{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,25]],"date-time":"2025-10-25T14:17:54Z","timestamp":1761401874565,"version":"build-2065373602"},"reference-count":25,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2017,4,21]],"date-time":"2017-04-21T00:00:00Z","timestamp":1492732800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],
"abstract":"<jats:p>For a Software Defined Network (SDN), security is an important factor affecting its large-scale deployment. The existing security solutions for SDN mainly focus on the controller itself, which has to handle all the security protection tasks by using the programmability of the network. This will undoubtedly involve a heavy burden for the controller. More devastatingly, once the controller itself is attacked, the entire network will be paralyzed. Motivated by this, this paper proposes a novel security protection architecture for SDN. We design a security service orchestration center in the control plane of SDN, and this center physically decouples from the SDN controller and constructs SDN security services. We adopt virtualization technology to construct a security meta-function library, and propose a dynamic security service composition construction algorithm based on web service composition technology. The rule-combining method is used to combine security meta-functions to construct security services which meet the requirements of users. Moreover, the RETE algorithm is introduced to improve the efficiency of the rule-combining method. We evaluate our solutions in a realistic scenario based on OpenStack. Substantial experimental results demonstrate the effectiveness of our solutions that contribute to achieve the effective security protection with a small burden of the SDN controller.<\/jats:p>",
"DOI":"10.3390\/s17040920","type":"journal-article","created":{"date-parts":[[2017,4,21]],"date-time":"2017-04-21T10:59:30Z","timestamp":1492772370000},"page":"920","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["Dynamic Construction Scheme for Virtualization Security Service in Software-Defined Networks"],"prefix":"10.3390","volume":"17",
"author":[{"given":"Zhaowen","family":"Lin","sequence":"first","affiliation":[{"name":"Network and Information Center, Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China"},{"name":"Science and Technology on Information Transmission and Dissemination in Communication Networks Laboratory, Beijing University of Posts and Telecommunications, Beijing 100876, China"},{"name":"National Engineering Laboratory for Mobile Network Security, Beijing University of Posts and Telecommunications, Beijing 100876, China"}]},{"given":"Dan","family":"Tao","sequence":"additional","affiliation":[{"name":"School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing 100044, China"},{"name":"Jiangsu High Technology Research Key Laboratory for Wireless Sensor Networks, Nanjing 210003, China"}]},{"given":"Zhenji","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing 100044, China"}]}],"member":"1968","published-online":{"date-parts":[[2017,4,21]]},
"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"4002","DOI":"10.1002\/sec.1582","article-title":"A speculative approach to spatial-temporal efficiency with multi-objective optimization in a heterogeneous cloud environment","volume":"9","author":"Liu","year":"2016","journal-title":"Secur. Commun. Netw."},
{"key":"ref_2","unstructured":"(2017, April 21). Software-Defined Networking. Available online: https:\/\/www.opennetworking.org\/sdn-resources\/sdn-definition."},
{"key":"ref_3","first-page":"69","article-title":"OpenFlow: Enabling Innovation in Campus Networks","volume":"38","author":"Dave","year":"2014","journal-title":"ACM SIGCOMM Comput. Commun. Rev."},
{"key":"ref_4","doi-asserted-by":"crossref","first-page":"114","DOI":"10.1109\/MCOM.2013.6461195","article-title":"Improving network management with software defined networking","volume":"51","author":"Kim","year":"2013","journal-title":"IEEE Commun. Mag."},
{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Hong, S., Xu, L., Wang, H., and Gu, G. (2015, January 8\u201311). Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures. Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, USA.","DOI":"10.14722\/ndss.2015.23283"},
{"key":"ref_6","unstructured":"Cheung, S., Fong, M., Porras, P., Skinner, K., and Yegneswaran, V. (2015, January 8\u201311). Securing the Software-Defined Network Control Layer. Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA."},
{"key":"ref_7","doi-asserted-by":"crossref","first-page":"36","DOI":"10.1109\/MCOM.2013.6553676","article-title":"Are we ready for SDN Implementation challenges for software-defined networks","volume":"51","author":"Sezer","year":"2013","journal-title":"IEEE Commun. Mag."},
{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Shin, S., and Gu, G. (2013, January 12\u201316). Attacking software-defined networks: A first feasibility study. Proceedings of the ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, Hong Kong, China.","DOI":"10.1145\/2491185.2491220"},
{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Wang, H., Xu, L., and Gu, G. (2015, January 22\u201325). FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks. Proceedings of the IEEE\/IFIP International Conference on Dependable Systems and Networks, Rio de Janeiro, Brazil.","DOI":"10.1109\/DSN.2015.27"},
{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Porras, P., Shin, S., Yegneswaran, V., Fong, M., Tyson, M., and Gu, G. (2012, January 13\u201317). A security enforcement kernel for OpenFlow networks. Proceedings of the First Workshop on Hot Topics in Software Defined Networks, Elsinki, Finland.","DOI":"10.1145\/2342441.2342466"},
{"key":"ref_11","doi-asserted-by":"crossref","first-page":"493","DOI":"10.1109\/SURV.2013.081313.00105","article-title":"Network Innovation using OpenFlow: A Survey","volume":"16","author":"Jervis","year":"2014","journal-title":"IEEE Commun. Surv. Tutor."},
{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Kreutz, D., Ramos, F.M.V., and Verissimo, P. (2013, January 12\u201316). Towards secure and dependable software-defined networks. Proceedings of the ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, Hong Kong, China.","DOI":"10.1145\/2491185.2491199"},
{"key":"ref_13","unstructured":"Xue, C., Ma, C.-Q., Liu, Z.-B., and Zhang, Q.-L. (2014). Design of Secure SDN controller Architecture. Netinfo Secur."},
{"key":"ref_14","first-page":"2298","article-title":"VSA and SDS: Two Security Architectures in SDN","volume":"34","author":"Qiu","year":"2013","journal-title":"J. Chin. Comput. Syst."},
{"key":"ref_15","first-page":"8","article-title":"Network Virtualization and Network Function Virtualization","volume":"23","author":"Zhao","year":"2014","journal-title":"ZTE Technol. J."},
{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Kim, J., Firoozjaei, M.D., Jeong, J.P., and Kim, H. (2015, January 28\u201330). SDN-based security services using interface to network security functions. Proceedings of the 2015 International Conference on Information and Communication Technology Convergence (ICTC), Jeju Island, Korea.","DOI":"10.1109\/ICTC.2015.7354602"},
{"key":"ref_17","doi-asserted-by":"crossref","first-page":"218","DOI":"10.1016\/j.ins.2014.04.054","article-title":"Web services composition: A decade overview","volume":"280","author":"Sheng","year":"2014","journal-title":"Inf. Sci."},
{"key":"ref_18","doi-asserted-by":"crossref","first-page":"82","DOI":"10.1109\/TSC.2012.33","article-title":"A Scalable Architecture for Automatic Service Composition","volume":"7","author":"Paik","year":"2014","journal-title":"IEEE Trans. Serv. Comput."},
{"key":"ref_19","unstructured":"Tambe, M., Kalp, D., and Rosenbloom, P. (1995). Uni-Rete: Specializing the Rete Match Algorithm for the Unique-Attribute Representation, Computer Science Department, Carnegie Mellon University."},
{"key":"ref_20","first-page":"1202","article-title":"Some Thoughts About Network Security and Protection","volume":"16","author":"Hu","year":"2008","journal-title":"Comput. Knowl. Technol."},
{"key":"ref_21","unstructured":"Noureddine, B. (2010). Security of Mobile Communications, CRC Press."},
{"key":"ref_22","first-page":"676","article-title":"Intrusion Detection Systems","volume":"20","author":"Zhang","year":"2001","journal-title":"Appl. Res. Comput."},
{"key":"ref_23","unstructured":"(2017, April 21). RETE Algorithm. Available online: https:\/\/en.wikipedia.org\/wiki\/Rete$_$algorithm."},
{"key":"ref_24","first-page":"211","article-title":"A RETE Rule Reasoning Algorithm Based on the Audit Method Ontology","volume":"7","author":"Liu","year":"2014","journal-title":"Int. J. Hybrid Inf. Technol."},
{"key":"ref_25","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1016\/j.knosys.2016.10.016","article-title":"A belief propagation-based method for Task Allocation in Open and Dynamic Cloud Environments","volume":"115","author":"Kong","year":"2016","journal-title":"Knowl.-Based Syst."}],
"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/17\/4\/920\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T18:33:10Z","timestamp":1760207590000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/17\/4\/920"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,4,21]]},"references-count":25,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2017,4]]}},"alternative-id":["s17040920"],"URL":"https:\/\/doi.org\/10.3390\/s17040920","relation":{},"ISSN":["1424-8220"],"issn-type":[{"type":"electronic","value":"1424-8220"}],"subject":[],"published":{"date-parts":[[2017,4,21]]}}}