Secure and Dependable Virtual Network Embedding
One of the fundamental problems in network virtualization is Virtual Network Embedding (VNE). The VNE problem deals with finding an effective mapping of the virtual nodes and links onto the substrate network. The recent advances in network virtualization gave cloud operators the ability to extend their cloud computing offerings with virtual networks. This trend, jointly with the increasing evidence of incidents in cloud facilities, demonstrates that security and dependability are becoming critical factors that should be considered by VNE algorithms. In this abstract we propose a VNE solution that considers security and dependability as first-class citizens. The resiliency properties of our solution are enhanced by assuming a multiple cloud provider model.
💡 Research Summary
The paper addresses a critical gap in the Virtual Network Embedding (VNE) literature by incorporating security and dependability (fault‑tolerance) as first‑class design objectives. Traditional VNE formulations focus on maximizing provider revenue while respecting node processing capacity and link bandwidth constraints. However, the rapid adoption of network virtualization in cloud environments has exposed tenants to a growing range of threats, ranging from malicious insider attacks (e.g., side‑channel or replay attacks) to benign failures such as cloud outages. Existing security‑aware VNE work (e.g., Liu et al., ICC’14) does not consider dependability and assumes a single, fully trusted cloud provider, leaving the solution vulnerable to single points of failure.
The authors propose a novel VNE framework that (i) defines explicit security levels for physical resources and requires that each virtual node or link be placed on a substrate element whose security rating meets or exceeds the virtual demand, (ii) introduces dependability constraints by specifying a replication level for each virtual resource and ensuring that sufficient redundant computing and communication capacity is allocated, and (iii) adopts a multi‑cloud model that combines tenant‑owned private clouds with public cloud providers. In this model, sensitive virtual machines are forced to reside in the private cloud, while non‑sensitive workloads can be replicated across multiple public clouds to increase resilience and reduce the impact of a single provider outage.
The problem is mathematically formulated as a Mixed‑Integer Program (MIP). The objective remains cost minimization, but the constraint set is significantly expanded: (1) security‑level constraints for nodes and paths, (2) anti‑co‑location constraints to prevent potentially harmful virtual machines from sharing the same physical host, (3) replication constraints for dependability, and (4) placement restrictions that keep sensitive assets out of public clouds. While this formulation precisely captures the desired properties, the authors acknowledge that solving the MIP at realistic data‑center scales is computationally prohibitive.
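The four constraint classes can be read as a feasibility check on a candidate node placement. The sketch below is an added example, not the paper's MIP or the authors' code: it covers node placement only (no links or paths), and the integer security scale, the `Host`/`VNode` data model and all sample names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:  # substrate node (hypothetical model)
    name: str
    private: bool  # True = tenant-owned private cloud, False = public cloud
    sec: int       # security level offered (integer scale is an assumption)

@dataclass(frozen=True)
class VNode:  # virtual node demand (hypothetical model)
    name: str
    sec: int        # minimum security level demanded
    replicas: int   # replication level: copies to place on distinct hosts
    sensitive: bool = False
    conflicts: frozenset = frozenset()  # names it must not share a host with

def check_embedding(vnodes, hosts, placement):
    """Return violated constraints ([] = feasible). placement: vnode -> host names."""
    by_host = {h.name: h for h in hosts}
    errors = []
    for v in vnodes:
        placed = [by_host[n] for n in placement.get(v.name, [])]
        names = {h.name for h in placed}
        for h in placed:
            if h.sec < v.sec:  # (1) host rating must meet or exceed the demand
                errors.append(f"{v.name}: security {h.sec} < {v.sec} on {h.name}")
            if v.sensitive and not h.private:  # (4) sensitive assets stay private
                errors.append(f"{v.name}: sensitive node on public host {h.name}")
        if len(names) < v.replicas:  # (3) enough replicas on distinct hosts
            errors.append(f"{v.name}: {len(names)} of {v.replicas} replicas placed")
        for other in sorted(v.conflicts):  # (2) anti-co-location
            for n in sorted(names & set(placement.get(other, []))):
                errors.append(f"{v.name}: co-located with {other} on {n}")
    return errors

# Constructed sample substrate, virtual network request and two candidate placements.
HOSTS = [Host("priv-1", True, 3), Host("priv-2", True, 3),
         Host("pubA-1", False, 2), Host("pubA-2", False, 2), Host("pubB-1", False, 1)]
VNODES = [VNode("db", sec=3, replicas=2, sensitive=True),
          VNode("web", sec=1, replicas=2, conflicts=frozenset({"untrusted"})),
          VNode("untrusted", sec=1, replicas=1)]
GOOD = {"db": ["priv-1", "priv-2"], "web": ["pubA-1", "pubB-1"], "untrusted": ["pubA-2"]}
BAD = {"db": ["priv-1", "pubA-1"], "web": ["pubB-1", "pubB-1"], "untrusted": ["pubB-1"]}

if __name__ == "__main__":
    for label, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_embedding(VNODES, HOSTS, plan) or "feasible")
```

A checker like this validates a placement but does not search for one; finding the minimum-cost feasible placement is what the MIP or a heuristic has to do.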
Consequently, the paper states that ongoing work focuses on developing efficient greedy heuristics capable of producing near‑optimal embeddings in real time. The authors argue that such heuristics are essential for practical deployment, where embedding decisions must be made quickly as VN requests arrive.
Key contributions include: (a) the integration of security and dependability constraints into the VNE problem, (b) a multi‑cloud architecture that mitigates single points of failure and enables selective placement of sensitive workloads, and (c) a formal MIP model that can serve as a benchmark for future algorithmic research. The paper also provides a concise literature review, highlighting the novelty of considering both security and fault tolerance simultaneously.
However, the manuscript lacks an experimental evaluation. No simulation results, performance comparisons, or scalability analyses are presented, leaving open questions about the practical impact of the added constraints on embedding success rates and overall cost. Moreover, the methodology for quantifying security levels and replication requirements is not detailed, which could hinder reproducibility. Future work should therefore include (i) a thorough empirical study using realistic cloud topologies and attack/failure scenarios, (ii) concrete heuristic designs with complexity and approximation guarantees, and (iii) a systematic approach to mapping abstract security and dependability metrics onto measurable substrate attributes.
In summary, the paper makes a compelling case for extending VNE to address modern cloud security and reliability concerns, proposes a rigorous mathematical model, and outlines a path toward practical heuristics, but it remains an early‑stage contribution pending validation through experiments and detailed algorithmic development.