{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,11]],"date-time":"2025-09-11T18:21:34Z","timestamp":1757614894585,"version":"3.44.0"},"reference-count":40,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2025,7,21]],"date-time":"2025-07-21T00:00:00Z","timestamp":1753056000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,7,21]],"date-time":"2025-07-21T00:00:00Z","timestamp":1753056000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100005366","name":"University of Oslo","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100005366","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2025,8]]},"abstract":"Abstract<\/jats:title>\n Conflicts between network policies are frequent in today\u2019s computer networks due to the increasing complexity of network configuration. Resolving policy anomalies usually requires network administrator intervention, which is a time-intensive and error-prone process. This paper presents inference systems for the automatic resolution of OpenFlow anomalies. The approach uses high-level policies to detect conflict correction without policy violations. Our approach is fully automated and does not require interaction with the network administrator. Although there is a multitude of research papers on detecting anomalies in SDN, research to correct those anomalies in an automatic manner is very scarce, if not non-existent. We have formally proven the soundness and completeness of our inference systems. Furthermore, we provide experimental results based on real-life network configurations involving more than 1200 rules. The detection and correction processes exhibit very low computation overhead, in the order of milliseconds, when parallelization is used.<\/jats:p>","DOI":"10.1007\/s10207-025-01035-x","type":"journal-article","created":{"date-parts":[[2025,7,21]],"date-time":"2025-07-21T18:10:15Z","timestamp":1753121415000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["A formal technique for automatic resolution of OpenFlow anomalies"],"prefix":"10.1007","volume":"24","author":[{"given":"Ramtin","family":"Aryan","sequence":"first","affiliation":[]},{"given":"Anis","family":"Yazidi","sequence":"additional","affiliation":[]},{"given":"Adel","family":"Bouhoula","sequence":"additional","affiliation":[]},{"given":"Paal E.","family":"Engelstad","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,7,21]]},"reference":[{"key":"1035_CR1","doi-asserted-by":"crossref","unstructured":"Aryan, R., Yazidi, A., Bouhoula, A., Engelstad, P.E.: Net auto-solver: a formal approach for automatic resolution of openflow anomalies. In: 2020 IEEE 45th Conference on Local Computer Networks (LCN), pp.\u00a0357\u2013360. IEEE (2020)","DOI":"10.1109\/LCN48667.2020.9314851"},{"key":"1035_CR2","doi-asserted-by":"crossref","unstructured":"Aryan, R., Yazidi, A., Engelstad, P.E., Kure, \u00d8.: A general formalism for defining and detecting openflow rule anomalies. In: 42nd IEEE Conference on Local Computer Networks. Institute of Electrical and Electronics Engineers (IEEE) (2017)","DOI":"10.1109\/LCN.2017.94"},{"key":"1035_CR3","doi-asserted-by":"crossref","unstructured":"Shaghaghi, A., Kaafar, M.A., Buyya, R., Jha, S.: Software-defined network (sdn) data plane security: issues, solutions, and future directions. In: Principles and Paradigms, Handbook of Computer Networks and Cyber Security, pp. 341\u2013387 (2020)","DOI":"10.1007\/978-3-030-22277-2_14"},{"key":"1035_CR4","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2022.108802","volume":"206","author":"R Deb","year":"2022","unstructured":"Deb, R., Roy, S.: A comprehensive survey of vulnerability and information security in sdn. Comput. Netw. 206, 108802 (2022)","journal-title":"Comput. Netw."},{"key":"1035_CR5","doi-asserted-by":"publisher","first-page":"364","DOI":"10.1016\/j.future.2022.03.014","volume":"133","author":"R Aryan","year":"2022","unstructured":"Aryan, R., Yazidi, A., Brattensborg, F., Kure, \u00d8., Engelstad, P.E.: Sdn spotlight: a real-time openflow troubleshooting framework. Future Gener. Comput. Syst. 133, 364\u2013377 (2022)","journal-title":"Future Gener. Comput. Syst."},{"key":"1035_CR6","unstructured":"Kazemian, P., Varghese, G., McKeown, N.: Header space analysis: static checking for networks. In: Presented as part of the 9th $$\\{$$USENIX$$\\}$$ Symposium on Networked Systems Design and Implementation ($$\\{$$NSDI$$\\}$$ 12), pp.\u00a0113\u2013126 (2012)"},{"key":"1035_CR7","unstructured":"Kazemian, P., Chang, M., Zeng, H., Varghese, G., McKeown, N., Whyte, S.: Real time network policy checking using header space analysis. In: Proceedings of 10th USENIX Conference in Networked System Design Implementation, pp. 99\u2013112 (2013)"},{"key":"1035_CR8","unstructured":"Khurshid, A., Zou, X., Zhou, W., Caesar, M., Godfrey, P.B.: Veriflow: verifying network-wide invariants in real time. In: Presented as part of the 10th $$\\{$$USENIX$$\\}$$ Symposium on Networked Systems Design and Implementation ($$\\{$$NSDI$$\\}$$ 13), pp.\u00a015\u201327 (2013)"},{"key":"1035_CR9","doi-asserted-by":"crossref","unstructured":"Yazidi, A., Bouhoula, A.: On assisted packet filter conflicts resolution: an iterative relaxed approach. In: 2016 IEEE 41st Conference on Local Computer Networks (LCN), pp.\u00a035\u201342 (2016)","DOI":"10.1109\/LCN.2016.15"},{"key":"1035_CR10","unstructured":"Zhou, W., Croft, J., Liu, B., Ang, E., Caesar, M.: Automatically correcting networks with neat. In: 15th $$\\{$$USENIX$$\\}$$ Symposium on Networked Systems Design and Implementation ($$\\{$$NSDI$$\\}$$ 18), pp.\u00a0595\u2013608 (2018)"},{"issue":"4","key":"1035_CR11","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1145\/2829988.2787506","volume":"45","author":"C Prakash","year":"2015","unstructured":"Prakash, C., Lee, J., Turner, Y., Kang, J.-M., Akella, A., Banerjee, S., Clark, C., Ma, Y., Sharma, P., Zhang, Y.: Pga: using graphs to express and automatically reconcile network policies. ACM SIGCOMM Comput. Commun. Rev. 45(4), 29\u201342 (2015)","journal-title":"ACM SIGCOMM Comput. Commun. Rev."},{"key":"1035_CR12","doi-asserted-by":"crossref","unstructured":"Al-Shaer, E.S., Hamed, H.H.: Firewall policy advisor for anomaly discovery and rule editing. In: IFIP\/IEEE Eighth International Symposium on Integrated Network Management, pp.\u00a017\u201330. IEEE (2003)","DOI":"10.1007\/978-0-387-35674-7_2"},{"issue":"9","key":"1035_CR13","doi-asserted-by":"publisher","DOI":"10.1002\/dac.4815","volume":"34","author":"AB Asif","year":"2021","unstructured":"Asif, A.B., Imran, M., Shah, N., Afzal, M., Khurshid, H.: Roca: auto-resolving overlapping and conflicts in access control list policies for software defined networking. Int. J. Commun Syst 34(9), e4815 (2021)","journal-title":"Int. J. Commun Syst"},{"key":"1035_CR14","doi-asserted-by":"crossref","unstructured":"Tian, B., Zhang, X., Zhai, E., Liu, H.H., Ye, Q., Wang, C., Wu, X., Ji, Z., Sang, Y., Zhang, M., et\u00a0al.: Safely and automatically updating in-network acl configurations with intent language. In: Proceedings of the ACM Special Interest Group on Data Communication, pp.\u00a0214\u2013226 (2019)","DOI":"10.1145\/3341302.3342088"},{"key":"1035_CR15","doi-asserted-by":"crossref","unstructured":"Kheradmand, A.: Automatic inference of high-level network intents by mining forwarding patterns. In: Proceedings of the Symposium on SDN Research, pp.\u00a027\u201333 (2020)","DOI":"10.1145\/3373360.3380831"},{"key":"1035_CR16","doi-asserted-by":"crossref","unstructured":"Fan, Z., Wu, H., Xu, J., Tang, Y.: An optimization algorithm for spatial information network self-healing based on software defined network. In: 2017 12th International Conference on Computer Science and Education (ICCSE), pp.\u00a0369\u2013374. IEEE (2017)","DOI":"10.1109\/ICCSE.2017.8085519"},{"key":"1035_CR17","doi-asserted-by":"crossref","unstructured":"B\u0103lu\u0163\u0103, A., Soare, R.M., Rughini\u015f, R., Turcanu, D.: Geckonet-self-healing sdn framework. In: 2024 23rd RoEduNet Conference: Networking in Education and Research (RoEduNet), pp.\u00a01\u20136. IEEE (2024)","DOI":"10.1109\/RoEduNet64292.2024.10722172"},{"key":"1035_CR18","unstructured":"Prometheus monitoring. https:\/\/grafana.com\/oss\/prometheus\/. Accessed 10 Jan 2025"},{"key":"1035_CR19","unstructured":"Grafana monitoring. https:\/\/grafana.com\/oss\/grafana\/. Accessed 10 Jan 2025"},{"key":"1035_CR20","unstructured":"Gember, A., Shrestha, R., Sun, X.: Localizing router configuration errors using minimal correction sets. arXiv:2204.10785 (2022)"},{"key":"1035_CR21","first-page":"1","volume":"75","author":"J Yao","year":"2023","unstructured":"Yao, J., Jiang, Z., Zou, K., Weng, S., Li, Y., Li, D., Li, Y., Cao, X.: Fast verification of network configuration updates. Comput. Mater. Contin. 75, 1 (2023)","journal-title":"Comput. Mater. Contin."},{"issue":"2","key":"1035_CR22","doi-asserted-by":"publisher","first-page":"1559","DOI":"10.1109\/TDSC.2022.3160293","volume":"20","author":"D Bringhenti","year":"2023","unstructured":"Bringhenti, D., Marchetto, G., Sisto, R., Valenza, F., Yusupov, J.: Automated firewall configuration in virtual networks. IEEE Trans. Depend. Secure Comput. 20(2), 1559\u20131576 (2023)","journal-title":"IEEE Trans. Depend. Secure Comput."},{"key":"1035_CR23","doi-asserted-by":"crossref","unstructured":"Shahriyar, M.M., Saha, G., Bhattacharjee, B., Reaz, R.: Deft: distributed, elastic, and fault-tolerant state management of network functions. In: 2023 19th International Conference on Network and Service Management (CNSM), pp.\u00a01\u20137. IEEE (2023)","DOI":"10.23919\/CNSM59352.2023.10327813"},{"issue":"3\u20134","key":"1035_CR24","first-page":"238","volume":"28","author":"H Sekar","year":"2024","unstructured":"Sekar, H., Vasudevan, S.K.: Openflow groups based fast failover mechanism for software defined networks. Int. J. Adv. Intell. Paradigms 28(3\u20134), 238\u2013252 (2024)","journal-title":"Int. J. Adv. Intell. Paradigms"},{"issue":"4","key":"1035_CR25","doi-asserted-by":"publisher","first-page":"83","DOI":"10.1007\/s10922-023-09772-x","volume":"31","author":"A Menaceur","year":"2023","unstructured":"Menaceur, A., Drid, H., Rahouti, M.: Fault tolerance and failure recovery techniques in software-defined networking: a comprehensive approach. J. Netw. Syst. Manag. 31(4), 83 (2023)","journal-title":"J. Netw. Syst. Manag."},{"key":"1035_CR26","unstructured":"Shi, L., Wang, Y., Alur, R., Loo, B.T.: Netrep: automatic repair for network programs (2021). arXiv preprint arXiv:2110.06303"},{"key":"1035_CR27","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1016\/j.jocs.2017.09.003","volume":"23","author":"A Sa\u00e2daoui","year":"2017","unstructured":"Sa\u00e2daoui, A., Souayeh, N., Bouhoula, A.: Fare: Fdd-based firewall anomalies resolution tool. J. Comput. Sci. 23, 181\u2013191 (2017)","journal-title":"J. Comput. Sci."},{"key":"1035_CR28","doi-asserted-by":"crossref","unstructured":"Hussain, M., Shah, N.: Automatic rule installation in case of policy change in software defined networks. Telecommun. Syst. 68(3), 461\u2013477 (2018)","DOI":"10.1007\/s11235-017-0404-2"},{"key":"1035_CR29","doi-asserted-by":"crossref","unstructured":"Aryan, R., Yazidi, A., Engelstad, P.E.: An incremental approach for swift openflow anomaly detection. In: 2018 IEEE 43rd Conference on Local Computer Networks (LCN), pp.\u00a0502\u2013510. IEEE (2018)","DOI":"10.1109\/LCN.2018.8638226"},{"key":"1035_CR30","doi-asserted-by":"crossref","unstructured":"Pere\u0161\u00edni, P., Ku\u017aniar, M., and Kosti\u0107, D.: Monocle: dynamic, fine-grained data plane monitoring. In: Proceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies, p.\u00a032. ACM (2015)","DOI":"10.1145\/2716281.2836117"},{"key":"1035_CR31","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2020.107706","volume":"184","author":"M Ibrar","year":"2021","unstructured":"Ibrar, M., Wang, L., Muntean, G.-M., Akbar, A., Shah, N., Malik, K.R.: Prepass-flow: a machine learning based technique to minimize acl policy violation due to links failure in hybrid sdn. Comput. Netw. 184, 107706 (2021)","journal-title":"Comput. Netw."},{"key":"1035_CR32","unstructured":"He, H., Yang, S., Zhou, X., Wang, J.: Smwt: a universal and lightweight sdn-based meter table watermarking traceback scheme. In: 2023 24st Asia-Pacific Network Operations and Management Symposium (APNOMS), pp.\u00a071\u201376. IEEE (2023)"},{"key":"1035_CR33","doi-asserted-by":"publisher","first-page":"140","DOI":"10.1016\/j.future.2022.04.006","volume":"134","author":"B Yan","year":"2022","unstructured":"Yan, B., Liu, Q., Shen, J., Liang, D.: Flowlet-level multipath routing based on graph neural network in openflow-based sdn. Future Gener. Comput. Syst. 134, 140\u2013153 (2022)","journal-title":"Future Gener. Comput. Syst."},{"key":"1035_CR34","unstructured":"Attarian, R., Mohammadi, E., Wang, T., Beni, E.H.: Mixflow: assessing mixnets anonymity with contrastive architectures and semantic network information. Cryptology ePrint Archive (2023)"},{"key":"1035_CR35","unstructured":"Piotrowska, A.M., Hayes, J., Elahi, T., Meiser, S., Danezis, G.: The loopix anonymity system. In: 26th Usenix Security Symposium (usenix security 17), pp.\u00a01199\u20131216 (2017)"},{"issue":"3","key":"1035_CR36","doi-asserted-by":"publisher","first-page":"318","DOI":"10.1109\/TDSC.2012.20","volume":"9","author":"H Hu","year":"2012","unstructured":"Hu, H., Ahn, G.-J., Kulkarni, K.: Detecting and resolving firewall policy anomalies. IEEE Trans. Depend. Secure Comput. 9(3), 318\u2013331 (2012)","journal-title":"IEEE Trans. Depend. Secure Comput."},{"key":"1035_CR37","unstructured":"Rocketfuel. http:\/\/research.cs.washington.edu\/networking\/rocketfuel\/\/. Accessed 01 Jan 2025"},{"key":"1035_CR38","unstructured":"Stanford backbone. https:\/\/github.com\/wuyangjack\/standford-backbone. Accessed 25 Feb 2025"},{"key":"1035_CR39","unstructured":"Mininet. http:\/\/mininet.org\/. Accessed 01 Jan 2025"},{"key":"1035_CR40","unstructured":"Ryu. https:\/\/ryu-sdn.org\/. Accessed 01 Feb 2025"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01035-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-01035-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01035-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,5]],"date-time":"2025-09-05T11:33:19Z","timestamp":1757071999000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-01035-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,21]]},"references-count":40,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2025,8]]}},"alternative-id":["1035"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-01035-x","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2025,7,21]]},"assertion":[{"value":"21 July 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"All potential conflicts of interest related to the funding source were disclosed and managed in accordance with the policies of OsloMet University. All authors declare that they have no conflicts of interest related to this research.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"181"}}