SDN-Based Security Enforcement Framework For Data Sharing Systems of Smart Healthcare


308 IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, VOL. 17, NO. 1, MARCH 2020

Yunfei Meng, Zhiqiu Huang, Guohua Shen, and Changbo Ke

Abstract—As a novel healthcare paradigm, smart healthcare can provide more efficient and high-quality medical services for patients. However, smart healthcare needs patients to share their physiological information for online diagnoses; if the data sharing system of smart healthcare lacks effective security mechanisms, this sensitive information might be abused by illegal or malicious users. Moreover, smart healthcare needs to confront some brand-new challenges, such as resource-constrained IoT things, identity theft attacks and insider attacks. To tackle these problems, we propose an SDN-based security enforcement framework for data sharing systems of smart healthcare. In our framework, each patient has a dedicated virtual machine in the data sharing system, and each virtual machine provides a group of data services which can be released to authorized service consumers or IoT things. In addition, the virtual machine is protected by the SDN-based gateway, which provides a firewall mechanism and guarantees that only authorized things can access the patient's virtual machine. Since each thing has a unique MAC address, our framework can effectively authenticate resource-constrained IoT things and tackle the problems caused by identity theft. To validate the effectiveness and feasibility of our framework, we implement an experimental system using the POX controller and the Mininet emulator. The experimental results illustrate that our framework is effective under different test scenarios. As the scale of the information flow model increases, the framework still works well and its performance remains acceptable.

Index Terms—Smart healthcare, SDN, access control, virtual machine, firewall.

Manuscript received October 1, 2018; revised February 2, 2019, June 15, 2019, and September 2, 2019; accepted September 10, 2019. Date of publication September 13, 2019; date of current version March 11, 2020. This paper has been sponsored and supported by National Natural Science Foundation of China (Grant No. 61772270), partially supported by National Natural Science Foundation of China (Grant No. 61602262). The associate editor coordinating the review of this article and approving it for publication was C. Fung. (Corresponding author: Yunfei Meng.)
Y. Meng, Z. Huang, and G. Shen are with the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China.
C. Ke is with the College of Computer Science and Technology, Nanjing University of Post and Telecommunications, Nanjing 210003, China.
Digital Object Identifier 10.1109/TNSM.2019.2941214

I. INTRODUCTION

As a novel healthcare paradigm, smart healthcare can provide more efficient and high-quality medical services for patients. Specifically, the benefits of adopting smart healthcare can be summarized from three perspectives [1], [2], [3], [4], [5]: (1) Lifetime monitoring and disease prediction. In smart healthcare, a patient's physiological information collected by body sensors is sent to the data sharing system for monitoring or diagnosis. By means of advanced data analysis services, consultant physicians can monitor the patient's health status in real time and predict some diseases (e.g., cancers, infections and cardiac diseases) before they actually occur. (2) More comfort and cost reduction. By means of remote monitoring technologies, patients can enjoy the best medical services while staying at home, which can help patients save a large amount of hospitalization cost. (3) Better information management and international collaboration. Patients can obtain their comprehensive past, present and future health information by accessing the medical data center anywhere and anytime. In addition, their electronic medical records (EMR), electronic health records (EHR) and electronic medical images (EMI) stored in the cloud can be shared with global medical experts rapidly, which can accelerate the diagnosis of some difficult diseases. Because of these unprecedented advantages, Grand View Research predicts that the global market of smart healthcare will grow explosively in the next decades, especially in North America; it will expand to 300 billion U.S. dollars by 2022 [2]. However, smart healthcare needs patients to share their physiological information for real-time monitoring or online analysis. Since all physiological information is extremely sensitive for patients, if the data sharing system of smart healthcare lacks effective security mechanisms, this information might be accessed by illegal users or malicious insiders, which will incur serious privacy leakage accidents and cause more serious psychological harm to patients. According to the survey [6], in the United States alone, the economic losses due to medical identity theft have been nearly 41.3 billion dollars per year, and more than 78% of participants worry about the leakage or misuse of their personal medical information [6].

Moreover, compared with traditional networks, the data sharing system of smart healthcare needs to confront some brand-new challenges. First, smart healthcare is a giant system based on the Internet of Things (IoT), so a large amount of the data in the sharing system is produced by IoT things, such as medical devices or body sensors. The services tightly coupled with IoT things are called real-world services [7], [8]. By means of real-world services, service consumers can get information from things in real time or send instructions to operate an IoT thing remotely. Thus, the data sharing system of smart healthcare needs to consider not only access by humans but also access by IoT things. Due to constrained resources, how to effectively authenticate IoT things is a big challenge for the data sharing system, because it is nearly impossible for a sensor to send a password or verification code to

system. Second, encryption-based data sharing mechanisms, such as attribute-based encryption (ABE) [9], [10], [11], [12], are insufficient to define fine-grained data operations, i.e., if a user decrypts an encrypted file, then the user can do anything with the decrypted file. But in some cases, we want some data to be explorable online only, without being copied or downloaded by users. Third, authentication-based access control techniques [13], [14], [15], [16], such as role-based access control (RBAC) [17] or identity-based access control (IBAC) [18], are vulnerable to identity theft: if a legal user's identity (private key) has been cracked by an attacker, the attacker obtains all of the user's legal authorizations accordingly.

To tackle these problems, we are motivated by the following efforts. First, each patient should have a dedicated virtual machine in the data sharing system. Since a virtual machine is an enclosed system, only patients can access their personal data stored in the virtual machine, while any others (including the storage provider) cannot. Meanwhile, each virtual machine provides a group of data services for the patient, and the patient can define which service can be accessed by which external service consumer or IoT thing. Second, the patient's virtual machine should be protected by a specific gateway. The gateway provides a firewall mechanism which guarantees that only authorized IoT things can access the patient's virtual machine, while any unauthorized access is prohibited automatically. Since each IoT thing has a unique MAC address and a MAC address is difficult to capture and forge in a wide area network (WAN), our framework can effectively authenticate resource-constrained IoT things and tackle the problems caused by identity theft attacks.

In summary, this paper makes the following contributions: (1) We propose an SDN-based security enforcement framework for the data sharing system of smart healthcare. (2) We propose a service releasing policy by which a service provider can strictly regulate which data service can be released to which service consumer or IoT thing in the system. (3) We propose an SDN-based gateway to protect the patient's virtual machine in the system, which provides a firewall mechanism and guarantees that only legal service consumers or IoT things can access the patient's virtual machine, while others cannot. (4) We implement a proof-of-concept experimental system and evaluate the effectiveness and feasibility of our framework.

The remainder of the paper is structured as follows. Section II is preliminary, Section III is the proposed system model. Section IV is the main body of this paper, which presents our framework in detail. Section V implements the framework and evaluates its effectiveness and performance. Section VI discusses the threat models and countermeasures. Section VII reviews some related works and compares them with our framework. Finally, Section VIII concludes this paper.

II. PRELIMINARY

A. P-Spec Policy Language

We first proposed the P-Spec policy specification language in [19] and further develop it in this paper. The detailed definitions of the language are as follows.

Grammar: The grammar of the P-Spec language is defined as a 4-tuple: $G_{P\text{-}Spec} = \langle N, T, R, S \rangle$, where $S$ is the start symbol of the P-Spec language. $N = \{Subject, Policy\}$ is the finite set of nonterminal symbols. $T$ is the finite set of terminal symbols. Let $T = \{OP, K, V, C\}$, where $OP = \{=, +, ||, \to, (, )\}$ is the finite set of operation symbols; $=$ represents semantic equality, $+$ represents logical and, $||$ represents logical or, and $\to$ represents logical implication. $K$ is the finite set of keywords. $V$ is the finite set of variables. $C$ is the finite set of policy words. $R$ is the finite set of production rules; each production rule of $R$ is a relation from $N$ to $(N \cup T)^*$, where the asterisk represents the Kleene star operation. Given $\varphi \in N$, $k \in K$, $v \in V$, $c \in C$, $R$ can be defined in Backus-Naur form as follows.

$$\varphi ::= v = c \mid k = v \mid k = c \mid (\varphi) \mid \varphi \,||\, \varphi \mid \varphi + \varphi \mid \varphi \to \varphi \qquad (1)$$

P-Spec Language: The P-Spec language is defined as a set: $L(G_{P\text{-}Spec}) = \{\omega \in T^* \mid S \stackrel{*}{\Rightarrow} \omega\}$, where $T^*$ is the universal set of strings produced by $T$. $S \stackrel{*}{\Rightarrow} \omega$ represents that, from the start symbol $S$, the string $\omega$ can be derived with the relevant production rules of $R$ within a limited number of steps.

Furthermore, any model of a formal language can be defined as an interpretation under a specific universe $A$ for the formal language [20]. Hence, we have the following definitions.

Interpretation: An interpretation of $L(G_{P\text{-}Spec})$ is a pair $\langle A, I \rangle$, where $A$ is a nonempty set and $I$ is a function which maps the $N, T, R, S$ of $L(G_{P\text{-}Spec})$ into the $I(N), I(T), I(R), I(S)$ under $A$.

P-Spec Model: Given an interpretation $\langle A, I \rangle$, if $\langle A, I \rangle$ has mapped the $N, T, R, S$ of the P-Spec language into the $I(N), I(T), I(R), I(S)$ under $A$, the P-Spec model is defined as: $M_{P\text{-}Spec} = \langle A, I(N), I(T), I(R), I(S) \rangle$, where $A$ is the universe (or domain) of model $M_{P\text{-}Spec}$.

B. Software Defined Networking

Software-defined networking (SDN) is an approach which facilitates network management and enables more efficient network configurations [21]. The framework of SDN can be decomposed into the application plane, control plane and data plane [22]. SDN centralizes network intelligence in one network component by decoupling the controlling process (control plane) from the forwarding process (data plane). The OpenFlow switch is the core of the data plane and consists of three parts: flow table, OpenFlow protocol and secure channel. The architecture of the OpenFlow switch is depicted in Figure 1.

In this configuration, when a new packet arrives through the in-ports, the switch compares the header field of the packet against all flow entries in the flow table. If the packet matches an existing entry, the switch updates its counters and executes the associated actions of the entry; otherwise the packet is sent to the SDN controller through the secure channel. By means of preloaded applications, the controller decides how to deal with the incoming packets. If packets can be forwarded, the controller inserts a new entry into the flow table with the relevant information of the packet, then forwards it. If packets need to


be dropped, the controller first clears the counter of the packet, then drops it directly. The OpenFlow protocol regulates the format of information flows transmitted between the OpenFlow switch and the controller. The format of a flow entry is defined as three parts: header fields, counters and actions. As shown in Figure 1, each header field can be further decomposed into 12 subfields, such as source IP, destination IP and some others.

Fig. 1. Architecture of OpenFlow Switch.

Controller plane consists of three parts: secure channel, network operating system (NOS) and network applications. The secure channel is the interface through which the controller communicates with the switch. Network applications are deployed on the NOS platform and implement customized security or performance policies for network management, such as firewall, VM migration and intrusion detection. Current mainstream SDN controllers include the open-source POX [23], NOX [24] and Floodlight [25], and some commercial controllers, such as the NSX controller [26] of VMware.

III. SYSTEM MODEL

The data sharing system of smart healthcare is a giant fusion system which combines humans, hosts, IoT things and cloud services. In order to formalize such a system, we introduce a group of formal system models in this section. Here a human is formalized as the service consumer model (SCM) and the service provider model (SPM), a host is formalized as the virtual machine model (VMM), a thing is formalized as the thing model (TM), and a service is formalized as the service model (SM). The detailed definitions are as follows.

Thing Model (TM): Each IoT thing is formalized as: $T_i = \langle mac_i \rangle$, where $mac_i$ is the MAC address of the thing in the system. Given two different things $T_i$, $T_j$, it holds $mac_i \neq mac_j$, i.e., each thing can only have one unique MAC address in the system. The thing model is defined as: $TM = \{T_0, T_1, \ldots, T_n\}$.

Virtual Machine Model (VMM): Each virtual machine is formalized as: $VM_i = \langle ip_i \rangle$, where $ip_i$ is the IP address of the virtual machine in the system. Given two different virtual machines $VM_i$, $VM_j$, it holds $ip_i \neq ip_j$, i.e., each VM can only have one unique IP address in the system. The virtual machine model is defined as: $VMM = \{VM_0, VM_1, \ldots, VM_n\}$.

Service Model (SM): Each service is formalized as: $S_i = \langle uri_i, VM_i \rangle$, where $uri_i$ is the uniform resource identifier (URI) of the service in the system. $VM_i \in VMM$ is the virtual machine of the service in the system. Given two different services $S_i$, $S_j$, it holds $uri_i \neq uri_j$, i.e., each service can only have one unique URI in the system. The service model is defined as: $SM = \{S_0, S_1, \ldots, S_n\}$.

Service Provider Model (SPM): Each service provider is the owner of the services run in a virtual machine. It is formalized as: $SP_i = \langle pk_i, T_i, VM_i \rangle$, where $pk_i$ is the private key of the service provider in the system, $T_i \in TM$ is the thing of the service provider in the system, and $VM_i \in VMM$ is the virtual machine of the service provider in the system. Given two different service providers $SP_i$, $SP_j$, it holds $(pk_i \neq pk_j) \cap (T_i \neq T_j) \cap (VM_i \neq VM_j)$, i.e., each service provider can only have a unique private key, thing and virtual machine in the system. The service provider model is defined as: $SPM = \{SP_0, SP_1, \ldots, SP_n\}$.

Service Consumer Model (SCM): Each service consumer is the user of the services run in a virtual machine. It is formalized as: $SC_i = \langle ck_i, T_i \rangle$, where $ck_i$ is the private key of the service consumer in the system and $T_i \in TM$ is the thing of the service consumer in the system. Given two different service consumers $SC_i$, $SC_j$, it holds $(ck_i \neq ck_j) \cap (T_i \neq T_j)$, i.e., each service consumer can only have a unique private key and thing in the system. The service consumer model is defined as: $SCM = \{SC_0, SC_1, \ldots, SC_n\}$.

IV. SDN-BASED SECURITY ENFORCEMENT FRAMEWORK

Based on the aforementioned system model, we propose an SDN-based security enforcement framework for data sharing systems of smart healthcare in this paper. In the remainder of this section, we first give an overview of the entire framework. Then we introduce an important formal model, the service releasing policy (SRM). Next, we present the SDN-based gateway in the framework, which consists of the information flow model (IFM) and the IFM-based virtual machine access control algorithm.

A. Overview of Framework

The proposed framework is depicted in Figure 2. In our framework, each patient has a dedicated virtual machine in the data sharing system, thus the patient is a service provider (SP), i.e., the owner of the services run in the virtual machine. Each physician or IoT thing is a service consumer (SC), i.e., a user of the services run in the virtual machine. As service provider, the patient can regulate which service in her/his virtual machine can be released to which physician or which thing. Only through the indicated service interfaces can physicians access the patient's personal data stored in the virtual machine.

Specifically, the framework can be decomposed into two main layers, i.e., the virtual machine (VM) layer and the SDN-based gateway (Gateway) layer. The purpose of introducing the virtual machine layer is to tackle the problems caused by insider attacks. Since a virtual machine is an enclosed system, only the patient can access the data stored in the VM, while any others (including the storage provider) cannot. In this way, we can prevent malicious insiders from accessing the patient's personal data illegally. The virtual machine layer can be further decomposed into two sub-layers, the policy layer and the service layer. Service releasing policy (SRM) is created by service provider


in policy layer, which strictly regulates which service can be accessed by which service consumer or which thing in the system. After that, the SRM and the related system models, such as the service model (SM), service consumer model (SCM) or thing model (TM), are converted into a corresponding information flow model (IFM) by the system automatically. The IFM is a formal model which carries underlying network information, such as the MAC address of a thing or the IP address of a virtual machine, which assists the gateway in identifying which IoT thing is authorized or unauthorized. The patient doesn't need to know this underlying network information because it is provided by the system models, and all system models are created and updated by the system, not by patients. The service layer manages the patient's personal data and a group of services, such as the online exploring data service, updating data service and downloading data service. The patient leverages the SRM to regulate which service can be released or not.

Fig. 2. The proposed framework. The yellow components represent the services or models created by service provider, the deep blue components represent the system models or system components.

The purpose of introducing the SDN-based gateway is to tackle the problems caused by identity theft attacks. In our framework, each dedicated virtual machine of a patient is protected by the SDN-based gateway. The gateway provides a firewall mechanism which can identify the MAC address of consumers who want to access the patient's virtual machine. Since each service consumer (physician or IoT thing) can only have a unique MAC address in the system and a MAC address is difficult to forge, our framework can effectively authenticate resource-constrained IoT things and prevent malicious users who have stolen the identities (private key) of legal consumers from accessing the patient's virtual machine in the system. Specifically, the SDN-based gateway layer can be further decomposed into the SDN controller and OpenFlow virtual switches (OVS). First, any access to the patient's virtual machine is intercepted as a suspicious flow by OVS and sent to the controller for analysis. Then, the IFM-based virtual machine access control algorithm integrated in the controller checks the header fields of the incoming flow against the information flow rules defined in the IFM. If matching succeeds, which indicates that the flow is sent from an authorized thing, the controller updates the flow table in OVS and forwards the flow to the patient's virtual machine. If matching fails, the controller drops the incoming flow directly because the flow is sent from misusing or malicious consumers or IoT things. In this way, our framework can guarantee that only the authorized IoT things in the system can access the patient's VM, while unauthorized ones cannot.

B. Service Releasing Policy

Based on the particular requirements of smart healthcare, we propose a service releasing policy (SRM) in this paper. The SRM is defined by the service provider of the data sharing system, and can strictly regulate which service in the system can be released to which service consumer or which IoT thing. The detailed definitions are as follows.

Service Releasing Rule: Each service releasing rule $RR_i$ can be defined as a P-Spec policy model ($M_{P\text{-}Spec}$), and $I(R)$ is defined as follows.

$$\begin{aligned} RR_i &::= Subject \to Object \\ Subject &::= (SC = SC_i) \mid (T = T_j) \\ Object &::= (*) \mid (Service = S_k) \mid Object + Object \mid Object \,||\, Object \end{aligned} \qquad (2)$$

where $SC_i \in SCM$ is a service consumer, $T_j \in TM$ is a thing, symbol $*$ represents all services, $S_k \in SM$ is a service, symbol $+$ represents logical and, symbol $||$ represents logical or, and $0 \le i, j, k \le n$, $n \in \mathbb{N}$. Semantically, a service releasing rule represents that the service $S_k$ or some other services of the service provider can be released to the service consumer $SC_i$ or the thing $T_j$.

Service Releasing Policy (SRM): A service releasing policy is a set of service releasing rules and is defined as: $SRM = \{RR_0, RR_1, \ldots, RR_n\}$.

For example, we assume that patient Bob has a dedicated virtual machine $VM_1 \in VMM$ in the data sharing system. As service provider, his SPM is defined as $SP_0 = \langle pk_0, T_1, VM_1 \rangle$, where $pk_0$ is Bob's private key in the system, $T_1 \in TM$ is Bob's thing in the system, and $VM_1$ is Bob's virtual machine in the system. Meanwhile, as service consumer, Bob can also access all of the services in his $VM_1$, and his SCM is defined as $SC_0 = \langle pk_0, T_1 \rangle$. Mike is a cardiologist, whose SCM is defined as $SC_1 = \langle ck_1, T_2 \rangle$, where $ck_1$ is Mike's private key in the system and $T_2 \in TM$ is Mike's thing in the system. Mary is an internist, whose SCM is defined as $SC_2 = \langle ck_2, T_3 \rangle$, where $ck_2$ is Mary's private key in the system and $T_3 \in TM$ is Mary's thing in the system. If Bob regulates only electrocardiogram (ECG)


online exploring service and X-Ray online exploring service could be released to Mike, and only X-Ray online exploring service could be released to Mary, then the SRM of the example can be established as shown in Table I. Here $S_0 = \langle uri_0, VM_1 \rangle$ is the ECG online exploring service, and $S_1 = \langle uri_1, VM_1 \rangle$ is the X-Ray online exploring service.

TABLE I. ESTABLISHED SRM

C. SDN-Based Gateway

Leveraging software-defined networking (SDN), we propose an SDN-based gateway in our framework, which provides a firewall mechanism and guarantees that only authorized IoT things (e.g., hosts, terminals, devices or sensors) defined by the IFM can access the patient's virtual machine, while unauthorized things cannot. In the following, we first present how to establish the information flow model (IFM), then we give the detailed description of the IFM-based virtual machine access control algorithm used in the gateway.

1) Information Flow Model: The information flow model is a formal model converted from the SRM and the system models dynamically, which implies that the IFM evolves synchronously with changes of the SRM or the related system models. The detailed definitions of the IFM are as follows.

Information Flow Rule: Each information flow rule $RF_i$ is defined as a 5-tuple: $\langle Subject, Src, Dst, Action, Role \rangle$, where Subject is the creator of the information flow, Src is the source (MAC address) of the information flow, and Dst is the destination (IP address) of the information flow. $Action = \{F, B\}$: F represents that this information flow can be forwarded to its destination, B represents that this information flow must be blocked. $Role = \{A, U\}$: A represents that this rule is created by an administrator, U represents that this rule is created by a normal user. Here we define the role's priority as $A > U$, i.e., when two information flow rules conflict, the rule of A can override the rule of U, but not vice versa.

Convert IFM from SRM: Given a service releasing policy SRM, for $\forall RR_t \in SRM$, $RR_t$ can be converted into a group of corresponding $RF_i$ rules, and the conversion procedure can be defined as a function.

$$RR_t \to \begin{cases} \langle SP_i, mac_k, ip_j, F, U \rangle \\ \langle SP_i, ip_j, mac_k, F, U \rangle \end{cases} \qquad (3)$$

where $SP_i$ is the service provider who creates the service releasing rule, $mac_k \in T_k \in SC_k$ is the MAC address of consumer $SC_k$'s thing in the system, $ip_j \in VM_j \in S_j$ is the IP address of service $S_j$'s virtual machine in the system, F represents that the action is forward, U represents that the rule is created by a user, and $0 \le i, j, k, t \le n$, $n \in \mathbb{N}$. Semantically, each $RR_t$ rule is converted into its two corresponding $RF_i$ rules. The first rule represents the information flow sent from consumer $SC_k$'s thing to service $S_j$'s virtual machine. The second one is the flow sent from service $S_j$'s virtual machine to consumer $SC_k$'s thing. Hence, each information flow is bidirectional.

Information Flow Model (IFM): Given the service releasing model $SRM = \{RR_0, RR_1, \ldots, RR_n\}$, we denote the IFM converted from the SRM as $IFM_{SRM}$; then $IFM_{SRM}$ is defined as follows.

$$IFM_{SRM} = \bigcup_{i=0}^{n} \{RF\}_{RR_i} \qquad (4)$$

where $\{RF\}_{RR_i}$ is the set of information flow rules converted from each $RR_i \in SRM$ using equation (3), and $0 \le i \le n$, $n \in \mathbb{N}$.

By means of equation (3) and equation (4), the SRM shown in Table I can be converted into its corresponding IFM shown in Table II. Here $SP_0$ is Bob, who creates these information flow rules, $ip_1 \in VM_1$ is the IP address of $VM_1$, $mac_1 \in T_1 \in SC_0$ is the MAC address of thing $T_1$ used by Bob, $mac_2 \in T_2 \in SC_1$ is the MAC address of thing $T_2$ used by Mike, and $mac_3 \in T_3 \in SC_2$ is the MAC address of thing $T_3$ used by Mary. F represents the action forward, U represents that the rule is created by a user.

TABLE II. IFM CONVERTED FROM SRM SHOWN IN TABLE I

2) IFM-Based Virtual Machine Access Control Algorithm: The IFM-based virtual machine access control algorithm runs in the SDN controller and acts as the core of the SDN-based gateway. In order to describe the algorithm accurately, we introduce a group of formal models related to software-defined networking. The detailed definitions are as follows.

Flow: Each OpenFlow protocol-based flow in SDN can be formalized as a 3-tuple: $FL = \langle FL_{Src}, FL_{Dst}, FL_{data} \rangle$, where $FL_{Src}$ represents the source address of the flow, $FL_{Dst}$ represents the destination address of the flow, and $FL_{data}$ represents the transmitted data of the flow.

Entry: Each entry of the flow table can be formalized as a 3-tuple: $E_i = \langle E_{Src}, E_{Dst}, E_{Action} \rangle$, where $E_{Src}$ represents the source address of the entry, $E_{Dst}$ represents the destination address of the entry, and $E_{Action} = \{forward, block\}$ represents the operations (forward/block) of the entry.

Flow Table: A flow table is a set of entries and is defined as: $FT = \{E_0, E_1, \ldots, E_n\}$.

Based on the introduced formal models, the IFM-based virtual machine access control algorithm can be described as Algorithm 1 in pseudo code. The working process of the algorithm can be summarized as the following steps.

Step 1: OVS captures a suspicious incoming flow FL and sends it to the controller for analysis.

Step 2: The controller compares the header fields of FL with the existing $RF_i \in IFM$. (Case 1:) If there exists a rule for which Src equals the source MAC address of FL, Dst equals the destination IP address of FL, and Action equals F, then incoming flow FL is sent from an authorized consumer


Algorithm 1 IFM-Based VM Access Control Algorithm


Input: IFM, FL, FT;
Output: FT;
1: While(IFM = ∅) {
2: ∃RFi ∈ IFM ;
3: // Case 1: it is from authorized users
4: If(Src = FLSrc and Dst = FLDst and Action = F )
5: //Update Flow Table
6: FTSrc = FLSrc ;
7: FTDst = FLDst ;
8: FTAction = forward ;
9: Insert  FTSrc , FTDst , FTAction  into FT;
10: Return FT;
11: // Case 2: it is from malicious users
12: If(Src = FLSrc and Action = B )
13: //Update Flow Table
14: FTSrc = FLSrc ;
15: FTDst = FLDst ;
16: FTAction = block ;
17: Insert ⟨FTSrc , FTDst , FTAction⟩ into FT;
18: Drop FLdata ;
19: Return FT;
20: Read next RFj ∈ IFM ;
21: }
22: // Case 3: it is from misusing users
23: Drop FL;
24: Return FT;
25: End.

and can be permitted to access the VM. In this case, the controller will update the flow table FT of OVS and let OVS forward the flow. (Case 2:) If there exists a rule which can match FL but its Action equals B, then FL is sent from malicious users. In this case, the controller will update FT of OVS and let OVS block all flows sent from the same source MAC address. (Case 3:) If no rule in IFM can match FL, the controller will drop FL directly because it is sent from unauthorized or misusing users, but it doesn’t update FT in this case.

Step 3: OVS executes the instructions sent from the controller.

V. IMPLEMENTATION AND EVALUATIONS

To validate the effectiveness and feasibility of the proposed framework, we implement a proof-of-concept experimental system to conduct the relevant experiments. The experiments have three primary goals. First, we want to evaluate the effectiveness of our framework, i.e., according to the definition of IFM, only authorized things can access the service provider’s virtual machine, while unauthorized things can not. Second, we want to evaluate whether our framework can make effective dynamic responses to modifications of IFM at run time. Third, we want to evaluate the performance of our framework as the scale of IFM increases continuously.

A. Experimental System

Leveraging the open-source POX controller [23] and Mininet emulator [32], we implemented an experimental system based on the proposed framework. As depicted in Figure 3, the system consists of a virtual machine layer and a gateway layer. In the gateway layer, we set one SDN controller (POX), one edge switch (Edge), and three OpenFlow virtual switch instances (OVS1, OVS2 and OVS3) supporting OpenFlow protocol 1.1.0. We also implemented the IFM-based virtual machine access control algorithm (Algorithm 1) in Python and integrated it into the core of the POX controller. In the virtual machine layer, we set three virtual machines (VM1, VM2 and VM3). In addition, we also set five service consumers in the system, i.e., Physician1, Physician2, Physician3, patient Bob and Hacker. We run the POX controller on a PC with Windows 7 platform, Intel Core i5 2.50 GHz processor and 4 Gbytes of RAM. We run the Mininet emulator on a Raspberry Card PC with Linux platform, ARMv7 processor and 945 Mbytes of RAM. The Raspberry Card PC is connected to the Windows 7 platform directly by Ethernet cable.

Fig. 3. The experimental system.

B. Evaluation

1) Test Scenario: We assume that patient Bob has his dedicated virtual machine VM3 in the data sharing system. Bob leverages SRM to specify that only Physician1 can access service1 and service2 in his VM3, while other physicians can not. Meanwhile, as service provider, Bob’s thing can access all of the services in VM3. If Bob has system identity SP0 ∈ SPM and SC0 ∈ SCM, Physician1 has system identity SC1 ∈ SCM, S1 = service1, S2 = service2, then the SRM of the test scenario can be defined as in Table III.
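The three cases of Algorithm 1 and the run-time switch from IFM to IFM’, as a stand-alone Python model added here for illustration; it is not the authors' POX module. The class and field names, the "allow" label, the Hacker MAC address and the flush-on-reload option are assumptions of this example; the rule sets follow the paper's prose description of the test scenario and use the addresses the evaluation gives.

```python
from dataclasses import dataclass

ALLOW, BLOCK = "allow", "block"  # the paper writes block as Action = B; "allow" is this example's label


@dataclass(frozen=True)
class Rule:
    """One information flow rule RF of the IFM (field names are this example's)."""
    src: str          # MAC address of the service consumer's thing
    dst: str          # address of the service provider's VM
    action: str       # ALLOW or BLOCK
    role: str = "U"   # "A" = administrator, "U" = user


class Gateway:
    """Toy model of the controller plus one OVS flow table FT."""

    def __init__(self, ifm):
        self.ifm = list(ifm)
        self.flow_table = {}          # (src, dst) -> "forward" | "block"

    def match(self, src, dst):
        """Return the winning rule for a flow, or None. Administrator rules
        (Role = A) override user rules (Role = U) on the same pair."""
        hits = [r for r in self.ifm if (r.src, r.dst) == (src, dst)]
        hits.sort(key=lambda r: r.role != "A")   # stable sort: admin rules first
        return hits[0] if hits else None

    def packet_in(self, src, dst):
        """Controller decision for a flow FL that has no entry in FT."""
        rule = self.match(src, dst)
        if rule is None:
            return "drop"                         # Case 3: FT is not updated
        verdict = "forward" if rule.action == ALLOW else "block"
        self.flow_table[(src, dst)] = verdict     # Case 1 / Case 2: update FT
        return verdict

    def send(self, src, dst):
        """Switch data path: use the installed entry, else ask the controller."""
        installed = self.flow_table.get((src, dst))
        return installed if installed else self.packet_in(src, dst)

    def reload_ifm(self, new_ifm, flush=True):
        """Swap the IFM at run time. Entries installed from the old IFM stay
        in FT unless they are flushed (flushing is this example's choice)."""
        self.ifm = list(new_ifm)
        if flush:
            self.flow_table.clear()


# Addresses given in the paper's test scenario.
MAC0, MAC1, MAC3 = "00:00:00:00:00:01", "00:00:00:00:00:03", "00:00:00:00:00:05"
IP0 = "10.0.0.8"
HACKER_MAC = "00:00:00:00:00:09"      # constructed for this example

# Rule sets written from the prose description of Tables IV and V.
IFM = [Rule(MAC0, IP0, ALLOW), Rule(MAC1, IP0, ALLOW)]          # Bob, Physician1
IFM_PRIME = [Rule(MAC0, IP0, ALLOW), Rule(MAC3, IP0, ALLOW)]    # Bob, Physician3
HOSTS = {"Bob": MAC0, "Physician1": MAC1, "Physician3": MAC3, "Hacker": HACKER_MAC}


def reachability(gw):
    """What each host gets when it sends a flow to VM3."""
    return {name: gw.send(mac, IP0) for name, mac in HOSTS.items()}


def run_experiment(flush):
    """Load IFM, probe, switch to IFM' at run time, probe again."""
    gw = Gateway(IFM)
    before = reachability(gw)
    gw.reload_ifm(IFM_PRIME, flush=flush)
    return before, reachability(gw), gw


def admin_override():
    """Constructed conflict: a user rule allows a MAC that an admin rule blocks."""
    gw = Gateway([Rule(HACKER_MAC, IP0, ALLOW, "U"), Rule(HACKER_MAC, IP0, BLOCK, "A")])
    return gw.send(HACKER_MAC, IP0)


if __name__ == "__main__":
    for flush in (True, False):
        before, after, _ = run_experiment(flush)
        print("flush =", flush, "| before:", before, "| after:", after)
    print("admin override:", admin_override())
```

With `flush=False`, the entry installed for Physician1 under the old IFM keeps forwarding after IFM’ is loaded, so entries derived from a replaced IFM have to be removed or allowed to expire before the new policy is actually enforced.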


TABLE III. ESTABLISHED SRM OF TEST SCENARIO

Leveraging equations (3) and (4) mentioned in Section IV, the created SRM in Table III can be converted into its corresponding information flow model. As shown in Figure 3, Bob’s thing has MAC address 00:00:00:00:00:01, Physician1’s thing has MAC address 00:00:00:00:00:03, VM3 has IP address 10.0.0.8 and Bob’s identity is SP0, so the IFM of the test scenario can be established as shown in Table IV. Here mac0 = 00:00:00:00:00:01, mac1 = 00:00:00:00:00:03, ip0 = 10.0.0.8.

TABLE IV. ESTABLISHED IFM OF TEST SCENARIO

2) Effectiveness Evaluation: To evaluate the effectiveness of our framework, we design two independent experiments based on the test scenario. Experiment 1 evaluates whether our framework is effective after loading the IFM defined in Table IV. Experiment 2 evaluates whether our framework can make effective dynamic responses to the modification of IFM at run time.

The process of experiment 1 is designed as follows. First of all, we establish the IFM in Table IV using a text file and load the IFM into the POX controller, then we restart the POX controller. After that, we execute the pingall instruction in the Mininet CLI and observe the reachability of the entire system. If the experimental result is consistent with the security requirements of the test scenario, then our framework is effective, otherwise it is invalid. Figure 4 is the screenshot of the system after executing the pingall instruction. As shown, we can observe that only Physician1 and Bob can access VM3 while other consumers can not. And most of the misusing or malicious flows, approximately 92% of total flows, have been denied by the gateway. The result has proved that our framework is truly effective under the test scenario.

Fig. 4. The screenshot of system after executing pingall instruction in Mininet.

The process of experiment 2 is designed as follows. We first assume Bob changes his service releasing policy (SRM) in the test scenario, i.e., only Physician3 can access his VM3, while any other consumers (including Physician1) can not. Accordingly, the new SRM will be converted into a new IFM synchronously. We denote the new IFM as IFM’, and show it in Table V. Here mac3 = 00:00:00:00:00:05 and it is the MAC address of Physician3’s thing in the system. Obviously, it is easy to update the POX controller by shutting it down, loading the new IFM, and restarting it again. But this is unacceptable in a real data sharing system because stopping the controller will severely affect the normal services of other users in the system. Hence, we want to further evaluate the effectiveness of our framework when IFM is changed at run time, i.e., whether our framework can make effective dynamic responses to the modification of IFM and keep the system effective after IFM has been changed.

TABLE V. THE NEW INFORMATION FLOW MODEL IFM’

To achieve this goal, we design a new experimental process. We first establish IFM’ using a text file. Next, we utilize the xterm instruction to activate the observing windows of VM3, Physician1 and Physician3 respectively, then utilize the iperf instruction to send TCP packets to VM3 from Physician1 and Physician3 at the same time. After 40 seconds of executing iperf, we load the newly created IFM’ into the POX controller at run time and keep the system running. When the time reaches 100 seconds, we stop the experiment, and extract the data recorded in VM3. After data processing, we plot these data in Figure 5. As shown, due to the interceptions of the POX controller, the TCP bandwidth of the system fluctuates violently. Before loading IFM’, VM3 can only receive TCP packets sent from Physician1 and the number of packets from Physician3 is zero. After loading IFM’ at 40 seconds, VM3 doesn’t receive the flows sent from Physician3 immediately. At almost 45 seconds, VM3 begins to receive packets from Physician3, while the TCP bandwidth from Physician1 goes down sharply. After 46 seconds, the TCP packets from Physician1 tend to zero and VM3 can only receive the packets sent from Physician3. Hence, the final experimental result has clearly illustrated that our framework can make effective dynamic responses to IFM modification at run time, and the latency of dynamic response is nearly 5∼6 seconds.

After that, we continue to utilize the pingall instruction to observe the reachability of the entire system after IFM has been changed, i.e., we want to validate whether the system stays effective after IFM has been changed. Figure 6 is the screenshot of the system after executing pingall. As shown, only Physician3 and Bob can access VM3, while other hosts can not. Hence, the result proves that our framework is still effective after IFM has been changed at run time.

3) Performance Evaluation: The primary goal of performance evaluation is to validate whether our framework can still work well as the scale of IFM increases continuously, and whether its overhead is still acceptable. We think this evaluation is important for a multi-tenant data sharing system, because with the increasing number of virtual machines, the scale
of IFM will be increased definitely. To achieve this goal, based on the IFM shown in Table IV, we conduct six groups of tests, where we set the total number of IFM rules as 2, 10, 50, 100, 500 and 1000 respectively. For each group, we utilize the ping instruction to send ICMP packets from Physician1 to VM3 and repeat it 10 times (T1 ∼ T10), then we record all of the response times in Mininet. After all tests have finished, we show all of the response times of the six groups of experiments in Table VI. Following that, we leverage MATLAB toolkits to calculate the corresponding cumulative distribution functions (CDF) based on the data set shown in Table VI, and plot the calculated results in Figure 7. As depicted, as the scale of IFM increases from 2 rules up to 1000 rules, our framework still works well: the response time of ping increases linearly with the growing number of information flow rules, and all of the times are still acceptable.

Fig. 5. The final result recorded in VM3 under executing iperf instruction from Physician1 and Physician3 at the same time. The red line represents the TCP flow sent from Physician1, blue line represents the TCP flow sent from Physician3, black dash line is a boundary of loading new IFM into POX controller.

Fig. 6. The screenshot of system after executing pingall instruction in Mininet.

TABLE VI. ALL RESPONSE TIME OF SIX GROUP OF EXPERIMENTS

VI. THREAT MODELS AND COUNTERMEASURES

In this section, we first discuss the main threat models and the relevant countermeasures. Then we discuss some limitations that exist in our present framework.

Identity Theft Attack: An identity theft attack is one in which attackers illegally obtain a legal user’s privileges by forging the identity information of legitimate users [30]. Normally, traditional authentication-based access control mechanisms utilized in present data sharing systems are mainly based on the user’s identity (ID) and private key (PK). If an attacker can crack or capture the pair ⟨ID, PK⟩ of a legal user, the attacker can easily pass the authentication of the system using the forged identity, and thereby obtain all of the authorizations and sensitive data of legal users. To tackle the threats caused by identity theft, in our framework, the patient’s virtual machines in the data sharing system are well protected by the SDN-based gateway. The gateway provides a firewall mechanism which can identify the requesting pair ⟨Src, Dst⟩ of service consumers in real time. Meanwhile, we bind each authorized service consumer (or IoT thing) to a unique MAC address. Here we assume that the attacker hacker has cracked the pair ⟨ID, PK⟩ of legal user Bob. When hacker wants to enter Bob’s virtual machine using the identities of Bob, the access request will be denied
by our gateway automatically because the MAC address of hacker is different from the MAC address of Bob. Since a MAC address is difficult to capture and forge in a wide area network (WAN), our framework can effectively authenticate those resource-constrained IoT things and prevent those malicious users who have stolen the identities (private key) of legal consumers from accessing the virtual machines.

Insider Attack: An insider attack is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates. The threats may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems [31]. An encryption-based access control mechanism is one of the countermeasures which can tackle the problems caused by insider attacks. But encryption can’t prevent those authorized users from disclosing a patient’s data because they can do anything with those decrypted files. In our framework, each patient has dedicated virtual machines in the system. Since a virtual machine is an enclosed system, only the patient can access the data stored in the VM while any others (including the storage provider) can not. In the virtual machine, the patient can define fine-grained data operations for different authorized users by means of defining the service releasing policy (SRM). In this case, if an authorized user is only granted the right to read online, then these data could not be disseminated by this user. Hence, our framework can well tackle the problems caused by insider attacks.

However, there still exist some limitations in our present framework. That is, at present we don’t consider the potential threats caused by distributed denial of service (DDoS) attacks [27] or flooding attacks. Because the framework depends heavily on the SDN controller to defend against unauthorized accesses, the controller might be a potential vulnerability in our present framework. Especially, when attackers launch flooding attacks or DDoS attacks, the system will probably incur a single point of failure in some cases. Hence in the future, we need to further improve the robustness of our framework by integrating intrusion detecting functions for DDoS attacks, such as the toolkits introduced by the proposals of [28], [29]. In that way, when a DDoS attack occurs, the gateway can detect the malicious access behaviors in time and block all of the requests sent from those malicious hosts automatically, thereby improving the robustness of our framework. Although we don’t address this concern in this paper, integrating such intrusion detecting abilities into our framework will be an important task in our ongoing work.

Fig. 7. Based on the recorded data shown in Table VI, we leverage the related MATLAB toolkits to create the corresponding cumulative distribution function (CDF). From the result, we can observe that, as increasing the scale of IFM from 2 flow rules to 1000 flow rules, the response time of system is nearly linear with respect to the number of flow rules in IFM.

VII. RELATED WORK

The SDN-based gateway of our framework provides a firewall mechanism which guarantees that only authorized things can access the service provider’s virtual machine, while those undefined things can not. Hence, in this section, we want to discuss some research works concerning how to implement a dynamic firewall mechanism using SDN, and compare these proposals with our framework.

Hu et al. [33] proposed a comprehensive framework, Flowguard, to facilitate accurate detection as well as flexible resolution of firewall policy violations in dynamic OpenFlow networks. In addition, the authors implemented a prototype using Floodlight. The experimental results show that Flowguard has manageable performance overhead to enable real-time network monitoring. Similarly, Porras et al. [34] proposed a security enforcement controller, FortNOX, which is an extension of the NOX controller. FortNOX is designed to enable a network flow to be blocked (or allowed) by security applications. They also proposed a conflict resolving mechanism used when policy conflicts appear. Indeed, we are inspired by the ideas of Flowguard and FortNOX in some sense, we
also design the relevant policy resolving mechanism in our framework, i.e., the information flow rules of the administrator (Role = A) can override those rules of users (Role = U). Moreover, we design all entries in OVS so that they can be automatically updated every t minutes, which can also be used to resolve the policy conflicts.

Suh et al. [35] leveraged the POX controller to implement a firewall application. Each firewall rule can be defined by 6 actions and 12 conditions, and the final experimental results illustrate that the firewall is effective. But this mechanism requires network operators to know the details of the underlying network, and to input the firewall rules into the controller manually. In our framework, by contrast, all of the information flow rules of IFM are converted from SRM automatically; service providers just need to know which service could be released to which consumer or which thing, and other details of the underlying network can be created from system models automatically. Therefore, any normal user can leverage our framework to rapidly define their security policies.

Koerner and Kao [36] proposed a MAC-based VLAN tagging mechanism using SDN. The virtual local area network (VLAN) has been widely used in enterprise networks where the security policy is always defined by VLAN address. But some mobile laptop-based workstations often change their locations, which will lead to frequent changes of their VLAN address and incur security policy conflicts. To address this problem, the authors leverage the Floodlight controller to map the MAC address of a laptop into its corresponding VLAN address in the network. Since the MAC address is static, it can guarantee that the laptops can access the network successfully in different locations. In our framework, the controller uses an information flow rule to recognize an authorized user, i.e., the pair ⟨Src, Dst⟩. Here Src is the MAC address of the service consumer, Dst is the VLAN address of the VM, but we don’t need to convert the MAC address into a VLAN address.

In addition, Javid et al. [37] implemented a 2-layer firewall using the POX controller. CloudWatcher [38] is a security monitoring framework by which network operators can define a policy to describe a network traffic and describe which security services must be applied to it. Koorevaar [39] proposed a framework for leveraging SDN for automatic security policy enforcement using EEL-tags. These tags are added into the VM’s flow by the hypervisor. By means of these added EEL tags, they can implement the associated security policy. However, this work heavily relies on a trustful hypervisor, thus the portability of the method is a big problem that needs to be considered.

VIII. CONCLUSION

In this paper, we propose a SDN-based security enforcement framework for data sharing systems of smart healthcare. We first establish the system model of the data sharing system. Then based on the system model, we present the SDN-based security enforcement framework in detail. We introduce an important formal model, the service releasing model (SRM), by which a service provider can regulate which data services in the virtual machine could be released to which authorized service consumer or which IoT thing. Next, we present the SDN-based gateway in our framework, which consists of the information flow model (IFM) and the IFM-based virtual machine access control algorithm. In order to evaluate the effectiveness and feasibility of our framework, we implement a proof-of-concept experimental system using the POX controller and Mininet emulator, and implement the IFM-based virtual machine access control algorithm with Python. The final results have proved that our framework is truly effective after loading different test scenarios. When IFM is changed at run time, our framework can make effective dynamic responses to these modifications, and the latency of dynamic response is only 5 ∼ 6 seconds. Furthermore, as the scale of IFM increases from 2 rules up to 1000 rules, our framework still works well: the response time of the system increases linearly with the growing number of information flow rules, and all of the times are still acceptable. Finally, we discuss the threat models towards the system and the relevant countermeasures.

In our present framework, we don’t consider the potential threats caused by flooding attacks, especially the distributed denial of service (DDoS) attacks. Thus, the SDN controller might be a potential vulnerability in our framework. Hence in the future, we need to further improve the robustness of our framework by integrating intrusion detecting functions for DDoS attacks. In that way, when a DDoS attack occurs, the gateway can detect the malicious behaviors in time and block all of the requests sent from those malicious hosts automatically.

REFERENCES

[1] B. Farahani, F. Firouzi, V. Chang, M. Badaroglu, N. Constant, and K. Mankodiya, “Towards fog-driven IoT eHealth: Promises and challenges of IoT in medicine and healthcare,” Future Gener. Comput. Syst., vol. 48, pp. 659–676, Jan. 2018.
[2] F. Firouzi et al., “Internet-of-Things and big data for smarter healthcare: From device to architecture, applications and analytics,” Future Gener. Comput. Syst., vol. 78, pp. 583–586, Jan. 2018.
[3] H. Alemdar and C. Ersoy, “Wireless sensor networks for healthcare: A survey,” Comput. Netw., vol. 54, no. 15, pp. 2688–2710, 2010.
[4] W. Sun, Z. Cai, Y. Li, L. Fang, S. Fang, and G. Wang, “Security and privacy in the medical Internet of Things: A review,” Security Commun. Netw., vol. 2018, pp. 1–9, Mar. 2018.
[5] F. Firouzi, B. Farahani, M. Ibrahim, and K. Chakrabarty, “From EDA to IoT eHealth: Promises, challenges, and solutions,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 37, no. 12, pp. 2965–2978, Dec. 2018.
[6] (2011). EHR. [Online]. Available: http://healthcaremgmt.net/blog/2011/08/are-you-educating-patients-on-ehr
[7] D. Guinard, V. Trifa, S. Karnouskos, P. Spiess, and D. Savio, “Interacting with the SOA-based Internet of Things: Discovery, query, selection, and on-demand provisioning of Web services,” IEEE Trans. Services Comput., vol. 3, no. 3, pp. 223–235, Jul.–Sep. 2010.
[8] I. R. Chen, J. Guo, and F. Bao, “Trust management for SOA-based IoT and its application to service composition,” IEEE Trans. Services Comput., vol. 9, no. 3, pp. 482–495, May/Jun. 2016.
[9] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Proc. Int. Conf. Theory Appl. Cryptograph. Techn., vol. 3494, 2005, pp. 457–473.
[10] L. Guo, C. Zhang, J. Sun, and Y. Fang, “A privacy-preserving attribute-based authentication system for mobile health networks,” IEEE Trans. Mobile Comput., vol. 13, no. 9, pp. 1927–1941, Sep. 2014.
[11] A. Lounis, A. Hadjidj, A. Bouabdallah, and Y. Challal, “Healing on the cloud: Secure cloud architecture for medical wireless sensor networks,” Future Gener. Comput. Syst., vol. 55, pp. 266–277, Feb. 2016.


[12] X. Liang, M. Barua, R. Lu, X. Lin, and X. Shen, “Healthshare: Achieving secure and privacy-preserving health information sharing through health social networks,” Comput. Commun., vol. 35, no. 15, pp. 1910–1920, 2012.
[13] D. S. Allison, H. F. E. Yamany, and M. A. M. Capretz, “A fine-grained privacy structure for service-oriented architecture,” in Proc. IEEE Int. Comput. Softw. Appl. Conf., Seattle, WA, USA, 2009, pp. 634–635.
[14] Q. Ni, A. Trombetta, E. Bertino, and J. Lobo, “Privacy-aware role based access control,” in Proc. 12th ACM Symp. Access Control Mod. Technol., vol. 41, 2007.
[15] C. A. Ardagna, M. Cremonini, S. D. C. D. Vimercati, and P. Samarati, “A privacy-aware access control system,” J. Comput. Security, vol. 16, no. 4, pp. 369–397, 2008.
[16] M. Li, X. Sun, H. Wang, Y. Zhang, and J. Zhang, “Privacy-aware access control with trust management in Web service,” World Wide Web Internet Web Inf. Syst., vol. 14, no. 4, pp. 407–430, 2011.
[17] R. Wonohoesodo and Z. Tari, “A role based access control for Web services,” in Proc. IEEE Int. Conf. Services Comput., 2004, pp. 49–56.
[18] W. J. Tolone, G. J. Ahn, T. Pai, and S. P. Hong, “Access control in collaborative systems,” ACM Comput. Surveys, vol. 37, no. 1, pp. 29–41, 2005.
[19] Y. Meng, Z. Huang, Z. Yu, and C. Ke, “Privacy-aware cloud service selection approach based on P-spec policy models and privacy sensitivities,” Future Gener. Comput. Syst., vol. 86, pp. 1–11, Sep. 2018.
[20] C. C. Chang and H. J. Keisler, Continuous Model Theory. Princeton, NJ, USA: Princeton Univ. Press, 1966.
[21] K. Benzekki, A. El Fergougui, and A. E. Elalaoui, “Software-defined networking (SDN): A survey,” Security Commun. Netw., vol. 9, no. 18, pp. 5803–5833, 2016.
[22] N. Mckeown et al., “OpenFlow: Enabling innovation in campus networks,” ACM SIGCOMM Comput. Commun. Rev., vol. 38, no. 2, pp. 69–74, 2008.
[23] (2017). POX. [Online]. Available: https://github.com/noxrepo/pox
[24] (2018). NOX. [Online]. Available: https://github.com/noxrepo
[25] (2018). Floodlight. [Online]. Available: https://www.projectfloodlight.org
[26] (2018). NSX. [Online]. Available: https://www.vmware.com/products/nsx.html
[27] C. Douligeris and A. Mitrokotsa, “DDoS attacks and defense mechanisms: Classification and state-of-the-art,” Comput. Netw., vol. 44, no. 5, pp. 643–666, 2004.
[28] R. Braga, E. Mota, and A. Passito, “Lightweight DDoS flooding attack detection using NOX/OpenFlow,” in Proc. IEEE Conf. Local Comput. Netw., Denver, CO, USA, 2010, pp. 408–415.
[29] Y. Li, T.-B. Lu, L. Guo, Z.-H. Tian, and Q-W. Nie, “Towards lightweight and efficient DDoS attacks detection for Web server,” in Proc. Int. Conf. World Wide Web, 2009, pp. 1139–1140.
[30] B.-Z. He, C.-M. Chen, Y.-P. Su, and H.-M. Sun, “A defence scheme against identity theft attack based on multiple social networks,” Expert Syst. Appl., vol. 41, no. 5, pp. 2345–2352, 2014.
[31] M. B. Salem, S. Hershkop, and S. J. Stolfo, “A survey of insider attack detection research,” in Insider Attack and Cyber Security. Boston, MA, USA: Springer, 2008.
[32] (2012). Mininet. [Online]. Available: http://www.mininet.org
[33] H. Hu, W. Han, G.-J. Ahn, and Z. Zhao, “Flowguard: Building robust firewalls for software-defined networks,” in Proc. ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2014, pp. 97–102.
[34] P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu, “A security enforcement kernel for OpenFlow networks,” in Proc. 1st Workshop Hot Topics Softw. Defined Netw., 2012, pp. 121–126.
[35] M. Suh, S. H. Park, B. Lee, and S. Yang, “Building firewall over the software-defined network controller,” in Proc. Int. Conf. Adv. Commun. Technol., 2014, pp. 744–748.
[36] M. Koerner and O. Kao, “MAC based dynamic VLAN tagging with OpenFlow for WLAN access networks,” Procedia Comput. Sci., vol. 94, pp. 497–501, 2016.
[37] T. Javid, T. Riaz, and A. Rasheed, “A layer2 firewall for software defined network,” in Proc. IEEE Inf. Assurance Cyber Security, 2014, pp. 39–42.
[38] S. Shin and G. Gu, “Cloudwatcher: Network security monitoring using OpenFlow in dynamic cloud networks,” in Proc. IEEE Int. Conf. Netw. Protocols, Austin, TX, USA, 2012, pp. 1–6.
[39] T. Koorevaar, “Dynamic enforcement of security policies in multi-tenant cloud networks,” M.S. thesis, Dept. Genie Comput., Genie Softw. Polytech. School, Univ. Montreal, QC, Canada, 2012.

Yunfei Meng received the B.S. and M.S. degrees in computer science from Shandong University, China, in 2001 and 2004, respectively. He is currently pursuing the Ph.D. degree with the College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, China. He ever was a Software Engineer with the Department of OSS/BSS Enterprise Planning, Shandong Telecom Inc., China. His research interests mainly include privacy-aware system, SDN/NFV techniques, cloud computing, and formal methods.

Zhiqiu Huang received the B.S. and M.S. degrees in computer science from the National University of Defense Technology, China, and the Ph.D. degree in computer science from the Nanjing University of Aeronautics and Astronautics, China, where he is currently a Full Professor with the College of Computer Science and Technology. His research interests mainly include formal method, cloud computing, network security, and privacy preservation.

Guohua Shen received the Ph.D. degree in computer science from the Nanjing University of Aeronautics and Astronautics, China, where he is currently an Assistant Professor with the College of Computer Science and Technology. His research interests mainly include semantic Web, cloud computing, and formal method.

Changbo Ke received the B.S. and M.S. degrees in computer science from the Kunming University of Science and Technology, China, in 2008 and 2010, respectively, and the Ph.D. degree in computer science from the Nanjing University of Aeronautics and Astronautics, China, in 2014. He is currently a Lecturer with the Nanjing University of Posts and Telecommunications, China. His research interests mainly include security enforcement and privacy preservation of information system, and cloud computing and ontology-based software engineering.
