Search papers, labs, and topics across Lattice.
This paper investigates the phenomenon of security-induced Braess paradoxes in service function chain (SFC) orchestration, revealing that adding security measures can paradoxically degrade service performance by concentrating traffic on shared resources. Through a theoretical framework and a multi-tenant SFC experiment suite, the authors demonstrate that naive defensive expansions can increase service costs by up to 30.8% and significantly heighten risk concentration. In contrast, implementing paradox-aware orchestration strategies can reduce service costs by over 20% and dramatically lower the risk of concentrated attacks by nearly 94%.
Adding security measures can paradoxically worsen service performance, increasing costs and risk concentration in SFC orchestration.
NFV/SDN orchestration lets operators instantiate and steer traffic through virtual firewalls, IDS/IPS replicas, WAF clusters, zero-trust gateways, backup inspection paths, and migration targets on demand. Operators often treat these options as monotone improvements: more inspection capacity, lower nominal latency, or broader placement flexibility should not degrade the service. That intuition can fail even when the new option is locally attractive. We study a security-induced Braess paradox in service function chain (SFC) orchestration, where adding a defensive option worsens the post-adaptation equilibrium by concentrating traffic and adversarial value on shared security resources. We define Braessian security-management actions, derive a sufficient condition for paradox emergence under affine load-dependent VNF delay, and give a pre-deployment orchestration screen that rejects, caps, or reserves harmful options. A multi-tenant SFC experiment suite applies the model to four topology-derived settings: a fat-tree datacenter, NSFNET-style WAN, GEANT-style WAN, and edge/fog topology. Under default parameters in the Braessian regime identified by the theory, naive defensive expansion raises equilibrium service cost by 27.2-30.8% and increases risk concentration by factors of 6.1-9.7. Paradox-aware constrained use keeps the residual penalty below 1.9%, reduces service cost by 20.0-22.1% relative to naive expansion, and lowers a concentration-sensitive attack-loss proxy by 93.5% on average.