Table of Contents
Fetching ...

A Protocol-Aware P4 Pipeline for MQTT Security and Anomaly Mitigation in Edge IoT Systems

Bui Ngoc Thanh Binh, Pham Hoai Luan, Le Vu Trung Duong, Vu Tuan Hai, Yasuhiko Nakashima

TL;DR

The paper tackles the security of MQTT in edge IoT deployments where cloud IDS latency and generic firewalls fail to enforce MQTT semantics. It presents a protocol-aware P4 data-plane pipeline that performs parser-safe MQTT header extraction, session validation, topic-prefix ACLs, per-client rate limiting, and lightweight anomaly detection at line rate. Experiments on a BMv2 Mininet testbed show delivery above 99.9% for 100–5kpps, 99.8% at 10kpps, and 99.6% at 16kpps with sub-millisecond latency; enforcement accuracy is 99.8% and anomaly detection sensitivity is 98%. This demonstrates the practicality of protocol-aware MQTT filtering in programmable data planes and lays groundwork for hardware validation and threshold adaptation using machine learning.

Abstract

MQTT is the dominant lightweight publish--subscribe protocol for IoT deployments, yet edge security remains inadequate. Cloud-based intrusion detection systems add latency that is unsuitable for real-time control, while CPU-bound firewalls and generic SDN controllers lack MQTT awareness to enforce session validation, topic-based authorization, and behavioral anomaly detection. We propose a P4-based data-plane enforcement scheme for protocol-aware MQTT security and anomaly detection at the network edge. The design combines parser-safe MQTT header extraction with session-order validation, byte-level topic-prefix authorization with per-client rate limiting and soft-cap enforcement, and lightweight anomaly detection based on KeepAlive and Remaining Length screening with clone-to-CPU diagnostics. The scheme leverages stateful primitives in BMv2 (registers, meters, direct counters) to enable runtime policy adaptation with minimal per-packet latency. Experiments on a Mininet/BMv2 testbed demonstrate high policy enforcement accuracy (99.8%, within 95% CI), strong anomaly detection sensitivity (98\% true-positive rate), and high delivery >99.9% for 100--5~kpps; 99.8% at 10~kpps; 99.6\% at 16~kpps) with sub-millisecond per-packet latency. These results show that protocol-aware MQTT filtering can be efficiently realized in the programmable data plane, providing a practical foundation for edge IoT security. Future work will validate the design on production P4 hardware and integrate machine learning--based threshold adaptation.

A Protocol-Aware P4 Pipeline for MQTT Security and Anomaly Mitigation in Edge IoT Systems

TL;DR

The paper tackles the security of MQTT in edge IoT deployments where cloud IDS latency and generic firewalls fail to enforce MQTT semantics. It presents a protocol-aware P4 data-plane pipeline that performs parser-safe MQTT header extraction, session validation, topic-prefix ACLs, per-client rate limiting, and lightweight anomaly detection at line rate. Experiments on a BMv2 Mininet testbed show delivery above 99.9% for 100–5kpps, 99.8% at 10kpps, and 99.6% at 16kpps with sub-millisecond latency; enforcement accuracy is 99.8% and anomaly detection sensitivity is 98%. This demonstrates the practicality of protocol-aware MQTT filtering in programmable data planes and lays groundwork for hardware validation and threshold adaptation using machine learning.

Abstract

MQTT is the dominant lightweight publish--subscribe protocol for IoT deployments, yet edge security remains inadequate. Cloud-based intrusion detection systems add latency that is unsuitable for real-time control, while CPU-bound firewalls and generic SDN controllers lack MQTT awareness to enforce session validation, topic-based authorization, and behavioral anomaly detection. We propose a P4-based data-plane enforcement scheme for protocol-aware MQTT security and anomaly detection at the network edge. The design combines parser-safe MQTT header extraction with session-order validation, byte-level topic-prefix authorization with per-client rate limiting and soft-cap enforcement, and lightweight anomaly detection based on KeepAlive and Remaining Length screening with clone-to-CPU diagnostics. The scheme leverages stateful primitives in BMv2 (registers, meters, direct counters) to enable runtime policy adaptation with minimal per-packet latency. Experiments on a Mininet/BMv2 testbed demonstrate high policy enforcement accuracy (99.8%, within 95% CI), strong anomaly detection sensitivity (98\% true-positive rate), and high delivery >99.9% for 100--5~kpps; 99.8% at 10~kpps; 99.6\% at 16~kpps) with sub-millisecond per-packet latency. These results show that protocol-aware MQTT filtering can be efficiently realized in the programmable data plane, providing a practical foundation for edge IoT security. Future work will validate the design on production P4 hardware and integrate machine learning--based threshold adaptation.
Paper Structure (17 sections, 5 equations, 4 figures, 3 tables)

This paper contains 17 sections, 5 equations, 4 figures, 3 tables.

Figures (4)

  • Figure 1: Edge MQTT security with protocol-aware P4 enforcement and Anomaly cloning to control-plane
  • Figure 2: Simplified ingress-data flow illustrating table order and pipeline logic.
  • Figure 3: Five-node P4 BMv2 testbed: broker (Port 1), telemetry (Port 2), control (Port 3), publishers (Ports 4 to 5).
  • Figure 4: Performance evaluation across: (top) Scenario A: delivery ratio vs. load (benign traffic); (middle) Scenario B: drop accuracy for $16,000$ PUBLISH with $15,000$ soft limit; (bottom) Scenario C: latency percentiles ($N{=}5$; 95% CI).