Mobile Edge Computing Security Risk Analysis and Solutions
Source: Internet
Author: User
Keywords: mobile edge computing; mobile edge computing security; mobile edge computing security risk
As a new 5G-oriented technology that pushes cloud computing capabilities down to edge nodes, mobile edge computing has three characteristics that distinguish it from a typical cloud platform: routing control, opening of wireless network capabilities, and platform management. While it gives terminals low-latency distributed computing and intelligent energy-saving operating modes, edge computing sits close to terminal devices, runs with limited resources, has direct access to terminal device data, and must support device mobility. As a result it faces not only the security problems common to all computing systems, cloud platforms included, but also new threats concerning its infrastructure, virtualization features, data resources, device interaction, and terminal mobility. This article starts from the features that distinguish edge computing from a general cloud platform, analyzes the security issues these features introduce, and proposes solutions.
1. Mobile edge computing
At the end of 2018, the China Electronics Standardization Research Institute, Alibaba Cloud and other organizations jointly compiled and released the "Edge Cloud Computing Technology and Standardization White Paper", which defined the concept of edge cloud computing [1]. Mobile edge computing devices are deployed at the edge of the mobile network, within the radio access network (RAN) and close to the terminal, where they provide IT service capabilities and cloud computing functions to nearby mobile devices. Such devices can directly access a device's context, such as its precise geographic location, its network status and even the terminal's mobility behaviour. Because edge computing brings computing power next to the terminal and avoids long-distance transmission across the network, it can reduce the risk of sensitive information being leaked or stolen [2]. At the same time, edge computing devices are the direct entry point for terminal data and can collect large amounts of sensitive user information, which places higher demands on their privacy protection mechanisms.
Mobile edge computing ties the deployment of edge computing platforms to mobile network infrastructure such as 5G. In some cases the terminal itself can take part in providing the service. Mobile edge computing involves several distinct user entities: cloud service providers, edge computing service providers, and users. Telecom operators can become mobile edge computing providers because they own the mobile network infrastructure in which edge data centers are deployed. Third-party service providers can work closely with operators to develop dedicated services for mobile edge computing; such services can be tested extensively and integrated in a customized manner. Each of these entities needs different access rights to resources. Under large-scale Internet of Things connectivity, user access rights must be managed so that each entity's needs are met and resource sharing is maximized, while unauthorized tampering with and misuse of information is prevented.
Mobile edge computing is a high-performance, carrier-grade cloud platform adjacent to the RAN that allows computing at the edge of the network. It processes both the downstream data from the cloud service host to the mobile terminal and the upstream data from the mobile terminal to the cloud host. The platform can be built from standard IT servers and network equipment inside and outside the base station; third-party applications are deployed and executed in virtual machines interconnected by that network equipment. It is also possible to build the platform from standard IT servers alone, with the network devices implemented as software entities.
The basic functions of the mobile edge computing platform are provided by a routing module, a network capability opening module and a platform management module [3]. The routing module forwards packets between the platform, the RAN and the mobile core network, and within the platform itself. The network capability opening module exposes authorized functions of the wireless network information service (RNIS) and radio resource management (RRM). The platform management module supports authentication, authorization, billing and management of third-party applications [4], which covers the orchestration of application deployment and the authorization to open network capabilities.
The following sections analyze the security problems in each of these three modules of the mobile edge computing framework and give solutions.
2. Routing control module
2.1 Security risk analysis
Through the routing control module, user plane traffic (uplink or downlink) is passed to an application, which can monitor, modify or control it and then return it to the original connection. Terminals in the edge environment are highly mobile, so the routing module must preserve business continuity; it must also be able to interrupt and tear down a session when the mobile terminal switches to an access point served by a different mobile edge computing platform.
The routing module is also responsible for forwarding traffic between virtual machines within the platform. It supports network virtualization to provide a flexible packet forwarding backplane, and assigns network and security services to virtual machines that can be programmed and managed in the backplane as needed.
2.2 Solution
When forwarding traffic, it is recommended to classify traffic by type and to place firewalls between the center and the branches. In some cases, edge computing devices do not need to be connected to the corporate network at all; for example, edge sites that run farms or automated factories do not require access to customer data. The edge micro data center should be clustered for redundancy, protect the confidentiality and integrity of transmitted data, and prevent replay. The platform's APIs should require authentication and authorization. The platform itself should be hardened according to the principle of minimization: all unnecessary ports and services closed, and sensitive data (such as user location and wireless network information) stored securely with unauthorized access prohibited. Mobile edge computing stations should also have DDoS protection.
For virtual machines deployed in a virtualized edge environment, isolation between virtual machines should be strengthened, and insecure devices strictly isolated so that user traffic cannot flow into a malicious virtual machine. In addition, the running state of virtual machines should be monitored in real time so that malicious virtual machine behaviour is detected and the migration of a malicious virtual machine cannot infect other edge data centers.
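The requirement that the platform's APIs be both authenticated and authorized, with access rights differing per user entity (section 1) and with everything unnecessary closed off, can be shown as an authentication-then-authorization gate with default deny. The following is an added example written for this page, not the platform's own API: the entity names, the operation names and the signed-token format are assumptions modelled on the user entities the article lists.

```python
"""Authenticated, role-authorized, default-deny access check for a mobile
edge computing platform API. Example code for this page; the roles,
operations and token format are assumptions, not a real MEC API."""
import base64
import hashlib
import hmac
import json

# Hypothetical permission table: the operations each entity may invoke.
# Anything not listed is denied, which is the principle of minimization
# applied to the API surface.
PERMISSIONS = {
    "cloud_provider": {"app:deploy", "app:delete", "rnis:read", "rrm:configure"},
    "edge_provider": {"app:deploy", "rnis:read", "rrm:configure", "platform:audit"},
    "third_party_app": {"rnis:read"},
    "user": set(),
}

PLATFORM_KEY = b"constructed-demo-key-not-for-production"  # constructed value


def issue_token(subject, role, key=PLATFORM_KEY):
    """Mint an HMAC-SHA256 signed token carrying the caller's identity and role."""
    claims = json.dumps({"sub": subject, "role": role}, sort_keys=True).encode()
    tag = hmac.new(key, claims, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(claims).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_token(token, key=PLATFORM_KEY):
    """Authentication: return the claims if the signature verifies, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        claims = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(claims)


def authorize(token, operation):
    """Authorization: allow the operation only if the caller's role is
    explicitly granted it. Unknown roles, unknown operations and invalid
    tokens all fall through to deny."""
    claims = verify_token(token)
    if claims is None:
        return False
    return operation in PERMISSIONS.get(claims.get("role"), set())


if __name__ == "__main__":
    app_token = issue_token("app-42", "third_party_app")
    print(authorize(app_token, "rnis:read"))       # granted to the app role
    print(authorize(app_token, "rrm:configure"))   # not granted: denied
```

A token minted under a different key fails verification before any permission lookup happens, and a role with an empty permission set (the `user` entity here) is denied every platform operation rather than inheriting a default.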
3. Open wireless network capabilities
3.1 Security risk analysis
In the mobile edge computing architecture, edge devices can securely offer services and functions drawn from the underlying mobile network to third-party applications through open network capabilities, using homogeneous application programming interfaces (APIs). At the same time, these open APIs bring certain security threats to mobile edge computing.
Reference [6] notes that the set of APIs serving the various participants (users, virtual machines and other data centers), together with the access points of other network applications, gives an attacker a considerable attack surface and adds further attack vectors. The smarter the edge computing client, the more exposed it is to malware and security breaches. At the same time, the highly dynamic environment at the edge of the network leaves it more fragile and less protected, leading to security issues such as privacy leakage, privilege escalation and service manipulation.
3.2 Solution
While providing external service interfaces, the security of the data plane gateway must be strengthened: interface security ensured, sensitive data protected, and physical-contact attacks resisted, so that user data is forwarded correctly according to the offloading strategy. Specifically, mutual authentication should be performed between the data plane and the mobile edge computing platform, and between the data plane and the core network elements it interacts with. Communication over the interfaces between the data plane and the mobile edge computing platform, and between the data plane and those core network elements, should be protected for confidentiality and integrity and against replay. Sensitive information on the data plane (such as the offload strategy) should be stored securely. Because the data plane is the core network's data forwarding network element, pushed down from the core network into the access network, attackers must be prevented from tampering with the configuration data of the data plane network elements and from reading sensitive information.
For privilege escalation and service manipulation, a blockchain-based trust security architecture can be considered. Its central idea is to trust no internal or external user or terminal automatically, and to verify every device attempting access before authorizing it. This restricts an attacker's lateral movement: even after successfully infiltrating an endpoint device, the attacker is prevented from moving laterally through the whole environment or from using phishing to obtain access credentials that reach the data center holding the target asset directly.
4. Platform management
4.1 Security Risk Analysis
The platform management module manages the other modules and the local IT infrastructure, and supports the authentication, authorization and billing operations of the network capability opening module and of the local IT infrastructure resources allocated to third-party applications. The local IT infrastructure is mainly deployed as Infrastructure as a Service (IaaS) [8], for example OpenStack. The platform management module consists of interrelated components that control pools of computing, storage and network hardware, so that IT resources can be planned and coordinated according to the requirements of third-party applications. In the platform-managed IaaS there are two security issues: the security of terminal data and the security of data between different terminals. Since the edge device is the direct entry point for data, the end user's public and private data are transmitted to and processed by the edge device directly. The edge device must therefore process the two kinds of data separately, encrypting and protecting the private data to ensure its security and isolation and to avoid leakage and theft. Different terminals hold different data, some of which must not be leaked, so data belonging to different terminals must be isolated from each other to guarantee the accuracy and safety of each terminal's data.
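One way to realize the separate handling of public and private data and the isolation between terminals described above is to split each record by field classification and to seal the private part under keys derived for that terminal alone. The following is an added example written for this page, not the platform's own code: the field classification, the master key and the record layout are assumptions, and the stream cipher is a toy stand-in built from HMAC-SHA256 so the block runs on the standard library. A real platform would use an authenticated cipher such as AES-GCM with the same per-terminal key derivation.

```python
"""Per-terminal data isolation: public fields stay in clear, private fields
are sealed under keys derived (HKDF) for one terminal id. Example for this
page; classification, master key and the HMAC-based toy cipher are
assumptions and stand-ins."""
import hashlib
import hmac
import json
import os

MASTER_KEY = b"constructed-platform-master-key"          # constructed value
PRIVATE_FIELDS = {"location", "imsi", "radio_state"}    # assumed classification


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract-then-expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def terminal_keys(terminal_id):
    """Derive an encryption key and a MAC key bound to one terminal id. Keys
    derived for another terminal id cannot open this terminal's records."""
    info = terminal_id.encode()
    return (hkdf_sha256(MASTER_KEY, b"mec-terminal-enc", info),
            hkdf_sha256(MASTER_KEY, b"mec-terminal-mac", info))


def _keystream(key, nonce, length):
    # Toy counter-mode keystream from HMAC-SHA256; stand-in for a real AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_record(terminal_id, record):
    """Split the record, then encrypt-then-MAC the private fields under the
    terminal's keys. The terminal id is bound into the MAC so a record cannot
    be re-attributed to another terminal."""
    enc_key, mac_key = terminal_keys(terminal_id)
    public = {k: v for k, v in record.items() if k not in PRIVATE_FIELDS}
    private = json.dumps({k: v for k, v in record.items() if k in PRIVATE_FIELDS},
                         sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = _xor(private, _keystream(enc_key, nonce, len(private)))
    tag = hmac.new(mac_key, terminal_id.encode() + nonce + ct, hashlib.sha256).digest()
    return {"terminal": terminal_id, "public": public, "nonce": nonce, "ct": ct, "tag": tag}


def open_record(requesting_terminal, sealed):
    """Return the private fields only if the requester's own keys verify the
    tag; a different terminal's keys fail, which enforces isolation."""
    enc_key, mac_key = terminal_keys(requesting_terminal)
    expected = hmac.new(mac_key, requesting_terminal.encode() + sealed["nonce"] + sealed["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return json.loads(_xor(sealed["ct"], _keystream(enc_key, sealed["nonce"], len(sealed["ct"]))))


if __name__ == "__main__":
    rec = {"device": "sensor-7", "battery": 80, "location": "31.2,121.5"}   # constructed
    sealed = seal_record("term-A", rec)
    print(sealed["public"])               # only the non-sensitive fields
    print(open_record("term-A", sealed))  # the owner recovers its private data
    print(open_record("term-B", sealed))  # another terminal gets None
```

The master key never leaves the platform; each terminal's keys are reproducible from its id, so there is no per-terminal key store to protect, and compromise of one terminal's derived keys reveals nothing about another's.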
4.2 Solution
Security management of the platform is the same as that of a traditional network: it covers account and key security, authorization management, log security and so on. Only authorized users may perform operations. The key used to access a device must not be simple or a default; strong passwords or multi-factor authentication should be used, especially for administrator and root-access accounts.
Because edge computing pushes computing power to the edge, some operations and computations do not pass through the core network but are carried out, with their data transfers, within a small area, and these operations are not supervised. When edge computing is entrusted with critical decisions, it must pay extra attention to the data and commands it receives, checking for traditional network security threats such as malformed input and also verifying the integrity of otherwise valid data. It is also recommended to audit the edge computing platform's log data regularly so that the attack events and security issues described above are discovered in time.
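The regular log audit recommended above can be made concrete as a small set of rules that look for the conditions the two preceding paragraphs name: a burst of failed logins against one account, a privileged login that did not use multi-factor authentication, and a command rejected because its integrity check failed. This is an added example for this page, not a real platform's audit tool: the log format and every sample line are constructed.

```python
"""Rule-based audit of edge platform logs. Example for this page; the
syslog-like format and the sample lines below are constructed."""
import re
from collections import Counter

# Constructed sample log: one event per line, key=value fields after the event name.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z edge01 auth: LOGIN_FAIL user=admin src=10.0.0.5
2024-05-01T10:00:02Z edge01 auth: LOGIN_FAIL user=admin src=10.0.0.5
2024-05-01T10:00:03Z edge01 auth: LOGIN_FAIL user=admin src=10.0.0.5
2024-05-01T10:00:04Z edge01 auth: LOGIN_FAIL user=admin src=10.0.0.5
2024-05-01T10:00:05Z edge01 auth: LOGIN_FAIL user=admin src=10.0.0.5
2024-05-01T10:00:09Z edge01 auth: LOGIN_OK user=root src=10.0.0.5 method=password
2024-05-01T10:01:00Z edge01 ctrl: CMD_REJECT cmd=set_offload_policy reason=bad_integrity src=10.0.0.5
2024-05-01T10:02:00Z edge01 auth: LOGIN_OK user=operator src=10.0.0.9 method=mfa
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<event>\w+) (?P<rest>.*)$")

PRIVILEGED_ACCOUNTS = {"root", "admin"}   # assumed list of root-access accounts


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        yield {**m.groupdict(), **fields}


def audit(log_text, fail_threshold=5):
    """Return a list of (rule, detail) findings, one per triggered condition."""
    findings = []
    fails = Counter()
    for ev in parse(log_text):
        if ev["event"] == "LOGIN_FAIL":
            key = (ev.get("user"), ev.get("src"))
            fails[key] += 1
            if fails[key] == fail_threshold:          # report once per burst
                findings.append(("login_burst", f"{key[0]} from {key[1]}"))
        elif (ev["event"] == "LOGIN_OK"
              and ev.get("user") in PRIVILEGED_ACCOUNTS
              and ev.get("method") != "mfa"):
            findings.append(("privileged_login_without_mfa", ev.get("src")))
        elif ev["event"] == "CMD_REJECT" and ev.get("reason") == "bad_integrity":
            findings.append(("command_integrity_failure", ev.get("cmd")))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Run against the sample, the three rules each fire once; the operator's MFA login on the last line produces no finding. In practice the same rules would run over the platform's exported logs on a schedule, with the thresholds tuned to the site.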