Authentication Handover and Privacy Protection in 5G HetNets Using Software-Defined Networking

SECURITY AND PRIVACY IN EMERGING NETWORKS

Xiaoyu Duan and Xianbin

IEEE Communications Magazine • April 2015

ABSTRACT

Recently, densified small cell deployment with overlay coverage through coexisting heterogeneous networks has emerged as a viable solution for 5G mobile networks. However, this multi-tier architecture along with stringent latency requirements in 5G brings new challenges in security provisioning due to the potential frequent handovers and authentications in 5G small cells and HetNets. In this article, we review related studies and introduce SDN into 5G as a platform to enable efficient authentication handover and privacy protection. Our objective is to simplify authentication handover by global management of 5G HetNets through sharing of user-dependent security context information among related access points. We demonstrate that SDN-enabled security solutions are highly efficient through its centralized control capability, which is essential for delay-constrained 5G communications.

INTRODUCTION

Over the past few years, anywhere, anytime wireless connectivity has gradually become a reality and has resulted in remarkably increased mobile traffic. Mobile data traffic from prevailing smart terminals, multimedia-intensive social applications, video streaming, and cloud services is predicted to grow at a compound annual growth rate of 61 percent before 2018, and is expected to outgrow the capabilities of the current fourth generation (4G) and Long Term Evolution (LTE) infrastructure by 2020 [1]. This explosive growth of data traffic and shortage of spectrum have necessitated intensive research and development efforts on 5G mobile networks. However, the relatively narrow usable frequency bands between several hundred megahertz and a few gigahertz have been almost fully occupied by a variety of licensed or unlicensed networks, including 2G, 3G, LTE, LTE-Advanced (LTE-A), and Wi-Fi. Although dynamic spectrum allocation could provide some improvement, the only way to find enough new bandwidth for 5G is to explore idle spectrum in the millimeter-wave range of 30~300 GHz [2].

NETWORK ARCHITECTURE OF 5G

Due to the poor signal propagation characteristics at extremely high frequencies, future 5G networks will be heterogeneous with small cell deployment and overlay coverage, as shown in Fig. 1. Cellular networks operating at low frequencies (e.g., 2G, 3G, LTE, LTE-A) could provide wide area coverage, mobility support, and control, while small cells operating at higher frequencies guarantee high data rates in the area of spectral and energy efficiency.

This heterogeneous paradigm with multi-tier coverage in 5G not only follows the natural evolution from existing cellular technologies, but also satisfies the requirements of increased data traffic, with small cells providing very high throughput and underlying macrocells providing extensive coverage. Therefore, network densification using low-power small cells is widely considered to be a critical element toward low-cost high-capacity 5G communications.

SECURITY CHALLENGES IN 5G

Along with the advantages of 5G architecture in Fig. 1, there also come several major technical challenges. The massive deployment of small cells poses potential challenges in network management, including interference alignment, extensive backhauling, and inconsistent security mechanisms over heterogeneous networks (HetNets). Network management and service provisioning are challenging in this multi-tier model due to the increased number of base stations and complexity of network architecture. Therefore, new technologies are needed to provide intelligent control over HetNets for consistent and effective resource allocation as well as security management.

Moreover, 5G users may leave one cell and join another more frequently with reduced cell size, which could introduce excessive handover-induced latency in 5G. Future 5G applications like interactive gaming and tele-operations require 5G latency to be an order of magnitude smaller than 4G, with 1 ms target round-trip time [2]. However, due to smaller cell deployment, users and different access points (APs) in 5G need to perform more frequent mutual authentications than in 4G to prevent impersonation and man-in-the-middle (MitM) attacks. On the other hand, the power and resource constraints of small cell APs require low complexity and highly efficient handover authentication procedures. Therefore, faster, efficient, and robust handover authentication and privacy protection schemes need to be developed for complex 5G HetNets.

THE SCOPE OF THIS ARTICLE

In this article, we first introduce the 5G background and identify the challenges in 5G HetNets, especially in security management. Existing related studies are overviewed, providing a summary of the previous security solutions and state-of-the-art related technologies. Based on our survey and analysis, we believe that new solutions meeting the latency and complexity requirements of 5G HetNet communications are yet to be developed.

Based on this observation, we introduce a new 5G network structure enabled by software-defined networking (SDN) to bring intelligence and programmability into 5G networks for efficient security management. With SDN, the control logic is removed from the underlying infrastructures to a controller in the control layer [3] so that software can be implemented on the central SDN controller to provide consistent and efficient management over the whole 5G HetNet.
With this paradigm, we propose an SDN-enabled user-specific secure context information transfer for efficient authentication handover and privacy protection in 5G to achieve seamless authentication during frequent handovers, while at the same time meeting the privacy and latency requirements effectively.

Figure 1. 5G heterogeneous network structure with densified small cells and overlay coverage.
[Figure labels: cellular 2G, 3G, LTE, LTE-A; heterogeneous overlay coverage; small cells (high frequencies); macrocell (low frequencies); femtocell; microcell; e.g. Wi-Fi; picocell.]

STATE OF THE ART IN HANDOVER AUTHENTICATION AND CHALLENGES IN 5G

RELATED WORK ON HANDOVER AUTHENTICATION AND 5G CHALLENGES

To support increased data traffic, 5G networks need to have high capacity and efficient security provisioning mechanisms. Densification of heterogeneous networks and massive deployment of small base stations become the natural choice for 5G. On the other hand, many applications supported by 5G, such as mobile banking and cloud-based social applications, require higher data confidentiality and reliable authentication against malicious attacks.

The common practice for secure communications in 3G and later wireless networks is based on admission control and cryptographic exchange. Figure 2 gives an overview of the handover authentication procedures between different networks and within one network [9]. The involved network components here are the user equipment (UE), access points (APs) or base stations (BSs), and an authentication server. It can be seen from Fig. 2 that mutual authentication during handover between the user and a new network (i.e., procedure 1) is realized by the pairing of specific hashing output. Each time the involved vector includes RAND, a random number known by the server, AUTH, an authentication token sent by the server, a pairwise key, and so on. For mobility within the same network (i.e., procedure 2), the current serving AP will inform the target AP of the possible handover so that the latter can retrieve the user authentication and key context from the server. In the following, we analyze existing handover authentication procedures and identify the challenges in 5G HetNets based on Fig. 2.

To enable handover between different wireless networks (i.e., procedure 1 in Fig. 2), various authentication servers and protocols are involved due to the closed nature and structure of each network in a HetNet, rendering frequent establishments of trust relationships and authentications during mobility, especially in a 5G small cell scenario [2]. The Third Generation Partnership Project (3GPP) has provided specific key hierarchy and handover message flows for various mobility scenarios [10]. However, the specific key designed for handover and different handover procedures for various scenarios will increase handover complexity when applied to 5G HetNets. As the authentication server is often located remotely, the delay due to frequent enquiries between small cell APs and the authentication server for user verification may be up to hundreds of milliseconds [5], which is unacceptable for 5G communications. The authors of [6, 7] have proposed simplified handover authentication schemes involving direct authentication between UE and APs based on public cryptography. These schemes realize mutual authentication and key agreements with new networks through a three-way handshake without contacting any third party, like an authentication, authorization, and accounting (AAA) server. Although the handover authentication procedure is simplified, computation cost and delay are increased due to the overhead for exchanging more cryptographic messages through a wireless interface [5]. For the same reason, carrying a digital signature is secure but not efficient for dynamic 5G wireless communications.

For handover within the same network (i.e., procedure 2 in Fig. 2), existing security mechanisms utilize complex context transfer, and it has been found that most of the handover latency is due to the scanning time for identifying the target AP and round-trip time to the authentication server. Related work in [8] proposed a user-assisted authentication context transfer scheme, by which the current AP transfers a signed authentication certificate as a security context to the user, and then to the target AP through the user. The UE is actively involved in handover authentication with its existing connections with the current and next target APs to reduce latency. However, mutual trust between APs is assumed in these solutions, which could be infeasible for 5G HetNets due to the lack of direct interfaces between different networks. In addition, the transferred security context, which is just a combination of identity and signature, may not be secure enough to prevent 5G wireless communication from potential attacks.

In light of these challenges, robust and efficient handover authentication and secure context information transfer is crucial in securing 5G networks. The unique link characteristics experienced by each UE can be explored as a security context to accelerate authentication handover. Such user-specific attributes include physical layer attributes (clock skew, signal strength, channel state information), location, and even moving speed and direction [11], some of which have already been reported to APs for the purpose of resource allocation and seamless handover. It is believed that by taking advantage of these unique attribute combinations as non-cryptographic solutions, authentication can be faster, more robust, and less complex compared to widely used cryptographic exchange mechanisms [12].

SOFTWARE-DEFINED-NETWORKING-ENABLED 5G NETWORKS

Software-defined networking [3] is considered as a radical new network structure to centralize network management, and enable innovation through network programmability in meeting the needs of emerging applications.
One main feature of SDN is decoupling the control plane and data plane by taking control logic from the underlying switches and routers to the centralized SDN controller in the control plane.

When introducing SDN into 5G networks, the SDN controller will have global control over the network, while SDN switches will simply follow data forwarding instructions from the controller. Applications are implemented on top of the controller to define the behavior of the switches and APs, thus creating a reconfigurable 5G HetNet, as shown in Fig. 3. The separation of data forwarding switches and the control plane enables easier implementation of new protocol and functions, consistent network policy, as well as straightforward network management.

In supporting SDN-enabled 5G, appropriate SDN protocols, such as OpenFlow and Simple Network Management Protocol (SNMP), will be added to base stations, access points, and wireless switches through an external standardized application programming interface (API) [4]. Importantly, OpenFlow is in charge of data path control, and SNMP can be used for device control. As the SDN controller is just a program running on a server, it can be placed anywhere in the 5G network, even in a remote data center. An SDN-based 5G network structure enables flexible ubiquitous connection, fast rerouting, and real-time network management with the software controller. Users are able to access network services anywhere and anytime regardless of the network type [4] (e.g., Wi-Fi, 3G, LTE, LTE-A) as long as these networks belong to the same operator or there are agreements between operators. Furthermore, consistent authentication and privacy protection are also manageable.

Figure 2. Authentication processes of handover procedure 1, between different networks, and handover procedure 2, within the same network.
[Figure: message sequence chart between UE, serving AP, target AP, and authentication server. Procedure 2 (handover within same network) and procedure 1 (handover authentication between networks). Message labels: Check: AUTH; Confirm pairwise key; Associate; Pairwise key; Start authentication, send identity; Target AP list for handover; Retrieve UE state: authentication context, key; Disconnect; Possible handover, UE (identity, QoS); Associate; Access permit: global identity, encryption/integrity key; Authentication vectors (RAND, AUTH, pairwise key); RAND, AUTH.]

In this article, we explore SDN as a promising platform to introduce intelligence into 5G and address the security challenges. Specifically, we discuss SDN-enabled authentication handover, which provides control over HetNet infrastructures and helps the network to reduce redundant authentications across HetNets. Handover authentication thus becomes a more controlled and prepared process instead of multiple independent procedures. By sharing secure context information along moving direction of the user and choosing multiple network paths to transmit data concurrently, the SDN structure is capable of facilitating 5G security provisioning more efficiently. In doing so, user-specific attributes are utilized as the shared security context to reduce handover complexity.
To further achieve privacy protection, SDN-enabled data transmission over different network paths in 5G HetNets is also investigated in order to guarantee privacy.

SDN-ENABLED 5G AUTHENTICATION HANDOVER

In this section, we introduce SDN into 5G to enable the proposed authentication handover scheme in coping with the frequent handover authentication in small cells and HetNets, as shown in Fig. 4. We implement an authentication handover module (AHM) in the SDN controller to monitor and predict the location of users, and then prepare the relevant cells before the user arrives to guarantee seamless handover authentication. Using a traffic flow template (TFT) filter [13] (source/destination IP addresses and port numbers) and related quality of service (QoS) description, secure context information (SCI) is collected by the AHM to share along a projected user moving path (i.e., from cell A to cell B, C in Fig. 4). The relevant cell APs thus prepare resource in advance and ensure seamless user experience during mobility.

Specifically, user-specific attributes including identity, location, direction, round-trip time (RTT), and physical layer characteristics have been considered as reliable SCI to assist secure handover in 5G networks, instead of using complex cryptographic exchange mechanisms. As a non-cryptographic method, user-specific attributes are able to simplify the authentication procedure by providing the unique fingerprint of the specific device without additional hardware and computation cost [12]. In this article, we focus on using user-specific attributes as SCI (location, direction, etc.) to realize SDN-enabled authentication handover.
Based on the proposed authentication context handover, security in SDN-enabled 5G networks becomes a monitored seamless procedure instead of multiple independent verifications, which could significantly reduce the possibility of impersonation and MitM attacks.

More precisely, the way in which the SDN controller shares the user’s SCI to next cell APs along the predicted path is just like a trustworthy introduction from a previous AP before handover. The future cell APs thus finish authentication with the user quickly and begin to monitor the user to prepare service according to the SCI. As the trace of the user is monitored, the risk of impersonation is significantly, if not entirely, reduced. More importantly, there would be risk of service disruption in previous networks if the connection between APs and the authentication server is broken. Under similar network conditions, however, our mechanism will not lose global network connectivity because a new AP is monitoring the user, which can help the controller retrieve the necessary information according to the pre-shared SCI. Thus, the SDN-enabled security handover possesses high levels of tolerance to network failures. In the following, a description of the authentication handover mechanism in terms of assumptions and designs is presented in detail.

Figure 3. SDN-enabled 5G wireless HetNet structure with control plane design.
[Figure labels: Wi-Fi, WiMAX, LTE, UE, Internet, wireless core network; applications; control plane (controller placed in server); interface: OpenFlow, SNMP; moving path; OpenFlow wireless switch; datapath plane.]

ASSUMPTIONS AND DESIGN GOALS

We assume that the SDN controller is a program running in a mobile operator’s data center with an AHM for user authorization. The AHM is in charge of both authentication and handover, which maintains user information specifying what the user can access. The AHM also possesses a master public-private key pair $(K, K^{-1})$, with a public key $K$ that is known to users and APs.
Both APs and UEs need to be verified before gaining access to network services to reduce security risks.

Our design goal for the authentication handover mechanism is to accelerate authentication in 5G HetNets by enabling SCI transfer using SDN. In further reducing the overall authentication delay, the AHM in the controller could periodically authenticate the APs in off-peak times using its master key to avoid leakage of privacy caused by compromised APs. If certified, a key pair $(K_N, K_N^{-1})$ with a signature $[K_N, T]_{K^{-1}}$ is distributed to the AP, where $T$ is the timeout of the signature; if the AP is detected as compromised, it will be blacked out from further operation. This way, some of the authentication procedures are moved to off-peak times, which relieves the SDN controller burden.

SDN-ENABLED AUTHENTICATION HANDOVER MECHANISM DESIGN

With the assumptions and design goals described above, we can design the SDN-enabled authentication handover mechanism. User-specific SCI, such as ID, physical layer attributes, location, speed, and direction, can be collected and shared easily with SDN flow-based forwarding [3]. According to the UE location information from SCI, the SDN controller uses an ascending index to indicate the sequential order of next cells in the moving direction. Once authenticated by one cell AP, an appropriate combination of user attributes is then shared as SCI by the SDN controller along this user’s future path. This way, the UE is able to enjoy seamless service without complex operation during authentication handover, thus saving time for data communications.

For example, we assume that user U is in cell A, and the future cells are B and C, as shown in Fig. 4. The authentication procedure between user U and cell A follows the commonly used authentication protocol [10], and the proposed SDN-enabled authentication handover procedure is described in Algorithm 1.

The SCI attributes in the proposed SDN-enabled authentication handover could include identity, physical layer attributes, location, moving speed, and direction. The number of attributes to be used is based on the security level of the information requested. For example, if the user is requesting banking or email services, a higher security level can be achieved by transferring more SCI attributes; if it is just Internet browsing or video gaming, the security level can be lower, and few SCI attributes are needed.

The aforementioned authentication handover method requires no changes to the existing UE and AP hardware, and significantly simplifies the authentication procedure and reduces handover latency through a non-cryptographic technique. By predicting the user moving path and shifting the authentication of APs to off-peak times, the SDN-enabled 5G networks can always be well prepared for other service requests. Moreover, operators can choose to switch off/on lightly loaded cells if the users approaching these cells are not going to exceed a certain threshold according to the SCI information to save more energy.

SDN-ENABLED 5G PRIVACY PROTECTION

Data privacy means the right of network users to seclude themselves from prying and eavesdropping. Due to the reduced cell size in 5G HetNets, users might move through multiple small cells before completing one communication session. Thus, the privacy protection is more challenging in 5G due to the possible involvement of untrusted or compromised APs during handover. Existing privacy protection schemes use complex key agreements and interactions or additional watermarking to protect data privacy.
Such cryptographic methods bring computation burden and complexity to both the AP and client sides [9], which is undesirable for 5G low-power small cell infrastructures. On the other hand, privacy protection requires that no link can be established between information and the owner, while authentication requires an identity provided for the purpose of authentication. Previously, these contradictory requirements were met through a trusted third party. However, multiple enquiries to the remote third party cause a network bottleneck, which is not suitable for 5G low-latency communications.

Figure 4. SDN enabled secure context information transfer between 5G UE, APs and AHM in SDN controller.
[Figure labels: authentication handover module (AHM); privacy protection module (PPM); authenticate SCI; secure context flow; base station A; user; small cells B, C; moving direction.]

We introduce an SDN-enabled privacy protection scheme, which employs partial transmission over different SDN-controlled network paths to guarantee privacy and offload traffic in 5G cellular networks at the same time. With the proposed privacy protection scheme, the SDN controller is able to choose multiple network paths to transmit different parts of the data stream (i.e., partial transmission) according to the HetNet coverage. The number of network paths is decided by the sensitivity level of the data stream. As long as the UE has been authenticated and is covered by the HetNets (e.g., Wi-Fi, femtocell, or cellular), the induced data stream can be routed through these network backhauls under the control of an SDN controller.
Only the receiver can decrypt the data using its private key and then re-organize the data stream coming from multiple network paths, which avoids privacy leakage via compromised APs. Moreover, the proposed scheme is able to realize traffic offloading through the other network paths, which is desirable given the fact that a 5G cellular network will be flooded by a huge volume of mobile traffic [1]. Simply by choosing nearby Wi-Fi or femtocells as different paths for data offloading, the traffic load of a 5G cellular network is relieved through either the unlicensed band of Wi-Fi or reusing the femtocell’s band. The proposed SDN-enabled privacy protection mechanism is described in Algorithm 2.

In Algorithm 2, $n$ is the number of network paths that an SDN controller chooses for data transmission, and $d_n$ is the different part of data that will be transmitted in the $n$th network concurrently. $t_r$ is the data transfer time within the involved networks. $T_s$ is the delay threshold of 5G applications, which means to achieve concurrent privacy protection, this kind of service needs to be finished before $T_s$ to guarantee user experience. For example, email transfer can tolerate long latency, while real-time video and two-way gaming have a very low delay threshold. $b_n$ is the bandwidth allocated by the SDN controller according to the traffic situation of different networks, and $V_{sn}$ is the volume of data that can be transferred in the multiple paths (i.e., offloading networks) within the application delay threshold.

More importantly, the number of paths $n$ here is decided by a trade-off between privacy level, offloading revenue, and system complexity, which is reconfigurable and can easily be set up through an SDN controller application by 5G operators. User privacy protection thus becomes programmable and under the control of SDN, which is especially desirable for future highly diverse communication requirements and application needs.

Algorithm 1. User-SCI-based authentication handover.

State(A, U): Authenticated.
State(B, U): Not Authenticated.
State(C, U): Not Authenticated.
AHM → B: (index = 1, ID, SCI)
AHM → C: (index = 2, ID, SCI)
    Ascending index number shows the direction of user movement. ID is the identity of U and SCI is the secure context information of U.
B → A: Handoff REQ(ID, SCI).
    When B discovers U in its coverage, B sends a handoff request to A until it receives a reply from A.
A → B: Handoff ACK(ID, SCI′).
    A replies with a handoff acknowledgement. SCI′ is the secure context information, which is more recent than the previously shared SCI.
B → U: Update REQ().
    After matching SCI′ from A with U, B authenticates U and starts to associate with U.
U → B: Update ACK(SCI″).
    Here U is connected with B. SCI″ is the latest secure context information.
State(B, U): Authenticated.
B → AHM: Update(SCI″).
    B updates the UE secure context information to AHM. AHM then shares secure information to next cell APs according to the location and direction information in new SCI″.
C → B: C keeps on monitoring U and follows a similar procedure.

Algorithm 2. Partial data offloading over different SDN-controlled network paths.

procedure PDO($n$)
    $T_s$: delay threshold
    $V_{sn} = b_n \min(t_r, T_s)$: size in bytes to be transferred in nearby Wi-Fi, femtocell or cellular within $T_s$
    for $d_1 < V_{s1}$, $d_2 < V_{s2}$, …, $d_n < V_{sn}$ and $d = d_1 + d_2 + … + d_n$ do
        Encrypt $d_1, d_2, …, d_n$ separately, send them on $n$ networks concurrently and update $d$
    end for
    Receiver decrypts $d_1$ ~ $d_n$ using private key and re-organizes data
end procedure

PERFORMANCE ANALYSIS

MATLAB simulations of a 5G network with commonly used hexagonal cells are adopted to evaluate the performance of the aforementioned mechanisms in terms of the secure level and latency. A total of 19 small cells in Fig. 5 with an inter-site distance (i.e., distance between two APs) of 300 m is considered in the simulation. Users are randomly distributed around APs, while each UE takes a random walk and changes direction every 5 s.
The wrap-around technique (i.e., users moving out of the predefined service area are assumed to enter the area from the other side of the network) is used to avoid boundary effects. The specific simulation parameters are listed in Table 1.

In simulating the proposed SDN-enabled authentication handover, we consider the separation distance between UE and APs, and the moving direction of the UE as the transferred SCI to verify the reliability of the proposed SCI-based authentication handover scheme. From the simulation results, we find that during the monitored user handover process, the probability that any two users have the same distance (with accuracy to the first decimal) to the closest AP is 44 percent. When it comes to the same AP, the probability of two users having the same distance to this AP decreases to 11 percent. Combined with moving direction, signal strength, channel state information, and other user-specific attributes, the probability of UEs with the same SCI could be reduced to virtually 0. Therefore, we believe that the SDN-enabled authentication handover mechanism using SCI transfer is robust to guarantee security with enough SCI attributes. Moreover, it is flexible in setting a security level by different combinations of user-specific attributes.

Authentication handover delays from SDN-enabled handover and the traditional methods are simulated and compared in evaluating the latency performance of the proposed schemes. Without loss of generality, we assume that the data of each user follows Poisson arrivals and new users initiate the authentication process when the UE is on the move. In simulating the proposed authentication handover, user-specific SCI is collected and transferred to relevant cells on the projected moving path of the UE under the coordination of the SDN controller. On the other hand, traditional authentication handover protocol requires separate authentication in each network involved in the handover.
Here we use two publicly available OpenFlow controllers as representatives to show the performance [14], NOX-MT and Beacon. NOX-MT is a multithreaded successor of NOX, while Beacon is a Java controller built by David Erickson at Stanford [3].

Figure 6 shows the comparison of authentication delay vs. 5G network utilization rates. Here network utilization is defined as the ratio of total data arrival rate and controller processing rate. Network utilization rate is used as it reflects the different load situations of the network. We can see from Fig. 6 that when the network load is fairly low, authentication delay is not a problem for all different methods. With more arrivals and increased network load, SDN-enabled authentication handover still keeps the latency under 1 ms most of the time, which meets the 5G latency requirement. NOX-MT- and Beacon-enabled solutions perform 30 and 14.29 percent better than traditional handover authentication protocol in latency reduction with the commonly used deployment of an eight-core machine, 2 GHz CPUs, and 32 switches in [14]. It is obvious that the SDN-enabled authentication handover and privacy protection scheme meet the critical latency requirement in 5G, while maintaining the SDN flexibility, programmability, and data offloading capability in further improving the energy efficiency and network management of 5G networks.

Figure 5. Simulation layout of 5G small cells with proportional axis (1 = 300 m).
[Figure legend: scattered users, AP, cell center.]

Table 1. Simulation parameters of 5G networks.

Cell layout              Hexagonal grid, 19 cell sites, with wraparound technique
Cell radius              150 m
User mobility speed      3 km/h
User mobility direction  Random
Total number of users    570

CONCLUSION

With the upcoming multi-tier architecture and small cell deployment, challenges emerge in security provisioning and privacy protection in 5G heterogeneous networks. 5G network security handover needs to be fast, with low complexity due to the reduced cell size and stringent latency constraint. In this article, we review the existing studies and identify current challenges on authentication handover and privacy protection in 5G. In addressing these challenges, we propose SDN-enabled authentication handover and privacy protection through sharing of user-specific security context information among related access points. The proposed SDN-enabled solution not only provides a reconfigurable network management platform, but also simplifies authentication handover in achieving reduced latency. The performance of the proposed schemes has been demonstrated through numerical simulations and examples. We expect that more progress could be made by using emerging SDN-enabled 5G architecture and non-cryptographic techniques to address the 5G challenges of reduced cell size and coexistence of heterogeneous networks. Many interesting related topics, including network complexity, security performance under different attacks, and effective use of security context information, could be explored for SDN-enabled 5G security mechanisms.
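
Added example, not code from the article or its authors: the message flow of Algorithm 1 simulated in Python, including the case where a device that claims U's identity fails the SCI match at the target AP. The attribute set, tolerance values, service classes and all class and function names are assumptions made for this illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class SCI:
    """Secure context information of one UE (attribute choice is assumed)."""
    x: float               # position, metres
    y: float
    heading_deg: float     # moving direction
    speed_mps: float
    clock_skew_ppm: float  # physical-layer attribute of the device
    t: float               # measurement time, seconds

# Assumed tolerances and service classes; the article gives no numeric values.
TOLERANCE = {"position": 5.0, "heading": 20.0, "speed": 1.0, "clock_skew": 0.5}
SECURITY_LEVELS = {
    "browsing": ("position",),
    "banking": ("position", "heading", "speed", "clock_skew"),
}

def deviations(ref, obs):
    """Gap between an observation and the reference SCI projected to obs.t."""
    dt = obs.t - ref.t
    rad = math.radians(ref.heading_deg)
    px = ref.x + ref.speed_mps * dt * math.cos(rad)
    py = ref.y + ref.speed_mps * dt * math.sin(rad)
    return {
        "position": math.hypot(obs.x - px, obs.y - py),
        "heading": abs((obs.heading_deg - ref.heading_deg + 180) % 360 - 180),
        "speed": abs(obs.speed_mps - ref.speed_mps),
        "clock_skew": abs(obs.clock_skew_ppm - ref.clock_skew_ppm),
    }

def sci_matches(ref, obs, level):
    dev = deviations(ref, obs)
    return all(dev[a] <= TOLERANCE[a] for a in SECURITY_LEVELS[level])

class AHM:
    """Authentication handover module in the SDN controller."""
    def share(self, ue_id, sci, path):
        # AHM -> B: (index = 1, ID, SCI); AHM -> C: (index = 2, ID, SCI)
        for index, ap in enumerate(path, start=1):
            ap.preshared[ue_id] = (index, sci)

class AccessPoint:
    def __init__(self, name, ahm):
        self.name, self.ahm = name, ahm
        self.preshared = {}  # ue_id -> (index, SCI) introduced by the AHM
        self.serving = {}    # ue_id -> latest SCI of UEs authenticated here

    def handoff_ack(self, ue_id):
        """A -> B: Handoff ACK(ID, SCI'); None if the UE is not served here."""
        return self.serving.get(ue_id)

    def discover(self, ue_id, observed, serving_ap, level, next_path):
        """Target-AP side of Algorithm 1 for a UE seen in coverage."""
        if ue_id not in self.preshared:
            return "rejected: no pre-shared SCI"
        fresh = serving_ap.handoff_ack(ue_id)        # B -> A: Handoff REQ
        if fresh is None:
            return "rejected: unknown to serving AP"
        if not sci_matches(fresh, observed, level):  # match SCI' against U
            return "rejected: SCI mismatch"
        # Update REQ / Update ACK: the observation stands in for SCI''.
        self.serving[ue_id] = observed
        del self.preshared[ue_id]
        serving_ap.serving.pop(ue_id, None)
        self.ahm.share(ue_id, observed, next_path)   # B -> AHM: Update(SCI'')
        return "authenticated"

def build_network():
    """Constructed scenario: U is served by A; B and C are on its path."""
    ahm = AHM()
    a, b, c = (AccessPoint(n, ahm) for n in "ABC")
    a.serving["U"] = SCI(108.3, 0.0, 0.0, 0.83, 12.3, t=10.0)  # SCI' held by A
    ahm.share("U", SCI(100.0, 0.0, 0.0, 0.83, 12.3, t=0.0), [b, c])
    return a, b, c

def run_demo():
    genuine = SCI(110.0, 0.5, 5.0, 0.9, 12.4, t=12.0)
    far_away = SCI(140.0, 30.0, 0.0, 0.83, 12.3, t=12.0)      # wrong place
    other_device = SCI(110.0, 1.0, 0.0, 0.83, 40.0, t=12.0)   # wrong clock skew
    a, b, c = build_network()
    results = {"genuine": b.discover("U", genuine, a, "banking", [c])}
    results["c_index"] = c.preshared["U"][0]   # C is now the next cell
    for level in SECURITY_LEVELS:
        for label, seen in (("far", far_away), ("near", other_device)):
            a, b, c = build_network()
            results[f"{label}/{level}"] = b.discover("U", seen, a, level, [c])
    a, b, c = build_network()
    results["unknown"] = b.discover("V", genuine, a, "banking", [c])
    return results

if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:14} {outcome}")
```

The `near/browsing` case is accepted because only position is compared at that level, which is the trade-off the article describes between service sensitivity and the number of SCI attributes transferred.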
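
Added example, not code from the article or its authors: the capacity formula and partition loop of Algorithm 2 together with the receiver-side re-organization, in Python. It assumes a per-path transfer time t_r, a fragment header carrying round and offset, a stream length known to the receiver, and constructed sample paths; the per-part encryption step of Algorithm 2 is not reproduced.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    name: str
    bandwidth: float      # b_n in bytes per second, allocated by the controller
    transfer_time: float  # t_r in seconds (assumed to be known per path)

@dataclass(frozen=True)
class Fragment:
    path: str
    round_no: int  # which pass of the for-loop in Algorithm 2 produced it
    offset: int    # position of the payload in the original stream
    payload: bytes

def capacities(paths, ts):
    """Vs_n = b_n * min(t_r, Ts), in whole bytes, for every path."""
    return [int(p.bandwidth * min(p.transfer_time, ts)) for p in paths]

def partition(data, paths, ts):
    """Split data into parts d_n < Vs_n, one part per path and round."""
    limits = [max(v - 1, 0) for v in capacities(paths, ts)]  # strict d_n < Vs_n
    if not any(limits):
        raise ValueError("no path can carry data within the delay threshold")
    fragments, offset, round_no = [], 0, 0
    while offset < len(data):                # "update d" until nothing is left
        for path, limit in zip(paths, limits):
            chunk = data[offset:offset + limit]
            if chunk:
                # Algorithm 2 encrypts each part for the receiver at this
                # point; that step is omitted in this example.
                fragments.append(Fragment(path.name, round_no, offset, chunk))
                offset += len(chunk)
        round_no += 1
    return fragments

def rounds_needed(fragments):
    """More than one round means the stream does not fit within Ts."""
    return max((f.round_no for f in fragments), default=-1) + 1

def exposure(fragments):
    """Fraction of the stream that each path, and any AP on it, carries."""
    total = sum(len(f.payload) for f in fragments)
    share = {}
    for f in fragments:
        share[f.path] = share.get(f.path, 0) + len(f.payload)
    return {name: size / total for name, size in share.items()}

def reassemble(fragments, length):
    """Receiver side: re-organize parts that arrive in any order."""
    out = bytearray()
    for f in sorted(fragments, key=lambda f: f.offset):
        if f.offset != len(out):
            raise ValueError(f"gap or overlap at byte {len(out)}")
        out += f.payload
    if len(out) != length:
        raise ValueError("stream is truncated")
    return bytes(out)

# Constructed sample: three paths chosen by the controller, Ts = 250 ms.
PATHS = [
    Path("wifi", 4000, 0.5),
    Path("femtocell", 2000, 0.125),
    Path("cellular", 1000, 1.0),
]
TS = 0.25

if __name__ == "__main__":
    stream = bytes(i % 251 for i in range(1400))
    parts = partition(stream, PATHS, TS)
    print("capacities:", capacities(PATHS, TS))
    print("rounds:", rounds_needed(parts))
    print("exposure:", exposure(parts))
    print("intact:", reassemble(list(reversed(parts)), len(stream)) == stream)
```

`exposure` shows that with capacity-proportional parts the fastest path carries most of the stream (999 of 1400 bytes in the sample), which is worth checking against the sensitivity level when the number of paths is chosen.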