INSPIRE-5Gplus: Intelligent Security and Pervasive Trust for 5G and Beyond Networks

Jordi Ortiz, Ramon Sanchez-Iborra, Jorge Bernal Bernabe, Antonio Skarmeta (University of Murcia), {jordi.ortiz,ramonsanchez,jorgebernal,skarmeta}@um.es
Chaka Benzaid, Tarik Taleb (Aalto University), {chaka.benzaid,tarik.taleb}@aalto.
Pol Alemany, Raul Muñoz, Ricard Vilalta (Centre Tecnològic de Telecomunicacions de Catalunya, CTTC/CERCA), {pol.alemany,raul.munoz,ricard.vilalta}@cttc.es
Chrystel Gaber, Jean-Philippe Wary (Orange), {chrystel.gaber,jeanphilippe.wary}@orange.com
Dhouha Ayed, Pascal Bisson (Thales), {dhouha.ayed,pascal.bisson}@thalesgroup.com
Maria Christopoulou, George Xilouris (NCSR Demokritos), {maria.christopoulou,xilouris}@iit.demokritos.gr
Edgardo Montes de Oca (Montimage), edgardo.montesdeoca@montimage.com
Gürkan Gür (Zurich University of Applied Sciences), gueu@zhaw.ch
Gianni Santinelli, Vincent Lefebvre (Solidshield), {gianni,vincent}@solidshield.com
Antonio Pastor, Diego Lopez (Telefonica R&D), {antonio.pastorperales,diego.r.lopez}@telefonica.com
ABSTRACT
The promise of disparate features envisioned by the 3GPP for 5G, such as offering enhanced Mobile Broadband connectivity while providing massive Machine Type Communications, likely with very low data rates, and maintaining Ultra Reliable Low Latency Communications requirements, creates a very challenging environment for protecting the 5G networks themselves and their associated assets. To overcome such complexity, future 5G networks must employ a very high degree of network and service management automation, which is a security challenge in itself as well as an opportunity for smarter and more efficient security functions. In this paper, we present the smart, trustworthy and liable 5G security platform being designed and developed in the INSPIRE-5Gplus project (https://www.inspire-5gplus.eu). This platform takes advantage of new techniques such as Machine Learning (ML), Artificial Intelligence (AI), Distributed Ledger Technologies (DLT), network softwarization and Trusted Execution Environments (TEEs) for closed-loop and end-to-end security management following a zero-touch model in 5G and Beyond 5G networks. To this end, we specifically elaborate on two key aspects of our platform, namely security management with Security Service Level Agreements (SSLAs) and liability management, in addition to describing the overall architecture.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
ARES 2020, August 25–28, 2020, Virtual Event, Ireland
© 2020 Copyright held by the owner/author(s).
ACM ISBN 978-1-4503-8833-7/20/08.
https://doi.org/10.1145/3407023.3409219
CCS CONCEPTS
• Networks → Network architectures; • Security and privacy → Distributed systems security; Trusted computing; Virtualization and security; Mobile and wireless security.
KEYWORDS
5G, Security, ZSM, Cognitive security, liability
ACM Reference Format:
Jordi Ortiz, Ramon Sanchez-Iborra, Jorge Bernal Bernabe, Antonio Skarmeta,
Chaka Benzaid, Tarik Taleb, Pol Alemany, Raul Muñoz, Ricard Vilalta,
Chrystel Gaber, Jean-Philippe Wary, Dhouha Ayed, Pascal Bisson, Maria
Christopoulou, George Xilouris, Edgardo Montes de Oca, Gürkan Gür, Gianni Santinelli, Vincent Lefebvre, Antonio Pastor, and Diego Lopez. 2020.
INSPIRE-5Gplus: Intelligent Security and Pervasive Trust for 5G and Beyond
Networks. In The 15th International Conference on Availability, Reliability
and Security (ARES 2020), August 25–28, 2020, Virtual Event, Ireland. ACM,
New York, NY, USA, 10 pages. https://doi.org/10.1145/3407023.3409219
1 INTRODUCTION
5G networks will play a fundamental role in the implementation of pervasive digital services with anytime-anywhere connectivity. They will enable a wide range of applications, from ubiquitous broadband connectivity to autonomous vehicles. The utility and importance of communication systems and connected services have been clearly corroborated during the COVID-19 pandemic. This role is expected to become even more crucial for the realization of the future digital society with Beyond 5G systems, which will provide novel services such as holographic communications, Virtual Reality (VR) and fully autonomous transportation infrastructures.
For secure and trustworthy 5G networks, there is a need to deliver more efficient and smarter end-to-end security while exploiting emerging technologies such as Artificial Intelligence (AI), Machine Learning (ML), Distributed Ledger Technologies (DLT) and hardware-supported liability mechanisms [2]. This end-to-end paradigm also needs to extend over multiple verticals and markets and across multiple administrative domains. Furthermore, the security challenges are expected to be exacerbated in Beyond 5G networks, with their more automated and diverse service environments and infrastructure. Full automation, while desirable as a way of enhancing capabilities and services, may introduce new attack vectors by replicating small security issues and thus magnifying their impact [6].
To address the security challenges and realize a well-founded security vision in 5G and Beyond networks, several technological aspects must be considered. The promising AI-driven Software-Defined Security (SD-SEC) is still in its infancy, and there is a need to build smart SD-SEC solutions that cover the whole cybersecurity spectrum [7]. A smart, autonomic, closed-loop architecture should be seamlessly integrated into security management [14]. Unfortunately, zero-risk security cannot be achieved even with these advances. Therefore, defining liability and responsibilities when security breaches happen is also imperative to support confidence between parties. Policy management based on Security Service Level Agreements (SSLAs) is an important instrument for defining and managing the commitments and security provisioning agreed between 5G entities. Additionally, liability management should be supported by manifest formalizations and hardware-based enablers such as Trusted Execution Environments (TEEs) for trustworthy monitoring, execution and attestation. In fact, TEEs are envisioned as a game-changer for providing integrity and confidentiality in virtualized environments even in the presence of malicious operators or a malicious or vulnerable kernel [15].
This paper presents the work carried out by the INSPIRE-5Gplus project to realize this 5G and Beyond security vision as a smart, trustworthy and liable security platform. We describe our platform's overall architecture, highlighting the core components and functions. We also specifically elaborate on two key aspects of our system, namely security management with SSLAs and liability management. The remainder of this work is structured as follows. Section 2 presents an overview of the INSPIRE-5Gplus project. Section 3 explains the technical approach to realizing the envisaged security platform, followed by the description of policy management via SSLAs and liability management in Section 4. Section 5 provides the rationale behind the integration of the INSPIRE-5Gplus architecture into the Zero-touch network and Service Management (ZSM) architecture proposed by ETSI. Section 6 addresses liability in the context of liable and trustworthy future networks, including 5G. Finally, conclusions are presented with a discussion of future work in Section 7.
2 INSPIRE-5GPLUS OVERVIEW
The INSPIRE-5Gplus approach proposes a step ahead in the 5G and Beyond security vision by progressing 5G security and by devising a smart, trustworthy and liability-aware 5G security platform for future connected systems (Figure 1). The developed system will contribute to the advancement of 5G security through the adoption of a set of emerging trends and technologies, such as ZSM, SD-SEC models, AI-based techniques and TEEs. In this line, the INSPIRE-5Gplus platform ensures that the provided security level conforms to the security requirements of legislation, verticals and standards. Besides, trust and liability are fostered through the integration of novel mechanisms supporting confidence between parties and compliance with regulation.
To achieve the aforementioned security vision, the INSPIRE-5Gplus platform relies on key emerging trends and technologies, including:
• A conceptual architecture for supporting zero-touch end-to-end smart network and service security management in 5G and beyond networks. This architecture leverages the flexibility of softwarization technologies (e.g., Software Defined Networking (SDN)/Network Function Virtualization (NFV)) and AI/ML techniques.
• SD-SEC orchestration and management that enforces and controls security policies in real time and adapts to dynamic changes in the threat landscape and in the security requirements of 5G and beyond networks.
• Novel AI-driven security models, including AI-empowered Moving Target Defense (MTD) mechanisms, Root Cause Analysis (RCA) and Cyber Threat Intelligence (CTI), to empower smart security management with a proactive defensive posture.
• Advanced mechanisms to foster the trustworthiness of smart SD-SEC solutions in a multi-tenant/multi-domain setting by establishing trust in software components (e.g., VNFs) and AI/ML techniques. Trust in software components will be based on TEEs, new Digital Rights Management (DRM) approaches, novel AI-powered validation tools and a new labelling scheme.
• New mechanisms to enforce the liability of involved parties when security breaches occur and/or systems fail, including smart contracts and potentially VNF package manifests to define Trust Level Agreements (TLAs), as well as mechanisms to enable AI-based liability and RCA techniques.
Therefore, the INSPIRE-5Gplus platform contributes to enforcing security, trust and liability features, in a smart and autonomous way, for 5G and beyond services. Security management in INSPIRE-5Gplus leverages advanced and emerging enablers, as detailed in the following sections.
[Figure 1: INSPIRE-5Gplus security oriented architecture. Labels recoverable from the figure: (A) the closed-loop security functions of each management domain (RAN, Core, Edge, Transport Network, etc.): Security Data Collector, Trustable Data Collection with SW/HW stewards, Security Analytics Engine with Anomaly Detection and RCA services, Decision Engine with a cognitive long-term (LT) loop and a reactive short-term (ST) loop, Security Orchestrator, Policy & SSLA Management, Trust Management (SW, HW) and a Security Unified API over the domain infrastructure resources (physical and virtual, RAN/vCORE/SDN controllers, tenants and security enablers); (B) the Domain Integration Fabric; (C) the E2E Service Management Domain with E2E Security Intelligence Service, E2E Security Orchestrator, E2E Policy & SSLA and E2E Trust Management, alongside the Service Management Domain (NFVO, VNFM, Service Orchestrator, Network Service, Slice Service); (D) the Cross/Inter-Domain Integration Fabric with Cross-Domain Data Services and interfaces to OTT providers and other operators.]
3 TECHNICAL APPROACH
5G is being designed to address the diverse requirements of a multitude of use cases, including enhanced Mobile Broadband (eMBB), Ultra Reliable Low Latency Communications (URLLC) and massive Machine Type Communications (mMTC), by providing a unified and interoperable ecosystem of different and complementary technologies. The pervasive utility and importance of 5G networks necessitate a secure and trustworthy system that meets the stringent requirements of the envisaged use cases and services. As such, INSPIRE-5Gplus aspires to deliver an innovative platform for 5G security management by adopting advanced technology enablers, including zero-touch end-to-end security management, smart security management leveraging ML, as well as SD-SEC and trust.
As shown in Figure 1, INSPIRE-5Gplus has an End-to-End (E2E) security management architecture supporting the separation of security management concerns. Decoupling the E2E security management domain from the other domains allows escaping from monolithic systems, reduces the overall system's complexity, and enables the independent evolution of security management at both domain and cross-domain levels. Each security management domain, including the E2E domain, comprises a set of functional modules (e.g. security intelligence engine, security orchestrator, trust manager) that operate in an intelligent closed loop to provide SD-SEC orchestration and management that enforces and controls the security policies of network resources and services in real time. An example of such orchestration is the one defined by Marin et al. [17] in the context of the IETF I2NSF working group, where a central entity (the I2NSF controller) distributes keying material for IPsec tunnelling in a coordinated way. Each functional module provides a set of security management services that can be exposed inside the same domain or cross-domain, using the domain integration fabric or the cross-domain integration fabric, respectively.
3.1 The Key Attributes of the INSPIRE-5Gplus Approach
INSPIRE-5Gplus considers an E2E view for the network services as well as for the security architecture it brings forth. This is reflected in the multi-resolution nature of the design of the INSPIRE-5Gplus security architecture: the security elements go beyond the micro-scale of domain-specific security and cover multiple domains (e.g. RAN, core and transport), as shown in Figure 1. This is crucial since a robust and efficient security architecture should guarantee secure delivery of data and services in an E2E manner.
To enable a holistic security approach, the INSPIRE-5Gplus architecture also considers the technological factors, since emerging technologies such as NFV, SDN, Edge Computing and Network Slicing introduce challenges and additional complexity in the way networks and services are deployed, managed and orchestrated. Software-driven and programmable networks lead to the creation of new business models and use cases with diverse and stringent requirements in terms of capacity, latency, reliability and availability. Conventional network operations require excessive human intervention when introducing new services or coping with operational errors, and they force trade-offs between reliability, scalability and efficiency. As a result, the shift towards full Automation of Network and Service Management and Operation (ANSMO) has become imperative for both Network Operators and Digital Service Providers [9]. To this end, ETSI established the Zero-touch network and Service Management (ZSM) Industry Specification Group (ISG) in 2017, whose main objective is the definition of technical specifications on network and service automation [14]. "Zero-touch" refers to minimizing or eliminating human intervention when managing the lifecycle of networks and services across the Radio Access, Transport, Core and Cloud domains [5]. The main target is not to remove humans completely from operations or to reduce costs, but to introduce agility in adhering to Service Level Agreements (SLAs) while meeting the requirements of new services [4], by supporting human decisions.
The smart and flexible security architecture is realized via the integration of novel and emerging enabler technologies, including AI/ML, TEE and DLT. AI, supported by ML and Big Data analytics techniques, plays a pivotal role in empowering autonomic cyber-capabilities (e.g. self-protection, self-healing). Indeed, AI can unveil hidden patterns in large-scale and time-varying data while providing faster and more accurate decisions. INSPIRE-5Gplus leverages emerging AI/ML techniques to empower key security functions, such as intelligent security enforcement, efficient prediction of security anomalies and efficient decisions on the mitigation mechanisms to deploy. Furthermore, for trusted data sharing, it utilizes blockchains as part of the data collection functions. TEEs are hardware-based solutions providing data and code integrity and confidentiality even under strong adversary conditions. INSPIRE-5Gplus takes advantage of TEEs to offer a trusted environment for executing critical software components in a multi-tenant/multi-domain setting, which addresses the introspection issue (a privileged host or operator inspecting a VNF's memory) and fosters both VNF security and trust.
In addition to its multi-domain design, the INSPIRE-5Gplus security architecture is extensible to multi-operator and OTT environments by considering their security threats and requirements. Although it is developed with a focus on the needs of a single-operator environment, the inter-domain fabric provides an inherent capability for security management among disparate networks, as shown in Figure 1. In the following subsections, we detail the INSPIRE-5Gplus architecture at the intra-domain and then the inter-domain level, with concise descriptions of key modules and functions.
3.2 Intra-domain Architectural Approach
In INSPIRE-5Gplus, the term "domain" refers to network constituents such as the radio access network, the Mobile Edge Computing (MEC) environment and the core network, i.e. the stacked representation on the right-hand side of Figure 1. Each management domain includes the closed-loop security functions of the architecture (A in Figure 1). The domain integration fabric is the communication substrate for messaging, based on extensible interfaces defined according to the security requirements and scenarios adopted in the project (B in Figure 1).
Security data collector uses telemetry and probing to collect security-related data from a domain.
Trustable data collection uses permissioned blockchains for trusted multi-party data collection. This function provides a data service to other security-related functions via the integration fabric. The use of stewards is envisioned: these nodes are capable of participating in the validation process and help maintain the DLT.
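As an added illustration of the trustable data collection function (this is example code written for this edited page, not INSPIRE-5Gplus project code), the following Python sketch models a hash-chained, append-only log of security records that only accepts an entry once a quorum of stewards has endorsed it, and that detects a later rewrite of any entry. The steward identities and keys, the quorum size and the HMAC-based endorsement are constructed assumptions standing in for the signatures and consensus of a real permissioned DLT; the telemetry records are constructed samples.

```python
"""Steward-endorsed, hash-chained security data log (constructed example).

Assumptions (not from the paper): stewards endorse an entry with an HMAC over
its digest (a real permissioned DLT would use asymmetric signatures and its own
consensus protocol), and an entry is trusted once QUORUM stewards endorsed it.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed steward keys; stand-ins for steward identities in a permissioned ledger.
STEWARD_KEYS = {
    "steward-ran": b"constructed-key-ran",
    "steward-core": b"constructed-key-core",
    "steward-edge": b"constructed-key-edge",
}
QUORUM = 2          # assumed endorsement threshold
GENESIS = "0" * 64  # previous-hash value of the first entry


def canonical(obj) -> bytes:
    """Deterministic JSON so that every steward hashes exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Entry:
    index: int
    prev_hash: str
    record: dict                                      # telemetry from a Security Data Collector
    endorsements: dict = field(default_factory=dict)  # steward id -> HMAC tag (hex)

    def digest(self) -> str:
        body = {"index": self.index, "prev": self.prev_hash, "record": self.record}
        return hashlib.sha256(canonical(body)).hexdigest()


def endorse(entry: Entry, steward: str) -> None:
    """A steward validates the entry and attaches its endorsement tag."""
    tag = hmac.new(STEWARD_KEYS[steward], entry.digest().encode(), "sha256").hexdigest()
    entry.endorsements[steward] = tag


def valid_endorsements(entry: Entry) -> int:
    """Count endorsements that verify against the entry's *current* digest."""
    msg = entry.digest().encode()
    count = 0
    for steward, tag in entry.endorsements.items():
        key = STEWARD_KEYS.get(steward)
        if key is None:
            continue  # unknown steward: not a member of the permissioned set
        expected = hmac.new(key, msg, "sha256").hexdigest()
        if hmac.compare_digest(expected, tag):
            count += 1
    return count


class Ledger:
    def __init__(self):
        self.entries = []

    def append(self, record: dict, stewards) -> Entry:
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = Entry(len(self.entries), prev, record)
        for steward in stewards:
            endorse(entry, steward)
        if valid_endorsements(entry) < QUORUM:
            raise ValueError("entry rejected: steward quorum not reached")
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Return (index, problem) pairs; an empty list means the log is intact."""
        problems = []
        prev = GENESIS
        for entry in self.entries:
            if entry.prev_hash != prev:
                problems.append((entry.index, "broken chain"))
            if valid_endorsements(entry) < QUORUM:
                problems.append((entry.index, "endorsement quorum not met"))
            prev = entry.digest()
        return problems


def demo() -> list:
    """Append two constructed records, then tamper with the first and re-verify."""
    ledger = Ledger()
    ledger.append({"domain": "ran", "metric": "auth_failures", "value": 3},
                  ["steward-ran", "steward-core"])
    ledger.append({"domain": "core", "metric": "auth_failures", "value": 120},
                  ["steward-core", "steward-edge"])
    assert ledger.verify() == []
    ledger.entries[0].record["value"] = 0  # a domain rewrites its own history
    return ledger.verify()


if __name__ == "__main__":
    print(demo())
```

Tampering with an already-endorsed record invalidates its endorsements and breaks the hash link of the following entry, so both the affected domain and the cross-domain consumers can spot it. Replacing the per-steward HMAC with signatures that any reader can verify without holding steward secrets is the main change needed to move from this sketch towards an actual permissioned ledger.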
3.2.1 Smart security enablers. INSPIRE-5Gplus relies on smart security enablers to implement the ZSM-based security architecture. Therefore, the domain-specific implementation includes:
The Security Analytics Engine (SAE): The main function of the SAE is to derive insights and predictions on the domain's conditions based on data collected in the specific domain or even in other domains. As shown in Figure 1, in the context of INSPIRE-5Gplus the SAE provides the Anomaly Detection and RCA services, although the set of offered services can be extended if the need arises. The Anomaly Detection service identifies patterns in data or behaviour that do not conform to the expected ones, usually designated as outliers or anomalies. The service detects anomalous conditions which may correspond to security incidents or malfunctions, and utilizes data aggregated from the managed entities of the domain with regard to their performance, usage, configuration and status. The RCA service identifies the cause of the observed incidents by analyzing and correlating data collected by the Anomaly Detection service or other services. One of the ambitions of INSPIRE-5Gplus is to develop RCA techniques based on network traffic analytics, ML techniques, remote attestation, path-proof mechanisms and model-based root cause algorithms for identifying the cause and determining responsibilities when security breaches occur.
Security Intelligence Engine (SIE): The SIE is responsible for decision making and action planning as part of the intelligent closed-loop automation formed inside a security management domain, as defined in [14]. SIE services include the assessment and management of deployed AI models and their training data in order to keep them operational and up to date despite changes in incoming data and domain network conditions. These evolving models allow more adaptive and exploratory security functions than conventional reactive models. Decision making takes place based on data collected by the SAE and the Security Data Collector, or by other domain-specific services deemed necessary. The SIE also provides services pertaining to action planning, including the lifecycle management of the specific domain's services through automated workflows and the configuration of domain managed entities and services. The cognitive aspect of this engine provides more extensible security provisioning beyond pre-defined action portfolios.
These functions rely on the Security Data Collector for obtaining the data needed for the analysis and training/inference functions.
3.2.2 Security orchestration. The architecture is endowed with a policy-based security orchestrator in charge of driving security management in 5G and beyond networks by interacting, through the integration fabric, with the different SDN controllers, NFV controllers and security management services. The orchestrator will enforce the security policies, proactively or reactively, through the allocation, chaining and configuration of dedicated virtual network security functions (VSFs) such as vFirewall, vChannelProtection, virtual Intrusion Detection System (vIDS), virtual Authentication, Authorization and Accounting (vAAA) and vProxy. The security orchestration will be fed by the evolving system model, the trust and reputation indicators coming from the Trust Management component, and the conclusions and evolved plans inferred by the Security Intelligence Engine. This cognitive behaviour will provide self-healing and self-protection capabilities to the entire managed system, allowing the orchestrator to react automatically according to the actual context and trigger countermeasures to mitigate ongoing attacks or threats in the 5G network. These reactions encompass, among others, applying security policies that control the traffic (e.g. by dropping or diverting it) through the SDN controllers, and deploying, decommissioning, reconfiguring or migrating the VSFs.
3.2.3 Policy and SSLA management. SSLAs represent the security policies in terms of commitments and requirements, and thus enable their management in a multi-party environment for maintaining a certain Level of Security (LoS). The Policy and SSLA management function in the INSPIRE-5Gplus architecture provides specification and monitoring capabilities to define SSLAs based on policies and to assess them in real time in cooperation with other INSPIRE-5Gplus functions. Network-slicing-oriented security policies and SSLAs are a specific use case addressed in the architecture. Policy and SSLA management is presented in more detail in Section 4.
3.2.4 Trust management (HW, SW). INSPIRE-5Gplus uses software and hardware enablers for the trust management of domain elements. It provides a risk analysis framework that enables the supervision of risks in complex and distributed systems in relation to trust. This function uses risk analysis techniques, specifically Risk Assessment Graphs (RAGs), a graph-based risk model that is adaptable to system evolution and temporal dynamics. It models the mathematical propagation of impacts and risks between components and allows a dynamic representation and re-evaluation of the security exposure of the network and service infrastructure. Moreover, a Trust and Reputation Management (TRM) sub-function assigns reputation values to management entities in 5G softwarized networks based on the impact of their actions on the network. This impact is measured with anomaly detection algorithms able to detect network state deviations that affect the resilience level.
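To make the two mechanisms of this subsection concrete, the following Python example (written for this edited page; it is not the project's RAG or TRM implementation, whose exact models the paper does not give) shows one simple form of risk propagation over a dependency graph and one simple reputation update driven by anomaly scores. The propagation rule (maximum over incoming paths of upstream risk times an edge weight), the re-evaluation after an incident, the reputation penalty/recovery parameters, and all component names, weights and scores are assumptions constructed for the example.

```python
"""Risk Assessment Graph propagation and reputation scoring (constructed example).

Assumptions (not from the paper): risk propagates along dependency edges as the
product of the upstream risk and an edge weight in (0, 1], taking the maximum over
incoming paths; reputation drops in proportion to the anomaly score observed after
an entity's action and slowly recovers otherwise. All values below are constructed.
"""
from collections import defaultdict


class RiskAssessmentGraph:
    """Nodes are network/service components; an edge u -> v with weight w means a
    compromise of u transfers a fraction w of its impact to v."""

    def __init__(self):
        self.exposure = {}              # component -> intrinsic exposure in [0, 1]
        self.edges = defaultdict(list)  # component -> [(dependent component, weight)]

    def add_component(self, name: str, exposure: float) -> None:
        if not 0.0 <= exposure <= 1.0:
            raise ValueError("exposure must be in [0, 1]")
        self.exposure[name] = exposure

    def add_dependency(self, src: str, dst: str, weight: float) -> None:
        if not 0.0 < weight <= 1.0:
            raise ValueError("weight must be in (0, 1]")
        if src not in self.exposure or dst not in self.exposure:
            raise KeyError("add both components before linking them")
        self.edges[src].append((dst, weight))

    def propagate(self) -> dict:
        """risk(v) = max(exposure(v), max over edges u->v of risk(u) * w).

        Iterated to a fixed point: values only grow and are bounded by the largest
        exposure, so the loop terminates even when the graph contains cycles."""
        risk = dict(self.exposure)
        changed = True
        while changed:
            changed = False
            for src, deps in self.edges.items():
                for dst, weight in deps:
                    candidate = risk[src] * weight
                    if candidate > risk[dst] + 1e-12:
                        risk[dst] = candidate
                        changed = True
        return risk

    def on_incident(self, component: str) -> dict:
        """Dynamic re-evaluation: a confirmed compromise makes the component fully
        exposed, and the new exposure is propagated to everything depending on it."""
        self.exposure[component] = 1.0
        return self.propagate()


class ReputationManager:
    """TRM: score management entities (e.g. SDN controllers, orchestrators) by the
    effect their actions have on the network state."""

    def __init__(self, threshold: float = 0.5, penalty: float = 0.3, recovery: float = 0.05):
        self.threshold = threshold  # anomaly score above which an action counts against the entity
        self.penalty = penalty
        self.recovery = recovery
        self.score = defaultdict(lambda: 1.0)

    def record_action(self, entity: str, anomaly_score: float) -> float:
        """anomaly_score in [0, 1]: how far the anomaly detection service saw the
        network state deviate from its baseline after the entity acted."""
        if not 0.0 <= anomaly_score <= 1.0:
            raise ValueError("anomaly_score must be in [0, 1]")
        current = self.score[entity]
        if anomaly_score > self.threshold:
            current = max(0.0, current - self.penalty * anomaly_score)
        else:
            current = min(1.0, current + self.recovery)
        self.score[entity] = current
        return current


def demo():
    rag = RiskAssessmentGraph()
    for name, exposure in [("ran", 0.2), ("edge-mec", 0.5), ("core", 0.1), ("slice-manager", 0.1)]:
        rag.add_component(name, exposure)
    rag.add_dependency("edge-mec", "core", 0.8)
    rag.add_dependency("ran", "core", 0.4)
    rag.add_dependency("core", "slice-manager", 0.5)
    before = rag.propagate()
    after = rag.on_incident("edge-mec")  # e.g. the RCA service attributes a breach to the MEC

    trm = ReputationManager()
    for score in (0.0, 0.9, 0.1):         # three successive actions by one controller
        trm.record_action("sdn-controller-a", score)
    return before, after, trm.score["sdn-controller-a"]


if __name__ == "__main__":
    print(demo())
```

The interesting output is the re-evaluation step: before the incident the core carries a propagated risk of 0.4 and the slice manager 0.2; once the MEC is marked compromised those become 0.8 and 0.4 without any change to their own intrinsic exposure, which is the kind of dynamic exposure the orchestrator and the SIE would consume as trust indicators.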
3.3 Inter-domain Architectural Approach
The E2E service management domain entails security functions providing this management across the different domains (C in Figure 1). To achieve this, INSPIRE-5Gplus builds on an inter-domain integration fabric (D in Figure 1). This lightweight communication bus defines message exchange interfaces, as well as message flows, at a higher level than the domain integration fabric. There are also architectural elements that reside in the cross-domain space, namely data repositories that can serve different domains. This inter-domain fabric also provides an integration interface with other operators and over-the-top (OTT) providers.
The functions in this domain act as counterparts of the corresponding ones in the domain scope. The data from a given management domain that needs to be shared with the cross-domain fabric will be collected and distributed by a special distribution function using trustable data collection based on blockchain technology. This function will interact with the domain-resident functions to provide security orchestration at the E2E level.
4 INSPIRE-5GPLUS POLICY MANAGEMENT BASED ON SSLAS
SSLAs provide the means to specify security requirements or policies and to assess or enforce their fulfillment in order to obtain the desired Quality of Service (QoS) from a security point of view. They can be selected and applied to specify the required security properties of the network slices that will be deployed, or they can be used for assessing the 5G services during operation.
4.1 Real-time SSLA monitoring and enforcement
SSLA monitoring relies on the specification of rules that represent what should happen (security properties) or what should not happen (attacks, anomalies, vulnerabilities), as well as the definition of reaction mechanisms when threats are detected and of how they should be activated (e.g. manually by the operator, or automatically by interacting with the orchestrators and controllers). Unlike traditional SLAs, which deal with network performance parameters (i.e. the bandwidth consumed or the latency offered by a service), SSLAs consider security parameters such as the correct functioning of the security services (e.g. the frequency of a security analysis such as vulnerability scanning, the delay in applying patches, the time it takes to switch instances), the integrity of the information (e.g. whether an unauthorized actor modifies a certain content), and the detection and mitigation of unwanted network traffic situations (e.g. Distributed Denial of Service attacks, or resilience to an attack, meaning that the service continues with a certain quality).
4.2 SSLAs for Network Slicing
Each slice provided by the INSPIRE-5Gplus framework has to be defined with respect to the SSLAs that specify the security properties and guarantees that are needed.
The INSPIRE-5Gplus framework manages the whole SSLA lifecycle in a slice: a) it collects security requirements from verticals/end-users; b) deploys the security controls needed to enforce the agreed SSLAs by enriching or configuring the services of the Service Providers (SPs); c) monitors the fulfillment of the SSLAs in real time; d) detects violations in the security provisioning level based on an analytics engine and notifies both end-users and Service Providers; and e) reacts in real time to adapt the provided level of security or to apply proper countermeasures.
In order to automate the SSLA lifecycle in a slice, a machine-readable format for SSLAs is adopted, based on the SPECS SSLA model extended to support slicing. This model is based on a WS-Agreement XML schema extended with security-related information, allowing the following sections to be specified in a slice term description:
• Slice resource providers, describing the available infrastructure of the resource providers (e.g. appliances, networks);
• Security capabilities required in a slice. A capability is defined as a set of security controls; in our case, the NIST Control Framework is used to specify these security controls;
• Security metrics referenced in the slice service properties and used to define Security Service Level Objectives (SLOs) in the guarantee terms section. A metric specification includes information about the metric and about how to process the SLOs, such as the metric name and definition, its scale of measurement and the expressions used to compute its value.
4.3 Network Slicing SSLA management
One of the enablers under discussion in the INSPIRE-5Gplus context is an SSLA Manager for Network Slices. Using the previously presented SSLA model (i.e. slice resource providers, slice required security capabilities and security metrics), the enabler must ensure that the SSLAs associated with the slice are fulfilled and, if they are not, apply the correct solution.
This enabler will control the complete SSLA lifecycle as long as the slices are running, so its responsibilities are:
• Based on the vertical's request, to associate the selected SSLA(s) with the chosen slice when the latter is requested to be deployed.
• Once the slice is instantiated, to deploy all the Security Functions (SFs), i.e. probes and security controls, so that the proper context elements are in place to gather data from the slice and its components (slice-subnets) for the monitoring action.
• To monitor the slice in order to determine whether the QoS from a security point of view is fulfilled by the slice as a unit and by each internal slice component.
• While the slice is running and being monitored, to apply the best of the available policies to resolve each SSLA violation that may occur.
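The monitoring loop of Sections 4.1 to 4.3 (rules stating what should hold, per-slice-subnet and slice-level assessment, and a reaction when a term is violated) can be shown end to end in code. The Python example below was written for this edited page and is not the project's SSLA Manager or the SPECS code: its XML is a deliberately simplified stand-in for the SPECS/WS-Agreement-based model with the same three sections (resource providers, capabilities as sets of NIST SP 800-53 control identifiers, metrics with SLOs in the guarantee terms), and the slice name, metric names, thresholds, probe readings and reaction names are constructed.

```python
"""Slice SSLA parsing, monitoring and reaction planning (constructed example).

Assumptions (not from the paper): the XML is a simplified stand-in for the
SPECS/WS-Agreement SSLA model; measurements and reaction names are constructed.
"""
import operator
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SSLA_XML = """\
<SSLA slice="urllc-slice-01">
  <ResourceProviders>
    <Provider id="core-mno" domain="core"/>
    <Provider id="edge-mec" domain="edge"/>
  </ResourceProviders>
  <Capabilities>
    <Capability id="vuln-mgmt" controls="RA-5,SI-2"/>
    <Capability id="ddos-protection" controls="SC-5"/>
  </Capabilities>
  <Metrics>
    <Metric name="vuln_scan_interval_hours" unit="h" scale="ratio"/>
    <Metric name="patch_delay_hours" unit="h" scale="ratio"/>
    <Metric name="ddos_mitigation_seconds" unit="s" scale="ratio"/>
  </Metrics>
  <GuaranteeTerms>
    <SLO id="slo-scan" metric="vuln_scan_interval_hours" op="le" value="168" reaction="rescan"/>
    <SLO id="slo-patch" metric="patch_delay_hours" op="le" value="72" reaction="notify"/>
    <SLO id="slo-ddos" metric="ddos_mitigation_seconds" op="le" value="30" reaction="divert_traffic"/>
  </GuaranteeTerms>
</SSLA>
"""

OPS = {"le": operator.le, "lt": operator.lt, "ge": operator.ge, "gt": operator.gt}


@dataclass(frozen=True)
class SLO:
    id: str
    metric: str
    op: str
    threshold: float
    reaction: str


@dataclass(frozen=True)
class Violation:
    slo_id: str
    scope: str        # a slice-subnet id, or "slice" for the slice as a unit
    measured: object  # the offending value, or None when no evidence was reported
    threshold: float
    reaction: str


def parse_ssla(xml_text: str):
    root = ET.fromstring(xml_text)
    providers = [p.attrib["id"] for p in root.iter("Provider")]
    capabilities = {c.attrib["id"]: c.attrib["controls"].split(",") for c in root.iter("Capability")}
    metrics = {m.attrib["name"]: m.attrib["unit"] for m in root.iter("Metric")}
    slos = []
    for s in root.iter("SLO"):
        if s.attrib["metric"] not in metrics:
            raise ValueError(f"{s.attrib['id']}: SLO references an undefined metric")
        if s.attrib["op"] not in OPS:
            raise ValueError(f"{s.attrib['id']}: unsupported operator {s.attrib['op']}")
        slos.append(SLO(s.attrib["id"], s.attrib["metric"], s.attrib["op"],
                        float(s.attrib["value"]), s.attrib["reaction"]))
    return root.attrib["slice"], providers, capabilities, metrics, slos


def evaluate(slos, measurements) -> list:
    """measurements: {subnet_id: {metric_name: value}} from the probes deployed in
    each slice-subnet. Every subnet is checked, then the slice as a unit."""
    violations = []
    for slo in slos:
        holds = OPS[slo.op]
        values = []
        for subnet, reported in measurements.items():
            if slo.metric not in reported:
                # No evidence is not compliance: escalate instead of silently passing.
                violations.append(Violation(slo.id, subnet, None, slo.threshold, "notify"))
                continue
            value = reported[slo.metric]
            values.append(value)
            if not holds(value, slo.threshold):
                violations.append(Violation(slo.id, subnet, value, slo.threshold, slo.reaction))
        if values:
            # The slice as a unit is only as good as its worst subnet.
            worst = max(values) if slo.op in ("le", "lt") else min(values)
            if not holds(worst, slo.threshold):
                violations.append(Violation(slo.id, "slice", worst, slo.threshold, slo.reaction))
    return violations


# Constructed mapping from SSLA reaction names to orchestration requests.
REACTIONS = {
    "divert_traffic": lambda v: {"target": "sdn-controller", "action": "install_flow",
                                 "scope": v.scope, "forward_to": "vScrubber"},
    "rescan": lambda v: {"target": "security-orchestrator", "action": "run_vsf",
                         "vsf": "vScanner", "scope": v.scope},
    "notify": lambda v: {"target": "policy-ssla-manager", "action": "notify",
                         "recipients": ["vertical", "service-provider"], "slo": v.slo_id},
}


def plan_reactions(violations) -> list:
    return [REACTIONS.get(v.reaction, REACTIONS["notify"])(v) for v in violations]


# Constructed probe readings; the edge subnet reports no DDoS mitigation metric at all.
MEASUREMENTS = {
    "subnet-core": {"vuln_scan_interval_hours": 120, "patch_delay_hours": 96, "ddos_mitigation_seconds": 12},
    "subnet-edge": {"vuln_scan_interval_hours": 200, "patch_delay_hours": 24},
}


def demo():
    slice_id, _providers, _caps, _metrics, slos = parse_ssla(SSLA_XML)
    violations = evaluate(slos, MEASUREMENTS)
    return slice_id, violations, plan_reactions(violations)


if __name__ == "__main__":
    for v in demo()[1]:
        print(v)
```

Two details matter for a monitor of this kind: the slice-level verdict is derived from the worst subnet rather than an average, so a single lagging subnet fails the slice, and a subnet that reports no value for a metric raises a notification rather than passing, since the absence of monitoring evidence is itself something the SSLA owner must hear about.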
5 BUILDING SECURITY ON TOP OF ETSI'S ZSM
INSPIRE-5Gplus defines its zero-touch security approach to network and service automation based on ETSI's ZSM framework [14]. The ZSM framework's reference architecture is designed to enable fully automated network and service management in multi-domain environments that include operations across legal operational boundaries [6]. As illustrated in Figure 2, the ZSM architecture comprises multiple management domains (MDs), including the E2E service MD, intra- and cross-domain integration fabrics, and cross-domain data services. Each MD is responsible for the intelligent automation of the management and orchestration of resources and services within its scope. The E2E service MD is a special MD that manages E2E, customer-facing services across multiple administrative domains. It is worth mentioning that decoupling the MDs from the E2E service MD reduces the overall system's complexity and allows the independent evolution of domains and E2E management operations. Each MD, including the E2E service MD, encompasses several management functions grouped into logical groups (e.g., domain collection services, domain analytics services, domain intelligence services, domain control services and domain orchestration services) and supplies a set of management services via service interfaces. The services are provided and consumed through either the intra-domain integration fabric (for services local to a domain) or the cross-domain integration fabric (for services that can be exposed cross-domain). The cross-domain data services facilitate access to data and its cross-domain exposure. The data can be used by intelligence services to enable AI-based closed-loop automation at domain level and cross-domain.
Figure 2: The ZSM Reference Architecture [6]. (Figure content: domain managed infrastructure resources (physical, virtual, XaaS); per-domain management functions for Domain Data Collection, Domain Analytics, Domain Intelligence, Domain Control and Domain Orchestration, plus Data Services, connected over a Domain Integration Fabric; an E2E Service Management Domain with E2E Data Collection, E2E Analytics, E2E Intelligence and E2E Orchestration; Cross-domain Data Services and a Cross-Domain Integration Fabric; ZSM framework consumers such as a Digital Storefront, BSS Applications or another ZSM Framework Instance; legend distinguishing interfaces from closed loops.)
In INSPIRE-5Gplus, the ZSM framework architecture is extended by adding security modules that integrate at the End-to-End service management domain level and at each management domain level, so that the ZSM concept can span multiple domains in parallel.
Working beyond 5G to provide liable end-to-end 5G services means considering an inter-operator and cross-domain environment. The ZSM architecture can be extended by integrating and relying on closed-loop automation. The INSPIRE-5Gplus approach adopts
ARES 2020, August 25–28, 2020, Virtual Event, Ireland
existing closed-loop concepts to allow the definition of specific security-oriented closed loops.
End-to-End operations can also involve several operators, where each of them can be seen as a management domain. This greatly simplifies the technical actions and allows the ZSM concept to be mapped smoothly onto 5G. Nonetheless, multi-operator environments depend on political issues that complicate the straightforward mapping between architectures. As such, considering the ZSM end-to-end management domain as a single operator brings the desired independence from how the ZSM architecture is finally implemented by an operator. Maintaining the capability of providing multi-operator end-to-end secure 5G services requires defining the interfaces that allow interaction between the operators or even other OTT providers and third parties. From INSPIRE-5Gplus' point of view, these interactions, interfaces, and service producers and consumers need to be attached to the cross-domain integration fabric (as shown in Figure 1). This interaction is foreseen to be defined and provided through SSLAs, giving the operators the freedom to decide how to finally implement the enforcement of the requested SSLAs.
Distributed liability is tightly tied to the concept of Distributed Ledger Technology (DLT) and to how auditing of chain modifications can be enforced. These DLTs may be operated by Stewards [13], which are nodes capable of participating in the validation process and maintaining the DLT, providing stability aligned with the operator's interests. Some security functions may need a higher degree of liability on the data being consumed by the Data Services at any level (domain, cross-domain or end-to-end) of the ZSM architecture. Therefore, INSPIRE-5Gplus defines the Trustable Data Collection as the data produced and processed or analysed by the security architecture.
The criticality of and attack vectors on ZSM are introduced and exposed in Section 6.2.1 to provide the relation between liability and ZSM.
6 LIABILITY
As zero-risk security cannot be achieved, defining liability and responsibilities when security breaches occur is of paramount importance to support confidence between parties and compliance with regulation.
Following the example of the "Y2k Act" [20] in the US, one can assume that legal and financial responsibility in 5G contexts will have to be distributed proportionately among any liable companies, and claimants will need solutions to gather proofs of any malfunction or wrongdoing. However, with 5G worldwide deployment, multiple stakeholders with different requirements and security levels will interact, and complex interconnections of hardware, software and plane levels (e.g., data or control planes) will hinder the assessment of each stakeholder's liabilities.
INSPIRE-5Gplus aims at defining new mechanisms to allow liable end-to-end delivery of 5G services, defining and enforcing liabilities as well as detecting cases of security breaches. This section details how INSPIRE-5Gplus plans to leverage manifests and TEEs as cornerstones of these mechanisms.
6.1 Liabilities formalization with manifests
Opening up infrastructure to third parties, such as IoT devices or VNF providers, outside of direct and bilateral contractual relationships raises questions regarding the responsibilities of the infrastructure operator. Indeed, while it has no prior trust relationship with these third parties and no control or guarantees over the third-party components that will be loaded into its infrastructure, the operator always bears the cost, impact and image consequences of the risks towards its customers and users.
This problem, already encountered for mobile devices [10] and web services [11], can be solved by formalizing mutual obligations and benefits through a manifest [12].
The INSPIRE-5Gplus manifest shall generalize the notion of 5G components to include VNFs, IoT or physical equipment, with or without hosting capacities, and leverage existing descriptions such as MUD profiles [16], SUIT manifests [18] or NFV manifests [1].
As depicted in Figure 3, the INSPIRE-5Gplus manifest shall define and assign different levels of responsibilities. It shall be modular and follow the 5G infrastructure component throughout its lifecycle:
• Manufacturing. The manufacturer builds the component using building blocks provided by software editors, hardware manufacturers or Service Providers. The manufacturer provides a first version of the manifest based on the description of features and preliminary usage recommendations.
• Testing. The validator tests the component and evaluates risks and compliance with applicable requirements. Based on its observations, the validator can add properties or describe controls or requirements, called usage constraints, that need to be enforced by the infrastructure operator to guarantee normal functioning or avoid exploitation of a known vulnerability.
• Listing. The infrastructure operator lists the component in its Catalog and may perform additional tests. It identifies operation constraints, similar to usage constraints, except that they express conditions to comply with specific infrastructure requirements, company policy or local regulation and are not available to other stakeholders.
• Deploying. The infrastructure operator uses the manifest to decide whether to use the Component in a particular subset of its infrastructure and under which conditions.
• Exploiting. The infrastructure operator uses the Manifest to decide whether and how to observe and manage the Component. It can also be used as a baseline to define expected behavior for monitoring.
Thus, each stakeholder is able to express its commitments and expectations from other parties. In turn, this will help 5G infrastructure operators to formalize their risks and take decisions in order to manage the level of risk of their infrastructure. A perspective of this work is to propose organizational and technical mechanisms that allow infrastructure operators to publish their extensions to manifests, and experts or risk managers from authorized stakeholders to share information.
6.2 Secured slicing main threats and security assets
Figure 3: Lifecycle of a 5G component and its manifest
6.2.1 Threats on slices and ZSM criticality. Security threats on a slice are listed below (generic, basic and non-exhaustive threats):
• User or service impersonation.
• DoS or degradation of quality of service.
• Loss of data integrity and confidentiality.
• Slice isolation loss (cross-slice data transfer or inference).
• Lack of non-repudiation and attribution.
Regarding the attack modus operandi, attacks are either mounted from a payload (an application embedded in a container or Virtual Machine (VM)) or from a poor security parameter configuration, typically exposing the processing memory to malicious eyes (on the cloud-based machine). Attacks can exploit a vulnerability in one of the executed applications (VNF or CNF) or exploit system configuration vulnerabilities introduced by weak policy enforcement. ETSI ZSM is designed with the motivation of delivering secured slices (end-to-end single-domain or cross-domain slices). To reach that goal, ZSM orchestrates all resources and security functions where they must be implemented. As stated by the ETSI ZSM working group, automatic management functions must feature the highest trustworthiness, as their decisions impact the security of all slices with respect to any of the key threats given above.
There are three main core security assets for secure slicing: TEE, Trusted Processing Modules and kernel-level virtualization techniques. These solutions bring different security guarantees and operational features and can be used either independently or in combination. We will specifically focus on how TEE can be used to bring more security on top of the other two.
6.2.2 TEE and secure slicing. The TEE concept is to deliver isolation to a process (an application and its data) against any other process, including the operating system or any other kernel modules. In fact, the original goal of processor manufacturers with TEE is to deliver full trustworthiness to cloud processing and to address the legitimate security concerns raised when transferring critical processing and data to an external party. TEE creates fully isolated silos that no one can violate, including high-privilege supervisors. TEE could be viewed as a key asset of slice isolation, as it delivers isolation to the slice process. In practice, however, various practical reasons (TEE market fragmentation, workflow and performance) and even a security motivation coincide to discourage using TEE for sheltering complete slices. Instead, it shall be used judiciously on a restricted, safe code perimeter, typically the one dealing with slice security. Slice VSFs are good candidates for being processed, at least in part, within a TEE. To the best of our knowledge and as of today, the ideal balance and efficient modus operandi to leverage TEE in SDN networking is still to be defined (as in other domains).
6.2.3 Remote attestation by TPM. Remote attestation is a technique that has gained momentum in Telco NFV environments because it generates trust and liability for the NFVI and VNFs. Indeed, this technology has been standardized by the ETSI NFV-SEC group as a clear statement of intent for its adoption. Remote attestation is another strong asset for secure slicing, as it makes certain that the deployed software (including the kernel) is as expected. It is in fact an imperative step to take for secure slicing. Remote attestation leverages Trusted Processing Modules (TPM), separate chipsets dedicated to checking software integrity and capable of creating a chain of trust over any software modules successively loaded and then executed. TPM-based Remote Attestation is an essential pillar to construct software trust in ZSM. TPM integrity, however, does not cover the memory footprint of the process (only the cold-storage file). Introspection attacks subverting in-memory process integrity during run time are possible.
This security threat is where TEE brings an extra security edge.
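The measure-and-extend chain that remote attestation rests on, and the limitation just described, as an added simulation that is not code from the paper or from the INSPIRE-5Gplus project: each component is hashed before it is loaded, the hash is written to an event log and folded into a PCR register (PCR_new = H(PCR_old || measurement)), and the verifier replays the log against golden values to check that it reproduces the quoted PCR. The component images, the event-log format and the verifier are constructed for the example, and the TPM's signature over the quote is assumed to be checked elsewhere.

```python
# Added example (not INSPIRE-5Gplus project code): a simulation of the TPM
# measure-and-extend chain behind remote attestation, and of the limitation
# that it only covers what was measured at load time. All component images,
# the event-log format and the verifier are constructed for illustration.
import hashlib
from typing import Dict, List, Tuple

PCR_INIT = b"\x00" * 32          # a PCR starts at zero after reset


def measure(image: bytes) -> bytes:
    """Measurement of a software component: the hash of its on-disk image."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR_new = H(PCR_old || measurement). The register cannot be
    set directly, so the final value commits to the whole ordered chain."""
    return hashlib.sha256(pcr + measurement).digest()


def boot_and_measure(components: List[Tuple[str, bytes]]):
    """Measured boot: hash each component before loading it, record the hash in
    the event log and extend the PCR. Returns (pcr, event_log)."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        m = measure(image)
        log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, log


def verify_quote(quoted_pcr: bytes, event_log: List[Tuple[str, str]], golden: Dict[str, str]):
    """Attestation verifier (simplified: the TPM signature over the quote is
    assumed already checked). Replays the log against golden measurements and
    checks that the replay reproduces the quoted PCR value."""
    pcr = PCR_INIT
    for name, m_hex in event_log:
        if golden.get(name) != m_hex:
            return False, f"unexpected measurement for {name}"
        pcr = extend(pcr, bytes.fromhex(m_hex))
    if pcr != quoted_pcr:
        return False, "event log does not reproduce the quoted PCR"
    return True, "ok"


# Constructed component images standing in for a kernel and a VNF binary.
KERNEL_IMAGE = b"vmlinuz-constructed-v1"
VNF_IMAGE = b"firewall-vnf-constructed-v1"
GOLDEN = {"kernel": measure(KERNEL_IMAGE).hex(), "firewall-vnf": measure(VNF_IMAGE).hex()}


def attest_scenarios():
    """Three scenarios: clean boot, tampered image on disk, in-memory tampering.
    Returns the verifier's verdict for each as a tuple of booleans."""
    clean_pcr, clean_log = boot_and_measure([("kernel", KERNEL_IMAGE), ("firewall-vnf", VNF_IMAGE)])
    clean_ok, _ = verify_quote(clean_pcr, clean_log, GOLDEN)

    # A modified image is measured before load, so the quote no longer matches.
    bad_pcr, bad_log = boot_and_measure([("kernel", KERNEL_IMAGE), ("firewall-vnf", VNF_IMAGE + b"-patched")])
    disk_tamper_ok, _ = verify_quote(bad_pcr, bad_log, GOLDEN)

    # Process memory changed after load: nothing re-measures it, so the PCR and
    # log are unchanged and the quote still verifies. This is the gap the
    # paper assigns to TEE-based run-time integrity.
    process_memory = bytearray(VNF_IMAGE)
    process_memory[0] ^= 0xFF
    runtime_tamper_ok, _ = verify_quote(clean_pcr, clean_log, GOLDEN)
    return clean_ok, disk_tamper_ok, runtime_tamper_ok


if __name__ == "__main__":
    print("clean=%s disk_tamper=%s runtime_tamper=%s" % attest_scenarios())
```

The third scenario is the point of the paragraph above: the verdict stays positive because the PCR reflects the on-disk image at load time, not the process memory afterwards.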
6.2.4 Kernel level isolation by virtualization. The future of cloud infrastructure will leverage either lightweight hardware-level virtualization (a.k.a. a lightweight virtual machine that embarks one single, bare-minimal guest kernel) or operating-system-level virtualization (a.k.a. containers). Both technologies are backed by intense research and industrial deployments by IT leaders (Intel, IBM, Amazon and Google among others), resulting from internal developments and first production deployments. The relative strengths of the two techniques are generally accepted as follows: virtual machines bring higher process isolation and deployment flexibility, but at a higher memory cost (i.e., replication of different feature-rich guest operating systems in each VM), and are slower to start. However, none of these techniques protects against a malicious operator with root access credentials. This is where TEE could bring extra security, but with its own difficulties and limitations, as stated below. A collateral area of research is to protect the system-call (container to host) or hyper-call (virtual machine to hypervisor) filtering policy enforcement module. Enforcing the policy management inside a TEE is the ultimate security scheme.
6.2.5 Workflow difficulties in using TEE. TEEs are undeniably strong security enablers, but the obstacles to using them are several and serious. They relate to the performance overhead, the effort to set up, the compilation requirements and the source-level code changes required (for the emblematic Intel SGX at least). More importantly, they are not cross-compatible. Typically, cloud deployment of a TEE-protected VNF becomes troublesome, as the VNF will run only on a special type of processor. Abstraction-layer frameworks break this fragmentation with a unique API-based setup. In the meantime, easier setup frameworks targeting specifically Intel SGX have emerged. Simplification and abstraction come with higher performance impact and lower security, as they distort the vendors' architectural designs. At INSPIRE-5Gplus, we will work on the workflow aspect, as we consider that this is a crucial aspect for adoption. We do this without distorting Intel's small-size Trusted Computing Base (TCB, i.e., the size of code and data inserted in the TEE) concept, which radically diverges from AMD's complete VM insertion (i.e., an extra-large TCB).
6.2.6 Liability shortcomings by use of TEE. An important aspect to keep in mind with TEE is that it does not cope with vulnerabilities. Vulnerable code inside a TEE is exactly as vulnerable as it is outside the TEE. A TEE is in fact the best place for an exploit to hide, as it will not be revealed by binary scanners. This drawback can only be minimized by inserting only safe code there. No formal proof (if it would bring a trust guarantee) has been delivered for any system code dealing with TEE. However, this system code has obviously been carefully specified and crafted by the processor vendor's security architects. As a TEE contains any selected application code, the best practice is to limit the code size. Hence, the low-TCB (i.e., small code size) scheme developed with Intel SGX is interesting. Conversely, one should look carefully at new, easier TEE setup frameworks, which tend to expand the TCB dramatically.
6.2.7 Non-repudiation and attribution. Slice creation and definition requires secure interactions between multiple actors from (potentially) multiple administrative domains (e.g., RAN, 5G core or Edge) to provide vertical-oriented activities over public and non-public networks. Those interactions, and the actions derived from them, need to be performed by a verifiable and trustable orchestration and control stack that oversees request-response messages between actors and components. In order to have some liability in the slice implementation, non-repudiation and attribution mechanisms need to be defined and integrated into the platform for those messages. The non-repudiation principle is the ability to demonstrate that a message has originated from its trustworthy sender, thereby creating a consistent timeline when relating it to previous messages of the same conversation. That ability provides the means for external verification, which in turn leads to system auditability and liability. One promising technique is using permissioned DLTs to provide a trusted store for the trusted message interaction history.
6.2.8 Path proofs. If we think in terms of the dynamicity of 5G resource allocation, multiple slices per user or per service and multiple distributed locations, then it will be necessary to provide trust in the implementation of the service function chain (SFC) that connects multiple intermediate nodes (some of them outside the control of the operator). Proof of the traffic paths can be defined as complementary to the TEE-based isolation technology, ensuring that the routing paths in the data plane cross the critical nodes within the SFC (e.g., a firewall). To address this problem, a new standard definition, the proof-of-transit technique [8], is being developed within the IETF to verify that a packet traverses the predefined list of nodes. The steps described in the IETF's PoT working group can be summarized as follows. A centralized entity (i.e., the INSPIRE-5Gplus security orchestrator) creates a secret and uses the Shamir Secret Sharing (SSS) cryptographic method to create a set of shares of the secret. The property of this mechanism is that the original secret can only be reconstructed if all the shares are combined together. The orchestrator prepares a set of metadata based on the previous algorithm and distributes it to all nodes involved in the data path. The first node designated in the path, when it receives a packet, adds a header based on the metadata received before delivering the packet. Each node in the data path verifies incoming packets, alters the metadata to add its share of the information and forwards the packet. The last node in the path makes the final verification and delivers the packet without metadata. This mechanism can be enhanced to verify the order of the nodes being traversed with additional techniques [3].
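The steps just summarized, carried through as an added example that is not code from the paper, from the INSPIRE-5Gplus project or from the IETF draft [8], and that simplifies the draft's scheme: the controller picks a secret polynomial whose constant term is the secret and hands each node one point on it together with its Lagrange constant for x = 0; a second polynomial with public non-constant coefficients gets a fresh constant term RND from the ingress node for every packet, so that the cumulative value a node adds cannot be replayed across packets; each node adds its share of both polynomials, and the egress node checks that the cumulative value equals SECRET + RND, which holds only when every node contributed exactly once. The field prime, the metadata layout, the controller/node/packet roles and the deterministic generator used for repeatable runs are constructed assumptions.

```python
# Added example (not INSPIRE-5Gplus project code; a simplification of the IETF
# proof-of-transit scheme): Shamir-secret-sharing-based proof of transit. The
# field prime, the metadata layout and the roles are constructed for illustration.
import secrets
from typing import Callable, Dict, List

P = (1 << 61) - 1   # prime field for the polynomials (constructed choice)


def poly_eval(coeffs: List[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_const(xs: List[int], i: int) -> int:
    """Lagrange basis constant of node i at x = 0: prod_{j != i} x_j / (x_j - x_i) mod P."""
    num = den = 1
    for j, xj in enumerate(xs):
        if j != i:
            num = num * xj % P
            den = den * (xj - xs[i]) % P
    return num * pow(den, P - 2, P) % P   # P is prime, so den^(P-2) is its inverse


def lcg_rand(seed: int) -> Callable[[int], int]:
    """Deterministic stand-in for secrets.randbelow, for repeatable demos only
    (constructed; never use this in a real deployment)."""
    state = [seed]

    def rand(p: int) -> int:
        state[0] = (state[0] * 6364136223846793005 + 1442695040888963407) % (1 << 64)
        return state[0] % p
    return rand


def controller_setup(n_nodes: int, rand: Callable[[int], int] = secrets.randbelow):
    """Controller (e.g. the security orchestrator) side. POLY-1 is secret: its
    constant term is SECRET and each node receives one point on it. POLY-2's
    non-constant coefficients are public; its constant term RND is chosen per packet.
    Both polynomials have degree n-1, so exactly n shares interpolate them."""
    degree = n_nodes - 1
    poly1 = [rand(P) for _ in range(degree + 1)]
    poly2_public = [rand(P) for _ in range(degree)]
    xs = list(range(1, n_nodes + 1))
    nodes = [{"x": x, "y1": poly_eval(poly1, x), "lpc": lagrange_const(xs, i)}
             for i, x in enumerate(xs)]
    controller = {"secret": poly1[0], "poly2_public": poly2_public}
    return controller, nodes


def ingress_metadata(rand: Callable[[int], int] = secrets.randbelow) -> Dict[str, int]:
    """First node: fresh RND for this packet; cumulative value CML starts at zero."""
    return {"rnd": rand(P), "cml": 0}


def node_process(node: Dict[str, int], poly2_public: List[int], meta: Dict[str, int]) -> Dict[str, int]:
    """Each node adds its share of POLY-1 and POLY-2, weighted by its Lagrange constant."""
    y2 = poly_eval([meta["rnd"]] + poly2_public, node["x"])
    meta["cml"] = (meta["cml"] + (node["y1"] + y2) * node["lpc"]) % P
    return meta


def egress_verify(controller: Dict, meta: Dict[str, int]) -> bool:
    """Last node: all n shares interpolate POLY-1(0) + POLY-2(0) = SECRET + RND.
    A skipped or duplicated node leaves CML off that value (barring a ~1/P fluke)."""
    return meta["cml"] == (controller["secret"] + meta["rnd"]) % P


def simulate_path(controller, nodes, order: List[int], rand=secrets.randbelow) -> bool:
    """Send one packet through nodes[order[0]], nodes[order[1]], ... and verify at egress."""
    meta = ingress_metadata(rand)
    for idx in order:
        meta = node_process(nodes[idx], controller["poly2_public"], meta)
    return egress_verify(controller, meta)


if __name__ == "__main__":
    ctl, path = controller_setup(4)
    print("all nodes:", simulate_path(ctl, path, [0, 1, 2, 3]))
    print("node 2 skipped:", simulate_path(ctl, path, [0, 1, 3]))
```

Because the shares are summed, the check is order-insensitive: a packet that visits the same set of nodes in a different order still verifies, which is exactly the gap the ordering extensions cited in the paragraph above address.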
6.3 INSPIRE-5Gplus TEE special focus
For the avoidance of confusion, TEEs do not remove software vulnerabilities, which remain exploitable even if the code is within the TEE. Other points that need to be stressed about TEE follow:
• Remote code attestation is the baseline security for ZSM, bringing a guarantee that, at least, the loaded code (i.e., CNF, VNF) corresponds to what it is supposed to be. It is not enough, however, to ensure that running code has not been tampered with (locally, through code introspection) once duly loaded and after the attestation verification check, through process memory access and violation. At INSPIRE-5Gplus, we will consider bringing a zero-touch integrity solution that checks any application during run time. For that, we are considering the interesting work of [19], which leverages Intel SGX and a distant remote attestation server. Our approach will be focused on a stand-alone (local) layout, as a loss of the transmission link to the remote verification server could become an attack path.
• The virtualization technique domain is full of competing emerging technologies for hardening containers and virtual machines, solving the equation of isolation versus overhead. System calls between the payload and the host are where maximum control shall be placed. The security policy monitor can possibly be tampered with or abused. At INSPIRE-5Gplus, we will devise a (syscalls/hypercalls) security policy monitor under the shielding of Trusted Execution.
• ZSM centralized management functions highly expose new security risks. These functions, whether based on ML or on traditional empirical status analysis for decision taking, must be protected against all types of attacks, including introspection by a highly capable malicious maintenance operator with root access on the machine. The probability of suffering that kind of attack worsens with VM and container escapes derived from kernel-land vulnerabilities, among others. Against all of these introspection attacks (either directly triggered from the host or from a malicious payload), TEEs are efficient barriers. Guarding a ZSM function inside a TEE is a question of design by a security architect, who shall identify which parts deserve more security and at which acceptable performance impact. This work can be done with or without ML-based orchestration. Hardening ML is a concern of many and is addressed at the ETSI Secure AI working group. This matter will be duly considered in INSPIRE-5Gplus.
7 CONCLUSIONS
The architecture presented focuses on introducing zero-touch secure operations into 5G, leveraging novel techniques such as AI, TEE or DLT. The ANSMO-like management of such an automated architecture justifies the integration of security functions and components inside ZSM and the use of SSLAs to extend the traditional concept, securing and hardening the QoS provisioning promised by 5G. There is no bullet-proof solution; therefore liability is mandatory to enforce obligations and pursue offenders.
INSPIRE-5Gplus is now on the verge of starting the integration of the different enablers described in the previous sections and will continue evolving the architecture and deepening into the solutions mentioned above and those yet to come.
ACKNOWLEDGMENTS
The research leading to these results received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement no 871808 (5G PPP project INSPIRE-5Gplus). The paper reflects only the authors' views. The Commission is not responsible for any use that may be made of the information it contains.
REFERENCES
[1] [n. d.]. ETSI GS NFV-SOL007 Network Service Descriptor File Structure Specification. ([n. d.]). https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/007/02.06.01_60/gs_NFV-SOL007v020601p.pdf
[2] 5G PPP Security Work Group. 2017. 5G PPP Phase 1 Security Landscape. Technical Report. 5G PPP Security WG. 1–68 pages. https://5g-ppp.eu/wp-content/uploads/2014/02/5G-PPP_White-Paper_Phase-1-Security-Landscape_June-2017.pdf https://5g-ppp.eu/new-security-group-5g-ppp-white-paper-phase-1-security-landscape/
[3] A. Aguado, D. R. Lopez, A. Pastor, V. Lopez, J. P. Brito, M. Peev, A. Poppe, and V. Martin. 2020. Quantum cryptography networks in support of path verification in service function chains. IEEE/OSA Journal of Optical Communications and Networking 12, 4 (2020), B9–B19.
[4] Silvia Lins, Allan Vidal, Pedro Henrique Gomes. 2018. Next stop: Zero-touch automation standardization. https://www.ericsson.com/en/blog/2018/11/next-stop-zero-touch-automation-standardization. (2018). [Online; accessed 04-June-2020].
[5] Chaka Benzaid and Tarik Taleb. 2020. AI-driven Zero Touch Network and Service Management in 5G and Beyond: Challenges and Research Directions. IEEE Network 34, 2 (2020), 186–194.
[6] C. Benzaid and T. Taleb. 2020. ZSM Security: Threat Surface and Best Practices. IEEE Network Magazine 34, 3 (May/June 2020), 124–133.
[7] Gregory Blanc, Nizar Kheir, Dhouha Ayed, Vincent Lefebvre, Edgardo Montes de Oca, and Pascal Bisson. 2018. Towards a 5G Security Architecture. (2018), 1–8. https://doi.org/10.1145/3230833.3233251
[8] Frank Brockners, Shwetha Bhandari, Tal Mizrahi, Sashank Dara, and Stephen Youell. 2020. Proof of Transit. Internet-Draft draft-ietf-sfc-proof-of-transit-05. Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/draft-ietf-sfc-proof-of-transit-05 Work in Progress.
[9] China Unicom, Deutsche Telekom, DOCOMO, NTT, Sprint, Telefonica. 2017. Zero-touch Network and Service Management - Introductory White Paper. ZSM Operator white paper. (2017). https://portal.etsi.org/Portals/0/TBpages/ZSM/Docs/ZSM%20Operator%20white%20paper.pdf?ver=2017-12-07-142037-453 Accessed on 25.05.2020.
[10] G. Costa, N. Dragoni, A. Lazouski, F. Martinelli, F. Massacci, and I. Matteucci. 2010. Extending Security-by-Contract with Quantitative Trust on Mobile Devices. In 2010 International Conference on Complex, Intelligent and Software Intensive Systems. 872–877.
[11] Nicola Dragoni and Fabio Massacci. 2007. Security-by-contract for web services. SWS (2007).
[12] N. Dragoni, F. Massacci, C. Schaefer, T. Walter, and E. Vetillard. 2007. A Security-by-Contract Architecture for Pervasive Services. In Third International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU 2007). 49–54.
[13] P. Dunphy and F. A. P. Petitcolas. 2018. A First Look at Identity Management Schemes on the Blockchain. IEEE Security Privacy 16, 4 (2018), 20–29.
[14] ETSI INDUSTRY SPECIFICATION GROUP (ISG) ZERO TOUCH NETWORK AND SERVICE MANAGEMENT (ZSM). 2019. Zero-touch network and Service Management (ZSM); Reference Architecture. ETSI GS ZSM 002 V1.1.1. (2019). https://www.etsi.org/deliver/etsi_gs/ZSM/001_099/002/01.01.01_60/gs_ZSM002v010101p.pdf Accessed on 24.05.2020.
[15] European Telecommunications Standards Institute. 2013. Network Functions Virtualisation (NFV); Terminology for Main Concepts in NFV. 1, GS NFV 003 V1.1.1 (2013), 1–13. https://doi.org/DGS/NFV-0011
[16] Eliot Lear, Ralph Droms, and Dan Romascanu. 2019. RFC 8520 - Manufacturer Usage Description Specification. https://tools.ietf.org/html/rfc8520, last visited on 31 07 2019. (March 2019). https://tools.ietf.org/html/rfc8520#page-5
[17] Rafael Lopez, Gabriel Lopez-Millan, and Fernando Pereniguez-Garcia. 2020. Software-Defined Networking (SDN)-based IPsec Flow Protection. Internet-Draft draft-ietf-i2nsf-sdn-ipsec-flow-protection-08. IETF Secretariat. http://www.ietf.org/internet-drafts/draft-ietf-i2nsf-sdn-ipsec-flow-protection-08.txt
[18] B. Moran, H. Tschofenig, and H. Birkholz. 2019. SUIT CBOR manifest serialisation format (draft). (July 2019). https://www.ietf.org/archive/id/draft-moran-suit-manifest-05.txt
[19] M. Morbitzer. 2019. Scanclave: Verifying Application Runtime Integrity in Untrusted Environments. 2019 IEEE 28th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE) (2019).
[20] Dylan Mulvin. 2020. The legal and political battles of Y2K. IEEE Annals of the History of Computing (2020).
... 5G-ENSURE involved partners defined trust as a decision to accept (or not) risks arising from one or more threats by means of their Trust Builder tool. Another EU research project focused on trust establishment is INSPIRE-5G Plus [15]. Its project consortium is working on an automated end-to-end security management framework that allows not only protection but also trustworthiness in managing 5G cross-domains scenarios. ...
... In that sense, most of the analyzed frameworks focus on IoT scenarios, and only Suomalainen et al. in [28] apply the framework to 5G and network slicing environments. Nevertheless, they also do not consider a zero-touch automated approach as the rest of frameworks presented in Section 2. Given that automation is clearly the path for future frameworks [60], the one presented in this article considers the automation of security and trust frameworks for 5G and beyond 5G, just as other under development frameworks in INSPIRE-5G Plus [15] and MonB5G [16] projects. Furthermore, this path involves many technical improvements regarding AI and network orchestration, such as the integration of AI and orchestration softwares, model optimization for real-time data processing, or the application and development of new algorithms. ...
Article
Full-text available
With the expansion of 5G networks, new business models are arising where multi-tenancy and active infrastructure sharing will be key enablers for them. With these new opportunities, new security risks are appearing in the form of a complex and evolving threat landscape for 5G networks, being one of the main challenges for the 5G mass rollout. In 5G-enabled scenarios, adversaries can exploit vulnerabilities associated with resource sharing to perform lateral movements targeting other tenant resources, as well as to disturb the 5G services offered or even the infrastructure resources. Moreover, existing security and trust models are not adequate to react to the dynamicity of the 5G infrastructure threats nor to the multi-tenancy security risks. Hence, we propose in this work a new security and trust framework for 5G multi-domain scenarios. To motivate its application, we detail a threat model covering multi-tenant scenarios in an underlying 5G network infrastructure. We also propose different ways to mitigate these threats by increasing the security and trust levels using network security monitoring, threat investigation, and end-to-end trust establishments. The framework is applied in a realistic use case of the H2020 5GZORRO project, which envisions a multi-tenant environment where domain owners share resources at will. The proposed framework forms a secure environment with zero-touch automation capabilities, minimizing human intervention.
... They leveraged the characteristics of blockchain technology such as smart contracts and distributed ledger technologies to enhance the security amongst non-trusted parties. A hypothetical architecture for E2E security management in 5G networks based on ZSM principles was proposed in [128]. Their hypothetical framework leverages the characteristics of distributed ledgers, ML, and a trusted execution environment to achieve the desired security levels and meet the requirements of security service level agreements. ...
Article
Full-text available
Faced with the rapid increase in smart Internet-of-Things (IoT) devices and the high demand for new business-oriented services in the fifth-generation (5G) and beyond network, the management of mobile networks is getting complex. Thus, traditional Network Management and Orchestration (MANO) approaches cannot keep up with rapidly evolving application requirements. This challenge has motivated the adoption of the Zero-touch network and Service Management (ZSM) concept to adapt the automation into network services management. By automating network and service management, ZSM offers efficiency to control network resources and enhance network performance visibility. The ultimate target of the ZSM concept is to enable an autonomous network system capable of self-configuration, self-monitoring, self-healing, and self-optimization based on service-level policies and rules without human intervention. Thus, the paper focuses on conducting a comprehensive survey of E2E ZSM architecture and solutions for 5G and beyond networks. The article begins by presenting the fundamental ZSM architecture and its essential components and interfaces. Then, a comprehensive review of the state-of-the-art for key technical areas, i.e., ZSM automation, cross-domain E2E service lifecycle management, and security aspects, are presented. Furthermore, the paper contains a summary of recent standardization efforts and research projects toward the ZSM realization in 5G and beyond networks. Finally, several lessons learned from the literature and open research problems related to ZSM realization are also discussed in this paper.
... Zero Touch Network and Service Management (ZSM) was established by ETSI to achieve selfmanaging capabilities. ZSM reference architecture aims to specify an E2E service and network management services that are fully automated, without the intervention of humans [109]. ...
Preprint
When 5G began its commercialisation journey around 2020, the discussion on the vision of 6G also surfaced. Researchers expect 6G to have higher bandwidth, coverage, reliability, energy efficiency, lower latency, and, more importantly, an integrated "human-centric" network system powered by artificial intelligence (AI). Such a 6G network will lead to an excessive number of automated decisions made every second. These decisions can range widely, from network resource allocation to collision avoidance for self-driving cars. However, the risk of losing control over decision-making may increase due to high-speed data-intensive AI decision-making beyond designers and users' comprehension. The promising explainable AI (XAI) methods can mitigate such risks by enhancing the transparency of the black box AI decision-making process. This survey paper highlights the need for XAI towards the upcoming 6G age in every aspect, including 6G technologies (e.g., intelligent radio, zero-touch network management) and 6G use cases (e.g., industry 5.0). Moreover, we summarised the lessons learned from the recent attempts and outlined important research challenges in applying XAI for building 6G systems. This research aligns with goals 9, 11, 16, and 17 of the United Nations Sustainable Development Goals (UN-SDG), promoting innovation and building infrastructure, sustainable and inclusive human settlement, advancing justice and strong institutions, and fostering partnership at the global level.
... Ortiz et al. [47] considered TEEs as a game-changing technology in the security of virtualized environments in 5G networks, mainly in integrity and confidentiality perspectives. Here, TEEs are envisioned as a solution for virtual machine or container isolation mechanisms, preventing introspection attacks into the host machine. ...
Chapter
With the deployment of 5G networks and the beginning of the design of beyond 5G communications, new critical requirements are emerging in terms of performance, security, and trust for leveraged technologies, such as Software Defined Networking (SDN) and Network Function Virtualization (NFV). One of the requirements at the security and trust level is that when delegating critical tasks and data to the infrastructure deployed in an external domain, the client needs guarantees that the execution has been carried out securely, without data breaches or compromises during computing tasks. To meet this need, this chapter proposes a framework that uses Trusted Execution Environments (TEEs), processing environments isolated from the rest of the system to guarantee the security of the data and tasks processed in them, in order to improve the security of 5G environments. This framework enables the deployment of TEE as a cloud service, also denoted as TEE-as-a-Service or TEEaaS, allowing customers to take advantage of its benefits without having to deal with the configuration of the environment and hardware. Furthermore, this chapter also discusses current trends as well as future challenges related to the deployment of TEEs in 5G environments, providing key aspects for future solutions in the area.
... The 5G E2E user services may draw physical resources (5G devices, radio access nodes, edge cloud nodes, core network nodes and related links) from multiple tenants in a way that is transparent to the user [39]. However, with the expansion of 5G technology enablers and the diversity of services provided in a multi-operator/multi-tenant environment, security issues are expected to worsen, particularly among heterogeneous systems [24]. Thus, in addition to the need for security support of 5G E2E services involving multiple stakeholders, and knowing that risk can rarely be reduced to zero, it is imperative to define liability in case of a security incident. ...
Article
Network slicing is promising to provide the most cost-effective way of supporting 5G and beyond End-to-End (E2E) services in a multi-domain/multi-tenant environment. However, security issues are expected to worsen. Indeed, a 5G E2E service could be provided with the participation of multiple stakeholders, each deploying its own security mechanism, which would reduce the flexibility and efficiency that are supposed to characterize 5G services. Also, fierce competition for market share may lead some stakeholders to cheat in the processing of individuals' data and thus infringe on privacy, and undermine the trust between stakeholders. Public Key Cryptography is widely used, where the main challenge is how to ensure the authenticity of cryptographic keys. Thus, a trusted third party is the most common way to assure the binding of a public-private key pair to the identity of the owner, where the word trusted differs from one public key scheme to another. In Public Key Infrastructure, the Certification Authority is trusted not to forge users' certificates. In Identity-Based Public Key Cryptography, the Private Key Generator is trusted not to decrypt entities' ciphertext, let alone forge their signatures. Similarly, in Certificateless Public Key Cryptography, the Key Generator Center (KGC) is trusted not to replace entities' public keys. In this paper, we propose an aggregation of several Certificateless Public Key systems in a 5G multi-domain/multi-tenant environment to merge them into a virtual cryptosystem without requiring any sort of trust in KGCs. The only assumption is that KGCs do not collude through sharing their secret keys. We have put this new cryptosystem into concrete encryption, signature, and authenticated key agreement schemes, and proved their security against a new adversarial model based on new underlying computational and bilinear hardness assumptions about the Diffie–Hellman problem in the random oracle model. We believe that this new cryptosystem enables and ensures a secure management of multi-domain/multi-tenant 5G E2E services, even if at most (n-1) KGCs do collude.
Article
The ongoing quest for the tight integration of network operation and network service provisioning initiated with the introduction of 5G often clashes with the capacity of current network architectures to provide means for such integration. Owing to the traditional design of mobile networks, which barely required a tight interaction, network elements offer capabilities for their continuous optimization just within their domain (e.g., access or core), allowing for a "silo-style" automation that falls short when aiming at closed-loop automation that embraces all the actors involved in the network, from network functions up to the service-provider network functions. To this end, in this article, we make the case for a network-wide capability exposure framework for closed-loop automation by (i) defining the different entities that shall expose capabilities, and (ii) discussing why the state of the art solutions are not enough to support this vision. Our proposed architecture, which relies on registration, discovery, and exposure functions, allows for enhanced use cases that are currently not possible with state of the art solutions. We prove the feasibility of our solution by implementing it in a real-world testbed, employing Artificial Intelligence algorithms to close the loop for the management of the radio access network. In this article, we motivate the need for an enhanced network exposure functionality for network automation. We motivate it by revising the state of the art, propose a candidate architecture, and prove its feasibility with a real-world testbed.
Article
6G networks will take the digital services offered by 5G to a whole new level with considerably higher bit rates, lower latency, and ultra-reliability. However, the security of these systems is crucial to fulfill the promise of 6G. A critical element of this requirement is the efficient and pervasive protection of 6G infrastructure and services. In this article, we propose Moving Target Defense (MTD) as a key proactive defense element and elaborate on how it can be integrated into beyond 5G systems. We also present the standardization perspective, the relevant research challenges, and future research directions.
Article
The exponential growth of mobile applications and services during the last years has challenged the existing network infrastructures. Consequently, the arrival of multiple management solutions to cope with this explosion along the end-to-end network chain has increased the complexity in the coordinated orchestration of different segments composing the whole infrastructure. The Zero-touch Network and Service Management (ZSM) concept has recently emerged to automatically orchestrate and manage network resources while assuring the Quality of Experience (QoE) demanded by users. Machine Learning (ML) is one of the key enabling technologies that many ZSM frameworks are adopting to bring intelligent decision making to the network management system. This paper presents a comprehensive survey of the state-of-the-art in the application of ML-based techniques to improve the ZSM performance. To this end, the main related standardization activities and the aligned international projects and research efforts are deeply examined. From this dissection, the skyrocketing growth of the ZSM paradigm can be observed. Concretely, different standardization bodies have already designed reference architectures to set the foundations of novel automatic network management functions and resource orchestration. Aligned with these advances, diverse ML techniques are being currently exploited to build further ZSM developments in different aspects, including multi-tenancy management, traffic monitoring, and architecture coordination, among others. However, different challenges, such as the complexity, scalability, and security of ML mechanisms are also identified, and future research guidelines are provided to accomplish a firm development of the ZSM ecosystem.
Article
The foreseen complexity in operating and managing 5G and beyond networks has propelled the trend toward closed-loop automation of network and service management operations. To this end, the ETSI Zero-touch network and Service Management (ZSM) framework is envisaged as a next-generation management system that aims to have all operational processes and tasks executed automatically, ideally with 100 percent automation. Artificial Intelligence (AI) is envisioned as a key enabler of self-managing capabilities, resulting in lower operational costs, accelerated time-to-value and reduced risk of human error. Nevertheless, the growing enthusiasm for leveraging AI in a ZSM system should not overlook the potential limitations and risks of using AI techniques. The current paper aims to introduce the ZSM concept and point out the AI-based limitations and risks that need to be addressed in order to make ZSM a reality.
Article
The ETSI's Zero touch network and Service Management (ZSM) framework is a prominent initiative to tame the envisioned complexity in operating and managing 5G and beyond networks. To this end, the ZSM framework promotes the shift toward full Automation of Network and Service Management and Operation (ANSMO) by leveraging the flexibility of SDN/NFV technologies along with Artificial Intelligence, combined with the portability and reusability of model-driven, open interfaces. Besides its benefits, each leveraged enabler will bring its own security threats, which should be carefully tackled to make the ANSMO vision a reality. This paper introduces the ZSM's potential attack surface and recommends possible mitigation measures along with some research directions to safeguard ZSM system security.
Conference Paper
5G is envisioned as a transformation of the communications architecture towards multi-tenant, scalable and flexible infrastructure, which heavily relies on virtualised network functions and programmable networks. In particular, orchestration will advance one step further in blending both compute and data resources, usually dedicated to virtualisation technologies, and network resources into so-called slices. Although 5G security is being developed in current working groups, slice security is seldom addressed. In this work, we propose to integrate security in the slice life cycle, impacting its management and orchestration that relies on the virtualization/softwarisation infrastructure. The proposed security architecture connects the demands specified by the tenants through as-a-service mechanisms with built-in security functions relying on the ability to combine enforcement and monitoring functions within the software-defined network infrastructure. The architecture exhibits desirable properties such as isolating slices down to the hardware resources or monitoring service-level performance.
Article
The emergence of distributed ledger technology (DLT) based upon a blockchain data structure, has given rise to new approaches to identity management that aim to upend dominant approaches to providing and consuming digital identities. These new approaches to identity management (IdM) propose to enhance decentralisation, transparency and user control in transactions that involve identity information; but, given the historical challenge to design IdM, can these new DLT-based schemes deliver on their lofty goals? We introduce the emerging landscape of DLT-based IdM, and evaluate three representative proposals: uPort; ShoCard; and Sovrin; using the analytic lens of a seminal framework that characterises the nature of successful IdM schemes.
Conference Paper
The classical approach to access control of Web Services is to present a number of credentials for the access to a service and possibly negotiate their disclosure using a suitable negotiation protocol and a policy to protect them. In practice a "Web Service" is not really a single service but rather a set of services that can be accessed only through a suitable conversation. Further, in real life we are often willing to trade the disclosure of personal attributes (frequent flyer number, car plate or AAA membership etc.) in exchange for additional services and only in a particular order. In this paper we propose a novel negotiation framework where services, needed credentials, and behavioral constraints on the disclosure of privileges are bundled together and where clients and servers have a hierarchy of preferences among the different bundles. While the protocol supports arbitrary negotiation strategies, we sketch two concrete strategies (one for the client and one for the service provider) that make it possible to successfully complete a negotiation when dealing with a cooperative partner and to resist attacks by malicious agents that try to "vacuum-clean" the preference policy of the honest participant. Categories and Subject Descriptors: K.6.5 [Management of Computing and Information Systems]: Security and Protection; H.3.5 [Information Storage and Retrieval]: On-line Information Services (Web-based services, Commercial services); I.2.11 [Artificial Intelligence]: Distributed Artificial Intelligence (Multia-
Conference Paper
Future pervasive environments will be characterised by pervasive client downloads: new (untrusted) clients will be dynamically downloaded in order to exploit the computational power of the nomadic devices to make a better use of the services available in the environment. To address the challenges of this paradigm we propose the notion of security-by-contract (SxC), as in programming-by-contract, based on the notion of a mobile contract that a pervasive download carries with itself. It describes the relevant security features of the application and the relevant security interactions with its nomadic host. In this paper we describe the layered security architecture of the SxC paradigm for pervasive security, the threats and mitigation strategies of security services and sketch some interaction modalities of the security services layer.
Article
In 1999 the United States Congress passed the Y2K Act, a major—but temporary— effort at reshaping American tort law. The Act strictly limited the scope and applicability of lawsuits related to liability for the Year 2000 Problem. This paper excavates the process that led to the Act, including its unlikely signature by President Clinton. The history presented here is based on a reconsideration of the Y2K crisis as a major episode in the history of computing. The Act, and the Y2K crisis more broadly, expose the complex interconnections of software, code, and law at the end of the 20th century, and, taken seriously, argue for the appreciation of the role of liability in the history of technology.
Article
Quantum key distribution (QKD) is a physical technology that enables the secure generation of bit streams (keys) in two separated locations. This technology is designed to provide a solution for very secure (quantum-safe) key agreement, which is nowadays at risk due to advances in quantum computing. The recent demonstration of a QKD network in the metropolitan area of Madrid shows how these networks can be deployed in current production infrastructure by following existing networking paradigms, such as software-defined networking. In particular, a three-node QKD network is implemented on the metropolitan area network using existing infrastructure and coexisting with other data and control services. On the other hand, telecommunication networks are drastically changing the way services are architectured. Users of the operator’s infrastructure are moving from traditional connectivity services (e.g., virtual private networks) to a set of interconnected network functions, either physical or virtual, in the shape of service function chaining (SFC). However, SFC users do not have a method to validate that the traffic flow is appropriately forwarded across the nodes in the network, a situation that may lead to very critical security breaches (e.g., a security node or a firewall in the chain that is bypassed). This work presents a method for validating ordered proof-of-transit (OPoT) on top of the Madrid Quantum Network. We first provide a general description of the QKD network deployed in Madrid. Then, we describe an existing security protocol for PoT in packet networks, analyzing its issues and vulnerabilities. Finally, this work presents a protocol for alleviating the security breach found in this work and for providing OPoT in SFC. Finally, an example of the real implementation is shown, where nodes being part of the OPoT scheme are provisioned with QKD-derived keys.
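The abstract above describes the problem (an SFC user cannot check that traffic really crossed every node of the chain, in order, so a firewall or security node may be bypassed) but not the protocol. The following is an added illustration, not the paper's OPoT protocol or its Madrid implementation: it shows the simplest way ordering can be bound into a proof-of-transit tag, a nested keyed-hash chain in which each node in the chain HMACs the tag produced by its predecessor together with a packet identifier, and a verifier holding all node keys recomputes the expected tag. The node names, the fixed per-node keys (standing in for the QKD-derived keys the paper provisions) and the packet identifier are all constructed for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed per-node keys. In a deployment like the one described above these
# would be QKD-derived; here they are fixed bytes so the example runs offline.
NODE_KEYS: Dict[str, bytes] = {
    "classifier": b"k-classifier-0001",
    "firewall":   b"k-firewall-0002",
    "ids":        b"k-ids-0003",
    "egress":     b"k-egress-0004",
}

# The service function chain the verifier expects every packet to traverse, in order.
EXPECTED_PATH: List[str] = ["classifier", "firewall", "ids", "egress"]


def node_step(key: bytes, prev_tag: bytes, packet_id: bytes) -> bytes:
    """One hop's contribution: HMAC over the running tag and the packet identifier.

    Feeding the previous tag into this hop's HMAC is what encodes ORDER:
    skipping or swapping a hop changes the input of every later HMAC, and the
    packet identifier stops a tag computed for one packet being replayed on another.
    """
    return hmac.new(key, prev_tag + packet_id, hashlib.sha256).digest()


def traverse(path: List[str], packet_id: bytes) -> bytes:
    """Simulate a packet carrying the PoT tag through the given sequence of nodes."""
    tag = b"\x00" * 32  # initial tag value written by the ingress node
    for node in path:
        tag = node_step(NODE_KEYS[node], tag, packet_id)
    return tag


def verify(tag: bytes, packet_id: bytes, expected_path: List[str] = EXPECTED_PATH) -> bool:
    """Verifier holds all node keys, recomputes the tag for the expected ordered
    path and compares in constant time."""
    expected = traverse(expected_path, packet_id)
    return hmac.compare_digest(tag, expected)


def demo() -> Tuple[bool, bool, bool]:
    """Returns (honest path accepted, firewall bypass rejected, reordering rejected)."""
    pid = b"flow42:seq0001"  # constructed packet identifier (flow id + sequence number)
    honest = verify(traverse(EXPECTED_PATH, pid), pid)
    bypassed = verify(traverse(["classifier", "ids", "egress"], pid), pid)
    reordered = verify(traverse(["classifier", "ids", "firewall", "egress"], pid), pid)
    return honest, bypassed, reordered


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want stated. First, the verifier must hold every node's key, so a compromised verifier can forge any tag; the paper's use of QKD-derived keys addresses key distribution, not that trust boundary. Second, a compromised node in the chain can compute its own step for a packet that never reached it only if it also obtains the correct predecessor tag, so a bypassing attacker still has to forge the contributions of the skipped nodes, which requires their keys.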
Next stop: Zero-touch automation standardization
  • Silvia Lins
  • Allan Vidal
  • Pedro Henrique Gomes
Silvia Lins, Allan Vidal, Pedro Henrique Gomes. 2018. Next stop: Zero-touch automation standardization. https://www.ericsson.com/en/blog/2018/11/next-stop-zero-touch-automation-standardization. [Online; accessed 04-June-2020].