Object Oriented Policy Conflict Checking Framework in Cloud Networks (OOPC)

Ankur Chowdhary, Abdulhakim Sabur, Dijiang Huang, Myong Kang, James Kirby

Research output: Contribution to journal › Article › peer-review

Abstract

Software-Defined Networking (SDN) provides a programmable framework for multi-tenant cloud network management and orchestration. End-to-end packet processing by virtual network functions (VNFs) such as a stateless firewall, a load balancer, or an intrusion detection and prevention system (IDPS) matches network traffic against the security rules of each individual VNF. Rules that conflict in their traffic match and in their actions can lead to a) violations of security requirements (authentication and authorization bypass) and b) violations of mission requirements through redundant rules (increased latency, reduced throughput). We present a new object-oriented policy conflict detection and resolution framework (OOPC), which analyzes the rule dependency relationships between the rules of heterogeneous VNFs and creates a VNF-Graph. The rules are analyzed using object-oriented dependencies between the address space and actions of VNF rules. OOPC uses a compact VNF-Graph, which reduces search complexity when analyzing new security policies. Security policy composition in OOPC achieves 37 percent lower latency in policy graph composition than previous work. The proposed solution performs security policy conflict detection 20 percent faster on a cloud network with 60k OpenFlow rules than prior frameworks that serve a similar purpose.
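The abstract describes conflicts between heterogeneous VNF rules in terms of overlapping address space and conflicting or redundant actions. The following added example (not the paper's OOPC code) shows the pairwise dependency check such a framework builds on, classifying rule pairs as shadowed, redundant or correlated; the rule model, the sample rules and the relation names are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed rule model (assumption): a simplified OpenFlow-style match on source and
# destination CIDRs plus an inclusive (low, high) destination port range; higher priority wins.
Rule = namedtuple("Rule", "vnf name nw_src nw_dst tp_dst action priority")

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def overlaps(a, b):
    # Some packet can match both rules: address spaces and port ranges intersect.
    return (_net(a.nw_src).overlaps(_net(b.nw_src))
            and _net(a.nw_dst).overlaps(_net(b.nw_dst))
            and a.tp_dst[0] <= b.tp_dst[1] and b.tp_dst[0] <= a.tp_dst[1])

def covers(outer, inner):
    # Every packet matching `inner` also matches `outer` (address space and ports).
    return (_net(inner.nw_src).subnet_of(_net(outer.nw_src))
            and _net(inner.nw_dst).subnet_of(_net(outer.nw_dst))
            and outer.tp_dst[0] <= inner.tp_dst[0] <= inner.tp_dst[1] <= outer.tp_dst[1])

def classify(hi, lo):
    # Dependency between a higher-priority rule `hi` and a lower-priority rule `lo`.
    if not overlaps(hi, lo):
        return "disjoint"
    if covers(hi, lo):  # lo never fires: a duplicate, or a shadowed conflicting action
        return "redundant" if hi.action == lo.action else "shadowed"
    if hi.action != lo.action:  # partial overlap with conflicting actions
        return "correlated"
    return "generalization" if covers(lo, hi) else "partial"

def find_conflicts(rules):
    # Pairwise check in priority order; only relations that need resolution are reported.
    ordered = sorted(rules, key=lambda r: -r.priority)
    findings = []
    for i, hi in enumerate(ordered):
        for lo in ordered[i + 1:]:
            rel = classify(hi, lo)
            if rel in ("shadowed", "redundant", "correlated"):
                findings.append((rel, f"{hi.vnf}:{hi.name}", f"{lo.vnf}:{lo.name}"))
    return findings

# Constructed sample rules from two VNFs (firewall and IDPS) in one service chain.
SAMPLE_RULES = [
    Rule("firewall", "allow-web", "10.0.0.0/16", "172.16.0.0/24", (80, 443), "allow", 100),
    Rule("idps", "block-host", "10.0.5.0/24", "172.16.0.10/32", (80, 80), "deny", 50),
    Rule("firewall", "allow-http", "10.0.0.0/24", "172.16.0.0/24", (80, 80), "allow", 40),
    Rule("idps", "deny-mgmt", "10.0.0.0/8", "172.16.0.0/16", (443, 8443), "deny", 30),
]
```

The "shadowed" case is the security-relevant one here: the IDPS deny rule for one host is fully covered by the broader firewall allow, so it never takes effect, which is the kind of authorization bypass the abstract warns about.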

Original language: English (US)
Pages (from-to): 2890-2906
Number of pages: 17
Journal: IEEE Transactions on Dependable and Secure Computing
Volume: 19
Issue number: 5
DOIs
State: Published - 2022

Keywords

  • OpenFlow
  • Software-defined networking (SDN)
  • object oriented paradigm (OOP)
  • policy composition
  • policy conflict detection
  • policy conflict resolution
  • policy graph
  • service function chaining (SFC)
  • virtual network functions (VNFs)

ASJC Scopus subject areas

  • Computer Science(all)
  • Electrical and Electronic Engineering
