Differentiated End-to-End Security Provisioning Mechanism for 5G Systems | IEEE Conference Publication | IEEE Xplore

Differentiated End-to-End Security Provisioning Mechanism for 5G Systems


Abstract:

In the current 5G system architecture, the use cases around user plane security enforcement are oriented and limited to security configuration towards the NG-RAN, based on the integrity and/or ciphering protection activation or deactivation in the air interface between user equipment (UE) and gNB. Security features between gNB and User Plane Function (UPF) are optional, configured by the network provider, and there is no end-to-end protection for the user plane data. However, the gNB is more vulnerable to attacks due to its physical location, which leads to data and privacy leakage. Additionally, the mapping from service data flow to QoS flow is mainly based on QoS requirements rather than security, which means the service data flows with similar QoS but different security requirements will be mapped to the same QoS flow and then be processed with the same security protection on the air interface. Moreover, 3GPP only supports coarse-grained Packet Data Unit (PDU) session level integrity protection, i.e., all QoS flows in the same PDU session have to share the same security configuration at the UE-gNB interface. This will lead to either high security overhead if only a few QoS flows need protection or inadequate protection if protection is disabled since the majority of the flows do not require it. In this paper, we propose a backward-compatible differentiated (per-QoS flow) end-to-end security mechanism allowing the protection of only those QoS flows that require ciphering and/or integrity protection. The security options can be changed dynamically during the QoS flow lifetime. Our numerical results show that the proposed solution allows us to decrease the computational burden imposed at UE.
Date of Conference: 02-05 September 2024
Date Added to IEEE Xplore: 01 January 2025
Conference Location: Valencia, Spain
