
Observing the Edge: Host Behavior as a Foundation for Workflow Security

Vaz, S.; Cunha, V. A.; Aguiar, R.

Observing the Edge: Host Behavior as a Foundation for Workflow Security, Proc INForum, Évora, Portugal, Vol. , pp. - , September, 2025.

Digital Object Identifier:

 

Abstract
Network management and operations are becoming increasingly complex and rely on different types of workflows. To cope with this complexity, workflows are becoming more distributed, with tasks running closer to the elements they affect, leveraging edge environments for locality and other hardware for performance (such as GPUs for analytics or MLOps). Therefore, securing the infrastructure that hosts them becomes a foundational concern. In these dynamic and often heterogeneous systems, traditional methods of ensuring host trustworthiness can be impractical or incomplete. This paper proposes a lightweight behavior-based security solution designed to protect workflow execution by continuously observing the host environment. Instead of relying on static trust anchors or external attestation, our system monitors runtime behavior at the host level and triggers alerts when predefined rules are violated. These rules flag clear security issues, such as unauthorized process activity, unusual file accesses, or network behavior irregularities. By anchoring workflow security in host observation, our approach enables early detection of compromised or misbehaving edge nodes. We evaluate the system in simulated edge deployments and demonstrate its ability to detect a range of security-relevant events with low overhead, offering a practical foundation for securing workflows through host-side observation.