A 5G Perspective of an SDN-Based Privacy-Preserving Scheme for IoT Networks

The ever-increasing needs of Internet of Things networks (IoTn) present considerable issues in computing complexity, security, trust, and authentication, among others. This becomes increasingly challenging as technology advances and its use expands. As a consequence, boosting the capacity of these networks has garnered widespread attention. 5G, the next phase of cellular networks, is expected to be a game-changer, bringing with it faster data transmission rates, more capacity, improved service quality, and reduced latency. However, 5G networks continue to confront difficulties in establishing pervasive and dependable connections amongst high-speed IoT devices. Thus, to address the shortcomings in current recommendations, we present a unified architecture based on software-defined networks (SDNs) that provides complete confidentiality for 5G-enabled IoT networks. Through SDN, the architecture streamlines network administration while optimizing network communications. A mutual authentication protocol using elliptic curve cryptography is introduced for mutual authentication across certificate authorities and cluster heads in IoT network deployments. In addition, an intrusion detection mechanism based on dimensionality reduction is introduced to decrease computational cost and identify possible network breaches. To assess the scheme, the security of the first module is analysed, and the second module is evaluated and compared to modern models.


Introduction
The next-generation Internet of Things (IoT) network is nearing the end of its development cycle, paving the way for large-scale global implementation. Smart and sustainable communications may profit from technical advancements in the technology sector, such as usage-based insurance and greater income through IoT data monetization. The enabling technologies include IEEE 802.11p, long-term evolution (LTE), the 5G Narrowband Internet of Things (NB-IoT) [1], and Wi-Fi [2]. These technologies, however, face challenges in terms of data rates, latency, dependability, and, more importantly, connectivity, due to a scarcity of spectrum and a complex surrounding environment. Furthermore, with the rising resilience of connected IoT devices, the IoT network faces many issues, including high bandwidth requirements. Fifth generation (5G) networks were created to meet the stringent needs of IoT networks. Due to its spectrum coherence and energy economy, 5G is predicted to boost system capacity by 1000 times, data rate by 10-100 times, battery life by ten times, and latency by five times compared to 4G [3]. As a result, 5G-based IoT networks may overcome the issues posed by the enormous demands and data flow generated by connected devices. Despite its various benefits, 5G networks confront challenges in offering ubiquitous and dependable IoT connections. As a result, a contemporary network technology, software-defined networking (SDN), has evolved to bring intelligence, resilience, and flow programmability into 5G IoT networks [4].
It enhances the capability of 5G networks while supporting the dynamic nature of IoTn. To conceptually concentrate the network state and intelligence in SDNs, data and the control plane are decoupled from each other [5]. On the data plane, all forwarding devices (FDs) are gateways, switches, and routers that use the OpenFlow (OF) protocol. The control plane is responsible for data routing and allocating resources. Executing SDN controller directives, the control plane is also instrumental in providing information on security, identity, authentication, and mobility to the network [6] [7]. SDN has been connected with VNs in some preliminary studies to improve their flexibility, programmability, and efficiency.
For example, [8] presented an IoT architecture based on 5G and SDN together with the Hidden Pattern (THP), in which a visible password and a digital challenge value are used together to guard against various kinds of authentication threats. Researchers in [9] integrated NFV and SDN to manage IoT bootstrapping for large networks. Finally, [10] and public key cryptology [11] [12]. Furthermore, potential security flaws in IoT networks could lead to attacks such as black holes, selective forwarding, packet duplication, wormholes, Sybil attacks and resource exhaustion. As a result, security must be built into such programs in order to preserve the data's integrity and ensure its correctness. Intrusion detection systems (IDSs) have demonstrated their effectiveness in detecting suspected events designed to disrupt network communication in this area [13] [14]. In order to solve security challenges in virtual networks, several IDSs have been developed in the literature [15] [16].
Preserving the data integrity and accuracy of IoTn remains an open issue in the literature, despite several proposals to this effect. Hence, we propose a unified architecture based on software-defined networks (SDNs) that provides 5G-enabled IoT networks with complete confidentiality.
The following are the major contributions of this research:
1) Authentication and intrusion detection are combined in a composite architecture to enable end-to-end security in 5G-SDIoTN deployments. By demanding mutual authentication among the involved entities before data transmission can commence, the architecture helps to identify any breaches in the underlying network.
2) The authentication module's effectiveness rests on ECC point multiplication, concatenation, one-way hash and XOR operations. Furthermore, it is unique in that the certificate authority (CA), cluster head (CH), and IoT devices are all mutually authenticated.
3) Our suggested intrusion detection scheme pre-processes the raw dataset, applies tensor-based dimensionality reduction, and uses Fuzzy C-means (FCM) clustering to detect intrusions. Our subsystem is unique in that it handles the clustering issue effectively using the multi-objective evolutionary algorithm based on decomposition (MOEA/D). The proposed intrusion detection scheme's performance is also improved by tensor-based dimensionality reduction.
The rest of the manuscript is structured as follows: Section 2 discusses the relevant work. In Section 3, the suggested scheme's system model in the context of IoTNs backed by SDN and 5G is presented. Section 4 examines the developed authentication module, followed by the intrusion detection system (IDS) in Section 5. In Section 6, the corresponding simulation output is plotted against the current state of technology. Section 7 summarizes the results and makes suggestions for further investigation.

Related Work
In this section, we provide a quick overview of the relevant work presented by scholars in related areas. The existing techniques have been divided into two categories for clarity's sake: authentication protocols in SDNs and intrusion detection models for IoT networks.
X. M. Jiang et al., Int. J. Communications, Network and System Sciences
[17] presented a secure distributed SDN architecture for IoT using the blockchain technique (DistBlockNet). The researchers stated that their proposed model follows the requirements for creating a network architecture that is both safe and scalable. In the DistBlockNet IoT architectural concept, SDN and blockchains combine their benefits. Although the researchers claim their model outperformed the existing schemes, their model failed to include authentication protocols for the IoT networks. In [18], communication with or without the infrastructure known as an SDN domain is now possible, according to the researchers. There was a single domain in their concept that had a wired, a wireless, and an ad hoc network. Border Controllers are used to facilitate communication across domains in their suggested approach. In the event of a failure, the Border Controllers must work together in a novel distributed way to ensure that each domain remains independent. The researchers claim their proposed model ensures the network's reliability as a whole. However, their model failed to tackle the computational cost and to authenticate the protocols involved. [19] proposes the use of edge computing to allow an external service provider to offer scalability for Blockchain as a Service (BaaS), addressing the additional attack vectors introduced by an increasing number of linked susceptible devices connected to the network, along with a separation between the control and data planes of SDN. By using an efficient, edge-distributed blockchain system, the suggested approach validates the added flows. Their results demonstrated the suggested algorithm's potential to optimize the combined earnings of BaaS and SDN operators in relation to IoT networks.
However, the researchers indicated that they would consider the numerous flow conformance rules that might be applied in a smart contract in future work. The authors of [20] proposed an IoT network intrusion detection and prevention system (IDPS) based on software-defined networking (SDN). An IoT network and collocated fog computing are at the heart of their design, which gives the proposed IDPS the ability to detect numerous attack types in near real-time and neutralize them with SDN-controlled efficiency. The researchers claim their model is more effective than traditional IDPS techniques in IoT networks. However, the model also failed to tackle the computational cost and scalability of the intrusion detection system.
In [21], an SDN-based autonomous security architecture based on blockchain technology is given for the IoT environment. This research intends to reduce current problems and identify attacks more effectively. It makes use of blockchain technology to dynamically update the threat detection framework and reward fog nodes based on "Proof-of-Work." However, their work did not take into consideration the authentication of the protocols involved. [22] propose a blockchain-based controller to protect against fraudulent flow rule injection, with an emphasis on SDN controller authentication. Although their proposed model effectively authenticated the SDN controller, the scalability of their model is in question, and their model could not resolve the problem of intrusions.
[23] propose a new authentication handover scheme using blockchain in an SDN-based 5G network to eliminate the need for recurrent re-authentication across heterogeneous cells. The researchers claim their model ... Things paradigm with several SDN controllers. To gather and synchronize network-wide views across multiple SDN controllers, a blockchain-based consensus system is described. The Q-learning approach is used in this study to simultaneously optimize view modification, access selection, and computing resources.
Although their model was effective, it failed to address how the trustworthiness of SDIIoT nodes and controllers may be assessed. The researchers noted the limitations of measuring trust features as future work.
Although the above literature performed its tasks effectively, it failed to resolve the limitations stated above. Hence, we propose a composite architecture that combines two security modules to enable end-to-end security in 5G-SDIoTN deployments.

System Model
This section discusses the network considered: an SDN configuration enabled by 5G technology. The envisioned IoTN is guarded with cutting-edge 5G and SDN technologies. A more comprehensive version of the scheme is seen in the concept of [7]. The SDN control plane is responsible for enforcing global rules such as intrusion detection, routing, authentication, and mobility management, whereas the data plane is composed of base stations/access points (BSs/APs) that execute the controller's logic. Additionally, the participating IoT devices form clusters depending on their speed, direction of travel, and other parameters, and a cluster head (CH) is selected from within each cluster before the control layer's logic is executed.

Proposed System
This section contains background knowledge on ECC as well as how it has been incorporated into the proposed mutual authentication arrangement between the devices or networks involved. The readers are urged to consult [24] for more information about ECC. The mutual authentication process amongst the participating entities, namely CA, CH, and IoT devices, has been divided into three sections:

Preliminary Generation of Key
This is the initial stage of the authentication procedure. It includes the creation of keys for all units, including the CA, CH, and IoT devices. The CA is in charge of this phase. To produce the keys, the CA sets the general ECC parameters G and p and the other curve members a and b. Using these settings, random number extraction and ECC multiplication are used to produce the CA's public (K) and private (k) key pair. The same procedure is used for the IoT devices, with K and k denoting their public and private keys, respectively. Each IoT device is also assigned an individual ID (IDj). The information about all of the IoT devices' public and private keys is communicated to each device via a secure connection. Figure 1 shows the detailed procedure.
On the CH side, the value of TKCH is obtained by multiplying X and Li. Using this value and the value of A, the CH recovers the corresponding ID (IDi) and verifies that it matches its own IDi. If they are equal, the authentication process continues; otherwise, the connection is torn down.
Table 1 depicts the authentication procedure between the CA and the CHs. The following steps describe the procedure in detail:

Process of Authentication between CA and CH
Step 1: To start the authentication procedure, the CH generates a random number r1 in Zp. The corresponding value R1 is then computed using ECC multiplication, as well as Li, the hash of the CH's current location (Loci). The values R1, IDi and Li are then relayed by the CH to the CA.
Step 2: The CA responds by taking the actions below. The CA first creates a random integer x in Zp and then uses ECC multiplication to generate its counterpart X. The value of Y is then computed by summing Li and G. The value of TKCA is calculated using the values of X and Y. The XOR operation is then performed on TKCA and IDi, and the result is stored in A. Then, using the hash operation over IDi, R1.k, and the CA's current time-stamp TSCA, the intermediate token values TK1, TK2, and TK3 are computed.
Finally, the CA performs concatenation and encryption operations on the interim tokens to produce an authentication token AuthCA for the CH to validate. Following that, the CA generates a random number r2 in Zp, which is multiplied by G to get R2. This step's final responsibility is to send the following values to the CH: A, X, AuthCA, TSCA, R2.
Step 3: When the CH receives the above-mentioned tokens (A, X, AuthCA, TSCA, R2), it validates the time-stamp TSCA and processes the following steps only if it falls within the acceptable range; otherwise, it tears down the connection. The authentication token AuthCH is then created for the CA to validate using TK3, TK5, and TSi (the time-stamp generated by the ith CH). Furthermore, the CH generates the value of X by multiplying a random integer x by G. The CH then creates the value of TKCH using these parameters and the value of Li. It also uses the XOR operation to construct A from TKCH and IDi.
Finally, the CA receives the following set of tokens: A, X, AuthCH, TSi.
Step 4: The CA then uses the processes below to verify the CH's legitimacy. It first validates the received time-stamp TSi. The value of IDi is then used for the second validation step. Finally, the authentication token AuthCH is used to verify the CH's legitimacy. If the tokens are confirmed to match, mutual authentication is established between them, followed by the CA generating a group ID for the ith cluster (GIDi). Finally, this GIDi is forwarded to the CH for further correspondence. Table 2 depicts the authentication procedure between the ith CH and the jth IoT device. The following steps describe the procedure in detail:

Authentication Process between CH and IoT Devices
Step 1: The IoT device generates its Locj and communicates it to its CH to begin the authentication procedure.
Step 2: Using the geographical information, the CH determines whether the device belongs to its cluster. If the connection is verified to be legitimate, it continues; otherwise, the connection is dropped. The CH then creates a random number r2 in Zp and uses ECC multiplication to compute the associated R2. It also generates TSi, a time-stamp token, and sends R2 and TSi to the device.
Step 3: After receiving the above-mentioned tokens, the device validates the time-stamp TSi and, if it falls within the permissible range, proceeds to the next step; if not, it tears down the line of communication. The device then uses its own time-stamp TSj to compute the intermediate tokens TK7 and TK8, as well as the related authentication token Authveh. It also generates a random number r3 in Zp and uses ECC multiplication to obtain its counterpart R3. Finally, the CH receives the parameters Authveh, R3, and TSj for authentication.
Step 4: The CH responds by taking the following actions. It first verifies the received time-stamp. Then, using hash operations over IDi, r2, Kj, and the CH's current time-stamp TSj, the intermediate token values TK8 and TK9 are computed. Concatenation and hashing of the intermediary tokens is then used by the CH to create an authentication token (Authveh) to verify the device's legitimacy. The authentication tokens are compared for equivalence; if they are identical, the jth device's legitimacy is verified, and the procedure continues. The CH then creates an authentication token (AuthCH) for the device to authenticate using a time-stamp TSi and tokens TK8 and TK10. It also produces a second token, GCH, for verification purposes. Finally, the device receives the following set of tokens: AuthCH, IDj, GCH, TSi.
Step 5: The device then uses the processes below to verify the CH's legitimacy. It first validates the received time-stamp TSi. The values of TK7, TK11, and TSi are then used to accomplish the final level of validation. If the tokens are confirmed to match, mutual authentication is established between them, followed by the CA generating a group ID for the ith cluster (GIDi). Finally, the device stores this GIDi for future communication.
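The shared-point and freshness logic that both handshakes above rely on (R1 = r1.G on one side, k.R1 = r1.K on the other, a time-stamp check before any token is compared, and XOR masking of the ID), as an added Python example that is not the paper's code. The toy curve, the SHA-256 token form, the mask derivation and the 30 s window are assumptions, since the page does not define them.

```python
"""Added example (not the paper's code): the primitives behind the CA-CH and
CH-device handshakes, on a constructed toy curve.

Assumptions not given on the page: the textbook curve y^2 = x^3 + 2x + 2 over
F_17 with base point G = (5, 1) of order 19; tokens are SHA-256 hashes over
(ID || shared point || timestamp); the XOR mask key is derived from the shared
point; the timestamp window is 30 s. Real deployments use a >= 160-bit curve.
"""
import hashlib
import secrets

P, A, B = 17, 2, 2                 # toy curve y^2 = x^3 + A x + B (mod P)
G = (5, 1)                         # base point
N = 19                             # order of G; scalars are taken from Z_N
FRESHNESS_WINDOW = 30              # seconds a received timestamp is accepted


def point_add(p1, p2):
    """Affine addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                          # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add: the ECC multiplication used for R1 = r1*G, K = k*G, etc."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def keygen():
    """Preliminary key generation: private scalar k and public point K = k*G."""
    k = secrets.randbelow(N - 1) + 1
    return k, scalar_mult(k, G)


def auth_token(identity, shared, timestamp):
    """Assumed token form: hash over ID, shared point and timestamp."""
    msg = f"{identity}|{shared[0]},{shared[1]}|{timestamp}".encode()
    return hashlib.sha256(msg).digest()


def mask_identity(identity, shared):
    """A = TK xor ID with a 32-bit key derived from the shared point; applying it twice unmasks."""
    key = int.from_bytes(hashlib.sha256(str(shared).encode()).digest()[:4], "big")
    return identity ^ key


def is_fresh(sent_ts, now, window=FRESHNESS_WINDOW):
    """Time-stamp validation done before any token is checked (rejects stale and future stamps)."""
    return 0 <= now - sent_ts <= window


def ca_ch_round(ca_priv, ca_pub, ch_id, r1, ts_ca, now):
    """Steps 1-3 of the CA-CH procedure, reduced to the shared-point and freshness logic.
    Returns True when the CH accepts the CA's token and recovers its own ID from A."""
    R1 = scalar_mult(r1, G)                        # Step 1: CH -> CA: R1, ID_i
    shared_ca = scalar_mult(ca_priv, R1)           # Step 2: CA computes k*R1
    masked = mask_identity(ch_id, shared_ca)       #         A = TK xor ID_i
    token_ca = auth_token(ch_id, shared_ca, ts_ca)
    # Step 3: CH checks TS_CA first; a stale message is dropped without further work
    if not is_fresh(ts_ca, now):
        return False
    shared_ch = scalar_mult(r1, ca_pub)            # r1*K == k*R1 == r1*k*G
    return (mask_identity(masked, shared_ch) == ch_id
            and auth_token(ch_id, shared_ch, ts_ca) == token_ca)


if __name__ == "__main__":
    k, K = keygen()
    print("fresh handshake accepted:", ca_ch_round(k, K, 0x1A2B, 7, 1000, 1005))
    print("stale handshake rejected:", ca_ch_round(k, K, 0x1A2B, 7, 1000, 1100))
```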

Intrusion Detection System
This section describes the intended intrusion detection system (IDS) from the perspective of VNs in detail. The suggested method detects attack vectors such as selective forwarding, black hole, packet duplication, resource depletion, wormhole, and Sybil attacks in VN traffic. It is divided into three phases:

Phase I: Pre-Processing of Data
The existence of missing values in the IoT traffic dataset has a significant impact on the model's learning, inference, and prediction capabilities. Unreliable transmitter connections due to OBU failure, cluster overlapping, or unannounced system maintenance can all cause inconsistencies in such data. Methods such as ignoring, substituting, interpolating, and using the closest neighbour are the most prevalent. However, interpolation approaches outperform other methods in terms of accuracy [25]. As a result, the interpolation approach is used to estimate missing values in this study. The required information is first validated to ensure that it correctly reflects the situation being studied. Following that, interpolation is employed to check that the data is correct and to restore the missing or incorrect values. The goal of this method is to interpolate unknown values from neighbouring known values. It is calculated as follows:
Following that, the prepared data is subjected to tensor-based dimensionality reduction, as explained in the following section.

Phase II: Tensor-Based Dimensionality Reduction
In this phase, the overall dimensionality of the dataset is decreased using the tensor-based technique before it is analysed for potential intrusions. During the data analytics phase, higher-dimensional data causes complex processing challenges such as over-fitting, under-fitting, and poor model interpretability [26].
By improving accuracy, search speed, storage, and computational cost, lowering the dimensions of incoming data helps to ease and speed up the intrusion investigation process. Essentially, a tensor is a multi-way array that is used to represent higher-dimensional data with multiple attributes. These tensors denote different types of datasets, namely unstructured (Dus), semi-structured (Dss) and structured (Ds). A particular tensor of order n is expressed as [27] [28]:
The union operation is then applied to the sub-tensors to make a single tensor. This is done to get rid of redundant and duplicate transactions throughout the collected dataset. "Unified data tensorization" is the name given to this procedure. Following that, the unified tensors' dimensionality is lowered by reducing them to lower-order tensors (also called reduced tensors). The steps below are used to do this. The nth-order tensor is first unfolded into n matrices, a process known as "tensor unfolding" or "matricization" [27] [28]. A complex-valued matrix may then be factorized using the singular value decomposition (SVD) method. SVD is applied iteratively to all unfolded mode-i matrices (Mi), which are expressed using the following equation:
In the above equation, U and V signify unitary matrices, S is a diagonal matrix, and V* is the conjugate transpose of V. Then, for each Mi, the rank computation process is run, and the undesirable values are deleted to generate reduced tensors. These reduced tensors have fewer dimensions, yet they nonetheless provide the same useful information as the original tensor. To detect potential intrusions, the resulting dataset is fed into the FCM clustering method.

Phase III: Fuzzy C-Means (FCM) Clustering
where l is the number of iterations, and the cluster centers cj are computed in Equation (8) as:
The fuzzy membership matrix U is generated using Equation (7) and the corresponding centroids are evaluated using Equation (8) in each iteration of the FCM algorithm, after which the sum of squared errors is computed using Equation (6). In FCM, the minimization of Equation (6) is treated as a multi-objective problem, where F(x) consists of k objective functions, x ∈ Ω denotes a decision variable vector, Ω corresponds to the decision space, and n is the dimension of the variable x. Accordingly, the fuzzy clustering problem is converted into a MOP which is defined as follows:
Here, z* = (z1*, ..., zm*) refers to the ideal point in the objective space. For each Pareto optimal point x*, there exists a weight vector λ such that x* is the optimal solution of Equation (13), and each optimal solution of Equation (13) is Pareto optimal for Equation (9).
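The FCM iteration described above (membership update, centroid update, then the weighted sum of squared errors), run over a constructed set of already-reduced IoT flow features, as an added Python example that is not the paper's code. Because the page does not reproduce Equations (6)-(8), the block uses the standard Bezdek FCM update rules; the fuzzifier m = 2, the two features and the rule for which cluster counts as suspicious are assumptions.

```python
"""Added example (not the paper's code): Fuzzy C-means over constructed flow features.
Standard FCM rules are used for the membership (Eq. 7), centroid (Eq. 8) and
objective (Eq. 6) steps, since the page does not reproduce them.
Assumptions: fuzzifier m = 2, Euclidean distance, features = (normalised packet
rate, normalised duplicate ratio), and the cluster whose centroid has the highest
duplicate ratio is the suspicious one (packet duplication / resource exhaustion)."""
import math

# Constructed sample after pre-processing and dimensionality reduction (not real traffic)
FLOWS = [
    (0.10, 0.05), (0.12, 0.04), (0.08, 0.06), (0.15, 0.07),   # benign-looking flows
    (0.85, 0.80), (0.90, 0.85), (0.95, 0.78), (0.88, 0.90),   # duplication-heavy flows
]


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def update_memberships(data, centers, m):
    """Membership step: u_ij = 1 / sum_k (d_ij / d_kj)^(2/(m-1)).
    A point lying exactly on a centroid gets membership 1 there (avoids 0/0)."""
    expo = 2.0 / (m - 1.0)
    U = []
    for x in data:
        dists = [distance(x, c) for c in centers]
        if 0.0 in dists:
            first = dists.index(0.0)
            U.append([1.0 if j == first else 0.0 for j in range(len(dists))])
            continue
        U.append([1.0 / sum((d_j / d_k) ** expo for d_k in dists) for d_j in dists])
    return U


def update_centers(data, U, m):
    """Centroid step: c_j = sum_i u_ij^m x_i / sum_i u_ij^m."""
    dim = len(data[0])
    centers = []
    for j in range(len(U[0])):
        weights = [U[i][j] ** m for i in range(len(data))]
        total = sum(weights)
        centers.append(tuple(sum(w * x[d] for w, x in zip(weights, data)) / total
                             for d in range(dim)))
    return centers


def objective(data, U, centers, m):
    """Weighted sum of squared errors J = sum_i sum_j u_ij^m d_ij^2."""
    return sum(U[i][j] ** m * distance(x, c) ** 2
               for i, x in enumerate(data) for j, c in enumerate(centers))


def fcm(data, init_centers, m=2.0, max_iter=100, tol=1e-9):
    """Alternate membership and centroid updates until J stops decreasing.
    Returns (centers, U, J per iteration); J is non-increasing by construction."""
    centers = [tuple(c) for c in init_centers]
    history = []
    for _ in range(max_iter):
        U = update_memberships(data, centers, m)
        centers = update_centers(data, U, m)
        history.append(objective(data, U, centers, m))
        if len(history) > 1 and abs(history[-2] - history[-1]) < tol:
            break
    return centers, U, history


def flag_suspicious(data, centers, U):
    """Indices of flows whose dominant membership is the cluster with the highest duplicate ratio."""
    anomalous = max(range(len(centers)), key=lambda j: centers[j][1])
    return [i for i, row in enumerate(U)
            if max(range(len(row)), key=row.__getitem__) == anomalous]


if __name__ == "__main__":
    centers, U, history = fcm(FLOWS, [FLOWS[0], FLOWS[-1]])
    print("centroids:", centers)
    print("iterations:", len(history), "final J:", round(history[-1], 6))
    print("suspicious flows:", flag_suspicious(FLOWS, centers, U))
```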

Experimental Analysis
This section details the experimental evaluation of the suggested strategy and compares the results to the current state of the art. A thorough explanation of the simulation setup, existing strategies, and assessment settings is provided. The evaluation findings for both the authentication and intrusion detection modules are shown in this section.

Authentication Module
Security Analysis: This part emphasizes the proposed protocols' resistance to various cyberattacks, such as cloning and de-synchronization attacks. In this paper, we looked at scenarios in which the integrity of the proposed authentication module could be compromised, putting the system at risk. The proposed protocol is capable of resisting the attack vectors listed below.
Mutual Authentication Support: The developed authentication system allows for mutual authentication between the CA and the CH, as well as between the CH and the IoT devices. As a result, the validity of the involved entities can be verified before data transmission commences. The second and third stages of the ECC-enabled verification module, as previously indicated, demonstrate this. Validation tokens (AuthCA, AuthCH and Authveh) are used in each of these stages, created by ECC multiplication of the random values (R1, R2, R3) with the corresponding private keys (k, ki, kj) of the entities involved. As a result, it assures that only authorized entities possessing a genuine private key can participate in the whole process. Furthermore, in the realm of ECC, recovering the private keys from the exchanged values is a hard problem. The developed security protocol also resists eavesdropping attempts even on unsecured channels, preventing the opponent from extracting or decrypting the exchanged communications. This is due to the whole authentication process's utilization of random integers (r1, r2, r3), location attributes (Loci, Locj), time-stamps (TSCA, TSi, TSj), and private keys.
Anonymity Support: Our authentication mechanism is also intended to accommodate the idea of anonymity. The complexity of the underlying decryption procedure is increased by the usage of the fresh random values (r1, r2, r3) in each run, which improves the security of the underlying communications. As a result, even if the adversary has current knowledge about the system, he cannot derive the prior communications.
Using SPAN for Formal Security Verification: This section shows how the suggested authentication protocol was formalized using AVISPA's commonly used Security Protocol ANimator (SPAN) [31]. It has been implemented on SPAN to validate the security elements of the specified protocol, with the high-level specification written in the High Level Protocol Specification Language (HLPSL). Three basic roles (CA, CH, and IoT device) have been defined, together with a "session" role and the top-level role "environment". The basic roles are specified in detail by the following parameters: the information they can use at first (represented as "parameters"), their initial state (kept by the parameter "State"), and state changes (denoted by one or more "transition"). In HLPSL, each transition is accompanied by SND or RCV parameters. SND denotes a message that is being sent out on the channel "dy", whereas RCV denotes a message that has been received by an agent. These transitions are followed by state changes, and they correspond to the execution steps listed in Table 1 and Table 2.

Overhead Analysis
Table IV summarizes the findings in terms of computation time and communication costs. We did not include the cost of the initial key generation step in our evaluation since it is a one-time activity. Readers are referred to [14] for further details on the simulation setup.
For the computational cost, let Tecm, Teca, Th, Tmac, Tinv, Tbp, Tsig-IBOOS, Tsig-IBS, Tenc and Tdec denote the time required to execute ECC point multiplication, ECC point addition, a one-way hash function, a message authentication code, a modular inverse, a bilinear pairing, IBOOS signature generation, IBS signature generation, symmetric encryption and symmetric decryption, respectively. The suggested approach requires a total of 6Tecm + 12Th, wherein 3Tecm + 6Th is for authentication between the CA and the CH and 3Tecm + 6Th for authentication between the CH and the IoT devices. The overall computing cost for the suggested approach is 0.1061 seconds, where Th and Tecm were taken as 0.00032 and 0.0171 seconds, respectively.
The following assumptions were used in the communication overhead study. The sizes of the location, identity, timestamp, and hash output were taken to be 160 bits, 32 bits, 32 bits, and 160 bits, respectively. In addition, a 160-bit ECC was used, so an elliptic curve point requires a total of 320 bits. Based on these values, the suggested scheme's communication overhead was quantified in terms of the number of messages exchanged between the CH and the IoT device. In addi-

Intrusion Detection Module
Various attack vectors, including selective forwarding, DoS attacks, black holes, wormholes, resource exhaustion, Sybil, and packet duplication, were purposely injected into the sample space to compare the proposed intrusion detection approach's performance to the current state of the art. Existing schemes: AECFV [36], WEKNN [32], T-CLAIDS [37] and PSOGSA [34]. All of them have been tho-
The variables Di, Ti, and n in the preceding equation denote the time it takes to detect a prospective adversary Ai, the time it takes for Ai to launch an attack vector, and the total number of adversaries, respectively.
Communication Overhead: It refers to the total number of messages triggered by the IoT device to achieve a high level of security.
Performance Evaluation: Figure 2 compares the proposed intrusion detection scheme's efficiency to the existing systems. The tests were carried out with a varying number of IoT devices (from 50 to 300) using various attack vectors. The DR comparisons, for example, are shown in Figures 2(a)-(e). The collected data show that as the number of IoT devices increases, all of the systems reach a peak in their DR capabilities. The proposed approach, on the other hand, performs best in this case and has the least variation in DR as the number of IoT devices fluctuates. Furthermore, in the studied setup, IDFV and T-CLAIDS have the poorest performance. Figure 2(a) depicts the corresponding results for accuracy, which are also similar. Figure 2

Conclusion
Future IoTNs are expected to face additional challenges as a result of the combination of SDN and 5G cellular connectivity. In such situations, it is critical to provide an all-encompassing security solution for IoT networks in order to protect them from unanticipated effects. In this regard, many models in the literature enable either a detection mechanism or authentication protocols. Furthermore, these existing methods fail to meet a variety of evaluation criteria. For example, authentication techniques fall short of providing acceptable security, while intrusion detection solutions have a significant FPR when traffic on the IoT devices increases. As a result, this paper presents a modular security framework for current IoTNs. Its integrated features, such as authentication. In future, we will research applying blockchain in the area of security to enhance the scheme.