Security-Aware Task Offloading in IoT Edge Networks Using Software-Defined Networking

Abstract

The rapid proliferation of Internet of Things (IoT) devices increases the demand for task offloading mechanisms that satisfy strict latency constraints while limiting security exposure in edge computing environments. This paper proposes a security-aware task offloading framework for IoT edge networks, using Software-Defined Networking (SDN) as a centralized control plane. The SDN controller combines real-time monitoring, threat-aware risk estimation, and a lightweight heuristic decision engine to assign tasks to heterogeneous edge nodes according to latency constraints, resource availability, and task security sensitivity. To avoid optimistic scalability assumptions, the evaluation explicitly models contention through load-dependent queueing delay at edge nodes and reduced effective bandwidth on shared links. Simulation results with realistic IoT task parameters and heterogeneous edge capacities show that the proposed framework achieves an average latency of approximately $125\pm 5$ ms, a task completion ratio (TCR) of about $92\pm 2$%, and a security success rate (SSR) near $95\pm 1.5$%, compared to the considered baselines. These results indicate that incorporating risk assessment into SDN-based offloading decisions can improve security-related outcomes while maintaining practical performance under contention. Limitations include the use of an analytical risk model and a single-controller SDN setting; future work will investigate multi-controller deployments, attack-trace-driven evaluation, and energy-aware extensions.

1. Introduction

The rapid proliferation of Internet of Things (IoT) devices has fundamentally transformed modern computing paradigms, enabling diverse applications in smart cities, industrial automation, healthcare systems, and autonomous transportation. These devices continuously generate large volumes of data that must be processed with low latency to support real-time decision making. Although cloud computing provides substantial computational and storage capabilities, exclusive reliance on remote cloud servers often results in increased communication delays and network congestion, which are unsuitable for latency-sensitive and mission-critical applications. Edge computing addresses these limitations by relocating computation closer to data sources, thereby reducing end-to-end latency and improving system responsiveness [1,2].

Despite its advantages, edge computing introduces several challenges related to task offloading, resource allocation, and security assurance. IoT devices are typically resource-constrained and highly heterogeneous, while edge nodes differ significantly in terms of computational capacity, connectivity, and trustworthiness. Offloading tasks without adequate consideration of security risks can expose sensitive data to cyberattacks and malicious entities. Conventional task offloading approaches primarily focus on minimizing latency or maximizing resource utilization, often neglecting security aspects, which leaves IoT edge environments vulnerable to various threats [3]. Furthermore, IoT networks are inherently dynamic, with fluctuating workloads, device mobility, and unpredictable traffic patterns, making it difficult to design offloading mechanisms that simultaneously ensure high performance and strong security guarantees.

Software-Defined Networking (SDN) introduces centralized control and global network visibility, enabling dynamic management of data flows and network resources. When integrated with edge computing, SDN facilitates intelligent task offloading decisions that jointly consider performance efficiency and security requirements. However, a significant research gap remains: relatively few studies address the joint optimization of latency and security in SDN-controlled IoT edge networks, and existing solutions are often evaluated under simplified assumptions or limited experimental settings. Addressing this gap is critical for building scalable, efficient, and secure IoT edge computing systems capable of operating under realistic network conditions [4,5].

Motivated by these challenges, this paper investigates security-aware task offloading in IoT edge networks using SDN-based control. Specifically, this study seeks to answer the following research questions:

• How can task offloading be optimized to achieve an effective balance between low latency and high security in heterogeneous IoT edge environments?
• What is the impact of incorporating security risk assessment into the offloading decision process on overall system performance and reliability?
• How can an SDN controller efficiently manage task distribution and network operations without incurring excessive computational overhead?
• How does the proposed framework perform under realistic IoT workloads and diverse network configurations compared to existing offloading strategies?

To address these questions, we propose a modular SDN-based security-aware task offloading framework that integrates real-time network monitoring, threat assessment, and a lightweight heuristic decision-making algorithm. The proposed approach is evaluated through extensive simulations, using realistic IoT workloads, heterogeneous edge devices, and dynamic network conditions. While recent research on IoT offloading and edge computing has increasingly adopted machine learning and deep reinforcement learning techniques, such approaches often incur substantial training and inference overhead, require large volumes of interaction data, and may be difficult to explain and tune in safety-critical environments. In contrast, the present work focuses on a lightweight heuristic strategy that can be executed by an SDN controller in real time, requires only current network and node state information, and yields decisions whose rationale is transparent in terms of latency and security risk components. This design choice emphasizes practical deployability and low control-plane cost in resource-constrained and highly dynamic IoT edge settings.

The main contributions of this work are summarized as follows:

• The design of an SDN-enabled security-aware task offloading framework that jointly optimizes latency, task completion rate, and security across IoT edge networks.
• The development of a heuristic offloading algorithm that considers task characteristics, edge node capabilities, and security risks to ensure efficient and secure task execution.
• A comprehensive performance evaluation using real-world IoT datasets and realistic network scenarios, demonstrating improvements in response time, security success rate, and task completion compared to latency-only and random offloading approaches.
• An analysis of SDN controller overhead and system scalability, confirming the feasibility of real-time deployment in large-scale IoT environments.
• Identification of open research challenges and future directions, including predictive offloading models, multi-controller SDN architectures, and energy-efficient offloading strategies.

The contribution of this work is primarily integrative. Rather than proposing a fundamentally new optimization paradigm, we bring together SDN-based centralized control, security risk modeling, and a lightweight heuristic offloading strategy within a unified framework and evaluate its effectiveness under realistic IoT workloads and heterogeneous edge resources.

The remainder of this paper is organized as follows. Section 2 reviews related work on IoT edge computing, SDN-based offloading, and security-aware task management. Section 3 presents the system model and problem formulation. Section 4 describes the proposed SDN-based security-aware offloading framework and its underlying algorithms. Section 5 reports the performance evaluation results, while Section 6 discusses the implications of the findings. Finally, Section 7 concludes the paper and outlines future research directions.

2. Related Work

Task offloading in Mobile Edge Computing (MEC) has attracted considerable research attention as a means of supporting resource-constrained IoT devices. Existing studies can be broadly categorized into three main classes: multi-objective optimization-based approaches, deep reinforcement learning (DRL)-based frameworks, and online task offloading strategies. These approaches aim to address challenges such as latency reduction, energy efficiency, and, in some cases, security enhancement. However, many existing solutions either neglect security considerations or lack centralized control mechanisms, such as Software-Defined Networking (SDN), which are essential for coordinated and security-aware decision making.

Peng et al. [6] proposed an optimization-based task offloading framework for smart city environments, referred to as MOCOSC. Their approach focuses on managing the heterogeneity and limited capacity of edge servers by jointly optimizing task execution delay, energy consumption, load balancing, and resource utilization. A multi-objective genetic algorithm (MOMBI) combined with multi-criteria decision making (MCDM) is employed to derive efficient offloading strategies for mobile devices. While the framework demonstrates notable performance improvements in terms of latency reduction and load distribution, it does not incorporate security considerations and operates without SDN-based centralized control, thus limiting its applicability in security-sensitive IoT scenarios.

Lu et al. [7] introduced a security-aware DRL-based task offloading framework that integrates data encryption to protect sensitive information during task transmission between IoT devices and edge servers. Their approach formulates the offloading decision process as a Markov Decision Process (MDP) and applies Proximal Policy Optimization (PPO) to determine whether tasks should be executed locally or offloaded. Experimental results show that the proposed method effectively reduces latency and energy consumption even under encrypted communication. Nevertheless, the framework relies on decentralized decision making at the device and edge levels and does not exploit SDN capabilities, making global security policy enforcement and network-wide monitoring more challenging.

Wu et al. [8] investigated task offloading in highly dynamic MEC environments characterized by variable task arrival patterns and heterogeneous user requirements. They model task arrivals using a Markovian Arrival Process (MAP) and propose an online task scheduling algorithm (Online-TS) based on DRL. The method supports differentiated service levels for regular and high-priority users and achieves lower average delay compared to offline scheduling approaches. However, similar to other DRL-based solutions, the approach does not utilize SDN for centralized coordination, and its security mechanisms are primarily limited to service differentiation rather than comprehensive threat assessment and risk-aware offloading.

In contrast to the aforementioned works, the approach proposed in this paper integrates SDN-based centralized control, security-aware task offloading, and real-time network monitoring within a unified framework. Unlike existing methods, the proposed solution (i) explicitly incorporates security risk metrics into the offloading decision process; (ii) leverages the global visibility of an SDN controller to enforce security policies; (iii) jointly optimizes latency, task completion rate, and security across heterogeneous IoT edge networks; (iv) is evaluated under realistic IoT workloads and dynamic network conditions. A comparative summary of representative MEC offloading approaches and the proposed framework is presented in

Table 1. Comparison of existing MEC offloading approaches with the proposed SDN-based framework.

Feature/Work	Reference [6] (MOCOSC)	Reference [7] (DRL with Encryption)	Reference [8] (Online-TS)	Proposed SDN-Based Framework
Optimization Goals	Latency, energy, load balancing, resource utilization	Latency, energy, security (encryption)	Latency, personalized security, adaptation to task arrivals	Latency, task completion rate, security, SDN resource management
Security Considerations	None	Encryption-based data protection	Differentiated security requirements	Centralized security risk assessment and policy enforcement
Control Mechanism	Distributed MEC-based control	Distributed DRL at device/edge level	Distributed DRL at device/edge level	Centralized SDN controller with modular monitoring and offloading engine
Adaptivity to Dynamic Workloads	Limited (static optimization)	Moderate (learning-based adaptation)	High (online scheduling with correlated arrivals)	High (heuristic offloading under realistic IoT dynamics)
Evaluation Scenarios	Smart city environments, varying device counts	Multiple devices and edge servers, encrypted traffic	Heterogeneous users, variable task arrival intensity	Heterogeneous IoT devices, realistic task loads, security-aware metrics
Methodology	Multi-objective genetic algorithm (MOMBI + MCDM)	DRL with PPO and MDP formulation	DRL-based online task scheduling with MAP modeling	Heuristic security-aware offloading with SDN control

.

Overall, the proposed approach should be viewed as a pragmatic integration and extension of existing ideas, including SDN-based control, security-aware task modeling, and heuristic offloading, into a coherent framework focused on the joint latency and security trade-off in IoT edge networks.

3. System Model and Problem Definition

This section presents the system model and formal definition of the security-aware task offloading problem addressed in this study. The objective is to translate the research questions into a precise technical framework that enables systematic analysis and evaluation. To this end, the architecture of an SDN-enabled IoT edge network is described, followed by models for task characteristics, computation and communication processes, and security risks. By explicitly capturing both performance-related and security-related factors, this section lays the foundation for the design of an SDN-driven offloading framework capable of balancing efficiency, robustness, and scalability under dynamic network conditions.

3.1. Network Architecture Model

An SDN-enabled IoT edge computing environment is composed of three logical layers: the IoT device layer, the edge computing layer, and the centralized network control layer. The IoT device layer consists of heterogeneous and resource-constrained devices that generate computationally intensive tasks with strict latency requirements. Due to limited processing capabilities and energy constraints, these devices rely on task offloading to nearby edge nodes for timely execution.

The edge computing layer comprises multiple edge nodes deployed in close proximity to IoT devices, providing computational and storage resources to support low-latency services. However, edge nodes are often exposed to open network environments and are therefore vulnerable to various security threats, including resource exhaustion attacks, malicious task execution, and network-level attacks that may degrade service quality and disrupt offloading operations [9].

A logically centralized SDN controller manages the network to enable coordinated control and security-aware decision making. The controller maintains a global view of the network topology, traffic conditions, and edge node states, and dynamically programs forwarding devices through standard SDN interfaces. This centralized control plane enables the enforcement of adaptive offloading and security policies that are difficult to realize in traditional distributed network architectures.

In this study, IoT devices are assumed to be static or to exhibit low mobility during each simulation episode, and a single logically centralized SDN controller manages the network. These assumptions simplify the analysis of latency and security trade-offs and isolate the impact of security-aware offloading from mobility-induced handovers and inter-controller synchronization effects.

The overall SDN-enabled IoT edge architecture, including IoT devices, SDN switches, edge nodes, and the centralized SDN controller, is illustrated in Figure 1.

3.2. Task and Computation Model

Each IoT device generates a set of independent computation tasks that can be executed either locally or offloaded to an edge node. A task is characterized by its input data size, required number of Central Processing Unit (CPU) cycles, latency constraint, and security sensitivity. The security sensitivity parameter reflects the level of protection required during task transmission and execution, as different IoT applications exhibit varying tolerance to security risks [10].

When a task is offloaded to an edge node, the total execution latency consists of the transmission delay between the IoT device and the selected edge node, the computation delay at the edge node, and any additional queuing or control delay introduced by SDN-based traffic management. Unlike conventional offloading models that focus solely on minimizing latency or energy consumption, the proposed task model explicitly incorporates security sensitivity, enabling offloading decisions that jointly consider performance and risk exposure.

For clarity and reproducibility, the notation and parameters used in the task and system model are summarized in

Table 2. Notation and description of task and system model parameters.

Symbol	Description
I	Set of IoT devices
E	Set of available edge nodes
$D_i$	Input data size of task generated by device i
$C_i$	Required CPU cycles of task i
$T_i^{max}$	Latency constraint of task i
$S_i$	Security sensitivity level of task i
$x_{i,e}$	Binary offloading decision variable for task i to edge node e
$L_{i,e}$	Total execution latency of task i on edge node e
$R_{i,e}$	Security risk metric for assigning task i to edge node e
$\alpha ,\beta$	Weighting factors for latency and security risk

.

3.3. Contention and Bottleneck Modeling

In practical IoT edge environments, many devices may offload tasks concurrently to the same edge node and traverse shared access and aggregation links. As a result, the end-to-end delay is not only determined by transmission and service times, but also by contention effects, including queueing at edge servers and congestion on shared links. Ignoring contention can lead to overly optimistic scalability claims and can mask the true source of deadline misses under high load.

To capture these effects while keeping the model lightweight, we explicitly include a load-dependent waiting-time term at each edge node. For a task i assigned to node j, the latency model is:

$$L_{i,j}={\displaystyle \frac{D_i}{B_{i,j}^{\mathrm{eff}}}}+{\displaystyle \frac{C_i}{f_j}}+W_j\left({\rho }_j\right)+{\delta }_j+{\displaystyle \frac{{\theta }_i}{f_j}},$$

(1)

where $B_{i,j}^{\mathrm{eff}}$ is the effective bandwidth seen by the task on the path to node j (reduced under link contention), $W_j\left({\rho }_j\right)$ is the queueing delay, ${\rho }_j$ is the node utilization, ${\delta }_j$ captures SDN-related control delay, and ${\theta }_i$ is the encryption overhead in CPU cycles.

We use a simple queue-inspired approximation for waiting time, consistent with contention-aware performance prediction in IoT and queue-based offloading studies [11,12]:

$$W_j\left({\rho }_j\right)=\left\{\begin{array}{cc}{\displaystyle \frac{\eta }{1-{\rho }_j}},\hfill & 0\le {\rho }_j<1,\hfill \\ W_{max},\hfill & {\rho }_j\ge 1,\hfill \end{array}\right.$$

(2)

where $\eta$ is a scaling factor and $W_{max}$ prevents numerical divergence. In the simulator, ${\rho }_j$ is computed from the currently assigned workload in each scheduling window, so $W_j\left({\rho }_j\right)$ increases naturally as more tasks contend for the same edge resources.

This contention-aware modeling enables the SDN controller to identify bottlenecks (edge CPU queueing versus shared-link congestion) and avoid allocations that would lead to excessive waiting time, improving scalability under realistic multi-device loads.

3.4. SDN-Based Monitoring and Threat Model

The SDN controller continuously collects network traffic statistics, flow-level information, and edge node resource states by querying programmable data-plane devices. By analyzing traffic patterns and resource utilization, the controller can detect abnormal behaviors such as sudden traffic surges, excessive packet loss, or persistent congestion, which may indicate ongoing attacks or compromised nodes. This global visibility enables the controller to dynamically adjust forwarding rules and task offloading decisions in response to detected threats [13].

The threat model considered in this work includes network-level attacks such as distributed denial-of-service (DDoS) attacks targeting edge nodes or communication links, compromised edge nodes that may manipulate or drop offloaded tasks, and malicious IoT devices attempting to overload edge resources. The SDN controller is assumed to be trusted and protected using standard isolation and authentication mechanisms, consistent with common assumptions in SDN security literature [14]. Integrating threat awareness into the offloading process allows the system to actively mitigate attacks while maintaining acceptable service performance.

The workflow of SDN-based monitoring, threat detection, and security-aware task offloading is depicted in Figure 2.

3.5. Problem Definition

Based on the system model described above, the security-aware task offloading problem is defined as selecting appropriate execution locations for IoT-generated tasks such that performance objectives are satisfied while security risks are minimized. Let I denote the set of IoT devices and E denote the set of available edge nodes. For each task generated by device $i\in I$, a binary decision variable $x_{i,e}$ is defined, where $x_{i,e}=1$ if the task is assigned to edge node $e\in E$, and $x_{i,e}=0$ otherwise.

The total execution latency of task i offloaded to edge node e is modeled as the sum of transmission delay, computation delay, and SDN-induced control delay, which depend on available bandwidth, processing capacity, and current network conditions. To capture security considerations, a security risk metric $R_{i,e}$ is associated with each potential task–edge assignment, reflecting the likelihood of attack or compromise as estimated by the SDN controller through continuous monitoring.

The objective is to minimize a weighted combination of execution latency and security risk across all tasks, subject to latency constraints, edge resource capacity constraints, and task security requirements. The optimization problem can be expressed as:

$$min\sum _{i\in I}\sum _{e\in E}{x}_{i,e}\left(\alpha L_{i,e}+\beta R_{i,e}\right),$$

(3)

where $\alpha$ and $\beta$ control the relative importance of performance efficiency and security. The highly dynamic nature of IoT workloads, fluctuating network conditions, and evolving threat patterns make this optimization problem computationally challenging to solve optimally in real time.

3.6. Motivation and Research Gap Formalization

Although extensive research has been conducted on task offloading and SDN-based security mechanisms independently, the above formulation reveals a fundamental limitation of existing approaches. Most offloading strategies do not incorporate security as a real-time decision context, while SDN-based security solutions typically operate at the traffic level without considering computation placement. Moreover, the combined impact of security-aware offloading on system performance under realistic and dynamic attack scenarios remains insufficiently explored [15].

These limitations motivate the development of an SDN-driven security-aware offloading framework that jointly addresses performance optimization, threat mitigation, and scalability. The proposed framework, presented in the following sections, aims to bridge this gap by integrating security risk assessment directly into the task offloading decision process.

4. SDN-Based Security-Aware Offloading Framework

This section presents a novel SDN-based security-aware task offloading framework for IoT edge networks. The proposed framework integrates centralized SDN control, task offloading decision making, and continuous security threat monitoring to jointly optimize system performance and reliability. By leveraging the global network view of the SDN controller, computation tasks are dynamically distributed among edge nodes according to latency requirements, security sensitivity, and resource availability. The incorporation of security awareness into the offloading process addresses key limitations of existing approaches and enables scalable operation in heterogeneous IoT environments.

4.1. Framework Architecture

The proposed framework consists of three tightly coupled modules operating within the SDN controller: the Monitoring Module, the Threat Assessment Module, and the Offloading Decision Engine. The Monitoring Module continuously collects real-time network statistics, flow-level information, and edge node status, enabling accurate tracking of resource utilization and detection of abnormal behavior. The Threat Assessment Module evaluates the security risk of each edge node by analyzing abnormal traffic patterns, historical reliability, and known attack signatures. Based on this information, the Offloading Decision Engine determines suitable execution locations for incoming tasks by jointly considering latency constraints, computational requirements, and security sensitivity.

Edge nodes execute tasks assigned by the SDN controller and periodically report their status. Offloading decisions are enforced through programmable SDN switches, allowing traffic to be routed along secure and efficient paths. The overall framework architecture and module interactions are illustrated in Figure 3.

4.2. Security-Aware Offloading Algorithm

Task offloading is formulated as a multi-objective optimization problem that balances execution latency and security risk. Rather than pursuing computationally expensive optimal or learning-based solutions, this work adopts a lightweight heuristic decision strategy designed for real-time SDN-controlled environments. The contribution lies in integrating security risk assessment, global SDN visibility, and resource-aware decision making into a unified offloading framework, rather than in proposing a new heuristic optimization technique. Let I denote the set of IoT devices, E the set of edge nodes, $L_{i,e}$ the estimated latency of task i executed on node e, and $R_{i,e}$ the corresponding security risk. The objective function is given by:

$$min\sum _{i\in I}\sum _{e\in E}{x}_{i,e}\left(\alpha L_{i,e}+\beta R_{i,e}\right),$$

(4)

where $x_{i,e}\in \{0,1\}$ denotes the offloading decision variable, and $\alpha$ and $\beta$ control the trade-off between latency and security.

To enable real-time operation, a lightweight heuristic algorithm is employed. For each task, available edge nodes are ranked according to a combined latency and security score, and the task is assigned to the best feasible node. The procedure is summarized in Algorithm 1.

Algorithm 1 Security-Aware Task Offloading

Input: Set of IoT tasks $T=\{T_1,T_2,\dots ,T_m\}$; set of edge nodes $E=\{e_1,e_2,\dots ,e_k\}$; task parameters $\{D_i,C_i,T_i^{max},S_i\}$. Output: Optimal task assignment matrix $X=\left[x_{i,e}\right]$ balancing latency and security constraints. Step 1: For each task $T_i\in T$: Step 1.a: Score Computation Phase: For each edge node $e\in E$: Estimate execution latency: $$L_{i,e}={\displaystyle \frac{D_i}{B_{i,e}^{\mathrm{eff}}}}+{\displaystyle \frac{C_i}{f_e}}+W_e\left({\rho }_e\right)+{\delta }_e$$ Evaluate security risk $R_{i,e}$ using the Threat Assessment Module. Compute combined latency and security score: $$S_{i,e}=\alpha L_{i,e}+\beta R_{i,e}$$ Step 1.b: Offloading Decision Phase: Sort edge nodes in ascending order of $S_{i,e}$. Assign task $T_i$ to the first edge node satisfying latency, security, and resource constraints. Update edge node resource availability. Step 2: Repeat Step 1 until all tasks are assigned and matrix X is fully populated.

In the current implementation, Algorithm 1 is executed in a batch-based, event-driven manner. Incoming tasks are collected during a short scheduling window (e.g., 50 to 100 ms), and the algorithm is triggered at the end of each window to assign all pending tasks to edge nodes based on the latest monitoring and risk information. This design avoids the overhead of running the algorithm for every single task arrival while still reacting promptly to changes in workload and network state.

4.3. Mathematical Modeling of Security Risk

Each task ${\tau }_i$ is characterized by data size $D_i$, computational requirement $C_i$, and sensitivity factor ${\alpha }_i$. Edge node j has processing capacity $f_j$, available bandwidth $B_{i,j}$, and vulnerability index ${\beta }_j\in [0,1]$. The security risk of executing task ${\tau }_i$ on node j is defined as:

$$S_{i,j}=P_{\mathrm{attack},i,j}·\left(1-P_{\mathrm{encryption},i}\right),$$

(5)

where

$$P_{\mathrm{attack},i,j}=1-e^{-{\alpha }_i{\beta }_j},P_{\mathrm{encryption},i}=1-e^{-{\gamma }_i}.$$

(6)

Thus,

$$S_{i,j}=\left(1-e^{-{\alpha }_i{\beta }_j}\right)e^{-{\gamma }_i}.$$

(7)

The aggregate network security risk is:

$$S_{\mathrm{total}}=\sum _{i\in I}\sum _{j\in E}{x}_{i,j}{S}_{i,j}.$$

(8)

In this study, the task sensitivity level $S_i$ is modeled as an ordinal variable taking integer values in $\{1,\dots ,5\}$, where larger values indicate higher protection requirements. The corresponding sensitivity factor ${\alpha }_i$ used in the risk model is obtained via a simple monotonic mapping (e.g., ${\alpha }_i=0.2S_i$), which ensures that more sensitive tasks contribute more strongly to the risk term without implying a strict linear notion of “twice as risky.” Similarly, node vulnerability indices ${\beta }_j\in [0,1]$ represent relative susceptibility to compromise, for example, based on historical reliability, patching level, or exposure to external networks. The combination of ${\alpha }_i$ and ${\beta }_j$ in the exponential form of the risk model yields a non-linear increase in risk with sensitivity and vulnerability, avoiding the assumption that a task with level 10 is exactly twice as risky as one with level 5. The continuous monitoring process is implemented using periodic polling of flow statistics and edge-node status at fixed intervals (every 100 ms), and the resulting traffic is included in the total SDN control messages M used to compute the controller overhead metric. Thus, the reported controller overhead reflects both monitoring traffic and messages used to install or update flow rules.

4.4. Latency and Security-Constrained Optimization

The combined latency and security optimization problem is formulated as:

$$\underset{x_{i,j}}{min}\lambda \sum _{i\in I}{L}_i+(1-\lambda )S_{\mathrm{total}},$$

(9)

subject to:

$$\begin{array}{cc}\hfill \sum _{j\in E}{x}_{i,j}& =1,\forall i\in I,\hfill \end{array}$$

(10)

$$\begin{array}{cc}\hfill \sum _{i\in I}{x}_{i,j}{C}_i& \le C_j^{max},\forall j\in E,\hfill \end{array}$$

(11)

$$\begin{array}{cc}\hfill x_{i,j}& \in \{0,1\}.\hfill \end{array}$$

(12)

The expected latency for offloaded tasks includes encryption overhead:

$$L_i={\displaystyle \frac{D_i}{B_{i,j}}}+{\displaystyle \frac{C_i}{f_j}}+W_j\left(n_j\right)+{\displaystyle \frac{{\theta }_i}{f_j}},$$

(13)

Here, $W_j\left(n_j\right)$ represents a load-dependent waiting time that captures contention effects at edge node j, where $n_j$ denotes the number of tasks concurrently assigned to the node. This term increases as resource contention grows and models queueing delay in a simplified manner, consistent with recent contention-aware MEC studies [16,17].

4.5. Computational Complexity Analysis

The offloading problem is combinatorial with solution space $\mathrm{\Omega }={\left|E\right|}^{\left|I\right|}$, resulting in exponential complexity $O\left(\right|E{|}^{\left|I\right|})$ for exact solutions. The proposed heuristic computes scores for each task–node pair and performs iterative refinements, yielding polynomial complexity:

$$O\left(\right|I|·|E|+k),$$

(14)

where k is the number of refinement iterations. This reduction enables real-time SDN-based offloading even in large-scale IoT deployments [18]. Because the heuristic recomputes assignments periodically from the latest network state rather than maintaining long-lived policies, it can adapt to moderate fluctuations in workload and link conditions. Extremely rapid, large-scale changes in traffic patterns or node availability may require shorter scheduling windows or further algorithmic refinements, which we identify as future work.

4.6. Evaluation Metrics

Performance evaluation is based on the metrics summarized in

Table 3. Performance and security evaluation metrics.

Metric	Symbol	Definition	Description
Average latency	$\overline{L}$	${\displaystyle \frac{1}{\left|I\right|}}{\sum }_i{L}_i$	Mean execution time per task
Task completion ratio	TCR	${\displaystyle \frac{1}{\left|I\right|}}{\sum }_{i}1(L_i\le T_i^{max})$	Fraction of tasks meeting deadlines
Security success rate	SSR	${\displaystyle \frac{1}{\left|I\right|}}{\sum }_i(1-S_i)$	Probability of secure execution
Total energy	$E_{\mathrm{total}}$	${\sum }_i(E_i^{\mathrm{tx}}+E_i^{\mathrm{proc}}+E_i^{\mathrm{enc}})$	Energy consumption
Controller overhead	$O_C$	$M/\left|I\right|$	SDN control messages per task

.

Here, $\left|I\right|$ denotes the total number of tasks generated during the simulation horizon; a single IoT device may generate multiple tasks over time, so the metric reflects the average number of control messages per task rather than per physical device.

4.7. Addressing Research Questions with the SDN Framework

The proposed SDN-based framework directly addresses the research questions by integrating real-time threat assessment into task offloading decisions. It achieves low latency, robust security, and scalable operation through centralized control and lightweight heuristics. The framework enables systematic evaluation of performance–security trade-offs under realistic IoT workloads, as demonstrated in the subsequent simulation results [19,20].

5. Performance Evaluation and Results

This section presents a comprehensive performance evaluation of the proposed SDN-based security-aware task offloading framework for IoT edge networks. The objective is to demonstrate the effectiveness of the framework in jointly managing task latency, security performance, and SDN controller efficiency under realistic and dynamic IoT workloads.

5.1. Simulation Setup

All experiments were conducted using Python 3.10. An event-driven simulation environment was implemented using SimPy (Version 4.0.1, SimPy Developers—Open Source Community), while NetworkX (Version 3.2.1, Python Software Foundation, Wilmington, NC, USA) was employed for network topology modeling and Matplotlib (Version 3.7.1, NumFOCUS, Austin, TX, USA) for result visualization. The offloading heuristic and security risk computations were implemented using NumPy (Version 1.26.4, NumFOCUS, Austin, USA) and SciPy (Version 1.11.4, NumFOCUS, Austin, USA). Simulations were executed on a system equipped with an Intel Core i9 processor, 32 GB of RAM, and Ubuntu 22.04, ensuring stable and reproducible results.

The network topology is generated using NetworkX as a two-tier structure in which IoT devices connect to access switches, which in turn connect to edge nodes and upstream aggregation switches. Unless otherwise stated, we use a random geometric graph for the access layer to emulate spatially distributed IoT devices and a small, fixed core connecting the edge nodes and the SDN controller. The same class of topology is used across all experiments to ensure comparability, and all generation parameters (e.g., node density and connection radius) are kept constant unless explicitly varied.

Task workloads were synthetically generated based on the IoTEdgeSim dataset [21] and recent edge computing benchmarks [22]. Each task is characterized by an input data size ranging from 50 KB to 500 KB, required CPU cycles between $1\times {10}^6$ and $5\times {10}^6$, latency constraints from 50 ms to 200 ms, and security sensitivity levels from 1 (low) to 5 (high). Network parameters, including bandwidth (5–50 Mbps), propagation delay (5–20 ms), and packet loss probability (0.5 to 2%), were sampled from realistic distributions to reflect practical IoT communication conditions.

The simulated network consists of 100 IoT devices and three heterogeneous edge nodes with computational capacities of 2.5, 3.0, and 3.5 GHz, respectively. Each simulation scenario was repeated ten times to account for stochastic variations.

The scheduling window length, and thus the frequency of Algorithm 1 execution, is configured to 100 ms in the simulations, which provides a trade-off between responsiveness and control-plane overhead. Controller CPU utilization results in Section 5.5 show that this configuration keeps the average overhead below 20% while preserving stable latency and task completion performance.

To evaluate scalability, additional experiments were conducted by varying the number of edge nodes from 3 to 10 and increasing the number of IoT devices up to 300. These scenarios aim to assess SDN controller overhead, latency stability, and task completion performance under higher network density and increased resource contention. These scalability experiments allow us to observe how average latency, TCR, SSR, and controller overhead evolve as both the number of tasks and the number of edge nodes increase. The main simulation parameters are summarized in

Table 4. Main simulation parameters used in the performance evaluation.

Parameter	Value/Range
Number of IoT devices	100 (up to 300 in scalability tests)
Number of edge nodes	3 (3–10 in scalability tests)
Edge CPU capacities	2.5, 3.0, 3.5 GHz
Task input data size	50–500 KB
Task CPU cycles	$1\times {10}^6$–$5\times {10}^6$ cycles
Task latency constraints	50–200 ms
Security sensitivity level	1 (low) to 5 (high)
Link bandwidth	5–50 Mbps
Propagation delay	5–20 ms
Packet loss probability	0.5–2%
Simulation repetitions	10 runs per scenario
Controller CPU/memory	Intel Core i9, 32 GB RAM host system

to provide a concise overview of the experimental setup.

Unless stated otherwise, the weighting factors in the objective function are set to $\alpha =0.7$ and $\beta =0.3$, placing slightly higher emphasis on latency than on security risk. The security model parameters are chosen as follows: the sensitivity factor ${\alpha }_i$ is mapped from the discrete security sensitivity level $S_i\in \{1,\dots ,5\}$ by setting ${\alpha }_i=0.2S_i$, the vulnerability index ${\beta }_j$ for each edge node is drawn uniformly from $[0.1,0.9]$, and the encryption-related parameter ${\gamma }_i$ is fixed to 0.7 for all tasks unless specified otherwise. Task arrivals follow a Poisson process with a rate of $\lambda =20$ tasks per second, which is truncated to match the finite simulation horizon, and we simulate 200 s of virtual time with the first 20 s treated as warm-up and excluded from metrics. All random experiments are repeated with 10 different seeds, and results are reported as the mean and standard deviation across these runs. The chosen mappings from sensitivity levels to model parameters are intended to reflect an ordering of risk rather than an exact ratio scale; that is, higher levels induce higher risk contributions, but we do not assume that a level-4 task is exactly twice as risky as a level-2 task. More sophisticated calibration based on empirical threat data is left for future work.

In this study, we focus on a single representative class of edge and access topologies rather than exploring multiple topology types. The heuristic offloading algorithm itself depends only on the instantaneous connectivity and resource states (latency and bandwidth estimates, node capacities, and risk scores) and is therefore agnostic to the specific topology generation method, as long as these parameters can be measured or estimated. Nevertheless, different topological structures could affect path lengths and congestion patterns and thus indirectly influence observed latency and controller overhead; a systematic evaluation across multiple topology families is left for future work.

5.2. Baseline Methods and Evaluation Metrics

The proposed framework is compared against the following baseline offloading strategies:

• Latency-only offloading: Tasks are assigned to minimize execution latency without considering security risk or threat exposure.
• Random offloading: Tasks are randomly assigned to available edge nodes without performance or security awareness.
• Queue-aware heuristic offloading: Tasks are assigned using a load-aware heuristic in which execution delay increases as more tasks contend for the same edge resources, following a dynamic waiting-time model inspired by queueing-based MEC studies [16,17].
• Learning-based benchmark (PPO-inspired): To position the proposed framework relative to state-of-the-art DRL-based approaches, we include a benchmark inspired by PPO-based task offloading strategies reported in recent literature. This benchmark is used as a qualitative reference: we adopt reported performance trends and map them to our simulation settings rather than re-implementing the full DRL algorithm. Consequently, the comparison to DRL-based methods is indicative rather than strictly quantitative, and implementing complete DRL baselines is left as future work.

Among policy-gradient DRL methods, Proximal Policy Optimization (PPO) is widely adopted because it stabilizes training via constrained (clipped) policy updates while remaining relatively simple to implement and tune compared to trust-region methods. This makes PPO a common baseline for continuous-control and networking/control problems where the action space is large and the environment is stochastic. Beyond task offloading, PPO has been used in robotics and control as well as in communications/network protocol design; for example, Miuccio et al. employed multi-agent reinforcement learning with PPO-style policy optimization to enable automated wireless MAC protocol emergence and generalization [23,24]. We therefore use PPO-inspired learning behavior as a representative DRL reference point when discussing the gap between lightweight heuristics and learning-based approaches.

Performance evaluation focuses on average task latency, task completion ratio, security success rate, and SDN controller resource utilization, as defined in Section 4.

5.3. Performance Comparison

Table 5. Comparison of performance metrics for the proposed SDN-based framework and baseline offloading strategies.

Metric	Proposed Framework	Latency-Only Offloading	Random Offloading	Queue-Aware Heuristic
Average latency (ms)	$125\pm 5$	$118\pm 6$	$220\pm 15$	$135\pm 7$
Task completion ratio (%)	$92\pm 2$	$88\pm 3$	$70\pm 5$	$90\pm 3$
Security success rate (%)	$96\pm 1.5$	$65\pm 4$	$55\pm 6$	$78\pm 4$
Controller CPU utilization (%)	$18\pm 2$	$15\pm 2$	$10\pm 1$	$17\pm 2$

summarizes the performance comparison between the proposed framework and baseline approaches.

The proposed framework achieves an average task latency of approximately $125\pm 5$ ms, which is slightly higher than the latency-only approach due to the inclusion of security checks, but significantly lower than the random offloading strategy. Despite this modest latency increase, the task completion ratio remains high at $92\pm 2$%, outperforming both baseline methods. These results indicate that incorporating security awareness does not compromise system reliability.

5.4. Security Performance Analysis

Figure 4 illustrates the average task latency across different offloading strategies. The proposed framework closely approaches the optimal latency achieved by the latency-only method while maintaining enhanced security guarantees.

Security performance under varying task loads is shown in Figure 5. As the number of concurrent tasks increases, contention effects become dominant: queueing at edge nodes and reduced effective bandwidth on shared links increase waiting time and deadline misses. This phenomenon is explicitly modeled in our simulator through the load-dependent waiting-time term $W_j\left({\rho }_j\right)$ and the effective bandwidth $B_{i,j}^{\mathrm{eff}}$ (Section 3.3). Consequently, the observed degradation trend under higher load reflects realistic contention rather than an assumption of fixed service times [11,12].

To identify the primary bottleneck, we track (i) the fraction of latency contributed by queueing delay $W_j\left({\rho }_j\right)$ and (ii) the fraction contributed by transmission time $D_i/B_{i,j}^{\mathrm{eff}}$. Under light load, transmission and service times dominate; under heavy load, queueing becomes the main contributor for the most-utilized edge node(s). This bottleneck behavior and the importance of contention-aware prediction are consistent with prior IoT contention analysis and queue-aware offloading studies [11,12]. The SDN controller mitigates this effect by redistributing tasks away from nodes with high ${\rho }_j$ and away from congested paths when alternative routes are available.

It is important to note that the reported security success rates are derived from the proposed analytical risk model, where risk is quantified as a function of task sensitivity, node vulnerability, and encryption parameters, rather than from explicit attack traces or emulated adversarial traffic. As a result, the absolute values of the security metrics depend on the modeling assumptions, and the present study focuses on comparing relative trends between offloading strategies under a consistent risk formulation.

5.5. SDN Controller Overhead

The additional overhead introduced by the proposed framework is modest. SDN controller CPU utilization remains below $20\%$, and memory consumption is maintained at approximately 450 MB. Although slightly higher than baseline methods, these values demonstrate that the heuristic offloading algorithm is computationally efficient and scalable, enabling real-time decision making in large IoT deployments [25]. Scalability results indicate that as the number of edge nodes increases, the SDN controller maintains stable CPU utilization below 25%, while average task latency decreases due to improved load distribution. These findings confirm that the centralized SDN-based control remains feasible under higher node density and supports scalable operation in large-scale IoT environments. To more explicitly capture the trade-off between performance and computational overhead, we define a simple hybrid metric that combines latency and controller utilization:

$$\mathrm{Latency}-\mathrm{Overhead}\mathrm{Index}=\overline{L}\times {\mathrm{CPU}}_{\mathrm{ctrl}},$$

(15)

where $\overline{L}$ denotes the average task latency and ${\mathrm{CPU}}_{\mathrm{ctrl}}$ is the average SDN controller CPU utilization (in normalized form). Lower values indicate better combined performance and overhead. Under this metric, the proposed framework achieves a Latency–Overhead Index that is only slightly higher than the latency-only scheme, while being substantially lower than random offloading and comparable to the queue-aware heuristic. This confirms that the security and reliability gains of our approach are obtained at a modest additional computational cost, in line with security–complexity trade-offs discussed in related work.

5.6. Discussion

Overall, the simulation results demonstrate that the proposed SDN-based security-aware offloading framework significantly enhances the robustness of IoT edge networks. By integrating real-time threat assessment into task offloading, sensitive tasks are executed securely with minimal latency overhead. Compared to latency-only and random offloading, the framework achieves higher security success rates by roughly 30 percentage points in the experiments, while preserving comparable latency and task completion. These gains are obtained under the adopted probabilistic risk model and the considered baselines. The results under increased scale indicate that the framework maintains stable latency and task completion performance while keeping controller CPU utilization below 25%, suggesting that the heuristic remains viable at the tested larger scales.

6. Discussion and Insights

The results from Section 5 show that our SDN-based security-aware offloading system strikes a good balance between speed, reliability, and security for different kinds of IoT edge networks. On average, tasks take about $125\pm 5$ ms (see Table 5 and Figure 4), which is close to the best possible times and only slightly slower than a setup that just focuses on low latency. This slight increase is because highly sensitive tasks are sent to trusted edge nodes, which might not always be the closest or fastest, but ensure security without significantly degrading performance.

The security success rate remains above $95\pm 1.5\%$ across different task loads (see Figure 5), demonstrating the system’s ability to mitigate threats in IoT networks effectively. By integrating real-time monitoring, threat assessment, and intelligent offloading decisions, the SDN controller can detect risky nodes and prevent tasks from being executed on untrusted devices. Compared to latency-only or random offloading methods, which achieve around $65\pm 4\%$ and $55\pm 6\%$ success rates, respectively, our framework improves security performance by over 30% [26,27].

Task completion and SDN controller workload metrics also indicate robust performance. Even with varying workloads and high task arrival rates, more than $92\pm 2\%$ of tasks are completed successfully. Incorporating security measures does not compromise quality of service (QoS). Controller CPU and memory utilization remain moderate ($18\pm 2\%$ CPU and $450\pm 10$ MB memory), confirming that the framework is scalable and suitable for real-time operation in large-scale IoT networks [28,29].

The study also provides insights for practical IoT edge network design. First, SDN allows centralized visibility and control, enabling monitoring of nodes and dynamic adjustment of security policies. Second, the modular controller design, comprising monitoring, threat assessment, and offloading decision modules, facilitates the addition of new security measures or optimization goals without extensive system redesign. Third, the framework performs reliably under dynamic workloads and changing network conditions, making it suitable for the unpredictable nature of IoT environments [30].

In practical IoT edge environments, multiple devices may simultaneously offload tasks to the same edge node, leading to resource contention and increased execution delay. While early offloading models often assume fixed execution times, recent studies demonstrate that modeling execution latency as a function of system load yields more realistic performance evaluation.

By incorporating a load-dependent waiting time into the latency model, the proposed framework partially captures contention effects without sacrificing computational efficiency. The centralized SDN controller further mitigates congestion by dynamically redistributing tasks away from overloaded or high-risk nodes. Future extensions may adopt more detailed stochastic queueing models or probabilistic execution-time distributions to further enhance realism. Similar contention-aware modeling approaches have been shown to improve realism and decision accuracy in MEC and IoT edge environments [16,17].

Finally, these findings highlight the feasibility and benefits of optimizing both latency and security simultaneously in SDN-enabled IoT edge networks. The proposed approach addresses gaps in prior research, such as limited security-aware task handling and insufficient evaluation of controller overhead under realistic workloads. These insights can guide the design of next-generation IoT edge systems that need to be fast, reliable, and secure at the same time.

Despite its promising results, the proposed framework has several limitations. First, the security model is assumption-driven and probabilistic: security risk is estimated from task sensitivity, node vulnerability, and encryption factors, and explicit attack scenarios or adversarial traces are not emulated. Second, the evaluation scale, while including up to 300 devices and 10 edge nodes, remains moderate relative to very large IoT deployments, and the baselines consist of heuristic and simplified schemes plus a qualitative DRL benchmark rather than fully implemented state-of-the-art learning-based methods. Third, the SDN controller is assumed to be fully trusted and protected using standard isolation and authentication mechanisms, and attacks targeting the control plane itself are out of scope. Finally, the behavior of the framework may be sensitive to the choice of model parameters such as the latency and security weighting factors and risk coefficients; a systematic parameter sensitivity and robustness analysis is left for future work.

7. Conclusions and Future Work

This paper presented an SDN-based security-aware task offloading framework for IoT edge networks that integrates real-time monitoring, threat-informed risk estimation, and a lightweight heuristic decision strategy. The proposed model captures the joint impact of execution latency and security risk on offloading decisions and enables centralized task allocation across heterogeneous edge nodes. Simulation results based on synthetic workloads derived from IoT edge benchmarks show that the framework can achieve average delays on the order of $125\pm 5$ ms, task completion ratios above $92\pm 2$%, and security success rates exceeding $95\pm 1.5$% under the considered baselines and risk model. These findings suggest that it is possible to incorporate security awareness into SDN-based offloading mechanisms without incurring prohibitive performance penalties. Future work will extend the framework to multi-controller SDN architectures and high-mobility scenarios, investigate explicit attack emulation and more detailed threat models, and integrate energy consumption and parameter sensitivity analysis into the decision process.