INSPIRE-5Gplus High-Level Architecture
In a recent video, the INSPIRE-5Gplus team explains its high-level architecture, which consists of 20 security enablers and 6 security management domains. Check the complete video here.
The INSPIRE-5Gplus framework is designed to support fully automated E2E network and service security management in 5G environments across multiple technological domains (e.g., RAN, CN, and MEC) owned by the same legal entity. The framework enables not only protection but also trustworthiness and liability in managing virtualized network infrastructures across multiple domains.
The high-level architecture (HLA) of the INSPIRE-5Gplus framework follows the key design principles of the ETSI ZSM reference architecture [1]: it separates security management concerns per domain, enables AI-based software-defined security management closed loops, and adopts a service-based architecture in which the provided security management services are exposed and dynamically consumed through an integration fabric as needed. As portrayed in Figure 1, the INSPIRE-5Gplus HLA consists of several security management domains (SMDs), each overseeing the intelligent security automation of resources and services within its scope. The E2E SMD is a special SMD that coordinates between domains to manage the security of E2E services (e.g., an E2E network slice). Each SMD, including the E2E SMD, comprises a set of functional modules, including:
- Security Data Collector (SDC), which aims to gather all the data coming from the security enablers at the domain level, needed by the security management functions (e.g., Security Analytics Engine).
- Security Analytics Engine (SAE), which derives insights and predictions on a domain’s security conditions based on data collected in that specific domain or even from other domains. In the context of INSPIRE-5Gplus, the SAE provides Anomaly Detection and Root Cause Analysis (RCA) services.
- Decision Engine (DE), which oversees the different actions emitted by the security assets and the SAE to select the best decisions which can be applied for securing a running targeted service.
- Security Orchestration (SO), which oversees the different security enablers to enforce the security requirements specified by the adopted security policies. The SO drives the security management by interacting, through the integration fabric, with different SDN controllers, NFV MANO and security management services.
- Policy and SSLA Management (PSM), which transforms the abstract Protection Level and Security Level requirements and constraints expressed by consumers as intents and providers into specific parameters that indicate, to the SO, the security services to configure, deploy and manage.
- Trust Management (TM), which provides various services for the trust related functions, such as trust reputation calculation, component certification, and Ordered Proof of Transit (oPoT).
- Security Agent (SA), a security asset or enabler for monitoring and managing security at a local point in the network, with traffic capture and security packet processors. The SAs communicate with the INSPIRE-5Gplus management plane to provide security data from the traffic control and data plane to the analysis and management functions (e.g., an active or passive probe).
It is worth mentioning that separating security management concerns per domain and adopting service-based and software-defined security models make it possible to build robust and sustainable security measures that can adapt to dynamic changes in the threat landscape and in security requirements in future mobile networks.
Although the INSPIRE-5Gplus framework is developed with a focus on single-operator environment requirements, the inter-domain integration fabric provides an inherent capability to extend security management to multi-operator and Over-The-Top (OTT) environments in the near future.
More details on the INSPIRE-5Gplus framework HLA can be found in [2, 3, 4].
[1] ETSI GS ZSM 002. Zero-touch network and Service Management (ZSM); Reference Architecture. V1.1.1, August 2019.
[2] Benzaid, P. Alemany, R. Artych, R. Asensio, G. Chollon, C. Kalalas, E. Montes de Oca, N. Pérez Palma, A. M. Zarca, H. R. Pascual, W. Soussi, T. Taleb, A. Pastor. White Paper: Intelligent Security Architecture for 5G and Beyond Networks, version 2.0. INSPIRE-5Gplus, Oct. 2022.
[3] Initial Report on Security Use Cases, Enablers and Mechanisms for Liability-aware Trustable Smart 5G Security. INSPIRE-5Gplus, 2021.
[4] Final Report on Enablers and Mechanisms for Liability-aware Trustable Smart 5G Security Management Framework. INSPIRE-5Gplus, 2022.