
Journal Pre-proof

Two formal design solutions for the generalization of network segmentation

Mohammed Alabbad, Neerja Mhaskar, Ridha Khedri

PII: S1084-8045(23)00182-0
DOI: https://doi.org/10.1016/j.jnca.2023.103763
Reference: YJNCA 103763

To appear in: Journal of Network and Computer Applications

Received date: 24 May 2023
Revised date: 27 August 2023
Accepted date: 30 September 2023

Please cite this article as: M. Alabbad, N. Mhaskar and R. Khedri, Two formal design solutions for
the generalization of network segmentation. Journal of Network and Computer Applications
(2023), doi: https://doi.org/10.1016/j.jnca.2023.103763.

This is a PDF file of an article that has undergone enhancements after acceptance, such as the
addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive
version of record. This version will undergo additional copyediting, typesetting and review before it
is published in its final form, but we are providing this version to give early visibility of the article.
Please note that, during the production process, errors may be discovered which could affect the
content, and all legal disclaimers that apply to the journal pertain.

© 2023 Published by Elsevier Ltd.


Two Formal Design Solutions for the Generalization of Network Segmentation

Mohammed Alabbad², Neerja Mhaskar¹⋆, and Ridha Khedri¹

¹ Department of Computing and Software, McMaster University, Canada
pophlin@mcmaster.ca, khedri@mcmaster.ca
² Cybersecurity Institute, King Abdulaziz City for Science and Technology (KACST), Riyadh, 11442, Saudi Arabia
malabbad@kacst.edu.sa

Abstract. Computer networks are getting more and more complex, with an enormous number of resources, diverse access control policies, and spanning over different platforms and geographical regions. Clearly, these networks have multiple points of entry, as we see in sliced 5G networks. In networks with multiple entry points, shared resources are accessed via several paths through several subnetworks, thus increasing their attack surface and opening it to several vulnerabilities. Hence, a secure design of these networks poses a much greater challenge than for traditional networks with only a single entry point.
In this paper, we propose two secure design solutions for the segmentation of networks with multiple entry points. These solutions are based on mathematical formalisms for network segmentation, thus enabling automation and dynamic segmentation of these networks. Finally, we use mininet, a Software Defined Network (SDN) emulator tool, to illustrate the usage of the proposed algorithms to configure and govern networks within three typical SDN architectures.

Keywords: network security, multiple entry points, network segmentation, layered protection, defence in depth, product family algebra, guarded commands, Software Defined Networks, 5G networks, network slicing.

1 Introduction

A conventional network has a single doorway or access point, often referred to as an entry point, that allows data to flow in and out of the network. The entry point is therefore a perimeter gateway which connects the network to the outer world. However, with the advent of modern network architectures such as Software Defined Network (SDN), cloud computing, and Internet of Things (IoT), and with the increasing sizes of networks, spanning over multiple geographical locations, there is an increasing demand for multiple entry points to the network.

⋆ Corresponding author
Many of the recent security breaches have been related to IT departments failing to articulate and deploy adequate access control policies to govern access to their network resources. Very often, improper levels of access control and lax or nonexistent enforcement policies were identified. Simple and seemingly innocuous mistakes or omissions in articulating access control policies create unintentional pathways to resources, which intruders exploit. Despite the use of advanced platforms (mostly based on heuristics) to design secure networks by vendors such as Cisco, Aruba and HPE, along with third-party solutions, it remains quite challenging for network practitioners to articulate access control policies for all the network firewalls, even for a small network. These problems only worsen for large networks with hundreds of firewalls [31].
To build a secure network and address security issues, network practitioners use the network segmentation [20] or compartmentalization [29], and Defence in Depth (DD) [28] (also known as layered protection) strategies.

Network segmentation is a strategy in which the set of resources forming the network is divided into clusters or groups of resources having similar security requirements. It aims to place resources having different security levels/requirements in different clusters which are protected by firewalls implementing appropriate policies. Thus, when implemented properly, it reduces the attack surface available to an intruder and thwarts the propagation of failures and errors in the network. The importance of network segmentation to cybersecurity is highlighted in the executive order of the USA President that was issued on May 12, 2021 [25, Page 26639, Item (i)]. The presidential document requires the leaders of the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of Management and Budget (OMB) to publish guidance outlining security measures for network segmentation and proper configuration. It highlights the fact that improper network segmentation leads to a significant threat to national security that must be urgently tackled.

Network segmentation is more and more implemented in combination with the DD strategy [8, 29]. The latter states that resources should be protected by multiple layers of defences, such that when an attacker succeeds in passing one layer, they are challenged by other layers, thus limiting their movement within the network. As a result, the security of a network is not dependent on a single access control point but on layers, where each layer protects the layers beneath it. The DD strategy is formalized in [16] and discussed in [16, 19, 27, 30].
Some of the known instances of networks having multiple entry points are networks with slices, Fifth Generation (5G) networks, and multi-tenant cloud architectures. Network slicing [6] involves running multiple logical networks on a single common infrastructure. It uses the virtualization networking paradigm, SDN, and Network Function Virtualization (NFV) [24]. The latter employs virtualization technologies to construct virtual-based networks and virtual network elements, which brings to network operators several capabilities that are extremely needed. A network slice is a self-contained, isolated, end-to-end network that supports multi-services and multi-tenants [3]. Hence, network slicing, for the purpose of isolating resources, decomposes a network based on criteria such as shared resources, storage, security requirements, or bandwidth. Figure 1 illustrates a couple of scenarios for network slicing.

Fig. 1: Network Slicing. (a) A graph representation of the network slicing without separating shared resources. (b) A graph representation of the network slicing with separating shared resources. (Both panels show entry points e1 and e2.)

Recently, and with network slicing, the 5G of cellular networks aims to provide differentiated services, such as voice communication or video streaming, by sharing the same infrastructure among different providers. Therefore, a 5G network needs to adapt to the existing network infrastructures contributed by the service providers. The enabling technology of 5G networks is that of slicing. It allows them to adapt to the existing network infrastructure. The slicing of the network decomposes the virtual overall network into several slices, each of which is an independent end-to-end logical network that runs on a shared physical infrastructure capable of providing a negotiated service with the required quality. This leads to having multiple logically separated networks (i.e., slices) on a common physical environment. Each separated network (or slice) can have a single entry point, and therefore the whole network with several slices will have multiple entry points.
A multiple entry points network can also be seen in a multi-tenant cloud architecture [7, 17], where each user has its own data/resources isolated from other users. Yet they still can use shared resources made available by the cloud provider, such as a database consolidating data from multiple databases into one database on one computer. Tenants can also access their assigned tenant domains from different entry points to the multi-tenant environment. For instance, tenants having their resources primarily use only one runtime environment (e.g., a Google Kubernetes Engine (GKE) cluster) can use a single entry point, while the ones using many runtime environments can use multiple entry points.

1.1 Related Work

Although network segmentation is an invaluable strategy, the literature on it is not very rich, having only a handful of publications [2, 21, 32–34]. Moreover, as far as we know, there is an absence of literature on the segmentation of networks with multiple entry points.
However, several results on network slicing [6] exist. Yuki et al. in [22] propose an automated approach to network slicing for providing microservices. Kwan et al. in [18] present a solution for dynamic network slicing. Guan et al. in [10] propose mathematical models to generate network slicing requests which are then mapped to the network infrastructure. In [7], we find a network slicing framework for a multi-tenant 5G IoT network.
Furthermore, in [26], the authors describe the use of the 5G NORMA approach to achieve resource sharing in a 5G multi-tenant architecture. In [5] the authors present an approach to slice a Radio Access Network (RAN) for a multi-tenant architecture. In this approach, a dynamic resource allocation is considered among tenants based on a weighted proportionally fair objective. In [35], a paradigm is introduced that leverages network slicing to enable third parties to rent facilities. A solution named M2 EC is used to allocate resources for tenants in compliance with their service level agreements in a multi-tenant system.
More recently, in [2, 21] the authors present a formal approach to network segmentation that is based on the formalisms of Product Family Algebra (PFA) and Guarded Commands. Their approach is fully automated and generates the best possible segmentation from an access-control perspective. However, their solution is limited to a single entry point network.

1.2 Motivation and contribution


A network with multiple entry points provides many possibilities and flexibility. However, designing such networks presents enormous security challenges, for instance an increased attack surface for its resources. Furthermore, the problems listed in Section 1 for large single entry point networks increase significantly for networks with multiple entry points. Although in recent years extensive research has been done on various classes of networks (see Section 1) which are instances of networks with multiple entry points, research on effective and security-enhancing segmentation of networks with multiple entry points, as far as we know, does not exist.

With the increasing need for and use of networks with multiple entry points, it is now more than ever critical to have robust and secure design solutions for these networks. In this paper, we study this generalization of networks, and propose secure and efficient design solutions for them. In particular, we use the formalism for network segmentation introduced in [21] in conjunction with the DD [16] strategy, to propose design solutions to segment networks with multiple entry points and in the process generate robust and secure network design solutions.
These design solutions are captured in two algorithms that are remarkably simple and easy to implement. We prove the correctness of these solutions (in Theorems 1 and 2) and present their complexity analysis (in Theorems 3 and 4). Since these solutions are based on mathematical formalisms for network segmentation, they can easily be automated without requiring any human intervention. Therefore, they can naturally be applied to dynamic networks with multiple entry points; for each change to the network topology, the proposed algorithms can be used efficiently to automatically redesign the network. To highlight this, we demonstrate the automation of the proposed solutions on three different SDN architectures.

1.3 Paper Organization


We organize the paper as follows: In Section 2 we present a very simple setup requiring a network with multiple entry points. We use it as a running example throughout the paper to explain the concepts and solutions introduced in the paper. In Section 3 we present the mathematical background required to explain the novel results in the paper. Then, in Section 4 we present the formalism for segmentation and define a robust network design based on it. In Section 5 we present the main results of the paper; that is, the two secure design solutions for networks with multiple entry points along with their complexity analysis. Then, we illustrate the automation of the proposed design solutions on three different SDN architectures in Section 6. Finally, in Section 7 we compare and contrast the two design solutions and discuss the strengths and weaknesses of the segmentation achieved in both.

2 Illustrative Example
In this section, we present a simple setup requiring multiple entry points to access its resources. We use it throughout the paper to illustrate our solutions and the network topologies generated by them.
We consider an organization’s network resources which belong to two branches: A and B. Branch A consists of a Web server, an Email server, two File servers, two Human Resources (HR) workstations, and two finance workstations. The policies of the resources in Branch A are presented in Section A.1. The Web server and Email server allow access for the HyperText Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) from the internet. Moreover, they allow access for all internal resources within the branch and block everything else. The File servers are intended to be accessed only by internal resources within Branch A. The HR workstations allow access to each other only, and the same applies to the finance workstations. Branch B consists of the same resources and requirements except that it does not have a File server (see Section A.2 for the policies of resources in Branch B). Moreover, the organization has two HR servers that are accessed only by HR workstations in both branches. It also has two finance servers that allow access to only finance workstations in both branches (see Section A.3 for the policies of the shared resources in Branches A and B). The requirement is to structure the network of the organization and to have an entry point for each of its branches A and B. If we seek a network topology with a separate segment for shared resources (Finance and HR servers), Figure 2 gives a possible solution.

Fig. 2: Output of the Multiple Entry Point Networks 2 Algorithm for the illustrative example setup. (a) A topological representation of the network (resources of Branches A and B, the shared HR and finance servers, and firewalls Fw 1 to Fw 14 behind the two Internet entry points); (b) a graph representation of the network.

3 Mathematical Background

To formalize network segmentation, we use the theory of PFA, which treats policies as a family of related products (in this case sets of policies), and the theory of Guarded Commands, which are used to specify access policies. Below we briefly present these formalisms and their usage in our context. For more details, we refer the reader to the detailed explanation presented in [21].

3.1 Guarded Commands


We use a variant of Dijkstra’s guarded command introduced in [14, 23] and used in [16] to model policies. A command is a transition relation from starting states to their successor states, together with a set of states that do not lead to failure. For a set Σ of states, a command over Σ is a pair (R, P), where R ⊆ Σ × Σ is a transition relation, and P is a subset of Σ that is intended to characterize those states from which the command cannot lead to abortion/failure. The command abort is a command that offers no transition and does not guarantee the absence of abortion/failure for any state; it is defined as abort ≝ (∅, ∅).

For a command (R, P) and a set of states Q ⊆ Σ, the guarded command Q ⟶ (R, P) (where Q is called the guard) is defined as Q ⟶ (R, P) ≝ (Q↓R, Q̄ ∪ P), where Q↓R is the restriction of R to Q, defined as Q↓R ≝ R ∩ (Q × Σ), and Q̄ is the complement of Q w.r.t. Σ. The state is changed according to the transition relation, and the guard ensures the satisfaction of the condition before changing the state of the system.

For further information on guarded commands, we refer the reader to [14, 23]. In [21], the reader will find further discussion on the usage of guarded commands in verifying the consistency among policies using the notion of demonic meet of relations, which is the dual of the above introduced demonic join.

3.2 Firewall Policies as Product Families


In the context of access control policies, an atomic rule is a feature (and hence indivisible) and is modelled as a guarded command. Below we formally present the notions of divisibility/indivisibility and feature. A policy is a set of rules or a single rule obtained by combining various rules. Let us consider that we are designing the network in a building of an organization and that this network is related to a network in another building on the site of the organization. To focus our attention on the network to be designed and reduce the complexity of the problem, one can consider the network in the related building as a node that is governed by a family of policies. Another situation where we can see the relevance of the family approach for reasoning on access control policies is when we have a local network in a room (e.g., a lab) containing a large number of machines running similar policies. The resources of this room can be considered as a node running a family of policies. Therefore, we can think of these policies as a family of policies.
To utilize this aspect of family in reasoning on network access policies, we use PFA (e.g., [11–13]), which is a commutative idempotent semiring (S, +, ·, 0, 1), where S is a set of product families. The binary operators + and · are interpreted as the alternative choice between two product families and the mandatory composition of two product families, respectively. The constant 0 corresponds to an empty product family, and the constant 1 corresponds to a product family consisting of only a pseudo-product with no features.

Within the structure of PFA, we have a divisibility relation among families, (a | b) ⟺ (∃ c | · b = a · c)‡, which allows us to find divisors of families. Therefore, one can define a notion of Greatest Common Divisor (GCD), which is the common divisor that is divided by all other common divisors. Hence, the following property holds: gcd(a, b) = d such that the following condition is satisfied: [(d | a) ∧ (d | b) ∧ (∀ c | · ((c | a) ∧ (c | b)) ⟹ (c | d))].

Let IP be a set of policies. An element of the power set P(IP) is a family of policies. The commutative idempotent structure F = (P(IP), ⊕, ⊙, 0F, 1F) is presented as a model for PFA (i.e., a product family algebra) in [16]. Here, ⊕ is the union of families of policies and represents the choice among the families given as arguments, and ⊙ is an extended notion of the demonic join, presented previously, to families of policies; it represents the composition/integration of policies within families. The constant 0F can be interpreted as an “unexecutable” policy, and 1F is a policy family that imposes no constraints on the traffic (i.e., enforces nothing). Hence 0F is the annihilator element, and 1F is the neutral element for the ⊙ operator.

On a product family, ⪯F denotes the natural order that comes with the semiring structure of F. It is defined as a ⪯F b ≝ (a ⊕ b = b) and it indicates that the family a is a subfamily of family b. Then the notion of family refinement of the elements of F is defined as follows: a ⊑F b ≝ (∃ c | · a ⪯F b ⊙ c). We note that 1F is refined by any family of policies. The GCD defined under PFA is equivalent to the demonic join of the families of policies and can be restated as follows: (∀ A, B | A, B ∈ P(IP) · gcd(A, B) ≝ {a ⊔IP b | a ∈ A ∧ b ∈ B}). For more details on the use of PFA to specify access control policies, we refer the reader to [16].

3.3 Modelling Networks with Multiple Entry Points


A network with one entry point r can be represented as a directed acyclic graph. The leaves represent the resources and the internal vertices represent firewalls. Let G ≝ (V, E, r) be a rooted connected directed acyclic graph that represents a resource network. The set V denotes the set of vertices or access control points that enforce access policies (i.e., firewalls and resources). The set E is a set of ordered pairs of vertices that represent the links between access control points. The vertex r is the root/entry point of the graph and it represents the access point between the network and the external world.

In the above, we considered networks with a single entry point r. A network with several entry points can be represented in a similar way [1]. Instead of having r as an entry point, we will have a set I of entry points. Hence, we have G ≝ (V, E, I), where I is a set of roots/entry points, V is the set of vertices, and E is the set of edges. For every r ∈ I, we can derive a network graph Gr ≝ (Vr, Er, r) from G as follows:
– Vr = {v | (r, v) ∈ E*} = {v | v is reachable from r}, where E* is the reflexive transitive closure of E.
– Er = (Vr × Vr) ∩ E is the set of edges in G belonging to paths starting at r.

With the above formulation of a network with several entry points, a network G = (V, E, I) can be decomposed into several networks with a single entry point each. For example, the network shown in Figure 3a can be decomposed into the networks in Figures 3b and 3c. The Multiple Entry Points Network 1 (MEP1) and Multiple Entry Points Network 2 (MEP2) algorithms, presented in Section 5, use this fact to reason on a network with several entry points by reducing it into several networks with only one entry point each.

‡ In this paper, we adopt the notation used by Gries and Schneider in [9] for quantifiers. An example of the notation is (+ i | 1 ≤ i ≤ 3 · i²) = 1² + 2² + 3², where + is a quantifier.

Fig. 3: Decomposition of a graph G with two entry points e1 and e2 into two graphs Ge1 and Ge2 with a single entry point each. (a) Graph G, with vertices v1 to v10; (b) Graph Ge1; (c) Graph Ge2.

3.4 Defence in Depth Strategy


A robust network is a network that employs the DD strategy. In our context, this strategy has been defined in [16] for a network of access control points G ≝ (V, E, r). If we denote by p(v) the family of policies enforced at vertex v in G, then the network G (with a single entry point) employs a DD strategy if

p(r) ≠ 0F ∧ (∀ a, b | (a, b) ∈ E · p(b) ⊑F p(a)).

This understanding of DD can be made stronger by strengthening the refinement condition to obtain the Strict Defence in Depth (SDD) strategy introduced in [21]. The above condition is transformed into the following:

p(r) ≠ 0F ∧ (∀ a, b | (a, b) ∈ E · p(b) ⊏F p(a)),

where p(b) ⊏F p(a) ⟺ (p(b) ⊑F p(a) ∧ p(a) ≠ p(b)). By using SDD to build the network graph, we exclude the case where the families of policies on successive nodes are equal. This allows us to ensure that firewalls with exactly the same policies do not exist in any path from the root to a leaf node.

In [16] a scheme is presented to generate the family of policies of the internal nodes such that the network implements the DD strategy. The scheme uses the gcd operator such that the following property holds: p(v) = (gcd vi | (v, vi) ∈ E · p(vi))∓. In other words, the policy p(v) at node v is the gcd of all the policies of the immediate children of v.

4 Network Segmentation and Robust Network

We now state the formal definition of network segmentation based on the weights (given in Appendix B.1) of the commonalities among the policies of the resources in a segment, as presented in [21].

Definition 1 (Segment). Let R be a set of resources. A set S ⊆ R is said to be a segment of R iff

(∀ r, r′ | r ∈ S ∧ r′ ∈ (R − S) · wP(gcd(p(r), p(r′))) ≤ wP(gcd(r | r ∈ S · p(r)))).

Definition 2 (Segmentation). Let R be a set of resources, and let F be a set of subsets of R such that (∪ A | A ∈ F · A) = R. Then F is a segmentation of R iff

(∀ A | A ∈ F · A is a segment of R).

In the above definition of segmentation, a resource is placed within a group of resources if and only if the commonalities it has with the members of the group are stricter; that is, the commonalities have equal or more weight than the weight of the commonalities it shares with any other resource not in the segment. As a result, this segmentation provides maximum access protection to its resources.

Superfluous Firewall Chaining exists in a network when a firewall has only a single firewall attached to it. Such chaining of firewalls is a waste of network resources. Therefore, a good network design should aim at removing these superfluous firewalls.

4.1 Robust Network Definition


Below we state the definition of a robust network as presented in [21].

A network graph G is said to be (access control) robust if the following criteria hold:

1. G satisfies the SDD strategy in every path from the root to the parent of a resource,
2. G has a segmentation as defined in Definition 2, and
3. G has no superfluous firewall chaining.

∓ If the range of the quantification is empty, then the quantification returns the neutral value L for gcd; that is, gcd(x, L) = x, which is the universal relation on the space of the policies, as mentioned in Section 3.1.

The first criterion for a robust network ensures that any two successive internal nodes are related by strict refinement. However, it allows a leaf node and its parent to have the same policy. This can be seen when resources have the 1F policy, and as a result, the firewall protecting them, that is, the root, will also have the 1F policy. The second criterion ensures that resources are segmented in a way such that maximum access protection is provided to them. These segments are then placed in the network at varying depths depending on their levels of security requirements. Segments with high levels of security requirements are placed deep down in the network and protected by layers of firewalls, each adding an extra level of security. The segments with low levels of security are placed closer to the root, that is, the outer firewall. Therefore, traffic coming from the internet to an internal segment is faced by layers of firewalls, and traffic from segment to segment is managed by internal firewalls. Consequently, segments consisting of resources with high levels of security requirements are protected from internal and external threats. Furthermore, if an unauthorized agent gains access to an internal segment, it will not be able to easily gain access to another segment. Finally, the third criterion ensures that we have the most effective strict defence in depth and segmentation at a minimum cost.
5 Network with Multiple Entry Points
In this section we present two solutions, which take n > 1 sets of resources Q1, Q2, …, Qn as input, and generate a secure and robust network graph with entry points e1, e2, …, en, such that the i-th entry point ei protects the i-th set of resources Qi, 1 ≤ i ≤ n. While designing networks with multiple entry points, the intersection of the sets of resources can be dealt with in two ways, as presented in Sections 5.1 and 5.2 by the MEP1 and MEP2 algorithms [1], respectively. Both algorithms use the Robust Network and Segmentation Algorithm (RNS) (see Appendix B.2) as a sub-procedure.

The MEP1 algorithm generates a network design cumulatively (starting with the resources in Q1) without separating common resources to form their own segments. For example, for the sets of resources Q1 = {r1, r2, r3}, Q2 = {r2, r4, r5}, the MEP1 algorithm first generates a segment for the resources in Q1 with entry point e1. Then, it generates another segment for the resources in Q2 with entry point e2, such that the two segments overlap and the overlap contains only the common resource {r2}.


The MEP2 algorithm, on the other hand, separates the resources occurring in multiple sets to form a segment of their own, thus forming a separate segment for each set of shared resources. For example, consider the sets of resources Q1 = {r1, r4, r5, r6}, Q2 = {r2, r4, r5, r7}, Q3 = {r3, r4, r6, r7} with the only non-empty intersections being Q1 ∩ Q2 ∩ Q3 = {r4}, Q1 ∩ Q2 = {r5, r6}. The MEP2 algorithm generates five segments s1, s2, …, s5 consisting of the resource sets {r1}, {r2}, {r3}, {r4}, {r5, r6}, respectively. Then the entry point e1 connects to segments s1, s4, s5; e2 connects to segments s2, s4, s5; and e3 connects to segments s3, s4.
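As an added example that is not part of the paper, the following Python performs the grouping of shared resources that MEP2 relies on and the decomposition of Section 3.3: it builds G = (V, E, I) with one stand-in firewall per segment (the RNS sub-procedure of Appendix B.2 is not reproduced) and derives each Gr by reachability. The sets Q1, Q2, Q3 in the block are constructed so that their only non-empty intersections are Q1 ∩ Q2 ∩ Q3 = {r4} and Q1 ∩ Q2 = {r5, r6}, as in the description above; the entry point and firewall names are assumptions.

```python
"""Grouping shared resources into segments, as MEP2 does, and decomposing the
resulting multiple-entry-point graph G = (V, E, I) into the single-entry graphs
G_r of Section 3.3.  Added illustration, not the authors' code.  Assumption:
the RNS sub-procedure (Appendix B.2) is replaced by one stand-in firewall per
segment; the entry points e_i, firewall names fw_k and resource sets below are
constructed for the example.
"""
from collections import defaultdict

# Constructed input: the only non-empty intersections are
# Q1 ∩ Q2 ∩ Q3 = {r4} and Q1 ∩ Q2 = {r5, r6}.
Q_SETS = [
    {"r1", "r4", "r5", "r6"},   # Q1, to be protected by entry point e1
    {"r2", "r4", "r5", "r6"},   # Q2, to be protected by entry point e2
    {"r3", "r4"},               # Q3, to be protected by entry point e3
]


def shared_segments(resource_sets):
    """Map each membership pattern (the set of indices i with r ∈ Qi) to the
    resources having exactly that pattern.  Resources private to one input set
    form their own segments and every distinct set of shared resources forms a
    segment of its own, as MEP2 requires."""
    membership = defaultdict(set)
    for i, q in enumerate(resource_sets, start=1):
        for r in q:
            membership[r].add(i)
    segments = defaultdict(set)
    for r, owners in membership.items():
        segments[frozenset(owners)].add(r)
    return dict(segments)


def build_mep2_graph(resource_sets):
    """Return (V, E, I).  Entry point e_i is connected to the stand-in firewall
    of every segment whose pattern contains i, and each firewall to its resources."""
    entry = {i: f"e{i}" for i in range(1, len(resource_sets) + 1)}
    V, E = set(entry.values()), set()
    # number the segments deterministically so that firewall names are stable
    ordered = sorted(shared_segments(resource_sets).items(),
                     key=lambda kv: (sorted(kv[0]), sorted(kv[1])))
    for k, (owners, resources) in enumerate(ordered, start=1):
        fw = f"fw{k}"
        V.add(fw)
        for i in owners:
            E.add((entry[i], fw))
        for r in resources:
            V.add(r)
            E.add((fw, r))
    return V, E, set(entry.values())


def subgraph_from(E, r):
    """G_r = (V_r, E_r, r) with V_r = {v | (r, v) ∈ E*} (reflexive transitive
    closure of E) and E_r = (V_r × V_r) ∩ E."""
    reachable, stack = {r}, [r]
    while stack:
        a = stack.pop()
        for (x, y) in E:
            if x == a and y not in reachable:
                reachable.add(y)
                stack.append(y)
    return reachable, {(a, b) for (a, b) in E if a in reachable and b in reachable}


def resources_behind(E, r, resources):
    """The resources reachable from entry point r; for a correct design this
    must be exactly the input set that r is meant to protect."""
    V_r, _ = subgraph_from(E, r)
    return V_r & resources


def segments_of_entry(E, r):
    """Stand-in firewalls (segments) directly attached to entry point r."""
    return {b for (a, b) in E if a == r}
```

The reachability check is the property a design review cares about: each Gei must contain exactly Qi, and no entry point may reach another branch's private resources.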

5.1 Multiple Entry Points 1 (MEP1) Algorithm

The MEP1 algorithm [1] takes resource sets Q1, Q2, …, Qn, where n > 1 and Qi ≠ Qj for all i, j ∈ [1..n] with j ≠ i, as input to build a network graph with entry points e1, e2, …, en, respectively. The outline of the algorithm is as follows:
– On input Q1, Q2, …, Qn, the MEP1 algorithm first generates a network graph for the resources in Q1 using the RNS algorithm.
– Then it loops through the resource sets Q2, …, Qn one at a time. At the i-th iteration, the algorithm generates the network graph for the resources in Qi using the RNS algorithm and merges it (adds Vi, Ei, ri to G) with the graph G constructed so far.

Algorithm 1 Multiple Entry Points 1 Algorithm

function Multi Entry Points 1(Q1, Q2, …, Qn)    ▷ Q1, Q2, …, Qn ≠ ∅
    G = NULL                                       ▷ G = (V, E, I)
    (G1, r1) = RNS(Q1)
    V = V ∪ V1; E = E ∪ E1; I = I ∪ {r1}
    Q = Q1
    for i = 2 to n do
        (Gi, ri) = RNS(Qi)
        V = V ∪ Vi; E = E ∪ Ei; I = I ∪ {ri}
        Q = Q ∪ Qi
    end for
    return G
end function

Figure 4 presents the topology of the network generated after implementing
the MEP1 algorithm on the resources of the illustrative example.

Theorem 1. The MEP1 algorithm constructs a robust network graph G, with entry
points e1, e2, . . . , en protecting resources in the sets Q1, Q2, . . . , Qn, respectively.

Proof. The graphs G1, G2, . . . , Gn are constructed using the RNS algorithm, and
by Theorem 5 they are all robust. Merging the subgraph Gi, 2 ≤ i ≤ n, with
G preserves the robustness of the network: vertices of Vi that are already in V
(resources shared with an earlier Qj) are not duplicated, so the merge introduces
no vertices beyond those of the robust subgraphs, and the edges in Ei connect
only vertices of Gi, so every path they introduce is a path of the robust graph Gi.
Therefore the resulting graph G, obtained after execution of the MEP1 algorithm,
is a robust network graph.

Fig. 4: Network Topology generated after implementing the MEP1 algorithm for
the illustrative example. (a) A topological representation of the network;
(b) a graph representation of the network.
Theorem 2. Let |Q1| = ℓ1, |Q2| = ℓ2, . . . , |Qn| = ℓn. Then, the running time of
MEP1 is O(ℓ1² + ℓ2² + . . . + ℓn²).

Proof. The MEP1 algorithm begins with an empty graph G = ∅. Then,
for each Qi, 1 ≤ i ≤ n, starting with i = 1, it computes the subnetwork
graph Gi using the RNS algorithm. By Theorem 6, at iteration i this step
requires O(ℓi²) time. Since Qi ≠ Qj for i ≠ j by assumption, merging Gi with G
adds Ei to E, ri to I, and merges Vi into V, which requires at most O(ℓi²) time.
Therefore, the total running time of MEP1 is O(ℓ1² + ℓ2² + . . . + ℓn²).

By Theorem 2, the MEP1 algorithm runs in time polynomial in the sizes of the
input sets and is therefore suitable for dynamic (almost real-time) networks
requiring multiple entry points.

5.2 Multiple Entry Points 2 (MEP2) Algorithm

The MEP2 algorithm [1] builds a robust and secure network graph with entry
points e1, e2, . . . , en, given the sets of resources Q1, Q2, . . . , Qn. The network
graph generated by the MEP2 algorithm does not have any overlapping subnetworks;
that is, the sets of resources in the subnetworks are pairwise disjoint. The outline
of the algorithm is as follows:

– Given the sets of resources Q1, Q2, . . . , Qn (Input Set), the MEP2
algorithm first adds all the entry points e1, e2, . . . , en protecting resources
Q1, Q2, . . . , Qn to G, using the Add entry points function.
– For each set Qi, 1 ≤ i ≤ n, the Add entry points function creates an
entry point ei and sets its policy equal to the gcd of the resource policies in
Qi. The other gcd object parameters for ei are set accordingly, and can be
seen in the Add entry points function.
– Then it generates the set Inter Set, which is a collection of disjoint sets of
resources, obtained from the powerset of Input Set as follows:
• Let Pd be the list of all subsets of Input Set, in non-increasing order of
their sizes, such that the subsets with the same cardinality are placed together.
• For each subset s = {Qi1, Qi2, . . . , Qik} ∈ Pd, 1 ≤ k ≤ n, taken from the
largest subset onwards: if the intersection Qi1 ∩ Qi2 ∩ . . . ∩ Qik of the current
(already reduced) sets is non-empty, add it to Inter Set and remove each of
its resources from every Qj, 1 ≤ j ≤ n, so that no subset processed later
contains them. Processing larger subsets first guarantees that a resource ends
up in exactly one set of Inter Set, namely the one for the subset of input sets
that all contain it. This step identifies the resources that are going to form
individual segments of shared resources.
– For each s ∈ Inter Set, the MEP2 algorithm computes the robust network
graph Gs for s using the RNS algorithm, and adds it to G using the
Concatenate function.
– The Concatenate function takes the graphs G and Gs as inputs. It loops
through every entry point ei, 1 ≤ i ≤ n, and adds an edge from ei to the root rs
of Gs only if the policy of rs refines the policy of ei and rs.set ⊂ ei.set. If the
policies of rs and ei are equal and rs.set ⊆ ei.set, then it deletes the root rs
and all its outgoing edges, and attaches the children of rs to ei.

Algorithm 2 Multiple Entry Points 2 Algorithm

function Multiple Entry Points 2(Q1, Q2, . . . , Qn)       ▷ Q1, Q2, . . . , Qn ≠ ∅
    Input Set = {Q1, Q2, . . . , Qn}
    G = NULL                                                ▷ G = (V, E, I)
    G = Add entry points(G, Input Set)
    Inter Set = disjoint intersection sets of Input Set, without empty sets
    for each s ∈ Inter Set do
        (Gs, rs) = RNS(s)
        G = Concatenate(G, Gs)
    end for
    return G
end function

Figure 2 presents the topology of the network generated after implementing
the MEP2 algorithm on the set of resources of the illustrative example.

function Add entry points(G, Set)
    for each Qi ∈ Set do
        Create node ei
        ei.p ← GCD(Qi)                           ▷ gcd of the policies of all resources in Qi
        ei.weight ← weight of ei.p
        ei.set ← Qi
        ei.size ← |ei.set|; ei.is resource ← false
        V ← V ∪ {ei}; I ← I ∪ {ei}
    end for
    return G
end function

function Concatenate(G, Gs)                      ▷ Gs = (Vs, Es) with root rs
    V ← V ∪ Vs; E ← E ∪ Es
    for each ei ∈ I do
        if rs.p ⊏ ei.p ∧ rs.set ⊂ ei.set then   ▷ rs strictly refines ei: hang Gs below ei
            E ← E ∪ {(ei, rs)}
        end if
        if rs.p = ei.p ∧ rs.set ⊆ ei.set then   ▷ same policy: ei takes the place of rs
            for each child c of rs do
                E ← E − {(rs, c)}
                E ← E ∪ {(ei, c)}
                c.π ← (c.π − {rs}) ∪ {ei}
            end for
            V ← V − {rs}
        end if
    end for
    return G
end function
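As an added example (not the paper's own code), the Python below runs the MEP2 outline on the example of Section 5: it builds Inter Set by visiting subsets of the input sets from the largest down, creates one segment per non-empty intersection, and applies the two Concatenate cases, with a contrast function showing which resources MEP1 would leave in overlapping segments. The policy model is an assumption standing in for PFA: a policy is the set of rules a resource accepts, gcd is the rules a group shares, and a policy refines another when it keeps all of its rules; the per-resource rule sets are constructed for illustration. Each segment stands in for the robust subnetwork RNS would build for it, represented by its root policy.

```python
from itertools import combinations

# Constructed input: the Section 5 example, where r4 is shared by all three
# sets and r5, r6 are shared by Q1 and Q2 only.
EXAMPLE_INPUT = {
    "Q1": {"r1", "r4", "r5", "r6"},
    "Q2": {"r2", "r4", "r5", "r6"},
    "Q3": {"r3", "r4"},
}

# Assumed policy model standing in for the paper's PFA policies: a policy is the
# set of rules a resource accepts, the gcd of a group is the rules all of them
# share, and p refines q when p keeps every rule of q.  Rule strings are
# illustrative, not the iptables listings of Appendix A.
EXAMPLE_POLICIES = {
    "r1": frozenset({"established", "src:10.0.1.0/24", "dport:80"}),
    "r2": frozenset({"established", "src:10.0.2.0/24", "dport:25"}),
    "r3": frozenset({"established", "src:10.0.3.0/24"}),
    "r4": frozenset({"established", "src:10.0.1.0/24", "src:10.0.2.0/24",
                     "src:10.0.3.0/24"}),
    "r5": frozenset({"established", "src:10.0.1.0/24", "src:10.0.2.0/24"}),
    "r6": frozenset({"established", "src:10.0.1.0/24", "src:10.0.2.0/24",
                     "dport:443"}),
}


def gcd(resources, policies):
    """Rules common to every resource of the group: the entry-point/root policy."""
    return frozenset.intersection(*(policies[r] for r in resources))


def refines(p, q):
    """p refines q: p enforces everything q enforces, and possibly more."""
    return p >= q


def inter_sets(input_sets):
    """Inter_Set step of MEP2: carve R into disjoint sets of shared resources.

    Subsets of the input sets are visited from the largest down; the resources
    common to a subset form one segment and are removed from every input set,
    so no smaller subset sees them again.  Returns (owning sets, resources).
    """
    remaining = {name: set(members) for name, members in input_sets.items()}
    names = sorted(remaining)
    segments = []
    for k in range(len(names), 0, -1):
        for group in combinations(names, k):
            shared = set.intersection(*(remaining[n] for n in group))
            if shared:
                segments.append((frozenset(group), frozenset(shared)))
                for n in names:
                    remaining[n] -= shared
    return segments


def mep2(input_sets, policies):
    """MEP2 outline: Add_entry_points, then RNS + Concatenate for each segment.

    Each segment stands in for the robust subnetwork RNS would build for it and
    is represented by its root policy.  Returns (entry points, segments, links).
    """
    entry = {}
    for i, name in enumerate(sorted(input_sets), 1):
        members = frozenset(input_sets[name])
        entry[f"e{i}"] = {"set": members, "p": gcd(members, policies)}
    segs, links = {}, []
    ordered = sorted(inter_sets(input_sets), key=lambda seg: sorted(seg[1]))
    for j, (_owners, resources) in enumerate(ordered, 1):
        sid = f"s{j}"
        root_p = gcd(resources, policies)
        segs[sid] = {"set": resources, "p": root_p}
        for eid, ep in entry.items():              # Concatenate(G, Gs)
            if not resources <= ep["set"]:
                continue
            if root_p == ep["p"]:                  # rs.p = ei.p: drop rs, children hang off ei
                links.append((eid, sid, "merge root"))
            elif refines(root_p, ep["p"]):         # rs.p refines ei.p: add edge (ei, rs)
                links.append((eid, sid, "edge"))
    return entry, segs, links


def is_partition(segs, input_sets):
    """MEP2's guarantee: segments are pairwise disjoint and together cover R."""
    everything = set().union(*input_sets.values())
    seen = [r for seg in segs.values() for r in seg["set"]]
    return len(seen) == len(set(seen)) and set(seen) == everything


def mep1_overlaps(input_sets):
    """For contrast: the resources MEP1 leaves in the overlap of two segments."""
    return {frozenset(pair): frozenset(input_sets[pair[0]] & input_sets[pair[1]])
            for pair in combinations(sorted(input_sets), 2)
            if input_sets[pair[0]] & input_sets[pair[1]]}


if __name__ == "__main__":
    entry_points, segments, links = mep2(EXAMPLE_INPUT, EXAMPLE_POLICIES)
    for sid, seg in segments.items():
        print(sid, sorted(seg["set"]), sorted(seg["p"]))
    for eid, sid, how in links:
        print(f"{eid} -> {sid} ({how})")
    print("MEP1 overlaps:", {tuple(sorted(k)): sorted(v)
                             for k, v in mep1_overlaps(EXAMPLE_INPUT).items()})
```

On this input the run reproduces the five segments and the e1/e2/e3 attachments of the Section 5 example; {r3} is the one segment whose root policy equals gcd(Q3), so it takes the merge-root branch of Concatenate, while every other segment strictly refines its entry point and is attached by an edge. The subset walk is the exponential step the running-time analysis refers to; the same partition can be read off a resource's membership signature directly when that cost matters.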

Theorem 3. The MEP2 algorithm constructs a robust network graph G, with entry
points e1, e2, . . . , en, protecting resource sets Q1, Q2, . . . , Qn respectively.

Proof. The MEP2 algorithm creates all the entry points e1, e2, . . . , en and adds
them to G. At this point G consists of n disconnected vertices (the entry points),
and is robust. Then, the algorithm uses the RNS algorithm to build a subnetwork
graph Gs for each of the disjoint sets s in Inter Set (there are fewer than 2^n of
them). By Theorem 5, all these subgraphs are robust network graphs. Further,
when a subnetwork Gs with root rs is added to G using the Concatenate function,
an edge is added between rs and an entry point ej, 1 ≤ j ≤ n, only if the policy at
ej is refined by the policy at rs and rs.set ⊂ ej.set. If the policies at ej and rs are
equal and rs.set ⊆ ej.set, then the root rs is removed from G along with its outgoing
edges, and all its children are attached to ej. Thus, in both cases the policy
at each child node of ej refines the policy at ej. Therefore the resulting graph G,
obtained after execution of the MEP2 algorithm, is a robust network graph.

Theorem 4. Let R = Q1 ∪ Q2 ∪ . . . ∪ Qn be the set of resources protected by
G, and let ℓ be the largest cardinality of any set in Q1, Q2, . . . , Qn. Then, the MEP2
algorithm runs in O(ℓ² × 2^|R|) time.

Proof. The running time of the MEP2 algorithm is dominated by the time required
to compute the powerset P(R) of the set of resources R. Computing the
powerset of R requires exponential time, that is, O(2^|R|) time. Then each iteration
of the for loop computes the secure and robust subnetwork graph Gs for
an s ∈ Inter Set using the RNS algorithm. Since |s| ≤ ℓ, by Theorem 6 this step
requires at most O(ℓ²) time. Concatenating Gs with G adds Es to E, merges Vs
into V, and either attaches the root rs to an existing entry point e as its child or
attaches all its children to e instead. All these operations require at most O(ℓ²)
time. Therefore, the total running time of the MEP2 algorithm is O(ℓ² × 2^|R|).

In contrast to MEP1, MEP2 creates a network design with individual
segments for shared resources, such that the sets of resources in the segments
are disjoint, thus resulting in a smaller attack surface that is limited to the
concerned segment.

6 SDN implementation

SDN is a network architecture proposed to improve network packet analysis
and security functions. In recent years, SDNs have been proposed for dynamic
networks due to the flexibility they present in controlling the access to a network
based on the state of specific nodes or resources in the network. However, efficient
segmentation models or segmentation approaches remain a major issue that
needs to be overcome in order to get the full potential of SDNs.

In this section, we present the implementation of the MEP1 and MEP2 algorithms
in an SDN environment to demonstrate efficient segmentation of networks
with multiple entry points [1]. The algorithms MEP1 and MEP2 can be
used to reconfigure the network as needed in a dynamic environment: they
re-calculate the topology each time resources are added to or removed
from the network. They also manage the access policies, as
they calculate the access policies of the network firewalls for each new topology.
Therefore, in SDNs they have the role of dynamic configuration and governance
of the network.

In [2], a new plane called the Dynamic Configuration and Governance (DCG)
plane was proposed for the SDN architecture. The DCG plane separates the governance
and the dynamic configuration of the network from the control plane. The obtained
architecture for SDNs with its planes is illustrated in Figure 5a. The DCG
plane has two interfaces, one with the control plane and another with the data
plane. The data plane interface is used to structure or restructure the data plane
topology. The control plane interface is used to send policies to the architecture
application at the control plane. Moreover, it is used to receive notifications
from the control plane if the topology changes, in which case the DCG plane
responds by re-executing the selected module to generate an updated topology
and firewall policies.
We host the RNS, MEP1, and MEP2 modules in the DCG plane to implement
them in an SDN environment.

Fig. 5: DCG plane and the input/output of the RNS module. (a) SDN architecture
with DCG plane: application plane (resource policies, applications), northbound
API, control plane (controller) next to the Dynamic Config. & Gov. plane with
its segmentation modules (RNS, MEP1, MEP2 and Seg modules), southbound API,
and data plane (switches, server, host) receiving the firewall policies and the
topology file. (b) Structure of the RNS module and its input and output.

The design of the MEP1 and MEP2 modules is given in Figure 5b. Each module
takes as input the sets of policies of the resources that need to be accessed from
their respective entry points. For instance, if we need n entry points, we input
the n sets of policies of the resources, such that the i-th entry point governs the
i-th set. Each of the modules generates a topology of the data plane along with
the policies to be enforced at each switch. They also generate a single policy that
combines the policies of the switches, to be used when a single firewall is deployed.
In [2], the authors proposed three different architectures for implementing
RNS in SDN. They are presented in Figures 6, 7, and 8. Architecture 1 uses a
single stateful firewall at the control plane. Architecture 2 uses multiple stateful
firewalls at the control plane, where each switch in the data plane is assigned
to a firewall in the control plane. In Architecture 3, the data plane switches
are transformed into stateful firewalls using the data plane abstraction of the BEBA
software switch. We configure the three architectures given in [2] to implement
the MEP1 and MEP2 algorithms.

When we use Architecture 1, at the setup phase the architecture application
at the control plane creates a single firewall. The firewall reads and stores the
single policy generated by the DCG plane. In Architecture 2, when the data
plane switches register at the controller, the architecture application creates a
firewall assigned to each switch. The firewall processes and stores the policy
generated by the DCG plane for its assigned switch. In Architecture 3, when the
data plane switches register at the controller, the architecture application reads
and processes their generated policies from the DCG plane and pushes the
policies down to the flow tables of the switches.

Fig. 6: Architecture 1 uses a single stateful firewall at the control plane
(Ryu SDN framework: controller with one firewall, FW, holding the firewall
policy; Dynamic Config. & Gov. plane: Seg module producing the firewall policy
and the topology file; southbound API; Mininet data plane with switches, server
and host).

Fig. 7: Architecture 2 uses multiple stateful firewalls at the control plane
(Ryu SDN framework: controller with FW1 and FW2, each holding its own policy;
Dynamic Config. & Gov. plane: Seg module producing the firewall policies and
the topology file; southbound API; Mininet data plane with Switch1 and Switch2,
server and host).

In the operation phase, when the data plane switches of Architecture 1 receive
a packet with no entry in their flow table to handle it, they forward the packet
to the firewall at the control plane. The firewall checks the state of the communication
and the policy to determine the action to be taken by the switch.
If the packet is denied by the policy or the communication is established, the
firewall instructs the switch to insert a flow entry to handle future traffic. The
same happens in Architecture 2, except that here every switch's traffic is handled
by a dedicated firewall at the control plane. In Architecture 3, traffic is handled
completely by the switches without forwarding any traffic to the controller.
Fig. 8: Architecture 3: data plane switches are transformed into stateful firewalls
(Ryu SDN framework: controller; Dynamic Config. & Gov. plane: Seg module
producing the firewall policies and the topology file; southbound API; Mininet
data plane with Switch1/FW1 and Switch2/FW2 holding the FW1 and FW2
policies, server and host).

After implementing and executing the MEP1 and MEP2 algorithms on Architectures
1, 2, and 3, we conclude that for a network that is stable in terms
of resource and policy change, Architecture 3 is the most suitable one. However,
for a dynamic network where resources and policies change frequently, and
therefore the topology needs to be updated frequently, Architecture 2 is most
suitable. Since these architectures are related to network setup procedures and
the way packets are exchanged between the switches and the controller, they are
not affected by the algorithms used in the DCG plane.
The implementation environment consists of the SDN emulator Mininet,
which is used to create the data plane resources and switches. We also used the
BEBA controller, which is based on the Ryu OpenFlow controller. We have implemented
the MEP1 and MEP2 algorithms in all three architectures. In all cases,
after the setup of the environment, we performed a reachability test to confirm
the enforcement of the computed policies, as shown in Figure 9. The three architectures
using the MEP1 and MEP2 algorithms show the expected reachability results:
the policies are enforced correctly. The reachability test is carried out using the
command pingall, where every host tries to ping every other host in the data plane.
In Figure 9, the first line of the system response to the pingall command starts with
filea2, which is the name of the resource initiating the ping request. Then we
have the arrow -> followed by the resource names, such as filea1, weba, and
emaila, indicating successful communication of filea2 with these resources.
An X indicates that the initiating resource fails to access the target resource.
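As an added example, not code from the paper or from its Mininet/Ryu setup, the following Python reads the two branch A policies of Appendix A (Listings 1.1 and 1.2) with first-match INPUT-chain semantics and derives the reachability a pingall run should report, so that the Figure 9 output can be checked against the policies rather than eyeballed. The host table is constructed from the names and addresses of Figures 4 and 9; the parser covers only the options those listings use, and it treats an ICMP echo request as a NEW connection, a simplification of conntrack. The TCP probes at the end show the other half of the policy: a client outside the listed subnets still reaches port 80 on the web server but nothing on the file servers.

```python
import ipaddress
import shlex

# The two INPUT chains of Appendix A (Listings 1.1 and 1.2) as plain iptables
# rules, in the order in which the chain is evaluated.
WEB_EMAIL_POLICY = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -j ACCEPT
-A INPUT -s 10.0.2.0/24 -j ACCEPT
-A INPUT -s 10.0.3.0/24 -j ACCEPT
-A INPUT -s 10.0.4.0/24 -j ACCEPT
-A INPUT -j DROP
"""

FILE_POLICY = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.2.0/24 -j ACCEPT
-A INPUT -s 10.0.3.0/24 -j ACCEPT
-A INPUT -s 10.0.4.0/24 -j ACCEPT
-A INPUT -j DROP
"""

# Constructed host table: the branch A resources whose policies appear above,
# with the names used in the pingall output of Fig. 9 and the addresses of Fig. 4.
HOSTS = {
    "weba": ("10.0.1.1", WEB_EMAIL_POLICY),
    "emaila": ("10.0.1.2", WEB_EMAIL_POLICY),
    "filea1": ("10.0.2.1", FILE_POLICY),
    "filea2": ("10.0.2.2", FILE_POLICY),
}


def parse_rules(text):
    """Parse the subset of iptables syntax used in Appendix A into match dicts."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        rule = {"states": None, "proto": None, "dport": None, "src": None, "target": None}
        i = 0
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt in ("-A", "-m"):          # chain name / match-extension name: no match test
                pass
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(arg)
            elif opt == "-j":
                rule["target"] = arg
            else:
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
            i += 2
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """Every field a rule constrains must agree with the packet."""
    if rule["states"] is not None and pkt["state"] not in rule["states"]:
        return False
    if rule["proto"] is not None and pkt["proto"] != rule["proto"]:
        return False
    if rule["dport"] is not None and pkt["dport"] != rule["dport"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    return True


def verdict(rules, pkt, default="DROP"):
    """First matching rule decides, as in an iptables chain; DROP when none does."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return default


def allowed(dst, src_ip, proto, dport=None, state="NEW", hosts=HOSTS):
    """Does dst's INPUT chain accept a packet with these fields?"""
    pkt = {"src": src_ip, "proto": proto, "dport": dport, "state": state}
    return verdict(parse_rules(hosts[dst][1]), pkt) == "ACCEPT"


def can_ping(src, dst, hosts=HOSTS):
    """An ICMP echo request is a NEW connection from src's address to dst."""
    return allowed(dst, hosts[src][0], "icmp", hosts=hosts)


def expected_pingall(hosts=HOSTS):
    """Reachability the pingall run of Fig. 9 should report, one line per source."""
    lines = []
    for src in hosts:
        cells = [dst if can_ping(src, dst, hosts) else "X" for dst in hosts if dst != src]
        lines.append(f"{src} -> {' '.join(cells)}")
    return lines


if __name__ == "__main__":
    print("\n".join(expected_pingall()))
```

The derived table says that filea2 reaches filea1, weba and emaila, which is the first line of Figure 9, and that the web and email servers cannot ping the file servers, because 10.0.1.0/24 is absent from Listing 1.2. A mismatch between this table and the emulator's output would point at a switch whose flow entries do not reflect the policy the DCG plane generated.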
7 Discussion
We presented the MEP1 and MEP2 algorith to design a network with multiple
entry points. Each of the algorithms presents a design solution. In the
following, we review the strengths and the weaknesses of the network topology
generated by the two algorithms.

Fig. 9: Reachability Test of Data Plane Resources

The MEP1 algorithm generates a network that provides deep layered protection
to all its resources. However, the enhanced security offered by the topology
given by the MEP1 algorithm induces a high implementation cost (more firewalls).
For example, the resource Finance server1 (10.0.8.1) is protected by four
firewalls on each path from any of the two entry points in Figure 4, which
illustrates the network topology generated by the MEP1 algorithm. In the topology
given by the MEP2 algorithm and illustrated by Figure 2, the same resource
(Finance server1) is protected by only three firewalls.
Further, the network generated by the MEP1 algorithm has edges going
from a firewall in a subnetwork to resources in other subnetworks, which could
potentially increase the attack surface in the network. For instance, in Figure 4,
firewall FW17, which is a part of the subnetwork of Branch B, is connected
to the resource Finance server1, which belongs to the subnetwork of Branch
A. This might increase the attack surface for an internal intruder:
through Finance server1 it can reach the two networks. On the other hand, in
the topology generated by the MEP2 algorithm and illustrated by Figure 2, the
resource Finance server1 is isolated in a subnetwork under one firewall, FW9,
which limits the contamination of the rest of the network should an internal
attack be mounted starting from this resource.

Recall that the run time complexity of the MEP1 algorithm is linear in
the sum of sizes of the robust networks created for the input set of resources
Q1, Q2, . . . , Qn, plus the quadratic running time required by the RNS algorithm
on each resource set Qi, 1 ≤ i ≤ n. The runtime of the MEP2 algorithm, on the
other hand, is exponential (due to the construction of the set Inter Set).
Sometimes it is desired to have multiple networks that are logically segregated
within shared infrastructure resources, such as multiple tenants in a shared cloud
environment. Within SDNs, there is literature on multi-domain SDNs [15] and
SDN network slicing [3]. There is a demand for isolating network resources based
on requirements such as speed, performance, and security. Resources can be part
of a specific slice or domain, or shared between slices; to configure the network
for the former case we use the MEP1 algorithm and for the latter MEP2.

Conventional firewalls rely on enforcing traffic filtering at the entry points,
and on the assumption that each machine within the network is to be trusted [4].
Due to the latter assumption, securing the entire network is hard in practice:
firewalls at the entry point do not protect the network from internal attacks. The
RNS algorithm (briefly stated in Section B.2), and consequently the MEP1 and
MEP2 algorithms presented in Section 5, are based on the assumption that no
node is to be trusted. Internal traffic has to satisfy the policies to be allowed
access to resources. If a node wants to communicate with another node, due to
defence in depth, it has to go through internal firewalls to access the destination.
SDNs commonly employ two planes: the data plane and the control plane.
They are designed based on separating control from data traffic. This is a direct
application of the principle of separation of concerns. The RNS, MEP1, and MEP2
algorithms bring in a new concern, that of configuring and governing a network
automatically, and thus a new plane becomes essential. It is the DCG plane,
illustrated in Figure 5a, that separates the governance of the network from the
control and the data traffic. It hides how the topology changes and what the
policies for each firewall are. The algorithms MEP1 and MEP2 presented in this
paper contribute to improving the machinery of the DCG plane by proposing
different design solutions for the topology of SDNs.

In a typical SDN architecture, the control plane has two interfaces: a southbound
interface connecting the SDN controller to the network devices (switches
and routers) in the data plane, and a northbound interface connecting it to external
applications and network management tools at the application plane. The
usage of a DCG plane would require the addition of a new interface to connect it
to the control plane. The new interface enables the DCG plane to communicate
new topology and policy changes to the control plane. This amendment to the SDN
architecture increases the coupling of the control plane and its centrality in the SDN
architecture. This increase of coupling brings more burden on the control plane
that needs to be properly tackled in the detailed design of the control layer.
While for networks with low frequencies of change the communication between
the control and the governance planes is low, for more dynamic networks one
needs to carefully assess the effect of the communication between the DCG and
the control plane on the overall performance of the network.
With the advent of SDNs, many networks of large organizations became heterogeneous,
having legacy subnetworks and software defined subnetworks. The
proposed algorithms can be automatically applied using the DCG plane to the
software defined part of the network, while they can be used manually in legacy
networks. In legacy networks the network manager manually implements the
topology and the firewall policies calculated by the algorithms to ensure that the
access control of the legacy part of the network is secure. While human
interventions are usually prone to errors due to, for example, lack of training,
fatigue, stress, or distractions, in this case these possible errors are significantly
reduced. The network manager's role is limited to entering the computed firewall
policies and network topology at the desired place in the network configuration.
This limited role assigned to the manager significantly reduces the risk compared
to when the role involves calculating the policies of all the firewalls, segmenting
the network, and inputting the right network configuration. Adopting network
configuration review practices and network testing techniques helps catch some
of the human induced errors made while providing the network topology and firewall
policies as input.


8 Conclusion and Future Work

Based on the PFA formalism, we extend the formalism presented in [21] for networks
with single entry points to networks with multiple entry points. We then
present the MEP1 and MEP2 algorithms, prove their correctness and discuss
their running times. Analogously to the RNS algorithm, these algorithms enable
fully automated and dynamic solutions for networks with multiple entry points.
We illustrate this in Section 6.

As part of future work, we will address several questions related to
exploring the most suitable architectures for SDNs implementing multiple entry
points. For example, we will explore whether it is better to have one controller
for each subnetwork related to an entry point or for each arbitrary subnetwork.
For instance, for the topology presented in Figure 2, is it better to have one
controller at the control plane for each of the subnetworks rooted at FW3, FW8,
and FW11? Or, should we have more controllers inside the subnetworks rooted at
FW3, FW8, and FW11? We think that an evaluation study similar
to [2], which was done for the RNS applied to SDNs with a single entry point,
needs to be carried out for robust SDNs with multiple entry points. The architectures
presented in Figures 6, 7, and 8 remain relevant, but we believe that better ones
can be proposed for SDNs with more than one entry point.

The weight function that is used in the RNS algorithm is supposed to capture
security requirements related to access control. There is a wide literature
(e.g., [34]) that uses heuristics in segmentation based on several security
requirement aspects. As part of future work, some of these requirements could
be included in the weight function. We intend to explore these questions in our
future work.

Acknowledgements
Funding: This work was funded by the Natural Sciences and Engineering Research
Council of Canada (NSERC) [grant number RGPIN-2020-06859].
Jou

References
1. Alabbad, M.: A Formal Approach to Secure the Segmentation and Configuration
of Dynamic Networks 2021. Ph.D. thesis, McMaster University (2021)

22
Journal Pre-proof

of
2. Alabbad, M., Khedri, R.: Configuration and governance of dynamic secure SDN.
In: The 12th International Conference on Ambient Systems, Networks and Tech-
nologies (ANT 2021). pp. 1–8. Procedia Computer Science series, Elsevier Science,
Warsaw, Poland (March 23 – 26 2021)
3. Barakabitze, A.A., Ahmad, A., Mijumbi, R., Hines, A.: 5G net-

pro
work slicing using SDN and NFV: A survey of taxonomy, architec-
tures and future challenges. Computer Networks 167, 106984 (2020).
https://doi.org/https://doi.org/10.1016/j.comnet.2019.106984, https:
//www.sciencedirect.com/science/article/pii/S1389128619304773
4. Bellovin, S.M.: Distributed firewalls (1999)
5. Caballero, P., Banchs, A., de Veciana, G., Costa-Pérez, X.: Multi-
tenant radio access network slicing: Statistical multiplexing of spatial
loads. IEEE/ACM Transactions on Networking 25(5), 3044–3058 (2017).
https://doi.org/10.1109/TNET.2017.2720668
6. Chochliouros, I.P., Spiliopoulou, A.S., Lazaridis, P., Dardamanis, A., Zaharis, Z.,
Kostopoulos, A.: Dynamic network slicing: Challenges and opportunities. In: Ma-

re-
glogiannis, I., Iliadis, L., Pimenidis, E. (eds.) Artificial Intelligence Applications
and Innovations. AIAI 2020 IFIP WG 12.5 International Workshops. pp. 47–60.
Springer International Publishing, Cham (2020)
7. Escolar, A.M., Alcaraz-Calero, J.M., Salva-Garcia, P., Bernabe, J.B., Wang, Q.:
Adaptive network slicing in multi-tenant 5G IoT networks. IEEE Access 9, 14048–
14069 (2021). https://doi.org/10.1109/ACCESS.2021.3051940
8. Fægri, T.E., Hallsteinsen, S.O.: A software product line reference ar-
chitecture for security. In: Software Product Lines - Research Issues
lP
in Engineering and Management, pp. 275–326. Springer Berlin Heidel-
berg (2006). https://doi.org/10.1007/978-3-540-33253-4“˙8, https://doi.org/10.
1007/978-3-540-33253-4_8
9. Gries, D., Schenider, F.B.: A Logical Approach to Discrete Math. Springer Texts
And Monographs In Computer Science, Springer-Verlag, New York (1993)
10. Guan, W., Wen, X., Wang, L., Lu, Z., Shen, Y.: A service-oriented deployment
policy of end-to-end network slicing based on complex network theory. IEEE Access
6, 19691–19701 (2018). https://doi.org/10.1109/ACCESS.2018.2822398
11. Höfner, P., Khedri, R., Möller, B.: Feature algebra. In: Misra, J., Nipkow, T., Sek-
rna

erinski, E. (eds.) FM 2006: Formal Methods. Lecture Notes in Computer Science


series, vol. 4085, pp. 300 – 315. Springer, 14th International Symposium on Formal
Methods, McMaster University, Hamilton, Ontario, Canada (August 21 – 27 2006)
12. Höfner, P., Khedri, R., Möller, B.: Algebraic view reconciliation. In: 6th IEEE
International Conferences on Software Engineering and Formal Methods. pp. 85 –
94. Cape Town, South Africa (November 10 – 14, 2008)
13. Höfner, P., Khedri, R., Möller, B.: An algebra of product families. Software &
Systems Modeling 10(2), 161–182 (2011)
14. Höfner, P., Khedri, R., Möller, B.: Supplementing product families with behaviour.
International Journal of Software and Informatics pp. 245–266 (2011)
Jou

15. Katsalis, K., Rofoee, B., Landi, G., Riera, J., Kousias, K., Anastasopoulos, M., Ki-
raly, L., Tzanakaki, A., Korakis, T.: Implementation experience in multi-domain
SDN: Challenges, consolidation and future directions. Computer Networks 129,
142–158 (2017). https://doi.org/https://doi.org/10.1016/j.comnet.2017.09.005,
https://www.sciencedirect.com/science/article/pii/S1389128617303560
16. Khedri, R., Jones, O., Alabbad, M.: Defense in depth formulation and usage in
dynamic access control. In: Maffei, M., Ryan, M. (eds.) Principles of Security and

23
Journal Pre-proof

of
Trust: 6th International Conference, POST 2017, Held as Part of the European
Joint Conferences on Theory and Practice of Software, ETAPS 2017, Uppsala,
Sweden, April 22-29, 2017, Proceedings. pp. 253–274. Springer Berlin Heidelberg,
Berlin, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6“˙12, https:
//doi.org/10.1007/978-3-662-54455-6_12

pro
17. Kumar, R., Goyal, R.: On cloud security requirements, threats, vulnerabil-
ities and countermeasures: A survey. Computer Science Review 33, 1 –
48 (2019). https://doi.org/https://doi.org/10.1016/j.cosrev.2019.05.002, http://
www.sciencedirect.com/science/article/pii/S1574013718302065
18. Kwak, J., Moon, J., Lee, H.W., Le, L.B.: Dynamic network slicing and resource allo-
cation for heterogeneous wireless services. In: 2017 IEEE 28th Annual International
Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC).
pp. 1–5 (2017). https://doi.org/10.1109/PIMRC.2017.8292663
19. Lippmann, R., Ingols, K., Scott, C., Piwowarski, K., Kratkiewicz, K., Artz, M.,
Cunningham, R.: Validating and restoring defense in depth using attack graphs.
In: MILCOM 2006 - 2006 IEEE Military Communications conference. pp. 1 – 10

20.

21.
(Oct 2006)
re-
May, C.J., Hammerstein, J., Mattson, J., Rush, K.: Defense in depth: Foundations
for secure and resilient it enterprises. Tech. rep., Carnegie Mellon University (2006)
Mhaskar, N., Alabbad, M., Khedri, R.: A formal approach to
network segmentation. Computers & Security p. 102162 (2021).
https://doi.org/https://doi.org/10.1016/j.cose.2020.102162, http://www.
sciencedirect.com/science/article/pii/S0167404820304351
22. Minami, Y., Taniguchi, A., Kawabata, T., Sakaida, N., Shimano, K.: An architec-
lP
ture and implementation of automatic network slicing for microservices. In: NOMS
2018 - 2018 IEEE/IFIP Network Operations and Management Symposium. pp. 1–4
(2018). https://doi.org/10.1109/NOMS.2018.8406193
23. Möller, B., Struth, G.: wp is wlp. In: MacCaull, W., Winter, M., Düntsch, I. (eds.)
Relational Methods in Computer Science, Lecture Notes in Computer Science,
vol. 3929, pp. 200–211. Springer Berlin Heidelberg (2006)
24. Olimid, R.F., Nencioni, G.: 5G network slicing: A security overview. IEEE Access
8, 99999–100009 (2020). https://doi.org/10.1109/ACCESS.2020.2997702
25. of the President, E.O.: Executive order 14028 of may 12, 2021: Improving the
rna

nation’s cybersecurity. Federal Register 86(93), 26633–26647 (2021)


26. Rates Crippa, M., Arnold, P., Friderikos, V., Gajic, B., Guerrero, C., Holland, O., Labrador Pavon, I., Sciancalepore, V., Hugo, D.v., Wong, S., Yousaf, F.Z., Sayadi, B.: Resource sharing for a 5G multi-tenant and multi-service architecture. In: European Wireless 2017; 23rd European Wireless Conference. pp. 1–6 (2017)
27. Rubel, P., Ihde, M., Harp, S., Payne, C.: Generating policies for defense in depth. In: 21st Annual Computer Security Applications Conference (ACSAC'05). pp. 10 pp.–514 (Dec 2005). https://doi.org/10.1109/CSAC.2005.26
28. Stawowski, M.: The principles of network security design. ISSA (2007)
29. Stawowski, M.: Network security architecture. ISSA (2009)
30. U.S. Department of Homeland Security: Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies (September 2016)
31. Vacca, J.R., Ellis, S.R.: Firewalls Jumpstart for Network and Systems Administrators. Elsevier (2005)
32. Wagner, N., Şahin, C.Ş., Pena, J., Riordan, J., Neumayer, S.: Capturing the security effects of network segmentation via a continuous-time Markov chain model. In: Proceedings of the 50th Annual Simulation Symposium. pp. 1–12. ANSS '17, Society for Computer Simulation International, San Diego, CA, USA (2017)
33. Wagner, N., Şahin, C.Ş., Pena, J., Streilein, W.W.: Automatic generation of cyber architectures optimized for security, cost, and mission performance: A nature-inspired approach. In: Shandilya, S., Shandilya, S., Nagar, A. (eds.) Advances in Nature-Inspired Computing and Applications. Springer, Cham (2019). https://doi.org/10.1007/978-3-319-96451-5_1
34. Wagner, N., Şahin, C.Ş., Winterrose, M., Riordan, J., Pena, J., Hanson, D., Streilein, W.W.: Towards automated cyber decision support: A case study on network segmentation for security. In: 2016 IEEE Symposium Series on Computational Intelligence (SSCI). pp. 1–10 (Dec 2016). https://doi.org/10.1109/SSCI.2016.7849908
35. Zanzi, L., Giust, F., Sciancalepore, V.: M²EC: A multi-tenant resource orchestration in multi-access edge computing systems. In: 2018 IEEE Wireless Communications and Networking Conference (WCNC). pp. 1–6 (2018). https://doi.org/10.1109/WCNC.2018.8377292

A Policies of the resources used in the illustrative example

A.1 Policies of branch A resources

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.0.1.0/24 -j ACCEPT
-A INPUT -s 10.0.2.0/24 -j ACCEPT
-A INPUT -s 10.0.3.0/24 -j ACCEPT
-A INPUT -s 10.0.4.0/24 -j ACCEPT
-A INPUT -j DROP

Listing 1.1: Web and Email Servers policy

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.2.0/24 -j ACCEPT
-A INPUT -s 10.0.3.0/24 -j ACCEPT
-A INPUT -s 10.0.4.0/24 -j ACCEPT
-A INPUT -j DROP

Listing 1.2: File Servers policy

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.3.0/24 -j ACCEPT
-A INPUT -j DROP

Listing 1.3: Finance Workstations policy

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.4.0/24 -j ACCEPT
-A INPUT -j DROP

Listing 1.4: HR Workstations policy
A.2 Policies of branch B resources

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -s 10.0.5.0/24 -j ACCEPT
-A INPUT -s 10.0.6.0/24 -j ACCEPT
-A INPUT -s 10.0.7.0/24 -j ACCEPT
-A INPUT -j DROP

Listing 1.5: Web and Email Servers policy

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.6.0/24 -j ACCEPT
-A INPUT -j DROP

Listing 1.6: Finance Workstations policy

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.7.0/24 -j ACCEPT
-A INPUT -j DROP

Listing 1.7: HR Workstations policy

A.3 Policies of shared servers

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.3.0/24 -j ACCEPT
-A INPUT -s 10.0.6.0/24 -j ACCEPT
-A INPUT -s 10.0.8.0/24 -j ACCEPT
-A INPUT -j DROP

Listing 1.8: Finance Servers policy

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.0.4.0/24 -j ACCEPT
-A INPUT -s 10.0.7.0/24 -j ACCEPT
-A INPUT -s 10.0.9.0/24 -j ACCEPT
-A INPUT -j DROP

Listing 1.9: HR Servers policy

B Network Segmentation and Robust Network Architecture

In this section, we present the weight function and the robust network architecture as given in [21], for completeness.
B.1 Weight Function

The security situation is a changing aspect of networks. For example, by correlating (in near real-time) events based on aggregated data from logs and traffic, we can get an idea about potential threats to the network and its resources. If the analytics reveal the existence of potential attacks from some traffic sources, then the segmentation needs to take this fact into account. Hence, the policies that allow traffic from these sources ought to be given similar weights, so that their resources are assigned to segments that take this threat into account. Moreover, sometimes we want to keep some resources completely confidential, and we do not allow any notification originating from them. These resources ought to be placed in segments that ensure this confidentiality. The weight function is intended to capture these security requirements. It is a function that takes a policy and gives it a weight that is used in the segmentation.

We abstractly present this function as $w_P : P \to \mathbb{N} \cup \{-1\}$, where $P$ is the set of policies. It quantifies the security requirements of the access control policies. For simplicity, in the remainder of the paper, we use the formulation of $w_P$ presented in [21], which uses weights assigned to the rules of a policy to compute its overall weight, as explained in the following paragraphs. As indicated above, the weight function can be complex and can capture the results of real-time security analytics. The segmentation solution that we propose can incorporate any given weight function. However, articulating the results of the security assessment into a weight function is outside the scope of this paper.
Access control rules carry in their actions implicit security requirements. For instance, the DROP action can be interpreted as implementing stricter security requirements than the REJECT action. Hence the weight of a rule using the DROP action can be deemed higher than that of a rule using REJECT. Moreover, one can consider a rule that allows only internal traffic as representing higher security than a rule that allows external traffic; in this case, traffic that originated internally is considered safer than traffic originating from outside the network. The weight function presented below attempts to capture this aspect of security requirements.
As mentioned above and in [21], an atomic rule is modelled as a guarded command, which is a transition relation from a starting state to one or more end states. Hence the computation of the weight of an atomic rule is based on the weights of its end state(s). The simplest way to achieve this is by assigning weights to the different values of the chosen state attributes and using them to compute the weight of an end state, such that the values having higher security requirements are assigned higher weights. Furthermore, since a chain is as secure as its weakest link, an atomic rule with a relation that maps a starting state to multiple end states has a weight equal to the minimum weight of its end states.
Formally, let $SA_i$, where $1 \le i \le m$, be the different state attributes, and let $V_{SA_i} = \{a_{i1}, a_{i2}, \ldots, a_{in}\}$ be the set of all possible values assigned to $SA_i$. Then $w_{V_{SA_i}} : V_{SA_i} \to \mathbb{Z}$ is the weight function that assigns an integer value to each element in $V_{SA_i}$, such that for any two elements $a_{ik}, a_{il} \in V_{SA_i}$, if the security requirement of $a_{ik}$ is less than that of $a_{il}$, then $w_{V_{SA_i}}(a_{ik}) < w_{V_{SA_i}}(a_{il})$. Let $R$ be the set of all atomic rules for all the resources in the organization. Then $w_R : R \to \mathbb{N} \cup \{-1\}$ is the weight function which assigns to an atomic rule $r \in R$ its corresponding weight. The weight of $1_F$ is taken to be $-1$, as it is a rule that does not bring any security constraints. Furthermore, the weight of a rule $r$ with its domain mapped to multiple end states (say $p$) is the minimum of the weights assigned to its end states. For each end state $s_i$, where $1 \le i \le p$, $v_{s_i} = \mathrm{eval}(w_{V_{SA_1}}, w_{V_{SA_2}}, \ldots, w_{V_{SA_m}})$, where $w_{V_{SA_i}}$ is the weight of the value assigned to the state attribute $SA_i$. For a state $s_i$, the eval function takes the weights of the attributes of $s_i$ and assigns to it an overall security weight $v_{s_i}$. Then, to compute the weight of such an atomic rule, we take the minimum of all the values $v_{s_i}$. Therefore, for an atomic rule $r$ that has $p$ end states, we have $w_R(r) = \min(v_{s_1}, \cdots, v_{s_p})$. The reader can find in [21] an example of computing the weight function.

The weight of a policy or a combined rule $r$ that is formed by the set $A_r$ of atomic rules is the sum of the weights of the atomic rules in $A_r$. Let $P$ be the set of all policies composed of the atomic rules in $R$. Then $w_P : P \to \mathbb{N} \cup \{-1\}$ is the weight function that assigns an integer value to each element in $P$ based on $w_R$. The $1_F$ policy is assigned a weight of $-1$, and the $0_F$ policy is assigned a weight of $+\infty$.
As can be seen, we measure the level of security requirements of a resource by the weight of the policy governing it, such that its security requirements are directly proportional to the weight of its policy. For example, consider two resources $v_1$ and $v_2$, where the weights of their policies are $w_P(p(v_1))$ and $w_P(p(v_2))$, respectively. If $w_P(p(v_2)) < w_P(p(v_1))$, it means that $v_1$ has a higher level of security requirement than $v_2$.
Let $w_R$ be the partial order on the atomic rules based on their weights and $w_P$ be the total order on the policies based also on their weights. Then there exists an order-preserving map $f : w_R \to w_P$ satisfying the following condition:

$$(\forall i \mid 1 \le i \le n \wedge x_i, y_i \text{ are atomic rules} \cdot x_i <_{w_R} y_i) \Leftrightarrow f(P(x_1, x_2, \ldots, x_n)) <_{w_P} f(P(y_1, y_2, \ldots, y_n)),$$

where $P(x_1, x_2, \ldots, x_n)$ and $P(y_1, y_2, \ldots, y_n)$ are the policies consisting of the atomic rules $x_1, x_2, \ldots, x_n$ and $y_1, y_2, \ldots, y_n$, respectively. Since $w_R$ is a partial order, some values of the atomic rules might not have a weight assigned. In this case, the mapping $f$ assigns zero, the neutral value for addition.
Based on the illustrative example, and to express that we consider internal traffic to be safer than external traffic, we also assign a weight of 0 to the policies of the resources that allow traffic originating from outside the network.

B.2 RNS Algorithm

In this section, for completeness, we give an outline of the RNS algorithm (Algorithm 3) proposed in [21], which builds a robust network graph $G$ from a set of resources $R$ with their policies, in time quadratic in the length of the input.

In the RNS algorithm, the root is added first to $G$, and nodes are added in batches (set $T$) to $G$ in decreasing order of their weights. Hence at any given time, when a node $s$ is evaluated to see where it can be added to $G$, the weights of all the nodes already in $G$ are greater than or equal to $s.weight$. While adding $s$ to $G$, clusters of resources are evaluated to see if they can form a segment containing $s$ based on their weights. Note that the weight of any segment containing $s$ is always less than or equal to $s.weight$, and so the maximum weight of any segment containing $s$ is $s.weight$. Therefore, when such a cluster of nodes is identified, we create a gcd node to protect this segment, add it to the root of $G$, and attach the nodes forming this segment to it. Otherwise, we create a temporary node for the cluster and add it to $F$, so that it can be evaluated later when the set ($T$) having the weight of this cluster is being evaluated.

Algorithm 3 Robust Network and Segmentation (RNS) Algorithm

1: procedure Segmentation(R)                   ▷ R = {r1, r2, ..., rn}
2:   G ← NULL                                  ▷ G = (V, E, r)
3:   r ← Create-node(R)                        ▷ Create root r
4:   Add-node-to-G(G, r, ∅, false)             ▷ Add root r to G
5:   S1, S2, ..., Sm ⊂ R such that ⋃_{i=1}^{m} Si = R, and no two subsets have resources with the same policies
6:   F = ∅
7:   for each s ∈ {S1, S2, ..., Sm} do
8:     F = F ∪ Create-node(s)
9:   end for
10:  while F ≠ ∅ do
11:    wmax ← maximum weight of any s ∈ F
12:    T ← ∅
13:    for each s ∈ F do
14:      if s.weight = wmax then
15:        T ← T ∪ s; F ← F − s
16:      end if
17:    end for
18:    Add-Nodeset-to-G(G, F, T, wmax)
19:  end while
20: end procedure
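As an added example (not code from the paper or from [21]), the following Python applies the weight function of Section B.1 to the branch A policies of Appendix A and then forms the decreasing-weight batches of steps 10–17 of Algorithm 3. The attribute weights (action DROP > REJECT > ACCEPT, internal source > unrestricted source), the 10.0.0.0/8 internal range, and the criterion for "allows external traffic" (ACCEPT of NEW connections with no source restriction, which yields the weight 0 of Section B.1) are all assumptions made for the example; `Add-Nodeset-to-G` is not reproduced here.

```python
import ipaddress

# Branch A policies, constructed inline from Appendix A (Listings 1.1-1.4).
COMMON = ["-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
          "-A INPUT -m state --state INVALID -j DROP"]
POLICIES = {
    "web_email": COMMON + [
        "-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT",
        "-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT",
        "-A INPUT -s 10.0.1.0/24 -j ACCEPT", "-A INPUT -s 10.0.2.0/24 -j ACCEPT",
        "-A INPUT -s 10.0.3.0/24 -j ACCEPT", "-A INPUT -s 10.0.4.0/24 -j ACCEPT",
        "-A INPUT -j DROP"],
    "file": COMMON + ["-A INPUT -s 10.0.2.0/24 -j ACCEPT", "-A INPUT -s 10.0.3.0/24 -j ACCEPT",
                      "-A INPUT -s 10.0.4.0/24 -j ACCEPT", "-A INPUT -j DROP"],
    "finance_ws": COMMON + ["-A INPUT -s 10.0.3.0/24 -j ACCEPT", "-A INPUT -j DROP"],
    "hr_ws": COMMON + ["-A INPUT -s 10.0.4.0/24 -j ACCEPT", "-A INPUT -j DROP"],
}

# Assumed attribute weights w_{V_SA} (not the paper's): a stricter value gets a higher weight.
W_ACTION = {"ACCEPT": 1, "REJECT": 2, "DROP": 3}   # attribute SA_1: action
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed organisation range

def parse_rule(line):
    """Pull the attributes we weight out of one iptables-save style rule."""
    toks = line.split()
    opt = lambda flag: toks[toks.index(flag) + 1] if flag in toks else None
    return {"action": opt("-j"), "src": opt("-s"), "state": opt("--state")}

def rule_weight(rule):
    """w_R(r): one end state per rule here, so eval() is the sum of attribute weights
    (a rule with several end states would take the minimum over them)."""
    src_w = 2 if rule["src"] and ipaddress.ip_network(rule["src"]).subnet_of(INTERNAL) else 0
    return W_ACTION[rule["action"]] + src_w        # SA_2: source scope

def admits_external(rule):
    """Assumed criterion: ACCEPT of new connections with no source restriction."""
    return (rule["action"] == "ACCEPT" and rule["src"] is None
            and rule["state"] != "RELATED,ESTABLISHED")

def policy_weight(lines):
    """w_P(p): sum of w_R over the atomic rules, or 0 if external traffic is allowed."""
    rules = [parse_rule(l) for l in lines]
    if any(admits_external(r) for r in rules):
        return 0
    return sum(rule_weight(r) for r in rules)

def weight_batches(policies):
    """Steps 10-17 of Algorithm 3: peel off the set T of weight wmax from F until F is empty."""
    f = {name: policy_weight(lines) for name, lines in policies.items()}
    batches = []
    while f:
        wmax = max(f.values())
        t = sorted(name for name, w in f.items() if w == wmax)
        f = {name: w for name, w in f.items() if w != wmax}
        batches.append((wmax, t))
    return batches
```

With these assumed weights the file servers form the first batch (16), the two workstation groups the second (10), and the web and email servers, which admit external traffic, the last (0).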
Below we provide the theorem statements of the results [21, Theorems 2, 3] for completeness.

Theorem 5. [21, Theorem 2] The RNS Algorithm constructs a robust network graph.

Theorem 6. [21, Theorem 3] Let $R = \{r_1, r_2, \ldots, r_n\}$ be the input of size $n$ to the RNS Algorithm. Then, the running time of RNS is $O(n^2)$.
Dr. Ridha Khedri is a Professor of Software Engineering at the Department of Computing and Software, McMaster University. He is a licensed professional engineer in the province of Ontario and is a member of the Association for Computing Machinery and the IEEE Computer Society. He has authored over 80 peer-reviewed articles and has supervised more than 20 graduate students. His research interests include algebraic methods in software engineering, information security policies analysis, cryptographic-key distribution scheme analysis, data cleansing, software product families, formal software requirements analysis, and medical device software.

Dr. Neerja Mhaskar is an Assistant Professor at the Department of Computing and Software, McMaster University. She is a licensed professional engineer in the province of Ontario and is a member of the Association for Computing Machinery (ACM). Her research focuses on data structures and algorithms, and network security. In particular, she is interested in algorithms on strings for pattern matching, algorithms for designing a secure network, analyzing patterns in big data, developing tools and data structures for data compression, and information retrieval.

Dr. Mohammed Alabbad is an assistant research professor at the Cybersecurity Institute, King Abdulaziz City for Science and Technology (KACST), Riyadh, Saudi Arabia. He received his Ph.D. and M.A.Sc. in Software Engineering from McMaster University, Hamilton, Ontario, Canada, in 2021 and 2013, respectively. He received his B.Sc. degree in Computer Science from King Saud University, Riyadh, Saudi Arabia, in 2006. His research interests include cybersecurity, network security, network design and segmentation, formal methods, and software design.
Credit Author Statement

Neerja Mhaskar: Methodology, Validation, Formal analysis, Writing
Mohammed Alabbad: Methodology, Software, Validation, Formal analysis, Writing
Ridha Khedri: Conceptualization, Methodology, Formal analysis, Writing, Supervision, Funding acquisition
Declaration of Interest Statement

Declaration of interests

☐ The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

☒ The authors declare the following financial interests/personal relationships which may be considered as potential competing interests:

Ridha Khedri reports financial support was provided by the Natural Sciences and Engineering Research Council of Canada. Neerja Mhaskar, Ridha Khedri, and Mohammed Alabbad have a patent, METHOD AND SYSTEM FOR DETERMINING DESIGN AND SEGMENTATION FOR ROBUST NETWORK ACCESS SECURITY, pending to McMaster University.