The growing complexity of modern networks necessitates innovative approaches to managing both Quality of Service (QoS) and security [ 1, 2, 3 ]. Software-defined networks (SDNs) enable flexible trafic management, integrating QoS and security requirements [ 2 ]. However, this flexibility presents challenges for routing protocols, which must adaptively meet diverse QoS and security demands to determine optimal trafic routes. Efective adaptability to network changes is essential in complex environments, enabling fast failure recovery and maintaining high QoS and security levels within an integrated trafic management framework [ 3, 4 ].

The use of mathematical tools is essential for developing optimized routing solutions that address load balancing and security challenges, forming the basis for new strategies suited to modern, programmable networks. Traditional IP routing protocols, such as RIP and OSPF, rely on graph models and shortest path algorithms, which, while efective with limited computing power, do not consider flow characteristics or security [ 5, 6, 7 ]. Advances in softwarized network architecture now allow for more sophisticated routing models that handle multi-flow trafic and optimize both QoS and security, prompting recent research to focus on QoS methods incorporating security indicators [ 8, 9, 10, 11, 12 ].

A promising direction in secure routing is the application of Trafic Engineering (TE) principles to balance network resource usage, avoiding overload on individual network segments and preventing QoS degradation [ 13, 14, 15 ]. Several solutions in this area adapt load balancing to include security considerations [16, 17, 18, 19, 20]. The secure TE routing model proposed for the developed framework in this paper advances solutions [21, 22, 23, 24, 25] by focusing on load balancing and trafic blocking under potential network link compromises.

This paper addresses a critical scientific and applied problem in developing a secure Trafic Engineering routing framework under normalized link-blocking constraints in softwarized networks. The proposed framework aims to optimize network performance by incorporating enhanced load balancing conditions and a normalized model for blocking compromised communication links, thereby increasing the overall levels of both QoS and security.

Building on the research results of various secure Trafic Engineering routing models in communication networks [21, 22, 23, 24, 25] and an analysis of current technological solutions [ 2, 13, 14 ], this paper proposes recommendations for the structural and functional design of advanced SDN solutions. Fig. 1 illustrates a modular representation of the secure Trafic Engineering routing framework architecture, designed with normalized link-blocking constraints to enhance QoS and network security in softwarized networks. This framework is based on the practical implementation of the NormSecTE model [26].

The generalized modular architecture depicted in Figure 1 operates across three functional levels, each responsible for distinct tasks: • the data plane (network infrastructure); • the control plane (represented by the controller); • the application plane (implemented as the NormSecTE Application).

Within the controller architecture, data from modules monitoring network topology, communication link bandwidth, and security metrics, as well as trafic characteristics, are transmitted to the NormSecTE Application. This information enables the application to formulate routing solutions according to the secure Trafic Engineering routing model [26].

The data collected from monitoring modules is essential for establishing conditions to ensure flow conservation and prevent link overload. The processed results are subsequently transmitted to a module responsible for minimizing the upper bound of network link utilization. Through optimized secure routing processes with load balancing, routing solutions are calculated and subsequently translated into flow tables by the controller, which then distributes them to the network‘s forwarding elements (Figure 1).

Next, this paper presents the rationale for selecting the exponential normalized link-blocking model for use within a secure Trafic Engineering routing framework. The model’s performance is assessed through simulation and compared with existing models.

This section explains the basics of the secure TE routing model under exponential normalized linkblocking constraints and Table 1 contains a model notation summary.

The multipath routing constraints have a form [21]: (5) (1) (2) (3) (4) (6) , = ∑︀∈

, . {︃0, if , = max;

1, if , = min,

The function , (, ) models link blocking during secure TE routing, indicating the portion of link capacity used or blocked due to increased compromise probability.

We proposed the modifications of the conditions [ 26] when compromise scenarios and link probability bounds are known:

The flow conservation conditions ensuring the route connectivity [21, 26]:

0 ≤ , ≤ 1. ⎧∑︀:,∈ , − ⎪ ⎪ ⎨∑︀:,∈ , − ⎪⎪⎩∑︀:,∈ , − ∑︀:,∈ , = 0, ∈ , ̸= , ; ∑︀:,∈ , = 1, ∈ , = ; ∑︀:,∈ , = −1, ∈ , = .

The next formula estimates link utilization [26]: The enhanced load balancing conditions are the following [21, 26]: 22 Routing variables (portion of a flow’s intensity on a specific link , ∈ )

Figure 2 illustrates the dependencies of , (, ) (9) for ≥ 1 and the values of min = 0.3 and This study analyzed and compared four TE routing models: • the Sec model, which identifies the most secure route for packet transmission; • the TE model, which does not consider network security parameters [27]; • the SecTE model, which incorporates network security parameters across the full range of link compromise probabilities (min = 0 and max = 1) [21, 22]; • the NormSecTE model, an enhanced version of the SecTE model that incorporates normalized network security parameters (Figure 2), represented by the model (1)–(9) (min = 0.3 and max = 1).

Further research enabled a comparison of the efectiveness of the proposed secure TE routing model with existing models based on three key indicators: the upper bound of network link utilization max [21]; the end-to-end packet compromise probability for the th flow the average end-to-end packet delay of the th flow 2 [21, 23].

To illustrate the approach to secure TE routing, we consider the network structure shown in Figure 3. This model simulates the routing of a single packet flow, where packets are transmitted from the first 2 across all utilized paths; and router to the fifth. Consequently, the flow number is omitted in the analysis below. Table 2 lists the bandwidths of the communication links and their respective compromise probabilities. Based on the network structure (Figure 3) and link characteristics, Table 3 displays the available routes between the source 1 and destination 5 routers, along with their compromise probabilities.

Thus, based on the data in Table 2, the dependencies shown in Figure 2 apply to the example under study. Table 4 presents the calculation results for the TE routing models under analysis at a rate of = 250 packets per second and = 7, simulating the routing of a single packet flow. For the Sec model, all packets were transmitted via the first route, as it was the most secure option among the available paths.

Based on the network structure (Figure 3 and Table 2), the flow rate of specific network links determines the packet flow rate on each route: link 2,5 afects the first route ( 1), link 1,3 afects the second route ( 2), link 2,3 afects the third route ( 3), and link 2,4 afects the fourth route ( 4).

Table 5 presents the calculated performance metrics for each routing model, highlighting loadbalancing eficiency and aspects related to network security and quality of service. A comparative analysis is provided for = 7, aligning with the results shown in Table 5 for packet flow rates of = 250 pps and = 200 pps.

The comparative analysis (Table 5) shows that the Sec model prioritizes the most secure paths, limited by available bandwidth. The TE routing model focuses on improving QoS metrics (Figure 4), such as average end-to-end delay. In contrast, the SecTE (Figure 5) and NormSecTE (Figure 6) models balance both QoS and security (Table 5). Under the exponential link blocking model (9), link blocking intensifies as increases (Figure 2), leading the SecTE and NormSecTE models to prioritize security. Conversely, as decreases, QoS considerations gain importance in load balancing. The NormSecTE model achieved a higher level of network security than the SecTE or TE models, although with a slight trade-of in QoS.

The Sec model achieved the highest network security level ( 2 = 0.58), while the TE model increased packet compromise probability by 34%. The SecTE and NormSecTE models ofered intermediate security, increasing packet compromise probability by 15.83% and 13.4%, respectively. Although the TE model minimized average end-to-end delay (6.1 ms and 5.8 ms), the Sec model significantly increased it by 1.96 to 3.5 times. The SecTE and NormSecTE models resulted in moderate delay increases of 13.21% to 20.41% and 21.75% to 39.57%, respectively.

The findings of this study highlight the critical role of integrating security considerations into Trafic Engineering routing models to enhance network resilience and performance. The proposed model

This research presents the NormSecTE model as a significant advancement in secure Trafic Engineering, integrating both QoS and security metrics within a single framework to enhance routing in softwarized networks. The model’s linear programming formulation supports eficient computational processing, ensuring low resource demands while efectively prioritizing security in routing decisions. Comparative results highlight the limitations of conventional TE models, which, although optimized for performance metrics like delay and utilization, neglect critical security considerations. In contrast, the NormSecTE model reduces the probability of packet compromise through load balancing and trafic redistribution toward more secure links.

The study validates the NormSecTE model’s efectiveness in balancing network performance and security and emphasizes the need for further research to expand its capabilities. Future work should incorporate a broader range of link-blocking models and explore diverse network topologies and compromise scenarios. These developments will strengthen the model’s ability to address complex routing demands in softwarized networks, supporting a robust and secure infrastructure that balances QoS with enhanced security.

NormSecTE model ofers valuable insights for the broader cybersecurity ecosystem. In case when security metrics are included in routing decisions, compromise prevention becomes an integral part of the logic behind routing, rather than an additional task requiring a separate solution. This approach can serve as the basis for designing cyber-resilient infrastructures with proactive cybersecurity logic. In this way, the NormSecTE model supports the development of secure-by-design networks, which are crucial to the growth and development of a robust cybersecurity ecosystem.

This paper was published due to work on the Erasmus+ Project Jean Monnet module “Integrating the future-proof EU cybersecurity ecosystem in Ukraine” Project No.: 101177024 – ERASMUS-JMO2024-HEI-TCH-RSCH. Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Education and Culture Executive Agency (EACEA). Neither the European Union nor EACEA can be held responsible for them.

The authors have not employed any Generative AI tools.