SDNFV Based Threat Monitoring and Security Framework for Multi-Access Edge Computing Infrastructure

Prabhakar Krishnan 1 & Subhasri Duttagupta 2 & Krishnashree Achuthan 1

# Springer Science+Business Media, LLC, part of Springer Nature 2019

Abstract

Advanced persistent DoS, ransom DoS, botnet-driven floods and application-layer DDoS floods are examples of sophisticated multi-vector attacks. Conventional IT security approaches are centralized and are limited in scale, in network-wide monitoring and in the resources available for distributed detection. This paper proposes a new approach that integrates multi-layer cooperative security intelligence onto a converged Software-Defined Networking/Network Function Virtualization architecture in a typical Multi-access Edge Computing (MEC) scenario. The key features of the framework are: a) a distributed, lightweight, real-time DDoS Threat Analytics and Response Framework (DTARS) that identifies DDoS traffic and botnets close to the source of the attack; b) behavioral monitoring and profiling functions in the data plane and validation of control-plane operations; c) advanced correlation, signature and anomaly detection techniques; d) a real-time threat analytics system; e) scalable and agile mitigation mechanisms based on a stateful data plane and a security-aware SDN stack. We evaluate the performance of the DTARS framework in three practical MEC case studies: an SDN-enabled mobile LTE MEC network, an SDN-enabled IoT MEC network and a software-defined datacenter edge network. Compared with a legacy MEC network, DTARS incurs about 60% less overhead than legacy LTE and 40% less than a prior OVS/SDN-based MEC-LTE solution, detects attacks about 10x faster, reaches a detection accuracy of about 96% at different attack intensities, and improves overall end-to-end connection management performance under rapid scaling of end users.

Keywords MEC . LTE . SDN . NFV . SDNFV . OpenFlow . IoT . Cloud . Edge networks . DDoS . Botnet . Network Security . Threat Analytics . Security . Network Intrusion Detection system . NIDS

1 Introduction

With the rise of the Internet of Things/Everything (IoT/E) comes the need for stronger security. Distributed Denial of Service (DDoS) has long been one of the hardest problems in security, and the number of DDoS incidents keeps increasing. DDoS attacks have become more complex over the years, and multi-vector attacks combining two or more vectors are now the most commonly employed. According to Corero's DDoS Trends report [1], the rapid surge in DDoS attacks is attributed to the proliferation of unsecured IoT devices. IoT devices come with little to no security features, open ports and default credentials, and are poorly maintained or not updated regularly. In 2016 the Mirai botnet [2], built from hacked surveillance cameras, mounted the first reported massive IoT-based DDoS attack and brought down Internet services in the US. This series of attacks illustrates the need to secure IoT and smart devices and to improve the trustworthiness of the associated applications. According to the Symantec report [3], the Mirai worm remained an active threat and, with 16% of the attacks, was the third most common IoT threat in 2018. The report [3] further states that routers and connected cameras were the most infected devices, and that the emergence of the VPNFilter malware in 2018 represented an evolution of persistent IoT threats: its ability to survive a reboot makes it very difficult to remove.

Kaspersky researchers [4] report that the distribution of attacks by type in the last quarter underwent a bit of a shakeup: SYN flooding remained the most common, while UDP flooding increased its share to almost a third of all types of DDoS

* Prabhakar Krishnan, kprabhakar@am.amrita.edu
1 Center for Cybersecurity Systems and Networks, Amrita Vishwa Vidyapeetham, Amritapuri Campus, Clappana PO, Kollam, Kerala 690525, India
2 Department of Computer Science and Engineering, Amrita Vishwa Vidyapeetham, Amritapuri Campus, Clappana PO, Kollam, Kerala 690525, India

Mobile Networks and Applications, https://doi.org/10.1007/s11036-019-01389-2
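The abstract describes behavioral profiling of sources in the data plane, anomaly detection on the resulting counters and a stateful mitigation path, and the introduction names SYN and UDP floods as the dominant attack types. The following is an added example, not code from the paper or from the DTARS implementation, showing the kind of lightweight per-source detector such a data-plane agent could run. It assumes (hypothetically) that the switch exports per-source SYN, handshake-completing ACK and UDP packet counts once per interval; the EWMA baseline, burst factor, completion-ratio threshold and the shape of the mitigation rule are this example's own choices, not the paper's parameters or an OpenFlow API. The flow samples are constructed.

```python
"""Per-source SYN/UDP flood detector over interval flow counters (added example).

Assumed (hypothetical) telemetry: for every source and every interval the data plane
reports SYN-only packets, handshake-completing ACKs and UDP packets sent by that source.
A source is flagged when its rate bursts well above its own EWMA baseline AND, for TCP,
its handshake completion ratio is low (a flash crowd completes handshakes, a SYN flood
does not). Flagged samples do not update the baseline so an attacker cannot poison it.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FlowSample:
    interval: int
    src: str
    syn: int   # TCP SYN-only packets sent by src in this interval
    ack: int   # handshake-completing ACKs sent by src in this interval
    udp: int   # UDP packets sent by src in this interval


@dataclass
class Baseline:
    """EWMA of one per-source rate; updated only with samples judged benign."""
    ewma: float = 0.0
    seen: int = 0

    def update(self, value: float, alpha: float) -> None:
        self.ewma = value if self.seen == 0 else (1 - alpha) * self.ewma + alpha * value
        self.seen += 1


@dataclass
class Alert:
    interval: int
    src: str
    kind: str        # "syn_flood" or "udp_flood"
    observed: int
    baseline: float


class FloodDetector:
    def __init__(self, alpha=0.3, burst_factor=4.0, min_syn=50, min_udp=500,
                 max_completion=0.2, warmup=2):
        self.alpha, self.burst_factor = alpha, burst_factor
        self.min_syn, self.min_udp = min_syn, min_udp      # absolute floors: ignore tiny sources
        self.max_completion, self.warmup = max_completion, warmup
        self.syn_base: Dict[str, Baseline] = defaultdict(Baseline)
        self.udp_base: Dict[str, Baseline] = defaultdict(Baseline)
        self.alerts: List[Alert] = []

    def _burst(self, base: Baseline, value: int, floor: int) -> bool:
        # Needs `warmup` benign intervals before judging, a minimum absolute rate,
        # and a jump of burst_factor over the learned baseline.
        return base.seen >= self.warmup and value >= floor and value > self.burst_factor * base.ewma

    def observe(self, s: FlowSample) -> List[Alert]:
        sb, ub = self.syn_base[s.src], self.udp_base[s.src]
        completion = s.ack / s.syn if s.syn else 1.0
        syn_flood = self._burst(sb, s.syn, self.min_syn) and completion <= self.max_completion
        udp_flood = self._burst(ub, s.udp, self.min_udp)
        new = []
        if syn_flood:
            new.append(Alert(s.interval, s.src, "syn_flood", s.syn, sb.ewma))
        if udp_flood:
            new.append(Alert(s.interval, s.src, "udp_flood", s.udp, ub.ewma))
        if not syn_flood:
            sb.update(s.syn, self.alpha)
        if not udp_flood:
            ub.update(s.udp, self.alpha)
        self.alerts.extend(new)
        return new


def mitigation_rule(a: Alert) -> dict:
    """Illustrative drop rule for the flagged source. Field names are this example's own,
    chosen to resemble a match/action flow entry; they are not an OpenFlow or OVS API."""
    proto = "tcp" if a.kind == "syn_flood" else "udp"
    return {"priority": 1000, "match": {"ipv4_src": a.src, "ip_proto": proto},
            "action": "drop", "hard_timeout_s": 300}


# Constructed samples: a benign host, a legitimate flash crowd (high SYN rate but
# handshakes complete), a SYN flooder and a UDP flooder. Two warm-up intervals each.
SAMPLES = [
    FlowSample(0, "10.0.0.5", 20, 18, 10), FlowSample(1, "10.0.0.5", 22, 20, 12),
    FlowSample(2, "10.0.0.5", 25, 24, 11), FlowSample(3, "10.0.0.5", 24, 22, 9),
    FlowSample(0, "198.51.100.9", 30, 28, 0), FlowSample(1, "198.51.100.9", 30, 29, 0),
    FlowSample(2, "198.51.100.9", 300, 280, 0),
    FlowSample(0, "203.0.113.7", 20, 18, 0), FlowSample(1, "203.0.113.7", 20, 19, 0),
    FlowSample(2, "203.0.113.7", 400, 5, 0), FlowSample(3, "203.0.113.7", 450, 3, 0),
    FlowSample(0, "192.0.2.44", 0, 0, 100), FlowSample(1, "192.0.2.44", 0, 0, 100),
    FlowSample(2, "192.0.2.44", 0, 0, 2000),
]


def run_demo() -> List[Alert]:
    det = FloodDetector()
    for s in SAMPLES:
        det.observe(s)
    return det.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a, mitigation_rule(a))
```

Only the SYN flooder (twice, since its baseline is frozen once flagged) and the UDP flooder are reported; the flash-crowd source bursts just as hard but completes its handshakes, which is the check that keeps a burst-only detector from blocking legitimate load.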