An intelligent system is one of the types of automated information systems that are based on knowledge. An intelligent system is a complex of software, linguistic, and logic-mathematical tools for the implementation of the main task: providing support for human activity and information search in an extended dialogue mode using natural language. The architecture of modern intelligent systems is based on knowledge bases that are formed according to the subject domain in which the intelligent system is used. The issue of researching intelligent software systems and organizing knowledge bases becomes relevant, especially decision support systems in various fields, including network security.

Presently, the implementation of network architectures, such as Software-Defined Networking (SDN), confronts emerging cybersecurity risks necessitating the formulation and examination of innovative specialized approaches to fortify network security [ 1-4 ]. Although SDN architecture offers heightened flexibility and adaptability, it supplants conventional networks while simultaneously raising the likelihood of various network intrusion attempts, thereby engendering fresh security predicaments.

The growing interest in SDN and wide deployment of various types of software-defined networks allow for the identification of their vulnerabilities in process of combating

0000-0002-9391-5220 (O. Cherednichenko); 0000-0002-8161-552X (N. Sharonova); 0000-0002-6912-6520 (G. Pliekhova); 0000-0002-2200-7794 (N. Babkova) © 2024 Copyright for this paper by its authors.

Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). cybersecurity threats [ 4, 5 ]. It is obvious that security issues are closely related to characteristics of SDN networks themselves. In addition, security problems in SDN can be divided into three levels: data plane, control plane, and application plane.

At the same time, among the attack targets, there may be devices of different SDN levels. Therefore, according to the multilevel SDN architecture, security threats can be classified at the levels of data transmission, management, and applications. In turn, the data plane consists of switches and other network devices and is mainly responsible for data processing, forwarding, dropping, as well as collecting statistics. The operation of the data plane is based on flow rules provided by network controller. The main causes of security problems include the SDN architecture itself, external malicious attacks, insufficient access control, and encryption capabilities.

Today a significant role in the complex of network security measures, including SDN networks, is assigned to routing protocols that require systematic and coordinated interaction among multiple network elements simultaneously – SDN switches and network controllers – during formation (calculation) of paths and flow rules, along which the necessary level of security should be ensured according to selected indicators or criteria. An analysis of vulnerabilities in SDN data plane and functional capabilities of routing tools to counter potential attacks has demonstrated the prospect of using intelligent secure routing based on basic vulnerability criticality metrics to enhance the level of network security in SDN data plane. The analysis of CVSS standard for quantitative vulnerability assessment of network equipment justified its use in development and exploration of promising approaches to secure routing in the data plane of software-defined networks [ 5 ].

Thus, this work is dedicated to a relevant scientific-applied problem related to analysis of threats, attack targets, and improvement of potential solutions for enhancing level of network security in the data plane of SDN networks through the use of intelligent routing methods. The purpose of work is to research and improvement of existing methods of secure routing in software-defined networks using intelligent support tools.

A number of secure routing models have been developed and investigated, taking into account basic vulnerability criticality metrics. An existing model has been refined, leading to formulation of an optimization-based flow model for secure QoS routing (Figure 1). Numerical analysis has demonstrated the effectiveness and adequacy of proposed refinement.

Therefore, NFV consists of three main components [ 1 ]: 1. Virtualized Network Functions (VNF) are network functions implemented in software that can be deployed within a network function virtualization infrastructure (NFVI). 2. NFVI – common hardware and software components where they are deployed VNF. 3. Management and Orchestration Environment for NFV (MANO) is an architectural framework that includes functional blocks, data stores utilized by these blocks, and interfaces through which functional blocks exchange information for the management and orchestration of NFVI and VNF.

Key requirements and definitions regarding the security of NFV, SDN, and cloud technologies. To ensure the security of an object or system, there is a recognized need to provide five essential security functions – CIAAA [ 6-8 ]: • Confidentiality; • Integrity; • Availability; • Authenticity; • Accountability.

So, confidentiality ensures the privacy and confidentiality of information about data or individuals and prevents its disclosure to unauthorized users. Integrity ensures that information and the expected operation of system will not be accidentally or intentionally altered by unauthorized users. Availability guarantees that unauthorized users cannot access systems and services. Authenticity ensures that users can be verified and trusted as who they claim to be, and that incoming data comes from a reliable source. Accountability generates the requirement for the actions of subject to be traced exclusively to that subject [ 6 ]. Each of these stages requires a convenient interface based on intelligent data processing, especially when presented in textual form.

A system, organization or cyberspace consists of three key elements: • real and virtual objects (entities); • interconnection (communications) infrastructure; • interaction between objects through infrastructure.

Real and virtual entities encompass tangible objects and physical devices, such as people (users of system), computers, sensors, mobile phones, electronic devices and virtual abstractions of entities such as data/information, software and services. Infrastructure includes networks, databases, information systems and repositories that connect and support objects in system (space). Interaction, in turn, involves actions and interdependencies between objects in system (cyberspace) through interconnected infrastructure and information related to communication, policies, business and management [ 6 ].

Therefore, information or cybersecurity can be considered as systems, tools, processes, practices, concepts and strategies to prevent and protect cyberspace from unauthorized interaction by agents with elements of space to support and preserve the confidentiality, integrity, availability and other properties of the space and its resources that require protection.

Essentially, cybersecurity is related to identifying vulnerabilities in cyberspace, assessing the risks associated with threats exploiting these vulnerabilities and providing security solutions. Security vulnerability is a weak point in a system (component / product / system / cyberspace) that can allow an attacker to compromise the confidentiality, integrity, availability, authenticity or accountability of that system. Threats and risks are closely related but not equivalent. A threat is any entity, action or state that leads to harm, loss, damage, and / or deterioration of existing conditions. The risk associated with a threat is a characteristic that encompasses three components [ 6 ]: • impact or significance of threat incident; • probability or potential of a threat incident in future; • potential losses (damages) due to a threat incident.

The risk assessment associated with a threat contributes to the development of new security solutions and formulation of requirements for these solutions [ 6-8 ].

As network components are virtualized, NFV networks include a level of abstraction that is absent in traditional networks. Securing this complex and dynamic environment, covering both virtual and physical resources, management elements, protocols, as well as the boundaries between virtual and physical networks, is a challenging task for several reasons according to CSA [ 6 ]. Among the main security issues are hypervisor dependencies: hypervisors are available from multiple vendors. They must address security vulnerabilities in controlled software. Understanding the underlying architecture, deploying appropriate encryption types and applying patches diligently are critical for hypervisor security. Another identified issue is elastic network boundaries: in NFV, network fabric performs numerous functions. The physical and virtual boundaries are blurred or absent in NFV architecture, complicating the design of security systems. Dynamic workloads present another challenge: while NFV offers flexibility and dynamic capabilities, traditional security models are static and cannot adapt when network topology changes according to requirements. Adding NFV services provides elastic, transparent networks, as fabric intelligently routes packets based on configurable criteria. Traditional security management elements are deployed logically and physically. In NFV, there is often a lack of a socalled security service insertion point that has not yet been placed on hypervisors. Stateful / stateless verification: Security operations over the past decade have been based on the assumption that stateful verification is more advanced than stateless. However, NFV can add complexity when security control mechanisms cannot handle asymmetric flows created by multiple duplicating network paths and devices. Another problem is scalability of available resources: deep inspection technologies, such as next-generation firewalls and TLS protocol decryption, require resources and do not always scale without offloading capability. ETSI security expert group, focusing on software architecture security, identified potential security vulnerabilities in NFV and determined whether they are new issues or existing problems in various forms and manifestations.

Security issues in SDN can be divided based on three levels: data plane, control plane, and application plane [ 6-8 ]. The data plane may suffer from various security threats, such as malicious OpenFlow switches, flow rule injection, "flooding" attacks (e.g., flooding the switch's flow table), forged or fake traffic flows, credential management and malicious hosts. The application plane inherits security issues such as unauthorized or unauthenticated programs, fraudulent role addition, lack of authentication methods and so on. The control plane faces several security issues related to centralized SDN controller, communication interfaces, policy enforcement, flow rule modification for packet modification, "flooding" communication between the controller and switch, security issues in SDN at system level (related to lack of audit accountability mechanisms), and lack of trust between the SDN controller and third-party applications. As control plane in SDN architecture acts as heart of this virtual network infrastructure, security vulnerabilities at this level can cause a failure in the entire virtual network architecture.

So, security threats related to SDN infrastructure are classified based on affected level (interface) as follows: 1. Application layer. 2. Management layer. 3. Data layer. 4. Application management interface.

5. Management interface.

From perspective of intelligence third and fourth levels draw maximum attention as knowledge bases can be created by shaping this knowledge from system text messages.

At the current stage of SDN architecture development, both domestic and foreign researchers believe that typical security problems in software-defined networks primarily manifest in aspects such as malicious software, controller vulnerabilities, legitimacy and consistency of flow rules, standardization problem of northbound interface and security in communication process using southbound interface, etc. Within the scope of this work, typical security problems and attack objects within the data plane – network devices controlled by SDN controller – are analyzed. The results of analysis are presented in Table 1. Clearly, devices at various network levels can be objects of attack and according to well-defined multilevel architecture of SDN, security threats can be classified at different levels. This work is dedicated to analysis of threats, attack objects and potential solutions to enhance level of network security in data plane of SDN networks through routing means.

Despite the numerous security challenges in cloud computing, Cloud Security Alliance has identified twelve critical security threats related to nature of shared on-demand cloud computing that have the greatest impact on corporate business: 1. Data Breach. A data breach is an incident during which confidential, protected or private information is disclosed, viewed, stolen or used by an unauthorized person. 2. Weak management of identity data, credentials and access. Data breaches and activation of attacks can occur due to lack of scalable identity data access management systems, non-use of multi-factor authentication, weak password usage and absence of automated cryptographic key, password and certificate rotation. 3. Unprotected Application Programming Interfaces (APIs). Provisioning, management, orchestration and monitoring are performed using a set of user interfaces or application programming interfaces. These interfaces must be developed with proper control to protect against both accidental and malicious attempts to bypass security policies. 4. System and Application Vulnerabilities. System vulnerabilities are errors in programs that can be exploited to infiltrate a computer system for data theft, system control or service disruption. 5. Stolen account credentials. This is a serious threat and cloud users should be aware of and guard against methods such as phishing, fraud and software vulnerabilities to prevent account data theft. 6. Malicious insiders. A current or former employee, contractor or other business partner with authorized access to an organization's network, systems or data, who intentionally abuses this access in a way that negatively impacts the CIAAA of the organization's information system, poses a malicious insider threat. 7. Advanced Persistent Threats (APTs). APTs are a parasitic form of cyber-attacks that infiltrate systems to establish themselves in the computing infrastructure of target companies, from which they steal data and intellectual property. 8. Data Loss. Data stored in the cloud may be lost not only due to malicious attacks.

Accidental deletion by a cloud service provider or a physical disaster, such as fire or earthquake, can result in permanent data loss for the client. 9. Inadequate due diligence. An organization rushing to adopt cloud technologies and selecting cloud service providers without conducting proper due diligence exposes itself to numerous commercial, financial, technical, legal, and compliance risks. 10. Abuse and malicious use of cloud services. Poorly protected deployments of cloud services, free trial versions of cloud services, and fraudulent registration of accounts using payment fraud expose cloud computing models such as IaaS, PaaS, and SaaS to malicious attacks. Attackers may use cloud computing resources of users, organizations, or other cloud providers. 11. Denial of Service (DoS) Attacks. Denial-of-service attacks aim to interfere with users' access to their data or programs, forcing the target cloud service to consume an excessive amount of limited system resources, making service unable to respond to legitimate users. 12. Technology sharing issues. Cloud service providers deliver their services by sharing infrastructure, platforms, or applications. Infrastructure supporting the deployment of cloud services may not have been designed to provide robust isolation features for multi-tenant architectures (IaaS), redeployable platforms (PaaS), or multi-client applications (SaaS). This can lead to shared technological vulnerabilities that could potentially be exploited across all delivery models.

With the growing interest in Software-Defined Networking and widespread deployment of Software-Defined Networks, their vulnerabilities in combating cybersecurity threats are gradually becoming apparent. Security questions are closely related to characteristics of SDN. According to research the following aspects make Software-Defined Networks vulnerable to attacks. Within the SDN architecture, separate levels are implemented for control plane and data plane, unlike traditional networks where these planes operate in a single device. The control plane formulates flow rules, while the data plane is responsible only for forwarding data packets according to flow rules.

For example, the lexicon used in such systems, which is fundamental for creating knowledge bases in intelligent systems, is provided in Table . This stage is necessary for forming a system of features to create logical equations.

The specified indicators are basic metrics [10, 12] characterizing the overall complexity of implementing an attack using a particular vulnerability on the node of the network.

Representation and interpretation of knowledge play a crucial role in various fields of computer science. Different methods of discrete mathematics are used for formalizing information about objects and processes in knowledge bases. In cases where information about objects and processes is represented by discrete informational features and has a complex logical structure, various methods and models of discrete mathematics, including logical equations with Boolean variables, are used for its formal representation.

Logical classification methods typically involve the formulation and solution of logical equations with variables that take values of 1 and 0 depending on whether the object has a certain property or not. Solving such equations allows either identifying the object based on available sets of attribute variable values or determining the unknown properties of the object [15].

Logical classification methods for object categorization are applied to solving practical problems in various fields: biology, physics, meteorology, information security, etc. Their features can be revealed during the stage of constructing a mathematical model, taking into account specificities of data. Typically, propositional logic is used for this purpose. We propose an approach based on finite predicate algebra and method of comparison. The general form of such problems is built on basis of predicate equations.

Let the feature variables 1, 2 , … , denote certain properties of objects, for example, the metrics values for calculating basic vulnerability metrics of network elements (Table ). Each variable takes values from its domain. Unlike Boolean variables, predicate variables can take values from different domains.

Let discrete variables 1, 2 , … , be features, by set of which we can determine possible values of property variables. Properties and features can be related to each other in the form of complex logical dependencies, which can be represented as predicate equations: ( 1, 2 , … , ; 1, 2 , … , ) = 1, (1) where P is a finite predicate.

Classifying the considered object means determining, based on this predicate equation and experimental data about the features 1, 2 , … , which properties (values of features 1, 2 , … , ) this object has and which properties it does not correspond to [14, 15].

Then, based on the a priori dependency (1) and experimental data on the features 1, 2 , … , it is possible to determine to which class the given object belongs. As evident from the above considerations, the values of features are grouped into a matrix.

Suppose that as a result of the experiment, we obtained some data related to values of features 1, 2 , … , describing the classified object, and compiled the following predicate equation describing the relationships between them:

( 1, 2 , … , ) = 1. (2)

The task of object classification can be formalized as solving the following predicate equation by finding the unknown predicate f:

( 1, 2 , … , ) → ( 1, 2 , … , ). (3)

By solving this functional equation, one can determine the values of features 1, 2 , … , that characterize objects 1, 2 , … , .

In research related to logical inferences in knowledge bases, questions arise about the tightness of relationships between the features of these objects, as well as questions about their significance or insignificance [14, 15]. It has been proven that the formal relationship between features is stronger the fewer sets of values of these variables satisfy the equation. In this case, if any sets of values of these variables satisfy the original equation, it can be considered that there is no connection between these variables.

A comparative analysis of existing models of secure routing, a QoS routing model with a metric analogous to the OSPF protocol, and an improved model of secure QoS routing taking into account basic vulnerability criticality metrics has been conducted. The study proved the adequacy and effectiveness of the proposed model, the feasibility of using intelligent methods for secure routing.

To solve the formulated optimization problem, a program was used, written in the Python language, using Python IDLE, Python GEKKO Optimization Suite, and NumPy.

The article presents an important scientific and applied problem related to analysis of threats, attack objects and improvement of potential solutions to enhance level of network security in data plane of SDN networks using routing means with application of intelligent information processing methods and interface creation.

To achieve this goal standards for building software-defined networks were analyzed. It is noted that SDN is a modern approach to designing, building and operating information and communication networks by separating management and data forwarding planes. This distribution provides networks with direct programmability and dynamism as well as abstraction of functional capabilities from infrastructure layer. Network function virtualization has become a standardized way of developing, implementing and managing network services.

However, growing interest in SDN and their deployment has revealed their shortcomings in combating cybersecurity threats. At the current stage of SDN architecture development, it has been proven that typical security problems in software-configured networks primarily manifest in aspects such as malicious software, controller vulnerability, legitimacy and consistency of flow rules, standardization issues of northbound interface and communication security during the use of southbound interface. Thus, main causes of security problems are SDN architecture itself, external malicious attacks, insufficient access control and encryption means. Based on research of typical security problems, it becomes apparent that centralized control and SDN programmability features provide powerful and convenient channels for attackers.

The analysis of vulnerabilities in SDN data plane and functional capabilities of routing means to counter possible attacks showed the prospect of using secure routing tools based on basic vulnerability criticality metrics to enhance the network security level of SDN data plane. In turn, the analysis of CVSS standard for quantitative vulnerability assessment of network equipment proved feasibility of its use in development and research of promising approaches to secure routing in field of intelligent data processing in software-configured networks.

The paper proposed improvements to existing secure routing model, taking into account basic vulnerability criticality metrics. Thus, routing metrics were modified so that resulting model would have properties of secure QoS routing. In improved model, the optimal route was selected considering both basic vulnerability criticality metrics and bandwidth of communication channels constituting this route. Additionally, model employed a quadratic optimality criterion for balanced distribution of flows transmitted in data plane of a software-configured network into substreams, taking into account chosen strategy of multi-path routing.

The research study depicted in this paper is funded by the French National Research Agency (ANR), project ANR-19-CE23-0005 BI4people (Business intelligence for the people)