Design of a Security and Trust Framework for 5G Multi-domain Scenarios

With the expansion of 5G networks, new business models are arising where multi-tenancy and active infrastructure sharing will be key enablers for them. With these new opportunities, new security risks are appearing in the form of a complex and evolving threat landscape for 5G networks, being one of the main challenges for the 5G mass rollout. In 5G-enabled scenarios, adversaries can exploit vulnerabilities associated with resource sharing to perform lateral movements targeting other tenant resources, as well as to disturb the 5G services offered or even the infrastructure resources. Moreover, existing security and trust models are not adequate to react to the dynamicity of the 5G infrastructure threats nor to the multi-tenancy security risks. Hence, we propose in this work a new security and trust framework for 5G multi-domain scenarios. To motivate its application, we detail a threat model covering multi-tenant scenarios in an underlying 5G network infrastructure. We also propose different ways to mitigate these threats by increasing the security and trust levels using network security monitoring, threat investigation, and end-to-end trust establishments. The framework is applied in a realistic use case of the H2020 5GZORRO project, which envisions a multi-tenant environment where domain owners share resources at will. The proposed framework forms a secure environment with zero-touch automation capabilities, minimizing human intervention.

as there are not enough trust models in 5G networks [7]. The reasoning behind this is that trust is a dynamic concept that should be continuously adapted to new requirements, technologies, and enforcement environments, with 5G ecosystems being an area where trust models will be fundamental in maintaining end-to-end security and trustworthiness connections among stakeholders; for instance, enabling a trustworthy Network Slice Orchestration across multiple domains [8] or building cross-domain trust in software-defined 5G networks [9].
To cope with these challenges, new security and trust mechanisms should be introduced to implement full isolation in network slices as well as prevent unauthorized and malicious entities from accessing the 5G infrastructure. Moreover, apart from the 5G infrastructure, the mechanisms should cover multi-domain scenarios, where each domain is specified according to the administrative point of view, i.e., the group of resources belonging to a specific resource owner. Hence, multi-domain scenarios tightly combine the set of resources of a given domain with another set of resources from another domain. Specifically, the variety of communication mechanisms and protocols that are used in the different segments of the 5G infrastructure, as well as the multi-domain environments, requires advanced detection techniques that can interpret the control and data plane commands, and distinguish the legitimate from the malicious ones.
With the goal of improving the previous challenges, this article proposes a novel framework for increasing the security and trust levels of the 5G infrastructure, shared by diverse multi-tenant network slices. Concretely, this framework is developed following the security and trust approach by the H2020 5GZORRO project [10]. 5GZORRO aims to design and build a security and trust framework to validate zero trust principles in distributed multi-stakeholder environments [11]. Besides, such a framework will be integrated with 5G service and resource management platforms, along with distributed ledger technologies and zero-touch automation solutions, to boost a flexible and secure composition of 5G networks. Therefore, this solution includes detection and protection schemes for each domain as well as the 5G network infrastructure. These schemes are sets of policies designed to enhance the resilience of both intra-and inter-domain environments against the possible cyberattacks suffered, guaranteeing a prompt response to incidents. To identify the main detection and protection schemes to be applied, a thorough threat model covering the threat landscape of multi-tenant 5G networks is required, being considered not only security but also trust threats. The proposed framework combines different mechanisms for network security monitoring, threat investigation, and end-to-end trust establishments in multi-domain and multi-tenant environments. As well, this work also contemplates essential trends such as zero-touch automation [12], to minimize human intervention, and zero trust [11], to downsize the attack surface by means of the trust model. In the end, the feasibility of the framework has to be demonstrated in existing multitenant use case scenarios and workflows, in which it allows the establishment of trustworthy 5G-enabled network slices (service layer, network function layer, and infrastructure layer). In this sense, the contributions of this article are as follows. threats. This threat model is divided into two different threat sets: a first one reporting threats that affect the trust relationships among network entities; and a second set reporting the security threats related to the different logical levels and components in 5G networks. By means of this threat model is boosted the need of solutions that enhances security and trust procedures in multi-tenant 5G networks. • A novel framework that increases the security and trust levels of multi-tenant 5G networks. This framework follows a modular architecture composed by three components: the trust management module, which monitors, evaluates, and updates the trust chain generated among the different network entities; the intra-domain module, which monitors the domain network looking for potential threats or ongoing attacks, mitigating them if needed and possible; and the inter-domain module, which manages the security of the link connections with resources located at a third party's premises. • A use case showing the framework application in an existing multi-tenant scenario based on the H2020 5GZORRO project. This use case is drawn as a real workflow of multi-domain interactions for resource leasing, detailing where the security and trust framework can be applied to ensure the selection of a reliable third-party provider and the resources involved, and a secure end-to-end network slice establishment. • A discussion and comparison of the most recent security and trust frameworks found in the literature. From this comparison, a set of trends and challenges is extracted as guidelines for future work in the area, indicating the key questions to be considered to enhance the current state-of-the-art.
The rest of the paper is organized as follows. Section 2 provides a literature review of the existing security and trust models. Section 3 illustrates a threat model for multi-tenant 5G domains and Sect. 4 presents the framework that tackles the identified threats as well as increases the security and trust level in the 5G infrastructure. Moreover, Sect. 4 also demonstrates the application of the framework to existing multi-tenant scenarios. Section 5 discusses the challenges that are faced when applying the framework to such scenarios and links these challenges to standardization initiatives. And finally, Sect. 6 provides a summary of the article contributions as well as open perspectives for future work.

Current Security and Trust Models
Telecommunication Networks are a continuously developing field that needs to be kept up to date to cover novel security and trust requirements. The arrival of 5G networks has encouraged the emergence of new designs and technologies, as well as their associated properties and requirements. The previous security and trust models have become partially obsolete, and therefore, they require an iteration to adjust them to the new challenges brought by the 5G networks. Thus, this section performs a thorough review of trust models and/or trust management frameworks' state-ofthe-art. Table 1 summarizes the most meaningful ideas of each proposal.
Such is the importance of security and trust models in future Telecommunication Networks that not only 5GZORRO [13] is a research project focused on addressing this area. 5G-ENSURE [14] developed a trust modeling platform for 5G networks in the context of operators sharing their network resources. 5G-ENSURE involved partners defined trust as a decision to accept (or not) risks arising from one or more threats by means of their Trust Builder tool. Another EU research project focused on trust establishment is INSPIRE-5G Plus [15]. Its project consortium is working on an automated end-to-end security management framework that allows not only protection but also trustworthiness in managing 5G cross-domains scenarios. In a similar vein, MonB5G [16], another EU's Horizon 2020 research and innovation project, centers on zero-touch slice management and orchestration to ensure end-toend cross-domain Service Level Agreements (SLAs). In addition, it also empowers both Artificial Intelligent (AI)-assisted policy driven security monitoring and trust mechanisms for trustworthy and secure cross-domain operations. These are just some of the more recent research projects focused on modeling security and trust in 5G networks, but they are the drivers that intend to start the long road ahead in this area. Nevertheless, not only EU research projects are interested in building trust for 5G networks, the National Science Foundation via Secure and Trustworthy Cyberspace (SaTC) proposal is encouraging the generation of future projects that investigate frameworks and models for trust in computing environments, considering zero trust architectures and interpreting trust as a transparency and accountability mechanism [17].
One of the paramount rules in trust models is to guarantee that user data is trustworthy, and consequently, they are not biased since could be an indication that a trust model is receiving unrealistic recommendations, or in other words, is suffering from a collision attack. In [18], Jayasinghe et al. designed a hybrid trust framework that enabled them to assess user trust and data trust separately. This approach arose from existing literature models, that do not necessarily guarantee the trustworthiness of data. The main trust sources used to evaluate user trust and data trust are direct trust, from previous knowledge, and indirect trust, from experience and reputation. To discover those trust relationships, the authors utilized a data schema based on collaborative filtering, which allowed identifying misbehaving entities' data. Even though the authors proposed multiple IoT implementation scenarios, they did not carry out any experiments to check framework performance.
Regarding IoT scenarios, other authors also contributed to the improvement of trust models and/or trust management frameworks such as [19][20][21]. First, Fernández-Gago et al. introduced in [19] a dynamic trust model which helped to overcome the lack of certainty in IoT scenarios by means of trust, privacy, and security requirements. In order to develop their framework, the authors presented a 4-layer architecture that covered paramount phases of conventional trust models. At the bottom, the scenario layer identified enforcement IoT contexts. Then, the requirement layer detected crucial functional and non-functional requirements related to the context, following the service layer included services such as interoperability, dynamicity, and evolution of trust model. And finally, the trust layer included services packaged  [20] certain guidelines to create a trust evaluation framework for distributed IoT system management. Like the previous proposal, this framework was composed of multiple parts, specifically six core components. The authors of [20] pointed out a threat model, which considered common trust attacks, a feedback rating component, which gathered and calculated feedback scores based on experiences, and a trust model, which contained algorithms to compute a final trust based on feedbacks. In addition, the authors incorporated a decentralized technology like blockchain which supplied not only security through transaction encryption but also integrity by means of immutable records. Nevertheless, this approach was only a vision of Trust as a Service (TaaS), and hence it is a methodical approach. Last, Awan et al. addressed in [21] an important research into cross-domain trust management for IoT ecosystems. Due to the low capacity of IoT devices, the authors split domains into multiple communities based on similarities and interests. Each community had an architecture based on three central authority servers: (i) the domain server to guarantee a security domain, (ii) the community server to ensure intra-and inter-domain communications and to reduce threats, and (iii) the trust server to manage trust values and to assess trust scores. Regarding trust, this article leveraged a reputation-based trust approach, which was composed of direct trust (from previous interactions) and indirect (from recommendations) trust parameters. Furthermore, trust management was interpreted as a continuous and dynamic process due to trust changes over time, and therefore, either nodes or server updated and shared trust values between the community or the domain, depending on node's interaction. Accordingly, the authors carried out a theoretical investigation, through these three-layer security servers plus trust scores of each node, to finally propose a secure and trustworthy system considering the performance of IoT resource-constrained devices. Apart from IoT scenarios, where trust models are thoroughly applied, other conventional areas such as cloud environments and network scenarios are considering trust as a paramount mechanism. First, Uikey and Bhilare worked on an innovative role-based access control model based on trust management [22], which could be employed in cross-domain cloud environments. In this case, trust is calculated from direct experiences and recommendations, being features of both dimensions stemming from a set of security policies. Additionally, the framework introduced two trust evaluation mechanisms, depending on single or multi-domain establishment. Note that this approach computed two trust scores when an entity established a multi-domain relationship, one assessed from its own domain and another from the new domain. In the end, the authors contrasted the performance of access control model-based trust management against traditional Role-Based Access Control (RBAC) models [23], providing the former a higher success rate. In [24], the authors analyzed the trustworthiness of user's feedbacks to ensure accurate evaluations through identifying Sybil and collusive attacks. Thus, the main objective of this approach is to analyze the credibility of the feedback. The authors developed a Cloud Broker (CB) which helped the user to select the best Cloud Provider. CB is an intermediate entity between the 7 Page 8 of 35 user and the provider which receives user's feedback and contains a malicious filter, which analyses the feedback to discover previous attacks. In that sense, the authors established several own algorithms to find the attacks, where the conducted experiments depicted that the framework achieved an 89-95% success rate when malicious feedbacks were detected. Besides, the framework reduced high job failure rate as well as associated cost loss to the user in a cloud environment.
Second, Burikova et al. contemplated in [25] trust as a trust mechanism capable of improving certain absences in network environments. The authors aimed at covering the lack of trust between the Software Defined Network (SDN) controller and the network management applications, since this absence may provoke key security concerns in SDNs such as malicious traffic or an infected asset. Thus, they proposed a framework to establish and manage trust between the OpenFlow controller and the applications. The framework was composed of five crucial components: identity management modules, trust module, trust database, access control decision module, and dynamic monitoring and evaluating module. Regarding the trust module, they only considered direct trust, what was generated from reputation, operational and information risks, and privacy level. Besides, they proposed three zones (critical, surveillance, and trusted) where the tasks would be executed regarding their trust scores and the decision from the access control module. To this end, the authors developed a dummy controller, but they didn't produce any performance or accuracy results in their framework. Like [25], Yao and Yan also considered in [26] trust as a key element to be applied on SDNs. The authors leveraged trust to design a management framework that allowed evaluating applications' trust values. The main objective of this trust framework was to mitigate conflicts with utilization policies as well as discover attacks. The framework was mainly divided into two modules: Network Performance Monitor (NPM) and Trust Evaluation module (TE). The NPM module monitored network performance through flow rules issued by different applications, and then, monitoring data were labeled and sent to the TE module. This latter module calculated a final trust score from previous evaluations, current monitoring data, and controller's feedback. After weighing these values, the TE sent a final score to the control and data plane. Lastly, the simulated experiments (Mininet and Open-Flow) showed that the trust framework was effective, because trust evaluations needed less than 10 ms, and was accurate, since it can assess positively an application trust through adjusting parameter weighting based on each scenario.
Another enforcement of trust was contemplated by Li et al. in [27], who determined trust degrees of blockchain nodes to select a set of nodes with powerful communication skills and high trust scores. Thus, the trust value was defined by the credibility of the data held by a node and the stability of the node when regarding the data provided by other nodes. In order to carry out the node selection, they leveraged an integrated factor communication tree (IFT) algorithm. First, this algorithm sorted nodes from the largest to the smallest communication link values, and then, the nodes were again sorted by the trust degree value. After that, the authors defined three thresholds that allowed classifying nodes such as honest, free-ride, and malicious. Finally, they simulated multiple experiments that depicted this approach as reproducible and effective, as long as blockchain-based communication contained well-equipped nodes to cover the power capacity. In the same way, trust can be employed for end-to-end connectivity management and orchestration.
In the same research area, Suomalainen et al. proposed in [28] an adaptable and expandable framework for trust measuring and security control in 5G networks. This framework was based on a Trust Level Agreement (TLA) mechanism for sharing near real-time security awareness in multi-domain scenarios. The TLA mechanism was implemented by a trust metric enabler that allowed establishing trust communication following four easy phases. First and foremost, the trust metric enabler monitors the network for significant security events and measurements. In the case of security events, the trust metric enabler defines a set of services running on network slice, and for each one, it establishes a maximum and minimum level to measure its events associated (i.e., traffic statistics and authentication events). Second, a client requests a slice from the enabler, which will determine whether such the slice fulfills the client's trust demands. After that, the client and the service provider agree on using a given trust slice, and they establish a secure tunnel for communication. Finally, the trust metric enabler continues to acquire network information in order to notify the client about possible risks. This approach was covered by the 5G-ENSURE project [14], where a testbed composed of IoT devices and a video streaming application was used as the enforcement scenario.
In the light of the state-of-the-art proposals, no solution has been identified that allows not only to establish an end-to-end trustworthiness relationship in multitenant and multi-domain scenarios but also to contemplate security aspects, for instance, detecting operational and cyber-security threats from monitoring networks communications and guaranteeing privacy and integrity of cross-domain communications. In this vein, the security and trust framework design proposed in Sect. 4 endeavors to fill the above gaps identified in the literature solutions. Table 1 is summarizing the different research papers previously introduced and discussed, together with relevant indicators that define each proposal, thereby allowing a comparison between the diverse security and trust model approaches analyzed.

Multi-domain Threat Model
In modern multi-domain network scenarios, such as the one enabled by 5G, new security threats arise associated with the distributed nature of these environments, in addition to the already existing in earlier networking paradigms. Besides, modern technologies developed to deploy 5G networks (new SDN/NFV capabilities, cloud RAN, etc.) also bring new security threats to deal with. In addition, the interaction process between entities also carries a series of trust threats, threats that are more abstract than those related to security issues, but which can make entities interactions unfruitful for them.
The set of threats described in this section comes from two different perspectives, a first one related to multi-tenant trust relationships where each side has its own interests, and a second one aligned with the current security problems associated with distributed environments and their technologies. Despite the fact that the trust and security threats described below may mostly be associated with intra-and inter-domain scenarios, we want to contextualize them in a multi-tenant and multidomain environment since this is the basis for 5G scenarios [29]. It should be noted that the multi-domain threat model described in this section has been considered as a motivation to design the security and trust framework proposed in Sect. 4, and consequently, it does not endeavor to cover all of them.

Threats in Multi-tenant Trust Relationships
When two or more entities interact in a network scenario under a business relationship, mutual trust is one of key factors in making a satisfactory relationship for all parties. Therefore, the trust level can influence such critical aspects as to whether a service is consumed or not, enabled actions, its price, etc. Therefore, malicious entities can try to jeopardize this trust for their own benefit, affecting the revenue of legitimate entities.
Traditionally, trust relationships have been ordinarily derived from the use of trust models. Even though such models have been continuously evolving, they are not exempt from being affected by multiple threats. In this regard, a security and trust framework ought to consider and address the potential threats to trust in these multitenant environments, ensuring their proper functioning. Despite the set of conventional trust threats is very widespread and even dependent on the context and design decisions of each trustworthiness framework, we have gathered a subset of threats related to multi-tenant scenarios. Thus, the most well-known threats related to trust are identified in these scenarios together with possible mechanism to be addressed: • Trust privacy and secrecy. Normally, the trust value that an entity gives to another one is not published since the revelation of that value to the other parties can affect the trust relationship between the entities, as it can be asymmetrical (entities give different trust values to each other). • Subjectivity. Trust is a subjective concept by nature, different entities might give different trust values to the same relationship based on their different criteria. This aspect is greatly influenced by indirect trust, coming from non-deterministic aspects such as reputation. In order to tackle the subjectivity issue, a solution might be to derive personalized trust values based on a comparison of users' trust attitudes [30], another one might be not to consider an absolute score but a standard score (z-score), or as a percentile [31]. • Credibility. The believability of data content or recommendations by trustees is another conventional risk linked to trust models. Usually, credibility involves veracity, objectivity, observational sensitivity, and self-confidence [32], and it is regularly measured by the level of uncertainty [33]. • Bad-mouthing attack. It is often associated with trust models that contemplate recommendations or feedback. This attack intends to dwindle the trustworthiness of honest entities and/or increase the trustworthiness of untruthful entities by means of deceptive recommendations, feedback, or votes [34]. • On-off attack. In this case, a misleading entity has a split personality. First, when an attacker has a low trust level, it behaves honestly to grow its trust score over a period. Then, once the attacker gets into a certain trust level, it adopts a deceptive behavior until the trust score returns to a low level [35]. • Conflict behavior attack. This attack occurs when the attacker is capable of providing different trust recommendations in different domains or times. In this sense, attackers cause conflicts with usual entities since they damage the confidence in recommendations of honest users [36]. • Collusion attack. It is a joint attack where a group of attackers selects a target on which to focus their dishonest recommendations [37]. Consequently, they control the trust value for the target through a set of negative recommendations, in an organized and orchestrated manner, so that an honest entity would see its trust score dwindled. • Sybil attack. This attack is performed by malicious entities which intend to control the reputation of other honest entities involved in trust model in order to influence their trust estimations. By means of this attack, an attacker may take multiple bogus identities to steer certain actions from an honest entity, for instance, the redirection of network traffic toward a spiteful entity for performing exploitations [38].
As it can be appreciated from the previous list, there are many type threats that might affect trust from different perspectives. For that reason, solving or mitigating the existing threats is a critical issue when it comes to creating a properly functioning network environment, so that the potential malicious elements are clearly differentiated from the legitimate ones. Moreover, in the 5G-enabled distributed environments, these threats suppose an even higher risk to the environment, as the multiple network elements deployed are controlled by different decentralized entities, which prevent their unified management when trying to mitigate the threats. In this context, it is essential to develop new trust frameworks that take into account the trust threats in modern networks, and to make use of state-of-the-art technologies, such as Machine Learning (ML) and Deep Learning (DL), to mitigate and address these threats. In particular, this paper intends to address the collusion attack and the Sybil attack in spite of the fact that we do not currently have a definitive approach to tackle them. Furthermore, the other threats described above are intended to be covered in future iterations to introduce a robust and secure framework to the community.

Threats in Multi-tenant Network Environments
In 5G networks, it is usually necessary to combine network infrastructures located at different domains to reach the required Quality of Service (QoS) targets, thus creating multi-tenant network environments. These environments are mostly enabled by network slicing solutions. Nevertheless, network slicing carries its own security threats, as slices are formed by leveraging different parts of the 5G infrastructure. Each network part is subject to specific Tactics, Techniques and Procedures (TTPs) for interrupting its normal behavior. We hereby detail the TTPs that are relevant for each 5G network part: • Core: SDN and NFV mechanisms (e.g., controllers), together with the Management and Orchestration (MANO) and Virtualized Infrastructure Manager (VIM), are exposed to remote access threats [39]. These threats normally are manifested when malicious users exploit a given vulnerability that provides remote access for maintenance and troubleshooting. This remote management is especially useful for components that are situated in distant and harsh locations. Additionally, an adversary can alter the settings of MANO or compromise the isolation between network functions. Sometimes, network slicing implementation or the absence of proper isolation mechanisms can lead to malicious infiltration in tenant slices. Malicious users may cause resource exhaustion as well as sensitive data disclosure [40]. • Access network: The insecure nature of 5G radio access systems may lead to frequent Address Resolution Protocol (ARP) poisoning attacks [41]. In such attacks, the adversary tries to associate its MAC address with the IP address of a legitimate 5G component, causing any traffic meant for that IP address to be sent to the attacker instead. Another significant threat to the 5G access network is radio flooding [42], occurring when transmission of data requests is sent to exhaust resources. This can subsequently lead to a reduction or even a complete shutdown of the radio resources provided by the component. • Transport network: The transport part of 5G networks is where the main data exchange occurs, and it is supported by backhaul solutions. These solutions include satellite, fiber optics, micro-waves, Ethernet, and wireless communication. Usually, TLS is used to encrypt the exchanged data, however, recently discovered vulnerabilities (i.e., CVE-2020-1596) in the TLS hash algorithms can be leveraged to decrypt the original TLS traffic and eavesdrop on the enclosed information [6]. • Multi-access edge computing (MEC): The use of MEC platforms can offload part of the processing to improve latency and performance as they are deployed closer to the User Equipment (UE), in base stations. However, adversaries often use MEC platforms as a further attack vector that can be flooded with a request or directed traffic. Furthermore, MEC platforms usually employ APIs to interface resources and services, such as gateways, sensors, or actuators [43]. Since these APIs are open, they may be exploited by adversaries to gain access to the MEC platform.
Mitigating each of the above threats is vital for a proper 5G infrastructure operation, and hence no prioritization among them is considered. For successful detection and prevention, the system should consider a sequence of actions that Fig. 1 Multi-tenant environment attack phases and associated steps are followed by adversaries when performing their attack. These actions are illustrated in Fig. 1.
Specifically, attack actions are divided into two distinct phases. The first one concerns the cyber intrusion preparation for initial access to the 5G network, and the second phase refers to the attack development as well as its execution on the multitenant environment. The first step has the purpose of eavesdropping information [44] about the system, learning its behavior (Reconnaissance in Fig. 1) and developing methods to evade internal perimeter protections or security mechanisms, in order to gain access to the 5G infrastructure (Delivery). This usually involves potential inefficiencies that are leveraged as entry points to the 5G infrastructure (Exploitation) as well as communicating to external servers the information about the victim, and also download from them attack data (C2 Communication). As an example, an adversary can penetrate the enterprise network, eavesdrop on 5G connections, and use potential inefficiencies as entry points to the 5G infrastructure. Inefficiencies are often exposed by architectural complexity.
The second phase in Fig. 1 seeks to cause interruption of the multi-tenant environment normal operation. As each 5G infrastructure uses its own communication protocols and commands for controlling the system operation, an adversary requires this phase to cause a meaningful impact on the system. Such impact is caused by developing the attack (Attack Development & Tuning in Fig. 1) and validating it on similar or identically configured systems (Validation). This is usually a long-lasting period and during its course, the adversary maintains access to the system. When the attack is fully developed and validated, it still has to be executed in the multitenant environment (Execution). Upon effective execution, the attack is considered as successful.
If an adversary manages to successfully execute the above sequence of attack actions, a direct impact on the creation of the multi-domain network slices can be caused. Therefore, a resilient security architecture should cover all the 5G infrastructure as well as the multi-tenant and multi-domain scenarios. In addition, the detection and protection mechanisms against sophisticated and zero-day threats [45] need the combination of new security solutions at various levels, both within an administrative (i.e., resource owner) domain as well as cross-domains (i.e., the interconnection with other domains).

Multi-domain Security and Trust Framework Design
As seen in the previous section, multiple security and trust threats may appear in a multi-domain network scenario. Thus, it is essential to produce a security and trust management framework capable of addressing these threats, leveraging prevalent state-of-the-art technologies and following a holistic approach.
Even though security aspects covered by multi-domain networks involve a wide variety of mechanisms and techniques that might be introduced in a generic framework, such as AAA (Authentication, Authorization, and Accounting), firewalling, detection and mitigation attacks, these are already well studied and addressed by other good practice approaches, as [46,47]. Hence, it is not considered within the 7 Page 14 of 35 scope of this paper. In the paper, the focus will be on addressing the issues related to the lack of security and trust models in the 5G ecosystem, as well as some ways for mitigating the effect of some threats mentioned above if they realize. Additionally, a real deployment scenario from the 5GZORRO ecosystem will be presented, and there the security and trust framework will be instantiated to showcase trustworthiness and a protected landscape.

End-to-End Security and Trust Framework
The security and trust framework, which will be used by the 5GZORRO platform, provides an innovative mechanism to orchestrate end-to-end trust establishment and secure communications, in multi-tenant and multi-stakeholder scenarios. The requirements dictate the way in which 5GZORRO platform will be conducting security and trust across domains, both at business level and at system level. The former entails identity and permissions management (IdM), security and trust policy definition, etc., while the latter brings secure connectivity with third party resource using Generic Routing Encapsulation (GRE) or Virtual Private Network (VPN), Virtual Trust Domain establishment based on Trusted Execution Environments, among others. These requirements are the ones that will determine the selection of defensive mechanisms. This section will also look into methods to assess and respond to potential vulnerabilities that intend to undermine the trusted execution of workloads, offloaded across multiple domains. In addition, this section also brings a transversal concept like zero-touch, which plays a key role in allowing the integration of the security and trust framework with existing solutions in 5G networks. The process automation leads in a certain way to guarantee a higher security and trust level in the processes and environments which is precisely covered by a crucial concept considered in our framework, the zero trust principle [11].
From a high-level point of view, the security and trust framework can be perceived as the composition of three distinctive modules: trust management, intradomain security, and inter-domain security (see Fig. 2). They intend to cover trustworthiness and ensure a protected environment where the 5GZORRO platform resides. Specifically, the Trust Management module increases the trust level of multi-domain environments, the Intra-domain Security provides a detection and protection layer inside each domain, and finally, the Inter-domain Security focuses on protecting communication channels between domains. Even though these modules are instantiated and deployed as separate entities, these modules may require Fig. 2 Overview of the security and trust modules information from other to carry out their activities. In this vein, the proposed framework leverages a back-end database (Data Lake) to share non-sensitive information that other modules can use through a publish and subscriber mechanism (Kafka). Next, the three modules are described thoroughly below.

Trust Management
The Trust Management module is responsible for establishing end-to-end trustworthiness across distributed environments belonging to different stakeholders, such as the ones proposed by the 5GZORRO project, service or resource providers and service or resource consumers. Trust is a key element when defining and establishing commercial relationships between two or more partners. The fact of trusting (or not) other parties influences which partners are chosen for business relations and under which conditions. Factors that can influence trust or the lack of trust are, for example, the presence of trust-based resources in the infrastructure, service access control, or sensitive information execution. Therefore, this is a paramount element when trading resources and services allocated at a third-party infrastructure, one of the main environments in which 5GZORRO operates.
The essential functionality of the 5GZORRO Trust Management module is to control the entire life cycle of trust establishment for relationships among different entities: from the selection of the information sources to be used to the algorithms for calculating and updating the trust values, and finally, the improvement of the current calculation models and mechanisms. Additionally, this module also gathers indirect trust information derived from the relationships between two external stakeholders and the one doing trust calculation, generating a trust link between stakeholders based on their shared commercial relationships and interactions. Another characteristic of the 5GZORRO Trust Management module is its commitment to a zero trust approach driven by the NIST [11]. Zero trust means that there is no implicit confidence granted to stakeholders, regardless of whether they are located under their own domain. Due to the fact that the proposed Trust Management module enables both intra-and inter-domain connections, zero trust plays a pivotal role to cope with probable entities within our organization that were attacked and are behaving inappropriately. In this regard, the zero trust principle is one of the utmost relevant in the trust area since trust by default may be one of the attack vectors. Considering the zero trust principle, the proposed Trust Management will not consider previous trust scores calculated as valid for establishing a new relationship between entities and will require a trust score to be calculated for any internal or external relationship establishment.
In this vein, the Trust Management module operates following four generic phases with a logical order, which will be described below. It is worth mentioning that Fig. 3 describes the interrelationships of how calculations are performed. Hence, the Trust Management life cycle will start in the Trust information source module that will begin a continuous trust information collection process from multiple available sources (see the left side of Fig. 4). Then, such information will be sent toward the Trust calculation module in which a trust score will be determined, taking into account the information gathered in the previous module as well as ML/DL algorithms. After that, the information collected in the Trust information source module and the information inferred from the Trust calculation module will be stored via the Trust results and evidence storage module so as to keep track. Finally, the Trust level update module will be triggered to detect certain events which imply a trust score recalculation.

Trust Information Source Module
The initial phase concerns information gathering from trusted sources. This is a fundamental step that will have a direct impact on the next trust model phases, and on the produced output. In that sense, the Trust Management module ought first to find what are the available information sources. For the 5GZORRO ecosystem, there are multi-tenants and multistakeholders that make use of Smart Contracts (SCs) and SLAs, which are based on Distributed Ledger Technologies (DLT). Moreover, the SLAs are used to track breaches based on the initial SC agreements. These smart contracts are in turn stored in a secure and immutable network (DLT) that can be consulted by any 5GZORRO stakeholder. In this ecosystem, there are three main sources for trust calculation, depicted at the left side in Fig. 4, as input to the Trust Management module, from which to derive and infer features: the shared Data lake platform, the Monitoring analytics, and the Security management service. Once information sources have been determined, the Trust Management module will generate a set of trust features from that information. As shown in Fig. 4, trust models are mainly composed of direct trust and indirect trust, components located at the Trust information sources in the figure. On the one hand, direct trust is the information that has been gathered from direct interactions (trust history) with the entity from which it is intended to calculate its trust level. Through time, a stakeholder builds reputation information about other stakeholders, i.e., collects different trust assessments with the same entities to have an estimation, or a reference, on how future trust relationships could be. This way the Trust Management module considers objective properties to compute direct trust, such as SLA attributes or QoS properties, in order to avoid subjectivity problems. On the other hand, indirect trust is computed when an external entity, not directly involved in the current trust establishment event, provides information about one of the actors (trustee) involved in the relationship to be established. However, the trustor must have previous relationships with the intermediate entity. Since this information source involves feedback from other entities, it is necessary to determine how trustworthy the reply is, also known as, recommendation's credibility. Therefore, credibility will also be a factor directly linked to indirect trust.

Trust Calculation Module
Once all parameters have been gathered, from direct and indirect trust sources, the Trust calculation comes into play. It makes use of common algorithms from literature. On top of those, a set of ML-based algorithms are applied, though the selection of the ML/DL algorithm is based on the scenario characteristics and features. Nonetheless, Fig. 5 introduces some of the most conventional intelligent techniques such as Fuzzy theory, Bayesian networks, Markov networks, and so on. Note that the final trust score should withstand, at least, two of the main attacks that trust models often suffer, such as collusion attack (unrealistic or biased recommendations) and Sybil attack (multiple identities, associated with the same entity, increase/diminish reputation). Due to the fact that the proposed Trust Management is in an early development stage, more testing is needed, nevertheless, we are contemplating credibility as possible technique to distinguish deluding trust (collusion attack) [48] and fuzzy-based mechanisms to prevent Sybil attacks [49]. To avoid problematic subjectivities from indirect trust (known as recommendations), the 5GZORRO Trust Management module utilizes percentiles as a metric by which a trustee provides recommendations to a trustor. Thus, a relative quantity is used instead of absolute values, when estimating recommended trust. A percentile value indicates trustee's perception of another entity in relation to the other recommendations that the recommender has rated in the past. Lastly, the trust calculation phase also considers both sensitive information and which actions will the stakeholders be able to perform once the trust relationship is established. This consideration provides a final trust score according to the properties of each situation.

Trust Results and Evidence Storage
Next, when trust has been calculated, it is time for the Trust results and evidence storage module (see Fig. 6). To keep a timebased tracking, either data lakes or SQL/No-SQL databases will be used to store the output of the trust calculation model. They will maintain both a trust history and some of the information, considered public, to have recommendations available for future stakeholders. The selection of the storage source will be decided based on the type of information. For the case of sensitive information, it will be stored in a local repository where only stakeholders of its domain can access the information. For the non-sensitive, more options are available. Besides the functionality described previously, note that local repositories (SQL/No-SQL databases) will also host intra-and inter-domain policies, which enable large-scale adaptive systems that dynamically change their behavior in response to changing environments or requirements. Otherwise, in case the information can be shared with other stakeholders participating in the 5GZORRO platform, such information will be stored in a shared data lake.

Trust Level Update
As a last remark, note that the Trust level update module is a process that will run constantly since trust is a dynamic concept, which changes over time. It is paramount to identify a set of events that can be used as triggers for updating the current trust value. Security threats, SLA breaches, and relationship changes are considered as a set of candidates to trigger trust re-calculation of an active relationship (see Fig. 7).

Intra-domain Security
This module aims to offer security services in charge of detecting possible vulnerabilities and attacks, and apply the required countermeasures to mitigate the adverse events. The scope of this module covers an intra-domain perspective, where  each stakeholder deploys the services enabled by this module to enhance internal resource and service security. Besides, the deployment of this module in the internal organization infrastructure also improves the external trust from other stakeholders, as these services can be seen as an additional security guarantee for possible delegated resources or services.
The Intra-domain Security module allows the detection of operational and cybersecurity threats based on evidence that originates from monitoring network communications. To this end, operational threats relate to failures or malfunctions, whereas cyber-security threats relate to malicious activity, abuse of the 5GZORRO platform components or disrupt network communications [50,51]. Moreover, network communication monitoring is applied in (i) the modules, resources, and services inside each domain, and (ii) the 5G network infrastructure, i.e., mobile core with NFV MANO, RAN, or mobile edge. For the former, intra-domain communications occur through a network bus, which implements all the protocols and APIs to allow module interconnectivity. This bus is called intra-domain network fabric and allows different communication types, such as synchronous, asynchronous (event-based), point-to-point, or brokered communications. Furthermore, the latter requires access to the network packets that are exchanged into different layers of the 5G infrastructure. The high-level architecture of this module is shown in Fig. 8.
The first component of Fig. 8 is the Packet Analyzer, which is using a virtual SPAN (i.e., port mirroring) configuration or network probes on network elements as switches, gateways, and routers to collect network traffic data and control commands for each domain. Since traffic data and control commands can be sent either in standardized or proprietary formats, it also includes dissector modules for interpreting them. These network protocols are the ones used in (i) the 5G Network infrastructure (e.g., Core, RAN, and Edge) as well as (ii) the Intra-domain communication fabric.
For the detection part, it focuses on both known and unknown (zero-day) threats, by employing three main threat detection mechanisms, depending on the type of threat: Fig. 8 The Intra-domain Security module architecture • Rule-based: following a set of predefined rules and signatures for detecting known threats. The required inputs for this mechanism are obtained by Threat Intelligence platforms, as the Malware Information Sharing Platform (MISP) [52] or vulnerability databases as MITRE CVE [53]. • State-based: following the specifications of the network protocols that are used to communicate between the intra-domain modules and to detect anomalies when unusual message sequences, unsupported commands/codes, and error or unsupported messages are spotted. Since many protocols lack a dedicated specification or their specification is only proprietary, this module may require reverse engineering actions for interpreting commands that are inside the exchanged packets. • Behavior-based: using ML techniques to learn the intra-domain behavior by analyzing network data and forming a baseline upon which the detection of anomalies (including zero-day threats [45]) is feasible.
The Security Analytics module uses the collected data from the Packet Analyzer to produce data for analytics and visualizations, as well as to retrieve Indicators of Compromise (IoC) that are useful for the investigation of failures or threats. Moreover, since the Intra-domain Security module includes zero-touch automation capabilities, that facilitates management of complex systems in which operators may resort to utilize resources from other domains and allows operational processes and tasks to run automatically, the Security Analytics module allows integrating prevention and mitigation plugins (i.e., mechanisms and procedures). Such plugins enable the 5G infrastructure and multi-tenant environment to adapt, with the aim of applying countermeasures to potential attacks, for instance, brute force, privilege abuse, flooding, malicious logic insertion, bypassing physical security, etc. Prevention and mitigation plugins can be linked to the integration of firewall policies, blocking unauthorized entities and compromised assets from accessing the 5G network, or also isolating affected resources in a separate VLAN. Overall, these plugins define a closed loop architecture according to the ETSI Zero-touch network and Service Management (ZSM) [12] and since they perform active modifications on the 5G infrastructure, they also require stakeholder (e.g., MNOs, tenants, or CSPs) permissions.

Inter-domain Security
This module is tasked with establishing secure and trusted connections between different domains in the 5GZORRO environment, guaranteeing privacy and integrity without sacrificing performance. The Inter-domain Security module has a significant importance when it comes to performing network slicing and when integrating into domain networks, the resources leased from the marketplace and located in a third-party infrastructure. Thence, the Inter-domain Security module plays a pivotal role to avoid communication risks, which is the key objective. But before describing the process of establishing secure communication channels, it is important to introduce two key elements which play a significant role in the Inter-domain Security module, the Decentralized Identifier (DID) and the Verifiable Credential (VC).
A DID [54] is a new type of identifier, globally unique, resolvable with high availability, and cryptographically verifiable. DIDs are typically associated with 7 Page 22 of 35 cryptographic material, such as public keys and service endpoints, and they are used for establishing secure communication channels. The DID infrastructure can be thought of as a global key-value database in which the database is all DID-compatible blockchains, distributed ledgers, or decentralized networks. In this virtual database, the key is a DID and the value is a DID document. The purpose of the DID document is to describe the public keys, authentication protocols, and service endpoints necessary to bootstrap cryptographically verifiable interactions with the identified entity. In this regard, DID documents often leverage VCs to demonstrate claims. Thus, a VC [54] describes a privacy-preserving and tamper-evident credential (sort of claims) that can be demonstrated through a cryptographic process. The addition of technologies, such as digital signatures and distributed ledgers, makes VCs more tamper-evident and more trustworthy than their physical counterparts.
After introducing these technologies, it is time to explain how the Inter-domain Security module makes use of them, when setting up an innovative and reliable VPN between domains. The Inter-domain Security module uses the cryptographic material present in the DIDs, to derive shared keys between the elements located in different domains, and to establish a VPN-type connection that integrates these resources and services in the purchasing domain. Figure 9 depicts all the steps involved in establishing secure cross-domain communication channels where 5G Operator A realizes that it is not able to fulfill the performance levels indicated in its SLA, and therefore, checks the marketplace for available resources/services to expand its current capabilities. If it finds the needed Fig. 9 5GZORRO inter-domain secure establishment resources, it selects one of them and a Smart Contract is produced to reflect the transaction with 5G Operator B. After that, both operators request each other's public key to start the establishment of a secure and private communication channel. Since 5GZORRO leverages the DIDs and VCs when identifying, authenticating, and authorizing stakeholders, services, or resources, these may also be utilized as the asymmetric keys to derivate symmetric key pairs for a VPN tunnel (steps 1 and 2). Therefore, 5G Operator A is starting the VPN configuration process, by initiating a process called the shared key generation. By using 5G Operator B's public key, which was acquired from its VC (IdM DLT network), 5G Operator A forwards an authenticity proof to 5G Operator B (step 3). If the answer is satisfactory, 5G Operator A will generate and send a symmetric key to 5G Operator B, which will be subsequently utilized to securely and confidentially share information. Finally, the VPN configuration process will be finished, and the VPN will be set up with the purchased resources (step 4).

A Real Enforcement Use Case by 5GZORRO
After proposing and describing the components for a security and trust framework, this section describes how that framework will be a good fit for a real deployment scenario.
The 5GZORRO project aims to provide a framework for automated network management and cross-domain services. In this regard, security and trust are keys to succeeding in the goal. 5GZORRO often operates in multi-stakeholder environments and the project leverages on NFV, SDN, and service-based architecture to implement 5G networks, offering seamless end-to-end 5G service management. The project provides a Marketplace in which stakeholders can trade resources and services, in order to keep with the demanding dynamic requirements associated with 5G networks. The novelty here is the fact that an operator can lease on-demand resources and services located on third-party premises/infrastructures combining zero-touch automatization solutions and ensuring zero trust principles in distributed multistakeholder environments. Hence, these resources can be deployed and managed as their own, using zero-touch resource and service orchestration, for automated slice provisioning. Furthermore, another novelty here is the concept of security intents [55] that enable an operator to finally select, through intelligent resource and service discovery applications, a third-party that fulfills its security requirements.
The focus of this section will be on presenting how the proposed security and trust framework, which is composed of three different modules, integrates into an automated process of slice management and resource orchestration, involving resources belonging to different network domains. Figures 10, 11, and 12 illustrate the proposed 5GZORRO business flow for trustworthiness and secure end-to-end slice establishment, from the moment the entity uses the marketplace to search for the resources offered in other domains, all the way until the moment in which the slicing process with the acquired resources has been completed. But to understand Figs. 10, 11, and 12, we first provide a brief explanation of the entities involved in the end-to-end slicing process: • Intelligent Network Slice & Service Manager This functional entity is tasked with the automatic management of network slices into its own domain, or when the operator needs to extend its reach into other domains. This entity gathers monitoring data to produce intelligent analytics with the aim of proactively adapting the system due to constantly changing contexts. • Network Slice & Service Orchestrator Functional entity responsible for the deployment of network slices. This same entity orchestrates network services which can be provisioned on the intra-or inter-domain network slices. • Network Service Mesh Manager It handles the service meshes to provide connectivity for network services (service discovery, service routing, and service connection management). • Virtual Resource Manager Its main goal is to monitor the status of the managed entities and push monitoring data to the Intelligent Network Slice & Service Manager. Furthermore, this component is divided into three elements: service and resource monitoring, virtual resource management and control, and radio resource management and control. • Marketplace Platform It is an instance of the marketplace, anchored to one Marketplace DLT node. This component allows trading 5G resources and services through a decentralized catalog, taking advantage of the DLT technology. Each resource and service offered by the marketplace has a unique and global identifier, to be quickly and easily identified. These identifiers (DIDs) are then used to perform other actions such as establishing a secure end-to-end connection. • Intelligent SLA Monitoring & Breach Prediction This functional entity is made up of two key services. Its main objectives are to gather and examine aggregated monitoring data to identify SLA breaches by using AI techniques. Then, the Marketplace and the appropriated Smart Contract (SC) are notified, and the SC recalculates SLA status.
The proposed security and trust framework (highlighted in a green box in Fig. 10) will interact with the 5GZORRO platform at various stages and performing its operations in a holistic way, in few steps, and in parallel benefiting from its modular design. Initially, the Trust Management module is triggered when the client stakeholder asks for the available resources in the marketplace. During the resource selection process, trust level is a critical characteristic, since it can mislead the customer into selecting a slightly higher priced resource from a stakeholder who knows its ways to appear reliable to the system. Besides, the Trust Management module oversees the entire process, monitoring service incidents, or SLA breaches that may require trust level recalculation.
Second, the Intra-domain Security module (highlighted in the blue box in Fig. 11) is responsible for the continuous monitoring of the complete infrastructure. It gets triggered during the secure slicing process and makes sure that platforms on both ends are secure against threats. When slice monitoring is set up, decrypted network traffic from the slice is received and then forwarded to the Intra-domain Security module using a virtual SPAN port configuration. In the current implementation, the Intra-domain Security module is extending the functionality and protocol support of the Zeek network security monitor [56] as well as is integrated with a 5GZORROtailored Kibana [57] dashboard for the Security Analytics module. The complete integration is illustrated in Fig. 13. The choice of Zeek was based on its ability to perform knowledge-and behavior-based intrusion detection, instead of a rule-based detection that Suricata and Snort perform [56].
Finally, the Inter-domain Security module (highlighted in the orange box in Fig. 12) is critical in the slice setup process, as it oversees the end-to-end security for the established communications. In that sense, the Inter-domain Security module is triggered by the Network Service Mesh Manager when stitching slices are created in both domains. Here, both the Network Service Mesh Manager's DID and the leased resource's DID are utilized to configure a VPN connection using their public and private keys, and in consequence, a secure end-to-end communication is guaranteed across domains by means of the Inter-domain Security module. In the current 5GZORRO implementation, WireGuard VPN [58] has been selected based on its performance when comparing to other VPN solutions. This solution has been already used in 5G slicing solutions [59], outperforming other VPN solutions. Another of the strong points for WireGuard is that it supports, by design, asymmetrical key authentication based on Curve25519. This key protocol is also compatible with the W3C DID specification [54]. Then, DID public/private key adaptation with WireGuard would be straightforward if this protocol is used in the key generation process associated with the DIDs.
The described use case highlights how the security and trust framework proposed in this article can be integrated with the logic of slicing in a real environment. This way, the security of the process is improved against possible threats. Note that this framework could be applied in other use cases in the same way; for example, the trust module could be used once the slicing process is completed to manage resources or cancel their use.

Discussion, Trends, and Challenges
Once the design of the proposed security and trust framework has been detailed, it is essential to discuss its similarities and differences with related state-of-the-art frameworks. This discussion differentiates our work from other proposals and shows possible gaps in the current solutions of the literature. Besides, it is critical to detail the trends and challenges in the area, guiding future iterations of the 5GZORRO security and trust framework as well as setting the stage for new designs and framework implementations.
First, we compare the main characteristics of the most relevant frameworks presented in Sect. 2 with the framework presented in this manuscript and such characteristics are summarized in Table 2 to provide an overview of each framework. In that sense, most of the analyzed frameworks focus on IoT scenarios, and only Suomalainen et al. in [28] apply the framework to 5G and network slicing environments. Nevertheless, they also do not consider a zero-touch automated approach as the rest of frameworks presented in Sect. 2. Given that automation is clearly the path for future frameworks [60], the one presented in this article considers the automation of security and trust frameworks for 5G and beyond 5G, just as other under development frameworks in INSPIRE-5G Plus [15] and MonB5G [16] projects. Furthermore, this path involves many technical improvements regarding AI and network orchestration, such as the integration of AI and orchestration softwares, model optimization for real-time data processing, or the application and development of new algorithms.
Besides automation, the application of AI to security and trust processes brings numerous benefits. A very important one of these benefits is the ability to detect previously unseen threats by applying anomaly detection algorithms, something that is much more complex, if not impossible, using rule-based processing. In addition, the AI models can be adapted to new threats by simply changing the data they receive, reducing the need for expert knowledge to create them. Finally, these AI algorithms usually perform better at detecting complex patterns related to advanced security and trust threats, improving the results of traditional approaches.
Considering the implementation of the frameworks analyzed in Sect. 2, only a few of them have been accomplished, and a couple of solutions rely on simulations or no actual implementations. In this sense, our framework is being developed in a real scenario, very similar to the use case of Sect. 4.2, within the 5GZORRO project. In addition, INSPIRE-5G Plus and MonB5G are following similar paths in terms of implementation.
Finally, so far, only the MonB5G project and the framework designed for 5GZORRO project take into account a zero trust approach, where trust is not assumed depending on where the assets are located, improving trust management and further avoiding internal attacks. This is a paramount point that other frameworks have not already developed nor considered, and that is of utmost importance in modern network environments where intra-and inter-connections are more and more frequent, and with it the exploitation of trust assigned by default. In the case of intra-domain scenarios, the trust by default may have negative consequences if an internal entity has been attacked and consequently, its behavior tampered. In contrast, the trust assigned by default in an inter-domain scenario may skip a new trust computation process on a previously known entity, which would violate trust principles as trust varies over time and must be continuously updated (internal domains) or previously calculated (external domains).
Through the state-of-the-art research and the design of our security and trust framework, numerous trends and challenges have been identified in that research area. These trends guide the current implementation, while the encountered challenges are to be addressed by future framework iterations, in order to improve its capabilities and offered functionalities.
Regarding current trends, the main approaches and ideas expected for future security and trust frameworks are: • ML and DL application as trust computation algorithms Traditionally, trust value computation has been achieved by using rules, statistical functions, or proprietary algorithms developed for a particular platform. However, the rapid expansion of ML and DL techniques has led the current solutions, as well as those under development, to opt for these solutions when calculating confidence values [61]. The main advantage of these is their adaptability to different tasks, as they only require tweaking the training data and hyperparameters to generate different models, while traditional methods require manual changes and adaptations. Besides, these techniques achieve better performance than traditional algorithms because they can extract correlations and infer complex information between different network metrics that traditional algorithms cannot. • Virtualization Currently, many network components in the infrastructure are offered as a virtualized service (SaaS, PaaS, IaaS), and accessed through cloud services. In this extensively cloud-based network landscape, security and trust services are not an exception. Current frameworks are tending toward modularization or fragmentation, making that services can be offered independently through the network. In this sense, Security as a Service (SECaaS) [62] and TaaS [63] cloud applications are emerging, so that the requirements of each entity can be covered independently and in a personalized way. • From centralized architectures to decentralized ones Together with the virtualization of services, also comes its decentralization. Different security and trust functionalities can be enforced from different network elements and even different entities. This trend drastically enables the security and trust service scalability, indispensable in the new massive device 5G scenarios. Besides, this trend is also enabled by the integration of modern blockchain-based technologies in the security and trust life cycle [64], such as the DID integration [65] proposed in our architecture for the Inter-domain Security module.
Due to the fast evolution in the security and trust threats, but also in the frameworks dealing with them, there are many challenges to be considered when developing future security and trust solutions: • Standardization Several standardization organizations are working on security and trust frameworks and documents to boost common approaches for modern network management, however, there is not yet a common framework in this perspective. Currently, the most active group in this area is ETSI ISG ZSM [12], investigating automated network and service management and its application to future networks such as 5G. Regarding security and trust, the ZSM 010 group is studying the threat identification and mitigation options to ensure automated secure processes. Other organizations are also working on different proposals in this paradigm, such as the ITU-T Y.3053 [66] recommendation that introduces a framework for trustworthy networking with trust-centric network domains, or the IETF RFC 8485 [67], proposing a standard for determining the amount of trust to be placed in a digital identity transaction. • Zero-touch perspective Motivated by the explosion of ML and DL, the integration of these methods with network management has become one of the current challenges for modern network solutions. Thus, the automation of security and trust frameworks is not an exception and is receiving a lot of attention in the current designs under development. Nevertheless, there is still a lot of work to be done before fully automated solutions can adapt themselves to changing threats without external intervention. In this sense, and similarly to the previous challenge, the ETSI ZSM is the main group working toward a zero-touch perspective for security and trust management, together with the rest of the network aspects. • Optimal countermeasures and countermeasure fairness Once the different threats to security and trust can be detected, it is essential to properly define what to do to mitigate them. Here, despite the work done so far [68], there is no standardized set of countermeasures applicable to each threat. Instead, each framework defines its own countermeasure actions. Therefore, it is critical that these measures have a compromise between mitigating threats and maintaining high QoS without impairing network performance. In addition, countermeasures to trust threats also need to consider equity with other entities, as aggressive measures could be too damaging to them. • Transparency in security and trust management Transparency is one of the outstanding issues in the trust management of multi-stakeholder environments, since there is a tendency toward models in which security is provided by the obfuscation or confidentiality of the implemented security measures. However, the management of security and trust based on this approach has proven to be inefficient [69], leading to weak trust relationships. • Zero trust The application of zero trust approaches [11] for trust chain management is a novel paradigm that still requires to be implemented in frameworks and architectures of the future. This solution can greatly assist in managing trust in 5G environments where the number of devices is massive, highly dynamic, and heterogeneous. Thus, the security and trust threat landscape might be enclosed through a zero trust approach since it not only guarantees data and services intraand inter-domain protection, but also all enterprise assets and subjects.
From the trends and challenges described above, it is possible to extract the research lines that should guide the development of the security and trust frameworks of the future. As a conclusion of the future of the research, it can be stated that the main direction is toward the application of ML and DL techniques for the automation of security and trust frameworks, which will be deployed in a distributed and modular way and offered as virtualized services.

Conclusions and Future Work
Despite the benefits of 5G networks mass rollouts (higher dynamicity and multi-tenancy), it also brings a mighty threat landscape for adversaries. Owing to the fact that existing security and trust models are not suitable for dealing with the dynamicity of 5G infrastructure threats, the security risks due to the multi-tenancy, nor contemplating new approaches such as zero-touch and zero trust, a pivotal gap was identified in the literature. To address the aforementioned issues, this article has presented a security and trust framework designed for 5G multi-domain network scenarios. The framework has a modular architecture designed to cover threats originated by the new networking paradigms enabled by 5G, where resources from different stakeholders are leveraged to create network slices. Thus, the framework has three main components: a Trust Management module, in charge of managing end-to-end trustworthiness relationships between different entities and elements in the network; the Intra-domain Security module, able to identify attacks and vulnerabilities within the 5G infrastructure as well as in a multi-tenant/multi-domain environment through dynamic traffic analysis; and the Inter-domain Security module, in charge of providing security when creating slices using resources located cross-domains. The framework has been deployed in a realistic use case to demonstrate its usefulness and how it can be applied in a multi-domain network scenario associated with the EU H2020 5GZORRO project. In addition, a series of trends and challenges have been identified during the design phase, which will be addressed during the development stage.
As future work, we plan to provide concrete implementation and deployment details of the security and trust framework following the advances within the 5GZORRO project. Such details will also be in-line with the trends and challenges that were identified in this article. Another feasible objective for future work is to assess the chance of generating a taxonomy for trust models, so that recommendations can be shared with other entities and problems as subjectivity can be avoided. Similarly, well-known trust algorithms such as PeerTrust or PowerTrust will be analyzed to adapt its general functionalities to the requirements presented by the 5GZORRO project. Moreover, there is also a lack of standardizations or guidelines with practical recommendations to be used when generating trust models in 5G networks. Finally, we are also planning to conduct experiments validating the framework according to attacks that are based on the identified threats in 5G multi-tenant and multi-domain scenarios.