Scalable Node-Centric Route Mutation for Defense of Large-Scale Software-Defined Networks

Exploiting software-defined networking techniques, randomly and instantly mutating routes can disguise strategically important infrastructure and protect the integrity of data networks. Route mutation has to date been formulated as an NP-complete constraint satisfaction problem, where feasible sets of routes need to be generated with exponential computational complexity, limiting algorithmic scalability to large-scale networks. In this paper, we propose a novel node-centric route mutation method which interprets route mutation as a signature matching problem. We formulate the route mutation problem as a three-dimensional earth mover’s distance (EMD) model and solve it by using a binary branch and bound method. For scalability, we further propose a heuristic method that yields significantly lower computational complexity with a marginal loss of robustness against eavesdropping. Simulation results show that our proposed methods can effectively disguise key infrastructure by reducing the difference of historically accumulative traffic among different switches. With significantly reduced complexity, our algorithms are of particular interest for safeguarding large-scale networks.


Introduction
Instantly mutating routes is a promising technique to protect the integrity of large data networks [1]. It can disguise strategically located important network infrastructures and delay or prevent potential reconnaissance attacks [2]. This is of particular interest to many practical networks delivering security-sensitive data, such as military networks [3] and banking systems [4]. On the other hand, software-defined networking (SDN) has been increasingly deployed. Centralized control in SDN facilitates mutating routes to disguise the strategically important switches and protect the network.
In general, route mutation is NP-complete constrained path selection in the presence of quality-of-service (QoS) considerations [5]. It has been formulated as a constraint satisfaction problem and solved by using satisfiability modulo theories (SMT) [6]. The constraints include the QoS of traffic flows and the physical bandwidth of routers [6]. The final routes are randomly chosen from the results of SMT that satisfy the constraints. However, the routes can hardly claim optimality in any sense, and the complexity of SMT is prohibitively high [7]. Although some heuristics have been developed to solve this problem within pseudo-polynomial time [8][9][10][11], these algorithms concern network optimality rather than security.
In this paper, we propose new node-centric route mutation methods which are able to effectively change routes of flows at substantially reduced complexity. The key idea is to interpret route mutation as a signature matching problem and to develop a three-dimensional earth mover's distance (EMD) model with network connectivity and QoS constraints to suppress the traffic difference among switches. Another important aspect of our algorithm is that we solve the new node-centric problem as a three-dimensional transportation problem and develop suboptimal algorithms with polynomial time complexity. Simulation results show that our algorithms are able to suppress the traffic difference among strategically important switches and also achieve fast convergence with substantially reduced complexity.
The rest of the paper is organized as follows. Section 2 presents related work. Section 3 describes the system and network model. In Section 4, we discuss the details of the designed algorithm. We present the computationally efficient heuristics that can apply to large-scale networks in Section 5. Section 6 evaluates the experiment results and performance of our algorithm. In Section 7, we conclude the paper.

Related Work
In [12], randomly mutating route or host address was proposed to protect key network infrastructures from exposure to attackers and prevent potential attacks. Only a few structured algorithms have been designed for route or host address mutation, all of which formulated NP-complete constrained satisfaction problems under the constraints of the mutation rate [13], the address range [14], and the range distribution for host address mutation [6,15]. These algorithms were solved by using SMT [6,[13][14][15]. However, constraint satisfaction problems are NP-complete with exponential complexities [16]. As far as the routing problem is concerned, there are  = ∑ −1 =1 (( − 2)!/( −  − 1)!) possible routes with lengths shorter than  hops in an -node complete network [17]. Choosing  routes out of  yields a complexity of !/( − )!!, limiting the scalability of the designs to large-scale networks.
More efforts have been spent demonstrating the concept of route mutations. Route mutation was first implemented under IPv6, referred to as "Moving Target IPv6 Defense (MT6D)," by continually rotating the IPv6 addresses between the senders and recipients [18]. A new transport layer protocol was designed to enable multiple addresses per network socket and support the rotations of IPv6 addresses [19]. Route mutation was later applied to mobile ad hoc networks [20], by repurposing a classic attack mechanism, the Sybil attack, for effective defense. Most recently, route mutation was demonstrated using Cisco's SDN platform, One Platform Kit [21]. With the flexibility of SDN, a deception system that mutates the topologies virtually was proposed to defend against reconnaissance [22]. A double hopping communication approach was designed to combine the IP address mutation and the route mutation methods in SDN [23], in which routes were selected from all paths within even lengths between sources and destinations. Game theory was adopted for route mutation in [24]. Route mutation was proposed to apply to traditional networks where links were selected using stochastic game routing policies of next-hop probability distribution. In [25], a virtual network embedding framework was proposed to satisfy the capacity, delay, and cycle-free constraints when mutating links by game theoretic routing policies. In [1], a randomized multipath routing method was developed to circumvent black holes and minimize the overall energy consumption in wireless sensor networks.

System Model
Figure 1 illustrates the software-defined network under consideration, where there are  number of switches connected in a network topology and forwarding traffic. We assume that all the switches are connected to a SDN controller in a star topology. The SDN controller is responsible for route discovery and mutation. The switches forward traffic along the routes specified by the SDN controller. The bandwidth of each switch, that is, switch , is   .
Each of the switches is also connected to end-hosts which generate routing requests through the switch to the SDN controller. An end-host can request sending traffic flows to any other end-host. Each traffic flow is assumed to be randomly generated and last for a certain period of time. Without loss of generality, we assume that there are at most  routing requests at any instant. The data rate of the th flow is denoted by   ( = 1, . . ., ).
Consider a practical network with hundreds of switches and nontrivial topologies (as opposed to fully connected complete graphs). Some of the switches have more connections than the others. These switches are strategically located and handle more traffic than other switches. In the example of Figure 1, switches  and  are such strategically located nodes. The exposure of these switches to adversaries poses critical threats to the integrity of the network.
The topology of the network can be described by an undirected graph (N, E), where N collects the vertices (i.e., switches) and E collects the edges (i.e., the links connecting the switches). The size of N is |N| = , where | ⋅ | stands for cardinality. Also define A to be the adjacency matrix of . A(, ) = 1 ( ≠ ), if vertices  and  are connected; or A(, ) = 0, otherwise.
Reconnaissance attacks [26] are considered, where an adversary keeps monitoring (or eavesdropping) the switches until strategically located switches are identified and attacks (such as DDoS) are initiated. The difference of historically accumulative traffic among switches is typically used by the adversary to identify strategically located switches, for example,  and  in Figure 1. The exposure of the strategically located switches would facilitate the potential attacks. Consider the worst-case scenario that the adversary is able to access each individual switch, install invasive software, accumulate the traffic volume handled at the switch, and collect the traffic volumes of all the switches. In practice, this can be implemented by remotely installing monitoring software, such as Cacti [27], to get the switches to collect and report the SNMP information to the adversary.

The Proposed Route Mutation for Large-Scale Networks
In this section, we propose mutating routes on a node basis to balance the robustness against reconnaissance attacks and the computational complexity. Particularly, routing requests from end-hosts are responded to independently from one another using classical routing techniques, such as OSPF [28]. The exponentially increasing complexity of joint routing, such as the one proposed in [6], can be avoided.
Given the routes, we propose that the SDN controller identifies historically heavily loaded nodes with high exposure risks and detours their traffic flows via other historically lightly loaded nodes. A node is identified to be historically heavily or lightly loaded, based on the accumulative traffic of the node. By this means, the strategically located nodes can be disguised and protected, delaying or even preventing potential attacks.
The detours bypassing a historically heavily loaded node can be multihop. Figure 2 gives the examples of two-, three-, and four-hop detours that are considered, where node  is a strategically located node. The possible detours for a traffic flow currently passing node  must connect the nodes one hop away from node  along the traffic flow, that is, nodes  and . Such detours can be readily obtained using depth-first search (i.e., search for the closed loops passing node ) [29]. The lengths of the detours are 2, 3, and 4 (in numbers of hops) in Figures 2(a
We also propose interpreting the route mutation as a signature matching problem. The accumulative traffic loads of the nodes are visualized as a signature, and routes are mutated to conform the signature to the one with even loads across all the nodes. Widely used to measure the difference of two images [30], EMD [31] is extended to measure the difference between the two signatures. The difference, or more specifically, the EMD, is reduced recursively by detouring flows around historically heavily loaded nodes, as described earlier.
The proposed route mutation is able to substantially reduce the computational complexity. Assume that the detours are limited to two hops. The worst-case complexity is O( 2 2  ), consisting of detour discovery for every switch and redirecting at most  traffic flows from every switch, where  stands for the number of variables. In this case,  ⩽ ( − 3). In contrast, the state-of-the-art joint mutation of all routing paths, using SMT [6], would result in prohibitive exponential complexity and limited scalability to networks with hundreds of nodes.

Nodewise Route Mutation for Delay-Tolerant Traffic.
First consider delay-tolerant traffic. The total number of current traffic flows is , consisting of existing ongoing flows collected in the set K  and new flows collected in the set ,  ∈ N, and V  (in bytes) to be the accumulative traffic of each individual node  and their average, respectively, before a round of route mutation.
V  and V are the accumulative traffic of node ,  ∈ N, and the average, respectively, after the round of route mutation. V = (1/) ∑  =1 V  . The proposed route mutation redirects the  traffic flows, attempting to conform the pictorial signature of the accumulative traffic of the nodes to a uniform signature with even traffic of V at every node. To do this, we construct two signatures, that is, two one-dimensional distributions: , ∀ ∈ N} provides the traffic volumes that can detour. The second signature {V − V   , ∀ ∈ N} denotes the demand of each node to achieve traffic uniformity among the nodes, as illustrated in Figure 3.
The EMD can be defined to quantify the difference between the two signatures, as given by
where [⋅] + = max(⋅, 0);  is the maximum allowed length of a detour (in numbers of hops);  j = 1 if the current flow  is to be offloaded from node  to detour j, or  j = 0, otherwise;   = 1, if flow  currently goes through node , or   = 0, otherwise;  j is given by L  (, ) is the set of detours with length of  ≤ , and each of the detours connects to the two nodes one hop away from node  along the current route of flow . For any j ∈ L  (, ), j ∈ N ×1 ; that is, |j| = . Let j  ( = 1, . . ., ) denote the th element of j. We have Here,  j is the cost of offloading traffic flows from node  to detour j ∈ L  (, ). Keep in mind that our goal is to minimize the difference of accumulative traffic among the nodes. Meanwhile, the EMD is inherently defined to minimize the difference. For this reason,  j is defined as the normalized total difference of node  and detour j from V, as specified by for j ∈ N ×1 .
Our EMD has a different form from the conventional definition for image processing applications [31]. An auxiliary variable  is defined to indicate the gap between the total traffic load that is expected to detour and the total traffic that can detour, whereas there is no such gap for image applications. This is due to the fact that route mutation (or, in other words, route reselection) is discrete and these two loads do not equate in most cases. (1a) and (1b) provide the average cost to minimize the difference between the total traffic load expected to be detoured and the total traffic load that can be detoured.
Predicted before a round of mutation, V is not necessarily equal to the one actually achieved after the mutation. This is due to the dependence of traffic between the nodes imposed by traffic flows. Particularly, a detour needs to be taken across multiple nodes and increases the traffic of the nodes evenly. Therefore, the average traffic load is expected to increase as a result of mutation. However, the difference of V before and after a round of mutation can be iteratively reduced by increasing the rounds and diminishes as the routes stabilize. Once stabilized, the routes are implemented into the network. The convergence of the iterations can be guaranteed, since V does not decrease during the iterations while it is also obviously bounded. Figure 3 gives a detailed illustration of our signature matching method.
Here, constraint (4b) restricts a flow to being offloaded from a node to only one detour; (4c) and (4d) restrict the amounts of traffic that can be supplied and demanded by the first and the second signatures, respectively; (4e) specifies the total maximum traffic amount that can detour; and (4f) specifies the variables to be binary.
Algorithm 1 summarizes the proposed route mutation, where  ≪ 1 is a predetermined positive threshold for the termination of the algorithm. This algorithm resides in the SDN controller and runs periodically or on-demand. As described, the kernel of the algorithm is the EMD problem (4a), (4b), (4c), (4d), (4e), and (4f) solved using the binary branch and bound/cut method in Step (11). The optimal solution for (4a), (4b), (4c), (4d), (4e), and (4f) is used to update   , or, in other words, to find the detours of the routes, as depicted in Step (12). By repeating these steps, the existing routes gradually move away and increase lengths, until the uniformity of all the nodes as regards accumulative traffic cannot be further improved; see the loop from Steps (2) to (13).
The majority of the complexity in Algorithm 1 lies in Step (11), that is, binary branch and bound/cut. Given a network (N, E), we can precompute all possible loops using depth-first search. Consider the worst-case scenario where the network is a complete graph. Let  denote the maximum number of detours that a node can take, and  =  − 3 + ∑  =2 (( − 3)!/2( − 3 − )!), where  is the length of detours in node numbers. As a result, the complexity of Steps (3) to (9) is O(). In the best-case and worst-case of branch and bound/cut, the members of branches are ∑  =1  and ∑  =1 2  , respectively, where  = . As per each branch, the complexity is O(min( 2 ,  2 )), where  is the number of constraints [34,35]. ⩾ , as (4f) limits each variable to be smaller than 1. Thus, the complexity is O( 2 ). As a result, the
Input: (N, E); A; ; the accumulative traffic of each node V   ; the current route of each flow  ∈ K;   ; and the initial   ( ∈ N;  ∈ K).

Route Mutation for Delay-Bounded Traffic.
Algorithm 1 can be extended to the case with QoS constraints on traffic flows. For illustration convenience, we assume that the QoS requirement of a traffic flow, say flow, is characterized by the maximum allowed route length of the flow, denoted by   (in numbers of hops). To this end, the following constraint is added to (4a), (4b), (4c), (4d), (4e), and (4f): j ≤ Δ  , for any  = 1, . . ., , (5) where Δ  =   −   .   is the route length of traffic flow  ∈ K  or is the length of the route discovered using OSPF for a new flow  ∈ K  . Equation (5) limits the total length of the detours that each flow  can take.
The finite bandwidth of switches can also be considered in the proposed algorithm. We can incorporate a new constraint of the bandwidth of each link into a node-centric optimization problem, as shown as follows: where (, ) denotes the maximum bandwidth of link (, ), and  is connected to node  in one hop; that is, A(, ) = 1. For any node  in the network,   denotes the link bandwidth, which is computed as the minimum one among all bandwidths of the links connecting node . ∑  =1     accounts for the traffic load of node  before mutation; after we mutate the flows out of node , that is, ∑ j∈L  (,) ∑  =1      j , and move flows to it, that is, ∑ j∈L  (,) ∑  =1 ∑  =1  j      j , its traffic load is within the range of   .
In practice, the maximum number of flow entries on an SDN switch is limited by the physical resources of the switch, such as CAM and SRAM. We can add constraint (7) into Algorithm 1 to restrain the maximum number of flow rules that the switches can install. Without loss of generality, we denote the average size of a flow rule as . The number of flow rules at each switch depends on the total number of flows passing through it, as given by
where, for any switch  in the network, the size of its flow table is bounded by   . Thus, the maximum number of flow entries that a switch can install is   /. The left-hand side of inequality (7) shows the number of flow rules of switch  after mutation, which is bounded by   /.

Input: (N, E); A; ; the accumulative traffic of each node V   ; the current route of each flow  ∈ K;   ; the initial   ;   ; and the initial   ( ∈ N;  ∈ K).
Output:   , ∀ ∈ N,  ∈ K
(1) Let V  = V   + ∑ ∈K     and Δ  =   −   .
(2) repeat
(3) Run Steps (3) to (10) of Algorithm 1.
(4) substitute V  , V, V   ( ∈ N), V  ,  j ,   and Δ  into the EMD problem (4a), (4b), (4c), (4d), (4e), and (4f) incorporating (5), and solve the problem optimally using the binary branch and bound/cut method;
(5) update j ; ( ∈ N;  ∈ K)
(6) until   stops changing; or in other words, |ΔV| ≤ .

Computationally Efficient Heuristics
As described in Section 4, binary linear programming is formulated and the binary branch and bound/cut method is required. This has the worst-case complexity of O(min( 2 ,  2 ) ∑  =1 2  ). In this section, we propose a simplified version of Algorithms 1 and 2, which decouples traffic allocation and flow selection into two concatenated subproblems. The traffic allocation can be formulated as a linear programming transportation problem. The flow selection can be achieved by using the aforementioned binary branch and bound/cut algorithm, but with a substantially smaller number of variables, that is, less than . As a result, the complexity can be significantly reduced to the complexity of solving (8a), (8b), (8c), and (8d).
First consider delay-tolerant traffic. We begin with optimizing the total traffic  j ,  ∈ N, j ∈ ⋃  =1 (⋃  =1 L  (, )), which needs to move from one of the nodes, that is, node , to a detour, that is, detour j ( ∉ j). Following the EMD criterion, a linear programming problem can be formulated to determine the total traffic that needs to detour from the heavily loaded nodes, as given by min  j , ∀∈S,j for any  ∈ N; j  j ≤ ; (8d) which can be solved using the Simplex method [36]. The optimal solution for (8a), (8b), (8c), and (8d) is denoted by { * j , ∀ ∈ N; j ∈ ⋃  =1 (⋃  =1 L  (, ))}, or { * j } for short. A bisection search can also be taken to identify the minimum value of  to preserve the feasibility of (8a), (8b), (8c), and (8d).
Input: (N, E); A; ; the accumulative traffic of each node V   ; the current route of each flow  ∈ K;   ; and the initial   ( ∈ N;  ∈ K). 3) to (10) of Algorithm 1.
Algorithm 3: Heuristic route mutation for delay-tolerant traffic.
Given { * j }, we proceed to select the traffic flows for redirecting from node  to detour j and formulate a binary linear program, as given by max which can be readily solved using binary branch and bound/cut. We start by offloading the traffic flows of the node with max ∈N (V  ). And (9) is used to offload the flows first to the detour with min j∈⋃  =1 L |j| (,) ((1/|j|) ∑ ∈j V  ) and then to the other detours in increasing order of (1/|j|) ∑ ∈j V  . This repeats for the other nodes in decreasing order of V  .
We now proceed to delay-sensitive traffic, where the route lengths of traffic flows are strictly bounded. Algorithm 3 can be readily extended to this case by evaluating the route lengths on-the-go. The constraints of bandwidth and switch capacity can also be considered in the same way as in Algorithm 2, as discussed in Section 4.2.
Algorithm 4: Heuristic route mutation for delay-bounded traffic.
we can also add (11) to (9)
The extension is summarized in Algorithm 4, where only the differences between the two algorithms are highlighted.
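The node-centric procedure of Sections 4 and 5, as an added example (not the paper's code, and a greedy stand-in for its EMD programs rather than an implementation of them): bounded depth-first search finds the detours around a heavily loaded switch, flows are offered to the lightest detour first, and a move is kept only if it lowers the coefficient of variation (CV) of accumulated load. The topology, loads, flow names and all function names are constructed for illustration, and a single route-length bound stands in for the per-flow QoS limit.

```python
"""Greedy node-centric route mutation (illustrative sketch, not the paper's algorithm)."""
from statistics import mean, pstdev

# Constructed 7-switch topology: switch 0 is the strategically located hub.
ADJ = {0: [1, 2, 3, 4], 1: [0, 5], 2: [0, 4, 5], 3: [0, 6],
       4: [0, 2, 6], 5: [1, 2], 6: [3, 4]}
# Constructed sample data: accumulated traffic per switch, current routes, flow rates.
ACC = {0: 4.0, 1: 1.0, 2: 1.0, 3: 1.0, 4: 1.0, 5: 0.0, 6: 0.0}
ROUTES = {"f1": [1, 0, 2], "f2": [3, 0, 4], "f3": [1, 0, 4]}
RATES = {"f1": 1.0, "f2": 1.0, "f3": 0.5}


def cv(loads):
    """Coefficient of variation of per-switch load: standard deviation / mean."""
    vals = list(loads.values())
    return pstdev(vals) / mean(vals)


def node_loads(acc, routes, rates):
    """Accumulated traffic of every switch once the current flows are added."""
    loads = dict(acc)
    for flow, route in routes.items():
        for node in route:
            loads[node] += rates[flow]
    return loads


def find_detours(adj, a, b, avoid, max_hops):
    """Bounded DFS for simple paths a -> b of 2..max_hops hops that skip `avoid`.

    Returns the intermediate switches of each detour.
    """
    found = []

    def dfs(node, inter):
        for nxt in adj[node]:
            if nxt == b:
                if inter:                      # a direct a-b link is not a detour
                    found.append(list(inter))
            elif (nxt not in avoid and nxt not in inter
                  and len(inter) + 2 <= max_hops):
                dfs(nxt, inter + [nxt])

    dfs(a, [])
    return found


def mutate(adj, acc, routes, rates, max_detour_hops=3, max_route_hops=None):
    """Offload flows from the heaviest switches until the CV stops improving."""
    routes = {k: list(r) for k, r in routes.items()}
    improved = True
    while improved:
        improved = False
        loads = node_loads(acc, routes, rates)
        for v in sorted(loads, key=loads.get, reverse=True):   # heaviest first
            for flow in routes:
                route = routes[flow]
                if v not in route[1:-1]:       # only transit switches can be bypassed
                    continue
                i = route.index(v)
                detours = find_detours(adj, route[i - 1], route[i + 1],
                                       set(route), max_detour_hops)
                # Lightest detour first, following the heuristic's ordering.
                detours.sort(key=lambda d: mean(loads[n] for n in d))
                for d in detours:
                    cand = route[:i] + d + route[i + 1:]
                    if max_route_hops is not None and len(cand) - 1 > max_route_hops:
                        continue               # would break the delay bound
                    trial = node_loads(acc, {**routes, flow: cand}, rates)
                    if cv(trial) < cv(loads) - 1e-12:
                        routes[flow], loads = cand, trial
                        improved = True
                        break
    return routes


if __name__ == "__main__":
    before = node_loads(ACC, ROUTES, RATES)
    new_routes = mutate(ADJ, ACC, ROUTES, RATES)
    after = node_loads(ACC, new_routes, RATES)
    print("routes:", new_routes)
    print("hub load: %.1f -> %.1f" % (before[0], after[0]))
    print("CV: %.3f -> %.3f" % (cv(before), cv(after)))
```

The three-hop detour taken by `f3` raises the total load from 15.5 to 16.0, which is the increase in average load that the text attributes to detours crossing several nodes; with `max_route_hops=2` that detour is refused and `f3` stays on the hub.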

Simulation and Evaluation
In this section, simulations are carried out to evaluate the proposed algorithms. We generate different random regular graphs by using the Python package NetworkX (NX) [37], where the degrees of all the nodes are . Nodes have the same probabilities of requesting new routes at any instant. The routes between these nodes are initially generated by the Dijkstra algorithm [38] before our algorithms are carried out. The traffic loads of the routes are randomly and uniformly distributed within [0, 1]. The simulations run on a computer with 32 GB RAM and 6 cores of Intel Xeon CPU. We use IBM-CPLEX to solve linear programming problems.
We assume that adversaries can identify strategically important nodes by monitoring historically accumulative traffic of the nodes. Dynamic eavesdropping or interception is considered where, after every interval of monitoring, the eavesdropper acquires network information and updates the identification of targets accordingly. Under this eavesdropping model, we consider different numbers of nodes that the eavesdroppers can identify and the upper bound of traffic difference that eavesdroppers use to identify strategically important nodes. The upper bound reflects the eavesdropping capability and therefore is referred to as "node interception probability." We also consider different time intervals for the eavesdropping. The performance of the algorithms is measured by two metrics.
(1) Coefficient of Variation (CV). A more dispersed distribution of traffic can help eavesdroppers recognize heavily loaded nodes in the network. Coefficient of variation is a metric to evaluate the dispersion of a distribution, which is defined as the ratio of standard deviation  to the mean , (  fast diminishes. Moreover, with the increasing upper bounds of QoS constraints, Algorithm 2 approaches Algorithm 1. Figure 5 compares Algorithms 2 and 4. For comparison purposes, we also simulate the random route mutation proposed in [6]. Two cases are considered. The first case is to choose the optimal combination of routes to minimize the CV of traffic at any instant, referred to as "RRM-O." The second case is to randomly choose routes as long as the QoS requirements are met and therefore referred to as "RRM-R." Clearly, RRM-O is optimal in the sense of minimized CV of accumulative traffic. Unfortunately, RRM-O requires exhaustive search of all possible combinations of routes, with a prohibitive complexity. Figure 5 also demonstrates that Algorithm 2 outperforms Algorithm 4 and RRM-R. This is due to the fact that Algorithm 2 carefully designs the routes in a structured way to reduce the CV, whereas RRM-R does not.
Table 1 shows the average running time for each instant of the proposed algorithms with a 50-node 6-regular graph, where the probability to request new routes is 10%. In this table, |j| represents the length of detour j, that is, the upper bound of QoS. As Algorithms 1 and 3 are designed without QoS constraints, we marked their |j| as \. Comparing the proposed heuristic methods with the method of [6], Table 1 shows that the increase of the upper bounds of QoS constraints has less influence on our algorithms. RRM-R degrades when the length of a detour increases from a single hop to two hops. Here, we only plot the tightest QoS constraints of RRM-O in Table 1. This is because the complexity of RRM-O becomes too high to be practical when the maximum allowed detour length is longer than ( + 1) hops. As mentioned in Section 3, the eavesdroppers can identify nodes by the differences of accumulative traffic. Figure 6 plots the distribution of "safe" traffic, that is, the traffic that does not pass through any compromised node, under the aforementioned dynamic interception model. In this figure, Algorithm 4 with the constraints of QoS of one-hop increment performs worst. This is because the first step of computing the traffic value to move, as given by (8a), (8b), (8c), and (8d), overlooks flows. As a result, a scenario that, for any  ∈  * j , there is no detour, that is, j, to move, may occur. When the number of flows increases, for example, the curve of "Algorithm 4-QoS 3" in Figure 6, the probability of flows to move also increases. Therefore it can outperform RRM-R when the upper bound of the QoS constraint is three hops, that is, the line of "RRM-R-QoS 3." We can also conclude from this figure that the results of this metric are consistent with Figure 5.
Figure 7 shows the convergent variance for networks with increasing numbers of nodes. The topologies of the networks are 5-regular random graphs. Each line in Figure 7 corresponds to a different probability that nodes are assigned as sources or destinations for some route. We see that, with the increasing network size and the increasing number of routes to mutate, the difference of nodes traffic becomes smaller. Algorithm 3 increasingly approaches Algorithm 1. In other words, the low-complexity heuristic, Algorithm 4, becomes increasingly robust against eavesdropping.
Figure 8 shows the convergent CV in the networks with different connectivities. The probability of nodes initiating or receiving routing requests is all set to be 10%. Each line corresponds to the nodes having the same degree. As the network size gets larger, the difference of nodes traffic reduces. Figure 9 shows the CV of 40 nodes with connectivities of 3, 4, 5, and 6, respectively. As network connectivity increases, there are more available detours for sources to move to, and the variations get smaller.
Figure 10 shows the average running time of the algorithms corresponding to Figure 7. As compared with RRM, our proposed algorithms are far more tolerant against the growth of the network size. As a matter of fact, the convergence time of the proposed algorithms remains almost unchanged as the network grows. In contrast, the RRM algorithms suffer from exponentially increasing complexity and convergence delay. Our methods are time efficient and suitable for larger-scale networks.

Figure 1:
Figure 1 illustrates the software-defined network under consideration, where there are  number of switches connected

Figure 2: Illustrations of multihop detours around a strategically located node, say node  in this example, where the lengths of the detours are 2, 3, and 4, respectively.

Figure 3: An illustration of the proposed application of signature matching to route mutation, where V  and V   are the historically accumulative traffic volumes of node  at the current and the previous instants, respectively, and V and V  are the averages of the historically accumulative traffic volumes at the current and the previous instants, respectively. V   and V  are the results of the route mutation at the previous instant. V  and V are the values before the current route mutation is executed.

Algorithm 2: Route mutation for delay-bounded traffic.

Figure 4: Results of four algorithms that we proposed, with and without QoS constraints. The networks are all generated as 6-regular graphs with 50 nodes. The probability of initiating requests is 10%. There are 5000 instants and 50 rounds of iterations.

Figure 5: Results of Algorithms 2 and 4; random route mutation methods proposed in [6]. The configurations of this simulation are the same as Figure 4.

Figure 6: The CDFs of the probabilities of traffic that do not pass through any node which is monitored or eavesdropped. The difference of traffic to identify strategically located nodes is 0.01. The interval of monitoring or eavesdropping is 10.

Figure 7: Results of Algorithms 1 and 3 with different networks and different probabilities to choose nodes, where the connectivities of networks are all five.

Figure 8: Results of Algorithms 1 and 3 with different sizes of networks and different connectivities.

Figure 9: Results of Algorithms 1 and 3 with 40 nodes and different connectivities.
to restrain the number of flow entries per switch .

Table 1: Average computational time for different algorithms.