Security Data Analytics Function Based on 5G Service-Based Architecture for Intent-Based Network Management

To respond to large-scale attacks on 5G communication infrastructure based on hyper-performance, hyperspace, and advanced security threats targeting new convergence services and intended super-trust-based security technology. It can ensure constant security throughout B5G infrastructure and relate to the foundation aim to acquire skills. For ibn management to optimize an adaptive 5G network, there are a lot of research fields to secure intent-based super-trust security skills and related technology. AI-based autonomous security and control framework to provide safe new convergence services, 5G-based station security to ensure availability of 3D mobile communication, and quantum security technologies (PQC, QKD) of conversion methodology for B5G encryption system application. This document outlines the architecture and specific functions of SDAF, a network function designed to conduct security analysis and deliver analysis results within 5G systems utilizing a Service-Based Architecture (SBA). To this end, we define the concept of SDAF, the structure for internalizing the 5G system, the communication interface SDAF uses, and a use case that can utilize it. This is also based on the service and operation requirements for a 5G system with SBA (3GPP).

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.

NWDAF (Network Data Analytics Function): As one of the components of the 5G service-based architecture, SDAF analyzes past events for NFs in the 5G core network (statistics or predictions) and provides the results. Consequently, this enables overall management and performance improvement of the 5G network. (Technical Specification (TS) 23.288) SBA (Service Based Architecture): A structure of a 5G system defined in Release 15 by 3GPP allows control plane NFs to interact with each other based on services. The NFs of the SBA interact using a service-based interface (SBI). (TS 23.501) SBI (Service Based Interface): A structure of a 5G system defined in Release 15 by 3GPP enables control plane NFs to interact with each other based on services. The NFs within the SBA interact using a service-based interface (SBI). (TS 23.501)

3GPP: The 3rd Generation Partnership Project AF: Application Function AMF: Access and Mobility Management Function AUSF: Authentication Server Function DN: Data Network gNB: Next Generation Node B NF: Network Function NRF: Network Repository Function PCF: Policy Control Function (R)AN: Radio Access Network UDM: Unified Data Management UDR: Unified Data Repository UE: User Equipment UPF: User Plane Function

1. 5G/6G Wireless Access/D2D/Infrastructure Virtualization Element Technical Analysis and Definition of Security Requirements 2. 5G/6G Global Network Security Intelligence Internalization Element Technology Analysis and Detail Functional Definition 3. Analysis of Flying Base Station Security Vulnerabilities and Security Requirements 4. Analysis of Quantum Security Element Technology for Application of 5G/6G Cryptosystem

The 5G system architecture is based on the software and virtualization of network functions (NF). An NF that performs a specific network function is defined, and the interworking between NFs is carried out using a service-based interface (SBI). The SBA structure aims for a service-oriented architecture that provides independent micro-services by modularizing network functions such as Session Management Functions (SMF), Access and Mobility Management Functions (AMF), and User Plane Data Processing (UPF). In addition, each NF adopted a standardized communication interface through the RESTful API based on HTTP/2 and JSON, enabling them to operate as a 'Provider and Consumer' structure for interconnection and communication between the two NFs. SDAF is an application function for internalizing real-time security analysis functions according to 5G service-based architecture standards. The purpose of SDAF is to collect network information, security event information, and log information from the 5G system structure, create a response security policy through various security analyses, and apply it to the 5G system structure in real-time.

+-----+ +---+ +---+ +---+ +---+ +---+ NSSF NEF NRF PCF UDM AF +-----+ +---+ +---+ +---+ +---+ +---+ |Nnssf |Nnef |Nnrf |Npef |Nudm |Naf ------------------------------------------------------- |Nausf |Namf |Nsmf +------+ +-----+ +-----+ AUSF AMF SMF +------+ +-----+ +-----+ | | ------------ ------ N1| N2| N4| +---+ +------+ +----+ +---+ UE ---- (R)AN -N3- UPF -N6- DN +---+ +------+ +----+ +---+ SDAF interacts with other NFs through the SBI interface as shown in (Fig1). At this time, SDAF collects security-related data in response to the consumer NF's security analysis service request, uses it to perform security analysis, and derives the results. SDAF's core functions include security data collection, security analysis, and security policy creation and enforcement.

+-----+ +---+ +---+ +---+ +------+ NDAF NRF UDM AF NWDAF +-----+ +---+ +---+ +---+ +------+ |Nsdaf |Nnrf |Nudm |Naf |Nnwdaf ---------------------------------------------------- |Npcf |Namf |Nsmf |Nudr +-----+ +----+ +----+ +----+ PCF AMF SMF UDR +-----+ +----+ +----+ +----+ | | ------------ N1| N2| N4| +---+ +-----+ +----+ +---+ UE --- gNB -N3- UPF -N6- DN +---+ +-----+ +----+ +---+ Security data collection is a function of collecting security data information from NFs connected to SBA structures such as AMF, SMF, PCF, UPF, etc. The security analysis function analyzes correlations based on collected security data (logs, security events, etc.) to detect specific patterns or anomalies and identify potential security threats. The security policy creation and enforcement function generate policies through the security analysis function by defining response methods for specific security events or behaviors. For example, it can automatically block or send warnings when a specific type of attack is detected and enforce these policies accordingly.

SDAF follows the SBI API Design Guide TS 29.501 (5G System; Principles and Guidelines for Services Definition) standard and defines Nsdaf as a communication interface name for interworking with other NFs.

The SBI communication service uses a service producer and service consumer model. A service producer plays a role in providing a specific service among NFs within the SBA structure. A service consumer, on the other hand, can be any NF that utilizes or requests a specific service provided by the service producer. As depicted in Fig 3, SDAF can function as a service producer that provides security analysis services or as a service consumer that utilizes services from other NFs.

SDAF any NF SDAF any NF -------- --------- --------- --------- Service Service Service Service Producer --Nsdaf-- Consumer Consumer --Nnf-- Producer -------- --------- --------- --------- ....... ....... . a . . b . ....... ....... SDAF message transmission and reception methods provide two methods (a. Request/Response method and b. Subscribe/Notify method) depending on the purpose of using the SDAF service (Fig 4). The request/response method is a synchronized communication method used for one-off service provision and utilization. In contrast, the subscription/notification method is an asynchronous communication method. When a service consumer subscribes to a specific service, the service producer sends notifications or updates asynchronously.

------------ -------------- NF Service ---Request/Response---> NF Service Consumer ---Subscribe/Norify---> Producer ------------ --------------

The security data collection function involves SDAF gathering data potentially utilized for security analysis from other NFs. SDAF may collect two types of data: general data and security data. General data collection involves gathering event data from NFs within the SBA, following the guidelines of 3GPP TS 23.502. In the data collection function, the producer NF is the NFs that provides data, and the SDAF operates as the consumer NF. The security data type is a function of collecting the security data of each NF. For example, network data (PCAP, flow information, etc.) of the NF, system logs, and security equipment detection logs may be collected.

In the request/response method, the service operation name of SDAF is defined as "Nsdaf_DataExposure". The service operations for collecting security data include IDS LogTransfer, NF log data transfer, and network packet data transfer.

The security analysis function provides various security analysis services requested by other NFs while SDAF acts as a service producer. SDAF's analysis-enabled services include SIEM analysis, AI analysis, and CTI analysis services. The SIEM analysis service is a service that monitors and analyzes security events and log data collected from NFs, manages logs, and determines whether there is a security threat. The AI analysis service performs security analysis using a machine learning model to identify and assess potential security threats. The CTI analysis function is a function of analyzing CTI such as malicious IP and malicious URLs and determining whether there is a security threat because it has a database that stores information on security threats (malicious IP, etc.). The three detailed functions of the security analysis function operate through the services provided by SDAF. SDAF acts as the producer NF, while the NF receiving the security analysis result serves as the consumer NF. The services utilized by SDAF are categorized according to their specific functions, and these functions operate via either request/response or subscription/notification methods.

TBD

SDAF's security policy creation and enforcement function involve creating and implementing policies to respond to security threats. This function operates based on the security analysis results derived from the security analysis function. In the security policy creation and enforcement function, the producer NF is SDAF, which creates the security policy, while the consumer NF is the NF responsible for implementing the security policy. This function operates through request/response or subscription/notification methods.

TBD

There are no IANA considerations related to this document.

[TBD]