    Time Dependent Diffusion Model for Security
         Driven Software Defined Networks

    Tadeusz Czachórski1      , Erol Gelenbe1 , Godlove Suila Kuaban1           , and
                                   Dariusz Marek2
                  1
                      Institute of Theoretical and Applied Informatics
                                Polish Academy of Sciences
                          ul. Baltycka 5, 44-100 Gliwice, Poland
                         2
                            The Silesian University of Technology
                         Akademicka 16, 44-100 Gliwice, Poland


       Abstract. We present a model of a Software Defined Network (SDN)
       where frequent changes in routing and traffic rates at routers are needed
       to respond to the security, quality of service (QoS), and energy savings re-
       quirements of applications such as the Internet of Things. Such frequent
       path and traffic changes introduce time-dependent network behaviours,
       and standard queueing models are not well adapted to analyse the tran-
       sient regime, we propose a tractable diffusion approximation for both the
       transient and steady-state behaviour. Our model can represent any net-
       work topology transmitting time-dependent flows with routing changes,
       and computes queue length and delay distributions at each network node
       and along complete paths between senders and receivers. Using realistic
       router parameters, we show that transients occupy a significant fraction
       of system time, so that the optimisation conducted with SDN controllers
       needs to include the effect of time-dependent behaviours.

       Keywords: SDN, IoT Networks, Security, QoS, Routing, Transients,
       Diffusion Approximation


1    Introduction

The Internet of Things (IoT) and its increasing volumes of traffic for new ser-
vices such as video related to security, server virtualisation of the Cloud and
Fog [38,8] and highly distributed data storage [22,9], create new challenges for
the Internet [26,35]. Indeed, expanding IoT applications such as Health Moni-
toring [32], Smart Homes [3] and Smart Vehicles [18], create large volumes of
intermittent traffic with stringent security, QoS and energy minimisation needs
[6].
     Thus network structures based on static switches are not well suited to deliver
high performance, energy efficiency and reliability in such dynamically chang-
ing environments, and are not flexible enough to maintain Quality of Service
(QoS) for increasingly complex networks. On the other hand, SDN [34,39] with
intelligent programmable controllers can be aware of the overall state of nodes


Copyright © 2020 for this paper by its authors. Use permitted under
Creative Commons License Attribution 4.0 International (CC BY 4.0).
and links, and dynamically manage the network and adapt to new conditions
[25]. Indeed, SDN provides flexible and scalable routing for intelligent networks
[14] by separating the control and data planes for traffic engineering, link failure
recovery, load balancing [40] and security issues [41]. Thus the concentration
of network intelligence and management in SDN controllers enables innovative
smart cognitive routing [17,21] to respond by changing network paths and traffic
levels to meet the dynamic security, QoS and energy savings requirements of the
IoT.
    Earlier studies of SDN switches have used steady-state queueing models such
as M/M/1, M/H2 /1, M/G/1, M/Geo/1, GI/M/1/K, based on Markov chains,
embedded Markov chains [29,2,36,28,16,31] or network calculus [4,5]. Thus they
do not consider the frequent traffic changes due to controller decisions. To ad-
dress this concern, we recently considered a single SDN forwarder and modelled
it with a diffusion approximation [13], and considered a network of forwarders
[12] to determine its transient behaviour. These studies have shown that under
certain conditions, the transient regime can become dominant so that SDN based
optimisation should consider the effect of transients.
    In SDN, paths are selected by a controller, and the SDN data plane routers
are then simple forwarding devices that follow the rules given by the controller.
An analysis of the performance of SDN switches and their cooperation with the
controller may be found in [33,27,40].
    Therefore this paper, we extend these studies to address a SDN based net-
work that supports IoT applications, and modifies its paths and traffic levels to
respond to unpredictable changes in security and QoS, so that the network has
time-dependent routing. To address this challenge we apply a diffusion approxi-
mation [24,20,30] which is well suited to investigate transient queueing problems
with general interarrival and service time distributions for realistic network data.
    The next section details the method for a single network node, while the
mathematical model of time-dependent routing in the network is presented in
Section 3 where the system equations such as (12), ... , (16) include routing
probabilities which are functions of time, leading to a novel approach in diffusion
models. Numerical examples are provided in Section 4 and conclusions are drawn
in Section 5.


2   Single Node Transient Analysis


The diffusion approximation replaces the number of packets in a queueing system
by the real-valued diffusion process {X(t)} ∈ [0, N ] where N is the maximum
size of the queue. Following the approach in [19,23], at the extremities x = 0
and x = N of the diffusion interval, two absorbing barriers are placed so that
when {X(t)} reaches a barrier, it stays there for a random time and jumps from
x = 0 to x = 1 with intensity λ and from x = N to x = N − 1 with intensity µ.
The resulting diffusion equation is:
          ∂f (x, t; x0 )   α ∂ 2 f (x, t; x0 )     ∂f (x, t; x0 )
                         =             2
                                               −β                 +
               ∂t          2       ∂x                  ∂x
                             +λp0 (t)δ(x − 1) + µpN (t)δ(x − N + 1) ,
                dp0 (t)           α ∂f (x, t; x0 )
                         = lim [                   − βf (x, t; x0 )] − λp0 (t) ,
                  dt       x→0 2          ∂x
               dpN (t)               α ∂f (x, t; x0 )
                         = lim [−                     + βf (x, t; x0 )] − µpN (t) ,   (1)
                  dt       x→N       2        ∂x
where δ(x) is the Dirac delta function, p0 (t), pN (t) are probabilities that the
process is at the barrires at x = 0 or x = N , respectively, and f (x, t; x0 ) is
probability density function (pdf) of the process {X(t)}
               f (x, t; x0 )dx = P [x ≤ X(t) < x + dx | X(0) = x0 ].
    The incremental changes of {X(t)}, dX(t) = X(t + dt) − X(t) are normally
distributed with the mean βdt and variance αdt where β, α are coefficients of
the diffusion equation. The changes of the process {N (t)} during an interval θ
                                                                    2 3     2 3
tend to normal distribution with mean (λ − µ)θ and variance (σA      λ + σB   µ )θ
                                                                        2    2
where 1/λ and 1/µ are the mean interarrival and service times, and σA , σB     are
the variances of the interarrival and service times, respectively. The choice
                                  2 3    2 3    2      2
               β = λ − µ and α = σA λ + σB µ = CA λ + CB µ,
           2     2
where CA     , CB  are squared coefficients of variation of interarrival and service
times, assures that the changes of both processes {X(t)} and {N (t)} have normal
distributions with the same parameters.
    To determine the solution of (1) we use the following appoach from [11]. First
we consider a diffusion process with two absorbing barriers at x = 0 and x = N ,
started at t = 0 from x = x0 . Its probability density function φ(x, t; x0 ) has the
following form [10]:
                    δ(x − x0 )
                  
                                                                         for t = 0
                              ∞ n       0                    0      2
                                                                        
                       1                  βx     (x  − x   − x   − βt)
                  
                                                         0
                              X
                  √                         n                 n
                                    exp        −
                  
  φ(x, t; x0 ) =      2Π αt n=−∞           α               2αt
                                         00
                                                 (x − x0 − x00n − βt)2 o
                                                                       
                  
                                         βxn
                  
                                 − exp        −                          for t > 0 ,
                                           α               2αt
                  
                                                                                    (2)
where x0n = 2nN , x00n = −2x0 − x0n .
If the initial condition is defined by a function ψ(x), x ∈ (0, N ), limx→0 ψ(x) =
limx→N ψ(x) = 0, then the pdf of the process is
                                        Z N
                           φ(x, t; ψ) =     φ(x, t; ξ)ψ(ξ)dξ.
                                          0

    The probability density function f (x, t; ψ) of the diffusion process with jumps
from the boundaries is composed of the function φ(x, t; ψ) referring to the dif-
fusion process before it reaches any barrier and of a spectrum of functions
φ(x, t − τ ; 1), φ(x, t − τ ; N − 1) representing diffusion processes with absorb-
ing barriers at x = 0 and x = N , started with densities g1 (τ ) and gN −1 (τ ) at
time τ < t at points x = 1 and x = N − 1 due to jumps from the barriers:
                            Z t                              Z t
f (x, t; ψ) = φ(x, t; ψ)+         g1 (τ )φ(x, t−τ ; 1)dτ +         gN −1 (τ )φ(x, t−τ ; N −1)dτ ,
                             0                                0
                                                                                      (3)
where the densities g1 (τ ), gN −1 (τ ), as well as p0 (t) and pN (t), are obtained from
the probability balance equations at the barriers.
   First, we compute densities γ0 (t), γN (t) of probability that at time t the
process enters to x = 0 or x = N are

                                                                    Z t
     γ0 (t) = p0 (0)δ(t) + [1 − p0 (0) − pN (0)]γψ,0 (t) +                   g1 (τ )γ1,0 (t − τ )dτ
                                                                        0
                 Z t
              +      gN −1 (τ )γN −1,0 (t − τ )dτ ,
                  0


                                                                        Z t
    γN (t) = pN (0)δ(t) + [1 − p0 (0) − pN (0)]γψ,N (t) +                     g1 (τ )γ1,N (t − τ )dτ
                                                                         0
               Z t
             +     gN −1 (τ )γN −1,N (t − τ )dτ ,                                                      (4)
                 0

where γ1,0 (t), γ1,N (t), γN −1,0 (t), γN −1,N (t) are densities of the first passage time
between corresponding points, e.g.

                                         α ∂φ(x, t; 1)
                      γ1,0 (t) = lim [                 − βφ(x, t; 1)] .                                (5)
                                    x→0 2     ∂x
For absorbing barriers

                        lim φ(x, t; x0 ) = lim φ(x, t; x0 ) = 0 ,
                        x→0                    x→N


hence γ1,0 (t) = limx→0 α2 ∂φ(x,t;1)
                                  ∂x    . The functions γψ,0 (t), γψ,N (t) denote densi-
ties of probabilities that the initial process, started at t = 0 at the point ξ with
density ψ(ξ) will end at time t by entering respectively x = 0 or x = N .
    Finally, we may express g1 (t) and gN (t) with the use of functions γ0 (t) and
γN (t):
                  Z τ                                      Z τ
        g1 (τ ) =     γ0 (t)l0 (τ − t)dt ,    gN −1 (τ ) =     γN (t)lN (τ − t)dt ,  (6)
                  0                                                 0

where l0 (x), lN (x) are the densities of sojourn times in x = 0 and x = N ; the
distributions of these times are not restricted to exponential ones as it is in Eq.
(1).
   Technicaly, it is easier to compute this solution in Laplace domain where
convolutions of functions become products. For any function h(t) we denote
by h̄(s) its Laplace transform. The Laplace transform f¯(x, s; ψ) of the density
function f (x, t; ψ) is
          f¯(x, s; ψ) = φ̄(x, s; ψ) + ḡ1 (s) φ̄(x, s; 1) + ḡN −1 (s) φ̄(x, s; N − 1) ,      (7)
and the Laplace transform of φ(x, t; x0 ) can be expressed as
                                                ∞
                             exp[ β(x−x  0)
                                                              |x − x0 − x0n |
                                                                                  
                                      α     ] X n
            φ̄(x, s; x0 ) =                          exp −                    A(s)
                                   A(s)      n=−∞
                                                                     α
                                         |x − x0 − x00n |
                                                              o
                            − exp −                       A(s) ,                           (8)
                                                α
                  p
where A(s) = β 2 + 2αs. For computational efficiency, we rearranged the Eq.
(8) to the form

                  exp[ β(x−x  0)
                                                                              
                           α     ]                      xA(s)              x0 A(s)
 φ̄(x, s; x0 ) =                     1(x≥x0 ) exp −               2 sinh
                       A(s)                                α                  α
                                                                  
                                          x0 A(s)              xA(s)
                  + 1(x0 <x) exp −                  2 sinh
                                              α                  α
                                                           X  ∞                     
                               xA(s)               x0 A(s)                          A(s)
                  − 2 sinh                2 sinh               ×      exp −2nN              .
                                   α                  α          n=1
                                                                                     α
                         RN
Similarily, φ̄(x, s; ψ) = 0 φ̄(x, s; ξ)ψ(ξ)dξ .
  Laplace transforms of Eqs. (4), (6) give us ḡ1 (s) and ḡN −1 (s):
                   n                                                  ¯lN (s)γ̄N −1,0 (s) o
       ḡ1 (s) =       p0 (0) + γ̄ψ,0 (s) + [pN (0) + γ̄ψ,N (s)]                            ·
                                                                   1 − ¯lN (s)γ̄N −1,N (s)
                            ¯l0 (s)            ¯l0 (s)γ̄1,N (s)     ¯lN (s)γ̄N −1,0 (s) −1
                   ·                       1−                                                 ,
                     1 − ¯l0 (s)γ̄1,0 (s)     1 − ¯l0 (s)γ̄1,0 (s) 1 − ¯lN (s)γ̄N −1,N (s)

                           ¯lN (s)
  ḡN −1 (s) =         ¯                  [pN (0) + γ̄ψ,N (s) + ḡ1 (s)γ̄1,N (s)] .
                   1 − lN (s)γ̄N −1,N (s)
      Probabilities that at the moment t the process has the value x = 0 or x = N
are
                   1                                1
            p̄0 (s) =[γ̄0 (s) − ḡ1 (s)] , p̄N (s) = [γ̄N (s) − ḡN −1 (s)] .  (9)
                   s                                s
    The inverse transforms of (7), (9) are obtained with the use of Stehfest’s
algorithm [37]. In this algorithm a function f (t) is obtained from its transform
f¯(s) for any fixed argument t as
                                                 H              
                                            ln 2 X         ln 2
                                  f (t) =          Vi f¯        i ,                          (10)
                                             2 i=1           t
where
                             min(i,H/2)
                     H/2+i
                                X                    k H/2+1 (2k)!
         Vi = (−1)                                                              .    (11)
                                          (H/2 − k)!k!(k − 1)!(i − k)!(2k − i)!
                             k=b i+1
                                  2 c


H is an even integer; we used H = 16, following Stehfest’s recommendations.
Theoretically (10) is an infinite series and the increase of H should increase the
accuracy of computations. However, considering the form of the functions being
inverted in our case, the values of elements of (10) become either very small or
very large with the increase of the index i and introduce numerical errors. After
some numerical experiments, we found H = 16 is satisfactory and we do not
need to introduce longer computer words for extra numerical precision.
    Note that the presented transient solution is valid for constant diffusion pa-
rameters. However, the values of flows, hence also model parameters, may vary
with time. Therefore in computations, we fix model parameters during small
intervals δ (of the order of a single mean service time) and the solution at the
end of one interval determines the initial conditions (i.e. function ψ in Eqs. (3),
(7)) for the next interval.
    The delay through the queue, including waiting and service time, is ob-
tained as a first passage time from an initial point taken with probability density
f (x, t; ψ) to the absorbing barrier placed at x = 0, see [13].
    It is known that lims→0 sf¯(s) = limt→∞ f (t) if sf¯(s) is an analytic function
for <(s) ≥ 0, therefore the above solution in form of Laplace transforms is
convergent to steady-state solution for real domain.

3    Network of Nodes, Transient Analysis
Consider a network of M stations type G/G/1/N with routing probabilities
rij (t). We follow the approach of [24] developed for the steady-state network
model, then adapted to transient analysis in [15]. Here we introduce additionally,
for the needs of SDN, the time-depending routing.
     The first objective of the network model is to decompose the network: to
determine the input flows at every station and then apply the single server
model of the previous section to each station separately.
     In the transient state, we should distinguish at any station i the input flow
λi−in (t) and the output flow λi−out (t)
                                λi−out (t) = [1 − p0i (t)]µi ,
which are different. p0i (t) denotes probability that the station i is idle at time t,
i.e. the diffusion process related to this station is inside the barrier at x = 0. The
term 1 − p0i (t) = %i presents probability that the station i is busy and customers
are leaving it with the rate µi .
     The traffic equations balancing the flows of stations are
                                   M
                                   X
           λi−in (t) = λ0i (t) +          λj−out (t)rji (t) ,    i = 1, . . . , M,   (12)
                                   j=1
where the first term λ0i represents traffic flow coming from the outside of the
network directly to station i.
    As mentioned earlier, routing probabilities rji (t) are changing each interval
∆ following decisions of the controler, remaining constant inside the interval,
and flow parameters may change every interval δ < ∆; we assume for simplicity
∆ = nδ, in numerical examples below n = 10. This way all model parameters
are constant witin intervals δ when the solution (3) is computed.
    Denote by fAj (x, t) and fBj (x, t) the density functions of interarrival and
service times distributions at station j. The pdf fDj (x, t) of the interdeparture
times from this node at time t may be expressed as
 fDj (x, t) = %j (t)fBj (x, t)+[1−%j (t)]fAj (x, t)∗fBj (x, t) ,             j = 1, . . . , M, (13)
where * denotes the convolution. The first term of the right side in (13) rep-
resents the interdepature times of packets when the node j is working and the
second term gives the interdeparture times when it is idle. The formula (13),
known as Burke’s theorem [7], is exact for Poisson input (the pdf of the idle
period distribution that should be used in the second term of (13) is the same
as fAj (x, t)) and approximate in other cases. From (13) we receive
              2
             CDj (t) = %2j (t)CBj
                               2         2
                                  (t) + CAj (t)(1 − %j (t)) + %j (t)[1 − %j (t)],             (14)
          2       2        2
where CDj   (t), CBj (t), CAj (t) are time-dependent square coefficients of variation
of interdeparture, service, and interarrival times, respectively. Packets leaving the
node j according to the distribution fDj (x, t) choose any node i with probability
rji (t) and the times between packets routed from node j to i has pdf fji (x, t)
       fji (x, t) = fDj (x, t)rji (t) + fDj (x, t) ∗ fDj (x, t)[1 − rji (t)]rji (t) +
                       fDj (x, t) ∗ fDj (x, t) ∗ fDj (x, t)[1 − rji (t)]2 rji + · · ·         (15)
i.e. a packet leaving station j goes to station i with probability rji (t) or with
probability 1 − rji (t) it goes elswhere but the second goes to i with proba-
bility rji (t), hence the gap has has pdf fDj (x, t) ∗ fDj (x, t) with probability
[1 − rji (t)]rji (t), etc, or, after Laplace transform
                 f¯ji (s, t) = f¯Dj (s, t)rji (t) + f¯Dj (s, t)2 [1 − rji (t)]rji +
                               + f¯Dj (s, t)3 (1 − rji (t))2 rji + · · ·
                                    rji (t)f¯i (s, t)
                           =                               ,
                               1 − [1 − rji (t)]f¯i (s, t)
and we compute the squared coefficient of variation
                                2                 2
                               Cji (t) = rji (t)[CDj (t) − 1] + 1,
and then the parameters of the input flow at station i are given by (12) and (16)

                        M                                                     2
  2              1      X
                                                 2                           C0i (t)λ0i (t)
 CAi (t) =                   rji (t)λi−out (t)[(CDi (t)−1)rji (t)+1] +                      , (16)
             λi−in (t) j=1                                                    λi−in (t)
                                     2
where the parameters λ0i and C0i       refer to the flow coming to station i from
outside of the network.
                                                                  2
    Eqs. (14), (16) form a system of linear equations yielding CAi  (t) and, in con-
sequence, the diffusion parameters βi (t), αi (t) for every node i. At each interval
δ, functions fi (x, t; ψi ) giving queue distributions at every station i for t ∈ δ
are computed. Their valuest at the end of the interval yield, among others, the
current utilisations %i used to determine the flow parameters and diffusion pa-
rameters for the next interval δ. This way the flow parameters change each δ
and routing changes each ∆ = nδ.
    The pdf fRi (x, t) of the current response time (waiting time plus service) is
determined using the first passage time from the end of the queue to zero.
    The first passage time of the diffusion process from x0 to x = 0 has the
density function [10]
                                                x0              (βt+1)2
                              γx0 ,0 (t) = √               e−     2αt      ,
                                               2Παt3
with the Laplace transform
                                                        √
                                                      β+    β 2 +2αs
                               γ̄x0 ,0 (s) = e−x0            α         .

The starting point x0 is determined by the function fi (x, t; ψi ) hence
                                         Z N
                          fRi (x, t) =         γξ,0 (x)fi (ξ, t; ψi )dξ.
                                          0

    If fRi (x, t) is the response time pdf at node i, then the response time pdf
fR (x, t) for the path 1, . . . , n of n stations is

             fR (x, t) = fR1 (x, t) ∗ fR2 (x, t) ∗ fR3 (x, t) ∗ · · · ∗ fRn (x, t),

or
                                                n
                                                Y
                                 f¯R (x, s) =         f¯Ri (x, s).
                                                i=1

     The loss probability ploss (t) for same entire path may be computed from

     1 − ploss (t) = (1 − pN 1 (t))(1 − pN 2 (t))(1 − pN 3 (t)) . . . (1 − pN n (t)),   (17)

where pN i (t) is probabiliity that the queue at station i is saturated at time t,
i.e. the diffusion process for this station is at time t at the barrier x = N .


4     Application to a SDN and a Numerical Experiment

Since the input and output hardware of a SDN forwarder is fast, the main com-
ponent to be considered is the queue of packets waiting until the node identifies
to which flow they belong and to what output port they are to be sent. Suppose
that the identification requires a linear search in a flow table with K entries,
and T is the constant time to check one entry.
    Ler p be the probability that the router’s flow table does not contain the
flow rule for a given packet; this will be discovered after going through all K
positions, i.e. after time KT . In this case, the service time is constant, with zero
variance.
    Otherwise, with probability (1 − p), the time to find the existing entry is
uniformly distributed in [T, KT ] and having

               mean (K + 1)T /2 and variance (K 2 − 1)T 2 /12.
                                                    2
The two cases define the first two moments 1/µ and σB of service time distribu-
tion in our G/G/1/N diffusion model.


                  Fig. 1: The example network being considered


    We consider a network composed of four switches, represented in Fig. 1. The
network performance is investigated during 1 second. Host 1 is sending a flow of
λ01 packets to Host 2. The intensity of the flow is changing in the range 500−2500
packets/sec, see Fig. 2. If the flow is below 1000 packets per second, it is sent
by the direct link S1 − S4, and if it exceeds the maximum capacity of this link,
the surplus is sent in equal share by paths S1 − S2 − S4 and S1 − S3 − S4.
    We assume at each station the buffers of N = 100 packets; in case of S1,
S2, S3 the time to check one entry in the list of connections is T = 8 · 10−7
sec, and in S4 this time is twice shorter T = 4 · 10−7 sec. The number of entries
K = 950, p = 0. It results in µ1 = µ2 = µ3 = 2628.8 packets/sec and µ4 = 5257.6
                                                                 2
packets/sec. Squared coefficient of variation of service time CBi   is in all stations
equal 0.33.
     In the interval [t = 0.450 sec, t = 0.705 sec], an additional flow λ02 of the
intensity 1500 packets per second appears at station S2 and is also sent to Host
2 via S2 − S4. We consider three values of the squared coefficient of variation
                                               2       2
of interarrival times in the first flow: CA1      = C01   = 1.02, 4.08 and 8.16. The
first value is obtained from our analysis of CAIDA data [1], and the others were
chosen to see the network behaviour if the flow is more irregular. For the second
         2
flow, C02  = 1.02.
     The SDN controller alters the routing to balance the load of nodes every 100
msec, hence at t = 500 msec it reacts on the presence of the second flow and
changes the routing r12 and r13 , see Fig. 3. In consequence, the load of stations
S2 and S3 is changed, Fig. 4. After the end of the flow λ02 the initial routing
is reestablished. The change of the utilisation influences the parameters of the
output flows: as it is expressed by Eq. (14), higher the utilisation of a station i,
                                                                            2
closer its squared coefficient of variation of interdeparture times CDi       (t) is to
   2                                     2                                         2
CBi (t) and it is less dependent on CAi (t). Fig. 5 displays the changes of CDi      (t)
following the pattern of input flows.
     The transient solution of diffusion equations is computed in intervals of the
length 10 msec, i.e. we have 100 intervals with fixed diffusion parameters; at the
end of each the equations (12), (16) are solved to determine new parameters
of flow for the single station models in the next interval. The diffusion density
function obtained for any station i at the end of an interval gives initial conditions
for the diffusion equation at the next one.
     The model helps us to analyse the dynamics of every node. In Fig. 6 we see
how the distribution of queue length (the queue is empty at the beginning, and
it starts to be filled) at station S1 evolves with time. Even minimal values of the
distributions are computed without numerical problems. As mentioned above,
                                       2
we used three different values of CA1      (t), the squared coefficient of variation of
interarrival times at station S1. In Fig. 7 the density function for S1 queue
distribution is displayed for these values and makes evident their impact on the
queue, note that the scale in Figs. 6, 7 is logarithmic.
                                                    2
     The next figures display the impact of CA1        on loss probability due to the
full buffer at station S1, Fig. 8, and on the mean queue at this station, Fig. 9,
following the changes of the flow intensity.
     The next curves compare the loss probability, Fig. 10 (note here minimal
values computed by the model), and mean queues for all four stations, Fig. 11,
              2
in case of CA1    = 1.04. We may observe the changes in mean queues in S2 and
S3 due to load balancing after the second flow becomes active. We see also,
observing mean queues at S1 and S2, that transient periods may be longer than
the time between the controller’s decisions. The length of the transient time
increases with a load of a station and variability of the input flow.
                                                                                  2
     Figures 12 and 13 refer to station S2. We see here a weak impact of CA1         on
the mean queue. It is evident: as this station is mainly supplied by the second
flow. However, if we consider loss probabilities which have here very small values
                                                              2
and are displayed in logarithmic scale, the impact of CA1         may be observed. It
is better seen at station S3, Fig. 14, and in station S4, Fig. 15, because they
receive much more of the first flow. Note that for greater variabilities of the first
flow, the path S1 − S3 − S4 becomes saturated, Fig. 16.
    Let us also consider a simple example of optimization. Suppose as pre-
viously that station S1 is forwarding a flow λ01 packets to nodes S2 and S3.
                                                  (loc)
Station S2 is additionally receiving a flow of λ02 packets directly from the
outside of the network. The controller is changing routing every ∆ = 100 msec
and needs do determine routing probabilities for the nearest ∆, knowing current
parameters of flows at the beginning of the interval, as well as the current queue
distributions at S1, S2, S3, representing previous behaviour of the network. The
goal is to minimise the mean backlog Ψ at S2 and S3 during ∆
                            (      Z ∆                           )
                               1
                  min       Ψ=           [E[N2 (t)] + E[N3 (t)]] dt .
                 r12 ,r13      ∆   0


We compute E[N2 (t)], E[N3 (t)] for t ∈ ∆ and minimize Ψ by choice of r12 ,
r13 = 1 − r12 , see Fig. 17.


5   Conclusions

The IoT provides large volumes of highly capillary traffic that includes data and
video, which has stringent QoS and security constraints. These large volumes of
traffic also create additional energy consumption in networks. Thus means are
needed to distribute traffic dynamically so that security and QoS are assured,
and energy consumpton is minimised.
    Fortunately, the advent of SDN allows the implementation of smart adaptive
routing [25] which allows network paths to change so that security incidents and
traffic overloads can be accomodated by taking advantage of alternate paths.
However this leads to an ineresting paradigm shift in network modeling which has
been traditionally addressed via steady-state “long term” modelling techniques.
However, when SDN intervenes dynamically to change paths and traffic levels,
the network is seldom at steady-state so that optimisation must take transients
into account.
    To achieve this, this paper uses diffusion approximations for the performance
evaluation of a network of SDN data plane switches with time-dependent rout-
ing. We show that this method is computationally operational, and that it can
provide quantitative results for models with realistic parameter values.
    Our analysis captures the interactions among the main parameters of the
network, and numerical examples display the dependence of the queue lengths
and queueing delays and their changing dynamics, on the flow intensity and
variance of interarrival times.
    Our approach confirms the fact that transient periods play a significant role
in the performance of SDN networks, and in future work we will use it to analyse
much larger networks.
Fig. 2: Input flows λ01 (t), λ02 (t), time in seconds


Fig. 3: Routing probabilities r12 (t), r13 (t), r14 (t)


          Fig. 4: λi (t)/µi for all stations
                                                      2
Fig. 5: S1, S2, S3: squared coefficient of variation CDi (t) for the output flow,
                                     2
                                  CA1 = 1.02


                                                                            2
Fig. 6: S1: density function f1 (x, t; 0), t = 0.15, 0.25, 0.35, 0.45 sec, CA1 = 1.02


                                                                             2
     Fig. 7: S1: density function f1 (x, t; 0), t = 0.45 sec, for different CA1
                                          2
        Fig. 8: S1: pN (t) for different CA1


                                           2
     Fig. 9: S1: mean queue for different CA1


                                           2
Fig. 10: Stations S1, S2, S3, S4: pN (t), CA1 = 1.02
                                               2
Fig. 11: Stations S1, S2, S3, S4: mean queue, CA1 = 1.02


                                                  2
       Fig. 12: Station S2: pN (t) for different CA1


                                                   2
    Fig. 13: Station S2: mean queue for different CA1
                                                        2
             Fig. 14: Station S3, pN (t) for different CA1


                                                        2
             Fig. 15: Station S4: pN (t) for different CA1


                                                                     2
Fig. 16: Total loss probability for path S1 − S3 − S4 for different CA1
 Fig. 17: Mean backlog Ψ during ∆ as a function of routing probabilities r12 ,
                               r13 = 1 − r12


Acknowledgements
The work presented in this paper was partially supported by the SerIoT Research
and Innovation Action, funded by the European Commission under the H2020-
IoT-2016-2017 (H2020-IoT-2017) Program through Grant Agreement 780139.

References
 1. https://data.caida.org/datasets/passive-2016/equinix-chicago/
    20160218-130000.UTC/
 2. Ansell et al., J.: Making queueing theory more palatable to sdn/openflow-based
    network practitioners. In: Proceedings of the 2016 IEEE/IFIP Network Opera-
    tions and Management Symposium. pp. 1119–1124. IEEE, Istanbul, Turkey (2016).
    https://doi.org/10.1109/NOMS.2016.7502973
 3. Augusto-Gonzalez et al., J.: From internet of threats to internet of things: A cyber
    security architecture for smart homes. In: 2019 IEEE 24th International Workshop
    on Computer Aided Modeling and Design of Communication Links and Networks
    (CAMAD). pp. 1–6. IEEE (2019)
 4. Azodolmolky, S., Wieder, P., Yahyapour, R.: Performance evaluation of a scalable
    software-defined networking deployment. In: Proceedings of the 2013 Second Euro-
    pean Workshop on Software Defined Networks. pp. 68–74. IEEE, Berlin, Germany
    (2013). https://doi.org/10.1109/EWSDN.2013.18
 5. Azodolmolky et al., S.: An analytical model for software defined network-
    ing: A network calculus-based approach. In: Proceedings of the IEEE Global
    Communications Conference. pp. 1397–1402. IEEE, Atlanta, USA (2013).
    https://doi.org/10.1109/GLOCOM.2013.6831269
 6. Baldini et al., G.: Iot network risk assessment and mitigation: The seriot approach.
    In: Soldatos, J. (ed.) Security Risk Management for the Internet of Things: Tech-
    nologies and Techniques for IoT Security, Privacy and Data Protection. p. 88–104.
    Now Publishers (2020). https://doi.org/DOI: 10.1561/9781680836837
 7. Burke, P.J.: The output of a queuing system. Operations Research 4(6), 699–704
    (1956)
 8. Buyya et al., R.: A manifesto for future generation cloud computing: Research
    directions for the next decade. ACM Computing Surveys (CSUR) 51(5), 1–38
    (2019)
 9. Chesnais et al., A.: On the modeling of parallel access to shared data. Communi-
    cations of the ACM 26(3), 196–202 (1983)
10. Cox, R.P., Miller, H.D.: The Theory of Stochastic Processes. Chapman and Hall,
    London, UK (1965)
11. Czachórski, T.: A method to solve diffusion equation with instantaneous return
    processes acting as boundary conditions. Bulletin of Polish Academy of Sciences,
    Technical Sciences 41(4) (1993)
12. Czachórski, T., Gelenbe, E., Kuaban, G.S., Marek, D.: Dynamics of software de-
    fined networks, diffusion model. Submitted to: Journal of Physics: Conference Se-
    ries (2020)
13. Czachórski, T., Gelenbe, E., Kuaban, G.S., Marek, D.: Transient behaviour of a
    network router, accepted. In: Herencsár, N., Benedetto, F., Hosek, J. (eds.) Pro-
    ceedings of International Conference on Telecommunications and Signal Processing
    TSP 2020, submitted. IEEE, Milano (2020)
14. Dobson et al., S.: A survey of autonomic communications. ACM Transactions on
    Autonomous and Adaptive Systems (TAAS) 1(2), 223–259 (2006)
15. Duda, A.: Diffusion approximations for time-dependent queueing systems. IEEE
    Journal on Selected Areas in Communications 4, 905–918 (1986)
16. Fahmin, A., Lai, Y.C., Hossain, S., Lin, Y.D., Saha, D.: Performance modeling of
    sdn with nfv under or aside the controller. In: Proceedings of the 5th International
    Conference on Future Internet of Things and Cloud Workshops. pp. 211–216. IEEE,
    Prague (2017). https://doi.org/10.1109/FiCloudW.2017.76
17. Francois, F., Gelenbe, E.: Towards a cognitive routing engine for soft-
    ware defined networks. In: Proceedings of the 2016 IEEE International
    Conference on Communications. pp. 1–6. IEEE, Kuala Lumpur (2016).
    https://doi.org/10.1109/ICC.2016.7511138
18. Frötscher et al., A.: Improve cybersecurity of c-its road side infrastructure in-
    stallations: the seriot-secure and safe iot approach. In: 2019 IEEE International
    Conference on Connected Vehicles and Expo (ICCVE). pp. 1–5. IEEE (2019)
19. Gelenbe, E.: On approximate computer system models. J. of the ACM 22(2), 261–
    269 (1975)
20. Gelenbe, E.: Probabilistic models of computer systems part ii: Diffusion approxi-
    mations, waiting times and batch arrivals. Acta Informatica 12, 285–303 (1979),
    https://doi.org/10.1007/BF00268317
21. Gelenbe, E., Domanska, J., Czachórski, T., Drosou, A., Tzovaras, D.: Security
    for internet of things: The seriot project. In: 2018 International Symposium on
    Networks, Computers and Communications (ISNCC). pp. 1–5. IEEE (2018)
22. Gelenbe, E., Hebrail, G.: A probability model of uncertainty in data bases. In: 1986
    IEEE Second International Conference on Data Engineering. pp. 328–333. IEEE
    (1986)
23. Gelenbe, E., Mang, X., Önvural, R.: Diffusion based statistical call admission con-
    trol in atm. Performance evaluation 27, 411–436 (1996)
24. Gelenbe, E., Pujolle, G.: The behaviour of a single-queue in a general queue-
    ing network. Acta Inf. 7, 123–136 (1976). https://doi.org/10.1007/BF00265766,
    https://doi.org/10.1007/BF00265766
25. Gelenbe et al., E.: Self-aware networks that optimize security, qos and energy.
    Proceedings of the IEEE, accepted for publication 108(7) (2020)
26. Hakiri et al., A.: Software-defined networking: Challenges and research opportuni-
    ties for future internet. Computer Networks 75, 453–471 (2014)
27. Kuźniar, M., Peresini, P., Kostić, D., Canini, M.: Methodology, measurement and
    analysis of flow tablee update characteristics in hardware openflow switches. Com-
    puter Networks 136, 22–36 (2018)
28. Lai, Y.C., Ali, A., Hassan, M., Hossain, S., Lin, Y.D.: Performance modeling and
    analysis of tcp connections over software defined networks. In: Proceedings of the
    2017 IEEE Global Communications Conference. pp. 1–6. IEEE, Singapore (2017).
    https://doi.org/10.1109/GLOCOM.2017.8254078
29. Mahmood, K., Chilwan, A., Osterbo, O., Jarschel, M.: Modelling of openflow-based
    software-defined networks: the multiple node case. IET Networks 4(5), 278–284
    (2015)
30. Marin, G.A., Mang, X., Gelenbe, E., Önvural, R.O.: Statistical call admission
    control. US Patent 6,222,824 (2001)
31. Miao, W., Min, G., Wu, Y., Wang, H., Hu, J.: Performance modelling and analy-
    sis of software defined networking under bursty multimedia traffic. ACM Transac-
    tions on Multimedia Computing, Communications, and Applications 12(55), 24–36
    (2018)
32. Natsiavas et al., P.: Comprehensive user requirements engineering methodology
    for secure and interoperable health data exchange. BMC medical informatics and
    decision making 18(1), 85 (2018)
33. Nguyen-Ngoc, A., Lange, S., Geissler, S., Zinner, T., Tran-Gia, P.: Estimating the
    flow rule installation time od sdn switches when facing control plane delay. LNCS
    10740, 113=126 (2018)
34. Paul, S., Pan, J., Jain, R.: Architectures for the future networks and the next
    generatio internet: A survey. Computer Communications 34, 2–42 (2011)
35. Rowshanrad et al., S.: A survey on sdn, the future of networking. Journal of Ad-
    vanced Computer Science & Technology 3(2), 232–248 (2014)
36. Singh et al., D.: Modelling software-defined networking: Software and hardware
    switches. Journal of Computer Network and Computer Applications 122, 24–36
    (2018)
37. Stehfest, H.: Numeric inversion of laplace transform. Communication of ACM
    13(1), 47–49 (1970)
38. Wang, L., Gelenbe, E.: Adaptive dispatching of tasks in the cloud. IEEE Transac-
    tions on Cloud Computing 6(1), 33–45 (2018)
39. Wibowo, F.X., Gregory, M.A., Ahmen, K., Gomez, K.M.: Multi-domain software
    defined networking: Research status and challenges. Journal of Network and Com-
    puter Applications 87, 32–45 (2017)
40. Wu, K.R., Liang, J.M., Lee, S.C., Tseng, Y.C.: Efficient and consistent flow update
    for software defined networks. IEEE Journal on Selected Areas in Communications
    36(3), 411–420 (2018)
41. Yoon, C., Park, T., Lee, S., Kang, H., Shin, S., Zhang, Z.: Enabling security func-
    tions with sdn: A feasibility study. Computer Networks 85, 19–35 (2015)