veriflow: Verifying network-wide invariants in real time,” in Proceedings of the first workshop on Hot topics in software defined networks . ACM, 2012, pp. 49–54.
- 2[2] P. Neves, R. Calé, M. R. Costa, C. Parada, B. Parreira, J. Alcaraz-Calero, Q. Wang, J. Nightingale, E. Chirivella-Perez, W. Jiang et al. , “The SELFNET approach for autonomic management in an NFV/SDN networking paradigm,” International Journal of Distributed Sensor Networks , vol. 12, no. 2, p. 2897479, 2016.
- 3[3] B. Schneier, “Attack trees,” Blog, 1999. [Online]. Available: http://tnlandforms.us/cs 594-cns 96/attacktrees.pdf
- 4[4] R. Yu, G. Xue, V. T. Kilari, and X. Zhang, “Deploying robust security in internet of things,” in IEEE Conference on Computer and Network Security , 2018.
- 5[5] R. Wang, D. Butnariu, J. Rexford et al. , “Openflow-based server load balancing gone wild.” Hot-ICE , vol. 11, pp. 12–12, 2011.
- 6[6] R. Skowyra, A. Lapets, A. Bestavros, and A. Kfoury, “A verification platform for SDN-enabled applications,” in Cloud Engineering (IC 2E), 2014 IEEE International Conference on . IEEE, 2014, pp. 337–342.
- 7[7] R. Bixby, M. Fenelon, Z. Gu, E. Rothberg, and R. Wunderling, System Modelling and Optimization: Methods, Theory, and Applications . Kluwer Academic Publishers, 2000, ch. MIP: Theory and practice – closing the gap, pp. 19–49.
- 8[8] B. Fourer, “Amazing solver speedups,” online, 2015, http://bob 4er.blogspot.com/2015/05/amazing-solver-speedups.html .
