Internet-Draft draft-suk-nmrg-sdaf5g-ibn-00 July 2024
Kim, et al. Expires 9 January 2025
Workgroup:
Network Management Research Group
Internet-Draft:
draft-suk-nmrg-sdaf5g-ibn-00
Published:
Intended Status:
Informational
Expires:
Authors:
H-K. Kim
Kookmin University
M-G. Kim
Kookmin University
J-H. Jeong
Sangmyung University
M-S. Kim
Sangmyung University

Security Data Analytics Function Based on 5G Service-Based Architecture for Intent-Based Network Management

Abstract

This document describes the architecture and detailed functions of the Security Data Analytics Function (SDAF), a network function that performs security analysis and provides the analysis results within a 5G system built on the service-based architecture (SBA). To this end, it defines the concept of SDAF, the structure by which SDAF is internalized into the 5G system, and the communication interface that SDAF uses, and it describes use cases that can make use of SDAF. The document is based on the service and operational requirements for a 5G system with SBA.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 2 January 2025.

Table of Contents

1. Introduction

5G communication infrastructure built for hyper-performance and hyper-space faces large-scale attacks, and new convergence services face advanced security threats; responding to both calls for super-trust-based security technology. Such technology must ensure continuous security throughout the B5G infrastructure and lays the foundation for acquiring the related capabilities. For intent-based network (IBN) management that optimizes an adaptive 5G network, many research areas must be covered to secure intent-based, super-trust security capabilities and the related technology: an AI-based autonomous security and control framework that provides safe new convergence services, 5G base station security that ensures the availability of 3D mobile communication, and quantum security technologies (PQC, QKD) together with a migration methodology for applying them to the B5G cryptographic system. This document outlines the architecture and specific functions of SDAF, a network function designed to conduct security analysis and deliver the analysis results within 5G systems that use a Service-Based Architecture (SBA). To this end, we define the concept of SDAF, the structure for internalizing it into the 5G system, the communication interface SDAF uses, and a use case that can utilize it. The document is also based on the service and operational requirements for a 5G system with SBA (3GPP).

2. Convention and Terminology

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.

3. Background

3.1. Terminology

NWDAF (Network Data Analytics Function): One of the components of the 5G service-based architecture. NWDAF analyzes past events of NFs in the 5G core network (statistics or predictions) and provides the results to other NFs, which enables overall management and performance improvement of the 5G network. (Technical Specification (TS) 23.288)

SBA (Service Based Architecture): The structure of the 5G system, defined by 3GPP in Release 15, in which control plane NFs interact with each other on a service basis. The NFs of the SBA interact using service-based interfaces (SBI). (TS 23.501)

SBI (Service Based Interface): The interface through which a control plane NF of the SBA exposes its services to, and consumes the services of, other NFs. Each NF has a named service-based interface (for example Namf for the AMF and Nsmf for the SMF), carried as a RESTful API over HTTP/2 with JSON payloads. (TS 23.501)

3.2. Abbreviations

3GPP: The 3rd Generation Partnership Project

AF: Application Function

AMF: Access and Mobility Management Function

AUSF: Authentication Server Function

B5G: Beyond 5G

CTI: Cyber Threat Intelligence

D2D: Device-to-Device

DN: Data Network

gNB: Next Generation Node B

IDS: Intrusion Detection System

NEF: Network Exposure Function

NF: Network Function

NRF: Network Repository Function

NSSF: Network Slice Selection Function

NWDAF: Network Data Analytics Function

PCF: Policy Control Function

PQC: Post-Quantum Cryptography

QKD: Quantum Key Distribution

(R)AN: Radio Access Network

SBA: Service Based Architecture

SBI: Service Based Interface

SDAF: Security Data Analytics Function

SIEM: Security Information and Event Management

SMF: Session Management Function

UDM: Unified Data Management

UDR: Unified Data Repository

UE: User Equipment

UPF: User Plane Function

3.3. Purpose of Research

3.3.1. Definition of 5G/6G Security Internalization Element Technology Analysis and Detail Function

1. 5G/6G Wireless Access/D2D/Infrastructure Virtualization Element Technical Analysis and Definition of Security Requirements

2. 5G/6G Global Network Security Intelligence Internalization Element Technology Analysis and Detail Functional Definition

3. Analysis of Flying Base Station Security Vulnerabilities and Security Requirements

4. Analysis of Quantum Security Element Technology for Application of 5G/6G Cryptosystem

3.3.2. Conceptual Design of 5G/6G Security Internalization Element Technology

1. 5G/6G Wireless Access/D2D/Infrastructure Virtualization Element Technical Analysis and Definition of Security Requirements

2. 5G/6G Global Network Security Intelligence Internalization Element Technology Analysis and Detail Functional Definition

3. Analysis of Flying Base Station Security Vulnerabilities and Security Requirements

4. Analysis of Quantum Security Element Technology for Application of 5G/6G Cryptosystem

4. Design of SDAF Features and SBI Interface

4.1. SDAF Definition and Key Features

The 5G system architecture is based on software-defined and virtualized network functions (NFs). Each NF performs a specific network function, and NFs interwork using the service-based interface (SBI). The SBA aims at a service-oriented architecture that provides independent micro-services by modularizing network functions such as the Session Management Function (SMF), the Access and Mobility Management Function (AMF), and the User Plane Function (UPF). In addition, each NF adopts a standardized communication interface, a RESTful API based on HTTP/2 and JSON, so that any two NFs interconnect and communicate in a 'producer and consumer' structure. SDAF is a network function that internalizes real-time security analysis according to the 5G service-based architecture standards. Its purpose is to collect network information, security event information, and log information from the 5G system, to create a security response policy through various security analyses, and to apply that policy to the 5G system in real time.


 +-----+     +---+    +---+   +---+   +---+   +---+
   NSSF       NEF      NRF     PCF     UDM      AF
 +-----+     +---+    +---+   +---+   +---+   +---+
    |Nnssf     |Nnef   |Nnrf    |Npcf    |Nudm   |Naf
-------------------------------------------------------
                 |Nausf         |Namf         |Nsmf
               +------+      +-----+       +-----+
                 AUSF          AMF           SMF
               +------+      +-----+       +-----+
                               |              |
                      ------------          ------
                   N1|         N2|           N4|
                     +---+     +------+      +----+      +---+
                      UE  ----  (R)AN  -N3-   UPF  -N6-   DN
                     +---+     +------+      +----+      +---+

Figure 1: 5G Service Based Architecture

SDAF interacts with other NFs through the SBI, in the position shown in Figure 2. When doing so, SDAF collects security-related data in response to a consumer NF's request for the security analysis service, performs security analysis on that data, and derives the results. SDAF's core functions are security data collection, security analysis, and security policy creation and enforcement.


 +-----+     +---+    +---+   +---+   +------+
   SDAF       NRF      UDM      AF      NWDAF
 +-----+     +---+    +---+   +---+   +------+
    |Nsdaf     |Nnrf   |Nudm    |Naf     |Nnwdaf
----------------------------------------------------
        |Npcf       |Namf      |Nsmf    |Nudr
      +-----+    +----+     +----+   +----+
        PCF       AMF        SMF       UDR
      +-----+    +----+     +----+   +----+
                   |            |
        ------------
     N1|         N2|          N4|
     +---+     +-----+      +----+      +---+
       UE  ---   gNB   -N3-   UPF  -N6-   DN
     +---+     +-----+      +----+      +---+


Figure 2: SDAF Application Position in the 5G SBA Structure

Security data collection gathers security data from the NFs connected to the SBA, such as the AMF, SMF, PCF, and UPF. The security analysis function analyzes correlations in the collected security data (logs, security events, etc.) to detect specific patterns or anomalies and to identify potential security threats. The security policy creation and enforcement function generates policies from the output of the security analysis function by defining the response to a specific security event or behavior; for example, it can automatically block, or send a warning, when a specific type of attack is detected, and then enforce that policy on the affected NFs.

4.2. SBI Interface Standard

SDAF follows the SBI API design guidelines of TS 29.501 (5G System; Principles and Guidelines for Services Definition) and defines Nsdaf as the name of its communication interface for interworking with other NFs. Because Nsdaf is an ordinary SBI, an SDAF deployment is subject to the same SBI protection as any other NF: TLS on the HTTP/2 connections and NRF-issued OAuth 2.0 access tokens for service authorization, as specified in TS 33.501. SDAF also registers its NF profile with the NRF so that consumer NFs can discover it.

4.2.1. Service Consumer and Service Producer Structure

SBI communication uses a service producer and service consumer model. A service producer is the NF within the SBA that provides a specific service. A service consumer is any NF that uses or requests a specific service provided by a service producer. As depicted in Figure 3, SDAF can act as a service producer that provides security analysis services (a) or as a service consumer that uses the services of other NFs (b).


 SDAF                any NF           SDAF                any NF
--------           ---------         ---------           ---------
Service             Service           Service             Service
Producer  --Nsdaf-- Consumer          Consumer  --Nnf--  Producer
--------           ---------         ---------           ---------

          .......                              .......
          .  a  .                              .  b  .
          .......                              .......


Figure 3: Service Procedure for SDAF and NFs

SDAF service operations use one of two message exchange methods (a. request/response and b. subscribe/notify), depending on the purpose of the service (Figure 4). The request/response method is a synchronous exchange used for one-off provision and use of a service. The subscribe/notify method, in contrast, is asynchronous: once a service consumer subscribes to a specific service, the service producer sends notifications or updates asynchronously as they occur, until the consumer cancels the subscription.


------------                            --------------
 NF Service   ---Request/Response--->      NF Service
  Consumer    ---Subscribe/Notify--->       Producer
------------                            --------------


Figure 4: Purpose of SDAF Service (a. Request/Response, b. Subscribe/Notify)
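The two exchange patterns of Figure 4, modeled in-process as an added example (this is not code from the draft or from 3GPP): SDAF as producer answers a one-off request synchronously, and keeps subscription resources to which it pushes notifications asynchronously until the consumer deletes them. The resource paths, the event identifiers, and the JSON field names are assumptions made for the illustration; the two patterns, the JSON message body, and the practice of acknowledging a notification with a 204 response follow the draft and the general SBI conventions.

```python
"""In-process model of the Nsdaf Request/Response and Subscribe/Notify patterns.

Added example, not code from the draft or from 3GPP. The resource paths,
event identifiers and JSON field names are assumptions for illustration.
"""
import json
import uuid
from typing import Callable, Dict, List, Optional, Set, Tuple

# Hypothetical Nsdaf resources (names assumed, not defined by the draft).
ANALYSES = "/nsdaf-securityanalysis/v1/analyses"
SUBS = "/nsdaf-securityanalysis/v1/subscriptions"

Response = Tuple[int, Optional[dict]]


class SdafProducer:
    """SDAF as service producer: answers requests and pushes notifications."""

    def __init__(self, transport: Callable[[str, str], int]) -> None:
        self._send = transport                               # POST(json_text) to a notification URI
        self._subs: Dict[str, Tuple[str, Set[str]]] = {}     # subscriptionId -> (callback URI, eventIds)

    def handle(self, method: str, uri: str, body: Optional[dict]) -> Response:
        """a. Request/Response: one synchronous answer per request."""
        if method == "POST" and uri == ANALYSES:
            return 200, {"analysisId": str(uuid.uuid4()), "target": body["target"], "status": "COMPLETED"}
        if method == "POST" and uri == SUBS:
            # b. Subscribe: the consumer creates a subscription resource and learns its id
            sub_id = str(uuid.uuid4())
            self._subs[sub_id] = (body["notificationUri"], set(body["eventIds"]))
            return 201, {"subscriptionId": sub_id, **body}
        if method == "DELETE" and uri.startswith(SUBS + "/"):
            # Unsubscribe: deleting the resource stops further notifications
            return (204, None) if self._subs.pop(uri.rsplit("/", 1)[1], None) else (404, None)
        return 404, {"title": "Not Found", "status": 404}

    def notify(self, event_id: str, payload: dict) -> int:
        """b. Notify: push the event asynchronously to every subscriber whose filter matches."""
        delivered = 0
        for sub_id, (uri, event_ids) in self._subs.items():
            if event_id in event_ids:
                wire = json.dumps({"subscriptionId": sub_id, "eventId": event_id, **payload})
                if self._send(uri, wire) == 204:             # consumer acknowledges with 204 No Content
                    delivered += 1
        return delivered


class ConsumerNf:
    """Any NF consuming Nsdaf (here AMF and PCF); receives notifications on its callback URI."""

    def __init__(self, name: str) -> None:
        self.notification_uri = f"https://{name}.example/nsdaf-callback"
        self.received: List[dict] = []

    def on_notify(self, wire: str) -> int:
        self.received.append(json.loads(wire))               # body arrives as JSON text
        return 204


def demo() -> dict:
    amf, pcf = ConsumerNf("amf"), ConsumerNf("pcf")
    routes = {c.notification_uri: c.on_notify for c in (amf, pcf)}
    sdaf = SdafProducer(transport=lambda uri, wire: routes[uri](wire))

    # a. Request/Response: the AMF asks for a one-off analysis and waits for the answer.
    status, result = sdaf.handle("POST", ANALYSES, {"target": "198.51.100.7"})

    # b. Subscribe/Notify: the PCF subscribes to threat verdicts, the AMF to collection status.
    _, pcf_sub = sdaf.handle("POST", SUBS, {"notificationUri": pcf.notification_uri,
                                            "eventIds": ["THREAT_DETECTED"]})
    sdaf.handle("POST", SUBS, {"notificationUri": amf.notification_uri,
                               "eventIds": ["COLLECTION_STATUS"]})
    first = sdaf.notify("THREAT_DETECTED", {"srcIp": "198.51.100.7", "action": "BLOCK"})
    sdaf.handle("DELETE", f"{SUBS}/{pcf_sub['subscriptionId']}", None)
    after = sdaf.notify("THREAT_DETECTED", {"srcIp": "203.0.113.9", "action": "WARN"})

    return {"request_status": status, "analysis_status": result["status"],
            "delivered_before_unsubscribe": first, "delivered_after_unsubscribe": after,
            "pcf_received": len(pcf.received), "amf_received": len(amf.received)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `transport` callable stands in for the HTTP/2 POST that SDAF makes to the consumer's notification URI. In a real deployment that connection carries TLS, and a consumer should only accept a notification whose `subscriptionId` belongs to a subscription it created itself; the filter on `eventIds` is what keeps the AMF from receiving the PCF's threat verdicts.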

5. SDAF Security Analysis Service and Communication Interface

5.1. SDAF Security Data Collection Function

5.1.1. Security Data Collection Service

The security data collection function has SDAF gather, from other NFs, data that may be used for security analysis. SDAF may collect two types of data: general data and security data. General data collection gathers event data from NFs within the SBA, following 3GPP TS 23.502. In the data collection function, the producer NFs are the NFs that provide the data, and SDAF operates as the consumer NF. Security data collection gathers the security data of each NF; for example, the network data of the NF (PCAP, flow information, etc.), its system logs, and the detection logs of security equipment may be collected. NF logs and, in particular, packet captures carry subscriber identifiers and user traffic, so the collection path needs the same confidentiality and access control as the NFs that produced the data.

5.1.2. Request/Response Communication Interface

In the request/response method, the service operation name of SDAF is defined as "Nsdaf_DataExposure". The service operations for collecting security data include IDS log transfer, NF log data transfer, and network packet data transfer.

5.2. SDAF Security Data Analysis Feature

5.2.1. Security Data Analysis Service

The security analysis function provides the various security analysis services requested by other NFs, with SDAF acting as the service producer. The analysis services SDAF offers are SIEM analysis, AI analysis, and CTI analysis. The SIEM analysis service monitors and analyzes the security events and log data collected from NFs, manages the logs, and determines whether a security threat exists. The AI analysis service performs security analysis with a machine learning model to identify and assess potential security threats. The CTI analysis service holds a database of threat information (malicious IP addresses, malicious URLs, etc.) and analyzes the collected data against it to determine whether a security threat exists. The three detailed functions of the security analysis function operate through the services provided by SDAF: SDAF is the producer NF, and the NF that receives the security analysis result is the consumer NF. The services are categorized by function, and each operates via either the request/response or the subscribe/notify method.

5.2.2. Subscription/Notify Communication Interface

TBD

5.3. SDAF security policy creation and enforcement

5.3.1. Security Policy Creation and Implementation Service

SDAF's security policy creation and enforcement function creates, and has applied, the policies that respond to security threats. It operates on the security analysis results derived by the security analysis function. In this function the producer NF is SDAF, which creates the security policy, while the consumer NF is the NF responsible for implementing the policy. The function operates through either the request/response or the subscribe/notify method.
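The SIEM and CTI analysis services of Section 5.2.1 and the policy creation step of Section 5.3.1, run end to end over constructed security data, as an added example that is not code from the draft. The event layout, the correlation rule (AUTH_FAILURE count per source address in a sliding window), the CTI list, the policy fields, and the choice of which NF enforces which action are all assumptions for the illustration; the AI analysis service is not modelled.

```python
"""SIEM correlation, CTI matching and policy creation over constructed NF security data.

Added example, not code from the draft. The event layout, rule thresholds,
the CTI set and the policy fields are assumptions; the draft names only the
three analysis services (SIEM, AI, CTI) and the policy creation/enforcement
function. The AI analysis service is not modelled here.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class SecEvent:
    ts: int          # seconds since an arbitrary epoch
    nf: str          # NF or device that produced the record ("AMF", "SMF", "IDS")
    kind: str        # event type
    src_ip: str      # peer address seen by the producer
    supi: str = ""   # subscriber identity when the NF knows it


# Constructed sample input (not real data): NF logs plus one IDS detection log.
EVENTS = [
    SecEvent(100, "AMF", "AUTH_FAILURE", "203.0.113.9", "imsi-001010000000001"),
    SecEvent(112, "AMF", "AUTH_FAILURE", "203.0.113.9", "imsi-001010000000002"),
    SecEvent(125, "AMF", "AUTH_FAILURE", "203.0.113.9", "imsi-001010000000003"),
    SecEvent(131, "AMF", "AUTH_FAILURE", "203.0.113.9", "imsi-001010000000004"),
    SecEvent(150, "AMF", "AUTH_FAILURE", "203.0.113.9", "imsi-001010000000005"),
    SecEvent(160, "AMF", "REGISTRATION", "192.0.2.10", "imsi-001010000000006"),
    SecEvent(170, "SMF", "PDU_SESSION_EST", "198.51.100.7", "imsi-001010000000007"),
    SecEvent(400, "AMF", "AUTH_FAILURE", "192.0.2.10", "imsi-001010000000006"),
    SecEvent(900, "AMF", "AUTH_FAILURE", "192.0.2.10", "imsi-001010000000006"),
    SecEvent(905, "IDS", "ALERT", "192.0.2.10"),
]

# Constructed CTI database entry: a known-malicious address.
CTI_MALICIOUS_IPS: Set[str] = {"198.51.100.7"}

WINDOW_S, WARN_AT, BLOCK_AT = 60, 3, 5          # assumed correlation rule parameters
SEVERITY = {"WARN": 1, "BLOCK": 2}


@dataclass
class Policy:
    target_ip: str
    action: str                 # "WARN" or "BLOCK"
    enforced_by: str            # consumer NF that applies the policy
    reasons: List[str] = field(default_factory=list)


def siem_correlate(events: List[SecEvent]) -> Dict[str, str]:
    """Sliding window over AUTH_FAILURE per source IP: many failures in WINDOW_S is brute force."""
    verdicts: Dict[str, str] = {}
    windows: Dict[str, List[int]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "AUTH_FAILURE":
            continue
        w = windows[e.src_ip]
        w.append(e.ts)
        while w and e.ts - w[0] > WINDOW_S:        # expire timestamps outside the window
            w.pop(0)
        if len(w) >= BLOCK_AT:
            verdicts[e.src_ip] = "BLOCK"
        elif len(w) >= WARN_AT and verdicts.get(e.src_ip) != "BLOCK":
            verdicts[e.src_ip] = "WARN"
    return verdicts


def cti_match(events: List[SecEvent], cti: Set[str]) -> Dict[str, str]:
    """Any event from an address in the CTI database is a threat regardless of volume."""
    return {e.src_ip: "BLOCK" for e in events if e.src_ip in cti}


def ids_correlate(events: List[SecEvent]) -> Dict[str, str]:
    """An IDS alert whose source also appears in NF logs is corroborated, but stays a warning."""
    nf_ips = {e.src_ip for e in events if e.nf != "IDS"}
    return {e.src_ip: "WARN" for e in events if e.nf == "IDS" and e.src_ip in nf_ips}


def create_policies(events: List[SecEvent], cti: Set[str]) -> List[Policy]:
    """Merge the analysis verdicts into one policy per target, keeping the strongest action."""
    merged: Dict[str, Policy] = {}
    analyses = [("SIEM", siem_correlate(events)), ("CTI", cti_match(events, cti)),
                ("IDS", ids_correlate(events))]
    for name, verdicts in analyses:
        for ip, action in verdicts.items():
            p = merged.setdefault(ip, Policy(ip, action, ""))
            if SEVERITY[action] >= SEVERITY[p.action]:
                p.action = action
            p.reasons.append(f"{name}:{action}")
    for p in merged.values():
        # Assumed enforcement split: BLOCK goes to the PCF as a policy rule, WARN to the AMF.
        p.enforced_by = "PCF" if p.action == "BLOCK" else "AMF"
    return sorted(merged.values(), key=lambda p: p.target_ip)


if __name__ == "__main__":
    for p in create_policies(EVENTS, CTI_MALICIOUS_IPS):
        print(p)
```

On the sample data the five authentication failures from 203.0.113.9 fall inside one 60-second window and produce a BLOCK, the single SMF session from 198.51.100.7 is blocked purely on the CTI match, and 192.0.2.10 only earns a WARN: its two failures are 500 seconds apart, so the IDS alert is corroborated by the AMF log but never crosses the correlation threshold. Each policy keeps the list of analyses that produced it, which is what the consumer NF needs to audit why it was told to block an address.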

5.3.2. Subscribe/Notify Communication Interface

TBD

6. IANA Considerations

There are no IANA considerations related to this document.

7. Security Considerations

[TBD]

8. Acknowledgements

[TBD]

9. Informative References

[TS_23.501]
3GPP, "System architecture for the 5G System (5GS)".
[TS_23.288]
3GPP, "Architecture enhancements for 5G System (5GS) to support network data analytics services".
[TS_29.508]
3GPP, "Session Management Event Exposure Service".
[TS_29.510]
3GPP, "Network Function Repository Services".
[TS_29.518]
3GPP, "Access and Mobility Management Services".
[TS_29.520]
3GPP, "Network Data Analytics Services".
[TR23.791]
3GPP, "Study of Enablers for Network Automation for 5G".
[TR28.809]
3GPP, "Study on enhancement of Management Data Analytics (MDA)".
[TR28.810]
3GPP, "Study on concept, requirements and solutions for levels of autonomous network".
[TR28.100]
3GPP, "Management and orchestration; Levels of autonomous network".
[TR28.812]
3GPP, "Telecommunication management; Study on scenarios for Intent driven management services for mobile networks".
[TR28.312]
3GPP, "Intent driven management services for mobile networks".
[TR28.805]
3GPP, "Telecommunication management; Study on management aspects of communication services".
[TR28.535]
3GPP, "Management and orchestration; Management services for communication service assurance; Requirements".
[TR28.536]
3GPP, "Management and orchestration; Management services for communication service assurance; Stage 2 and Stage 3".
[TR28.861]
3GPP, "Study on the Self Organizing Networks (SON) for 5G networks".
[ITU-T_Y.3172]
ITU-T, "Architectural framework for machine learning in future networks including IMT-2020".
[ITU-T_Y.3173]
ITU-T, "Framework for evaluating intelligence level of future networks including IMT-2020".
[ITU-T_Y.3174]
ITU-T, "Framework for data handling to enable machine learning in future networks including IMT-2020".
[ITU-T_Y.3176]
ITU-T, "Machine learning marketplace integration in future networks including IMT-2020".
[FG-ML5G_spec1]
ITU-T FG-ML5G, "Requirements, architecture and design for machine learning function orchestrator".
[FG-ML5G_spec2]
ITU-T FG-ML5G, "Machine Learning Sandbox for future networks including IMT-2020 requirements and architecture framework".
[Y.ML_IMT2020-RAFR]
ITU-T, "Architecture framework for AI based network automation of resource adaptation and failure recovery for future networks including IMT 2020".

Authors' Addresses

Hwankuk Kim
Kookmin University
77, Jeongneung-ro, Seongbuk-gu
Seoul
Min-Gyu Kim
Kookmin University
77, Jeongneung-ro, Seongbuk-gu
Seoul
Jaehyeok Jeong
Sangmyung University
31, Sangmyeongdae-gil, Dongnam-gu
Cheonan
Min-Suk Kim
Sangmyung University
31, Sangmyeongdae-gil, Dongnam-gu
Cheonan