5G is the core underlying technology of the digital economy and the basic support for the rapid development of the information industry. 5G network security is becoming an important challenge for mobile communications in the future.
At present, the telecom network provides security protection through patch-based, passive, and external measures. The risk level of network security can only be evaluated statically, and its risk status can only be roughly estimated from factors such as network value, security vulnerabilities, and the frequency of security incidents. Attacks on the network cannot be detected and protected against in real time.
Deploying network security and protection in this way carries high maintenance costs, which makes dynamic policy adjustment and automatic maintenance difficult. This can no longer meet the service needs and application scenarios of today's complex telecom networks.
Native Security Solution
Facing future network evolution, ZTE has proposed building an integrated trusted network security architecture (Fig. 1). 5G/5G-Advanced network security should have four features: automation security, self-defense security, self-adaptation security, and self-evolution security.
The security and protection capabilities of the various assets in 5G networks are improved automatically, including equipment nodes, infrastructure, network services, data, users, management nodes, operating systems, middleware, databases, and software services. This helps to achieve trusted protection, services, access, and data across the board, to dynamically measure and detect system status and security, and to build native security at the network element (NE) level, which in turn promotes native security at the network level.
Security management of all assets of the 5G network cloud is implemented through visualization, enabling unified vulnerability management, configuration delivery, and upgrades. Intrusion detection is applied to network traffic and data streams, ACL policies are set, and abnormal processes are managed and controlled.
The security engine is used to implement unified security capability orchestration. The cloud and network are scheduled and orchestrated for automatic security resource allocation, automatic security service distribution, automatic security policy adaptation (network security coordination), and real-time protection responses to advanced network threats (security analysis linkage). Multiple NEs and layers coordinate to ensure network security, implement centralized security policy management and orchestration, and provide security services as required.
A 5G network cloud based on cloud computing and SDN/NFV needs to learn from past experience and lessons, and introduces blockchain technology to help build a secure and trusted communication environment and to make the system tamper-proof and recoverable. Trusted computing can be used to implement trusted startup, trusted measurement, and remote trusted management of NEs, keep network hardware and software functions running continuously as expected, and provide active defense capability for the network infrastructure.
Zero trust is also introduced to carry out fine-grained, visualized management of the network. The corresponding security components are deployed to build an end-to-end 5G network cloud security system. All user behaviors and logs in the management system are managed centrally, and regular audit policies are set to perform security audits. The overall security of the 5G network cloud can thus be audited and traced.
The 5G security service can monitor and perceive the security status of the 5G network cloud at any time, making asset security risks visible. Security events can be predicted and alerted on promptly, and detected, repaired, or otherwise handled in time to ensure the availability of network services. When the network service or security system is upgraded, or the service process is rebuilt, the security capability can be improved dynamically.
When part of the network is compromised, the security engine intercepts the threat traffic and starts a security hardening process to quickly avoid or eliminate the threat. In addition, the security service can share threat information to protect the entire network from similar threats.
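As an added illustration of the trusted-startup and trusted-measurement idea above (example code, not ZTE's implementation), the following simulates a measured boot chain for an NE together with a remote verifier that replays the event log and compares each stage against golden values; the TPM-style register, the stage names and the sample images are constructed for the example.

```python
import hashlib

# Simulated measured boot for a network element (NE): each stage is hashed and folded into
# a register as a TPM extends a PCR, new = SHA256(old || measurement), so it cannot be rewound.
REGISTER_INIT = bytes(32)

def measure(component: bytes) -> bytes:
    return hashlib.sha256(component).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    return hashlib.sha256(register + measurement).digest()

def boot_and_measure(stages):
    """Walk the boot chain in order; return the final register and the event log."""
    register, log = REGISTER_INIT, []
    for name, image in stages:
        m = measure(image)
        register = extend(register, m)
        log.append((name, m.hex()))
    return register, log

def replay_log(log):
    """Recompute the register from the event log alone, as a remote verifier does."""
    register = REGISTER_INIT
    for _, m_hex in log:
        register = extend(register, bytes.fromhex(m_hex))
    return register

def verify_attestation(quoted_register, log, golden):
    """Remote verifier: log must replay to the quoted register and each stage must match golden."""
    if replay_log(log) != quoted_register:
        return False, ["event log does not match quoted register"]
    failures = [name for name, m_hex in log if golden.get(name) != m_hex]
    return not failures, failures

# Constructed stand-ins for the NE's firmware, bootloader, OS image and VNF package.
GOOD_STAGES = [
    ("firmware", b"ne-firmware-v1"),
    ("bootloader", b"ne-bootloader-v1"),
    ("os", b"ne-os-image-v1"),
    ("vnf", b"ne-vnf-package-v1"),
]
# Golden measurements the management plane holds for this NE version (constructed here).
GOLDEN = {name: measure(img).hex() for name, img in GOOD_STAGES}

def attest(stages):
    """Boot the given chain and have the remote verifier judge it; returns (ok, failures)."""
    register, log = boot_and_measure(stages)
    return verify_attestation(register, log, GOLDEN)
```

A modified OS image changes its measurement and therefore the final register, so the verifier names the failing stage and the management plane can trigger recovery instead of admitting the NE.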
Each layer of the network is embedded with AI and federated learning (distributed machine learning) capabilities to implement network self-adaptation, self-awareness, and self-operation. Through rapid learning and training, AI and federated learning can detect, trace back, and analyze abnormalities in network traffic and behavior more accurately, and establish a ubiquitous interaction and coordination mechanism among the end, edge, network, and cloud intelligence entities of the telecom network. These technologies accurately perceive the state of network security, predict potential risks, and then complete self-optimization and self-evolution through an intelligent consensus decision-making mechanism to achieve active, in-depth security defense and automatic handling of security risks. They also provide practical security analysis and alarms to defend against various APT attacks.
From the four dimensions of automation security, defense, prediction, detection, and response, the native security system in a 5G trusted network emphasizes that security and protection are a continuous and cyclical process, and can build a self-adaptive security model for major business scenarios. Based on the self-adaptive security architecture, the native security system generates and coordinates defense, detection, response, and prediction capabilities to achieve self-discovery, self-repair, and self-balancing against security attacks. In this way, an independent security immunity can be built to provide an integrated network security service.
ZTE has been committed to building an end-to-end automated, AI-powered, resilient, and trusted native-security communication network to provide more secure and reliable products and services for customers around the world.