PII: S1084-8045(23)00182-0
DOI: https://doi.org/10.1016/j.jnca.2023.103763
Reference: YJNCA 103763
Please cite this article as: M. Alabbad, N. Mhaskar and R. Khedri, Two formal design solutions for
the generalization of network segmentation. Journal of Network and Computer Applications
(2023), doi: https://doi.org/10.1016/j.jnca.2023.103763.
This is a PDF file of an article that has undergone enhancements after acceptance, such as the
addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive
version of record. This version will undergo additional copyediting, typesetting and review before it
is published in its final form, but we are providing this version to give early visibility of the article.
Please note that, during the production process, errors may be discovered which could affect the
content, and all legal disclaimers that apply to the journal pertain.
Two Formal Design Solutions for the Generalization of Network Segmentation
1 Department of Computing and Software, McMaster University, Canada. pophlin@mcmaster.ca, khedri@mcmaster.ca
2 Cybersecurity Institute, King Abdulaziz City for Science and Technology (KACST), Riyadh, 11442, Saudi Arabia. malabbad@kacst.edu.sa
Abstract. Computer networks are getting more and more complex, with an enormous number of resources, diverse access control policies, and spanning over different platforms and geographical regions. Clearly, these networks have multiple points of entry – as we see in the sliced 5G networks. In networks with multiple entry points, shared resources are accessed via several paths through several subnetworks – thus increasing their attack surface and opening it to several vulnerabilities. Hence, a secure design of these networks poses a much greater challenge than the traditional networks with only a single entry point.
In this paper, we propose two secure design solutions for the segmentation of networks with multiple entry points. These solutions are based on mathematical formalisms for network segmentation – thus enabling automation and dynamic segmentation of these networks. Finally, we use mininet, a Software Defined Network (SDN) emulator tool, to illustrate the usage of the proposed algorithms to configure and govern networks within three typical SDN architectures.
1 Introduction
the outer world. However, with the advent of modern network architectures such as Software Defined Network (SDN), cloud computing, and Internet of Things (IoT), and with the increasing sizes of networks, spanning over multiple geographical locations, there is an increasing demand for multiple entry points to the network.
⋆ Corresponding author
Many of the recent security breaches have been related to IT departments failing to articulate and deploy adequate access control policies to govern access to their network resources. Very often, improper levels of access control and lax or nonexistent enforcement policies were identified. Simple and seemingly innocuous mistakes or omissions in articulating access control policies create unintentional pathways to resources, which intruders exploit. Despite the use of advanced platforms (mostly based on heuristics) to design secure networks by vendors such as Cisco, Aruba and HPE, along with third-party solutions, it remains quite challenging for network practitioners to articulate access control policies for all the network firewalls, even for a small network. These problems only worsen for large networks with hundreds of firewalls [31].
To build a secure network and address security issues, network practitioners use the network segmentation [20] or compartmentalization [29], and Defence in Depth (DD) [28] (also known as layered protection) strategies.
Network segmentation is a strategy in which the set of resources forming the network is divided into clusters or groups of resources having similar security requirements. It aims to place resources having different security levels/requirements in different clusters which are protected by firewalls implementing appropriate policies. Thus, when implemented properly, it reduces the attack surface available to an intruder and thwarts the propagation of failures and errors in the network. The importance of network segmentation to cybersecurity is highlighted in the executive order of the USA President that was issued on May 12, 2021 [25, Page 26639, Item (i)]. The presidential document requires the leaders of the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of Management and Budget (OMB) to publish guidance outlining security measures for network segmentation and proper configuration. It highlights the fact that improper network segmentation leads to a significant threat to national security that must be urgently tackled.
that supports multi-services and multi-tenants [3]. Hence, network slicing, for the purpose of isolating resources, decomposes a network based on criteria such as shared resources, storage, security requirements, or bandwidth. Figure 1 illustrates a couple of scenarios for network slicing.
[Fig. 1 (image not reproduced in this extraction): network slicing scenarios with entry points e1 and e2.]
Recently and with network slicing, the 5G of cellular networks aims to provide differentiated services, such as voice communication or video streaming, by sharing among different providers the same infrastructure. Therefore, a 5G network needs to adapt to the existing network infrastructures contributed by
chitecture [7, 17] where each user has its own data/resources isolated from other users. Yet they still can use shared resources made available by the cloud provider, such as a database consolidating data from multiple databases into one database on one computer. Tenants can also be accessing their assigned tenant domains from different entry points to the multi-tenant environment. For instance, tenants having their resources primarily use only one runtime environment (e.g., Google Kubernetes Engine (GKE) cluster) can use a single entry point, while the ones using many runtime environments can use multiple entry points.
Although network segmentation is an invaluable strategy, the literature on it is not very rich, having only a handful of publications [2, 21, 32–34]. Moreover, as far as we know, there is an absence of literature on the segmentation of networks with multiple entry points.
However, several results on network slicing [6] exist. Yuki et al. in [22] propose an automated approach for network slicing for providing microservices. Kwan et al. in [18] present a solution for dynamic network slicing. Guan et al. in [10] propose mathematical models to generate network slicing requests which are then mapped to the network infrastructure. In [7], we find a network slicing framework for multi-tenant 5G IoT networks.
Furthermore, in [26], the authors describe the use of the 5G NORMA approach to achieve resource sharing in a 5G multi-tenant architecture. In [5], the authors present an approach to slice a Radio Access Network (RAN) for a multi-tenant architecture. In this approach, a dynamic resource allocation is considered among tenants based on a weighted proportionally fair objective. In [35], a paradigm is introduced that leverages network slicing to enable third parties to rent facilities. A solution named M2 EC is used to allocate resources for tenants in compliance with their service level agreements in a multi-tenant system.
More recently, in [2, 21] the authors present a formal approach to network segmentation that is based on the formalisms of Product Family Algebra (PFA) and Guarded Commands. Their approach is fully automated and generates the best possible segmentation from an access-control perspective. However, their solution is limited to a single entry point network.
A network with multiple entry points provides many possibilities and flexibility. However, designing such networks presents enormous security challenges – for instance, an increased attack surface for its resources. Furthermore, the problems listed in Section 1 for large single entry point networks increase significantly for networks with multiple entry points. Although in recent years extensive research has been done on various classes of networks (see Section 1) which are instances of networks with multiple entry points, the research on effective and security enhancing segmentation of networks with multiple entry points, as far as we know, does not exist.
With the increasing need for and use of networks with multiple entry points, it is now more than ever critical to have robust and secure design solutions for these networks. In this paper, we study this generalization of networks, and propose secure and efficient design solutions for them. In particular, we use the formalism for network segmentation introduced in [21] in conjunction with the DD [16] strategy, to propose design solutions to segment networks with multiple entry points and in the process generate robust and secure network design solutions.
These design solutions are captured in two algorithms that are remarkably simple and easy to implement. We prove the correctness of these solutions (in Theorems 1 and 2) and present their complexity analysis (in Theorems 3 and 4). Since these solutions are based on mathematical formalisms for network segmentation, they can easily be automated without requiring any human intervention. Therefore, they can naturally be applied to dynamic networks with multiple entry points; for each change to the network topology, the proposed algorithms can be used efficiently to automatically redesign the network. To highlight this, we demonstrate the automation of the proposed solutions on three different SDN architectures.
2 Illustrative Example
and Simple Mail Transfer Protocol (SMTP) protocols from the internet. Moreover, they allow access for all internal resources within the branch and block everything else. The File server is intended to be accessed by only internal resources within branch A. The HR workstations allow access to each other only, and the same applies to the finance workstations. Branch B consists of the same resources and requirements except that it does not have a File server (see Section A.2 for the policies of resources in Branch B). Moreover, the organization has two HR servers that are accessed only by HR workstations in both branches. It also has two finance servers that allow access to only finance workstations in both branches (see Section A.3 for the policies of the shared resources in Branches A and B). The requirement is to structure the network of the organization and to have an entry point for each of its branches A and B. If we seek a network topology with a separate segment for shared resources (Finance and HR servers), Figure 2 gives a possible solution.
[Fig. 2 (image not reproduced in this extraction): the MEP2 topology, with two Internet entry points, firewalls Fw 1 to Fw 14, the resources of branches A and B (addresses 10.0.1.x to 10.0.7.x) and the shared Finance and HR servers (10.0.8.x, 10.0.9.x).]
Fig. 2: Output of the Multiple Entry Point Networks 2 Algorithm for the illustrative example setup.
3 Mathematical Background
To formalize network segmentation, we use the theory of PFA, which treats policies as a family of related products (in this case sets of policies), and the theory of Guarded Commands, which is used to specify access policies. Below we briefly present these formalisms and their usage in our context. For more details, we
to their successor states, and a set of states that do not lead to failure. For a set Σ of states, a command over Σ is a pair (R, P), where R ⊆ Σ × Σ is a transition relation, and P is a subset of Σ that is intended to characterize those states from which the command cannot lead to abortion/failure. The command abort is a command that offers no transition and does not guarantee the absence of abortion/failure for any state; it is defined as $\mathit{abort} \stackrel{\text{def}}{=} (\emptyset, \emptyset)$.
For a command (R, P) and a set of states Q ⊆ Σ, the guarded command $Q \longrightarrow (R, P)$ (where Q is called the guard) is defined as $Q \longrightarrow (R, P) \stackrel{\text{def}}{=} (Q \downarrow R,\ \overline{Q} \cup P)$, where $Q \downarrow R$ is the restriction of R to Q, defined as $Q \downarrow R \stackrel{\text{def}}{=} R \cap (Q \times \Sigma)$, and $\overline{Q}$ is the complement of Q w.r.t. Σ. The state is changed according to the transition relation, and the guard ensures the satisfaction of the condition before changing the state of the system.
For further information on guarded commands, we refer the reader to [14, 23]. In [21], the reader will find further discussion on the usage of guarded commands in verifying the consistency among policies using the notion of demonic meet of relations, which is the dual of the above introduced demonic join.
Within the structure of PFA, we have a divisibility relation among families $(a \mid b) \iff (\exists\, c \mid \cdot\; b = a \cdot c)$‡, which allows us to find divisors of families. Therefore, one can define a notion of Greatest Common Divisor (GCD), which is the common divisor that is divided by all other common divisors. Hence, the following property holds: $\gcd(a, b) = d$ such that the following condition is satisfied, $[(d \mid a) \wedge (d \mid b) \wedge ((\forall\, c \mid \cdot\; (c \mid a) \wedge (c \mid b)) \implies (c \mid d))]$.
Let IP be a set of policies. An element of the power set $\mathcal{P}(IP)$ is a family of policies. The commutative idempotent structure $F = (\mathcal{P}(IP), \oplus, \odot, 0_F, 1_F)$ is presented as a model for PFA (i.e., a product family algebra) in [16]. Hence, ⊕ is the union of families of policies and represents the choice among the families given as arguments, and ⊙ is an extended notion of the demonic join, presented previously, to the families of policies, and it represents the composition/integration of policies within families. The constant $0_F$ can be interpreted as an "unexecutable" policy, and $1_F$ is a policy family that imposes no constraints on the traffic (i.e., enforces nothing). Hence $0_F$ is the annihilator element, and $1_F$ is the neutral element for the ⊙ operator.
On a product family, $\preceq_F$ denotes the natural order that comes with the semiring structure for F. It is defined as $a \preceq_F b \stackrel{\text{def}}{\iff} a \oplus b = b$ and it indicates that the family a is a subfamily of family b. Then the notion of family refinement of the elements of F is defined as follows: $a \sqsubseteq_F b \stackrel{\text{def}}{\iff} (\exists\, c \mid \cdot\; a \preceq_F b \odot c)$. We note that $1_F$ is refined by any family of policies. The GCD defined under PFA is equivalent to the demonic join of the families of policies and can be restated as follows: $(\forall\, A, B \mid A, B \in \mathcal{P}(IP) \cdot \gcd(A, B) \stackrel{\text{def}}{=} \{a \sqcup_{IP} b \mid a \in A \wedge b \in B\})$. For more details on the use of PFA to specify access control policies, we refer the reader to [16].
A network with one entry point r can be represented as a directed acyclic graph. The leaves represent the resources and the internal vertices represent firewalls. Let $G \stackrel{\text{def}}{=} (V, E, r)$ be a rooted connected directed acyclic graph that represents a resource network. The set V denotes the set of vertices or access control points that enforce access policies (i.e., firewalls and resources). The set E is a set of ordered pairs of vertices that represent the links between access control points. The vertex r is the root/entry point of the graph and it represents the access point between the network and the external world.
In the above, we considered networks with a single entry point r. A network with several entry points can be represented in a similar way as above [1]. Instead
vertices, and E is the set of edges. For every r ∈ I, we can derive a network graph $G_r \stackrel{\text{def}}{=} (V_r, E_r, r)$ from G as follows:
– $V_r = \{v \mid (r, v) \in E^*\} = \{v \mid v \text{ is reachable from } r\}$, where $E^*$ is the reflexive transitive closure of E.
– $E_r = (V_r \times V_r) \cap E$ is the set of edges in G belonging to paths starting at r.
With the above formulation of a network with several entry points, a network G = (V, E, I) can be decomposed into several networks with a single entry point each. For example, the network shown in Figure 3a can be decomposed into the networks in Figures 3b and 3c. The Multiple Entry Points Network 1 (MEP1) and Multiple Entry Points Network 2 (MEP2) algorithms, presented in Section 5, use this fact to reason on a network with several entry points by reducing it into several networks with only one entry point each.
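The decomposition above, implemented in Python as an added example (not code from the paper or its authors): a small constructed graph with two entry points is split into G_e1 and G_e2 by computing V_r as the reachability closure and E_r as the edges induced on V_r. It also lists the resources that lie in more than one G_r, the shared resources whose several access paths the paper identifies as the extra attack surface of multi-entry networks; the graph and the helper names are the example's own.

```python
from collections import deque

# Constructed example, not the graph of the paper's Figure 3: two entry points
# e1 and e2, firewalls v1..v3, and leaf resources v4..v10.
ENTRY_POINTS = {"e1", "e2"}
EDGES = {
    ("e1", "v1"), ("e1", "v2"), ("e2", "v2"), ("e2", "v3"),
    ("v1", "v4"), ("v1", "v5"), ("v2", "v6"), ("v2", "v7"),
    ("v3", "v8"), ("v3", "v9"), ("v3", "v10"),
}


def successors(edges):
    """Adjacency map u -> set of v with (u, v) in E."""
    succ = {}
    for u, v in edges:
        succ.setdefault(u, set()).add(v)
    return succ


def reachable(edges, root):
    """V_r = {v | (r, v) in E*}; E* is reflexive, so root itself is included."""
    succ = successors(edges)
    seen, queue = {root}, deque([root])
    while queue:
        u = queue.popleft()
        for v in succ.get(u, ()):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def derive_subnetwork(edges, root):
    """G_r = (V_r, E_r, r) with E_r = (V_r x V_r) ∩ E: the edges on paths from r."""
    v_r = reachable(edges, root)
    e_r = {(u, v) for (u, v) in edges if u in v_r and v in v_r}
    return v_r, e_r


def decompose(edges, entry_points):
    """Split a multi-entry network G = (V, E, I) into one single-entry graph per r in I."""
    return {r: derive_subnetwork(edges, r) for r in sorted(entry_points)}


def leaves(edges):
    """Resources are the vertices with no outgoing edge."""
    vertices = {x for e in edges for x in e}
    return vertices - {u for u, _ in edges}


def shared_resources(edges, entry_points):
    """Resources reachable from more than one entry point, mapped to those entry
    points. These are the resources exposed through several paths and several
    subnetworks, i.e. the ones whose protection the MEP algorithms must reconcile."""
    res = leaves(edges)
    shared = {}
    for r, (v_r, _) in decompose(edges, entry_points).items():
        for v in v_r & res:
            shared.setdefault(v, set()).add(r)
    return {v: eps for v, eps in shared.items() if len(eps) > 1}


def covers_whole_graph(edges, entry_points):
    """Sanity check: the union of all E_r must equal E, otherwise some link is on
    no path from any entry point and the decomposition would silently drop it."""
    union = set()
    for _, e_r in decompose(edges, entry_points).values():
        union |= e_r
    return union == set(edges)


if __name__ == "__main__":
    for r, (v_r, e_r) in decompose(EDGES, ENTRY_POINTS).items():
        print(r, "->", sorted(v_r), f"({len(e_r)} edges)")
    print("shared resources:", shared_resources(EDGES, ENTRY_POINTS))
```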
[Fig. 3 (image not reproduced in this extraction): (a) a graph on vertices v1 to v10 with entry points e1 and e2; (b) and (c) the two derived single-entry graphs.]
Fig. 3: Decomposition of a graph G with two entry points e1 and e2 into two graphs Ge1 and Ge2 with a single entry point each
successive nodes are equal. This allows us to ensure that firewalls with exactly the same policies do not exist in any path from the root to a leaf node.
In [16] a scheme is presented to generate the family of policies of the internal nodes such that the network implements the DD strategy. The scheme uses the gcd operator such that the following property holds: $p(v) = (\gcd\, v_i \mid (v, v_i) \in E \cdot p(v_i))$∓. In other words, the policy p(v) at node v is the gcd of all the policies of the immediate children of v.
We now state the formal definition of network segmentation based on the weights (given in Appendix B.1) of the commonalities among the policies of the resources in a segment, as presented in [21].
Definition 1 (Segment). Let R be a set of resources. A set S ⊆ R is said to be a segment of R iff
of the commonalities it shares with any other resource not in the segment. As a result, this segmentation provides maximum access protection to its resources.
Superfluous Firewall Chaining exists in a network when a firewall has only a single firewall attached to it. Such chaining of firewalls is a waste of network resources. Therefore, a good network design should aim at removing these superfluous firewalls.
1. G satisfies the SDD strategy in every path from the root to the parent of a resource,
2. G has a segmentation as defined in Definition 2, and
3. G has no superfluous firewall chaining.
The first criterion for a robust network ensures that any two internal nodes strictly refine each other. However, it allows a leaf node and its parent to have the same policy. This can be seen when resources have the 1F policy and, as a result, the firewall protecting them, that is, the root, will also have the 1F policy. The second criterion ensures that resources are segmented in a way such that maximum access protection is provided to them. These segments are then placed in the network at varying depths depending on their levels of security requirements. Segments with high levels of security requirements are placed deep down in the network and protected by layers of firewalls, each adding an extra level of security. The segments with low levels of security are placed closer to the root, that is, the outer firewall. Therefore, traffic coming from the internet to an internal segment is faced by layers of firewalls, and traffic from segment to segment is managed by internal firewalls. Consequently, segments consisting of resources with high levels of security requirements are protected from internal and external threats. Furthermore, if an unauthorized agent gains access to an internal segment, it will not be able to easily gain access to another segment. Finally, the third criterion ensures that we have the most effective strict defence in depth and segmentation at a minimum cost.
5 Network with Multiple Entry Points
In this section we present two solutions, which take n > 1 sets of resources Q1, Q2, ..., Qn as input, and generate a secure and robust network graph with entry points e1, e2, ..., en, such that the i-th entry point ei protects the i-th set of resources Qi, 1 ≤ i ≤ n. While designing networks with multiple entry points, the intersection of the sets of resources can be dealt with in two ways, as presented in Sections 5.1 and 5.2 by the MEP1 and MEP2 algorithms [1], respectively. Both algorithms use the Robust Network and Segmentation Algorithm (RNS) (see Appendix B.2) as a sub-procedure.
The MEP1 algorithm generates a network design cumulatively (starting with the resources in Q1) without separating common resources to form their own segments. For example, for the following sets of resources Q1 = {r1, r2, r3}, Q2 = {r2, r4, r5}, the MEP1 algorithm first generates a segment for resources in Q1 with entry point e1. Then, it generates another segment for resources in Q2 with entry point e2, such that the two segments overlap and the overlap contains only
The MEP2 algorithm generates five segments s1, s2, ..., s5 consisting of resource sets {r1}, {r2}, {r3}, {r4}, {r5, r6}, respectively. Then the entry point e1 connects to segments s1, s4, s5; e2 connects to segments s2, s4, s5; and e3 connects to segments s3, s4.
5.1 Multiple Entry Points 1 (MEP1) Algorithm
The MEP1 algorithm [1] takes resource sets Q1, Q2, ..., Qn, where n > 1 and Qi ≠ Qj for all i, j ∈ [1..n] with i ≠ j, as input to build a network graph with entry points e1, e2, ..., en, respectively. The outline of the algorithm is as follows:
– On input Q1, Q2, ..., Qn, the MEP1 algorithm first generates a network graph for resources in Q1 using the RNS algorithm.
– Then it loops through resource sets Q2, ..., Qn one at a time. At the i-th iteration, the algorithm generates the network graph for resources in Qi
    return G
end function
Proof. The graphs G1, G2, ..., Gn are constructed using the RNS algorithm, and
[Fig. 4 (image not reproduced in this extraction): the MEP1 topology, with two Internet entry points, firewalls Fw 1 to Fw 17, the branch A and branch B resources (addresses 10.0.2.x to 10.0.7.x) and the shared HR and Finance servers (10.0.8.x, 10.0.9.x).]
Fig. 4: Network Topology generated after implementing the MEP1 algorithm for the illustrative example.
Theorem 2. Let |Q1| = ℓ1, |Q2| = ℓ2, ..., |Qn| = ℓn. Then, the running time of MEP1 is $O(\ell_1^2 + \ell_2^2 + \dots + \ell_n^2)$.
Proof. The MEP1 algorithm initially begins with an empty graph G = ∅. Then for each Qi where 1 ≤ i ≤ n, starting with i = 1, it computes the subnetwork
The MEP2 algorithm [1] builds a robust and secure network graph with entry points e1, e2, ..., en, given the sets of resources Q1, Q2, ..., Qn. The network graph generated by the MEP2 algorithm does not have any overlapping subnetworks; that is, the sets of resources in all subnetworks are disjoint. The outline of the algorithm is as follows:
– Given an input of sets of resources Q1, Q2, ..., Qn = Input_Set, the MEP2 algorithm first adds all the entry points e1, e2, ..., en protecting resources Q1, Q2, ..., Qn to G, using the Add_entry_points function.
– For each set Qi, 1 ≤ i ≤ n, the Add_entry_points function creates an entry point ei, and sets its policy equal to the gcd of the resource policies in Qi. The other gcd object parameters for ei are set accordingly, and can be seen in the Add_entry_points function.
– Then it generates the set Inter_Set, which is a collection of disjoint sets, obtained from the powerset of the set R = Q1 ∪ Q2 ∪ ... ∪ Qn (P(R)) as follows:
  • Let Pd be the list consisting of all the sets in the powerset (P(R)), in a non-increasing order of their sizes, such that the sets with the same cardinality are placed together.
  • For each set s ∈ Pd, starting from the largest set, remove each resource r contained in the sets of resources in s from all sets in Pd − s; that is, for all s′ ∈ Pd − s, s′ = s′ − s.
  • For each s ∈ Pd, where s = {Qi1, Qi2, ..., Qik}, 1 ≤ k ≤ n, Qi1 ∩ Qi2 ∩ ... ∩ Qik is added to Inter_Set if and only if Qi1 ∩ Qi2 ∩ ... ∩ Qik ≠ ∅. This step is to identify the resources that are going to form individual segments of shared resources.
– For each s ∈ Inter_Set, the MEP2 algorithm computes the robust network graph Gs for s using the RNS algorithm, and adds it to G using the Concatenate function.
– The Concatenate function takes the graphs G and Gs as inputs. It loops through every entry point ei, 1 ≤ i ≤ n, and adds an edge from ei to rs only if the policy of rs refines the policy of ei and rs.set ⊂ ei.set. If the policies of rs and ei are equal and rs.set ⊆ ei.set, then it deletes the root rs and all its outgoing edges and attaches its children to ei.
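The Inter_Set construction, as an added Python example (not the authors' implementation), applied to the sets Q1 = {r1, r2, r3}, Q2 = {r2, r4, r5} from the start of Section 5. It enumerates subsets of the family {Q1, ..., Qn} largest first, as the step s = {Qi1, ..., Qik} reads, and records for each resulting disjoint segment the entry points that share it, which is what the Concatenate step needs; the function names and the second, three-set input are the example's own.

```python
from itertools import combinations

# Constructed input taken from the paper's MEP1 illustration in Section 5.
Q_SETS = {
    "Q1": {"r1", "r2", "r3"},
    "Q2": {"r2", "r4", "r5"},
}


def index_subsets_by_size(names):
    """P_d: every non-empty subset of the family {Q1..Qn}, largest first, with
    subsets of equal cardinality grouped together."""
    names = sorted(names)
    for k in range(len(names), 0, -1):
        for combo in combinations(names, k):
            yield frozenset(combo)


def inter_sets(q_sets):
    """Return {segment (frozenset of resources): names of the Q_i sharing it}.

    Walking P_d from the largest subset s down, the intersection of the Q_i in s
    is taken and its resources are withdrawn from every smaller subset (the
    "s' = s' - s" step), so each resource lands in exactly one segment: the one
    for the full set of entry points that need it. Empty intersections are skipped.
    """
    assigned = set()
    segments = {}
    for s in index_subsets_by_size(q_sets):
        common = set.intersection(*(q_sets[name] for name in s)) - assigned
        if common:
            segments[frozenset(common)] = set(s)
            assigned |= common
    return segments


def check_partition(q_sets, segments):
    """Property MEP2 relies on: segments are pairwise disjoint and together cover
    R = Q1 ∪ ... ∪ Qn, so no resource ends up inside two subnetworks."""
    all_resources = set().union(*q_sets.values())
    seen = set()
    for seg in segments:
        if seg & seen:
            return False
        seen |= seg
    return seen == all_resources


def entry_point_load(segments):
    """How many segments each entry point must be attached to by Concatenate."""
    load = {}
    for eps in segments.values():
        for name in eps:
            load[name] = load.get(name, 0) + 1
    return load


if __name__ == "__main__":
    segs = inter_sets(Q_SETS)
    for seg, eps in segs.items():
        print(sorted(seg), "shared by", sorted(eps))
    print("valid partition:", check_partition(Q_SETS, segs))
```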
    return G
end function
function Add_entry_points(G, Set)
    for each Qi ∈ Set do
        Create node ei
        ei.p ← GCD(Qi)                          ▷ GCD of all resources in Qi
        ei.weight ← weight of ei.p
        ei.set ← Qi
        ei.size ← |ei.set|; ei.is_resource ← false
        V ← V ∪ {ei}; I ← I ∪ {ei}
    end for
    return G
end function

function Concatenate(G, Gs)
    for each ei ∈ I do
        if rs.p ⊏ ei.p ∧ rs.set ⊂ ei.set then   ▷ rs is the root of Gs
            E ← E ∪ {(ei, rs)}
        end if
        if rs.p = ei.p ∧ rs.set ⊆ ei.set then    ▷ same policy: drop rs, re-parent its children
            for each child c of rs do
                E ← E − {(rs, c)}
                E ← E ∪ {(ei, c)}
                c.π ← (c.π − {rs}) ∪ {ei}
            end for
            V ← V − {rs}
        end if
    end for
    return G
end function
Proof. The MEP2 algorithm creates all the entry points e1, e2, ..., en and adds them to G. At this point G consists of n disconnected vertices (entry points), and is robust. Then, the algorithm uses the RNS algorithm to build a subnetwork graph for each of the disjoint sets in Inter_Set. By Theorem 5, all these sub-graphs are robust network graphs. Further, when a subnetwork Gi, where 1 ≤ i < 2^n, is added to G using the Concatenate function, an edge is added between its root ri and an entry point ej, where 1 ≤ j ≤ n, only if the policy at ej is refined by the policy at ri and ri.set ⊂ ej.set. If both the policies at ej and ri are the same and ri.set ⊆ ej.set, then the root ri is removed from G along with its outgoing edges, and all its children are attached to ej. Thus, in both these cases the policy at each child node of ej refines the policy at ej. Therefore the resulting graph G, obtained after execution of the MEP2 algorithm, is a robust network graph.
Proof. The running time of the MEP2 algorithm is dominated by the time required to compute the power set (P(R)) of the set of resources R. Computing the powerset of R requires exponential time; that is, $O(2^{|R|})$ time. Then, each iteration of the for loop computes the secure and robust subnetwork graph Gs for an s ∈ P(R) using the RNS algorithm. Since |s| ≤ ℓ, by Theorem 6, this step requires at most $O(\ell^2)$ time. Then concatenating Gs with G implies adding Es to E, merging Vs into V, and either adding the root rs to an existing entry point e as its child or adding all its children to e instead. All these operations require at most $O(\ell_i^2)$ time. Therefore, the total running time of the MEP2 algorithm is $O(\ell^2 \times 2^{|R|})$.
In contrast to MEP1, MEP2 creates a network design with individual segments for shared resources, such that the sets of resources in the segments are disjoint – thus resulting in a smaller attack surface that is limited to the concerned segment.
6 SDN implementation
SDN is a network architecture proposed to improve network packet analysis and security functions. In recent years, SDNs have been proposed for dynamic networks due to the flexibility they present in controlling the access to a network based on the state of specific nodes or resources in the network. However, efficient segmentation models or segmentation approaches remain a major issue that needs to be overcome in order to get the full potential of SDNs.
In this section, we present the implementations of the MEP1 and MEP2 algorithms in the SDN environment to demonstrate efficient segmentation of networks with multiple entry points [1]. The algorithms MEP1 and MEP2 can be used to reconfigure the network as needed in a dynamic environment. They can be used to re-calculate the topology each time resources are added to or removed from the network. They are also about managing the access policies, as they calculate the access policies of the network firewalls for each new topology. Therefore, in SDNs they have the role of dynamic configuration and governance of the network.
In [2], a new plane called the Dynamic Configuration and Governance (DCG) plane was proposed for the SDN architecture. The DCG plane separates the governance and the dynamic configuration of the network from the control plane. The obtained architecture for SDNs with its planes is illustrated in Figure 5a. The DCG plane has two interfaces, one with the control plane and another with the data plane. The data plane interface is used to structure or restructure the data plane topology. The control plane interface is used to send policies to the architecture
[Fig. 5 (image not reproduced in this extraction): (a) the SDN architecture with the Application Plane (Applications, Resource Policies), Northbound API, Segmentation Modules, Southbound API and Data Plane (Switches, Server, Host); (b) the segmentation modules, whose outputs are the Firewall Policies and a Topology File.]
given in Figure 5b. Each module takes as input sets of policies of resources that need to be accessed from their respective given entry points. For instance, if we need n entry points, we need to input the n sets of policies of the resources, such that the i-th entry point governs the i-th set. Each of the modules generates a topology of the data plane along with the policies to be enforced at each switch. They also generate a single policy that combines the policies of the switches to be used by the single firewall.
In [2], the authors proposed three different architectures for implementing
[Fig. 6 (image not reproduced in this extraction): Ryu SDN Framework with the Dynamic Config. & Gov. Plane (Seg Module, Firewall Policy), a single FW next to the Controller, Topology File, Southbound API, and Mininet (Switch, Switch, Server, Host).]
Fig. 6: Architecture 1 uses a single stateful firewall at the control plane
[Fig. 7 (image not reproduced in this extraction; its caption is missing from the extracted text): Dynamic Config. & Gov. Plane producing FW1 Policy and FW2 Policy, Controller with FW1, Topology File, Southbound API, and Mininet (Switch1, Switch2, Server, Host).]
In the operation phase, when the Architecture 1 data plane switches receive a packet with no entry in their flow table to handle it, they forward the packet to the firewall at the control plane. The firewall checks the state of the communication and the policy to determine the action to be taken by the switch. If the packet is denied by the policy or the communication is established, the firewall instructs the switch to insert a flow entry to handle future traffic. The
[Fig. 8 (image not reproduced in this extraction): Ryu SDN Framework with the Dynamic Config. & Gov. Plane, Controller, Topology File, Southbound API, and Mininet (Switch1, Switch2, Server, Host).]
Fig. 8: Architecture 3: data plane switches are transformed into stateful firewalls
ever, for a dynamic network where resources and policies change frequently, and therefore the topology needs to be updated frequently, Architecture 2 is most suitable. Since these architectures are related to network setup procedures and the way packets are exchanged between the switches and the controller, they are not affected by the algorithms used in the DCG plane.
The implementation environment consists of the SDN emulator tool mininet, which is used to create the data plane resources and switches. We also used the BEBA controller, which is based on the Ryu OpenFlow Controller. We have implemented the MEP1 and MEP2 algorithms in all three architectures. In all cases, after the setup of the environment, we performed a reachability test to confirm the enforcement of the correct policies, as shown in Figure 9. The three architectures using the MEP1 and MEP2 algorithms show the expected reachability results: the policies are enforced correctly. The reachability test is carried out using the command pingall, where every host tries to ping every other host in the data plane. In Figure 9, the first line of the system response to the pingall command starts with filea2, which is the name of the resource initiating the ping request. Then we have the arrow -> followed by the resource names such as filea1, weba, and emaila, indicating a successful communication of filea2 with these resources. An x indicates that the initiating resource is failing to access the target resource.
Jou
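Reading pingall output by eye, as done for Figure 9, does not scale to a topology with dozens of resources, and an X in the output does not name the host that failed. The Python script below is an added example, not part of the paper or of Mininet: it rebuilds the full reachability matrix from a pingall transcript (recovering each X's target positionally, since Mininet pings the hosts in the order it lists them) and diffs it against the reachability the policies are meant to allow. The transcript, host names and allow-list are constructed; fin1 stands in for a finance server that should be isolated.

```python
"""Added example (not the paper's code): turn Mininet pingall output into a
reachability matrix and check it against the intended segmentation. The
transcript, host names and allow-list are constructed for illustration."""
import re
from typing import Dict, List, Set, Tuple

# Constructed transcript in Mininet's pingall format: for each source host, one
# token per other host in host order, the target's name on success or X on failure.
PINGALL_OUTPUT = """\
*** Ping: testing ping reachability
filea2 -> filea1 weba emaila X
filea1 -> filea2 weba emaila X
weba -> X X emaila X
emaila -> X X weba X
fin1 -> X X weba X
*** Results: 55% dropped (9/20 received)
"""

# Constructed allow-list: (source, target) pairs the segmentation should permit.
# fin1 is meant to be unreachable from, and unable to reach, every other host.
ALLOWED: Set[Tuple[str, str]] = {
    ("filea2", "filea1"), ("filea2", "weba"), ("filea2", "emaila"),
    ("filea1", "filea2"), ("filea1", "weba"), ("filea1", "emaila"),
    ("weba", "emaila"), ("emaila", "weba"),
}

RESULT_LINE = re.compile(r"^(\S+) -> (.*)$")


def reachability_matrix(text: str) -> Dict[str, Dict[str, bool]]:
    """Parse pingall output into matrix[src][dst] = reached.

    An X token does not name its target, so targets are recovered positionally:
    the host order is the order of the source hosts, with the source skipped."""
    rows: List[Tuple[str, List[str]]] = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).split()))
    hosts = [src for src, _ in rows]
    matrix: Dict[str, Dict[str, bool]] = {}
    for src, tokens in rows:
        targets = [h for h in hosts if h != src]
        if len(tokens) != len(targets):
            raise ValueError(f"malformed pingall line for {src}: {tokens}")
        for dst, tok in zip(targets, tokens):
            if tok != "X" and tok != dst:
                raise ValueError(f"host order mismatch: expected {dst}, saw {tok}")
        matrix[src] = {dst: tok != "X" for dst, tok in zip(targets, tokens)}
    return matrix


def check_policy(matrix: Dict[str, Dict[str, bool]],
                 allowed: Set[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Compare observed reachability with the allow-list.

    'unexpected' pairs are reachable but not allowed (a segmentation hole);
    'missing' pairs are allowed but unreachable (an over-restrictive policy)."""
    unexpected = sorted((s, d) for s in matrix for d, ok in matrix[s].items()
                        if ok and (s, d) not in allowed)
    missing = sorted((s, d) for (s, d) in allowed
                     if not matrix.get(s, {}).get(d, False))
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    report = check_policy(reachability_matrix(PINGALL_OUTPUT), ALLOWED)
    for kind, pairs in report.items():
        print(kind, pairs)
```

Note that pingall only exercises ICMP echo; a policy that admits TCP port 80 but not ping (as the web server policy in Appendix A.2 does for hosts outside the listed subnets) will show as unreachable here even though HTTP would succeed, so a port-level check is still needed for service reachability.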
[Fig. 9 (pingall output; image not recovered)]
Fig. 9: Reachability Test of Data Plane Resources

7 Discussion

We presented the MEP1 and MEP2 algorithms to design a network with multiple entry points. Each of the algorithms presents a design solution. In the following, we review the strengths and the weaknesses of the network topology generated by each algorithm. The MEP1 algorithm generates a network that provides deep layered protection to all its resources. However, the enhanced security offered by the topology given by the MEP1 algorithm induces a higher implementation cost (more firewalls). For example, in Figure 4, which illustrates the network topology generated by the MEP1 algorithm, the resource Finance server1 (10.0.8.1) is protected by four firewalls on each path from either of the two entry points, while in the topology given by the MEP2 algorithm and illustrated by Figure 2, the same resource is protected by only three firewalls.
Further, the network generated by the MEP1 algorithm has edges going from a firewall in one subnetwork to resources in other subnetworks, which could potentially increase the attack surface of the network. For instance, in Figure 4, firewall FW17, which is part of the subnetwork of Branch B, is connected to the resource Finance server1, which belongs to the subnetwork of Branch A. This could increase the attack surface exposed to an internal intruder: through Finance server1 it can reach both subnetworks. On the other hand, in the topology generated by the MEP2 algorithm and illustrated by Figure 2, the resource Finance server1 is isolated in a subnetwork under a single firewall, FW9, which limits the contamination of the rest of the network should an internal attack be mounted from this resource.
Recall that the running time of the MEP1 algorithm is linear in the sum of the sizes of the robust networks created for the input resource sets $Q_1, Q_2, \ldots, Q_n$, plus the quadratic running time required by the RNS algorithm on each resource set $Q_i$, $1 \le i \le n$. The running time of the MEP2 algorithm, on the other hand, is exponential (due to the construction of the set Inter Set).

Sometimes it is desirable to have multiple networks that are logically segregated within shared infrastructure resources, such as multiple tenants in a shared cloud environment. Within SDNs, there is literature on multi-domain SDNs [15] and SDN network slicing [3]. There is a demand for isolating network resources based on requirements such as speed, performance, and security. Resources can be part of a specific slice or domain, or shared between slices; to configure the network for the former case we use the MEP1 algorithm, and MEP2 for the latter.
Conventional firewalls rely on enforcing traffic filtering at the entry points and on the assumption that each machine within the network is to be trusted [4]. Because of the latter assumption, securing the entire network is hard in practice: firewalls at the entry point do not protect the network from internal attacks. The RNS algorithm (briefly stated in Section B.2), and consequently the MEP1 and MEP2 algorithms presented in Section 5, are based on the assumption that no node is to be trusted. Internal traffic has to satisfy the policies to be allowed access to resources. If a node wants to communicate with another node, due to defence in depth, it has to go through internal firewalls to reach the destination.
SDNs commonly employ two planes: the data plane and the control plane. They are designed around separating control from data traffic, a direct application of the principle of separation of concerns. The RNS, MEP1, and MEP2 algorithms bring a new concern, that of configuring and governing a network automatically; thus, a new plane becomes essential. It is the DCG plane, illustrated in Figure 5a, that separates the governance of the network from the control and the data traffic. It hides how the topology changes and what the policies of each firewall are. The MEP1 and MEP2 algorithms presented in this paper contribute to improving the machinery of the DCG plane by proposing different design solutions for the topology of SDNs.
In a typical SDN architecture, the control plane has two interfaces: a southbound interface connecting the SDN controller to the network devices (switches and routers) in the data plane, and a northbound interface connecting it to external applications and network management tools at the application plane. The use of a DCG plane requires the addition of a new interface connecting it to the control plane. The new interface enables the DCG plane to communicate topology and policy changes to the control plane. This amendment to the SDN architecture increases the coupling of the control plane and its centrality in the architecture. The increased coupling places more burden on the control plane, which needs to be properly addressed in the detailed design of the control layer. While for networks with a low frequency of change the communication between the control and governance planes is light, for more dynamic networks one needs to carefully assess the effect of the communication between the DCG and control planes on the overall performance of the network.
With the advent of SDNs, many networks of large organizations became heterogeneous, having both legacy subnetworks and software-defined subnetworks. The proposed algorithms can be applied automatically, using the DCG plane, to the software-defined part of the network, while they can be used manually in legacy
policies and network topology at the desired place in the network configuration. This limited role assigned to the manager significantly reduces the risk compared to a role that involves calculating the policies of all the firewalls, segmenting the network, and entering the right network configuration. Adopting network-configuration review practices and network testing techniques helps catch some of the human-induced errors in the network topology and firewall policies provided as input.
fully automated and dynamic solutions for networks with multiple entry points.
We illustrate this in Section 6.
As part of future work, we will address several questions related to exploring the most suitable architectures for SDNs implementing multiple entry points. For example, we will explore whether it is better to have one controller for each subnetwork related to an entry point, or one for each arbitrary subnetwork. For instance, for the topology presented in Figure 2, is it better to have one controller at the control plane for each of the subnetworks rooted at FW3, FW8, and FW11? Or should we have more controllers inside the subnetworks rooted at FW3, FW8, and FW11? We think that an evaluation study similar to [2], which was done for the RNS applied to SDNs with a single entry point, needs to be carried out for robust SDNs with multiple entry points. The architectures presented in Figures 6, 7, and 8 remain relevant, but we believe that better ones can be proposed for SDNs with more than one entry point.

The weight function used in the RNS algorithm is intended to capture security requirements related to access control. There is a wide literature (e.g., [34]) that uses heuristics in segmentation based on several aspects of security requirements. As part of future work, some of these requirements could be included in the weight function.
Acknowledgements
Funding: This work was funded by Natural Sciences and Engineering Research
Council of Canada (NSERC)[grant number: RGPIN-2020-06859].
References
1. Alabbad, M.: A Formal Approach to Secure the Segmentation and Configuration
of Dynamic Networks 2021. Ph.D. thesis, McMaster University (2021)
2. Alabbad, M., Khedri, R.: Configuration and governance of dynamic secure SDN.
In: The 12th International Conference on Ambient Systems, Networks and Tech-
nologies (ANT 2021). pp. 1–8. Procedia Computer Science series, Elsevier Science,
Warsaw, Poland (March 23 – 26 2021)
3. Barakabitze, A.A., Ahmad, A., Mijumbi, R., Hines, A.: 5G network slicing using SDN and NFV: A survey of taxonomy, architectures and future challenges. Computer Networks 167, 106984 (2020). https://doi.org/10.1016/j.comnet.2019.106984
4. Bellovin, S.M.: Distributed firewalls (1999)
5. Caballero, P., Banchs, A., de Veciana, G., Costa-Pérez, X.: Multi-
tenant radio access network slicing: Statistical multiplexing of spatial
loads. IEEE/ACM Transactions on Networking 25(5), 3044–3058 (2017).
https://doi.org/10.1109/TNET.2017.2720668
6. Chochliouros, I.P., Spiliopoulou, A.S., Lazaridis, P., Dardamanis, A., Zaharis, Z., Kostopoulos, A.: Dynamic network slicing: Challenges and opportunities. In: Maglogiannis, I., Iliadis, L., Pimenidis, E. (eds.) Artificial Intelligence Applications and Innovations. AIAI 2020 IFIP WG 12.5 International Workshops. pp. 47–60. Springer International Publishing, Cham (2020)
7. Escolar, A.M., Alcaraz-Calero, J.M., Salva-Garcia, P., Bernabe, J.B., Wang, Q.:
Adaptive network slicing in multi-tenant 5G IoT networks. IEEE Access 9, 14048–
14069 (2021). https://doi.org/10.1109/ACCESS.2021.3051940
8. Fægri, T.E., Hallsteinsen, S.O.: A software product line reference architecture for security. In: Software Product Lines - Research Issues in Engineering and Management, pp. 275–326. Springer Berlin Heidelberg (2006). https://doi.org/10.1007/978-3-540-33253-4_8
9. Gries, D., Schneider, F.B.: A Logical Approach to Discrete Math. Springer Texts and Monographs in Computer Science, Springer-Verlag, New York (1993)
10. Guan, W., Wen, X., Wang, L., Lu, Z., Shen, Y.: A service-oriented deployment
policy of end-to-end network slicing based on complex network theory. IEEE Access
6, 19691–19701 (2018). https://doi.org/10.1109/ACCESS.2018.2822398
11. Höfner, P., Khedri, R., Möller, B.: Feature algebra. In: Misra, J., Nipkow, T., Sek-
15. Katsalis, K., Rofoee, B., Landi, G., Riera, J., Kousias, K., Anastasopoulos, M., Kiraly, L., Tzanakaki, A., Korakis, T.: Implementation experience in multi-domain SDN: Challenges, consolidation and future directions. Computer Networks 129, 142–158 (2017). https://doi.org/10.1016/j.comnet.2017.09.005
16. Khedri, R., Jones, O., Alabbad, M.: Defense in depth formulation and usage in dynamic access control. In: Maffei, M., Ryan, M. (eds.) Principles of Security and Trust: 6th International Conference, POST 2017, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala, Sweden, April 22-29, 2017, Proceedings. pp. 253–274. Springer Berlin Heidelberg, Berlin, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_12
17. Kumar, R., Goyal, R.: On cloud security requirements, threats, vulnerabilities and countermeasures: A survey. Computer Science Review 33, 1–48 (2019). https://doi.org/10.1016/j.cosrev.2019.05.002
18. Kwak, J., Moon, J., Lee, H.W., Le, L.B.: Dynamic network slicing and resource allo-
cation for heterogeneous wireless services. In: 2017 IEEE 28th Annual International
Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC).
pp. 1–5 (2017). https://doi.org/10.1109/PIMRC.2017.8292663
19. Lippmann, R., Ingols, K., Scott, C., Piwowarski, K., Kratkiewicz, K., Artz, M., Cunningham, R.: Validating and restoring defense in depth using attack graphs. In: MILCOM 2006 - 2006 IEEE Military Communications Conference. pp. 1–10 (Oct 2006)
20. May, C.J., Hammerstein, J., Mattson, J., Rush, K.: Defense in depth: Foundations for secure and resilient IT enterprises. Tech. rep., Carnegie Mellon University (2006)
21. Mhaskar, N., Alabbad, M., Khedri, R.: A formal approach to network segmentation. Computers & Security, 102162 (2021). https://doi.org/10.1016/j.cose.2020.102162
22. Minami, Y., Taniguchi, A., Kawabata, T., Sakaida, N., Shimano, K.: An architecture and implementation of automatic network slicing for microservices. In: NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium. pp. 1–4 (2018). https://doi.org/10.1109/NOMS.2018.8406193
23. Möller, B., Struth, G.: wp is wlp. In: MacCaull, W., Winter, M., Düntsch, I. (eds.)
Relational Methods in Computer Science, Lecture Notes in Computer Science,
vol. 3929, pp. 200–211. Springer Berlin Heidelberg (2006)
24. Olimid, R.F., Nencioni, G.: 5G network slicing: A security overview. IEEE Access
8, 99999–100009 (2020). https://doi.org/10.1109/ACCESS.2020.2997702
25. Executive Office of the President: Executive Order 14028 of May 12, 2021: Improving the
In: Proceedings of the 50th Annual Simulation Symposium. pp. 1–12. ANSS ’17,
Society for Computer Simulation International, San Diego, CA, USA (2017)
33. Wagner, N., Şahin, C.Ş., Pena, J., Streilein, W.W.: Automatic generation of cyber architectures optimized for security, cost, and mission performance: A nature-inspired approach. In: Shandilya, S., Shandilya, S., N.A. (eds.) Advances in Nature-Inspired Computing and Applications. Springer, Cham (2019). https://doi.org/10.1007/978-3-319-96451-5_1
34. Wagner, N., Şahin, C.Ş., Winterrose, M., Riordan, J., Pena, J., Han-
son, D., Streilein, W.W.: Towards automated cyber decision support: A
case study on network segmentation for security. In: 2016 IEEE Sympo-
sium Series on Computational Intelligence (SSCI). pp. 1–10 (Dec 2016).
https://doi.org/10.1109/SSCI.2016.7849908
35. Zanzi, L., Giust, F., Sciancalepore, V.: M2EC: A multi-tenant resource orchestration in multi-access edge computing systems. In: 2018 IEEE Wireless Communications and Networking Conference (WCNC). pp. 1–6 (2018). https://doi.org/10.1109/WCNC.2018.8377292
A.2 Policies of branch B resources
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.0.5.0/24 -j ACCEPT
-A INPUT -s 10.0.6.0/24 -j ACCEPT
-A INPUT -s 10.0.7.0/24 -j ACCEPT
-A INPUT -j DROP
Listing 1.5: Web and Email Servers policy
A.3
[Listing only partially recovered; surviving fragments:]
-A INPUT -s ...
-A INPUT -j DROP
that allow traffic from these sources ought to be given similar weights in order to assign their resources to segments that take this threat into account. Moreover, sometimes we want to keep some resources completely confidential and do not allow any notification originating from them. These resources ought to be placed in segments that ensure this confidentiality. The weight function is intended to capture these security requirements. It is a function that takes a policy and gives it a weight that is used in the segmentation.
We abstractly present this function as $w_P : P \to \mathbb{N} \cup \{-1\}$, where $P$ is the set of policies. It quantifies the security requirements of the access control policies. For simplicity, in the remainder of the paper we use the formulation of $w_P$ presented in [21], which uses weights assigned to the rules of a policy to compute the overall weight of the policy; it is explained in the following paragraphs. As indicated above, the weight function can be complex and can capture the results of real-time security analytics. The segmentation solution that we propose can incorporate any given weight function. However, articulating the results of a security assessment into a weight function is outside the scope of this paper.
Access control rules carry in their actions implicit security requirements. For instance, the DROP action can be interpreted as implementing stricter security requirements than the REJECT action, so the weight of a rule using DROP can be deemed higher than that of a rule using REJECT. Moreover, a rule that allows only internal traffic can be considered to represent a higher level of security than one that allows external traffic; in this case, traffic originating inside the network is considered safer than traffic originating outside it. The weight function presented below attempts to capture this aspect of the security requirements.
As mentioned above and in [21], an atomic rule is modelled as a guarded command, that is, a transition relation from a starting state to one or more end states. Hence the weight of an atomic rule is computed from the weights of its end states. The simplest way to achieve this is to assign weights to the different values of the chosen state attributes and use them to compute the weight of an end state, such that values with higher security requirements receive higher weights. Furthermore, since a chain is only as secure as its weakest link, an atomic rule whose relation maps a starting state to multiple end states has a weight equal to the minimum weight of its end states.
Formally, let $SA_i$, $1 \le i \le m$, be the state attributes, and let $V_{SA_i} = \{a_{i1}, a_{i2}, \ldots, a_{in}\}$ be the set of all possible values of $SA_i$. Then $w_{V_{SA_i}} : V_{SA_i} \to \mathbb{Z}$ is the weight function that assigns an integer to each element of $V_{SA_i}$, such that for any two elements $a_{ik}, a_{il} \in V_{SA_i}$, if the security requirement of $a_{ik}$ is less than that of $a_{il}$, then $w_{V_{SA_i}}(a_{ik}) < w_{V_{SA_i}}(a_{il})$. Let $R$ be the set of all atomic rules for all the resources in the organization. Then $w_R : R \to \mathbb{N} \cup \{-1\}$ is the weight function which assigns to an atomic rule $r \in R$ its weight. The weight of $1_F$ is taken to be $-1$, as it is a rule that imposes no security constraint. Furthermore, the weight of a rule $r$ whose domain is mapped to multiple end states (say $p$ of them) is the minimum of the weights assigned to its end states. For each end state $s_i$, where $1 \le i \le p$, $v_{s_i} = \mathrm{eval}(w_{V_{SA_1}}, w_{V_{SA_2}}, \ldots, w_{V_{SA_m}})$, where $w_{V_{SA_j}}$ denotes the weight of the value assigned to the state attribute $SA_j$ in $s_i$. For a state $s_i$, the eval function takes the weights of the attributes of $s_i$ and assigns to it an overall security weight $v_{s_i}$. The weight of such an atomic rule is then the minimum of all the values $v_{s_i}$: for an atomic rule $r$ with $p$ end states, $w_R(r) = \min(v_{s_1}, \ldots, v_{s_p})$. The reader can find in [21] an example of computing the weight function.
The weight of a policy, or of a combined rule $r$ formed by a set $A_r$ of atomic rules, is the sum of the weights of the atomic rules in $A_r$. Let $P$ be the set of all policies composed of the atomic rules in $R$. Then $w_P : P \to \mathbb{N} \cup \{-1\}$ is the weight function that assigns a weight to each element of $P$ based on $w_R$. The $1_F$ policy is assigned a weight of $-1$, and the $0_F$ policy is assigned a weight of $+\infty$.

As can be seen, we measure the level of the security requirements of a resource by the weight of the policy governing it: its security requirements are directly proportional to the weight of its policy. For example, consider two resources $v_1$ and $v_2$ whose policies have weights $w_P(p(v_1))$ and $w_P(p(v_2))$, respectively. If $w_P(p(v_2)) < w_P(p(v_1))$, then $v_1$ has a higher level of security requirement than $v_2$.
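The definitions above (value weights per state attribute, eval over an end state, the minimum over a rule's end states, the sum over a policy, and the special weights of $1_F$ and $0_F$) can be carried through on two small policies. The Python below is an added example, not code from the paper or from [21]; the two state attributes (action and traffic origin), their value weights, the choice of eval as a plain sum, and the two sample policies are all assumptions made for illustration, since the paper leaves these choices to the deployment.

```python
"""Added example (not the paper's code): computing the atomic-rule weight w_R and
the policy weight w_P as defined in this appendix. The state attributes, their
value weights, the eval function (a plain sum) and the sample policies are
assumptions made for illustration."""
import math
from typing import Dict, List, Sequence, Union

# Assumed state attributes SA_1 = action and SA_2 = origin, with value weights
# w_{V_SA_i}: a value carrying a stricter security requirement gets a larger weight.
W_VALUE: Dict[str, Dict[str, int]] = {
    "action": {"ACCEPT": 0, "REJECT": 1, "DROP": 2},
    "origin": {"external": 0, "internal": 1},
}

EndState = Dict[str, str]           # one value per state attribute
AtomicRule = Sequence[EndState]     # the end states a rule maps a start state to

ONE_F = "1_F"    # the rule/policy that constrains nothing
ZERO_F = "0_F"   # the policy that allows nothing


def eval_state(state: EndState) -> int:
    """Assumed eval: the sum of the attribute-value weights of an end state."""
    return sum(W_VALUE[attr][value] for attr, value in state.items())


def w_R(rule: Union[str, AtomicRule]) -> int:
    """Weight of an atomic rule: -1 for 1_F, otherwise the minimum over its
    end states, since a rule is only as strict as its weakest end state."""
    if rule == ONE_F:
        return -1
    return min(eval_state(s) for s in rule)


def w_P(policy: Union[str, Sequence[Union[str, AtomicRule]]]) -> float:
    """Weight of a policy: +inf for 0_F, -1 for 1_F, otherwise the sum of the
    weights of its atomic rules."""
    if policy == ZERO_F:
        return math.inf
    if policy == ONE_F:
        return -1
    return sum(w_R(r) for r in policy)


def rank_by_security(policies: Dict[str, object]) -> List[str]:
    """Resource names ordered from highest to lowest security requirement,
    i.e. by decreasing w_P of the policy governing each resource."""
    return sorted(policies, key=lambda name: w_P(policies[name]), reverse=True)


# Constructed atomic rules. A rule whose match does not pin the origin maps a
# start state to two end states (one per origin), so its weight is the minimum.
ACCEPT_ANY = [{"action": "ACCEPT", "origin": "external"},
              {"action": "ACCEPT", "origin": "internal"}]
ACCEPT_INTERNAL = [{"action": "ACCEPT", "origin": "internal"}]
DROP_EXTERNAL = [{"action": "DROP", "origin": "external"}]
DROP_REST = [{"action": "DROP", "origin": "external"},
             {"action": "DROP", "origin": "internal"}]

# Constructed policies: a public web server (two open ports, LAN access,
# default drop) and a finance server that drops external traffic outright.
WEB_SERVER = [ACCEPT_ANY, ACCEPT_ANY, ACCEPT_INTERNAL, DROP_REST]
FINANCE_SERVER = [DROP_EXTERNAL, ACCEPT_INTERNAL, DROP_REST]

if __name__ == "__main__":
    for name, pol in {"web": WEB_SERVER, "finance": FINANCE_SERVER}.items():
        print(name, w_P(pol))
    print(rank_by_security({"web": WEB_SERVER, "finance": FINANCE_SERVER}))
```

With these assumed weights the web server policy scores 3 and the finance server policy 5, so the finance server has the higher security requirement and would be placed deeper in the segmentation; swapping eval for a weighted sum or changing the value weights changes the numbers but not the structure of the computation.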
Let $w_R$ denote the partial order on the atomic rules induced by their weights, and $w_P$ the total order on the policies induced by their weights. Then there exists an order-preserving map $f : w_R \to w_P$ satisfying the following condition:

$$(\forall i \mid 1 \le i \le n \wedge x_i, y_i \text{ are atomic rules} \cdot x_i <_{w_R} y_i) \Leftrightarrow f(P(x_1, x_2, \ldots, x_n)) <_{w_P} f(P(y_1, y_2, \ldots, y_n)),$$
s based on their weights. Note that the weight of any segment containing s is always less than or equal to s.weight, so the maximum weight of any segment containing s is s.weight. Therefore, when such a cluster of nodes is identified, we create a gcd node to protect this segment, add it to the root of G, and attach the nodes forming this segment to it. Otherwise, we create a temporary node for the cluster and add it to F, so that it can be evaluated later, when the set T having the weight of this cluster is being evaluated.
 6: ... with same policies (line only partially recovered)
 7: F ← ∅
 8: S1, S2, ..., Sm ⊂ R such that ... (line only partially recovered)
 9: end for
10: while F ≠ ∅ do
11:   wmax ← maximum weight of any s ∈ F
12:   T ← ∅
13:   for each s ∈ F do
14:     if s.weight = wmax then
15:       T ← T ∪ {s}; F ← F − {s}
16:     end if
17:   end for
18:   Add-Nodeset-to-G(G, F, T, wmax)
19: end while
20: end procedure
and the IEEE Computer Society. He has authored over 80 peer-reviewed articles and
has supervised more than 20 graduate students. His research interests include
algebraic methods in software engineering, information security policies analysis,
cryptographic-key distribution scheme analysis, data cleansing, software product
families, and formal software requirements analysis, and medical device software.
Dr. Neerja Mhaskar is an Assistant Professor at the department of Computing and
Software, McMaster University. She is a licensed professional engineer in the province
of Ontario and is a member of the Association for Computing Machinery (ACM). Her
research focuses on data structures and algorithms, and network security. In particular,
she is interested in algorithms on strings for pattern matching, algorithms for designing
a secure network, analyzing patterns in big data, developing tools and data structures
for data compression, and information retrieval.
Dr. Mohammed Alabbad is an assistant research professor at Cybersecurity Institute,
King Abdulaziz City for Science and Technology (KACST), Riyadh, Saudi Arabia. He
received his Ph.D. and M.A.Sc from McMaster University, Hamilton, Ontario, Canada in
Software Engineering in 2021 and 2013, respectively. He received his B.Sc. degree in
Computer Science from King Saud University, Riyadh, Saudi Arabia, in 2006. His
research interests include cybersecurity, network security, network design and
segmentation, formal methods, and software design.
Mohammed Alabbad: Methodology, Software, Validation, Formal analysis, Writing
Funding acquisition
Declaration of interests
☐The authors declare that they have no known competing financial interests or personal relationships
that could have appeared to influence the work reported in this paper.
☒The authors declare the following financial interests/personal relationships which may be considered
as potential competing interests:
Ridha Khedri reports financial support was provided by the Natural Sciences and Engineering Research Council of Canada. Neerja Mhaskar, Ridha Khedri, and Mohammed Alabbad have a patent, METHOD AND SYSTEM FOR DETERMINING DESIGN AND SEGMENTATION FOR ROBUST NETWORK ACCESS SECURITY, pending to McMaster University.