TOTP Moving Target Defense for sensitive network services
Pervasive and Mobile Computing (IF 4.3), Pub Date: 2021-05-11, DOI: 10.1016/j.pmcj.2021.101412
Vitor A. Cunha , Daniel Corujo , Joao P. Barraca , Rui L. Aguiar

Edge computing is crucial for many of the new 5G business vertical use-cases, such as Industry 4.0 robots, safety-critical communications, and highly-efficient smart grids. However, the tighter integration of such impactful businesses into previously core network operations raises significant security, trustworthiness, and reliability issues. One business vertical must not be able to compromise the Edge platform for other business verticals. Likewise, the vertical Network Services (NSs) entrusted to the Edge should not be compromisable by adversary action. Inspired by the Two-Factor Authentication (2FA) systems used by existing Internet services, we propose a Moving Target Defense (MTD) mechanism that protects sensitive NSs using a port mutation akin to a seamless Time-based One-Time Password (TOTP) authentication: the port on which an NS is reachable changes with time, and only a party holding the shared secret can compute the current one. Our architecture leverages Software-Defined Networking (SDN) to perform the mutations, with the option of working exclusively as a Virtual Network Function (VNF) that can be instantiated on demand, or in conjunction with OpenFlow hardware-accelerated switches for smarter resource usage. The straightforward Proof-of-Concept implementation showed the approach to be viable, with good forwarding-plane performance (exceeding the capabilities of current Network Interface Controllers) and effective at stopping unauthorized interactions with the protected NS. Because the TOTP approach depends on time and jitter is common (e.g., network delay), the Threat Detection must make a trade-off between minimizing false positives (too many alarms) and false negatives (attempts that go unreported). We have struck a balance that reduces the probability of a rogue probe reaching the NS to nearly 0.0045%, while the probability of stopping an attack but not generating an alarm is approximately 2%. Future work, such as adaptive delay compensation or the use of AI/ML, may further improve the effectiveness of the solution.
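As an added illustration (not the paper's code, and not an attempt to reproduce its 0.0045% and 2% figures), the following Python models the TOTP-style port mutation and the jitter trade-off described in the abstract. Everything concrete in it is an assumption chosen for the example: the RFC 6238 HMAC-SHA1 derivation reduced modulo a port range instead of 10**digits, a 30 s step, ports 10000-59999, and a gateway policy that forwards packets for the current or previous step's port, silently drops packets for the step before that (the "written off as jitter" zone where a stopped attack goes unreported), and alarms on everything else. A plain Python decision function stands in for the SDN/OpenFlow rules the paper installs.

```python
"""Worked illustration of TOTP-style port mutation and the jitter trade-off.
Added example, not the paper's code. Assumptions: RFC 6238 HMAC-SHA1 derivation
reduced modulo the port range, a 30 s step, ports 10000-59999, and a decision
policy with a one-step accept window and a two-step silent-drop window."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30                   # assumed mutation interval
PORT_LOW, PORT_HIGH = 10000, 59999  # assumed mutation range
RANGE = PORT_HIGH - PORT_LOW + 1    # 50000 candidate ports


def time_step(ts: float) -> int:
    """TOTP time counter T = floor(unix_time / step)."""
    return int(ts // STEP_SECONDS)


def totp_port(secret: bytes, step: int) -> int:
    """Map a time step to a port the way TOTP maps it to a code: HMAC-SHA1 over
    the 64-bit big-endian counter, dynamic truncation to 31 bits, then reduction
    modulo the port-range size instead of 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return PORT_LOW + code % RANGE


def client_port(secret: bytes, client_clock: float) -> int:
    """Port an authorised client dials, from its own (possibly skewed) clock."""
    return totp_port(secret, time_step(client_clock))


def gateway_decision(secret: bytes, dst_port: int, arrival_ts: float,
                     accept_back: int = 1, silent_back: int = 2):
    """What the mutation gateway (standing in for the SDN/VNF forwarding rules)
    does with a packet for dst_port arriving at arrival_ts on its own clock.

    Returns (action, alarm):
      ("forward", False)  current port, or one up to accept_back steps old:
                          this tolerance absorbs clock skew and network delay
      ("drop", False)     older than accept_back but within silent_back steps:
                          blocked, but written off as jitter, so no alarm
                          (a stopped attack landing here is the false negative)
      ("drop", True)      anything else: blocked and alarmed as a rogue probe
    """
    now = time_step(arrival_ts)
    for age in range(silent_back + 1):
        if dst_port == totp_port(secret, now - age):
            return ("forward", False) if age <= accept_back else ("drop", False)
    return "drop", True


def rogue_probe_outcomes(accept_back: int = 1, silent_back: int = 2):
    """For one uniformly random probe into the range (HMAC collisions between
    steps ignored, they are ~1/RANGE): P(probe reaches the NS) and
    P(probe stopped but unreported). Shrinking accept_back lowers the first
    at the cost of more false alarms on slow or skewed clients; shrinking
    silent_back lowers the second at the same cost."""
    reach = (accept_back + 1) / RANGE
    unreported = (silent_back - accept_back) / RANGE
    return reach, unreported


def demo(secret: bytes = b"example-shared-secret", t0: float = 1_620_000_000.0):
    """Constructed timeline: t0 is a step boundary (1_620_000_000 / 30 is integral).
    Returns the gateway decisions in order."""
    s = time_step(t0)
    return [
        # client and gateway in the same step, 200 ms of network delay
        gateway_decision(secret, client_port(secret, t0 + 5.0), t0 + 5.2),
        # client computed the port 0.1 s before the boundary; packet arrives after it
        gateway_decision(secret, client_port(secret, t0 + 29.9), t0 + 30.3),
        # attacker replays a port sniffed in step s, two steps later: dropped, no alarm
        gateway_decision(secret, totp_port(secret, s), t0 + 70.0),
        # same replay three steps later: outside the silent window, alarmed
        gateway_decision(secret, totp_port(secret, s), t0 + 100.0),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
    print(rogue_probe_outcomes())
```

Setting `accept_back` to 0 removes the jitter tolerance: the second packet in `demo()` (computed just before the step boundary) is then dropped, a false positive on a legitimate client, while the target area for a rogue probe shrinks from two live ports to one. The silent window trades the opposite way: widening it quiets alarms from late clients but enlarges the set of ports on which a stopped probe goes unreported.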




Updated: 2021-05-14