Network Management Research Group                               H-K. Kim
Internet-Draft                                                  M-G. Kim
Intended status: Informational                        Kookmin University
Expires: 9 January 2025                                       J-H. Jeong
                                                                M-S. Kim
                                                    Sangmyung University
                                                               July 2024


      Security Data Analytics Function Based on 5G Service-Based
          Architecture for Intent-Based Network Management
                     draft-suk-nmrg-sdaf5g-ibn-00

Abstract

   This document describes the architecture and detailed functions of
   the Security Data Analytics Function (SDAF), a network function that
   performs security analysis and provides its results in a 5G system
   with a service-based architecture (SBA).  To this end, it defines
   the concept of SDAF, the structure by which SDAF is internalized in
   the 5G system, and the communication interface SDAF uses.  It also
   defines use cases that can utilize SDAF.  The design is based on the
   service and operation requirements for a 5G system with SBA.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 January 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Kim, et al.              Expires 9 January 2025                 [Page 1]

Internet-Draft          draft-suk-nmrg-sdaf5g-ibn-00            July 2024

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions and Terminology
   3.  Background
     3.1.  Terminology
     3.2.  Abbreviations
     3.3.  Purpose of Research
       3.3.1.  Definition of 5G/6G Security Internalization Element
               Technology Analysis and Detail Function
       3.3.2.  Conceptual Design of 5G/6G Security Internalization
               Element Technology
   4.  Design of SDAF Features and SBI Interface
     4.1.  SDAF Definition and Key Features
     4.2.  SBI Interface Standard
       4.2.1.  Service Consumer and Service Producer Structure
   5.  SDAF Security Analysis Service and Communication Interface
     5.1.  SDAF Security Data Collection Function
       5.1.1.  Security Data Collection Service
       5.1.2.  Request/Response Communication Interface
     5.2.  SDAF Security Data Analysis Feature
       5.2.1.  Security Data Analysis Service
       5.2.2.  Subscribe/Notify Communication Interface
     5.3.  SDAF Security Policy Creation and Enforcement
       5.3.1.  Security Policy Creation and Implementation Service
       5.3.2.  Subscribe/Notify Communication Interface
   6.  IANA Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  Informative References
   Authors' Addresses

1.  Introduction

   Large-scale attacks on 5G communication infrastructure, which is
   built on hyper-performance and hyperspace capabilities, and advanced
   security threats targeting new convergence services call for
   super-trust-based security technology.  Such technology must ensure
   constant security throughout the Beyond-5G (B5G) infrastructure and
   form the foundation on which the related capabilities are acquired.
   Intent-based network (IBN) management that optimizes an adaptive 5G
   network therefore depends on several research fields for intent-based
   super-trust security capabilities and related technology: an AI-based
   autonomous security and control framework that provides safe new
   convergence services, 5G-based flying base station security that
   ensures the availability of 3D mobile communication, and quantum
   security technologies (PQC, QKD) together with a conversion
   methodology for applying them to the B5G encryption system.

   This document outlines the architecture and specific functions of
   SDAF, a network function designed to conduct security analysis and
   deliver analysis results within 5G systems that use a Service-Based
   Architecture (SBA).  To this end, we define the concept of SDAF, the
   structure for internalizing it in the 5G system, the communication
   interface SDAF uses, and a use case that can utilize it.  The design
   is also based on the 3GPP service and operation requirements for a 5G
   system with SBA.

2.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

3.  Background

3.1.  Terminology

   NWDAF (Network Data Analytics Function): One of the components of
   the 5G service-based architecture.  NWDAF analyzes past events of
   NFs in the 5G core network (statistics or predictions) and provides
   the results to other NFs, which enables overall management and
   performance improvement of the 5G network.  (TS 23.288)

   SBA (Service Based Architecture): The structure of the 5G system,
   defined by 3GPP in Release 15, in which control plane NFs interact
   with each other on the basis of services.  The NFs of the SBA
   interact through the service-based interface (SBI).  (TS 23.501)

   SBI (Service Based Interface): The interface over which the control
   plane NFs of the SBA expose and consume services.  Each NF exposes
   its services through an SBI named after the NF (for example, Namf
   for the AMF), realized as a RESTful API over HTTP/2 with JSON
   payloads.  (TS 23.501)

3.2.  Abbreviations

   3GPP: The 3rd Generation Partnership Project
   AF: Application Function
   AMF: Access and Mobility Management Function
   AUSF: Authentication Server Function
   CTI: Cyber Threat Intelligence
   DN: Data Network
   gNB: Next Generation Node B
   IDS: Intrusion Detection System
   NEF: Network Exposure Function
   NF: Network Function
   NRF: Network Repository Function
   NSSF: Network Slice Selection Function
   NWDAF: Network Data Analytics Function
   PCF: Policy Control Function
   (R)AN: Radio Access Network
   SBA: Service Based Architecture
   SBI: Service Based Interface
   SDAF: Security Data Analytics Function
   SIEM: Security Information and Event Management
   SMF: Session Management Function
   UDM: Unified Data Management
   UDR: Unified Data Repository
   UE: User Equipment
   UPF: User Plane Function

3.3.  Purpose of Research

3.3.1.  Definition of 5G/6G Security Internalization Element Technology
        Analysis and Detail Function

   1.  5G/6G Wireless Access/D2D/Infrastructure Virtualization Element
       Technical Analysis and Definition of Security Requirements

   2.  5G/6G Global Network Security Intelligence Internalization
       Element Technology Analysis and Detailed Functional Definition

   3.  Analysis of Flying Base Station Security Vulnerabilities and
       Security Requirements

   4.  Analysis of Quantum Security Element Technology for Application
       of the 5G/6G Cryptosystem
3.3.2.  Conceptual Design of 5G/6G Security Internalization Element
        Technology

   1.  5G/6G Wireless Access/D2D/Infrastructure Virtualization Element
       Technical Analysis and Definition of Security Requirements

   2.  5G/6G Global Network Security Intelligence Internalization
       Element Technology Analysis and Detailed Functional Definition

   3.  Analysis of Flying Base Station Security Vulnerabilities and
       Security Requirements

   4.  Analysis of Quantum Security Element Technology for Application
       of the 5G/6G Cryptosystem

4.  Design of SDAF Features and SBI Interface

4.1.  SDAF Definition and Key Features

   The 5G system architecture is based on the software implementation
   and virtualization of network functions (NFs).  Each NF performs a
   specific network function, and interworking between NFs is carried
   out over the service-based interface (SBI).  The SBA aims at a
   service-oriented architecture that provides independent micro-
   services by modularizing network functions such as the Session
   Management Function (SMF), the Access and Mobility Management
   Function (AMF), and the User Plane Function (UPF).  In addition,
   each NF adopts a standardized communication interface, a RESTful API
   based on HTTP/2 and JSON, so that any two NFs interconnect and
   communicate in a producer and consumer structure.

   SDAF is a network function that internalizes real-time security
   analysis in accordance with the 5G service-based architecture
   standards.  The purpose of SDAF is to collect network information,
   security event information, and log information from the 5G system,
   create a responsive security policy through various security
   analyses, and apply that policy to the 5G system in real time.
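   The producer and consumer structure described above rests on the NRF:
   a producer NF registers an NFProfile, and consumers discover it by
   service name before calling it.  The following is an added example,
   not code from the draft or from any 3GPP implementation, that shows
   what that looks like for an SDAF instance.  It builds an NFProfile in
   the JSON shape TS 29.510 uses for Nnrf_NFManagement, registers it with
   an in-memory stand-in for the NRF, and lets a consumer NF discover the
   SDAF producer through the equivalent of Nnrf_NFDiscovery.  The nfType
   value "SDAF", the service name "nsdaf-analysis", the endpoint address
   and the NRF behaviour are assumptions of this example; the draft does
   not define them.

```python
"""Added example (not part of the draft): SDAF as an SBA producer.

An NFProfile is built in the attribute layout of TS 29.510, registered
with an in-memory stand-in for the NRF, and discovered by a consumer NF.
The nfType "SDAF", the service name "nsdaf-analysis" and the NRF logic
below are assumptions of this example, not 3GPP definitions.
"""
import json
import re
import uuid

# Mandatory NFProfile attributes in TS 29.510 (the rest are optional).
REQUIRED = ("nfInstanceId", "nfType", "nfStatus")
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def build_sdaf_profile(ipv4: str, port: int = 443) -> dict:
    """NFProfile that SDAF would PUT to the NRF (nfType and service
    name are assumptions of this example)."""
    return {
        "nfInstanceId": str(uuid.uuid4()),
        "nfType": "SDAF",
        "nfStatus": "REGISTERED",
        "ipv4Addresses": [ipv4],
        "nfServices": [{
            "serviceInstanceId": "nsdaf-analysis-1",
            "serviceName": "nsdaf-analysis",
            "versions": [{"apiVersionInUri": "v1", "apiFullVersion": "1.0.0"}],
            "scheme": "https",
            "nfServiceStatus": "REGISTERED",
            "ipEndPoints": [{"ipv4Address": ipv4, "transport": "TCP", "port": port}],
            # Only these consumer NF types may be told about the service.
            "allowedNfTypes": ["PCF", "AMF", "SMF"],
        }],
    }


class Nrf:
    """In-memory stand-in for the NRF management and discovery services."""

    def __init__(self):
        self.profiles = {}

    def register(self, profile: dict) -> tuple:
        """PUT /nnrf-nfm/v1/nf-instances/{nfInstanceId}: validate, then
        store.  Returns (http_status, body) as the real API would."""
        missing = [k for k in REQUIRED if k not in profile]
        if missing:
            return 400, {"title": "Bad Request", "detail": f"missing {missing}"}
        if not UUID_RE.match(profile["nfInstanceId"]):
            return 400, {"title": "Bad Request", "detail": "nfInstanceId is not a UUID"}
        # This example's own policy: refuse plain-http service endpoints.
        # TS 33.501 requires TLS on the SBI unless other network security
        # protects the interface, so an operator's NRF may enforce this.
        if any(s.get("scheme") != "https" for s in profile.get("nfServices", [])):
            return 400, {"title": "Bad Request", "detail": "SBI endpoint must use https"}
        self.profiles[profile["nfInstanceId"]] = json.loads(json.dumps(profile))
        return 201, profile

    def discover(self, requester_nf_type: str, target_nf_type: str,
                 service_name: str) -> list:
        """GET /nnrf-disc/v1/nf-instances?target-nf-type=..&requester-nf-type=..
        &service-names=..: return the API root of each matching service,
        honouring allowedNfTypes so a consumer only learns about producers
        it is permitted to use."""
        found = []
        for p in self.profiles.values():
            if p["nfType"] != target_nf_type or p["nfStatus"] != "REGISTERED":
                continue
            for s in p.get("nfServices", []):
                if s["serviceName"] != service_name:
                    continue
                allowed = s.get("allowedNfTypes")
                if allowed is not None and requester_nf_type not in allowed:
                    continue
                ep = s["ipEndPoints"][0]
                found.append({
                    "nfInstanceId": p["nfInstanceId"],
                    "apiRoot": f"{s['scheme']}://{ep['ipv4Address']}:{ep['port']}"
                               f"/{s['serviceName']}/{s['versions'][0]['apiVersionInUri']}",
                })
        return found


if __name__ == "__main__":
    nrf = Nrf()
    status, _ = nrf.register(build_sdaf_profile("192.0.2.10"))
    print("register ->", status)
    print("PCF discovers:", nrf.discover("PCF", "SDAF", "nsdaf-analysis"))
    print("UDM discovers:", nrf.discover("UDM", "SDAF", "nsdaf-analysis"))
```

   The allowedNfTypes check is the part worth noting for a security
   function: an SDAF that exposes collected logs and analysis results
   should be discoverable only by the NF types that are meant to consume
   them, and the NRF is where that restriction is applied before any
   request reaches SDAF.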
        +-----+  +-----+  +-----+  +-----+  +-----+  +-----+
        | NSSF|  | NEF |  | NRF |  | PCF |  | UDM |  | AF  |
        +-----+  +-----+  +-----+  +-----+  +-----+  +-----+
          |Nnssf   |Nnef    |Nnrf    |Npcf    |Nudm    |Naf
      -------------------------------------------------------------
          |Nausf              |Namf              |Nsmf
        +------+           +------+           +------+
        | AUSF |           | AMF  |           | SMF  |
        +------+           +------+           +------+
                              |                  |
               ---------------                   -------
           N1|            N2|                       N4|
        +----+         +-------+              +-----+         +----+
        | UE |---------| (R)AN |-----N3-------| UPF |---N6----| DN |
        +----+         +-------+              +-----+         +----+

                Figure 1: 5G Service Based Architecture

   SDAF interacts with other NFs through the SBI of the 5G SBA shown in
   Figure 1; its position in that structure is shown in Figure 2.  SDAF
   collects security-related data in response to a consumer NF's
   security analysis service request, uses it to perform security
   analysis, and derives the results.  SDAF's core functions are
   security data collection, security analysis, and security policy
   creation and enforcement.

        +------+  +-----+  +-----+  +-----+  +-------+
        | SDAF |  | NRF |  | UDM |  | AF  |  | NWDAF |
        +------+  +-----+  +-----+  +-----+  +-------+
          |Nsdaf    |Nnrf    |Nudm    |Naf     |Nnwdaf
      -------------------------------------------------------------
          |Npcf           |Namf           |Nsmf           |Nudr
        +-----+         +-----+         +-----+         +-----+
        | PCF |         | AMF |         | SMF |         | UDR |
        +-----+         +-----+         +-----+         +-----+
                           |               |
              -------------                ------
          N1|           N2|                    N4|
        +----+         +-----+            +-----+         +----+
        | UE |---------| gNB |----N3------| UPF |---N6----| DN |
        +----+         +-----+            +-----+         +----+

       Figure 2: SDAF Application Position in the 5G SBA Structure

   Security data collection gathers security data from the NFs connected
   to the SBA, such as the AMF, SMF, PCF, and UPF.  The security analysis
   function analyzes correlations in the collected security data (logs,
   security events, etc.) to detect specific patterns or anomalies and
   to identify potential security threats.  The security policy creation
   and enforcement function generates policies from the output of the
   security analysis function by defining response methods for specific
   security events or behaviors.
   For example, it can automatically block traffic or send warnings when
   a specific type of attack is detected, and enforce these policies
   accordingly.

4.2.  SBI Interface Standard

   SDAF follows the SBI API design guidelines of TS 29.501 (5G System;
   Principles and Guidelines for Services Definition) and defines Nsdaf
   as the name of its communication interface for interworking with
   other NFs.

4.2.1.  Service Consumer and Service Producer Structure

   SBI communication uses a service producer and service consumer model.
   A service producer is an NF within the SBA that provides a specific
   service.  A service consumer is any NF that utilizes or requests a
   specific service provided by a service producer.  As depicted in
   Figure 3, SDAF can act as a service producer that provides security
   analysis services (a) or as a service consumer that utilizes services
   from other NFs (b).

        SDAF                any NF        SDAF                any NF
      ---------            ---------    ---------            ---------
      Service   --Nsdaf--> Service      Service   --Nnf-->   Service
      Producer             Consumer     Consumer             Producer
      ---------            ---------    ---------            ---------
                .......                           .......
                .  a  .                           .  b  .
                .......                           .......

              Figure 3: Service Procedure for SDAF and NFs

   SDAF messages are exchanged in one of two ways, depending on the
   purpose for which the SDAF service is used (Figure 4): (a) the
   request/response method and (b) the subscribe/notify method.  The
   request/response method is a synchronous exchange used for one-off
   service provision and consumption.  The subscribe/notify method, in
   contrast, is asynchronous: once a service consumer subscribes to a
   specific service, the service producer sends notifications or updates
   to it asynchronously.

      ------------                                 --------------
      NF Service   ----(a) Request/Response--->     NF Service
      Consumer     ----(b) Subscribe/Notify---->    Producer
      ------------                                 --------------

          Figure 4: Purpose of SDAF Service (a. Request/Response,
                          b. Subscribe/Notify)

5.  SDAF Security Analysis Service and Communication Interface

5.1.  SDAF Security Data Collection Function

5.1.1.  Security Data Collection Service

   In the security data collection function, SDAF gathers data that may
   be used for security analysis from other NFs.  SDAF may collect two
   types of data: general data and security data.  General data
   collection gathers event data from NFs within the SBA, following the
   procedures of 3GPP TS 23.502.  In the data collection function the
   producer NF is the NF that provides the data, and SDAF operates as
   the consumer NF.

   Security data collection gathers the security data of each NF.  For
   example, the NF's network data (PCAP, flow information, etc.), system
   logs, and the detection logs of security equipment may be collected.

5.1.2.  Request/Response Communication Interface

   In the request/response method, the SDAF service operation name is
   defined as "Nsdaf_DataExposure".  The service operations for
   collecting security data include IDS log transfer, NF log data
   transfer, and network packet data transfer.

5.2.  SDAF Security Data Analysis Feature

5.2.1.  Security Data Analysis Service

   The security analysis function provides the various security analysis
   services requested by other NFs, with SDAF acting as the service
   producer.  SDAF's analysis services include SIEM analysis, AI
   analysis, and CTI analysis.  The SIEM analysis service monitors and
   analyzes the security events and log data collected from NFs, manages
   the logs, and determines whether a security threat is present.  The
   AI analysis service performs security analysis with a machine
   learning model to identify and assess potential security threats.
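   The following is an added example, not code from the draft or from
   any 3GPP implementation, that walks the SDAF functions described so
   far over constructed data: collection of NF and IDS log records with
   a one-off request/response in which SDAF is the consumer (5.1),
   SIEM-style correlation plus a CTI lookup in which SDAF is the producer
   (5.2), and creation of response policies that are pushed to subscribed
   NFs with the subscribe/notify pattern of Figure 4 (the "block or warn"
   behaviour described in 4.1).  The record layout, the failure
   threshold, the policy format and the notification payload are all
   assumptions of this example; the draft defines none of them.

```python
"""Added example (not part of the draft): a miniature SDAF pipeline.

Collection (SDAF as consumer), SIEM/CTI analysis (SDAF as producer) and
policy creation with subscribe/notify delivery, run over constructed
sample records.  Record fields, threshold and policy format are assumed.
"""
import json
import uuid
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records, in the shape a producer NF is assumed to
# return for an Nsdaf_DataExposure request (field names are invented).
AMF_LOGS = [
    {"ts": 1, "nf": "AMF", "event": "AUTH_FAIL", "supi": "imsi-001010000000001", "srcIp": "198.51.100.10"},
    {"ts": 2, "nf": "AMF", "event": "AUTH_FAIL", "supi": "imsi-001010000000001", "srcIp": "198.51.100.10"},
    {"ts": 3, "nf": "AMF", "event": "AUTH_FAIL", "supi": "imsi-001010000000001", "srcIp": "198.51.100.10"},
    {"ts": 4, "nf": "AMF", "event": "REG_OK", "supi": "imsi-001010000000002", "srcIp": "198.51.100.11"},
]
IDS_LOGS = [
    {"ts": 5, "nf": "IDS", "event": "ALERT", "sig": "port scan", "srcIp": "203.0.113.7"},
]
# Constructed CTI database: indicator -> description.
CTI_DB = {"203.0.113.7": "known scanner"}


@dataclass
class Finding:
    kind: str        # "auth_bruteforce" or "cti_match"
    src_ip: str
    evidence: int    # number of records behind the finding
    severity: str    # "medium" or "high"


@dataclass
class Sdaf:
    cti_db: dict
    fail_threshold: int = 3
    collected: list = field(default_factory=list)
    subscriptions: dict = field(default_factory=dict)

    # 5.1: one-off request/response with SDAF as consumer.  The producer
    # NF is modelled as a callable that returns its records.
    def collect(self, producer) -> int:
        records = producer()
        self.collected.extend(records)
        return len(records)

    # Figure 4 (b): a consumer NF subscribes; the callback stands in for
    # the HTTP POST the producer makes to the consumer's notification URI.
    def subscribe(self, consumer_nf: str, notify) -> str:
        sub_id = str(uuid.uuid4())
        self.subscriptions[sub_id] = (consumer_nf, notify)
        return sub_id

    def unsubscribe(self, sub_id: str) -> bool:
        return self.subscriptions.pop(sub_id, None) is not None

    # 5.2: SIEM-style correlation (repeated AUTH_FAIL per SUPI and source
    # address) and a CTI lookup of every source address seen.
    def analyze(self) -> list:
        findings = []
        fails = defaultdict(int)
        for r in self.collected:
            if r.get("event") == "AUTH_FAIL":
                fails[(r["supi"], r["srcIp"])] += 1
        for (_supi, ip), n in fails.items():
            if n >= self.fail_threshold:
                findings.append(Finding("auth_bruteforce", ip, n, "medium"))
        seen = set()
        for r in self.collected:
            ip = r.get("srcIp")
            if ip in self.cti_db and ip not in seen:
                seen.add(ip)
                findings.append(Finding("cti_match", ip, 1, "high"))
        return findings

    # Policy creation: map each finding to a response action (format assumed).
    def create_policies(self, findings) -> list:
        action = {"high": "BLOCK", "medium": "ALERT"}
        return [{
            "policyId": str(uuid.uuid4()),
            "match": {"srcIp": f.src_ip},
            "action": action[f.severity],
            "reason": f"{f.kind} ({f.evidence} record(s))",
        } for f in findings]

    # Run analysis, create policies and notify every subscriber.
    def run(self) -> list:
        policies = self.create_policies(self.analyze())
        payload = json.dumps({"producer": "SDAF", "policies": policies})
        for _consumer_nf, notify in self.subscriptions.values():
            notify(json.loads(payload))   # each subscriber gets its own copy
        return policies


if __name__ == "__main__":
    sdaf = Sdaf(cti_db=CTI_DB)
    sdaf.subscribe("PCF", lambda body: print("PCF notified:", json.dumps(body)))
    sdaf.collect(lambda: AMF_LOGS)
    sdaf.collect(lambda: IDS_LOGS)
    sdaf.run()
```

   Two design points carry over to a real deployment.  Correlation keys
   on the pair (SUPI, source address) rather than on either alone, so a
   single subscriber failing from many addresses and many subscribers
   failing from one address are both visible once a threshold per key is
   chosen.  Findings are mapped to actions by severity rather than by
   kind, which keeps the decision of what to block in one table that an
   operator can tune without touching the analysis.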
   The CTI analysis service analyzes threat intelligence such as
   malicious IP addresses and malicious URLs and determines whether a
   security threat is present; to do so it maintains a database that
   stores security threat information (malicious IPs, etc.).

   These three detailed functions of the security analysis function
   operate through the services provided by SDAF.  SDAF acts as the
   producer NF, while the NF receiving the security analysis result
   serves as the consumer NF.  The services offered by SDAF are
   categorized according to their specific functions, and each operates
   via either the request/response or the subscribe/notify method.

5.2.2.  Subscribe/Notify Communication Interface

   TBD

5.3.  SDAF Security Policy Creation and Enforcement

5.3.1.  Security Policy Creation and Implementation Service

   SDAF's security policy creation and enforcement function creates and
   implements policies that respond to security threats.  It operates on
   the security analysis results derived by the security analysis
   function.  In this function the producer NF is SDAF, which creates
   the security policy, while the consumer NF is the NF responsible for
   implementing the security policy.  This function operates through
   the request/response or the subscribe/notify method.

5.3.2.  Subscribe/Notify Communication Interface

   TBD

6.  IANA Considerations

   There are no IANA considerations related to this document.

7.  Security Considerations

   [TBD]

8.  Acknowledgements

   [TBD]

9.  Informative References

   [TS_23.501]  3GPP, "System architecture for the 5G System (5GS)",
                TS 23.501, 2022.

   [TS_23.288]  3GPP, "Architecture enhancements for 5G System (5GS) to
                support network data analytics services", TS 23.288,
                2022.

   [TS_29.508]  3GPP, "5G System; Session Management Event Exposure
                Service; Stage 3", TS 29.508, 2022.

   [TS_29.510]  3GPP, "5G System; Network Function Repository Services;
                Stage 3", TS 29.510, 2022.
   [TS_29.518]  3GPP, "5G System; Access and Mobility Management
                Services; Stage 3", TS 29.518, 2022.

   [TS_29.520]  3GPP, "5G System; Network Data Analytics Services;
                Stage 3", TS 29.520, 2022.

   [TR_23.791]  3GPP, "Study of Enablers for Network Automation for
                5G", TR 23.791, 2021.

   [TR_28.809]  3GPP, "Study on enhancement of Management Data
                Analytics (MDA)", TR 28.809, 2021.

   [TR_28.810]  3GPP, "Study on concept, requirements and solutions for
                levels of autonomous network", TR 28.810, 2021.

   [TS_28.100]  3GPP, "Management and orchestration; Levels of
                autonomous network", TS 28.100, 2021.

   [TR_28.812]  3GPP, "Telecommunication management; Study on scenarios
                for Intent driven management services for mobile
                networks", TR 28.812, 2021.

   [TS_28.312]  3GPP, "Intent driven management services for mobile
                networks", TS 28.312, 2021.

   [TR_28.805]  3GPP, "Telecommunication management; Study on management
                aspects of communication services", TR 28.805, 2021.

   [TS_28.535]  3GPP, "Management and orchestration; Management services
                for communication service assurance; Requirements",
                TS 28.535, 2021.

   [TS_28.536]  3GPP, "Management and orchestration; Management services
                for communication service assurance; Stage 2 and Stage
                3", TS 28.536, 2021.

   [TR_28.861]  3GPP, "Study on the Self Organizing Networks (SON) for
                5G networks", TR 28.861, 2021.

   [ITU-T_Y.3172]
                ITU-T, "Architectural framework for machine learning in
                future networks including IMT-2020", Recommendation
                Y.3172, 2020.

   [ITU-T_Y.3173]
                ITU-T, "Framework for evaluating intelligence level of
                future networks including IMT-2020", Recommendation
                Y.3173, 2020.

   [ITU-T_Y.3174]
                ITU-T, "Framework for data handling to enable machine
                learning in future networks including IMT-2020",
                Recommendation Y.3174, 2020.

   [ITU-T_Y.3176]
                ITU-T, "Machine learning marketplace integration in
                future networks including IMT-2020", Recommendation
                Y.3176, 2020.

   [FG-ML5G_spec1]
                ITU-T FG-ML5G, "Requirements, architecture and design
                for machine learning function orchestrator", 2020.

   [FG-ML5G_spec2]
                ITU-T FG-ML5G, "Machine Learning Sandbox for future
                networks including IMT-2020: requirements and
                architecture framework", 2020.
   [Y.ML_IMT2020-RAFR]
                ITU-T, "Architecture framework for AI based network
                automation of resource adaptation and failure recovery
                for future networks including IMT-2020", 2020.

Authors' Addresses

   Hwankuk Kim
   Kookmin University
   77, Jeongneung-ro, Seongbuk-gu
   Seoul

   Phone: +82 2 910 4745
   Email: rinyfeel@kookmin.ac.kr


   Min-Gyu Kim
   Kookmin University
   77, Jeongneung-ro, Seongbuk-gu
   Seoul

   Phone: +82 2 910 4114
   Email: skystarloid@kookmin.ac.kr


   Jaehyeok Jeong
   Sangmyung University
   31, Sangmyeongdae-gil, Dongnam-gu
   Cheonan

   Phone: +82 41 550 5114
   Email: 2023D1013@sangmyung.kr


   Min-Suk Kim
   Sangmyung University
   31, Sangmyeongdae-gil, Dongnam-gu
   Cheonan

   Phone: +82 41 550 5113
   Email: mskim1997@gmail.com