

IEEE SYSTEMS JOURNAL, VOL. 12, NO. 3, SEPTEMBER 2018 2473

Novel Framework of Risk-Aware Virtual Network Embedding in Optical Data Center Networks

Weigang Hou, Member, IEEE, Zhaolong Ning, Member, IEEE, Lei Guo, Member, IEEE, Zhikui Chen, and Mohammad S. Obaidat, Fellow, IEEE

Abstract—The traffic between geographically distributed data centers (DCs) is becoming bandwidth hungry. Because optical interconnection offers high capacity, the optical data center network (ODCN), in which DCs sit at the edge of an optical backbone, has emerged. Through virtualization, virtual networks representing service requirements are embedded onto the same part of the substrate ODCN. Each virtual network consists of virtual machine (VM) nodes interconnected by virtual links (VLs). A virtual network embedding (VNE) operation therefore has two components: 1) VM mapping, which places a VM into a server of an appropriate DC, and 2) VL mapping, which establishes one substrate path to carry inter-VM communications. This paper focuses on a risk-aware VNE framework, because a blind VNE operation can cause severe information leakage among VMs co-resident on the same server. By evaluating VM threat and vulnerability, risky VMs are identified from experimental results. A risk-aware VNE heuristic algorithm is then proposed to physically isolate risky VMs from safe ones. Simulation results show that the heuristic outperforms the benchmark in both maintaining ODCN security and earning rental revenue, and that its solution matches the problem bound closely.

Index Terms—Optical data center network (ODCN), risk detection and isolation, virtual network embedding.

I. INTRODUCTION

HIGH-CAPACITY optical interconnection is well suited to switching bandwidth-hungry traffic between geographically distributed data centers (DCs). Hence the optical data center network (ODCN), in which DCs are located at the edge of the optical backbone, has emerged. Virtualization is a promising way to share substrate ODCN resources: a service requirement is expressed as a virtual network whose virtual machine (VM) nodes are interconnected by virtual links (VLs), and the requirement is satisfied once that virtual network has been embedded onto the substrate ODCN. In each virtual network, the weight of a VM node is the amount of computation resource that one server must provide, and the weight of a VL is the bandwidth required by inter-VM communication. The virtual network embedding (VNE) operation therefore has two components: 1) VM mapping, which places a VM into a server of an appropriate DC, and 2) VL mapping, which establishes one substrate path to carry inter-VM communications.

Fig. 1 shows an ODCN instance in which four DCs are interconnected by the fiber links of the optical backbone. Two service requirements are shown as virtual networks, each with two VM nodes and one VL. In each virtual network, one VM node is mapped onto the source optical cross-connect (OXC) and the other onto the most appropriate server in the destination DC. In general, the source OXC is premapped by the VM node at which the service request is generated, so the task is to determine the destination DC that has the most appropriate server for the other VM node. VL mapping is then invoked on the VM-mapping result, i.e., a substrate path is computed from the source OXC to the chosen destination DC. In Fig. 1, the VM nodes VM2 and VM3, which belong to two different virtual networks, are mapped onto the same server in DC4, and the two substrate paths (OXC1 to DC4, and OXC2 to DC4) share one common fiber link. Efficient VNE operations thus achieve the sharing of substrate resources. Note that VNE services based on inter-DC communication are outside the scope of this paper.

Manuscript received November 10, 2016; revised January 16, 2017; accepted February 7, 2017. Date of publication March 15, 2017; date of current version August 23, 2018. This work was supported in part by the National Natural Science Foundation of China under Grant 61401082, Grant 61471109, Grant 61502075, Grant 61672123, Grant 91438110, and Grant U1301253, in part by the Fundamental Research Funds for Central Universities under Grant N161604004, Grant N161608001, and Grant N150401002, in part by the Liaoning BaiQianWan Talents Program, Liaoning Province Doctor Startup Fund under Grant 201501166, in part by the China Post-Doctoral Science Foundation Project under Grant 2015M580224, and in part by the National High-Level Personnel Special Support Program for Youth Top-Notch Talent. (Corresponding authors: Zhaolong Ning; Lei Guo.)

W. Hou and L. Guo are with the Key Laboratory of Medical Image Computing of Northeastern University, Ministry of Education, Shenyang 110819, China, and also with the School of Computer Science and Engineering, Northeastern University, Shenyang 110819, China (e-mail: [email protected]; [email protected]).

Z. Ning and Z. Chen are with the School of Software, Dalian University of Technology, Dalian 116024, China (e-mail: [email protected]; [email protected]).

M. S. Obaidat is with the Department of Computer and Information Science, Fordham University, Bronx, NY 10458 USA (e-mail: [email protected]).

Digital Object Identifier 10.1109/JSYST.2017.2673828

Fig. 1. VNE in an ODCN instance.

Fig. 2. Our design framework.

1937-9234 © 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications standards/publications/rights/index.html for more information.

A. Motivation

However, a blind VNE operation results in severe information leakage among VMs co-resident on the same server, and this vulnerability persists even when the VMs run on different cores of that server. Take the cross-VM covert channel risk [1], [2] as an example: at cross-VM channel transmission rates of 215.11 b/s and 85.86 b/s, the corresponding error rates are 5% and 1%, respectively. If risky VMs cannot be identified in advance, a subsequent blind VNE operation leads to this leakage and even to hardware attacks [3]. These problems threaten ODCN security.

Two kinds of monitoring model exist, distinguished by where the VM is measured: in-VM monitoring and out-of-VM monitoring [4]. In-VM measurement detects attacks that affect or modify executable contents, but it adapts poorly to dynamic attacks. Out-of-VM monitoring is safer, since the security applications are placed outside the VMs, but the frequent VM switches impose a large overhead. A novel risk assessment (RA) model is therefore needed that identifies VM threat and vulnerability from historical data before VNE operations are executed, i.e., measurement before execution.

On the other hand, many works have investigated VNE in ODCNs [5]–[14]. In [5] and [6], the authors designed VNE algorithms based on auxiliary graphs to coordinate VM and VL mapping. In [7], they further proposed VNE algorithms that satisfy explicit availability requirements of VMs and VLs. However, specialized risk-aware VNE in ODCNs has been overlooked [15].

B. Contributions

Our design framework is shown in Fig. 2. The main contributions are summarized as follows.

1) We develop a novel RA model that detects risky VMs in a particular future time epoch from historical data. By evaluating VM threat and vulnerability, risky VMs are identified according to experimental results.

2) We then execute an offline risk-aware VNE heuristic algorithm that physically isolates risky VMs from safe ones. In this heuristic, risky VMs are mapped onto dedicated servers, so that the remaining servers, which hold only safe VMs, are safe; VL mapping is then invoked on the VM-mapping result.

3) To verify the optimality of the design framework, we derive the upper bound, namely the maximal number of safe servers.

4) Simulation results show that: a) our solution outperforms the benchmark in maintaining ODCN security and earning rental revenue, with improvement ratios of 19.5% and 7.8%, respectively, and b) the algorithm solution matches the problem bound closely, with a convergence ratio of 80.2%.


HOU et al.: NOVEL FRAMEWORK OF RISK-AWARE VIRTUAL NETWORK EMBEDDING IN ODCNs 2475

C. Organization

The rest of this paper is organized as follows. Section II gives an overview of our RA model. Section III describes the problem in detail, including the mathematical formulation, the proof of NP-hardness, and the bound analysis. Section IV proposes a heuristic algorithm that solves the problem in a short time. Experimental and simulation results are given in Section V, and Section VI concludes the paper.

$$Th_i = \begin{cases} 5, & F_i^j \ge 1 \text{ for } j = \text{``one day''} \\ 4, & F_i^j \ge 1 \text{ for } j = \text{``one week''} \\ 3, & F_i^j \ge 1 \text{ for } j = \text{``one month''} \\ 2, & F_i^j \ge 1 \text{ for } j = \text{``six months''} \\ 1, & \text{else} \end{cases} \qquad (1)$$

$$V_i \leftarrow \begin{cases} V_i + 1, & 30\% < Per_i \le 60\% \\ V_i + 2, & 60\% < Per_i \le 80\% \\ V_i + 3, & Per_i > 80\% \end{cases} \qquad (2)$$

II. RISK ASSESSMENT MODEL

In this section, a novel RA model is developed. There are three elements in our RA model.

1) Asset is the valuable resource, i.e., the predetermined VM size.

2) Threat is the factor that threatens the ODCN security.

3) Vulnerability is the resource preempted by threats.

We consider that every element is evaluated as an integer lying between 1 and 5.

A. Threat Evaluation

Threat is defined as the frequency of dynamic attacks on one VM type. Over a given time period, we measure the threat with the software OSSEC installed on the CentOS 6.5 operating system. Once a VM type is attacked, the attack information is sent to a local host and then transferred to the destination e-mail in the form of a "/etc/mail" file. Fig. 2(a) shows a list of e-mails notifying attacks on different types of VMs (from guest0 to guest4). $F_i^j$ records the frequency of occurrence of the threat $Th_i$ within a historical time period $j$; $Th_i$ is then determined by (1).

B. Vulnerability Evaluation

Vulnerability changes with the historical resource utilization of VMs. The dynamic resource utilization is captured with the Nagios software. Since the stock version monitors local information rather than resource usage, an additional component, NRPE, is deployed with it. Fig. 2(b) shows the corresponding monitoring interface, where the magnifier button can be pressed to observe the detailed variation of CPU utilization. For example, the CPU utilization of the "guest0" type of VMs is displayed in the PnP graph of Fig. 2(c). We define the average utilization ratio of the $i$th type of VM resource (e.g., CPU) as $Per_i = Ave_i / Max_i$, where $Ave_i$ and $Max_i$ are the average and maximal amount of the type-$i$ resource occupied by all VMs, respectively. The historical data of $Ave_i$ and $Max_i$ are read from the PnP graphs, and the vulnerability $V_i$ is updated according to (2). If the updated value of $V_i$ exceeds 5, it is clamped to $V_i = 5$.

C. Risk Assessment

The multiplication approach is used to compute the risk value once the mapping relation $U(Th) = \{V\}$ is determined. Here, $Th$ is a threat and $V$ is the set of vulnerability degrees maliciously exploited by the threat $Th$. As an example, for a VM type with mapping relations $U(Th_1) = \{V_1\}$, $U(Th_2) = \{V_2, V_3\}$, and $U(Th_3) = \{V_4\}$, we determine the threats $\{Th_1, Th_2, Th_3\}$ and vulnerability degrees $\{V_1, V_2, V_3, V_4\}$ from the monitoring results of the software above. This VM type then has four categories of risk value:

$$R_1 = R(A, Th_1, V_1) = \sqrt{Th_1 \cdot V_1} \times \sqrt{A \cdot V_1}, \qquad R_2 = R(A, Th_2, V_2) = \sqrt{Th_2 \cdot V_2} \times \sqrt{A \cdot V_2},$$

$$R_3 = R(A, Th_2, V_3) = \sqrt{Th_2 \cdot V_3} \times \sqrt{A \cdot V_3}, \qquad R_4 = R(A, Th_3, V_4) = \sqrt{Th_3 \cdot V_4} \times \sqrt{A \cdot V_4}.$$

Here, $A$ denotes the VM asset. Finally, the risky VMs, i.e., those with unacceptable risk values, are identified for a particular future time epoch from the historical data. An unacceptable risk value is defined by a specified threshold that determines the level of risk we cannot tolerate. In the following sections, the risk-aware VNE problem is formulated and solved so as to achieve physical isolation between risky and safe VMs.

III. PROBLEM STATEMENTS FOR RISK-AWARE VIRTUAL NETWORK EMBEDDING

In this section, the system model is first introduced. Next, we mathematically formulate the risk-aware VNE (RVNE) problem and analyze the problem bound.

A. System Model

To model the optical backbone of the substrate ODCN, we denote by $N$ the set of OXCs and by $E$ the set of bidirectional fiber links. In addition, $D$ is the set of DCs located at the edge of the optical backbone. Each fiber link has $W$ wavelengths, each with an initial bandwidth provisioning $LC$. Every DC has $P$ networked servers, each with an initial capacity $SC$. The system has a time window of $T$ sequential future time epochs and accepts $C$ types of VMs in each epoch. A service requirement is represented by the 6-tuple $\langle s, d, c, A_c, r_c, b_c \rangle$: $s$ is the VM node mapped onto the substrate source OXC; $d$ is the VM node mapped onto an appropriate server in the destination DC; $c$ ($c \in [1, C]$) is the type index; $A_c$ is the asset, proportional to the size $r_c$ of type-$c$ VMs; and $b_c$ is the link bandwidth requirement, which is lower than $LC$. The important notations and variables are listed in Table I.

B. Problem Formulation

Based on the system model, we investigate the RVNE problem in ODCNs.


TABLE I
LIST OF NOTATIONS

Notation: Definition

$N$: The set of OXCs in the optical backbone of the substrate ODCN.
$E$: The set of bidirectional fiber links in the optical backbone of the substrate ODCN.
$D$: The set of DCs located at the edge of the optical backbone in the substrate ODCN, with $|D| < |N|$.
$LC$: The initial bandwidth provisioning of a wavelength deployed in a fiber link.
$P$: The number of networked servers in each DC.
$SC$: The initial capacity of a networked server deployed in each DC.
$T$: The number of sequential future time epochs within a time window.
$C$: The number of VM types in each future time epoch.
$s$: The VM node mapped onto the substrate source OXC.
$d$: The VM node mapped onto an appropriate server in the destination DC.
$c$: The type index, $c \in [1, C]$.
$A_c$: The asset of type-$c$ VMs.
$r_c$: The size of type-$c$ VMs.
$b_c$: The link bandwidth requirement for communications among type-$c$ VMs, with $b_c < LC$.
$W$: The number of wavelengths in each fiber link.
$\delta^t_{sr}$: The set of service requirements that have identified risky VMs during the future time epoch $t$ ($t \in [1, T]$).
$sr^{i,t}_c$: The $i$th service requirement, which has an identified risky type-$c$ VM, during the future time epoch $t$, with $i \in [1, |\delta^t_{sr}|]$.
$\Omega^t_{sr}$: The set of service requirements that have safe VMs during the future time epoch $t$ (the original glyph for this set did not survive extraction; $\Omega$ is used for it throughout).
$ssr^{j,t}_c$: The $j$th service requirement, which has a safe type-$c$ VM, during the future time epoch $t$, with $j \in [1, |\Omega^t_{sr}|]$.
$\alpha^{p,dc}_{i,c,t}$: A binary variable. It is 0 if the risky type-$c$ VM owned by the $i$th service requirement from $\delta^t_{sr}$ is mapped onto the $p$th server ($p \in [1, P]$) in the destination DC $dc$ ($dc \in [1, |D|]$); otherwise it is 1.
$\beta^{p,dc}_{j,c,t}$: A binary variable. It is 1 if the safe type-$c$ VM owned by the $j$th service requirement from $\Omega^t_{sr}$ is mapped onto the $p$th server in the destination DC $dc$; otherwise it is 0.
$\phi^{s,dc,\lambda}_{i,c,t}$: A binary variable. It is 1 if the service requirement $sr^{i,t}_c$ subscribes the substrate path $l^{\lambda}_{s,dc}$ consuming the wavelength $\lambda$ ($\lambda \in [1, W]$) from the source OXC mapped by $s$ to $dc$; otherwise it is 0.
$\varphi^{s,dc,\lambda}_{j,c,t}$: A binary variable. It is 1 if the service requirement $ssr^{j,t}_c$ subscribes the substrate path $l^{\lambda}_{s,dc}$ consuming the wavelength $\lambda$ from the source OXC mapped by $s$ to $dc$; otherwise it is 0.

First of all, the server $p$ in the destination DC $dc$ is safe if all of the VMs it carries are safe. Thus, for a safe server, we have the following constraint:

$$\forall p, dc:\; \Bigg[\prod_{i \in \delta^t_{sr}} \prod_{j \in \Omega^t_{sr}} \prod_{c \in [1,C]} \prod_{t \in [1,T]} \left(\alpha^{p,dc}_{i,c,t} \cdot \beta^{p,dc}_{j,c,t}\right)\Bigg] = 1. \qquad (3)$$

Next, our objective is to maximize the number of safe servers. Therefore, we formulate the problem with the following objective function:

$$\text{Maximize:} \quad \sum_{dc \in D} \sum_{p \in [1,P]} \Bigg[\prod_{i \in \delta^t_{sr}} \prod_{j \in \Omega^t_{sr}} \prod_{c \in [1,C]} \prod_{t \in [1,T]} \left(\alpha^{p,dc}_{i,c,t} \cdot \beta^{p,dc}_{j,c,t}\right)\Bigg]. \qquad (4)$$

The above objective shall satisfy a number of constraints.

1) Wavelength-Continuity Constraints:

$$\sum_{\lambda=1}^{W} \phi^{s,dc,\lambda}_{i,c,t} \le 1 \quad \forall i, c, s, dc, t \qquad (5)$$

$$\sum_{\lambda=1}^{W} \varphi^{s,dc,\lambda}_{j,c,t} \le 1 \quad \forall j, c, s, dc, t. \qquad (6)$$

Here, (5) and (6) mean that only one wavelength is allocated to the substrate path. A service requirement may be satisfied by a substrate path from the source OXC to the destination DC that consists of a sequential group of shorter substrate paths. In that case, we allow these shorter paths to use different wavelengths; in other words, wavelength conversion can be performed at the intermediate node between two shorter paths.

2) Bandwidth Constraint:

$$\forall s, dc, \lambda:\; b_c \cdot \Bigg[\sum_{t=1}^{T} \sum_{i \in \delta^t_{sr}} \sum_{c=1}^{C} \phi^{s,dc,\lambda}_{i,c,t} + \sum_{t=1}^{T} \sum_{j \in \Omega^t_{sr}} \sum_{c=1}^{C} \varphi^{s,dc,\lambda}_{j,c,t}\Bigg] \le LC. \qquad (7)$$

Here, (7) means that the maximal number of service requirements on a substrate path is constrained by the wavelength capacity.

3) VM-Integrity Constraints:

$$\sum_{p \in dc,\, p=1}^{P} \left(1 - \alpha^{p,dc}_{i,c,t}\right) \le 1 \quad \forall i, c, t, dc, \qquad (8)$$

$$\sum_{p \in dc,\, p=1}^{P} \beta^{p,dc}_{j,c,t} \le 1 \quad \forall j, c, t, dc. \qquad (9)$$

Here, (8) and (9) indicate that no VM can be divided into smaller parts accommodated by different servers in the destination DC.

4) DC-Resource Constraint:

$$\forall p, dc:\; r_c \cdot \Bigg[\sum_{t=1}^{T} \sum_{i \in \delta^t_{sr}} \sum_{c=1}^{C} \left(1 - \alpha^{p,dc}_{i,c,t}\right) + \sum_{t=1}^{T} \sum_{j \in \Omega^t_{sr}} \sum_{c=1}^{C} \beta^{p,dc}_{j,c,t}\Bigg] \le SC. \qquad (10)$$

Here, (10) indicates that the maximal number of VMs mapped onto a server is constrained by the server capacity.

C. Problem Transformation

First of all, the cloud provider earns the following total rental revenue:

$$\sum_{t=1}^{T} \sum_{i \in \delta^t_{sr}} \sum_{c=1}^{C} \sum_{dc \in D} \sum_{p=1}^{P} \sum_{\lambda=1}^{W} A_c \cdot \left(1 - \alpha^{p,dc}_{i,c,t}\right) \cdot \phi^{s,dc,\lambda}_{i,c,t} + \sum_{t=1}^{T} \sum_{j \in \Omega^t_{sr}} \sum_{c=1}^{C} \sum_{dc \in D} \sum_{p=1}^{P} \sum_{\lambda=1}^{W} A_c \cdot \beta^{p,dc}_{j,c,t} \cdot \varphi^{s,dc,\lambda}_{j,c,t}. \qquad (11)$$


In (11), the first term is the total revenue from renting substrate ODCN resources to service requirements that have risky VMs; the second term is the total revenue from renting substrate ODCN resources to service requirements that have safe VMs.

As expressed by (4), the condition $\alpha^{p,dc}_{i,c,t} = \beta^{p,dc}_{j,c,t} = 1$ should be satisfied to obtain more safe servers. Substituting $\alpha^{p,dc}_{i,c,t} = 1$ into (11) makes its first term, the revenue earned from risky VMs, vanish, so the objective function is transformed into (12).

$$\text{Maximize:} \quad \sum_{t=1}^{T} \sum_{j \in \Omega^t_{sr}} \sum_{c=1}^{C} \sum_{dc \in D} \sum_{p=1}^{P} \sum_{\lambda=1}^{W} A_c \cdot \beta^{p,dc}_{j,c,t} \cdot \varphi^{s,dc,\lambda}_{j,c,t}. \qquad (12)$$

D. Proof of NP-Hardness

Theorem 1: The RVNE problem is NP-hard.

Proof: As shown in (12), if the decision variable $\varphi^{s,dc,\lambda}_{j,c,t}$ is dropped, the problem degenerates into the NP-hard knapsack problem. Similarly, if the decision variable $\beta^{p,dc}_{j,c,t}$ is dropped, the problem degenerates into the NP-hard graph coloring problem. Therefore, our problem is NP-hard. □

E. Bound Analysis

Using our RA model, the risky VMs, i.e., those with unacceptable risk values, are identified for a particular future time epoch $t$. Let $M^t_c$ denote the number of type-$c$ risky VMs at epoch $t$; then

$$\Xi = \sum_{t=1}^{T} \sum_{c=1}^{C} \left(M^t_c \cdot r_c\right)$$

is the total computing-resource requirement of the identified risky VMs (the original symbol for this total did not survive extraction; $\Xi$ is used here). Next, assuming that the servers are replaced by one single server with aggregated computing resources, we obtain the minimal number of servers that hold risky VM(s):

$$\aleph_{\min} = \frac{\Xi}{SC} = \frac{\sum_{t=1}^{T} \sum_{c=1}^{C} \left(M^t_c \cdot r_c\right)}{SC}. \qquad (13)$$

Then, the maximal number of safe servers, which hold only safe VMs, is

$$\aleph_{\max} = |D| \times P - \aleph_{\min}. \qquad (14)$$

Equation (14) is the upper bound against which the optimality of our RVNE heuristic algorithm is demonstrated.

IV. HEURISTIC ALGORITHM

Since the RVNE problem is NP-hard by nature, we propose a heuristic algorithm to solve it. Note that risky VMs are identified before this offline heuristic algorithm is executed.

A. Algorithm Description

The steps of our RVNE heuristic algorithm, whose main body is Algorithm 1, are as follows.

1) (Line 3 of Algorithm 1) We initialize $\delta^t_{sr}$, the set of service requirements that have risky VMs identified by our RA model, and $\Omega^t_{sr}$, the set of service requirements that have safe VMs, so that different VNE operations can be applied to the two groups.

2) (Lines 4–10 of Algorithm 1) Each safe service requirement is processed by the 1∗ VNE operation, which consists of destination DC selection, traffic grooming, and server consolidation.

3) In destination DC selection (Algorithm 2), the chosen destination DC $dc$ is the nearest DC that has a server $p$ with enough residual capacity $rc_p$ to hold the corresponding VM.

4) In traffic grooming (Algorithm 3), a substrate path $ph$ is found from the source OXC to $dc$. The link bandwidth requirement is always smaller than the capacity $LC$ of one wavelength, so traffic grooming lets as many service requirements as possible share the same substrate path. For instance, with $b_c = 10$ and $LC = 40$, at most three further service requirements can share the substrate path $ph_{prebuilt}(dc)$ built for the first one, provided they have the same source OXC and the same destination DC $dc$. If $ph_{prebuilt}(dc)$ cannot be found, the service requirement may occupy a substrate path composed of a sequential group of prebuilt shorter substrate paths, $ph_{prebuilts}(dc)$.

5) In server consolidation (Algorithm 4), the VM is mapped onto the first server within the destination DC $dc$ that can hold it.

6) (Lines 11–16 of Algorithm 1) Each risky service requirement is processed by the 2∗ VNE operation, which performs traffic grooming and server consolidation in the same way. As noted above, a server becomes dangerous once it carries a risky VM; therefore, to minimize the number of risky servers, the selected server must already have the risky attribute or must not have launched any VM.

With this heuristic, each dangerous server contains only risky VMs (2∗ VNE operation), and the other servers, which accommodate only safe VMs (1∗ VNE operation), are safe.

B. Complexity Analysis

As shown in Algorithm 1, executing the 1∗ VNE operation involves running DC selection, traffic grooming, and server consolidation $T \cdot |\Omega^t_{sr}|$ times. As illustrated in Algorithm 2, the time complexity of DC selection is $O(|D| \cdot P)$. Thus, the total time complexity of executing the 1∗ VNE operation is about $O(T \cdot |\Omega^t_{sr}| \cdot |D| \cdot P)$. Similarly, the time complexity of executing the 2∗ VNE operation is approximately $O(T \cdot |\delta^t_{sr}| \cdot |D| \cdot P)$.

V. EXPERIMENT AND SIMULATION RESULTS

In this section, we experimentally demonstrate the feasibility of our RA model. Next, we test the performance of the proposed heuristic algorithm by using simulations.

A. Experiment Results

The software OSSEC and NRPE-supported Nagios are con-figured in our KVM+Centos6.5 experimental environment, inorder to identify the VM threat and vulnerability. We thenidentify risky VMs—which have unacceptable risk values ina particular future time epoch—by using our RA model. An

Page 6: Novel Framework of Risk-Aware Virtual Network Embedding in ...thealphalab.org/papers/Novel Framework of Risk-Aware Virtual Netw… · By virtualization, the virtual networks ... Liaoning

2478 IEEE SYSTEMS JOURNAL, VOL. 12, NO. 3, SEPTEMBER 2018

Algorithm 1: Main Body.

Require: N,E,D, P, LC, SC, T,W,Mtc , and settings of

service requirements with C types of VMs at each timeepoch.

1: Initialize the set of safe servers �← ∅;2: for t = 1, . . . , T do3: Initialize two sets: δt

sr ← {sri,tc |c ∈ [1, C], i ∈

[1,Mtc ]},

�tsr ← {s srj,t

c |c ∈ [1, C], j ∈ [1, |�tsr |]};

4: while |�tsr | �= 0 do

5: s srj,tc ← �t

sr .top;6: Execute (Algorithm 2) destination DC selection

for s srj,tc ;

7: Execute (Algorithm 3) traffic grooming fors srj,t

c ;8: Execute (Algorithm 4) server consolidation for

s srj,tc ;

9: �tsr .pop;

10: end while11: while |δt

sr | �= 0 do12: sri,t

c ← δtsr .top;

13: dc← {dc ∈ D, p ∈ dc, rcp ≥ rc , p property =risky} ∪ {dc ∈ D, p ∈ dc, rcp = SC};

14: Execute (Algorithm 3) traffic grooming for sri,tc ;

15: Execute (Algorithm 4) server consolidation forsri,t

c ;16: end while17: end for18: �← {p|p ∈ dc, dc ∈ D, p property = safe};19: Return the number of safe servers ℵ ← |�|;20: Return the total revenue according to (11).

unacceptable risk value has a specified threshold standard, whichdetermines what level of risk we cannot tolerate. In our experi-ments, this threshold is 90%. As mentioned in Section II-C, oneVM type may have different categories of risk values since it hasmore than one mapping relations. To simplify our experiment,we use the software LOIC (Low Orbit Ion Cannon) to emulate aunique DoS attack corresponding to only one mapping relation.In other words, each VM type has only one category of riskvalues. Five types (i.e., C = 5) of VMs (from guest0 to guest4)orderly have {3, 1, 2, 2, 1} CPUs, {2048, 1024, 1024, 2048,2048} memory size, and {A1 = 5, A2 = 1, A3 = 2, A4 = 4,A5 = 3} asset.

In Fig. 3(a)–(e), where T = 24: the "guest0" type of VMs has an unacceptable risk value at the 12th and the 22nd future time epochs; the "guest1" type of VMs is safe; the "guest2" type of VMs has an unacceptable risk value at the 6th future time epoch; the "guest3" type of VMs has an unacceptable risk value at the 2nd and the 20th future time epochs; the "guest4" type of VMs has an unacceptable risk value at the 8th and the 23rd future time epochs.

Next, our heuristic algorithm is executed offline to perform the physical isolation between risky and safe VMs.

Algorithm 2: Destination DC Selection.

1: for $k \in D$ do
2: $\forall dc_k$;
3: for $p \in dc_k$ do
4: if $rc_p \ge r_c$ then
5: The candidate destination DCs: $ADS \leftarrow \{dc_k\}$;
6: Break;
7: end if
8: end for
9: end for
10: while $|ADS| \neq 0$ do
11: $dc_k \leftarrow ADS.\mathrm{top}$;
12: Compute the shortest substrate path $Ph_k$ from the source OXC to $dc_k$;
13: $ADS.\mathrm{pop}$;
14: $Ph^*_k \leftarrow \arg\min Ph_k$;
15: end while
16: Return $dc \leftarrow Ph^*_k.\mathrm{destination}$.

Algorithm 3: Traffic Grooming.

1: if $ph_{\mathrm{prebuilt}}(dc)$ is found then
2: $ph \leftarrow ph_{\mathrm{prebuilt}}(dc)$;
3: end if
4: if $ph_{\mathrm{prebuilt}}(dc)$ is not found then
5: $ph_{\mathrm{prebuilt}}(dc) \leftarrow \mathrm{Dijkstra}(\text{source OXC}, dc)$;
6: $ph \leftarrow ph_{\mathrm{prebuilt}}(dc)$;
7: end if
8: Return $ph$.

Algorithm 4: Server Consolidation.

1: for $p \in dc$ do
2: if $rc_p \ge r_c$ then
3: Put the VM into server $p$ of the destination DC $dc$;
4: Break;
5: end if
6: end for
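As an added illustration, and not the authors' simulator, the following Python model executes the placement rule that Algorithms 1 and 4 describe for one time epoch and compares it with a blind first-fit benchmark, using the number of safe servers as the metric. The destination DC selection of Algorithm 2 and the path grooming of Algorithm 3 are replaced by trying the DCs in index order, because the constructed substrate carries no distances; the server capacity, the VM sizes, the risk flags and the request list are constructed sample values, and the function and variable names are mine.

```python
# Added example (not the paper's code): risk-aware VM placement of
# Algorithms 1 and 4 versus blind first fit, scored by safe servers.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Server:
    capacity: int                 # SC: server capacity (constructed value)
    used: int = 0
    vms: List[str] = field(default_factory=list)
    risky: bool = False           # p.property = risky once a risky VM lands here

    @property
    def free(self) -> int:        # rc_p: residual capacity of server p
        return self.capacity - self.used

    @property
    def empty(self) -> bool:      # rc_p = SC: no VM placed yet
        return self.used == 0


def build_odcn(num_dcs: int, servers_per_dc: int, sc: int) -> Dict[str, List[Server]]:
    """Constructed substrate: |D| data centres with P servers of capacity SC each."""
    return {f"dc{k}": [Server(sc) for _ in range(servers_per_dc)]
            for k in range(num_dcs)}


def consolidate(dc: List[Server], name: str, size: int, risky: bool,
                isolate: bool) -> bool:
    """Algorithm 4: the first server p of the DC with rc_p >= r_c takes the VM.
    With isolate=True a risky VM may only enter a server that is already risky
    or still empty, which is the DC filter of Algorithm 1, line 13."""
    for p in dc:
        if p.free < size:
            continue
        if isolate and risky and not (p.risky or p.empty):
            continue
        p.used += size
        p.vms.append(name)
        p.risky = p.risky or risky
        return True
    return False


def place(odcn: Dict[str, List[Server]], requests: List[Tuple[str, int, bool]],
          risk_aware: bool) -> int:
    """Place one epoch of (name, r_c, is_risky) requests; returns the rejections.
    risk_aware=True: safe requests first, then risky ones under isolation
    (Algorithm 1). risk_aware=False: blind first fit in arrival order."""
    if risk_aware:
        ordered = [r for r in requests if not r[2]] + [r for r in requests if r[2]]
    else:
        ordered = list(requests)
    rejected = 0
    for name, size, risky in ordered:
        # Algorithm 2 would pick the DC by shortest substrate path; the
        # constructed topology has no distances, so DCs are tried in order.
        if not any(consolidate(dc, name, size, risky, isolate=risk_aware)
                   for dc in odcn.values()):
            rejected += 1
    return rejected


def safe_servers(odcn: Dict[str, List[Server]]) -> int:
    """Aleph of Algorithm 1, line 19: servers that never hosted a risky VM."""
    return sum(1 for dc in odcn.values() for p in dc if not p.risky)


def protection_ratio(odcn: Dict[str, List[Server]]) -> float:
    """Safe servers divided by all deployed servers."""
    total = sum(len(dc) for dc in odcn.values())
    return safe_servers(odcn) / total


# Constructed epoch: five VM types with normalised sizes and the risk verdict
# that a risk-assessment step would attach to each request.
REQUESTS = [
    ("guest0-1", 6, True), ("guest1-1", 1, False), ("guest2-1", 2, True),
    ("guest3-1", 4, False), ("guest4-1", 2, False), ("guest1-2", 1, False),
    ("guest3-2", 4, False), ("guest0-2", 6, True), ("guest2-2", 2, True),
    ("guest4-2", 2, False),
]


def run(risk_aware: bool, num_dcs: int = 2, servers_per_dc: int = 4,
        sc: int = 8) -> Tuple[int, int, float]:
    """Returns (safe servers, rejected requests, protection ratio)."""
    odcn = build_odcn(num_dcs, servers_per_dc, sc)
    rejected = place(odcn, REQUESTS, risk_aware)
    return safe_servers(odcn), rejected, protection_ratio(odcn)


if __name__ == "__main__":
    for mode in (False, True):
        print("risk-aware" if mode else "blind     ", run(mode))
```

With two DCs of four servers each, blind first fit lets every server of the first DC host a risky VM, leaving four safe servers, while the isolation rule confines the risky VMs to two servers and leaves six safe. Shrinking the substrate to a single DC with two servers shows the trade-off the paper's VNE' benchmark captures: isolation then rejects the risky requests it cannot place on a risky or empty server, whereas the blind placement accepts them and turns every server dangerous.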

B. Simulation Settings

To demonstrate the effectiveness of our RVNE heuristic algorithm by simulation, we compare the number of safe servers between VNE (benchmark) [5], [6] and our RVNE; we also compare the total rental revenue between RVNE and the VNE (benchmark) that denies risky service requirements (i.e., VNE'). The total rental revenue is calculated by (11).

1) In benchmarks [5], [6], virtual networks have different numbers of VM nodes that are embedded onto various DCs. To ensure fairness, each virtual network is assumed to have two VM nodes when we perform benchmarks [5], [6], and one of the VM nodes is mapped onto the source OXC instead of the source DC.

2) The test ODCN topology is the 14-node (|N| = 14) and 21-edge (|E| = 21) NSFNET deployed with four DCs (|D| = 4). These four DCs are located at the positions with the largest node degree.

HOU et al.: NOVEL FRAMEWORK OF RISK-AWARE VIRTUAL NETWORK EMBEDDING IN ODCNs 2479

Fig. 3. Experimental results.

3) We normalize the size of the five VM types: $r_1 = 3\,(\text{CPUs}) \times \frac{2048}{1024}\,(\text{Memory}) = 6$; $r_2 = 1 \times \frac{1024}{1024} = 1$; $r_3 = 2 \times \frac{1024}{1024} = 2$; $r_4 = 2 \times \frac{2048}{1024} = 4$; $r_5 = 1 \times \frac{2048}{1024} = 2$.

4) The number of the five service types generated during each time epoch follows {20, 20, 20, 20, 20}. In other words, each type has M = 20 service requirements.

Fig. 4. Number of safe servers versus number of servers per DC.

5) We let LC = OC-96, i.e., a wavelength has 96 optical carriers. We deploy W = 12 wavelengths on each fiber link. All service requirements have the same link bandwidth requirement, i.e., $b_c$ = OC-1, c ∈ [1, C].

6) In simulations, we consider $A_c = r_c$, c ∈ [1, C]. Thus, we serve large VMs first, since the earned rental revenue is proportional to the VM size. In other words, the "guest0" type of VMs, which has size $r_1 = 6$, will be served first.

7) All simulation results are obtained from a C++ simulator customized by us.

C. Simulation Results

In Fig. 4, we compare the number of safe servers among RVNE, VNE (benchmark) and the upper bound mentioned in Section III. Given SC = 120, we increase the value of P starting from $P_{\min}$ calculated in the following:

$$P_{\min} = \frac{\left[T \cdot \sum_{c \in [1,C]} (M \cdot r_c)\right]}{SC \cdot |D|} = 15. \qquad (15)$$

Here, the term $\left[T \cdot \sum_{c \in [1,C]} (M \cdot r_c)\right]$ denotes the total requirement of computing resources, and the term $(SC \cdot |D|)$ is the total server capacity. Thus, at least $P_{\min} = 15$ servers should be deployed at each DC so as to guarantee that all service requirements can be served. In other words, at least $(P_{\min} \cdot |D|) = 60$ servers should be deployed in the entire ODCN infrastructure.

In Fig. 4, the simulation results show that RVNE has a larger number of safe servers, with an improvement ratio of 19.9% over VNE (benchmark). This is because in RVNE the dangerous servers carry as many risky VMs as possible, so the other servers remain safe. In VNE (benchmark), however, without the physical isolation between risky and safe VMs, many servers become dangerous as soon as they carry a single risky VM. Moreover, the number of safe servers obtained by RVNE is very close to the upper bound, with a convergence ratio of 79%. This demonstrates the optimality of our RVNE.

In addition, Fig. 5 shows the protection ratio PR of RVNE using the same parameter setting as Fig. 4. The protection ratio PR is evaluated in the following:

$$PR = \frac{\aleph}{P \cdot |D|}. \qquad (16)$$

Fig. 5. Protection ratio versus number of servers per DC.

Fig. 6. Number of safe servers versus server capacity.

Here, ℵ is the number of safe servers. Obviously, we have 0 ≤ PR ≤ 1. When PR = 1, we have the best performance in maintaining ODCN security.

In Fig. 5, the simulation results show that the average protection ratio reaches 0.738. The protection ratio improves with the increasing number of deployed servers. The reason is that the number of dangerous servers remains unchanged once the server capacity is given, as can be seen in (13). As a result, there are more safe servers if we deploy a larger number of servers, leading to a higher protection ratio.

In Fig. 6, we also compare the number of safe servers among RVNE, VNE (benchmark) and the upper bound mentioned in Section III. Here, however, given P = 20, we increase the value of SC starting from $SC_{\min}$ calculated in the following:

$$SC_{\min} = \frac{\left[T \cdot \sum_{c \in [1,C]} (M \cdot r_c)\right]}{P \cdot |D|} = 90. \qquad (17)$$

Thus, the server capacity must be at least 90 so as to guarantee that all service requirements can be served. In Fig. 6, the simulation results show that RVNE has a larger number of safe servers, with an improvement ratio of 19.2% over VNE (benchmark). Moreover, the number of safe servers obtained by RVNE is very close to the upper bound, with a convergence ratio of 81.4%. This also demonstrates the optimality of our RVNE. In Fig. 7, we use the same parameter setting as Fig. 6, and the average protection ratio reaches 0.769. Moreover, the number of servers remains constant in Fig. 7, which means that the denominator of (16) is also constant. As for the numerator of (16), the number of safe servers remains unchanged if the server capacity varies within the small range [90, 110]. Therefore, the protection ratio remains unchanged within the range [90, 110] in Fig. 7. The same reason explains the behaviour within the ranges [130, 160] and [170, 180].

Fig. 7. Protection ratio versus server capacity.

Fig. 8. Total rental revenue versus server capacity.

Next, in Fig. 8, given P = 15, the total rental revenue of RVNE and VNE' is compared as SC increases starting from $SC_{\min}$ calculated as follows:

$$SC_{\min} = \frac{\left[T \cdot \sum_{c \in [1,C]} (M \cdot r_c)\right]}{P \cdot |D|} = 120. \qquad (18)$$

In Fig. 8, the simulation results show that RVNE has a higher total rental revenue, with an improvement ratio of 7.8% over VNE'. This is because RVNE lets dangerous servers carry risky VMs instead of denying their services. Additionally, the total rental revenue remains essentially unchanged because no service requirement is rejected.

In Fig. 9, given SC = 120, the total rental revenue is compared between RVNE and VNE' as P increases starting from $P_{\min}$ calculated in the following:

$$P_{\min} = \frac{\left[T \cdot \sum_{c \in [1,C]} (M \cdot r_c)\right]}{SC \cdot |D|} = 15. \qquad (19)$$


Fig. 9. Total rental revenue versus number of servers per DC.

Fig. 10. Running time versus server capacity.

We obtain the same simulation result as in Fig. 8. The simulation settings are the same (SC = 120 and P = 15) at the first test point, which ensures that we have the same total rental revenue in Figs. 8 and 9. After that, no service requirement is rejected, leading to an unchanged total rental revenue at the following test points in both figures. In addition, since we have the same traffic distribution for the service requirements, the total rental revenue is identical in the two figures.

Finally, RVNE has an acceptable running time on the order of seconds, as shown in Fig. 10. Using the same parameter setting as Fig. 8, we obtain a steady system status, in which all service requirements can be satisfied, after the first test point, leading to a smooth variation of the running time. Moreover, the running time, measured with a random simulation clock, does not necessarily vary linearly.

VI. CONCLUSION AND FUTURE WORK

In this paper, we have designed a novel RA model to identify risky VMs during a particular future time epoch. Next, a novel RVNE heuristic algorithm has been proposed to perform the physical isolation between risky and safe VMs. The simulation results have demonstrated that RVNE maintains ODCN security well, with a good average protection ratio of 0.75. More specifically, our RVNE has obtained a larger number of safe servers compared with the benchmark. The algorithm solution is very close to the upper bound we derived, which demonstrates the optimality of the algorithm. In future work, we will focus on designing a new offline heuristic algorithm that can overcome the replay attack that results in excessive optical bandwidth between any two risky VMs. In addition, we will further verify the prediction accuracy of our RA model in new application scenarios such as the Internet of Things [16], [17].

REFERENCES

[1] Y. Xu, M. Bailey, F. Jahanian, K. Joshi, M. Hiltunen, and R. Schlichting, “An exploration of L2 cache covert channels in virtualized environments,” in Proc. 3rd ACM Workshop Cloud Comput. Security Workshop, 2011, pp. 29–40.

[2] R. Zhang, W. Qi, and J. Wang, “Cross-VM covert channel risk assessment for cloud computing: An automated capacity profiler,” in Proc. IEEE Int. Conf. Netw. Protocol, 2014, pp. 25–36.

[3] D. Brumley and D. Boneh, “Remote timing attacks are practical,” Comput. Netw., vol. 48, no. 5, pp. 701–716, 2005.

[4] Y. Wang, Y. Mao, and Y. Luo, “An in-out-VM measurement architecture against dynamic attacks in clouds,” in Proc. IEEE 14th Int. Conf. Commun. Technol., 2012, pp. 761–767.

[5] L. Gong and Z. Zhu, “Virtual optical network embedding (VONE) over elastic optical networks,” J. Lightw. Technol., vol. 32, no. 3, pp. 450–460, Feb. 2014.

[6] L. Gong, W. Zhao, Y. Wen, and Z. Zhu, “Dynamic transparent virtual network embedding over elastic optical infrastructures,” in Proc. IEEE Int. Conf. Commun., 2013, pp. 3466–3470.

[7] H. Jiang, Y. Wang, L. Gong, and Z. Zhu, “Availability-aware survivable virtual network embedding in optical datacenter networks,” IEEE/OSA J. Opt. Commun. Netw., vol. 7, no. 12, pp. 1160–1171, Dec. 2015.

[8] J. Zhang et al., “Dynamic virtual network embedding over multilayer optical networks,” IEEE/OSA J. Opt. Commun. Netw., vol. 7, no. 9, pp. 918–927, Sep. 2015.

[9] J. Zhang, B. Mukherjee, J. Zhang, and Y. Zhao, “Dynamic virtual network embedding scheme based on network element slicing for elastic optical networks,” in Proc. Eur. Conf. Opt. Commun., 2013, pp. 1–3.

[10] S. Shakya, N. Pradhan, X. Cao, Z. Ye, and C. Qiao, “Virtual network embedding and reconfiguration in elastic optical networks,” in Proc. IEEE Global Commun. Conf., 2014, pp. 2160–2165.

[11] L. Nonde, H. El-Gorashi, and H. Elmirghani, “Green virtual network embedding in optical OFDM cloud networks,” in Proc. 16th Int. Conf. Transparent Opt. Netw., 2014, pp. 1–5.

[12] C. Yu, L. Guo, and W. Hou, “Novel elastic optical network embedding using re-optimized VCAT framework accompanied by hitless PPSM function,” J. Lightw. Technol., vol. 34, no. 22, pp. 5199–5213, Nov. 2016.

[13] C. Yu, W. Hou, W. Qi, and L. Guo, “Virtual concatenation-based elastic network embedding for inter-cloud-data-center networks,” in Proc. IEEE Int. Conf. Commun., 2015, pp. 1813–1819.

[14] X. Gong, Z. Ning, L. Guo, X. Wei, and Q. Song, “Location-recommendation-aware virtual network embedding in energy-efficient optical-wireless hybrid networks supporting 5G models,” IEEE Access, vol. 4, pp. 3065–3075, 2016.

[15] W. Hou, L. Guo, C. Yu, and Y. Zong, “Risk-aware virtual network embedding in optical data center networks,” in Proc. Optoelectron. Commun. Conf., 2016, pp. 1–3.

[16] T. Qiu et al., “A greedy model with small world for improving the robustness of heterogeneous Internet of Things,” Comput. Netw., vol. 101, pp. 127–143, 2016.

[17] T. Qiu et al., “An efficient tree-based self-organizing protocol for Internet of Things,” IEEE Access, vol. 4, pp. 3535–3546, 2016.

Weigang Hou (M’13) received the Ph.D. degree in communication and information systems from Northeastern University, Shenyang, China, in 2013.

He is currently an Associate Professor with the School of Computer Science and Engineering, Northeastern University, Shenyang, China. He has authored or co-authored more than 70 technical papers in the above areas in international journals and conferences. His research interests include Internet of Things, optical network+traffic grooming, optical network+SDN, optical network+cloud data center, and optical network+chip.

Dr. Hou is a member of the OSA.


Zhaolong Ning (M’14) received the M.S. and Ph.D. degrees from Northeastern University, Shenyang, China.

He was a Research Fellow with Kyushu University, Japan. He is an Assistant Professor with the School of Software, Dalian University of Technology, China. His research interests include social computing, big scholarly data, and network optimization.

Lei Guo (M’06) received the Ph.D. degree from the University of Electronic Science and Technology of China, Chengdu, China, in 2006.

He is a Professor with Northeastern University, Shenyang, China. He has authored or co-authored more than 200 technical papers in international journals and conferences. His current research interests include communication networks, optical communications, and wireless communications.

Dr. Guo is currently serving as an Editor for five international journals including Photonic Network Communications and The Open Optics Journal. He is a Senior Member of the CIC.

Zhikui Chen received the M.S. degree in mechanics and the Ph.D. degree in digital signal processing from Chongqing University, Chongqing, China, in 1993 and 1998, respectively.

He is currently a Full Professor with the Dalian University of Technology, China. He leads the Institute of Ubiquitous Network and Computing, Dalian University of Technology. His research interests are big data processing, mobile cloud computing, and ubiquitous network and its computing.

Dr. Chen was a General Program Chair for a dozen conferences.

Mohammad S. Obaidat (S’85–M’86–SM’91–F’05) received the M.S. and Ph.D. degrees in computer engineering (with a minor in computer science) from The Ohio State University, Columbus, OH, USA.

He is currently the Chair and Full Professor of computer and information science with Fordham University, Bronx, NY, USA. He has received extensive research funding and has authored more than 40 books and more than 650 refereed technical papers in scholarly international journals and proceedings of international conferences. His research interests include wireless communications and networks, telecommunications and networking systems, and security of networks.

Dr. Obaidat is the Editor-in-Chief of the Wiley International Journal of Communication Systems, the FTRA Journal of Convergence, and the KSIP Journal of Information Processing. He is also an Editor of IEEE WIRELESS COMMUNICATIONS. He is an Associate Editor/Editorial Board member of seven other refereed scholarly journals including two IEEE TRANSACTIONS, and some Elsevier journals.