DUELMIPs: Optimizing SDN Functionality and Security

Authors Timothy Curry, Gabriel De Pace, Benjamin Fuller, Laurent Michel, Yan (Lindsay) Sun

Thumbnail PDF


  • Filesize: 0.85 MB
  • 18 pages

Document Identifiers

Author Details

Timothy Curry
  • University of Connecticut, Storrs, CT, USA
Gabriel De Pace
  • University of Rhode Island, Kingston, RI, USA
Benjamin Fuller
  • University of Connecticut, Storrs, CT, USA
Laurent Michel
  • University of Connecticut, Storrs, CT, USA
Yan (Lindsay) Sun
  • University of Rhode Island, Kingston, RI, USA

Cite AsGet BibTex

Timothy Curry, Gabriel De Pace, Benjamin Fuller, Laurent Michel, and Yan (Lindsay) Sun. DUELMIPs: Optimizing SDN Functionality and Security. In 28th International Conference on Principles and Practice of Constraint Programming (CP 2022). Leibniz International Proceedings in Informatics (LIPIcs), Volume 235, pp. 17:1-17:18, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2022)


Software defined networks (SDNs) define a programmable network fabric that can be reconfigured to respect global networks properties. Securing against adversaries who try to exploit the network is an objective that conflicts with providing functionality. This paper proposes a two-stage mixed-integer programming framework. The first stage automates routing decisions for the flows to be carried by the network while maximizing readability and ease of use for network engineers. The second stage is meant to quickly respond to security breaches to automatically decide on network counter-measures to block the detected adversary. Both stages are computationally challenging and the security stage leverages large neighborhood search to quickly deliver effective response strategies. The approach is evaluated on synthetic networks of various sizes and shown to be effective for both its functional and security objectives.

Subject Classification

ACM Subject Classification
  • Theory of computation → Network optimization
  • Networks → Network security
  • Security and privacy → Trust frameworks
  • Network security
  • mixed integer programming
  • large neighborhood search


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. Alfarez Abdul-Rahman and Stephen Hailes. A distributed trust model. In Proceedings of the 1997 workshop on new security paradigms, pages 48-60, 1998. Google Scholar
  2. Sugam Agarwal, Murali Kodialam, and TV Lakshman. Traffic engineering in software defined networks. In 2013 Proceedings IEEE INFOCOM, pages 2211-2219. IEEE, 2013. Google Scholar
  3. Mohammad Al-Fares, Alexander Loukissas, and Amin Vahdat. A scalable, commodity data center network architecture. In Proceedings of the ACM SIGCOMM 2008 Conference on Data Communication, SIGCOMM '08, pages 63-74, New York, NY, USA, 2008. ACM. URL: https://doi.org/10.1145/1402958.1402967.
  4. Saeed Al-Haj and Ehab Al-Shaer. Measuring firewall security. In 2011 4th Symposium on Configuration Analytics and Automation (SAFECONFIG), pages 1-4. IEEE, 2011. Google Scholar
  5. Ehab S Al-Shaer and Hazem H Hamed. Firewall policy advisor for anomaly discovery and rule editing. In International Symposium on Integrated Network Management, pages 17-30. Springer, 2003. Google Scholar
  6. Rashid Amin, Nadir Shah, Babar Shah, and Omar Alfandi. Auto-configuration of acl policy in case of topology change in hybrid sdn. IEEE Access, 4:9437-9450, 2016. Google Scholar
  7. Giovanni Apruzzese, Fabio Pierazzi, Michele Colajanni, and Mirco Marchetti. Detection and Threat Prioritization of Pivoting Attacks in Large Networks. IEEE Transactions on Emerging Topics in Computing, 8(2):404-415, April 2020. URL: https://doi.org/10.1109/TETC.2017.2764885.
  8. Randall J Boyle and Raymond R Panko. Corporate computer security. Pearson, 2015. Google Scholar
  9. Jin-Hee Cho, Kevin Chan, and Sibel Adali. A survey on trust modeling. ACM Computing Surveys (CSUR), 48(2):1-40, 2015. Google Scholar
  10. Timothy Curry, Devon Callahan, Benjamin Fuller, and Laurent Michel. DOCSDN: Dynamic and optimal configuration of software-defined networks. In Australasian Conference on Information Security and Privacy, pages 456-474. Springer, 2019. Google Scholar
  11. George B. Dantzig and Philip Wolfe. Decomposition principle for linear programs. Oper. Res., 8(1):101-111, February 1960. URL: https://doi.org/10.1287/opre.8.1.101.
  12. Rup Kumar Deka, Kausthav Pratim Kalita, Dhruba K Bhattacharya, and Jugal K Kalita. Network defense: Approaches, methods and techniques. Journal of Network and Computer Applications, 57:71-84, 2015. Google Scholar
  13. Ron S Dembo. Scenario optimization. Annals of Operations Research, 30(1):63-80, 1991. Google Scholar
  14. Diego Gambetta et al. Can we trust trust. Trust: Making and breaking cooperative relations, 13:213-237, 2000. Google Scholar
  15. Ramanthan Guha, Ravi Kumar, Prabhakar Raghavan, and Andrew Tomkins. Propagation of trust and distrust. In Proceedings of the 13th international conference on World Wide Web, pages 403-412, 2004. Google Scholar
  16. Guibing Guo, Jie Zhang, and Neil Yorke-Smith. Leveraging multiviews of trust and similarity to enhance clustering-based recommender systems. Knowledge-Based Systems, 74:14-27, 2015. Google Scholar
  17. Jun He and Wei Song. Achieving near-optimal traffic engineering in hybrid software defined networks. In 2015 IFIP Networking Conference (IFIP Networking), pages 1-9. IEEE, 2015. Google Scholar
  18. Lance J Hoffman, Kim Lawson-Jenkins, and Jeremy Blum. Trust beyond security: an expanded trust model. Communications of the ACM, 49(7):94-101, 2006. Google Scholar
  19. MHR H.R. Khouzani, Zhengliang Liu, and Pasquale Malacaria. Scalable min-max multi-objective cyber-security optimisation over probabilistic attack graphs. European Journal of Operational Research, 278(3):894-903, 2019. URL: https://doi.org/10.1016/j.ejor.2019.04.035.
  20. Ansam Khraisat, Iqbal Gondal, Peter Vamplew, and Joarder Kamruzzaman. Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity, 2(1):1-22, 2019. Google Scholar
  21. Ahmed Khurshid, Xuan Zou, Wenxuan Zhou, Matthew Caesar, and P Brighten Godfrey. Veriflow: Verifying network-wide invariants in real time. In 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 13), pages 15-27, 2013. Google Scholar
  22. Man Yue Mo. One day short of a full chain: Real world exploit chains explained, March 2021. URL: https://github.blog/2021-03-24-real-world-exploit-chains-explained/.
  23. John Moy. Rfc2328: Ospf version 2, 1998. Google Scholar
  24. Xuan-Nam Nguyen, Damien Saucez, Chadi Barakat, and Thierry Turletti. Officer: A general optimization framework for openflow rule allocation and endpoint policy enforcement. In 2015 IEEE Conference on Computer Communications (INFOCOM), pages 478-486. IEEE, 2015. Google Scholar
  25. Ahmed Patel, Qais Qassim, and Christopher Wills. A survey of intrusion detection and prevention systems. Information Management & Computer Security, 2010. Google Scholar
  26. Jon Postel. Internet protocol―darpa internet program protocol specification, rfc 791, 1981. Google Scholar
  27. Yakov Rekhter, Tony Li, Susan Hares, et al. A border gateway protocol 4 (bgp-4), 1994. Google Scholar
  28. Myriana Rifai, Nicolas Huin, Christelle Caillouet, Frédéric Giroire, D Lopez-Pacheco, Joanna Moulierac, and Guillaume Urvoy-Keller. Too many sdn rules? compress them with minnie. In 2015 IEEE Global Communications Conference (GLOBECOM), pages 1-7. IEEE, 2015. Google Scholar
  29. Karen Scarfone, Wayne Jansen, Miles Tracy, et al. Guide to general server security. NIST Special Publication, 800(123), 2008. Google Scholar
  30. P. Shaw. Using Constraint Programming and Local Search Methods to Solve Vehicle Routing Problems. In Proceedings of Fourth International Conference on the Principles and Practice of Constraint Programming (CP'98), pages 417-431. Springer Verlag, October 1998. Google Scholar
  31. Yan Lindsay Sun, Wei Yu, Zhu Han, and KJ Ray Liu. Information theoretic framework of trust modeling and evaluation for ad hoc networks. IEEE Journal on Selected Areas in Communications, 24(2):305-317, 2006. Google Scholar
  32. Stefano Vissicchio, Laurent Vanbever, Luca Cittadini, Geoffrey G Xie, and Olivier Bonaventure. Safe update of hybrid sdn networks. IEEE/ACM Transactions on Networking, 25(3):1649-1662, 2017. Google Scholar
  33. Artem Voronkov, Leonardo A Martucci, and Stefan Lindskog. Measuring the usability of firewall rule sets. IEEE Access, 8:27106-27121, 2020. Google Scholar
  34. John Wack, Ken Cutler, and Jamie Pole. Guidelines on firewalls and firewall policy. Technical report, BOOZ-ALLEN AND HAMILTON INC MCLEAN VA, 2002. Google Scholar
  35. Lei Wang, Qing Li, Yong Jiang, and Jianping Wu. Towards mitigating link flooding attack via incremental sdn deployment. In 2016 IEEE Symposium on Computers and Communication (ISCC), pages 397-402. IEEE, 2016. Google Scholar
  36. Wen Wang, Wenbo He, and Jinshu Su. Enhancing the effectiveness of traffic engineering in hybrid sdn. In 2017 IEEE International Conference on Communications (ICC), pages 1-6. IEEE, 2017. Google Scholar
  37. Yonghong Wang and Munindar P Singh. Formal trust model for multiagent systems. In IJCAI, volume 7, pages 1551-1556, 2007. Google Scholar
  38. Tina Wong. On the usability of firewall configuration. In Symposium on usable privacy and security, 2008. Google Scholar
  39. Avishai Wool. A quantitative study of firewall configuration errors. Computer, 37(6):62-67, 2004. Google Scholar
  40. Cai-Nicolas Ziegler and Georg Lausen. Analyzing correlation between trust and user similarity in online communities. In International Conference on Trust Management, pages 251-265. Springer, 2004. Google Scholar