US-12627566-B2 - Dynamic re-constitution of a software defined perimeter (SDP) for micro-services network applications in a 5G/6G network
Abstract
Dynamic re-constitution of a software defined perimeter (SDP) for micro-services network applications in a 5G/6G telecommunications network includes authenticating both a device and also a user of the device seeking access to an initial set of network resources defining an initial SDP and, responsive to the authentication, generating an individual network communications link through a northbound API to one or more micro-services network applications of the initial SDP. Data traffic from the micro-services network applications is monitored over the link and the monitored data traffic is submitted to a predictor predicting a traffic pattern necessitating a change in the initial set of the network resources of the initial SDP. Finally, in response to the prediction of the traffic patterns, a new SDP is defined with a different set of the network resources, the network communications link terminated, and a new communications link established between the authenticated device and the new SDP.
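The lifecycle the abstract describes (authenticate device and user, attach one per-device link to the northbound API, monitor, predict, re-constitute) as an added Python simulation; this is not code from the patent or from eBOS Technologies. The resource names, the allowed device/user pairs, the utilisation figures and the threshold heuristic standing in for the claimed CNN predictor are all assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Sdp:
    resources: FrozenSet[str]   # minimal resource set exposed to the micro-services
    link_id: Optional[str]      # the single per-device link to the northbound API, or None

# Constructed (device, user) pairs: both halves must match before a link opens.
ALLOWED = {("dev-01", "alice")}
LOW_UTIL = 0.10  # assumption: below this share of capacity a resource counts as unused

def initial_sdp(apps: Dict[str, FrozenSet[str]]) -> Sdp:
    """Minimal set = union of what the selected micro-services actually need."""
    return Sdp(frozenset().union(*apps.values()), None)

def open_link(sdp: Sdp, device: str, user: str, link_id: str) -> Sdp:
    """Authenticate the device AND its user, then attach the individual link."""
    if (device, user) not in ALLOWED:
        raise PermissionError("device/user pair not authenticated")
    return replace(sdp, link_id=link_id)

def predict(sdp: Sdp, traffic: Dict[str, float]) -> Tuple[str, FrozenSet[str]]:
    """Threshold stand-in for the claimed CNN. `traffic` maps each resource
    touched over the link to its observed utilisation in [0, 1]."""
    if set(traffic) - sdp.resources:
        # traffic towards a resource the SDP never exposed: treated as intrusion pattern
        return "intrusion", frozenset()
    keep = frozenset(r for r in sdp.resources if traffic.get(r, 0.0) >= LOW_UTIL)
    if keep != sdp.resources:
        return "reduce", keep        # under-utilised resources drop out of the new SDP
    return "keep", sdp.resources

def reconstitute(sdp: Sdp, device: str, user: str,
                 traffic: Dict[str, float], next_link: str) -> Sdp:
    """One monitoring cycle: predict, define the new SDP, terminate the old link,
    open a new one. After an intrusion verdict this example exposes nothing and
    opens no link; the claims leave that choice to policy, so it is an assumption."""
    verdict, resources = predict(sdp, traffic)
    if verdict == "keep":
        return sdp
    new_sdp = Sdp(resources, None)   # the old link dies with the old SDP
    if verdict == "intrusion":
        return new_sdp
    return open_link(new_sdp, device, user, next_link)
```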
Inventors
- Loizos Christofi
- Stelios Christofi
- Fanos Christofi
Assignees
- eBOS Technologies
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2023-06-21
Claims (15)
- 1. A method for the minimization of network resource exposure in a software defined perimeter (SDP) for micro-services network applications in a 5G/6G telecommunications network comprising: selecting a set of micro-services network applications for access by a specific end user by a specific end user device; determining a minimal set of resources necessary for the operation of the set of the micro-services network applications; configuring an initial SDP with the determined minimal set of resources; authenticating the specific end user and the specific end user device into accessing the SDP of an individual data communications link over which no other device is granted access between the specific end user device and a northbound application programming interface (API) to the set of the micro-services network applications; performance monitoring the micro-services network applications in the SDP and submitting data from the performance monitoring to a predictor, the predictor predicting a new minimal set of resources; and, responsive to the prediction of the new minimal set of resources, defining a new SDP with the new minimal set of resources, terminating the data communications link, establishing a new data communications link between the authenticated device and the new SDP.
- 2. The method of claim 1, wherein the data is data traffic from the micro-services network applications over the individual data communications link, the predictor predicting a traffic pattern necessitating the new minimal set of resources.
- 3. The method of claim 1, wherein the data is a traffic pattern between the specific end user device and one or more of the micro-services network applications, which indicates an attempted intrusion.
- 4. The method of claim 1, wherein the data is a traffic pattern between one or more of the micro-services network applications and the resources of the determined minimal set of resources of the initial SDP which indicates an under-utilization of the network resources of the initial SDP necessitating a reduction in the network resources in the new SDP.
- 5. The method of claim 1, wherein the predictor is a convolutional neural network trained with a set of data consisting of input performance data of the micro-services network applications in a corresponding SDP defined for a specified set of network resources and a corresponding annotation of a utilization of the specified set of network resources.
- 6. A data processing system adapted for the dynamic re-constitution of a software defined perimeter (SDP) for network applications in a 5G/6G telecommunications network, the system comprising: a host computing platform hosting in memory a multiplicity of central units (CUs) of the 5G/6G telecommunications network, the CU comprising a communicative coupling to a multiplicity of different distributed units (DUs), at least one of the DUs comprising an antenna transmitting over millimeter wave frequencies, the platform comprising one or more computers, each comprising memory and at least one processor; and, an SDP dynamic re-constitution module operating in concert with a network controller and disposed within the host computing platform, the module comprising computer program instructions enabled while executing in the memory of the host computing platform to perform: authenticating both a device and also a user of the device seeking access to an initial set of network resources defining an initial SDP; directing the network controller to generate an individual network communications link over which no other device is granted access between the authenticated device and a northbound application programming interface (API) to one or more micro-services network applications of the initial SDP provisioned for use by the authenticated device; monitoring data traffic from the micro-services network applications over the individual network communications link and submitting the monitored data traffic to a predictor, the predictor predicting a traffic pattern necessitating a change in the initial set of the network resources of the initial SDP; and, responsive to the prediction of the new minimal set of resources, defining a new SDP with a different set of the network resources, terminating the network communications link, establishing a new communications link between the authenticated device and the new SDP.
- 7. The system of claim 6, further comprising an SDP gateway agent positioned behind a firewall in the network that has been configured in a deny-all state, the SDP gateway agent inspecting a log for the firewall in order to identify single packet authentication (SPA) packets so that the computer program instructions perform both the authenticating of both the device and the user of the device, and also the generating of the individual network communications link, responsive to each identified one of the SPA packets.
- 8. The system of claim 7, wherein the firewall is deployed as part of a stack managed by an SDP controller operating at a virtual network function (VNF) level and in front of the micro-services network applications.
- 9. The system of claim 6, wherein the traffic pattern indicates an attempted intrusion.
- 10. The system of claim 6, wherein the traffic pattern indicates an under-utilization of the network resources of the initial SDP necessitating a reduction in the network resources in the new SDP.
- 11. A computing device comprising a non-transitory computer readable storage medium having program instructions stored therein, the instructions being executable by at least one processing core of a processing unit to cause the processing unit to perform the dynamic re-constitution of a software defined perimeter (SDP) for network applications in a 5G/6G telecommunications network, the dynamic re-constitution including: authenticating both a device and also a user of the device seeking access to an initial set of network resources defining an initial SDP; generating an individual network communications link over which no other device is granted access between the authenticated device and a northbound application programming interface (API) to one or more micro-services network applications of the initial SDP provisioned for use by the authenticated device; monitoring data traffic from the micro-services network applications over the individual network communications link and submitting the monitored data traffic to a predictor, the predictor predicting a traffic pattern necessitating a change in the initial set of the network resources of the initial SDP; and, responsive to the prediction of the new minimal set of resources, defining a new SDP with a different set of the network resources, terminating the network communications link, establishing a new communications link between the authenticated device and the new SDP.
- 12. The device of claim 11, wherein the dynamic re-constitution further includes: configuring an SDP gateway agent behind a firewall in the network that has been configured in a deny-all state; inspecting by the SDP gateway agent, a log for the firewall in order to identify single packet authentication (SPA) packets; and, performing both the authenticating of both the device and the user of the device, and also the generating of the individual network communications link, responsive to each identified one of the SPA packets.
- 13. The device of claim 12, wherein the dynamic re-constitution further includes deploying the firewall as part of a stack managed by an SDP controller operating at a virtual network function (VNF) level and in front of the micro-services network applications.
- 14. The device of claim 11, wherein the traffic pattern indicates an attempted intrusion.
- 15. The device of claim 11, wherein the traffic pattern indicates an under-utilization of the network resources of the initial SDP necessitating a reduction in the network resources in the new SDP.
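Claims 7 and 12 place the SDP gateway agent behind a deny-all firewall and have it identify SPA packets from the firewall's log before any device or user is authenticated. The following added Python example (not the patent's or eBOS Technologies' code) shows the gateway-agent side of that check on constructed log lines; the patent specifies neither the SPA packet layout nor the log syntax, so the HMAC-tagged payload, the shared key, the port, the freshness window and the log format are all assumptions.

```python
import base64
import hashlib
import hmac
import re

# Assumed shared key, SPA port, freshness window and deny-all firewall log syntax.
SPA_KEY = b"constructed-demo-key"
SPA_PORT = 62201
WINDOW = 30  # seconds; an SPA packet older than this is rejected (replay protection)
LOG_RE = re.compile(r"action=DROP src=(?P<src>\S+) dport=(?P<port>\d+) payload=(?P<payload>\S+)")

def build_spa(device: str, user: str, ts: int, key: bytes = SPA_KEY) -> str:
    """Client side (for constructing samples): body 'device|user|ts' + HMAC-SHA256 tag."""
    body = f"{device}|{user}|{ts}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()

def spa_from_log_line(line: str, now: int, seen: set, key: bytes = SPA_KEY):
    """Gateway-agent side: return (device, user, src) when a dropped packet is a
    valid, fresh, never-before-seen SPA packet, else None. `seen` keeps accepted
    bodies so a captured packet cannot be replayed inside the window."""
    m = LOG_RE.search(line)
    if not m or int(m["port"]) != SPA_PORT:
        return None                      # ordinary dropped traffic, not an SPA knock
    try:
        raw = base64.b64decode(m["payload"], validate=True)
    except ValueError:
        return None
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(tag) != 32 or not hmac.compare_digest(expected, tag):
        return None                      # forged or corrupted packet
    try:
        device, user, ts_text = body.decode().split("|")
        ts = int(ts_text)
    except ValueError:
        return None
    if abs(now - ts) > WINDOW or body in seen:
        return None                      # stale or replayed
    seen.add(body)
    return device, user, m["src"]

if __name__ == "__main__":
    now, seen = 1700000000, set()
    knock = build_spa("dev-01", "alice", now - 3)   # constructed sample
    print(spa_from_log_line(f"action=DROP src=198.51.100.7 dport=62201 payload={knock}", now, seen))
```

A hit is what triggers the authentication of the device and user and the creation of the individual link in the claims; the deny-all rule itself never changes, so a device that cannot produce a valid packet sees no open port.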
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority under 35 U.S.C. § 119(a) to Greece patent application number 20230100446, filed on Jun. 2, 2023, the entire teachings of which are incorporated herein by reference.
BACKGROUND OF THE INVENTION
Field of the Invention
The present invention relates to the field of network resource allocation in an advanced cellular telecommunications network and more particularly to network resource allocation in a software defined network (SDN).
Description of the Related Art
The SDN is a technology that separates the control plane management of the different connected network devices from the underlying data plane that forwards network traffic to those devices. In this regard, an SDN architecture features software-defined controllers abstracted from the underlying network hardware, while offering intent-based or policy-based management of the network as a whole. This results in a network that is better aligned with the needs of application workloads through automated provisioning, programmatic network management, pervasive application-oriented visibility and, where needed, direct integration with cloud orchestration platforms. The separation of the control plane from the data plane remains the paramount feature of the SDN. Yet the SDN is more than that: it has a centralized or distributed intelligent entity that enjoys a complete view of the network and makes routing and switching decisions based on that view. In comparison, legacy network routers and switches only know about neighboring network equipment. With a properly configured SDN environment, however, that central entity can control everything, from easily changing policies to simplifying configuration and automation across the enterprise.
As can be seen, the principle of the SDN finds wide application not only in the management of a computer communications network, but also in the implementation and management of a cellular telecommunications network that incorporates a computer communications network. As to the latter, the SDN forms an integral part of the current and emerging cellular telephony space such as 5G or 6G. The SDN includes two different application programming interfaces (APIs): southbound and northbound. The southbound API is the protocol specification that enables communication between controllers and switches and other network nodes, that is, with the lower-level components. The southbound API further allows the router to identify network topology, determine network flows and implement requests sent to it via northbound interfaces. In contrast, the northbound API allows communication amongst the higher-level components. While a traditional network relies upon a firewall or load balancer to control data plane behavior, the SDN installs applications that use the controller, and these applications communicate with the controller through its northbound interface. In the context of the SDN, these applications are known as micro-services network applications. Of note, the northbound API provides the functionality necessary for micro-services network applications seeking deployment in the SDN to ensure that the desired resources, including memory and processor resources, are available and allocated to the micro-services network applications in a self-service model. To that end, the northbound API in the SDN, particularly in a mobile communications network model such as 5G, usually is static in form.
As such, when deploying a micro-services network application to the mobile network, the micro-services network application can configure its desired resources only insofar as an understanding exists between the micro-services network application to be deployed and the current state of the northbound API. But the northbound API can change over time. Part of the configuration of resources for access through the northbound API is the desirability of providing access only to those resources absolutely required for the effective operation of the associated micro-services network applications. The provisioning of additional, unnecessary resources results in an overprovisioned environment. In all aspects of computing, the overprovisioned environment oftentimes results in depriving other applications of access to needed resources. As well, the overprovisioned environment presents an unnecessary security risk by exposing the unneeded resources to actors of malicious intent. To address the former, the notion of the SDP allows for a substantially more secure execution container for an application. Common in the domain of traditional enterprise network architecture, and often referred to as the "black cloud", the SDP provides for two components: a host and a controller. The host can initiate a connection, or the host can accept a connection. These actions are managed by a controller through a control channel. As such, the control plane of the SDP architecture is separate