2016 International Conference on Circuit, Power and Computing Technologies [ICCPCT]
Improving Security in a Virtual Network by Using
Attribute Based Encryption Algorithm
Vinil Wilson
Department of Information Technology
Toc H Institute of Science and Technology
Kochi, Kerala, India.
vinil.w75@gmail.com
Abstract— The creation of a network for an organization or a
firm can be a multifarious task especially if there a large
number of nodes, middle-boxes and security nodes to be
integrated in the network. This paper introduces the
integration of the ABE algorithm into a virtual network
security called the NETSECVISOR in order to achieve
authentication of the users involved in the network and the
confidentiality of data transmitted or received. A virtual
network redeems the administrators and network designers
from its complexity not only by reducing the number of
devices required, to a specific workstation that will take as
input the various policies pertaining to the packets to be sent
but also by including various routing rules and response
techniques for malicious attacks. The Attribute Based
Encryption (ABE) algorithm is used to improve the security
on an existing virtual network security called the
NETSECVISOR. The ABE algorithm uses attributes that are
known to the participants involved in the transmission and
reception of packets. This helps ease the process of creation
and retrieval of keys for encryption and decryption
notwithstanding the performance of security that will be
enhanced for the virtual network.
Keywords—Virtual network; network security; Software
Defined Networking; Open Flow; Attribute Based Encryption
algorithm.
I. INTRODUCTION
Security in networks is mandatory at present due to various
new improvements in the field of communication. The
security provided in the network should be efficient in all
ways. Network security mainly consists of numerous policies
to keep the entire network with guaranteed security. A critical
part in providing security for network is network management
in which it varies in kinds of situations. Network security
involves the authorization of access to data in a network,
which is typically handled by a network administrator, or
system administrator who implements the security policy,
network software and hardware that is needed to protect a
network. The resources accessed through the network from
unauthorized access have to be quarantined and thus ensure
that authorized personnel have adequate access to the network
and resources to work upon. Users can choose or assigned
978-1-5090-1277-0/16/$31.00 ©2016 IEEE
Ajeesh G. Krishnan
Asst. Prof. Department of Information Technology
Toc H Institute of Science and Technology
Kochi, Kerala, India.
ajeeshgkrishnan@tistcochin.edu.in
with an ID and password or other authenticating information
that allows them access to information and programs within
their authority.
For instance Network intrusion Detection System (NIDS)
can be deployed to monitor the attacks and also network
anomaly detection system can be used to detect the DoS
attacks. The NIDS monitors traffic and reports its results to the
administrator, but it cannot automatically take action to
prevent the detected attack. Attackers are capable of exploiting
susceptibilities very quickly once they enter the network,
rendering the NIDS an inadequate deployment for prevention
device. The most common and simple way of protecting a
network resource is by assigning it a unique name and a
corresponding password. Even the data can be encrypted and
sent to the end user for the maintenance of security in the
network. The encryption techniques can be changed based on
the data transmission in the network.
Here, Network Security Virtualization (NSV) [1] that
leverages preinstalled, static security devices and provide
dynamic, flexible, and on-demand security services to the
users. The NSV technology delivers or redirects the flow to
the defined security middle boxes (regardless of its actual
physical location) automatically and transparently and each
user need not know about the location or the number of
security devices in the network. Network virtualization will
facilitate movement of virtual servers because the virtual
network is contemplated be hidden to the physical devices.
Implementing firewall helps to address every security problem
that is no longer a supported practice in security organizations
because of the various cocktail of techniques used by the
attackers. The use of virtualization technologies comes with
many benefits such as agility, flexibility and cost efficiency.
Networking in its primeval times was complicated as it had
to consider the various devices to be connected long with the
supporting topologies followed by the numerous amount of
hardware for its connections. The practice of using a network
of remote servers hosted on the Internet to store, manage, and
process data, rather than a local server or a personal computer
has formed the basis of cloud storage by which it is
implemented.
This new enhancement provided the grounds of integrating
the concept of networking into a virtual one. Network
 2016 International Conference on Circuit, Power and Computing Technologies [ICCPCT]
Virtualization is being adopted by many vendors and
organizations to ease the complexity of connecting the various
devices that can be both wired and wireless across an area. An
organization that deploys this sort of a network has to work
seamlessly regardless of the various attacks that can be
directed towards it.
Many organizations that contain physical networks can
cause work to come to a standstill if a fault occurs in its
operations. Being a virtual network, the security policies are
defined and only the tenants with the proper security access
are given the permission to access the network.
Though the virtualization of a network provides simplicity
and ease of operations, it is followed by various controversies
in the field of its security. In a physical implementation, the
concerned sub network deals with the attack or else the
administrator will have to handle the various attacks that come
its way. In the case of virtual networking, the device will have
to handle all the attacks that arise within the network by itself.
This calls for an improvised security that is to be integrated in
the virtual network to not only detect but also contain these
malicious attacks. Since the integrity of an organization or a
protected network rests on the shoulders of its security, it is
very important to ensure that it is not compromised. This
paper hence modifies an existing prototype of a virtual
network security by upgrading its security feature. This
involves the addition of an encryption algorithm to promote
higher and better security when packets are transmitted across
a respective network.
II. LITERATURE SURVEY
The existing systems make use of network security
virtualization (NSV) that can virtualize security
resources/functions and provide security response functions
from network devices when necessary. A prototype system
called the NETSECVISOR [1] is used to demonstrate the
utility of network security virtualization. It utilizes existing
pre-installed security devices located at fixed places and
implement the software-defined networking (SDN) technology
to virtualize network security functions in them. The
NETSECVISOR contains (i) a simple script language to
register security services and policies, (ii) a set of routing
algorithms to determine optimal routing paths for different
security policies based on different needs, and (iii) a set of
security response functions/strategies to handle security
incidents. Here security can be achieved with the help of
NETSECVISOR which contains security devices registration
maintenance of security throughout the network (successful
transmission).
a. Related Works
There are a few studies that contributed to the
development of this work. CloudNaaS [4] (Cloud Networking-
as-a-Service) contributes to providing services that extend
beyond the scope of online storage alone. With the boost in
network applications and requirements in the present
organizational scenarios, there arises a need for virtual
networks and functions that support it like network isolation,
custom addressing, service differentiation and deployment of
middleboxes to provide various other functions.
Sometimes the implementation of Software Defined
Networking (SDN) is applied in a network that expands
throughout an organization or between organizations. Here,
middleboxes help in creating a link between endpoints of a
network or perform other network management tasks. The con
of deploying a middlebox in the SDN context is that the
headers of the packets and contents of the packets can by
dynamically modified by them. To overcome this flaw, the
SDN was extended using the FlowTags architecture [3]. The
idea of FlowTags is to reduce the extensions used in
middleboxes and only include the necessary contextual
information required in the form of Tags inside packet
headers. SDN switches and other downstream middleboxes
use the Tag information as part of their routing and packet
processing operations.
A network in an organization is composed of
different devices that provide the communication and
connection to substantiate the network by managing the
various traffic which flows in the form of packets and other
data. To manage the network of its complexities, a “division
of labor” between the controller and the underlying switches is
made that involves the separation between the rules (in the
switches) and policies (in the controller). The DIFANE
(DIstributed Flow Architecture for Networked Enterprises)
architecture [5], has the following two main ideas:
• The controller distributes the rules across (a subset
of) the switches, called “authority switches” to scale
to large topologies with many rules.
• The switches handle all packets in the data plane. In
order to access the appropriate rules the packets will
have to be channeled through the authority switches.
In order to run experiments on a campus network for
the purpose of researching new ideas in the networking field,
an OpenFlow [7] Switch is deployed. It reconstructs TCAM
flowtables built in router and switch components of Ethernet,
integrating the feature of similarity between operations among
dissimilar vendor flowtables. The OpenFlow Switch comes
with a table that includes flow processing instructions to the
switch, a secure channel and an OpenFlow Protocol to ensure
secure communication modes. For excellent services of the
switch, the dataflow needs to be flexible, while at the same
time withstanding ongoing modifications by research. The
general overhead of programming the switch is overcome with
the OpenFlow Switch. The OpenFlow switch can be broadly
categorized into dedicated OpenFlow switches that do not
support normal Layer 2 and Layer 3 processing, and
OpenFlow-enabled general purpose commercial Ethernet
switches and routers, to which the OpenFlow protocol and
interfaces have been added as a new feature.
In order to enable security policies within the
OpenFlow community, the network control was to be
segmented or sliced into independent virtual machines. The
 2016 International Conference on Circuit, Power and Computing Technologies [ICCPCT]
network domain that is sliced or segmented is governed by a
self-consistent OF application, whose basic rule is not to
interfere with other OF applications. In scenarios where inter-
communication between OFs is required for well-defined
security policy enforcement, the FortNOX [8] is used as an
extension to the open source NOX OpenFlow controller. A
live conflict detection engine is implemented to arbitrate all
OpenFlow rule insertion requests. This works based on a
novel algorithm called the alias set rule reduction that detects
rule contradictions (even in the presence of dynamic flow
tunneling) using set and goto actions. Rule conflicts arise
when a candidate OpenFlow rule enables or disables a
network flow that is otherwise inversely prohibited (or
allowed) by existing rules. When such conflicts are detected,
FortNOX may choose to accept or reject the new rule,
depending on whether the rule insertion requester is operating
with a higher security authorization than that of the authors of
the existing conflicting rules. FortNOX implements role-based
authentication for determining the security authorization of
each OF applications.
To extend the security levels in cloud computing, the
ABE encryption algorithm has been crafted to meet its
demands. The multi-authority attribute based encryption [6]
allows the sender to specify for each authority ‘k’ a set of
attributes monitored by that authority and a number d so that
the message can be decrypted only by a user who has at least d
of the given attributes from every authority. Any number of
attribute authorities can be made to be corrupted, and yet
guarantee the security of encryption as long as the required
attributes cannot be obtained exclusively from those
authorities and the trusted authority remains honest. An
extension has been included into the basic multi-authority
scheme that describes techniques to allow the user who
encrypts the message, to determine for each cipher text that is
to be created, how many attributes to require from each
authority.
III. PROBLEM IDENTIFICATION AND
OBJECTIVES
a. Problem Statement
In the present scenario, the middleboxes are used to improve
the performance, robustness, and security of cloud networks.
Even though they provide benefits to the network they also
contribute to the complications that exist in a network. The
situation becomes more severe when there are additional
middleboxes installed to perform as security devices (e.g.
NIDS and firewalls). They not only complicate the network
configuration/management but also have many diverse
security functions to serve different purposes. The network
administrator is burdened with the task of choosing the
reasonable security devices and to deploy them into
reasonable places. This is gruesome task as prediction of
malicious attacks to tenants and being aware of the demands
of diverse tenants in advance is sometimes not possible by the
administrator. This would mean that the installed security
devices may not be in the best locations that can best serve the
diverse security needs of diverse network users.
Hence there is an urgent need to maximize the resource
utilization of those existing pre-installed devices/boxes, as
well as abstract these security resources to provide a simple
interface for network tenants to use.
b. Objectives
• To provide security among the dynamic tenants in cloud-
like networks, by using Network Security Virtualization
(NSV) and the prototype called NETSECVISOR.
• To introduce the practice of ABE encryption algorithm for
the NSV in cloud-like networks to help all tenants easily
uses security services. .
IV. METHODOLOGY
a. Proposed System
To realize network security virtualization (NSV) with
traditional network technology can be a monolithic task
because it lacks several features, such as network wide
monitoring, network configuration, network flow control, and
response management. To address this issue, a network
technique called Software-Defined Networking (SDN) and its
most popular realization OpenFlow is used which can help us
dynamically control network flows and monitor whole
network status easily. A prototype system, NETSECVISOR
(NSV services for a cloudlike network) based on SDN is
proposed, which can utilize existing pre-installed (fixed-
location) security devices and virtualize network security
functions. At its core, NETSECVISOR contains (i) a simple
script language to register security services and policies, (ii) a
set of routing algorithms to determine optimal routing paths
for different security policies based on different needs, and
(iii) a set of security response functions/strategies to handle
security incidents.
A cloud network consisting of 10 static routers, 40 mobile
tenants and a middlebox is created. The routers and the
middle-box form wired connections and the tenants are
wireless nodes. A typical operation of NETSECVISOR works
as follows. A network administrator registers network security
devices to NETSECVISOR. After registration, cloud tenants
need to create their security requests and submit them into
NETSECVISOR. Then, NETSECVISOR parses the submitted
security requests to understand the intention of tenants and
writes the corresponding security policies to policy table.
After this generation of policies, selection process of start
node and the end node takes place. Then encrypt the packets
generated by the start node using ABE (Attribute-based
Encryption) cryptographic encryption. Next, if
NETSECVISOR receives a new flow setup request from a
network device, it checks whether this flow is matched with
any submitted policies. If it is, NETSECVISOR will create a
new routing path and corresponding flow rules for the path. At
this time, NETSECVISOR guarantees that the routing path
includes required security devices that are defined in a
matched policy (i.e., the first NSV function). After this
 2016 International Conference on Circuit, Power and Computing Technologies [ICCPCT]
operation, it enforces flow rules to each corresponding
network device to forward a network flow. If any of security
devices detects malicious connection/content from monitored
traffic, they will report this information to NETSECVISOR.
Based on the report and submitted policies, NETSECVISOR
enables a security response function to respond to malicious
flows accordingly (i.e., the second NSV function).
b. System Architecture
Fig. 1. Architecture of the NETSECVISOR using ABE Algorithm
The NETSECVISOR consists of five main modules:
(i) Device and policy manager, (ii) Routing rule generator, (iii)
Flow rule enforcer, (iv) Response manager, and (v) Data
manager.
Device and policy manager is in charge of two main functions.
First, it receives the information of security devices from a
cloud administrator, and it stores that information into a
device table in NETSECVISOR for further usage. Second, this
module also receives security requests from each network
tenant, and it translates them into security policies and stores
the policies into a policy table. Thus, this module finally
provides us with the following information: (i) locations/types
of security devices from a cloud administrator and (ii) security
policies from each tenant. It makes our system handle network
security devices easily.
Response manager receives detection results from security
devices, and it enables security response strategies that are
defined in security policies, when it is needed. For example, if
a tenant defines a security policy to drop all corresponding
packets when a threat is detected by a NIDS, the response
manager will enable drop function to discard network packets
belonging to the detected network flows on a network device.
Enabled functions will be realized as a set of network flow
rules, which are sent to routers or switches, and thus we can
leverage each network device as a kind of security device
(e.g., firewall).
Routing rule generator creates routing paths to control each
network flow. When creating routing paths, this module
investigates security polices (from each tenant) to satisfy their
requirements. For example, if a tenant defines a security
policy that specifies all network flows to port 80 should be
inspected by a NIDS attached to a router A, then this module
produces (a) routing path(s) to let all network packets heading
to port 80 pass through the router A. It helps our system assign
security requirements to each security device based on
efficiency (in terms of security resource management) and
effectiveness (in terms of finding reasonable security devices).
Flow rule enforcer enforces flow rules to each OpenFlow
router and switch. If the response manager enables response
strategies or the routing rule generator produces routing paths,
this module translates them into flow rules that could be
understood by OpenFlow routers/switches. After translation, it
sends translated rules to corresponding routers or switches.
Data manager captures network packets from routers or
switches to hold until some security devices send their
detection results to NETSECVISOR. The reason why it holds
packets is to enable some in-line style security functions as
what generic Intrusion Prevention Systems provide. This
module does not hold packets all the time, but only captures
and stores when necessary (i.e., a security policy specifies an
inline mode action for response).
c. Proposed Prototype
The proposed prototype comprises of the
collaboration of the Network Formation, Device and policy
manager, the Response manager, the various routing
algorithms, Flow enforcer, the Data Manager and the
Encryption algorithm.
The following modules are described in the further
sections below: (i) Cloud network formation
(ii) NIDS
(iii) Encryption
i. Cloud Network Formation
Being at an experimental level, we consider the
possibility of wired and wireless connections. The network
formation includes the creation of 10 static router nodes and a
Network Intrusion Detection System (NIDS). By this the
various endpoints of a network is established. Since, these are
static routers they involve a wired connection or in other
words a duplex wired link between the router nodes and the
NIDS.
Fifty tenants are created that have wireless or wired
links between them. The next step that follows is to configure
mobile IPs in the wireless network created. Since the wired
devices are assigned an IP in a network, they need not be
bothered with that complication.
 2016 International Conference on Circuit, Power and Computing Technologies [ICCPCT]
ii. NIDS (Network Intrusion Detection System)
The NIDS is the combination of the following
modules: (i) Device and Policy Manager (ii) Routing Rule
Generator (iii) Response Manager (iv) Data Manager (v) Flow
Rule Enforcer.
I. Device And Policy Manager
The device and policy manager collects information of the
security devices and stores it in a table. Our experiment
may focus on a handful of security devices but when
implemented on a real world basis, there can be more than
just a handful of security devices. For this purpose we
include the table that will store the information of these
devices. After the storage of the security devices in the
table, the NIDS will receive security requests from tenants.
These have to be parsed into security policies that which is
understood by the NIDS and is stored into a policy table.
II. Response Manager
The response manager receives detection results from the
security devices. If the detection of a certain packet is found to
be malicious, the corresponding action is taken after the
determination of the packet flowing through a passive or an
online routing path.
The passive response strategies include only the Passive
Drop/Isolate.
The in-line response strategies include:
• In-line mode Forward
• In-line mode Drop/Isolate
• In-line mode Redirect.
III. Routing Rule Generator
The routing rule generator creates routing paths to
control each network Àow. There are 4 routing algorithms that
are implemented through the routing rule generator:
• Multipath Naïve
• Shortest-through
• Multipath shortest
• Shortest In-line
a) Multipath Naïve
First, we design a simple algorithm to visit each
security node regardless of the path between a start node and
an end node. In this algorithm, NETSECVISOR first finds the
shortest path between a start node and an end node. Then,
NETSECVISOR also discovers the shortest paths between a
start node and each security node. If NETSECVISOR has all
paths, it delivers packets to all obtained paths. This approach
is based on a function of OpenFlow, which can send network
packets to multiple output ports of a router. Thus,
NETSECVISOR can send network packets to different paths
simultaneously.
b) Shortest-through
The second approach is to find the shortest path
between a start node and an end node passing through each
intermediate security node. Finding this path is more
complicated than finding the shortest path between two nodes,
because in this case, we should make sure that the found path
includes all intermediate nodes. To do this, NETSECVISOR
finds all possible connection pairs.
c) Multipath-shortest
OpenFlow supports the function of sending out
network packets to multiple outports of a router
simultaneously, and Algorithm 1 is based on this function.
However, it may not be efficient, because it can create
multiple redundant network flows. Thus, we try to propose an
enhanced version of Algorithm 1. This approach does not find
the shortest path between a start node and each security node;
instead it finds a node, which is closest to a security node and
in the shortest path between a start node and an end node. If it
finds the node, it asks this node to send packets to multiple
output ports: (i) a port, which is connected to a next node in
the shortest path, and (ii) (a) port(s), which is (are) connected
to (a) node(s) heading to (a) security node(s). Thus, network
packets are delivered through the shortest path, and they are
delivered to each security node as well.
d) Shortest In-Line
For passive monitoring devices, we can simply find a
path passing through each security node, however, in the case
that there is a security device working in-line mode, we are
required to consider both of security nodes and security links
(between two nodes). Even though a path includes two nodes
for a link, it does not guarantee that the link is used for the
path, because each node could be linked to other nodes. To
address this issue, we modify our Algorithm 2 to make sure
that it should include security links in the generated path.
Thus, this Algorithm 4 has a routine checking whether
security links are included or not.
IV. Flow Rule Enforcer
The flow rule enforcer is used to receive the response
strategies from the response manager or the routing rules from
the routing rule generator and then translate it into flow rules
that can be understood by the OpenFlow routers/switches.
Once the translation has been completed, it is sent to the
corresponding routers or switches.
V. Data Manager
In the case of response of the response manager is in
the in-line mode action, certain packets have to be held until it
is proved to be malicious or harmless. For this purpose, the
data manager is used to hold the network packets that flow
from the routers or switches until some security device sends
its detection result to the NETSECVISOR.
 2016 International Conference on Circuit, Power and Computing Technologies [ICCPCT]
iii. Encryption
Attribute-based encryption (ABE) is a relatively recent
approach that reconsiders the concept of public-key
cryptography. In traditional public-key cryptography, a
message is encrypted for a specific receiver using the
receiver’s public-key. Identity-based cryptography and in
particular identity-based encryption (IBE) changed the
traditional understanding of public-key cryptography by
allowing the public-key to be an arbitrary string, e.g., the
email address of the receiver. ABE goes one step further and
defines the identity not atomic but as a set of attributes, e.g.,
roles, and messages can be encrypted with respect to subsets
of attributes (key-policy ABE - KP-ABE) or policies defined
over a set of attributes (ciphertext-policy ABE - CP-ABE).
The key issue is that someone should only be able to decrypt a
ciphertext if the person holds a key for "matching attributes"
where user keys are always issued by some trusted party. A
particular key can decrypt a particular ciphertext only if
associated attributes and policy are matched.
The Attribute Based Encryption (ABE) algorithm can be
implemented into the cloud computing scenarios where
provision of storage and software are provided as a service.
Being a virtual network, the cloud computing storage will be
separated into two different domains, the data owner and
cloud servers. The data content that is being outsourced [2] is
not to be accessed by the cloud servers for confidentiality and
the data owner does not physically have full control over the
data resources. By storing the security policies or data on the
cloud server it will lead to the need of an encryption
mechanism to protect the security policies or data, before
being outsourced to the cloud. To deal with the potential risks
of privacy exposure, instead of letting the service providers
encrypt the tenet’s data, the sharing services should give the
tenets (users / private network administrators) full control over
the selective sharing of their own data.
V. CONCLUSION
This paper brings to light the concept of security in a
virtual network that can be further endorsed with the help of
an ABE algorithm. The virtual network operates based on the
security policies that have been input to it by its trusted
tenants, hence providing the attack of non-repudiation to be
nullified. The response manager deals with the manner in
which the necessary actions have to be taken and rules
enforced based on the routing rules that have been initiated
upon dispatch of packets. Since a network can be both
dynamic and static in nature, both these methods have been
taken into consideration. To further improve the security of
packets that travel across the designated paths in a network,
the ABE encryption algorithm is used to encrypt the packet
based on the attributes of both the users and devices involved
in the particular transaction. This concept of promoting
security with the help of an encryption algorithm along with
the aforementioned security parameters is believed to be the
quintessential method to building more secure and trusted
virtual networks within an organization.
VI. SCOPE FOR FUTURE STUDY
Despite the various methods and strategies used for the
NETSECVISOR, there is always room for further
improvement and enhancements. First, the NETSECVISOR
has an improved security enhancement by the addition of an
encryption algorithm to its packets. While this may add to
security it can sometimes lead to delays caused if there are a
large number of packets involved for encryption and
decryption. A method to reduce delay and promote speed in
operations is required. Secondly, the case scenario is tested
with less than a 100 nodes that can be both wireless and wired.
In a real case scenario, there can be a larger number of nodes
present. Better tests and studies are yet to be made to decide
on whether it will succeed in the real world scenario. Followed
by the number of nodes involved, the number of security
nodes that are also to be present in a network can vary;
followed by the number of paths to a security node, number of
devices it can handle at a time, the network traffic etc. Only
after experimenting in the real world can it be decided whether
the number of security devices has to be increased or the
processing speed of each security device has to be boosted for
higher performance. Furthermore, the performance overhead
of the NETSECVISOR is to be considered also. These are a
few modifications that have to be considered in the future.
References
[1]. Seungwon Shin, Haopei Wang, and Guofei Gu. “A First Step Towards
Network Security Virtualization: From Concept to Prototype” In Proc
of IEEE, 2015.
[2]. Muhammad Asim, Milan Petkovic and Tanya Ignatenko “Attribute-
based encryption and decryption outsourcing”. In Proceedings of the
12th Australian Information Security Management Conference,
December 2014.
[3]. Seyed Kaveh Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, and
Jeffrey C. Mogul. “Enforcing network-wide policies in the presence of
dynamic middlebox actions using flowtags.” In 11th USENIX
Symposium on Networked Systems Design and Implementation (NSDI
14), 2014.
[4]. T. Benson and et al. “Cloudnaas: a cloud networking platform for
enterprise applications.” In Proceedings of the 2nd ACM Symposium
on Cloud Computing, 2011.
[5]. Michael J. Freedman, Minlan Yu, Jennifer Rexford and Jia Wang.
“Scalable flow-based networking with DIFANE.” In In Proceedings of
ACM SIGCOMM, August 2010.
[6]. Melissa Chase “Multi-authority Attribute Based Encryption”. In TCC,
volume 4392 of LNCS, pages 515–534. Springer, 2007.
[7]. Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar,
Larry Peterson, Jennifer Rexford, Scott Shenker, and Jonathan Turner.
“OpenFlow: enabling innovation in campus networks.” In Proceedings
of ACM SIGCOMM Computer Communication Review, April 2008.
[8]. Phillip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong,
Mabry Tyson, and Guofei Gu. “A security enforcement kernel for
openflow networks.” In Proceedings of ACM SIGCOMM Workshop
on Hot Topics in Software Defined Networking (HotSDN’12), August
2012.