WO2021174439A1 - Allocation resource of network slice - Google Patents


Info

Publication number: WO2021174439A1 (application PCT/CN2020/077752)
Authority: WO, WIPO (PCT)
Prior art keywords: network slice, security, network, security requirement, instance
Other languages: French (fr)
Inventors: Zhiyuan Hu, Jing PING, Wen Wei, Zhigang Luo
Original Assignee: Nokia Shanghai Bell Co., Ltd.; Nokia Solutions And Networks Oy; Nokia Technologies Oy
Application filed by Nokia Shanghai Bell Co., Ltd., Nokia Solutions And Networks Oy, Nokia Technologies Oy
Priority to CN202080097942.XA (CN115211159A)
Priority to PCT/CN2020/077752 (WO2021174439A1)
Publication of WO2021174439A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/60 Context-dependent security

Definitions

  • Embodiments of the present disclosure generally relate to communication techniques, and more particularly, to methods, devices and computer readable medium for allocation resource of network slices.
  • Embodiments of the present disclosure relate to a method for allocating network slices and corresponding devices.
  • a first device comprising at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to receive, from a second device, a request for allocation resource of network slice.
  • the first device is further caused to obtain a security requirement of the network slice from the request.
  • the first device is also caused to determine a list of security services based on the security requirement.
  • the first device is further caused to assign a network slice instance at least satisfying a security requirement indicated by the received request.
  • the first device is yet caused to transmit an indication of the assigned network slice instance to the second device.
  • a second device comprising at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the second device to generate a request for allocation resource of network slice, the request at least indicating a security requirement.
  • the second device is further caused to transmit the request to a first device.
  • the second device is yet caused to receive an indication of an assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
  • a method comprising receiving, at a first device and from a second device, a request for allocation resource of network slice.
  • the method also comprises obtaining a security requirement of the network slice from the request.
  • the method further comprises determining a list of security services based on the security requirement.
  • the method yet comprises assigning network slice instance supporting the list of security services.
  • the method further comprises transmitting an indication of the assigned network slice instance to the second device.
  • a method comprising generating a request for allocation resource of network slice, the request at least indicating a security requirement.
  • the method also comprises transmitting the request to a first device.
  • the method further comprises receiving an indication of the assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
  • an apparatus comprising means for receiving, at a first device and from a second device, a request for allocation resource of network slice; means for obtaining a security requirement of the network slice from the request; means for determining a list of security services based on the security requirement; means for assigning network slice instance supporting the list of security services; and means for transmitting an indication of the assigned network slice instance to the second device.
  • an apparatus comprising means for generating a request for allocation resource of network slice, the request at least indicating a security requirement; means for transmitting the request to a first device; and means for receiving an indication of the assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
  • a computer readable medium comprising program instructions for causing an apparatus to perform at least the method according to the above third or fourth aspect.
  • a computer program product that is stored on a computer readable medium and includes machine-executable instructions, wherein the machine-executable instructions, when being executed, cause the machine to perform the method according to the above third or fourth aspect.
  • Fig. 1 illustrates a schematic diagram of a communication system according to some example embodiments of the present disclosure.
  • Fig. 2 illustrates a block diagram of a network slicing system according to some example embodiments of the present disclosure.
  • Fig. 3 illustrates a flow chart of a method according to some example embodiments of the present disclosure.
  • Fig. 4 illustrates a schematic diagram of interactions between devices according to some example embodiments of the present disclosure.
  • Fig. 5 illustrates a schematic diagram of interactions between devices according to some example embodiments of the present disclosure.
  • Fig. 6 illustrates a flow chart of a method according to some example embodiments of the present disclosure.
  • Fig. 7 illustrates a simplified block diagram of an apparatus that is suitable for implementing example embodiments of the present disclosure.
  • Fig. 8 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
  • references in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • first and second etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments.
  • the term “and/or” includes any and all combinations of one or more of the listed terms.
  • circuitry may refer to one or more or all of the following:
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
  • the term “communication network” refers to a network following any suitable communication standards, such as Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT), New Radio (NR) and so on.
  • LTE Long Term Evolution
  • LTE-A LTE-Advanced
  • WCDMA Wideband Code Division Multiple Access
  • HSPA High-Speed Packet Access
  • NB-IoT Narrow Band Internet of Things
  • NR New Radio
  • the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.55G, the third generation (3G), the fourth generation (4G), 4.5G, the future fifth generation (5G) communication protocols, and/or any other protocols either currently known or to be developed in the future.
  • Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the a
  • the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom.
  • the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a NR NB (also referred to as a gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, an Integrated Access and Backhaul (IAB) node, a low power node such as a femto, a pico, and so forth, depending on the applied terminology and technology.
  • BS base station
  • AP access point
  • NodeB or NB node B
  • eNodeB or eNB evolved NodeB
  • NR NB also referred to as a gNB
  • terminal device refers to any end device that may be capable of wireless communication.
  • a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
  • UE user equipment
  • SS Subscriber Station
  • MS Mobile Station
  • AT Access Terminal
  • the terminal device may include, but not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/
  • network slicing used herein refers to a technology that allows multiple logical networks to be created on the top of a common shared physical infrastructure.
  • network slice used herein refers to an independent end-to-end logical network that runs on a shared physical infrastructure, capable of providing a negotiated service quality.
  • a network slice is self-contained in terms of operation and traffic flow and can have its own network architecture, engineering mechanisms and network provision. It in general is to architect, partition and organize virtualized network resource to enable flexible support of diverse use case realizations.
  • network slice instance used herein refers to an instance of network slice, which is created based on network slice blueprint/template/resource module.
  • network slicing orchestration used herein refers to automation and ability to customize enhances service performance and customer satisfaction. Orchestration enables the automation of creation and delivery of services.
  • network slice subnet used herein refers to a logical network that comprises a set of managed network functions and the required resources (e.g. compute, storage and networking resources).
  • network slice subnet instance used herein refers to an instance of network slice subnet, which is created based on network slice subnet blueprint/template/resource module.
  • network slicing is introduced to offer a different mix of capabilities to meet all these diverse requirements at the same time.
  • various types of users/customers can enjoy connectivity and data processing tailored to their specific requirements (for examples, data speed, quality, latency, reliability, security, and services) that adhere to a Service Level Agreement (SLA) agreed with the communication service providers.
  • SLA Service Level Agreement
  • end-to-end precision slicing, network slice reliability, network slice scalability and network slice lifecycle management.
  • network slice security is beginning to receive attention from academia and industry.
  • Network slice security includes several aspects, such as security for network slice management, security for network slice orchestration, access security for network slice.
  • Security for network slice orchestration is very important but has received little attention in the industry so far.
  • management security for network slices has been defined, for example, authentication, authorization, integrity protection, and confidentiality protection for the interface between the management service producer and the management service consumer.
  • network slice specific authentication and authorization, data confidentiality and integrity, user identity privacy and inter-slice security isolation have also been proposed.
  • Some further conventional technologies have defined security for network slice management exposure interface and integrity protection of Network Slice Subnet Template (NSST) .
  • NSST Network Slice Subnet Template
  • a first device receives a request for allocation resource of network slice from a second device.
  • the first device assigns the network slice instance which satisfies security requirement based on the request. In this way, different security requirements of different consumers can be satisfied.
  • Fig. 1 illustrates a schematic diagram of a communication system in which embodiments of the present disclosure can be implemented.
  • the communication system 100 comprises a first device 110 and a second device 120.
  • the communication system 100, which is a part of a communication network, comprises a device 130-1, a device 130-2, ..., a device 130-N, which can be collectively referred to as “third device(s) 130.”
  • One or more devices are associated with and covered by a cell. It is to be understood that the number of devices and cells shown in Fig. 1 is given for the purpose of illustration without suggesting any limitations.
  • the communication system 100 may comprise any suitable number of devices and cells.
  • the first device 110, the second device 120 and the third device 130 can communicate data and control information to each other.
  • the number of devices shown in Fig. 1 is given for the purpose of illustration without suggesting any limitations.
  • the second device 120 and the first device 110 are interchangeable.
  • the first device 110 may be a network device.
  • the first device 110 may be a core network device.
  • the second device 120 may communicate with the first device 110 to create a network slice instance.
  • the third devices 130 may communicate with each other over the network slice instance.
  • the third device 130 may be terminal devices.
  • the third device 130 may comprise network devices, for example, the third devices 130-3 and 130-4 may be network devices.
  • the number of third devices is only an example.
  • the third device 130 may be able to access the network slice instance.
  • the first device 110 will manage and monitor the status of network slice instance through third devices 130-3 and/or 130-4.
  • Communications in the communication system 100 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G) and the fifth generation (5G) and the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future.
  • IEEE Institute for Electrical and Electronics Engineers
  • the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiple Access (OFDMA) and/or any other technologies currently known or to be developed in the future.
  • CDMA Code Division Multiple Access
  • FDMA Frequency Division Multiple Access
  • TDMA Time Division Multiple Access
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • MIMO Multiple-Input Multiple-Output
  • OFDMA Orthogonal Frequency Division Multiple Access
  • Fig. 2 illustrates a block diagram of a network slicing system 200 according to some example embodiments of the present disclosure.
  • the network slicing system 200 is only an example not a limitation.
  • the network slicing system 200 may also comprise other modules which are not shown in Fig. 2.
  • the network slicing system 200 may be implemented at any suitable devices, for example, the first device 110.
  • the network slicing system 200 may comprise a network slice (NS) consuming portal 205 which can receive a request for allocation resource of network slice from a consumer, for example, a health care provider.
  • the network slicing system 300 may comprise a NS management and orchestration part 210.
  • the NS management module 2110 may support operations for a network slice instance.
  • the operations may be one or more of activation, supervision, performance reporting, resource capacity planning, and modification.
  • the NS data collection module 2120 may be configured to collect network data (for example, data related to service, network slice, network slice subnet, and/or network functions) to support improving network performance and efficiency to accommodate and support the diversity of services and requirements.
  • network data for example, data related to service, network slice, network slice subnet, and/or network functions
  • the NS management and orchestration part 210 may also comprise a NS data analytics module 2130 which is configured to utilize the collected network data to perform analytics in order to assist and complement management services for an optimum network performance and service assurance.
  • the NS instance inventory module 2160 may be configured to store the information about the available network slice instances.
  • the network slicing system 200 comprises a NS orchestration module 2140 which is configured to request the allocation resource of network slice. Further, network slice modules which describe static parameters and functional components of network slices are stored in a NS resource module 2150. In other embodiments, there are other modules in the network slicing system 200, for example, a NS security policy module 2170, a NS security data collection module 2180, and an NS security data analytic module 2190.
  • the NS security policy module 2170 may be configured to support reflecting security requirements of the requested network slice service to network slice security policy.
  • the NS security data collection module 2180 may be configured to collect security policy enforcement status on network data (e.g.
  • the NS security data analytic module 2190 may be configured to utilize the collected network data on security policy enforcement status to perform analytics for an optimum network slice security assurance. Details of the above modules are described later with reference to the following drawings.
  • a network slice may comprise a plurality of NS subnets (NSS), for example, a NSS 220-1, a NSS 220-2 or a NSS 220-3.
  • NSS NS subnets
  • the NSS may comprise one or more of the following: a NSS management module 2210, a NSS data collection module 2220, a NSS data analytics module 2230, a NSS orchestration module 2240, a NSS resource module 2250, a NSS instance inventory module 2260, a NSS security controlling module 2270, a NSS security data collection module 2280 and a NSS security data analytics module 2290.
  • the NS subnets may be divided based on different domains, for example, geographic area. Alternatively, the NS subnets may be divided based on different functions. For example, there may be one or more NS subnets which have certain security characteristics.
  • the NSS security controlling module 2270 may be configured to support setting network slice security policy to network slice subnet security controlling.
  • the NSS security data collection module 2280 may be configured to collect security policy enforcement status on network data (e.g. network slice, network slice subnet, and/or network functions related data) to support checking if security requirements for the requested network slice subnet are satisfied or not.
  • the NSS security data analytics module 2290 may be configured to utilize the collected network data on security policy enforcement status to perform analytics for an optimum network slice subnet security assurance.
  • the network slice system 200 may also comprise a network function virtualization management and orchestration (NFV-MANO) module 230 which is configured to manage the network function virtualization infrastructure (NFVI) and orchestrate the allocation of resources needed by the network services and virtual network functions (VNFs).
  • the NFV orchestrator (NFVO) module 240 in the network slice system 200 may be responsible for the orchestration of NFVI resources across multiple virtual infrastructure managements (VIMs) and the lifecycle management of network services.
  • the NFVO module may comprise a network service catalog module 2410, a VNF catalog module 2420, a VNF instance inventory 2430, and a NFVI resources module 2440.
  • the network slice system 200 may comprise a VNF manager (VNFM) which is configured to be responsible for the lifecycle management of VNF instances.
  • VNFM VNF manager
  • the virtualized infrastructure manager (VIM) module 270 may be configured to be responsible for controlling and managing the NFVI compute, storage and network resources. An SDN control module, including data forwarding policies, may be included in the VIM.
  • the NFV-MANO module 230 may also comprise a NFV security manager module 250 which is configured to manage the security on a network service over its entire lifecycle.
  • a security service catalog module 2510 in the NFV security manager module 250 may be a new logical function with the following capabilities: 1) to store all of the on-boarded security services; 2) to support the creation and management of the security service resource model; 3) to support creating a network slice subnet instance (i.e. NSS_security).
  • the NFV security manager module 250 may also comprise a virtual security function (VSN) catalog module 2520 which is a specific type of VNF catalog.
  • VSN virtual security function
  • the NFV security manager module 250 may further comprise a VSF instance 2530 which is a specific type of VNF instance.
  • the VSF used herein may refer to a special type of VNF with tailored security functionality (for example, firewall, IDS/IPS, virtualized security monitoring functions).
  • the network slice system 200 may comprise an NFVI security manager 230 which is configured to build and manage the security in the NFVI to support NFV security manager requests for managing the security of network services in a higher layer.
  • the VNF module 285 in the network slice system 200 may comprise a VNF and a virtual security function (VSF) which is a special type of VNF with tailored security functionality (for example, firewall, IDS/IPS, virtualized security monitoring functions).
  • VSF virtual security function
  • the NFVI-based Security Function module 290 may be a security function provided by the NFV Infrastructure. It includes virtualized security appliances or software security features (e.g. hypervisor-based firewalls) and hardware-based security appliances/modules/features (e.g.
  • the physical network function (PNF) module 295 in the network slice system 200 may comprise one or more PNFs and one or more physical security functions (PSFs), which are conventionally realized security functions in the physical part of the hybrid network.
  • PNF physical network function
  • Fig. 3 illustrates a signaling flow 300 of allocating the network slice according to some example embodiments of the present disclosure.
  • the signaling flow 300 may involve the first device 110 and the second device 120. It should be noted that the signaling flow shown in Fig. 3 is only an example.
  • Fig. 3 illustrates a flow chart of method 300 of allocating the network slice according to some example embodiments of the present disclosure.
  • the method 300 will be described with reference to Fig. 2.
  • the method 300 can be implemented at any suitable devices.
  • the method may be implemented at the first device 110.
  • the first device 110 receives a request for allocation resource of network slice from the second device 120.
  • the request can be transmitted to the first device 110 via the NS consuming portal 205.
  • the request indicates one or more characteristics of the network slice.
  • the request indicates a security requirement of the network slice.
  • the request may indicate network slice type.
  • the request may indicate the bandwidth of the network slice.
  • the characteristics may comprise priority of the network slice.
  • a latency requirement of the network slice may be indicated in the request.
  • the request may also indicate a throughput of the network slice and/or the maximum number of terminal devices accessing the network slice.
  • the first device 110 may perform authentication of the second device 120 based on a certificate or a pre-shared key.
  • the second device 120 may be authorized by the first device 110 based on a white/black list or an access control list (ACL).
  • ACL access control list
  • the first device 110 obtains a security requirement of the network slice from the request.
  • the first device 110 determines, at block 330, a list of security services based on the security requirement.
  • the first device 110 assigns a network slice instance supporting the list of security services.
  • the network slice instance at least satisfies the security requirement indicated in the request. For example, if the request indicates the requirement of isolating the hardware, the network slice may be allocated with isolated hardware. In this way, the security requirement of the requested network slice can be achieved.
  • the first device 110 may map the list of security services to the plurality of network slice resource module and obtain information of available network slice instances.
  • the first device 110 may obtain the security status of the available network slice instances and determine whether existing network slice instances satisfy the security requirement. If the existing network slice instances satisfy the security requirement, the first device 110 may determine the existing network slice instances to be the requested allocation resource of network slice subnet. If the existing network slice instances do not satisfy the profile of the network slice subnet, the first device 110 may create network slice instances based at least in part on the security requirement.
  • the first device 110 may map the list of security services to the plurality of network slice subnet resource modules and obtain information of available network slice subnet instances.
  • the first device 110 may obtain the security status of the available network slice subnet instances and determine whether existing network slice subnet instances satisfy the security requirement. If the existing network slice subnet instances satisfy the security requirement, the first device 110 may determine the existing network slice subnet instances to be the requested allocation resource of network slice subnet. If the existing network slice subnet instances do not satisfy the profile of the network slice subnet, the first device 110 may create network slice subnet instances based at least in part on the security requirement.
  • Figs. 4 and 5 illustrate schematic diagrams of interactions 400 and 500 of assigning the network slice instance according to some example embodiments of the present disclosure, respectively.
  • Fig. 4 shows the interaction of assigning the network slice instance at NS level
  • Fig. 5 shows the interaction of assigning the network slice subnet instance at NSS level.
  • the NS orchestration module 2140 may obtain 4005 the security requirement from the received request.
  • the NS orchestration module 2140 may determine 4010 a list of security service type based on the security requirement. For example, the NS orchestration module 2140 may determine that the isolation of data transport is required based on the security requirement.
  • the list of security service types may comprise virus detection and data cleaning.
  • the NS orchestration module 2140 may determine that tamper-proof for management data is needed.
  • the confidentiality protection for data during transmission may be included in the list of security service types.
  • the list of security service types may further comprise integrity protection for data during transmission.
  • the list of security service types may also comprise one or more of the following: hardware isolation, software isolation, anti-DDoS attack, anti-virus and anti-malware software. It should be noted that embodiments of the present disclosure are not limited in this aspect.
  • the NS orchestration module 2140 may access 4015 the NS resource module 2150 to obtain the security status of the network slice instances.
  • the NS resource module 2150 may store network slice modules which describe static parameters and functional components of network slices.
  • the NS orchestration module 2140 may map 4020 the received request, together with the list of security service types, to a suitable NS resource module.
  • a security profile of the suitable NS resource module may satisfy the security requirement indicated in the request.
  • the security profile of the suitable NS resource module may comprise data encryption.
  • data integrity validation may be included in the security profile.
  • the profile may also comprise data filtering and/or data cleaning.
  • the suitable NS resource module may be able to support required services indicated in the request.
  • the NS orchestration module 2140 may access 4025 the NS instance inventory module 2160 to obtain the information about the available network slice instances.
  • the NS orchestration module 2140 may determine 4030 whether an existing network slice instance satisfies the request.
  • the NS orchestration module 2140 may check whether the available network slice instances can support the required services based on the information obtained from the NS instance inventory module 2160.
  • the NS orchestration module 2140 may also check, based on the information obtained from the NS instance inventory module 2160, whether the available network slice instances are able to satisfy the security requirement in the request. If an existing network slice instance satisfies the security requirement, the NS orchestration module 2140 may assign 4035 that existing network slice instance to the requested allocation of network slice.
  • if no existing network slice instance satisfies the request, the NS orchestration module 2140 may create 4040 a new network slice instance.
  • the NS orchestration module 2140 may determine a plurality of subnets to create the network slice instance, for example, the subnets 220-1, 220-2 and 220-3.
  • the NS orchestration module 2140 may create the network slice instance by chaining the plurality of NS subnets.
  • the NS orchestration module 2140 may transmit a further request to the NSS orchestration module 2240 for allocating resources to the plurality of NS subnets, which is not shown in Fig. 4.
  • Fig. 5 shows the interaction of creating the network slice subnet instance at NSS level.
  • upon receiving the further request, the NSS orchestration module 2240 may authenticate and authorize the NS orchestration module 2140.
  • the NSS orchestration module 2240 may access 5015 the NSS resource module 2250.
  • the NSS resource module 2250 may store network slice subnet modules which describe static parameters and functional components of network slice subnets.
  • through the NSS resource module 2250, the security status of the network slice subnet instances may be obtained.
  • the NSS orchestration module 2240 may map 5020 the received request, together with the list of security service types, to a suitable NSS resource module.
  • a security profile of the suitable NSS resource module may satisfy the security requirement indicated in the further request.
  • the security profile of the suitable NSS resource module may comprise data encryption. In other example embodiments, data integrity validation may be included in the security profile.
  • the profile may also comprise data filtering and/or data cleaning.
  • the suitable NSS resource module may be able to support the required services indicated in the further request.
  • the NSS orchestration module 2240 may access 5025 the NSS instance inventory module 2260 to obtain the information about the available network slice subnet instances.
  • the NSS orchestration module 2240 may determine 5030 whether an existing network slice subnet instance satisfies the request.
  • the NSS orchestration module 2240 may check whether the available network slice subnet instances can support the required services based on the information obtained from the NSS instance inventory module 2260.
  • the NSS orchestration module 2240 may also check, based on the information obtained from the NSS instance inventory module 2260, whether the available network slice subnet instances are able to satisfy the security requirement in the further request.
  • if an existing network slice subnet instance does so, the NSS orchestration module 2240 may assign 5035 that existing network slice subnet instance to the requested allocation resource of network slice subnet.
  • the NSS orchestration module 2240 may provide the security status of the network slice subnet instance to the NS orchestration module 2140.
  • if no existing network slice subnet instance satisfies the further request, the NSS orchestration module 2240 may create 5040 a new network slice subnet instance.
  • to do so, the NSS orchestration module 2240 may transmit 5045 another request for allocation resource of network services to the NFV-MANO 230.
  • the NFV-MANO 230 may authenticate 5050 the other request based on certificates and authorize it based on an ACL or a white/black list.
  • the NFV-MANO 230 may assign 5055 one or more existing network service instances satisfying the security requirements to the requested allocation resource for the network slice subnet. Alternatively, the NFV-MANO 230 may create new network service instances for the requested allocation of the network slice subnet.
  • the NFV-MANO 230 may transmit 5060 a confirmation of the network services to the NSS orchestration module 2240. In some embodiments, the NSS orchestration module 2240 may confirm the allocation of network slice subnet instances to the NS orchestration module 2140.
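The NS-level flow of Fig. 4 (4005 to 4040) and the NSS-level flow of Fig. 5 (5015 to 5040) follow the same decision sequence: expand the security requirement into security service types, map them to a resource module whose security profile covers them, filter the instance inventory on current security status and on the required services, then reuse an existing instance or create a new one. The Python below is an added illustration written for this page, not the applicants' implementation; the `Orchestrator` class, the `SERVICE_TYPES` table, the data classes and the constructed catalogue in `build_demo()` are assumptions, and the reference numerals from the figures appear only in comments. One class serves both levels: the NS orchestrator creates a slice by chaining subnet instances that it obtains from the NSS orchestrator with the same security requirement.

```python
from dataclasses import dataclass
from itertools import count

# Security service types implied by each requirement keyword (assumption, built
# from the examples in the description; a real catalogue would be richer).
SERVICE_TYPES = {
    "isolation": {"hardware_isolation", "software_isolation"},
    "confidentiality": {"confidentiality_protection"},
    "integrity": {"integrity_protection"},
    "anti_malware": {"virus_detection", "data_cleaning"},
}

@dataclass(frozen=True)
class SliceRequest:
    slice_type: str          # required service, e.g. "eMBB"; a subnet type at NSS level
    security: frozenset      # security requirement keywords carried in the request
    max_devices: int = 1000  # one of the other characteristics of the request

@dataclass(frozen=True)
class ResourceModule:        # one template held by the NS/NSS resource module
    name: str
    slice_types: frozenset
    security_profile: frozenset   # security services the template can provide
    subnet_types: tuple = ()      # NS level only: subnets chained to build the slice

@dataclass
class Instance:
    ident: str
    module: ResourceModule
    enforced: frozenset      # security status: services actually enforced right now
    capacity_left: int
    subnets: tuple = ()

def security_service_types(security_requirement):
    """Expand the security requirement into the list of security service types."""
    services = set()
    for keyword in security_requirement:
        if keyword not in SERVICE_TYPES:
            raise ValueError(f"unknown security requirement: {keyword}")
        services |= SERVICE_TYPES[keyword]
    return frozenset(services)

class Orchestrator:
    """One orchestration module; instantiated once for NS and once for NSS."""
    _ids = count(1)

    def __init__(self, level, modules, inventory, subnet_orchestrator=None):
        self.level, self.modules = level, list(modules)   # resource module (2150/2250)
        self.inventory = list(inventory)                  # instance inventory (2160/2260)
        self.subnet_orchestrator = subnet_orchestrator

    def map_to_module(self, request, services):
        # A template qualifies if it supports the requested slice type and its
        # security profile covers every required security service.
        for m in self.modules:
            if request.slice_type in m.slice_types and services <= m.security_profile:
                return m
        raise LookupError(f"{self.level}: no resource module offers {sorted(services)}")

    def find_existing(self, request, services, module):
        # Reuse only if the instance comes from the chosen template, its *current*
        # security status enforces every required service, and capacity remains.
        for inst in self.inventory:
            if (inst.module is module and services <= inst.enforced
                    and inst.capacity_left >= request.max_devices):
                return inst
        return None

    def create(self, request, module):
        subnets = ()
        if self.subnet_orchestrator is not None:
            # NS level: chain subnet instances that each satisfy the same security
            # requirement (the "further request" sent to the NSS level).
            subnets = tuple(self.subnet_orchestrator.allocate(
                SliceRequest(t, request.security, request.max_devices))
                for t in module.subnet_types)
        # Creation is simulated: a fresh instance enforces the whole profile.
        return Instance(f"{self.level}-{next(self._ids)}", module,
                        module.security_profile, 10_000, subnets)

    def allocate(self, request):
        services = security_service_types(request.security)
        module = self.map_to_module(request, services)
        inst = self.find_existing(request, services, module)
        if inst is None:
            inst = self.create(request, module)
            self.inventory.append(inst)
        inst.capacity_left -= request.max_devices     # assign to this request
        return inst

def build_demo():
    """Constructed catalogue and inventory for the example (not operator data)."""
    base = frozenset({"confidentiality_protection", "integrity_protection"})
    iso = base | {"hardware_isolation", "software_isolation"}
    chain = ("ran", "transport", "core")
    nss = Orchestrator("nss", [ResourceModule(f"{t}-secure", frozenset({t}), iso)
                               for t in chain], inventory=[])
    basic = ResourceModule("embb-basic", frozenset({"eMBB"}), base, chain)
    isolated = ResourceModule("embb-isolated", frozenset({"eMBB"}), iso, chain)
    return Orchestrator("ns", [basic, isolated], inventory=[
        # Built from the basic template, but integrity protection currently down:
        Instance("ns-degraded", basic, frozenset({"confidentiality_protection"}), 5000),
        Instance("ns-healthy", basic, base, 5000),
    ], subnet_orchestrator=nss)
```

Note that `find_existing` checks the instance's current `enforced` status rather than only its template: the constructed inventory contains an instance built from the right template whose integrity protection has lapsed, and it is skipped in favour of a healthy one, which is the point of obtaining the security status in steps 4015/4030. The NFV-MANO exchange (5045 to 5060) is not modelled; a created subnet instance is simply assumed to enforce its template's full profile.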
  • the first device 110 transmits an indication of the assignment of the network slice instance to the second device 120.
  • the NS orchestration module 2140 may transmit the indication to the second device 120 via the NS consuming portal 205.
  • the NS orchestration module 2140 may also provide security status of the network slice instance to the second device 120.
  • the first device 110 may monitor data on the assigned network slice instance and determine, based on the monitored data, whether the security requirement of the network slice is still satisfied.
  • the data may refer to data related to the network slice instance or to the network slice subnet instances.
  • the NS security data collection module 2180 may collect the security policy enforcement status from the monitored data, to support checking whether the security requirements for the requested allocation resource of network slice are satisfied.
  • the NS security data analytic module 2190 may utilize the collected network data on security policy enforcement status to perform analytics for optimum network slice subnet security assurance.
  • the NS security policy module 2170 may support applying the network slice security policy to the security control of the network slice subnets. If the security requirement is not satisfied, the first device 110 may update the allocation resource of network slice. For example, the first device 110 may recreate or reassign the network slice instance.
  • the first device 110 may monitor the third device 130-1 through other devices, for example, the devices 130-3 and/or 130-4, which are network devices.
  • the first device 110 may also monitor the accessing data of the third device 130-1 as reported by the devices 130-3 and/or 130-4.
  • an abnormal behavior of the third device 130-1 may be detected by the first device 110 based on the accessing data of the third device 130-1 collected via the devices 130-3 and/or 130-4 on the network slice instance.
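As an added example that is not part of the original disclosure, the following Python sketches the two assurance steps described above: checking the collected security policy enforcement status against the requirement and choosing between keeping, reassigning or recreating the instance, and detecting abnormal behaviour of a third device from access data reported by the network devices that see its traffic. The data classes, the decision rule in `assurance_action`, the burst thresholds in `detect_abnormal`, and the constructed reports in `sample_reports()` and `sample_access()` are all assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class EnforcementStatus:
    """Security policy enforcement status collected from the monitored data."""
    instance: str      # NS or NSS instance the report refers to
    service: str       # security service type, e.g. "integrity_protection"
    enforced: bool
    reporter: str      # subnet or network device that produced the report

@dataclass(frozen=True)
class AccessRecord:
    """Accessing data of a third device, reported by a network device that sees it."""
    t: float
    device: str        # the monitored third device, e.g. a terminal
    via: str           # reporting network device
    slice_instance: str
    bytes_up: int

def unsatisfied_services(reports, instance, required):
    """Return the required security services that the collected status does not
    confirm for `instance`. A service counts as enforced only if every reporter
    that mentions it says so, so one failing subnet fails the whole slice."""
    status = {}
    for r in reports:
        if r.instance == instance:
            status[r.service] = status.get(r.service, True) and r.enforced
    return frozenset(s for s in required if not status.get(s, False))

def assurance_action(reports, instance, required):
    """Decide how to update the allocation. Rule chosen for this example: a
    service that no component reports at all cannot be fixed in place, so the
    instance is recreated; a service that is reported but not enforced is
    handled by reassigning the failing component."""
    missing = unsatisfied_services(reports, instance, required)
    if not missing:
        return "keep", missing
    reported = {r.service for r in reports if r.instance == instance}
    return ("recreate" if missing - reported else "reassign"), missing

def detect_abnormal(records, allowed, window=60.0, max_requests=20, max_bytes=5_000_000):
    """Detect abnormal behaviour of a third device from access data collected via
    the network devices. Two checks: use of a slice instance the device was not
    assigned to, and a request burst or byte volume above a threshold within a
    sliding window. Thresholds are example values (assumption)."""
    findings = []
    recent = defaultdict(deque)                 # device -> (t, bytes) within window
    for r in sorted(records, key=lambda x: x.t):
        if r.slice_instance not in allowed.get(r.device, ()):
            findings.append((r.device, "unauthorized_slice", r.via, r.t))
        q = recent[r.device]
        q.append((r.t, r.bytes_up))
        while q and q[0][0] < r.t - window:
            q.popleft()
        if len(q) > max_requests or sum(b for _, b in q) > max_bytes:
            findings.append((r.device, "burst", r.via, r.t))
            q.clear()                           # report each burst once
    return findings

def sample_reports():
    """Constructed enforcement reports: ns-1 has integrity protection failing in
    the core subnet; ns-2 never reports integrity protection at all."""
    return [
        EnforcementStatus("ns-1", "confidentiality_protection", True, "nss-ran"),
        EnforcementStatus("ns-1", "confidentiality_protection", True, "nss-core"),
        EnforcementStatus("ns-1", "integrity_protection", True, "nss-ran"),
        EnforcementStatus("ns-1", "integrity_protection", False, "nss-core"),
        EnforcementStatus("ns-2", "confidentiality_protection", True, "nss-ran"),
    ]

def sample_access():
    """Constructed access data for terminal ue-130-1 seen via gnb-130-3 and
    router-130-4: normal traffic, one access to a foreign slice, then a burst."""
    records = [AccessRecord(float(t), "ue-130-1", "gnb-130-3", "ns-1", 1000)
               for t in (0, 10, 20, 30, 40)]
    records.append(AccessRecord(50.0, "ue-130-1", "router-130-4", "ns-2", 1000))
    records += [AccessRecord(float(200 + i), "ue-130-1", "gnb-130-3", "ns-1", 1000)
                for i in range(25)]
    return records
```

The enforcement check is deliberately conservative: a single subnet reporting a required service as not enforced is enough to mark the slice's requirement as unsatisfied, which matches the description's point that slice-level security assurance is built from the subnet-level policy enforcement status.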
  • Fig. 6 illustrates a flow chart of method 600 of allocating the network slice according to some example embodiments of the present disclosure.
  • the method 600 can be implemented at any suitable device.
  • the method may be implemented at the second device 120.
  • the second device 120 generates a request for an allocation of the network slice.
  • the request indicates one or more characteristics of the network slice.
  • the request indicates a security requirement of the network slice.
  • the request may indicate network slice type.
  • the request may indicate the bandwidth of the network slice.
  • the characteristics may comprise priority of the network slice.
  • a latency requirement of the network slice may be indicated in the request.
  • the request may also indicate a throughput of the network slice and/or the maximum number of terminal devices accessing the network slice.
  • the second device 120 transmits the request to the first device 110.
  • the request can be transmitted to the first device 110 via the NS consuming portal 205.
  • the second device 120 may be authenticated by the first device 110 based on a certificate or a pre-shared key.
  • the second device 120 may be authorized by the first device 110 based on a white/black list or an access control list (ACL).
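Authentication with a pre-shared key followed by authorization against a white/black list or an ACL, as described above for the NS consuming portal (and likewise for the NSS orchestration module and the NFV-MANO at other points of the flow), can be implemented as follows. This is an added example for this page, not the applicants' code; the certificate-based variant is not shown. The message layout, the HMAC-SHA256 over a canonical encoding, the timestamp/nonce replay defence, and the credentials and ACL entries in `build_portal()` are all assumptions.

```python
import hashlib
import hmac
import json
import time

class AuthError(Exception):
    pass

def canonical(consumer, ts, nonce, body):
    """Deterministic byte encoding of everything the MAC covers. Binding the
    timestamp and nonce into the MAC ties it to one request (replay defence)."""
    return json.dumps({"consumer": consumer, "ts": ts, "nonce": nonce, "body": body},
                      sort_keys=True, separators=(",", ":")).encode()

def sign_request(consumer, psk, body, ts, nonce):
    """Second device side: build the allocation request authenticated with the PSK.
    `body` carries the characteristics of the slice (type, security requirement...)."""
    mac = hmac.new(psk, canonical(consumer, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"consumer": consumer, "ts": ts, "nonce": nonce, "body": body, "mac": mac}

class ConsumingPortal:
    """First device side. `psks`: consumer id -> pre-shared key. `acl`: consumer id ->
    what it may request (the white list). `blacklist` always wins over the ACL."""

    def __init__(self, psks, acl, blacklist=(), now=time.time, max_skew=60.0):
        self.psks, self.acl, self.blacklist = psks, acl, set(blacklist)
        self.now, self.max_skew = now, max_skew
        self.seen_nonces = set()          # (consumer, nonce) already accepted

    def authenticate(self, msg):
        psk = self.psks.get(msg["consumer"])
        if psk is None:
            raise AuthError("unknown consumer")
        if abs(self.now() - msg["ts"]) > self.max_skew:
            raise AuthError("stale request")
        if (msg["consumer"], msg["nonce"]) in self.seen_nonces:
            raise AuthError("replayed request")
        expected = hmac.new(psk, canonical(msg["consumer"], msg["ts"], msg["nonce"],
                                           msg["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):   # constant-time compare
            raise AuthError("bad authentication tag")
        self.seen_nonces.add((msg["consumer"], msg["nonce"]))   # only after success

    def authorize(self, consumer, body):
        if consumer in self.blacklist:
            raise AuthError("consumer is black-listed")
        entry = self.acl.get(consumer)
        if entry is None:
            raise AuthError("consumer is not on the white list")
        if body["slice_type"] not in entry["slice_types"]:
            raise AuthError("slice type not permitted")
        if not set(body["security"]) <= entry["security"]:
            raise AuthError("security level not permitted")

    def handle(self, msg):
        """Authenticate, then authorize. The detailed reason is for the audit log;
        the wire response to the consumer should stay generic."""
        try:
            self.authenticate(msg)
            self.authorize(msg["consumer"], msg["body"])
        except AuthError as err:
            return "rejected", str(err)
        return "accepted", None

def build_portal():
    """Constructed credentials and policy for the example (not real data)."""
    psks = {"consumer-120": b"demo-psk-120", "consumer-666": b"demo-psk-666"}
    acl = {"consumer-120": {"slice_types": {"eMBB"},
                            "security": {"confidentiality", "integrity"}},
           "consumer-666": {"slice_types": {"eMBB"}, "security": {"confidentiality"}}}
    # Fixed clock so the example is reproducible; use time.time in practice.
    return ConsumingPortal(psks, acl, blacklist={"consumer-666"},
                           now=lambda: 1_700_000_000.0)
```

Two details matter in practice: the nonce is recorded only after the tag verifies, so an attacker who cannot forge tags cannot burn nonces on behalf of a legitimate consumer, and the black list is consulted before the white list, so revoking a consumer does not depend on also editing every ACL entry that mentions it.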
  • the second device 120 receives an indication of the assignment of the network slice instance to the second device 120.
  • the indication may be received via the NS consuming portal 205.
  • the NS orchestration module 2140 may also provide security status of the network slice instance to the second device 120.
  • the second device 120 may receive a further indication of an updated allocation resource of the network slice if the security requirement is not satisfied.
  • the second device 120 may receive another indication of detection of an abnormal behavior of a third device 130.
  • an apparatus for performing the method 300 may comprise respective means for performing the corresponding steps in the method 300.
  • These means may be implemented in any suitable manner. For example, they can be implemented by circuitry or software modules.
  • the apparatus comprises means for receiving, at a first device and from a second device, a request for allocation resource of network slice; means for obtaining a security requirement of the network slice from the request; means for determining a list of security services based on the security requirement; means for assigning a network slice instance supporting the list of security services; and means for transmitting an indication of the assigned network slice instance to the second device.
  • the means for assigning the network slice instance comprises: means for mapping the list of security services to the network slice resource module; means for obtaining the information of the available network slice instances; means for obtaining the security status of the available network slice instances; means for determining whether an existing network slice instance satisfies the security requirement; means for, in accordance with a determination that the existing network slice instance satisfies the security requirement, determining the existing network slice instance to be the requested allocation resource of network slice; or means for, in accordance with a determination that the existing network slice instance does not satisfy the profile of the network slice, creating a new network slice instance based at least in part on the security requirement.
  • the means for creating the network slice instance comprises: means for assigning a plurality of network slice subnet instances which satisfy the security requirement and required services; means for creating the network slice instance by chaining the plurality of network slice subnet instances.
  • the means for assigning the plurality of network slice subnet instances comprises: means for mapping the list of security services to the plurality of network slice subnet resource modules; means for obtaining the information of the available network slice subnet instances; means for obtaining the security status of the available network slice subnet instances; means for determining whether existing network slice subnet instances satisfy the security requirement; means for, in accordance with a determination that the existing network slice subnet instances satisfy the security requirement, determining the existing network slice subnet instances to be the requested allocation resource of network slice subnet; or means for, in accordance with a determination that the existing network slice subnet instances do not satisfy the profile of the network slice subnet, creating network slice subnet instances based at least in part on the security requirement.
  • the apparatus further comprises means for in response to monitoring data on the network slice instance, determining whether the security requirement of the network slice is satisfied based on the data; and means for in accordance with a determination that the security requirement is dissatisfied, updating the allocation resource of network slice.
  • the apparatus further comprises means for detecting an abnormal behavior of a third device by monitoring accessing data of the third device on the network slice instance.
  • the apparatus comprises means for mapping the list of security services to a network slice resource module; means for obtaining security status of one or more network slice instances; and means for assigning the network slice instance based on the network slice resource module.
  • in some embodiments, the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
  • an apparatus for performing the method 600 may comprise respective means for performing the corresponding steps in the method 600.
  • These means may be implemented in any suitable manner. For example, they can be implemented by circuitry or software modules.
  • the apparatus comprises means for generating a request for allocation resource of network slice, the request at least indicating a security requirement; means for transmitting the request to a first device; and means for receiving an indication of the assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
  • the apparatus further comprises means for in accordance with a determination that the security requirement is dissatisfied, receiving a further indication of an update allocation resource of network slice.
  • the apparatus further comprises means for receiving, from the first device, another indication of detection of an abnormal behavior of a third device.
  • in some embodiments, the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
  • Fig. 7 is a simplified block diagram of a device 700 that is suitable for implementing embodiments of the present disclosure.
  • the device 700 may be provided to implement the communication device, for example the first device 110 or the second device 120 as shown in Fig. 1.
  • the device 700 includes one or more processors 710, one or more memories 720 coupled to the processor 710, and one or more communication modules 740 coupled to the processor 710.
  • the communication module 740 is for bidirectional communications.
  • the communication module 740 has at least one antenna to facilitate communication.
  • the communication interface may represent any interface that is necessary for communication with other network elements.
  • the processor 710 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
  • the device 700 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
  • the memory 720 may include one or more non-volatile memories and one or more volatile memories.
  • the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 724, an electrically programmable read only memory (EPROM) , a flash memory, a hard disk, a compact disc (CD) , a digital video disk (DVD) , and other magnetic storage and/or optical storage.
  • the volatile memories include, but are not limited to, a random access memory (RAM) 722 and other volatile memories that do not retain their contents while power is removed.
  • a computer program 730 includes computer executable instructions that are executed by the associated processor 710.
  • the program 730 may be stored in the ROM 724.
  • the processor 710 may perform any suitable actions and processing by loading the program 730 into the RAM 722.
  • the embodiments of the present disclosure may be implemented by means of the program 730 so that the device 700 may perform any process of the disclosure as discussed with reference to Figs. 2 and 6.
  • the embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
  • the program 730 may be tangibly contained in a computer readable medium which may be included in the device 700 (such as in the memory 720) or other storage devices that are accessible by the device 700.
  • the device 700 may load the program 730 from the computer readable medium to the RAM 722 for execution.
  • the computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like.
  • Fig. 8 shows an example of the computer readable medium 800 in form of CD or DVD.
  • the computer readable medium has the program 730 stored thereon.
  • in network functions virtualization (NFV), a virtualized network function may comprise one or more virtual machines running computer program codes on standard or general-purpose servers instead of customized hardware. Cloud computing or data storage may also be utilized.
  • in radio communications this may mean that node operations are carried out, at least partly, in a central unit (CU) (e.g. a server, host or node) operationally coupled to a distributed unit (DU) (e.g. a radio head/node). It is also possible that node operations will be distributed among a plurality of servers, nodes or hosts. It should also be understood that the distribution of labor between core network operations and base station operations may vary depending on implementation.
  • the server may generate a virtual network through which the server communicates with the distributed unit.
  • virtual networking may involve a process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network.
  • Such virtual network may provide flexible distribution of operations between the server and the radio head/node.
  • any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation.
  • in some embodiments, a CU-DU architecture is implemented.
  • the device 700 may be comprised in a central unit (e.g. a control unit, an edge cloud server, a server) operatively coupled (e.g. via a wireless or wired network) to a distributed unit (e.g. a remote radio head/node) .
  • the central unit (e.g. an edge cloud server) and the distributed unit may be stand-alone apparatuses communicating with each other via a radio path or via a wired connection. Alternatively, they may be in the same entity communicating via a wired connection, etc.
  • the edge cloud or edge cloud server may serve a plurality of distributed units or radio access networks.
  • at least some of the described processes may be performed by the central unit.
  • the device 700 may be instead comprised in the distributed unit, and at least some of the described processes may be performed by the distributed unit.
  • the execution of at least some of the functionalities of the device 700 may be shared between two physically separate devices (DU and CU) forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
  • CU-DU architecture may provide flexible distribution of operations between the CU and the DU. In practice, any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation.
  • the device 700 controls the execution of the processes, regardless of the location of the apparatus and regardless of where the processes/functions are carried out.
  • various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
  • the present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium.
  • the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the methods 300 and 600 as described above with reference to Figs. 3 and 6.
  • program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
  • the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
  • Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
  • Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
  • the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
  • the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
  • Examples of the carrier include a signal, computer readable medium, and the like.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.

Abstract

Embodiments of the present disclosure relate to allocation resource of network slices. According to embodiments of the present disclosure, a first device receives a request for allocation resource of network slice from a second device. The first device assigns the network slice instance which satisfies security requirement based on the request. In this way, different security requirements of different consumers can be satisfied.

Description

ALLOCATION RESOURCE OF NETWORK SLICE FIELD
Embodiments of the present disclosure generally relate to communication techniques, and more particularly, to methods, devices and computer readable medium for allocation resource of network slices.
BACKGROUND
With the development of mobile communication technologies, people's lives have been enriched. In the future, mobile communication will continue to develop, reaching segments of industry such as automotive, manufacturing, logistics and energy, as well as sectors such as finance, healthcare and others that are not currently fully exploiting the potential of mobile services. However, the above applications have different requirements. Some applications may require ultra-reliable communication, whereas others may require ultra-high-bandwidth communication or extremely low latency. So, the technology "network slicing" is introduced to offer a different mix of capabilities to meet all these diverse requirements at the same time.
SUMMARY
Generally, embodiments of the present disclosure relate to a method for allocating network slices and corresponding devices.
In a first aspect, there is provided a first device. The first device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to receive, from a second device, a request for allocation resource of network slice. The first device is further caused to obtain a security requirement of the network slice from the request. The first device is also caused to determine a list of security services based on the security requirement. The first device is further caused to assign a network slice instance at least satisfying a security requirement indicated by the received request. The first device is yet caused to transmit an indication of the assigned network slice instance to the second device.
In a second aspect, there is provided a second device. The second device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the second device to generate a request for allocation resource of network slice, the request at least indicating a security requirement. The second device is further caused to transmit the request to a first device. The second device is yet caused to receive an indication of an assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
In a third aspect, there is provided a method. The method comprises receiving, at a first device and from a second device, a request for allocation resource of network slice. The method also comprises obtaining a security requirement of the network slice from the request. The method further comprises determining a list of security services based on the security requirement. The method yet comprises assigning network slice instance supporting the list of security services. The method further comprises transmitting an indication of the assigned network slice instance to the second device.
In a fourth aspect, there is provided a method. The method comprises generating a request for allocation resource of network slice, the request at least indicating a security requirement. The method also comprises transmitting the request to a first device. The method further comprises receiving an indication of the assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
In a fifth aspect, there is provided an apparatus. The apparatus comprises means for receiving, at a first device and from a second device, a request for allocation resource of network slice; means for obtaining a security requirement of the network slice from the request; means for determining a list of security services based on the security requirement; means for assigning network slice instance supporting the list of security services; and means for transmitting an indication of the assigned network slice instance to the second device.
In a sixth aspect, there is provided an apparatus. The apparatus comprises means for generating a request for allocation resource of network slice, the request at least indicating a security requirement; means for transmitting the request to a first device; and means for receiving an indication of the assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
In a seventh aspect, there is provided a computer readable medium comprising program instructions for causing an apparatus to perform at least the method according to the above third or fourth aspect.
In an eighth aspect, there is provided a computer program product that is stored on a computer readable medium and includes machine-executable instructions, wherein the machine-executable instructions, when being executed, cause the machine to perform the method according to the above third or fourth aspect.
It is to be understood that the summary section is not intended to identify key or essential features of embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
Some example embodiments will now be described with reference to the accompanying drawings, where:
Fig. 1 illustrates a schematic diagram of a communication system according to some example embodiments of the present disclosure;
Fig. 2 illustrates a block diagram of a network slicing system according to some example embodiments of the present disclosure;
Fig. 3 illustrates a flow chart of a method according to some example embodiments of the present disclosure;
Fig. 4 illustrates a schematic diagram of interactions between devices according to some example embodiments of the present disclosure;
Fig. 5 illustrates a schematic diagram of interactions between devices according to some example embodiments of the present disclosure;
Fig. 6 illustrates a flow chart of a method according to some example embodiments of the present disclosure;
Fig. 7 illustrates a simplified block diagram of an apparatus that is suitable for implementing example embodiments of the present disclosure; and
Fig. 8 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
Throughout the drawings, the same or similar reference numerals represent the same or similar element.
DETAILED DESCRIPTION
Principle of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these embodiments are described only for the purpose of illustration and help those skilled in the art to understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. The disclosure described herein can be implemented in various manners other than the ones described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skills in the art to which this disclosure belongs.
References in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It shall be understood that although the terms “first” and “second” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a” , “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” , “comprising” , “has” , “having” , “includes” and/or “including” , when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof.
As used in this application, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable):
(i) a combination of analog and/or digital hardware circuit(s) with software/firmware and
(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions, and
(c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
As used herein, the term “communication network” refers to a network following any suitable communication standards, such as Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT), New Radio (NR) and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.55G, the third generation (3G), the fourth generation (4G), 4.5G, the future fifth generation (5G) communication protocols, and/or any other protocols either currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
As used herein, the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom. The network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a NR NB (also referred to as a gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, an Integrated Access and Backhaul (IAB) node, a low power node such as a femto, a pico, and so forth, depending on the applied terminology and technology.
The term “terminal device” refers to any end device that may be capable of wireless communication. By way of example rather than limitation, a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT). The terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like. In the following description, the terms “terminal device,” “communication device,” “terminal,” “user equipment” and “UE” may be used interchangeably.
The term “network slicing” used herein refers to a technology that allows multiple logical networks to be created on top of a common shared physical infrastructure. The term “network slice” used herein refers to an independent end-to-end logical network that runs on a shared physical infrastructure, capable of providing a negotiated service quality. A network slice is self-contained in terms of operation and traffic flow and can have its own network architecture, engineering mechanisms and network provision. In general, it architects, partitions and organizes virtualized network resources to enable flexible support of diverse use case realizations. The term “network slice instance” used herein refers to an instance of a network slice, which is created based on a network slice blueprint/template/resource module. The term “network slicing orchestration” used herein refers to the automation and ability to customize that enhance service performance and customer satisfaction. Orchestration enables the automation of creation and delivery of services. The term “network slice subnet” used herein refers to a logical network that comprises a set of managed network functions and the required resources (e.g. compute, storage and networking resources). The term “network slice subnet instance” used herein refers to an instance of a network slice subnet, which is created based on a network slice subnet blueprint/template/resource module.
As mentioned above, the technology “network slicing” is introduced to offer a different mix of capabilities to meet all these diverse requirements at the same time. With network slicing, various types of users/customers can enjoy connectivity and data processing tailored to their specific requirements (for examples, data speed, quality, latency, reliability, security, and services) that adhere to a Service Level Agreement (SLA) agreed with the communication service providers. However, there are some challenges for implementing full-scale end-to-end network slicing deployments for consumer, business and government segments, for example, end-to-end precision slicing, network slices reliability, network slices scalability, and network slice lifecycle management. One of the most important challenges is network slice security, which is beginning to receive attention from academia and industry.
Network slice security includes several aspects, such as security for network slice management, security for network slice orchestration, and access security for network slices. Security for network slice orchestration is very important but has received little attention in the industry so far.
In some conventional technologies, management security for network slices has been defined, for example, authentication, authorization, integrity protection, and confidentiality protection for the interface between the management service producer and the management service consumer. Moreover, network slice specific authentication and authorization, data confidentiality and integrity, user identification privacy and inter-slice security isolation have also been proposed. Some further conventional technologies have defined security for the network slice management exposure interface and integrity protection of the Network Slice Subnet Template (NSST). However, there is little research on security for network slice orchestration.
According to embodiments of the present disclosure, a first device receives a request for allocation resource of network slice from a second device. The first device assigns the network slice instance which satisfies security requirement based on the request. In this way, different security requirements of different consumers can be satisfied.
Fig. 1 illustrates a schematic diagram of a communication system in which embodiments of the present disclosure can be implemented. The communication system 100 comprises a first device 110 and a second device 120. The communication system 100, which is a part of a communication network, comprises a device 130-1, a device 130-2, ..., a device 130-N, which can be collectively referred to as “third device(s) 130.” One or more devices are associated with and covered by a cell. It is to be understood that the number of devices and cells shown in Fig. 1 is given for the purpose of illustration without suggesting any limitations. The communication system 100 may comprise any suitable number of devices and cells. In the communication system 100, the first device 110, the second device 120 and the third device 130 can communicate data and control information to each other. The number of devices shown in Fig. 1 is given for the purpose of illustration without suggesting any limitations. The second device 120 and the first device 110 are interchangeable. The first device 110 may be a network device. Alternatively, the first device 110 may be a core network device. The second device 120 may communicate with the first device 110 to create a network slice instance. After that, the third devices 130 may communicate with each other over the network slice instance. The third devices 130 may be terminal devices. Alternatively, the third devices 130 may comprise network devices; for example, the third devices 130-3 and 130-4 may be network devices. The number of third devices is only an example. The third devices 130 may be able to access the network slice instance. The first device 110 will manage and monitor the status of the network slice instance through the third devices 130-3 and/or 130-4.
Communications in the communication system 100 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G) and the fifth generation (5G) and the like, wireless local network communication protocols such as Institute of Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future. Moreover, the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiple Access (OFDMA) and/or any other technologies currently known or to be developed in the future.
Example embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings. Fig. 2 illustrates a block diagram of a network slicing system 200 according to some example embodiments of the present disclosure. The network slicing system 200 is only an example, not a limitation. The network slicing system 200 may also comprise other modules which are not shown in Fig. 2. The network slicing system 200 may be implemented at any suitable devices, for example, the first device 110.
As shown in Fig. 2, the network slicing system 200 may comprise a network slice (NS) consuming portal 205 which can receive a request for allocation resource of network slice from a consumer, for example, a health care provider. The network slicing system 200 may comprise a NS management and orchestration part 210. The NS management module 2110 may support operations for a network slice instance. For example, the operations may be one or more of activation, supervision, performance reporting, resource capacity planning, and modification.
The NS data collection module 2120 may be configured to collect network data (for example, data related to service, network slice, network slice subnet, and/or network functions) to support improving network performance and efficiency to accommodate and support the diversity of services and requirements.
In some embodiments, the NS management and orchestration part 210 may also comprise a NS data analytics module 2130 which is configured to utilize the collected network data to perform analytics in order to assist and complement management services for an optimum network performance and service assurance. The NS instance inventory module 2160 may be configured to store the information about the available network slice instances.
As shown in Fig. 2, the network slicing system 200 comprises a NS orchestration module 2140 which is configured to request the allocation resource of network slice. Further, network slice modules which describe static parameters and functional components of network slices are stored in a NS resource module 2150. In other embodiments, there are other modules in the network slicing system 200, for example, a NS security policy module 2170, a NS security data collection module 2180, and an NS security data analytic module 2190. For example, the NS security policy module 2170 may be configured to support reflecting security requirements of the requested network slice service to network slice security policy. In some example embodiments, the NS security data collection module 2180 may be configured to collect security policy enforcement status on network data (e.g. service, network slice, network slice subnet, and/or network functions related data) to support checking if security requirements for the requested network slice service are satisfied or not. The NS security data analytic module 2190 may be configured to utilize the collected network data on security policy enforcement status to perform analytics for an optimum network slice security assurance. Details of the above modules are described later with reference to the following drawings.
In some embodiments, a network slice may comprise a plurality of NS subnets (NSS), for example, a NSS 220-1, a NSS 220-2 or a NSS 220-3. For one NSS, there are some related modules. As shown in Fig. 2, the NSS (for example, the NSS 220-1) may comprise one or more of the following: a NSS management module 2210, a NSS data collection module 2220, a NSS data analytics module 2230, a NSS orchestration module 2240, a NSS resource module 2250, a NSS instance inventory module 2260, a NSS security controlling module 2270, a NSS security data collection module 2280 and a NSS security data analytics module 2290. The NS subnets may be divided based on different domains, for example, geographic area. Alternatively, the NS subnets may be divided based on different functions. For example, there may be one or more NS subnets which have certain security characteristics.
Functions of the above modules in the NSS are similar to the functions in the network slice, which will also be described later. For example, the NSS security controlling module 2270 may be configured to support setting network slice security policy to network slice subnet security controlling. In some embodiments, the NSS security data collection module 2280 may be configured to collect security policy enforcement status on network data (e.g. network slice, network slice subnet, and/or network functions related data) to support checking if security requirements for the requested network slice subnet are satisfied or not. Moreover, the NSS security data analytics module 2290 may be configured to utilize the collected network data on security policy enforcement status to perform analytics for an optimum network slice subnet security assurance.
The network slice system 200 may also comprise a network function virtualization management and orchestration (NFV-MANO) module 230 which is configured to manage the network function virtualization infrastructure (NFVI) and orchestrate the allocation of resources needed by the network services and virtual network functions (VNFs). The NFV orchestrator (NFVO) module 240 in the network slice system 200 may be responsible for the orchestration of NFVI resources across multiple virtualized infrastructure managers (VIMs) and the lifecycle management of network services. In some embodiments, the NFVO module may comprise a network service catalog module 2410, a VNF catalog module 2420, a VNF instance inventory 2430, and a NFVI resources module 2440.
In some example embodiments, the network slice system 200 may comprise a VNF manager (VNFM) which is configured to be responsible for the lifecycle management of VNF instances. The virtualized infrastructure manager (VIM) module 270 may be configured to be responsible for controlling and managing the NFVI compute, storage and network resources. An SDN control module including data forwarding policies may be included in the VIM.
As shown in Fig. 2, the NFV-MANO module 230 may also comprise a NFV security manager module 250 which is configured to manage the security of a network service over its entire lifecycle. Further, a security service catalog module 2510 in the NFV security manager module 250 may be a new logical function with the following capabilities: 1) to store all of the on-boarded security services; 2) to support the creation and management of the security service resource model; 3) to support creating a network slice subnet instance (i.e. NSS_security). The NFV security manager module 250 may also comprise a virtual security function (VSF) catalog module 2520 which is a specific type of VNF catalog. The NFV security manager module 250 may further comprise a VSF instance 2530 which is a specific type of VNF instance. The VSF used herein may refer to a special type of VNF with tailored security functionality (for example, firewall, IDS/IPS, virtualized security monitoring functions).
In an example embodiment, the network slice system 200 may comprise an NFVI security manager 230 which is configured to build and manage the security in the NFVI to support NFV security manager requests for managing the security of network services in a higher layer. The VNF module 285 in the network slice system 200 may comprise a VNF and a virtual security function (VSF) which is a special type of VNF with tailored security functionality (for example, firewall, IDS/IPS, virtualized security monitoring functions). The NFVI-based Security Function module 290 may be a security function provided by the NFV Infrastructure. It includes virtualized security appliances or software security features (e.g. hypervisor-based firewalls) and hardware-based security appliances/modules/features (e.g. Hardware Security Modules, Crypto Accelerators, or Trusted Platform Modules). The physical network function (PNF) module 295 in the network slice system 200 may comprise one or more PNFs and one or more physical security functions (PSFs), each of which is a conventionally realized security function in the physical part of the hybrid network.
Reference is now made to Fig. 3, which illustrates a flow chart of a method 300 of allocating the network slice according to some example embodiments of the present disclosure. For the purpose of discussion, the method 300 will be described with reference to Fig. 2. The method 300 may involve the first device 110 and the second device 120, and can be implemented at any suitable devices. For example, the method may be implemented at the first device 110. It should be noted that the flow shown in Fig. 3 is only an example.
At block 310, the first device 110 receives a request for allocation resource of network slice from the second device 120. The request can be transmitted to the first device 110 via the NS consuming portal 205. The request indicates one or more characteristics of the network slice. For example, the request indicates a security requirement of the network slice. In some embodiments, the request may indicate network slice type. Alternatively or in addition, the request may indicate the bandwidth of the network slice. The characteristics may comprise priority of the network slice. In some example embodiments, a latency requirement of the network slice may be indicated in the request. The request may also indicate a throughput of the network slice and/or the maximum number of terminal devices accessing the network slice.
In some embodiments, the first device 110 may perform authentication of the second device 120 based on a certificate or a pre-shared key. Alternatively or in addition, the second device 120 may be authorized by the first device 110 based on a white/black list or an access control list (ACL).
At block 320, the first device 110 obtains a security requirement of the network slice from the request. The first device 110 determines, at block 330, a list of security services based on the security requirement.
At block 340, the first device 110 assigns a network slice instance supporting the list of security services. The network slice instance at least satisfies the security requirement indicated in the request. For example, if the request indicates the requirement of isolating the hardware, the network slice may be allocated with isolated hardware. In this way, the security requirement of the requested network slice can be achieved.
In some example embodiments, the first device 110 may map the list of security services to the plurality of network slice resource modules and obtain information of available network slice instances. The first device 110 may obtain the security status of the available network slice instances and determine whether existing network slice instances satisfy the security requirement. If the existing network slice instances satisfy the security requirement, the first device 110 may determine the existing network slice instances to be the requested allocation resource of network slice. If the existing network slice instances do not satisfy the profile of the network slice, the first device 110 may create network slice instances based at least in part on the security requirement.
In other example embodiments, the first device 110 may map the list of security services to the plurality of network slice subnet resource modules and obtain information of available network slice subnet instances. The first device 110 may obtain the security status of the available network slice subnet instances and determine whether existing network slice subnet instances satisfy the security requirement. If the existing network slice subnet instances satisfy the security requirement, the first device 110 may determine the existing network slice subnet instances to be the requested allocation resource of network slice subnet. If the existing network slice subnet instances do not satisfy the profile of the network slice subnet, the first device 110 may create network slice subnet instances based at least in part on the security requirement.
Figs. 4 and 5 illustrate schematic diagrams of interactions 400 and 500 of assigning the network slice instance according to some example embodiments of the present disclosure, respectively. In particular, Fig. 4 shows the interaction of assigning the network slice instance at NS level and Fig. 5 shows the interaction of assigning the network slice subnet instance at NSS level.
As shown in Fig. 4, the NS orchestration module 2140 may obtain 4005 the security requirement from the received request. The NS orchestration module 2140 may determine 4010 a list of security service types based on the security requirement. For example, the NS orchestration module 2140 may determine that isolation of data transport is required based on the security requirement. Alternatively, the list of security service types may comprise virus detection and data cleaning. In some example embodiments, the NS orchestration module 2140 may determine that tamper-proofing of management data is needed. Confidentiality protection for data during transmission may be included in the list of security service types. In other embodiments, the list of security service types may further comprise integrity protection for data during transmission. The list of security service types may also comprise one or more of the following: hardware isolation, software isolation, anti-DDoS attack, anti-virus and anti-malware software. It should be noted that embodiments of the present disclosure are not limited in this aspect.
The NS orchestration module 2140 may access 4015 the NS resource module 2150 to obtain the security status of the network slice instances. As mentioned above, the NS resource module 2150 may store network slice modules which describe static parameters and functional components of network slices. The NS orchestration module 2140 may map 4020 the received request with the list of security service types to a suitable NS resource module. For example, a security profile of the suitable NS resource module may satisfy the security requirement indicated in the request. The security profile of the suitable NS resource module may comprise data encryption. In other example embodiments, data integrity validation may be included in the security profile. The profile may also comprise data filtering and/or data cleaning. Alternatively or in addition, the suitable NS resource module may be able to support the required services indicated in the request.
The NS orchestration module 2140 may access 4025 the NS instance inventory module 2160 to obtain the information about the available network slice instances. The NS orchestration module 2140 may determine 4030 whether an existing network slice instance satisfies the request. In some example embodiments, the NS orchestration module 2140 may check whether the available network slice instances can support the required services based on the information obtained from the NS instance inventory module 2160. The NS orchestration module 2140 may also check whether the available network slice instances are able to satisfy the security requirement in the request based on the information obtained from the NS instance inventory module 2160. If an existing network slice instance satisfies the security requirement, the NS orchestration module 2140 may assign 4035 the existing network slice instance to the requested allocation of network slice. If no existing network slice instance satisfies the security requirement, the NS orchestration module 2140 may create 4040 a new network slice instance. The NS orchestration module 2140 may determine a plurality of subnets to create the network slice instance, for example, the subnets 220-1, 220-2 and 220-3. The NS orchestration module 2140 may create the network slice instance by chaining the plurality of NS subnets. The NS orchestration module 2140 may transmit a further request to the NSS orchestration module 2240 for allocating resources to the plurality of NS subnets, which is not shown in Fig. 4. Fig. 5 shows the interaction of creating the network slice subnet instance at NSS level.
If the NSS orchestration module 2240 receives the further request from the NS orchestration module 2140, the NSS orchestration module 2240 may authenticate and authorize the NS orchestration module 2140. The NSS orchestration module 2240 may access 5015 the NSS resource module 2250. As mentioned above, the NSS resource module 2250 may store network slice subnet modules which describe static parameters and functional components of network slice subnets. The NSS resource module 2250 may obtain the security status of the network slice subnet instances. The NSS orchestration module 2240 may map 5020 the received request with the list of security service types to a suitable NSS resource module. For example, a security profile of the suitable NSS resource module may satisfy the security requirement indicated in the further request. The security profile of the suitable NSS resource module may comprise data encryption. In other example embodiments, data integrity validation may be included in the security profile. The profile may also comprise data filtering and/or data cleaning. Alternatively or in addition, the suitable NSS resource module may be able to support the required services indicated in the request.
The NSS orchestration module 2240 may access 5025 the NSS instance inventory module 2260 to obtain the information about the available network slice subnet instances. The NSS orchestration module 2240 may determine 5030 whether an existing network slice subnet instance satisfies the request. In some example embodiments, the NSS orchestration module 2240 may check whether the available network slice subnet instances can support the required services based on the information obtained from the NSS instance inventory module 2260. The NSS orchestration module 2240 may also check whether the available network slice subnet instances are able to satisfy the security requirement in the further request based on the information obtained from the NSS instance inventory module 2260. If an existing network slice subnet instance satisfies the security requirement, the NSS orchestration module 2240 may assign 5035 the existing network slice subnet instance to the requested allocation resource of network slice subnet. The NSS orchestration module 2240 may provide the security status of the network slice subnet instance to the NS orchestration module 2140.
If no existing network slice subnet instance satisfies the security requirement, the NSS orchestration module 2240 may create 5040 a new network slice subnet instance. The NSS orchestration module 2240 may transmit 5045 another request for allocation resource of network services to the NFV-MANO 230. The NFV-MANO 230 may perform 5050 authentication of the other request based on certificates and authorization of the other request based on an ACL or a white/black list.
After authentication and authorization, the NFV-MANO 230 may assign 5055 the requested allocation resource for the network slice subnet to one or more existing network service instances satisfying the security requirements. Alternatively, the NFV-MANO 230 may create new network service instances for the requested allocation of network slice subnet. The NFV-MANO 230 may transmit 5060 a confirmation of the network services to the NSS orchestration module 2240. In some embodiments, the NSS orchestration module 2240 may confirm the allocation of network slice subnet instances to the NS orchestration module 2140.
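The subnet-level procedure in steps 5015 through 5060 above, together with the slice-level assignment it serves (derive the list of security service types from the security requirement, reuse an existing instance whose security profile and security status satisfy it, otherwise create one from a suitable resource module and chain the subnet instances into a slice instance), written out as an added example in Python. This is not code from the patent or from the applicant; the requirement levels, service names, inventory structures and identifier formats are assumptions made for illustration.

```python
"""Security-aware allocation of a network slice from subnet instances (constructed example)."""
from dataclasses import dataclass


# Assumed mapping from the security requirement carried in the request to the
# list of security service types the slice must support (the levels are invented).
SECURITY_SERVICES_BY_REQUIREMENT = {
    "basic": ["data_encryption"],
    "enhanced": ["data_encryption", "data_integrity_validation"],
    "strict": ["data_encryption", "data_integrity_validation",
               "data_filtering", "data_cleaning"],
}


@dataclass
class ResourceModule:
    """Template describing static parameters of a subnet (the NSS resource module)."""
    name: str
    security_profile: set  # security services an instance of this module enforces
    services: set          # functional services it provides, e.g. {"ran"}


@dataclass
class SubnetInstance:
    instance_id: str
    security_profile: set
    services: set
    security_status: str   # "ok" or "degraded", as recorded in the instance inventory


@dataclass
class SliceInstance:
    instance_id: str
    subnets: list          # chained SubnetInstance objects


def security_services_for(requirement):
    """Step 'determine a list of security services based on the security requirement'."""
    if requirement not in SECURITY_SERVICES_BY_REQUIREMENT:
        raise ValueError(f"unknown security requirement: {requirement!r}")
    return list(SECURITY_SERVICES_BY_REQUIREMENT[requirement])


def subnet_satisfies(inst, required_security, required_services):
    # An instance whose security status is not "ok" is never reused even if its
    # profile lists the right services: the status reflects enforcement, the profile only intent.
    return (inst.security_status == "ok"
            and set(required_security) <= inst.security_profile
            and set(required_services) <= inst.services)


def slice_satisfies(sl, required_security, required_services):
    """An existing slice is reusable when its subnets jointly provide the required
    services and every subnet enforces the required security services."""
    provided = set().union(*(s.services for s in sl.subnets))
    return (set(required_services) <= provided
            and all(s.security_status == "ok" and set(required_security) <= s.security_profile
                    for s in sl.subnets))


def assign_subnet(subnet_inventory, resource_modules, required_security, service, created):
    """Reuse an existing subnet instance that satisfies the request; otherwise create one
    from the first resource module whose security profile satisfies the requirement."""
    for inst in subnet_inventory:
        if subnet_satisfies(inst, required_security, [service]):
            return inst
    for module in resource_modules:
        if set(required_security) <= module.security_profile and service in module.services:
            new = SubnetInstance(f"nssi-{module.name}-{len(subnet_inventory) + 1}",
                                 set(module.security_profile), set(module.services), "ok")
            subnet_inventory.append(new)
            created.append(new)
            return new
    raise LookupError(f"no resource module provides {service!r} with {required_security}")


def allocate_slice(request, slice_inventory, subnet_inventory, resource_modules):
    """Return (assigned slice instance, list of newly created subnet instances)."""
    required_security = security_services_for(request["security_requirement"])
    required_services = request["services"]
    for sl in slice_inventory:
        if slice_satisfies(sl, required_security, required_services):
            return sl, []
    created = []
    subnets = [assign_subnet(subnet_inventory, resource_modules, required_security, svc, created)
               for svc in required_services]
    new_slice = SliceInstance(f"nsi-{len(slice_inventory) + 1}", subnets)
    slice_inventory.append(new_slice)
    return new_slice, created
```

The deliberate choice here is that an instance is matched on both its declared security profile and its current security status: a subnet whose inventory status is "degraded" is skipped even when its profile lists every required service, which is the check steps 5025 and 5030 add over a plain capability lookup. When no resource module can satisfy the requirement, the allocation fails loudly instead of silently falling back to a weaker profile.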
Referring back to Fig. 3, at block 350, the first device 110 transmits an indication of the assignment of the network slice instance to the second device 120. For example, the NS orchestration module 2140 may transmit the indication to the second device 120 via the NS consuming portal 205. The NS orchestration module 2140 may also provide the security status of the network slice instance to the second device 120.
In some example embodiments, the first device 110 may monitor data on the assigned network slice instance. The first device 110 may determine whether the security requirement of the network slice is satisfied based on the monitored data. The data may refer to data related to the network slice instance or to the network slice subnet instances. For example, the NS security data collection module 2180 may collect the security policy enforcement status from the monitored data to support checking whether the security requirements for the requested allocation resource of network slice are satisfied or not. The NS security data analytic module 2190 may utilize the collected network data on security policy enforcement status to perform analytics for optimum network slice subnet security assurance. The NS security policy module 2170 may support setting the network slice security policy for network slice subnet security control. If the security requirement is not satisfied, the first device 110 may update the allocation resource of network slice. For example, the first device 110 may recreate or reassign the network slice instance.
After assigning the network slice instance, the first device 110 may monitor the third device 130-1 through other devices, for example the device 130-3 and/or 130-4, which are network devices. The first device 110 may also monitor the accessing data from the third device 130-3 and/or 130-4. An abnormal behavior of the third device 130-1 may be detected by the first device 110 based on the accessing data of the third device 130-1 observed via the device 130-3 and/or 130-4 on the network slice instance.
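The assurance loop of the two paragraphs above (check the security policy enforcement status collected on the assigned instance against the security requirement, update the allocation when it is not satisfied, and detect abnormal behavior of a terminal device from its access data observed through a network device), as an added example in Python that is not part of the patent. The record fields, the per-minute access threshold and the device identifiers are constructed for illustration.

```python
"""Security assurance and abnormal-behavior detection on an assigned slice (constructed example)."""
from collections import Counter, defaultdict

# Constructed enforcement-status records, as the NS security data collection module
# might gather them per subnet instance of the assigned slice (field names assumed).
ENFORCEMENT_STATUS = [
    {"nssi": "nssi-ran-1", "policy": "data_encryption", "enforced": True},
    {"nssi": "nssi-ran-1", "policy": "data_integrity_validation", "enforced": True},
    {"nssi": "nssi-core-3", "policy": "data_encryption", "enforced": True},
    {"nssi": "nssi-core-3", "policy": "data_integrity_validation", "enforced": False},
]

# Constructed access records of terminal devices observed through a network device
# (the "via" field) on the slice instance; "ts" is seconds since monitoring started.
ACCESS_DATA = [
    {"device": "ue-130-1", "via": "gnb-130-3", "ts": 5},
    {"device": "ue-130-1", "via": "gnb-130-3", "ts": 12},
    {"device": "ue-130-1", "via": "gnb-130-4", "ts": 20},
    {"device": "ue-130-1", "via": "gnb-130-4", "ts": 41},
    {"device": "ue-130-2", "via": "gnb-130-3", "ts": 30},
    {"device": "ue-130-2", "via": "gnb-130-3", "ts": 75},
]


def enforcement_violations(records, subnet_ids, required_security):
    """Return {subnet_id: [policies not enforced]} for the subnets of the slice.

    A required policy counts as violated when no record reports it enforced, so a
    missing record is treated like a failed one rather than as 'unknown, assume fine'.
    """
    enforced = defaultdict(set)
    for r in records:
        if r["enforced"]:
            enforced[r["nssi"]].add(r["policy"])
    violations = {}
    for nssi in subnet_ids:
        missing = [p for p in required_security if p not in enforced[nssi]]
        if missing:
            violations[nssi] = missing
    return violations


def plan_update(records, subnet_ids, required_security):
    """Decide whether the allocation must be updated and which subnets to reassign."""
    violations = enforcement_violations(records, subnet_ids, required_security)
    if not violations:
        return {"satisfied": True, "reassign": []}
    return {"satisfied": False, "reassign": sorted(violations)}


def detect_abnormal_devices(access_records, max_per_minute):
    """Flag devices whose access count in any one-minute window exceeds the threshold."""
    per_window = Counter((r["device"], r["ts"] // 60) for r in access_records)
    return sorted({dev for (dev, _), n in per_window.items() if n > max_per_minute})
```

Treating an absent enforcement record as a violation is the conservative reading of "determine whether the security requirement is satisfied based on the data": a subnet that stops reporting is indistinguishable from one that stopped enforcing, so it is reassigned rather than trusted. The access-rate check is deliberately simple; in practice the threshold would come from the request characteristics (for example the maximum number of terminal devices or the throughput) rather than a constant.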
Fig. 6 illustrates a flow chart of method 600 of allocating the network slice according to some example embodiments of the present disclosure. The method 600 can be implemented at any suitable device. For example, the method may be implemented at the second device 120.
At block 610, the second device 120 generates a request for an allocation of the network slice. The request indicates one or more characteristics of the network slice. For example, the request indicates a security requirement of the network slice. In some embodiments, the request may indicate network slice type. Alternatively or in addition, the request may indicate the bandwidth of the network slice. The characteristics may comprise priority of the network slice. In some example embodiments, a latency requirement of the network slice may be indicated in the request. The request may also indicate a throughput of the network slice and/or the maximum number of terminal devices accessing the network slice.
At block 620, the second device 120 transmits the request to the first device 110. For example, the request can be transmitted to the first device 110 via the NS consuming portal 205. In some embodiments, the second device 120 may be authenticated by the first device 110 based on a certificate or a pre-shared key. Alternatively or in addition, the second device 120 may be authorized by the first device 110 based on a white/black list or an access control list (ACL).
At block 630, the second device 120 receives an indication of the assignment of the network slice instance to the second device 120. For example, the indication may be received via the NS consuming portal 205. The NS orchestration module 2140 may also provide security status of the network slice instance to the second device 120.
In some embodiments, the second device 120 may receive a further indication of an update allocation resource of network slice if the security requirement is dissatisfied. Alternatively, the second device 120 may receive another indication of detection of an abnormal behavior of a third device 130.
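Blocks 610 through 630 seen from the provider's side of the exchange, as an added example in Python that is not taken from the patent: the consumer builds a request carrying the characteristics listed above, and the first device authenticates it with a pre-shared key and authorizes it against an ACL before returning an indication. An HMAC over the canonical request body is the assumed pre-shared-key mechanism (the patent also allows certificates); the field names, the ACL layout and the sample key are assumptions, and the assignment itself is left to the orchestrator.

```python
"""Consumer request for a network slice and its authentication/authorization at the provider (constructed example)."""
import hashlib
import hmac
import json

# Assumed pre-shared keys and ACL held by the first device (constructed sample values).
PSK_STORE = {"tenant-a": b"constructed-psk-for-tenant-a"}
# ACL: which slice types each consumer may request; a consumer absent from the ACL is denied.
ACL = {"tenant-a": {"eMBB", "URLLC"}}

REQUIRED_FIELDS = ("consumer", "security_requirement", "slice_type")


def build_request(consumer, security_requirement, slice_type, **characteristics):
    """Block 610: the request always carries a security requirement; the other
    characteristics (bandwidth_mbps, priority, latency_ms, throughput_mbps,
    max_terminals) are optional keyword arguments."""
    request = {"consumer": consumer, "security_requirement": security_requirement,
               "slice_type": slice_type}
    request.update(characteristics)
    return request


def _canonical(request):
    # Canonical JSON so that both sides authenticate exactly the same bytes.
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign_request(request, psk):
    """Tag computed by the second device over the request with its pre-shared key."""
    return hmac.new(psk, _canonical(request), hashlib.sha256).hexdigest()


def authenticate(request, tag, psk_store):
    psk = psk_store.get(request.get("consumer"))
    if psk is None:
        return False
    # Constant-time comparison of the received tag against the recomputed one.
    return hmac.compare_digest(sign_request(request, psk), tag)


def authorize(request, acl):
    return request["slice_type"] in acl.get(request["consumer"], set())


def handle_request(request, tag, psk_store=PSK_STORE, acl=ACL):
    """Block 620 as processed by the first device; the returned dict stands for the
    indication the second device receives at block 630."""
    if any(f not in request for f in REQUIRED_FIELDS):
        return {"status": "rejected", "reason": "malformed request"}
    if not authenticate(request, tag, psk_store):
        return {"status": "rejected", "reason": "authentication failed"}
    if not authorize(request, acl):
        return {"status": "rejected", "reason": "not authorized"}
    return {"status": "accepted", "consumer": request["consumer"],
            "security_requirement": request["security_requirement"]}
```

Authentication runs before authorization, and authorization before any orchestration work, so an unauthenticated or unauthorized request never reaches the resource modules or the instance inventory. Because the tag covers the whole canonical body, changing any characteristic in transit (for example the priority) invalidates it, which protects the security requirement the allocation is later checked against.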
In embodiments, an apparatus for performing the method 300 (for example, the first device 110) may comprise respective means for performing the corresponding steps in the method 300. These means may be implemented in any suitable manner. For example, they can be implemented by circuitry or software modules.
In some embodiments, the apparatus comprises means for receiving, at a first device and from a second device, a request for allocation resource of network slice; means for obtaining a security requirement of the network slice from the request; means for determining a list of security services based on the security requirement; means for assigning a network slice instance supporting the list of security services; and means for transmitting an indication of the assigned network slice instance to the second device.
In some embodiments, the means for assigning the network slice instance comprises: means for mapping the list of security services to the network slice resource module; means for obtaining the information of the available network slice instances; means for obtaining security status of the available network slice instances; means for determining whether an existing network slice instance satisfies the security requirement; means for in accordance with a determination that the existing network slice instance satisfies the security requirement, determining the existing network slice instance to be the requested allocation resource of network slice; or means for in accordance with a determination that the existing network slice instance dissatisfies the profile of the network slice, creating a new network slice instance based at least in part on the security requirement.
In some embodiments, the means for creating the network slice instance comprises: means for assigning a plurality of network slice subnet instances which satisfy the security requirement and required services; means for creating the network slice instance by chaining the plurality of network slice subnet instances.
In some embodiments, the means for assigning the plurality of network slice subnet instances comprises means for mapping the list of security services to the plurality of network slice subnet resource modules; means for obtaining the information of the available network slice subnet instances; means for obtaining security status of the available network slice subnet instances; means for determining whether existing network slice subnet instances satisfy the security requirement; in accordance with a determination that the existing network slice subnet instances satisfy the security requirement, means for determining the existing network slice subnet instances to be the requested allocation resource of network slice subnet; or in accordance with a determination that the existing network slice subnet instances dissatisfy the profile of the network slice subnet, means for creating network slice subnet instances based at least in part on the security requirement.
In some embodiments, the apparatus further comprises means for in response to monitoring data on the network slice instance, determining whether the security requirement of the network slice is satisfied based on the data; and means for in accordance with a determination that the security requirement is dissatisfied, updating the allocation resource of network slice.
In some embodiments, the apparatus further comprises means for detecting an abnormal behavior of a third device by monitoring accessing data of the third device on the network slice instance.
In some embodiments, the apparatus comprises means for mapping the list of security services to a network slice resource module; means for obtaining security status of one or more network slice instances; and means for assigning the network slice instance based on the network slice resource module.
In some embodiments, the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
In embodiments, an apparatus for performing the method 600 (for example, the second device 120) may comprise respective means for performing the corresponding steps in the method 600. These means may be implemented in any suitable manner. For example, they can be implemented by circuitry or software modules.
In some embodiments, the apparatus comprises means for generating a request for allocation resource of network slice, the request at least indicating a security requirement; means for transmitting the request to a first device; and means for receiving an indication of the assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
In some embodiments, the apparatus further comprises means for in accordance with a determination that the security requirement is dissatisfied, receiving a further indication of an update allocation resource of network slice.
In some embodiments, the apparatus further comprises means for receiving, from the first device, another indication of detection of an abnormal behavior of a third device.
In some embodiments, the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
Fig. 7 is a simplified block diagram of a device 700 that is suitable for implementing embodiments of the present disclosure. The device 700 may be provided to implement the communication device, for example the first device 110 or the second device 120 as shown in Fig. 1. As shown, the device 700 includes one or more processors 710, one or more memories 720 coupled to the processor 710, and one or more communication modules 740 coupled to the processor 710.
The communication module 740 is for bidirectional communications. The communication module 740 has at least one antenna to facilitate communication. The communication interface may represent any interface that is necessary for communication with other network elements.
The processor 710 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 700 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
The memory 720 may include one or more non-volatile memories and one or more volatile memories. Examples of the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 724, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), and other magnetic storage and/or optical storage. Examples of the volatile memories include, but are not limited to, a random access memory (RAM) 722 and other volatile memories that will not last in the power-down duration.
A computer program 730 includes computer executable instructions that are executed by the associated processor 710. The program 730 may be stored in the ROM 724. The processor 710 may perform any suitable actions and processing by loading the program 730 into the RAM 722.
The embodiments of the present disclosure may be implemented by means of the program 720 so that the device 700 may perform any process of the disclosure as discussed with reference to Figs. 2 and 6. The embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
In some example embodiments, the program 730 may be tangibly contained in a computer readable medium which may be included in the device 700 (such as in the memory 720) or in other storage devices that are accessible by the device 700. The device 700 may load the program 730 from the computer readable medium into the RAM 722 for execution. The computer readable medium may include any type of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like. Fig. 8 shows an example of the computer readable medium 800 in the form of a CD or DVD. The computer readable medium has the program 730 stored thereon.
It should be appreciated that future networks may utilize network functions virtualization (NFV) which is a network architecture concept that proposes virtualizing network node functions into “building blocks” or entities that may be operationally connected or linked together to provide services. A virtualized network function (VNF) may comprise one or more virtual machines running computer program codes using standard or general type servers instead of customized hardware. Cloud computing or data storage may also be utilized. In radio communications, this may mean node operations to be carried out, at least partly, in a central/centralized unit, CU, (e.g. server, host or node) operationally coupled to a distributed unit, DU, (e.g. a radio head/node). It is also possible that node operations will be distributed among a plurality of servers, nodes or hosts. It should also be understood that the distribution of labor between core network operations and base station operations may vary depending on implementation.
In an embodiment, the server may generate a virtual network through which the server communicates with the distributed unit. In general, virtual networking may involve a process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network. Such virtual network may provide flexible distribution of operations between the server and the radio head/node. In practice, any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation.
Therefore, in an embodiment, a CU-DU architecture is implemented. In such case the device 700 may be comprised in a central unit (e.g. a control unit, an edge cloud server, a server) operatively coupled (e.g. via a wireless or wired network) to a distributed unit (e.g. a remote radio head/node). That is, the central unit (e.g. an edge cloud server) and the distributed unit may be stand-alone apparatuses communicating with each other via a radio path or via a wired connection. Alternatively, they may be in a same entity communicating via a wired connection, etc. The edge cloud or edge cloud server may serve a plurality of distributed units or radio access networks. In an embodiment, at least some of the described processes may be performed by the central unit. In another embodiment, the device 700 may be instead comprised in the distributed unit, and at least some of the described processes may be performed by the distributed unit.
In an embodiment, the execution of at least some of the functionalities of the device 500 may be shared between two physically separate devices (DU and CU) forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes. In an embodiment, such CU-DU architecture may provide flexible distribution of operations between the CU and the DU. In practice, any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation. In an embodiment, the device 500 controls the execution of the processes, regardless of the location of the apparatus and regardless of where the processes/functions are carried out.
Generally, various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the methods 300 and 400 as described above with reference to Figs. 3 and 6. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present disclosure, the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above. Examples of the carrier include a signal, computer readable medium, and the like.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include but is not limited to an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
Although the present disclosure has been described in languages specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (28)

  1. A first device comprising:
    at least one processor; and
    at least one memory including computer program codes;
    the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to:
    receive, from a second device, a request for allocation resource of network slice;
    obtain a security requirement of the network slice from the request;
    determine a list of security services based on the security requirement;
    assign network slice instance supporting the list of security services; and
    transmit an indication of the assigned network slice instance to the second device.
  2. The first device of claim 1, wherein the first device is caused to assign the network slice instance by:
    mapping the list of security services to the network slice resource module;
    obtaining information of available network slice instances;
    obtaining security status of the available network slice instances;
    determining whether an existing network slice instance satisfies the security requirement;
    in accordance with a determination that the existing network slice instance satisfies the security requirement, determining the existing network slice instance to be the requested allocation resource of network slice; or
    in accordance with a determination that the existing network slice instance dissatisfies the profile of the network slice, creating a network slice instance based at least in part on the security requirement.
  3. The first device of claim 2, wherein the first device is caused to create the network slice instance by:
    assigning a plurality of network slice subnet instances which satisfy the security requirement and required services; and
    creating the network slice instance by chaining the plurality of network slice subnet instances.
  4. The first device of claim 3, wherein the first device is further caused to assign the plurality of network slice subnet instances by:
    mapping the list of security services to the plurality of network slice subnet resource module;
    obtaining information of available network slice subnet instances;
    obtaining security status of the available network slice subnet instances;
    determining whether existing network slice subnet instances satisfy the security requirement;
    in accordance with a determination that the existing network slice subnet instances satisfy the security requirement, determining the existing network slice subnet instances to be the requested allocation resource of network slice subnet; or
    in accordance with a determination that the existing network slice subnet instances dissatisfy the profile of the network slice subnet, creating network slice subnet instances based at least in part on the security requirement.
  5. The first device of claim 1, wherein the first device is further caused to:
    in response to monitoring data on the network slice instance, determine whether the security requirement of the requested allocation resource of network slice is satisfied; and
    in accordance with a determination that the security requirement is dissatisfied, update the allocation resource of network slice.
  6. The first device of claim 1, wherein the first device is further caused to:
    detect an abnormal behavior of a third device by monitoring accessing data of the third device on the network slice instance; and
    transmit a further indication of the detection of the abnormal behavior to the second device.
  7. The first device of claim 1, wherein the first device is further caused to:
    map the list of security services to a network slice resource module;
    obtain security status of one or more network slice instances; and
    assign the network slice instance based on the network slice resource module.
  8. The first device of any one of claims 1-7, wherein the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
  9. A second device comprising:
    at least one processor; and
    at least one memory including computer program codes;
    the at least one memory and the computer program codes are configured to, with the at least one processor, cause the second device to:
    generate a request for allocation resource of network slice, the request at least indicating a security requirement;
    transmit the request to a first device; and
    receive an indication of an assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
  10. The second device of claim 9, wherein the second device is further caused to:
    in accordance with a determination that the security requirement is dissatisfied, receive a further indication of an update allocation resource of network slice.
  11. The second device of claim 9, wherein the second device is further caused to:
    receive, from the first device, another indication of detection of an abnormal behavior of a third device.
  12. The second device of any one of claims 8-10, wherein the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
  13. A method comprising:
    receiving, at a first device and from a second device, a request for allocation resource of network slice;
    obtaining a security requirement of the network slice from the request;
    determining a list of security services based on the security requirement;
    assigning network slice instance supporting the list of security services; and
    transmitting an indication of the assigned network slice instance to the second device.
  14. The method of claim 13, wherein assigning the network slice instance comprises:
    mapping the list of security services to the network slice resource module;
    obtaining information of available network slice instances;
    obtaining security status of the available network slice instances;
    determining whether an existing network slice instance satisfies the security requirement;
    in accordance with a determination that the existing network slice instance satisfies the security requirement, determining the existing network slice instance to be the requested allocation resource of network slice; or
    in accordance with a determination that the existing network slice instance dissatisfies the profile of the network slice, creating the network slice instance based at least in part on the security requirement.
  15. The method of claim 14, wherein creating the network slice instance comprises:
    assigning a plurality of network slice subnet instances which satisfy the security requirement and required services; and
    creating a network slice instance by chaining the plurality of network slice subnet instances.
  16. The method of claim 15, wherein assigning the plurality of network slice subnet instances comprises:
    mapping the list of security services to the plurality of network slice subnet resource modules;
    obtaining information of available network slice subnet instances;
    obtaining security status of the available network slice subnet instances;
    determining whether existing network slice subnet instances satisfy the security requirement;
    in accordance with a determination that the existing network slice subnet instances satisfy the security requirement, determining the existing network slice subnet instances to be the requested allocation resource of network slice subnet; or
    in accordance with a determination that the existing network slice subnet instances dissatisfy the profile of the network slice subnet, creating network slice subnet instances based at least in part on the security requirement.
  17. The method of claim 13, further comprising:
    in response to monitoring data on the network slice instance, determining whether the security requirement of the network slice is satisfied based on the data; and
    in accordance with a determination that the security requirement is dissatisfied, updating the allocation resource of network slice.
  18. The method of claim 13, further comprising:
    detecting an abnormal behavior of a third device by monitoring accessing data of the third device on the network slice instance.
  19. The method of claim 13, further comprising:
    mapping the list of security services to a network slice resource module;
    obtaining security status of one or more network slice instances; and
    assigning the network slice instance based on the network slice resource module.
  20. The method of any one of claims 13-19, wherein the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
  21. A method comprising:
    generating, at a second device, a request for allocation resource of network slice, the request at least indicating a security requirement;
    transmitting the request to a first device; and
    receiving an indication of the assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
  22. The method of claim 21, further comprising:
    in accordance with a determination that the security requirement is dissatisfied, receiving a further indication of an update allocation resource of network slice.
  23. The method of claim 21, further comprising:
    receiving, from the first device, another indication of detection of an abnormal behavior of a third device.
  24. The method of any one of claims 21-23, wherein the first device is a network device, the second device is another network device, and the third device is a terminal device or a further network device.
  25. An apparatus comprising:
    means for receiving, at a first device and from a second device, a request for allocation resource of network slice;
    means for obtaining a security requirement of the network slice from the request;
    means for determining a list of security; and
    means for transmitting an indication of the assigned network slice instance to the second device.
  26. An apparatus comprising:
    means for generating a request for allocation resource of network slice, the request at least indicating a security requirement;
    means for transmitting the request to a first device; and
    means for receiving an indication of the assigned network slice instance from the first device, the assigned network slice instance at least satisfying the security requirement.
  27. A computer readable storage medium comprising program instructions stored thereon, the instructions, when executed by an apparatus, causing the apparatus to perform the method of any one of claims 13-20.
  28. A computer readable storage medium comprising program instructions stored thereon, the instructions, when executed by an apparatus, causing the apparatus to perform the method of any one of claims 21-24.
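As an added illustration, not code from the patent, the following Python model walks through the procedure of claims 13-24: the first device obtains the security requirement from the request, derives the list of security services, assigns an instance whose security status satisfies it, re-checks on monitoring data and updates the allocation when the requirement is dissatisfied, and flags abnormal access by a third device. The requirement-to-service table, the instance names and the access-log format are constructed assumptions, not specified by the claims.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed mapping from the security requirement carried in the request to the
# list of security services the slice must provide; the claims do not fix this table.
REQUIREMENT_TO_SERVICES: Dict[str, Set[str]] = {
    "basic": {"encryption"},
    "high": {"encryption", "integrity_protection", "isolation"},
}

@dataclass
class SliceInstance:
    name: str
    active_services: Set[str]  # security status reported for this instance

def required_services(requirement: str) -> Set[str]:
    """Obtain the list of security services for the requirement in the request."""
    return REQUIREMENT_TO_SERVICES[requirement]

def assign_instance(requirement: str, instances: List[SliceInstance]) -> Optional[SliceInstance]:
    """Assign the first instance whose security status satisfies the requirement."""
    needed = required_services(requirement)
    return next((i for i in instances if needed <= i.active_services), None)

def update_allocation(requirement: str, current: SliceInstance,
                      instances: List[SliceInstance], monitored: Set[str]) -> Optional[SliceInstance]:
    """Apply monitoring data to the assigned instance; keep it while the requirement
    is satisfied, otherwise re-assign to another satisfying instance (None if none)."""
    current.active_services = monitored
    if required_services(requirement) <= current.active_services:
        return current
    return assign_instance(requirement, [i for i in instances if i is not current])

def detect_abnormal_access(access_log: List[dict], threshold: int = 3) -> Set[str]:
    """Flag third devices whose access on the instance was rejected >= threshold times."""
    rejected: Dict[str, int] = {}
    for entry in access_log:
        if entry["result"] == "rejected":
            rejected[entry["device"]] = rejected.get(entry["device"], 0) + 1
    return {dev for dev, n in rejected.items() if n >= threshold}

# Constructed sample data: two candidate instances and an access log from one of them.
INSTANCES = [
    SliceInstance("nsi-a", {"encryption"}),
    SliceInstance("nsi-b", {"encryption", "integrity_protection", "isolation"}),
]
ACCESS_LOG = [
    {"device": "ue-7", "result": "rejected"}, {"device": "ue-7", "result": "rejected"},
    {"device": "ue-7", "result": "rejected"}, {"device": "ue-2", "result": "accepted"},
]
```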
PCT/CN2020/077752 2020-03-04 2020-03-04 Allocation resource of network slice WO2021174439A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080097942.XA CN115211159A (en) 2020-03-04 2020-03-04 Allocation resources of network slices
PCT/CN2020/077752 WO2021174439A1 (en) 2020-03-04 2020-03-04 Allocation resource of network slice

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/077752 WO2021174439A1 (en) 2020-03-04 2020-03-04 Allocation resource of network slice

Publications (1)

Publication Number Publication Date
WO2021174439A1 true WO2021174439A1 (en) 2021-09-10

Family

ID=77613899

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/077752 WO2021174439A1 (en) 2020-03-04 2020-03-04 Allocation resource of network slice

Country Status (2)

Country Link
CN (1) CN115211159A (en)
WO (1) WO2021174439A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023212891A1 (en) * 2022-05-06 2023-11-09 Nokia Shanghai Bell Co., Ltd. Apparatus, method, and computer program
WO2023240524A1 (en) * 2022-06-16 2023-12-21 Nokia Shanghai Bell Co., Ltd. Devices, methods, apparatuses, and computer readable media for network slice with high security

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017200978A1 (en) * 2016-05-16 2017-11-23 Idac Holdings, Inc. Security-based slice selection and assignment
CN108270823A (en) * 2016-12-30 2018-07-10 华为技术有限公司 A kind of service providing method, device and system
US20190021010A1 (en) * 2017-07-05 2019-01-17 Huawei Technologies Co., Ltd. Methods and systems for network slicing
CN109392096A (en) * 2017-08-04 2019-02-26 华为技术有限公司 A kind of resource allocation method and device
WO2019201017A1 (en) * 2018-04-19 2019-10-24 华为技术有限公司 Negotiation method and apparatus for security algorithm

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108024255A (en) * 2016-11-03 2018-05-11 华为技术有限公司 The method and the network equipment of extended network section example
CN108023757B (en) * 2016-11-03 2020-04-28 华为技术有限公司 Method, device and system for managing network slice instances
WO2018089634A1 (en) * 2016-11-11 2018-05-17 Intel IP Corporation Network slice management
CN108632058B (en) * 2017-03-18 2020-10-09 华为技术有限公司 Network slice management method and device
CN110138575B (en) * 2018-02-02 2021-10-08 中兴通讯股份有限公司 Network slice creating method, system, network device and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ERICSSON: "Isolation aspects of Network Slicing", 3GPP Draft S2-161482_SLICE_ISOLATION, 3GPP TSG SA WG2 meeting, Sophia Antipolis, France, 11-15 April 2016, submitted 5 April 2016, XP051086485 *

Also Published As

Publication number Publication date
CN115211159A (en) 2022-10-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 20923037; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 20923037; Country of ref document: EP; Kind code of ref document: A1