
CLC number: TP393
On-line Access: 2026-01-09
Received: 2025-04-17
Revision Accepted: 2025-10-15
Crosschecked: 2026-01-11
Deqiang ZHOU, Xinsheng JI, Wei YOU, Hang QIU, Jie YANG, Yu ZHAO, Mingyan XU. Dynamic trust-based service function chain deployment method for disrupting attack chains[J]. Frontiers of Information Technology & Electronic Engineering, in press. https://doi.org/10.1631/FITEE.2500218
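Dynamic trust-based service function chain deployment method for disrupting attack chains
1 Institute of Information Technology, Information Engineering University, Zhengzhou 450002, China
2 Purple Mountain Laboratories, Nanjing 211111, China
Abstract: Enhancing the security capability of a service function chain (SFC) by composing virtual network functions (VNFs) and allocating resources according to their security attributes is an effective response to vulnerability threats in cloud environments, and an important means of securing SFCs at the deployment stage. However, existing work that deploys SFCs based on trust does not consider the correlation between vulnerabilities along multi-step attack paths. As a result, existing security orchestration methods ignore the differences in trust among network entities and focus only on optimizing local trust. These steps secure the SFC by effectively cutting off attack paths. This paper proposes a novel hierarchical trust model to evaluate the differentiated trust of network entities caused by vulnerability correlation. Based on the trust evaluation, the virtual trust of the VNF composition is fully considered in the SFC composition stage, and the physical trust of physical node (PN) selection is fully considered in the SFC deployment stage, so as to disrupt attack paths in the SFC to the greatest extent. To this end, the security-aware and cost-optimized SFC composition and deployment (SCSCP) problem is formulated as an integer linear programming (ILP) problem, which is NP-hard. To solve the SCSCP problem, this paper proposes the joint trust and cost global optimization (JTCGO) algorithm, which dynamically updates trust parameters and globally solves for an SFC deployment solution comprising a VNF composition scheme and a PN selection scheme. Simulation results show that the proposed algorithm both provides the optimal SFC deployment scheme for requests and guarantees SFC trust at a controllable cost, thereby effectively resisting network attacks in complex security environments.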