Department of Computer Science & Engineering

Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon Gyeonggi-Do 16419 Republic of Korea +82 31 299 4106 ahnjs124@skku.edu http://iotlab.skku.edu/people-Ahn-Yoseop.php

Department of Computer Science & Engineering

Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon Gyeonggi-Do 16419 Republic of Korea +82 31 299 4957 +82 31 290 7996 pauljeong@skku.edu http://iotlab.skku.edu/people-jaehoon-jeong.php

School of Electronic Engineering

Soongsil University 369, Sangdo-ro, Dongjak-gu Seoul 06978 Republic of Korea younghak@ssu.ac.kr

Network Management Internet Research Task Force Internet-Draft This document presents an integrated framework for automated security management in 5G edge networks using the Interface to Network Security Functions (I2NSF) architecture. The proposed system leverages Intent-Based Networking (IBN) to allow users or administrators to declare high-level security intents, which are translated into enforceable network and application policies. Network-level policies are delivered to 5G core components via the Network Exposure Function (NEF), while application-level policies are enforced directly on a User Equipment (UE) through distributed IBN Controllers. This architecture supports adaptive, context-aware, and distributed policy enforcement, enabling real-time response to dynamic edge conditions and user mobility scenarios such as handovers. By integrating closed-loop monitoring and analytics, the system ensures consistent and autonomous security across heterogeneous 5G environments.

Network softwarization has become a fundamental approach for delivering network services across various infrastructures, including 5G mobile networks , cloud computing platforms, and edge computing environments. This paradigm is enabled through key technologies such as Network Functions Virtualization (NFV) and Software-Defined Networking (SDN) . In addition, Intent-Based Networking (IBN) serves as a foundation for implementing intelligent behaviors in both network-level and application-level services. As networks continue to evolve in this software-driven direction, the emergence of 5G introduces new challenges, particularly in the realm of security. As mobile networks evolve toward 5G, the increasing complexity of network functions and the widespread deployment of edge devices such as IoT nodes, user equipment (UE), and application functions (AFs) introduce significant challenges to existing security models. These environments are inherently dynamic, heterogeneous, and latency-sensitive, making it difficult for traditional rule-based configurations, which are typically static and manually managed, to respond effectively to changing conditions. In particular, security operations at the edge require more contextual awareness, automation, and adaptability than ever before. Intent-Based Networking (IBN) provides a promising paradigm to meet these requirements. It enables operators or users to declare high-level goals, or intents, which the system can automatically translate into enforceable security and network policies . These policies may range from abstract service-level objectives to fine-grained access control rules. By automating this translation and enforcement process, the network gains the ability to respond autonomously to operational demands without requiring manual intervention. This model supports closed-loop control, where real-time feedback mechanisms continuously refine and adapt system behavior based on evolving context and intent. This document defines an intent-based framework for edge security management in the context of 5G systems. The framework builds upon the service-based architecture (SBA) defined in 3GPP 5G and beyond, and introduces a layered approach that includes intent translation, policy generation, enforcement, and monitoring. It integrates seamlessly with existing 3GPP network functions such as the Policy Control Function (PCF) , Access and Mobility Management Function (AMF), Session Management Function (SMF), and Network Data Analytics Function (NWDAF) . The aim is to deliver scalable and adaptive security control across heterogeneous edge domains through policy-driven orchestration. Furthermore, the framework is designed to support mobility scenarios, including handovers between gNBs and session migration across multiple User Plane Functions (UPFs). By dynamically enforcing intents on the edge, the system maintains consistent and context-aware security postures even in the presence of mobility events. This capability improves network resilience and responsiveness and provides a foundation for secure, automated, and intelligent 5G services. The proposed framework also aligns with long-term goals of zero-touch security, AI-driven orchestration, and intent-based policy automation within future mobile network infrastructures.

This section provides definitions of the key terms and concepts used throughout this document. The terminology is intended to establish a common understanding of the architectural elements, interfaces, and operational principles discussed in the context of intent-based security management in 5G networks. These terms are used to describe 5G Network automation based on the Intent-Based Networking (IBN) and Interface to Network Security Functions (I2NSF) framework. Intent: It refers to a set of operational objectives and expected outcomes that a network is expected to fulfill, expressed in a declarative manner without specifying the implementation details or the exact procedures to achieve them . Intents can be represented using XML or YAML formats, and may be delivered to the target components through protocols such as NETCONF , RESTCONF , or via standard REST APIs . IBN User Function (IUF): The IUF is typically accessed via a web-browser interface, which allows Mobile Object administrators to input network intents for the IBN Control Function (ICF). These intents serve as strategic objectives that guide the generation of security and network policies within the system. IBN Control Function (ICF): The ICF operates as a core component of the I2NSF architecture deployed within the 5G network. It is responsible for managing and orchestrating security enforcement functions by both translating the intents from the IUF into actionable policies, and selecting appropriate 5G Network Functions (NFs) for their execution. Developer's Management Function (DMF): The DMF is a component within the Interface to Network Security Functions (I2NSF) framework that acts as a provider of Network Security Functions (NSFs). It is responsible for registering the capabilities of these NSFs with the Security Controller, essentially making them available for use in enforcing security policies. Security Control Function (SCF): The SCF strengthens network security by generating low-level policies to modify and supplement the network configuration based on the delivered network policy and delivering them to the relevant individual NFs. Security Data Analytics Function (SDAF): THE SDAF collects and analyzes monitoring data to verify whether the policies generated based on intents have been properly enforced by the network security functions, and to evaluate the performance and functionality of the security services. Network Security Function (NSF): The NSF is a network security function that provides actual security services based on policies generated based on the user's intent. It actually executes security tasks such as blocking or allowing traffic based on the policy delivered from ICF.

This section defines a comprehensive framework for 5G security management automation by introducing its essential components and explaining how each of them is designed to interconnect with functions in the 5G core networks . The framework is grounded in intent-based networking principles, which enable high-level user or application intents to be automatically translated into actionable policies. These policies are then enforced and monitored across both the core and edge domains without requiring manual intervention. As 5G networks become more distributed and support a growing number of latency-sensitive services and heterogeneous devices, traditional static security mechanisms struggle to cope with the dynamic nature of threats and the scale of real-time traffic. Manual configuration is no longer feasible in such environments, making automated security orchestration essential to maintain consistent protection, reduce response time, and minimize human error. To realize this, the framework leverages a set of I2NSF-based functional modules that collectively support policy translation, enforcement, and real-time monitoring. By integrating these components into the 5G architecture, the system enables scalable, adaptive, and context-aware security operations tailored to the needs of dynamic and heterogeneous edge environments.

illustrates a 5G edge security service architecture based on the I2NSF framework , implemented as an Intent-Based System (IBS). An intent-based management strategy is required between the 5G Core network and distributed edge domains to enable the autonomous configuration and security enforcement of edge functions such as User Equipment (UEs), as described in the IETF draft on intent-based network management automation. On the right side of the architecture, the AFs for Security Services represent application-layer functions that initiate and manage high-level security intents. These functions serve as the interface between external users or applications and the intent-based security system. This service is composed of several key modules, including the Intent-Based Use Function (IUF), the Intent Control Function (ICF), the Security Control Function (SCF), the Developer's Management Function (DMF), and the Security Data Analytics Function (SDAF), which collectively support intent interpretation, policy translation, enforcement, and monitoring across the network. The security intent generated by the Intent-Based Network Use Function (IUF) is first interpreted as a high-level objective reflecting the desired behavior of the network or specific applications. This intent is then processed by the Intent-Based Network Control Function (ICF), which plays a central role in translating the abstract intent into concrete policies. Through this translation process, two distinct types of policies are created: a network policy, which governs how the underlying network should behave (e.g., traffic routing, filtering, or QoS enforcement), and an application policy, which defines how specific applications or devices should operate under given security constraints. Once these policies are generated, they are delivered to the 5G Core Network via the Network Exposure Function (NEF). The NEF serves as the gateway between external application functions and the internal control plane of the 5G Core. To support flexible deployment and orchestration, these components can be implemented as containerized microservices and managed using Kubernetes. By passing the policies through the NEF, the system enables relevant 5G Core components such as the Policy Control Function (PCF), Session Management Function (SMF), and Access and Mobility Management Function (AMF) to enforce the translated policies in real time. This ensures that the original user or service intent is consistently and dynamically applied throughout the network.

This testbed demonstrates a use case where high-level user intents are automatically translated into enforceable network and application policies. Leveraging the I2NSF (Interface to Network Security Functions) framework and deployed on the free5GC platform, this architecture enables automated, intent-driven security management that reduces the reliance on manual configuration and static rule sets. The system is designed to support distributed policy enforcement by integrating key I2NSF components such as the Intent-Based Networking Use Function (IUF), Intent Control Function (ICF), Security Control Function (SCF), and Security Data Analytics Function (SDAF). These components work collaboratively to process intents, generate appropriate policies, and enforce them dynamically across both the core network and the edge.

shows the procedure for 5G Edge Security Management Automation, specifically illustrating the creation of user intents and the generation of corresponding network policies and application policies. The process begins when a user or administrator expresses a security-related intent via the IBN Use Function (IUF). This intent, representing a high-level goal such as restricting access to certain websites or monitoring device behavior, is passed to the IBN Control Function (ICF). The ICF, equipped with an Intent Translator, converts this intent into both network-level and application-level policies. The translated network-level policies are forwarded through the router to the 5G Core's Network Exposure Function (NEF) , while the application-level policies are delivered directly to the User Equipment (UE). This enables consistent policy enforcement from the core network to the device edge.

illustrates the procedure of how the intent-driven network policies and application policies are applied across both the 5G core network and user equipment. These policies are then propagated throughout the 5G network to support coordinated and consistent security enforcement. Network-level policies are distributed to core network functions , where they help guide the overall behavior and resource allocation of the system in alignment with the user's intent. At the same time, application-level policies are delivered to various user devices, such as smartphones and IoT nodes, which have embedded controllers capable of interpreting and enforcing the received policies locally. This allows each device to autonomously adjust its behavior according to the defined security or operational requirements. In parallel, network-based security functions are also engaged to apply the necessary controls, such as access restrictions or traffic filtering, ensuring that both the core and the edge of the network operate securely and in harmony with the original intent. This distributed approach enables flexible, scalable, and adaptive policy enforcement across the entire mobile network environment . To support adaptive security validation, each user equipment's IBN Controller periodically generates monitoring reports based on local policy enforcement status. These reports are sent to the Security Data Analytics Function (SDAF), which analyzes the monitoring data to evaluate whether the applied policies are effectively enforced. All collected data is stored in a centralized Monitoring Data Storage module, enabling real-time policy validation and historical auditing. The related steps are as follows: Steps 1-2: An intent is sent from an application within the 5G Core to the IBN Control Function (ICF), where it is translated into network and application policies. This marks the beginning of intent-driven automation for security management. Step 3: The network policy is delivered via the NEF to relevant 5G Core functions and connected security components. These components then prepare for the enforcement of the policy. Step 4: The application policy is sent to the IBN Controllers on target user devices. This allows the devices to receive instructions without direct user intervention. Step 5: Each device applies the policy to adjust its settings and behavior. The changes take effect locally to reflect the system-wide intent. Step 6: Devices monitor their own status and send relevant data back to their IBN Controllers. This ensures continuous awareness of policy impact at the device level. Step 7: The IBN Controllers compile and forward the data as monitoring reports. These reports provide a basis for evaluating the effectiveness of the applied policies. Step 8: The reports are analyzed to check if the policies are working as intended, and the results are stored for future use. This completes the feedback loop that enables adaptive policy refinement. Through this process, the system enables intent-driven security management that spans from core network functions to individual user devices. By translating high-level intents into enforceable policies and continuously monitoring their effects, the architecture supports real-time adaptation to network conditions and user behaviors. This ensures that security enforcement remains consistent, context-aware, and autonomous throughout distributed edge environments. Moreover, the closed-loop structure provides a foundation for scalable and self-optimizing policy management, which is essential for future 5G edge-native networks. Also, the proposed system extends the core components such as the Intent-Based Networking Use Function (IUF), Intent Control Function (ICF), and distributed enforcement modules to operate in tandem with the handover procedures defined in 3GPP specifications. This helps keep security consistent and smart across the edge network where quick response and local control are especially important. This approach can also be applied to mobility scenarios where intent-driven security policies need to dynamically migrate and be re-enforced as User Equipment (UE) transitions between gNBs.

In the context of intent-based edge security management in 5G networks, several important security aspects must be considered to ensure robust and trustworthy system behavior. One key concern involves the potential for malicious manipulation of user intents. Since intents are high-level expressions of user goals that drive the automated generation of network and application policies, any unauthorized alteration could lead to unintended or insecure outcomes. Ensuring that each intent originates from a trusted source and is protected by integrity validation mechanisms is therefore essential. Another important consideration is the accuracy and reliability of the policy translation and enforcement process. When translating abstract intents into concrete policies, the system must preserve the user's original intent without introducing misconfigurations or inconsistencies. Incorporating validation checks and feedback mechanisms helps to ensure that policies are correctly interpreted and consistently applied across the network. To further enhance this process, deep learning techniques can be employed to detect anomalies, learn from past policy enforcement outcomes, and adaptively improve the translation logic based on contextual patterns and historical data.

This document does not require any IANA actions.

This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea Ministry of Science and ICT (MSIT) (No. RS-2024-00398199 and RS-2022-II221015). This work was supported in part by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea Ministry of Science and ICT (MSIT) (No. IITP-2025-RS-2022-II221199, Regional strategic industry convergence security core talent training business).

This document is made by the group effort of NMRG, greatly benefiting from inputs and texts by (Futurewei), (Daejeon University), and (Dong-Eui University). The authors sincerely appreciate their contributions. The following is the coauthor of this document: Department of Computer Science & Engineering

Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon Gyeonggi-Do 16419 Republic of Korea +82 31 299 4106 rna0415@skku.edu http://iotlab.skku.edu/people-Moses-Gu.php