MQTT is the dominant lightweight publish-subscribe protocol for IoT deployments, yet edge security remains inadequate. Cloud-based intrusion detection systems add latency that is unsuitable for real-time control, while CPU-bound firewalls and generic SDN controllers lack the MQTT awareness needed to enforce session validation, topic-based authorization, and behavioral anomaly detection. We propose a P4-based data-plane enforcement scheme for protocol-aware MQTT security and anomaly detection at the network edge. The design combines parser-safe MQTT header extraction with session-order validation, byte-level topic-prefix authorization with per-client rate limiting and soft-cap enforcement, and lightweight anomaly detection based on KeepAlive and Remaining Length screening with clone-to-CPU diagnostics. The scheme leverages stateful primitives in BMv2 (registers, meters, direct counters) to enable runtime policy adaptation with minimal per-packet latency. Experiments on a Mininet/BMv2 testbed demonstrate high policy enforcement accuracy (99.8%, within a 95% CI), strong anomaly detection sensitivity (98% true-positive rate), and high delivery (>99.9% for 100-5 kpps; 99.8% at 10 kpps; 99.6% at 16 kpps) with sub-millisecond per-packet latency. These results show that protocol-aware MQTT filtering can be efficiently realized in the programmable data plane, providing a practical foundation for edge IoT security. Future work will validate the design on production P4 hardware and integrate machine learning-based threshold adaptation.
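The screening path the abstract describes (bounds-checked Remaining Length decoding, KeepAlive screening on CONNECT, and session-order validation) modelled in Python as an added example; this is not the paper's P4 code, and the policy caps, sample packets and function names are assumptions made for illustration.

```python
# Added example (not from the paper): host-side model of the abstract's MQTT screening:
# bounds-checked Remaining Length decoding, KeepAlive screening on CONNECT, session order.
CONNECT = 1
KEEPALIVE_MAX = 3600   # constructed policy cap (seconds)
REMLEN_CAP = 1024      # constructed policy cap for edge payloads (bytes)
def decode_remaining_length(buf, pos=1):
    """Decode the MQTT varint Remaining Length at buf[pos] -> (value, body index)."""
    value, multiplier = 0, 1
    for i in range(4):                     # the spec allows at most 4 varint bytes
        if pos + i >= len(buf):
            raise ValueError("truncated Remaining Length")
        byte = buf[pos + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos + i + 1
        multiplier *= 128
    raise ValueError("Remaining Length exceeds 4 bytes")
def connect_keepalive(buf, body):
    """KeepAlive follows the protocol name, protocol level and connect flags."""
    name_len = int.from_bytes(buf[body:body + 2], "big")
    ka_off = body + 2 + name_len + 1 + 1
    return int.from_bytes(buf[ka_off:ka_off + 2], "big")

def screen_packet(pkt, connected):
    """Classify one packet; returns (verdict, connected_after)."""
    try:
        remlen, body = decode_remaining_length(pkt)
    except ValueError as e:
        return f"drop: {e}", connected
    if remlen > REMLEN_CAP or remlen != len(pkt) - body:
        return "drop: Remaining Length out of policy", connected
    if not connected:
        if pkt[0] >> 4 != CONNECT:
            return "drop: packet before CONNECT", False
        ka = connect_keepalive(pkt, body)
        if ka == 0 or ka > KEEPALIVE_MAX:   # anomalous KeepAlive -> diagnostics path
            return f"clone-to-cpu: KeepAlive {ka}", False
    return "forward", True
def screen_session(packets):
    """Run screen_packet over one client's ordered stream, tracking session state."""
    verdicts, connected = [], False
    for pkt in packets:
        verdict, connected = screen_packet(pkt, connected)
        verdicts.append(verdict)
    return verdicts

# Constructed samples: CONNECT (KeepAlive 60, client id "a"), PUBLISH a/b "hi", 5-byte varint
CONNECT_PKT = bytes([0x10, 0x0D, 0x00, 0x04]) + b"MQTT" + bytes([0x04, 0x02, 0x00, 0x3C, 0x00, 0x01]) + b"a"
PUBLISH_PKT = bytes([0x30, 0x07, 0x00, 0x03]) + b"a/b" + b"hi"
BAD_PKT = bytes([0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x01])
```

A PUBLISH arriving before CONNECT, a malformed Remaining Length, and a KeepAlive of 0 each take a different verdict, mirroring the drop versus clone-to-CPU split the abstract describes.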