Automation and Orchestration of Zero Trust Architecture: Potential Solutions and Challenges



Introduction
To date, most network security architectures have used perimeter-based defense to isolate internal networks from external networks. Firewalls, Virtual Private Networks (VPN), and Demilitarized Zone (DMZ) networks prevent external attacks by creating a network security perimeter [19,147]. This can effectively prevent external attacks, but it is difficult to prevent internal attacks because once an intruder breaches the security perimeter, further illegal actions will not be hindered [129]. In addition, with the rapid development of digital technologies such as 5G, the Internet of Things and cloud computing, the number of network users and devices [11] and their security concerns [130] are growing exponentially, while the perimeter of the network is becoming increasingly blurred [53,98].
This makes it more difficult to protect organizational resources, especially as more data access points, information inputs, and outputs are created [69]. Therefore, preventing internal attacks requires a security architecture that does not trust any network [159,30].
Zero Trust Architecture (ZTA) [109] is a new concept of network security architecture based on the principle of least privilege, which aims to solve the above problems by restricting the behavior of subjects inside the network. Based on the core idea of "never trust, always verify" [148], ZTA follows a resource-based security policy: no users, devices or applications (services) can access data without authentication and authorization. However, while ZTA provides more robust cyber protection measures, it still faces significant implementation challenges [68]. The implementation of ZTA requires multiple security tools (e.g., firewalls) and policies to work together, and traditional stand-alone security detection approaches may not be applicable. In addition, the large amount of data collected and produced by these security tools can be used for risk analysis, prediction and evaluation within the framework. Thus, to maximize the security protection performance of ZTA, the components of existing frameworks need to be automated and orchestrated. In this context, Artificial Intelligence (AI) algorithms are considered one of the most suitable technologies to automate and orchestrate ZTA [151].
AI technologies are considered enablers for Security Orchestration, Automation and Response (SOAR) solutions, which are designed to automate and integrate different security tasks and processes in response to incidents [74]. SOAR is also one of the functions to be considered in the execution of ZTA [12], which provides a reference for AI to perform automation and orchestration across components.
Security teams consider ZTA as an enabler to uphold security in their organization's networks.
In particular, ZTA needs to develop capabilities that orchestrate and learn continuously to secure the environment based on hyper-granular access privileges. ZTA automation and orchestration can relieve security personnel from manually assigning and reassigning access credentials throughout the organization's network. Moreover, permission changes over ZTA should be orchestrated in minutes, eliminating the friction and annoyance of security procedures for employees and devices. In this paper, we focus on the potential of AI algorithms in the automation and orchestration of ZTA components.

Principles of Zero Trust
The concept of zero trust was first introduced in 2010 by John Kindervag, an analyst at the consulting firm Forrester, who proposed the core idea of ZTA: "there are no longer trusted or untrusted networks, users and interfaces on security devices" [73,72]. The ZTA automation and orchestration that our research paper focuses on was proposed by another Forrester researcher, Chase Cunningham. His Zero Trust eXtended (ZTX) research report published in 2018 [32] extends ZTA capabilities from micro-isolation to visibility, analytics, automation and orchestration.
With the growing trend of Internet security issues, many research institutes and organizations have begun to pay attention to ZTA and offer different insights. Google began building the zero-trust-based BeyondCorp system in 2011 and published a series of papers giving a comprehensive introduction to BeyondCorp [146,100,127,13,41,64]. BeyondCorp always follows the rule that access to services depends on the contextual factors of authenticated, authorized, encrypted users and their devices rather than on the network to which they are connected. In 2019, Gartner extended Adaptive Security Architecture (ASA) and Continuous Adaptive Risk and Trust Evaluation (CARTA) to Zero Trust Network Access (ZTNA), which is used to phase out VPN-based service access [19]. In 2020, the National Institute of Standards and Technology (NIST) released version 2 of SP 800-207: Zero Trust Architecture [109], which provides detailed guidance, in document form, on the design of zero-trust architectures.
The main purpose of ZTA is to enhance security. Although enterprises and organizations propose different strategies to understand and implement ZTA depending on their application environments, they are all based on the following three principles:
1. Access control should be resource-centric and context-aware.
2. All users and devices must be authenticated and authorized based on dynamic policies before accessing resources, following the least-privilege policy.
3. Security is improved by continuously monitoring the integrity and security posture of owned or associated assets.

Existing Surveys
Although a large number of studies related to ZTA have been published, there are few literature reviews on ZTA. A brief summary of the existing surveys on ZTA is provided in Table 1. Evan Gilman's book 'Zero Trust Networks' [51] begins with an introduction to the basic concepts of zero trust and describes step-by-step methods and techniques for implementing zero trust networks. It also examines the problems that zero trust may face from an attacker's view. Similarly, Jason Garbis, in the book 'Zero Trust Security' [46], looks at enterprise security and IT infrastructure from a zero trust perspective. He also explains how zero-trust security can have an impact on network and security system integration. The existing surveys focus on the basic concepts of ZTA [151], migration strategies [134], economic analysis [17], intrusion detection [4] and authentication [132]. Yan and Wang [151] review the key technologies in the components of ZTA and their application in real-world scenarios; the advantages of ZTA and the existing challenges are also presented. Teerakanok et al. [134] investigate the challenges, steps, and matters to be considered in migrating from a legacy architecture to ZTA.
Buck et al. [17] analyze the disadvantages and costs of ZTA from an economics and user perspective based on blockchain. Alevizos et al. [4] also used blockchain to extend the zero-trust architecture to the endpoint and reviewed state-of-the-art blockchain-based intrusion detection systems. Syed et al. [132] survey the latest technologies available for authentication and access control in different ZTA scenarios and discuss ZTA encryption, micro-segmentation, and security automation methods.
Table 1: Summary of existing surveys on ZTA (table body not reproduced). Legend: discussed / −: partially mentioned / never mentioned. Criteria compared: 1 Details about ZTA principles. 2 Comparison of security technologies based on perimeter and non-perimeter. 3 Categorisation and revision of ZTA components. 4 Challenges about ZTA migration, automation and orchestration. 5 Specification of the future research direction of ZTA.
Existing surveys provide careful review and analysis of different ZTA theoretical frameworks and application scenarios. However, none of them elaborate the potential benefits of the automation and orchestration of ZTA using AI techniques. In the wide range of ZTA application scenarios, where ZTA needs to process and analyze huge amounts of data from different sources, researchers have shown increasing interest in AI-driven automation and orchestration, which can assist ZTA in data classification, authentication and access control [151]. Therefore, our main focus in this survey is to fill the gap by developing a systematic review of AI-focused approaches important for ZTA automation technologies from a technical perspective, in conjunction with existing surveys.

[Figure 1: scope and organization of the survey; surviving labels: Section 6 Conclusion, Monitoring, SASE, Authorization, 5G/6G]
The scope and organization of this survey are shown in Figure 1. Our goal is to use AI technologies to facilitate ZTA automation and orchestration, which will help further improve its efficiency and performance.
The main contributions of this paper are summarized as follows:
1. We comprehensively review and compare existing perimetrized and deperimetrized trust architectures.
2. We provide an in-depth analysis of existing AI technologies for ZTA automation and orchestration.
3. We discuss the challenges of implementing AI-based solutions in ZTA automation and the future developments.
Our survey paper is structured as follows. Section 2 reviews the traditional perimetrized architecture and provides a fine-grained delineation of ZTA logical components and data sources. Section 3 identifies problems in the implementation of ZTA component automation and describes the role of AI technologies in automating the implementation of different ZTA components. Section 4 provides an overview of existing AI-based solutions. Section 5 describes limitations and challenges, and points to future research directions. Section 6 summarizes the survey paper.

Understanding Trust Architecture
In this section, we provide a fine-grained categorization of the logical components and data sources of ZTA, and discuss the ZTA automation workflow.

Perimetrized Architecture
Information security gained widespread attention after World War II; researchers defended against external attacks by building physical perimeters around computer systems and stored information [19].
The core concept of perimeter-based protection is allowing trusted users to access the internal network and blocking untrusted users.
All users, services, infrastructure and assets exist only within the internal network. The architecture considers all internal users to be trusted, with unrestricted access to internal resources; any external users are untrusted and cannot access any services or devices inside the network. The perimeter-based security architecture effectively defends against incidents such as malware, phishing, denial of service, and zero-day attacks [36].
Recently, large amounts of data resources have been migrating to the cloud, and users are expanding from human users to IoT devices. The traditional sense of the network perimeter is being disrupted, which leads to attacks from the outside becoming more penetrating and dynamic. The attack surface has expanded, many attacks are launched from the inside, and perimeter-based defenses are no longer effective against attacks from the inside.
Firewalls protect assets by isolating private networks from public networks, filtering traffic and blocking access from untrusted sources or IP addresses [89]. But the disadvantages of firewalls are also obvious: once an attacker breaches the network's defensive perimeter, the firewall cannot stop them from acting illegally on the internal network.
VPNs are often used for access to remote networks, where a secure connection is established between the local network and the remote network by encrypting the communication data. While this strategy is effective in securing communications, it poses a threat to corporate assets because it requires traversal of the corporate infrastructure. VPNs have obvious drawbacks as well. A VPN uses static authentication and cannot continuously verify user identity and endpoint trust during user access. A VPN is also unable to define and restrict user privileges; users can access and steal intranet resources with impunity once they connect to the VPN.
The DMZ network provides the internal network with an additional layer of security.
The DMZ is generally located between two firewalls: external network traffic enters the DMZ after passing through the first firewall and is sent to the second firewall after a security review by the DMZ [128]. The DMZ's policy of defending with multiple firewalls in the system is called a defense-in-depth security policy [147]. The advantage of the DMZ is that dual firewalls make attacks more difficult, since attackers need to break through two layers of firewalls to bring down the network.
In addition, even if one firewall fails, network traffic can be switched to a backup firewall to avoid a potential attack [33]. Although the DMZ defense policy deepens the defense, it relies too much on the firewall. If an attacker uses some method to bypass the firewall, for example using malicious emails to gain direct access to the internal network, the DMZ will fail. Moreover, the DMZ cannot identify attacks by trusted devices on other trusted devices.
In comparison, the perimeter-based protection approach effectively protects against external attacks, but it overlooks those attacks that may come from within. The perimeter-based defense architecture is no longer suitable for today's cyber attacks: privileged access paths become riskier and make perimeter-based defense difficult to defend against illegal attacks from legitimate internal users. ZTA's principles of least privilege and micro-segmentation effectively limit the privileges of internal users and avoid the risk of unrestricted lateral movement of users within the network. The National Institute of Standards and Technology (NIST) divides the zero-trust model into a control plane, a data plane, and data sources [109]. Among them, the control plane is primarily responsible for decision making, the data plane is responsible for executing the decisions made by the control plane, and the data sources are predominantly responsible for providing data and policy rules to the control plane. We provide a more refined division of logical components and data sources on this basis and illustrate the process of their automated application.

Deperimetrized Architecture
Figure 2 shows the automation process of ZTA. The accessing subject receives session-based authentication generated by the PA before accessing the resource. Then the identity information is sent to the PE to decide whether to grant permission. After the PE decides to grant permission, the PA configures the PEP to allow the session to start; otherwise, it closes the session. The accessing subject remains under continuous tracking and verification of its access behavior and identity by the security system while accessing resources. Once illegal behavior is detected, the security system informs the PE to stop authorizing the session and the PE closes the session.
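To make the PE/PA/PEP workflow above concrete, the following added example (not code from the paper, and not any vendor's implementation) models the three components in Python: the Policy Engine scores a trust value from a few signals, the Policy Administrator opens a session-specific credential and configures the Policy Enforcement Point on a grant, and re-verification with fresh signals can withdraw the session mid-access. The signal names, their weights and the 0.7 threshold are assumed values chosen for illustration.

```python
"""Toy model of the ZTA automation workflow (PE decides, PA administers, PEP enforces).

Added example, not code from the paper: signal names, weights and the grant
threshold are assumptions made for the illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TRUST_THRESHOLD = 0.7  # assumed: minimum trust score needed to hold a session


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str


class PolicyEngine:
    """Trust evaluation: each assumed signal contributes a weight when it holds."""

    WEIGHTS = {"mfa_passed": 0.4, "device_compliant": 0.4, "known_location": 0.2}

    def trust_score(self, signals: Dict[str, bool]) -> float:
        return round(sum(w for name, w in self.WEIGHTS.items() if signals.get(name, False)), 2)

    def decide(self, signals: Dict[str, bool]) -> bool:
        # Grant only when the score reaches the threshold; re-run for every check.
        return self.trust_score(signals) >= TRUST_THRESHOLD


class PolicyEnforcementPoint:
    """Data-plane gate: only sessions the PA has configured may reach a resource."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, str]] = {}

    def configure(self, session_id: str, subject: str, resource: str) -> None:
        self._sessions[session_id] = (subject, resource)

    def close(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)

    def permits(self, session_id: str, subject: str, resource: str) -> bool:
        # The session is bound to one subject and one resource.
        return self._sessions.get(session_id) == (subject, resource)


class PolicyAdministrator:
    """Opens sessions on a PE grant and tears them down when re-verification fails."""

    def __init__(self, pe: PolicyEngine, pep: PolicyEnforcementPoint) -> None:
        self.pe = pe
        self.pep = pep

    def open_session(self, req: AccessRequest, signals: Dict[str, bool]) -> Optional[str]:
        if not self.pe.decide(signals):
            return None  # PE denied: no session exists and the PEP never learns of it
        session_id = secrets.token_hex(16)  # session-specific credential
        self.pep.configure(session_id, req.subject, req.resource)
        return session_id

    def reverify(self, session_id: str, signals: Dict[str, bool]) -> bool:
        # Continuous verification: fresh signals are re-scored on every check.
        if self.pe.decide(signals):
            return True
        self.pep.close(session_id)  # PE withdrew authorization: PA closes the session
        return False


def run_scenario() -> Dict[str, bool]:
    """Walk one session through denial, grant, continued access and revocation."""
    pe, pep = PolicyEngine(), PolicyEnforcementPoint()
    pa = PolicyAdministrator(pe, pep)
    req = AccessRequest(subject="alice", resource="payroll-db")

    healthy = {"mfa_passed": True, "device_compliant": True, "known_location": True}
    no_mfa = {"mfa_passed": False, "device_compliant": True, "known_location": True}
    drifted = {"mfa_passed": True, "device_compliant": False, "known_location": True}

    denied = pa.open_session(req, no_mfa) is None            # score 0.6 < 0.7: denied
    sid = pa.open_session(req, healthy)                       # score 1.0: granted
    granted = sid is not None and pep.permits(sid, "alice", "payroll-db")
    bound = not pep.permits(sid, "bob", "payroll-db")         # credential is not transferable
    still_ok = pa.reverify(sid, healthy)                      # nothing changed: session continues
    revoked = not pa.reverify(sid, drifted)                   # device drifted: PE stops the session
    blocked = not pep.permits(sid, "alice", "payroll-db")     # PEP no longer forwards traffic
    return {"denied_without_mfa": denied, "granted": granted, "session_bound_to_subject": bound,
            "still_ok": still_ok, "revoked_after_drift": revoked, "blocked_after_revoke": blocked}


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The point to take from the model is the separation of duties: the PE never touches the data path, the PEP holds no policy, and a session that was valid a moment ago is dropped as soon as the PE's re-evaluation of current signals falls below the threshold.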

Intelligent Control Plane
In the traditional ZTA control plane, the Policy Decision Point (PDP) is divided into the Policy Engine (PE) and the Policy Administrator (PA) for making and executing decisions [109]. Trust evaluation is the core algorithm of the PE, which evaluates the trustworthiness of the subject based on data from different sources. The PE decides whether to grant the subject access to resources based on the trust evaluation of the supplied credentials. The PE is essentially access control over user identity and devices. Therefore, in order to achieve accuracy and timeliness in access control, authentication and authorization, it is necessary to automate the trust evaluation process and to dynamically adjust decisions through real-time trust value updates based on the continuously collected information.

Authentication and ID management
In ZTA, the PA is primarily responsible for establishing the communication path between the accessing subject and the resource, and then generating session-specific authentication credentials. Due to the wide range of ZTA application scenarios, authentication no longer refers to verifying user identity alone, but also includes authentication of IoT devices and cloud services. Accurate authentication can directly reduce the risk of attacks using falsified identities, so we divide authentication into user authentication and device authentication. Biometrics and Physical Layer Authentication (PLA) are considered effective authentication solutions: biometrics identifies users based on their unique biometric features, and physical layer authentication identifies devices by verifying channel features.
ID management is responsible for creating, storing and managing user identity information, such as access rights, biometrics, etc. The enterprise Public Key Infrastructure (PKI) is responsible for generating the authentication and communication encryption certificates issued by the system for devices, services, and users. Therefore, even though biometric authentication and PLA can dynamically verify the identity of the accessing subject, the generated authentication information still needs PKI for communication transmission.

Attack Detection
Automated attack detection can help ZTA defend against internal and external attacks. Nevertheless, attack detection is not a single technique or algorithm, but a combination and coordination of multiple techniques. We divide them into three categories based on different attack phases: automated threat intelligence collects information about potential attacks before they occur; automated intrusion detection detects ongoing attacks promptly; and automated log-based anomaly detection continuously monitors the internal operation of the network to identify and locate anomalies even if an attack breaks through the first two layers of detection. The coordination of multiple automation technologies can secure the ZTA to a large extent.

Connection Monitoring
The data plane is used for the actual communication between applications, and its main role is to monitor the connection between the subject and the resource. All actions taken by the subject while accessing the resource are recorded in logs, so it is possible to stop possible illegal actions by legitimate users by checking for abnormal log records. The Continuous Session and Diagnosis (CDM) system and the Security Information and Event Management (SIEM) system are also used to collect information and provide response strategies.
CDM mainly collects information about assets and updates configurations, and its capabilities include asset management, identity and access management, network security management, and data protection management. SIEM systems analyze relevant security information within a system and provide response strategies, and are composed of multiple monitoring and analysis components such as Log Management (LMS), Security Information Management (SIM) and Security Event Management (SEM). LMS is used as a traditional log collection and storage tool; SIM collects data from multiple security-related tools or systems; SEM is based on a proactive monitoring and analysis system that includes data visualization, event correlation and alerts.

AI algorithms for ZTA
To the best of our knowledge, most of the existing literature does not focus on AI technologies, which are increasingly playing important roles in ZTA components. We therefore focus on, but are not limited to, applying AI technologies to the automation and orchestration of ZTA components, highlighting the comprehensiveness of AI-driven ZTA automation and orchestration. Figure 3 shows the categories of AI algorithms and their application in ZTA components. We divide ZTA components into four parts: control plane, authentication, attack detection and resource monitoring.

Control Plane
The control plane is the brain of the ZTA; it evaluates and analyzes the data from other components for decision making. The control plane is divided into two main parts: trust evaluation and access control.

Trust Evaluation
As mentioned in Section 2, the trust algorithm evaluates the trustworthiness of the subject based on different data sources to decide whether to grant access [109]. It can support the automation of the modules inside the policy engine, which handles decision-making and flexible control over the tenets of ZTA by constantly assessing the trustworthiness of several network devices and enterprise systems.
However, automating the modules of ZTA's PE is highly challenging and non-trivial, because access grants to network resources are often governed by the underlying trust evaluation algorithm [109]. To this end, advanced machine learning techniques can be applied to handle effective trust evaluation; Wang et al. [140] have analyzed several conditions where machine learning-based trust evaluation methods improve the trustworthiness of the underlying devices in a distributed system.
The clustering algorithm performs binary clustering on the information features collected by different ZTA components, labeling them as trustworthy or untrustworthy in the trust evaluation. This method can be applied to ZTA's access control decision-making to decide whether to grant or deny access.
Similarly, deep reinforcement learning can enhance the performance of the access control model by strengthening the trust evaluation policy, rewarding and punishing each evaluation action in an active trial-and-error manner [87,92]. Moreover, transfer learning can be used to reduce the training time of the models because of its inherent knowledge-sharing approach.

Access Control
In ZTA, access control is a vital security protection method, and trust evaluation can be considered an important access control policy. Traditional access control refers to restricting what a user, and programs capable of acting on their behalf, can perform directly [112]. With the advent of the era of 5G and IoT, more and more intelligent devices have joined the network, and access control is no longer limited to restricting users' and programs' access to data. Access control in ZTA is redefined so that only authenticated and authorized subjects can access resources; other subjects are denied access. Subjects can be understood as users, applications (or services), or combinations of devices; resources can be interpreted as any objects connected to the network, such as printers or computing resources [109]. In addition, dynamic granting or revocation of access is also a primary function of the ZTA PE.
Before we discuss AI-based automated access control that can be applied to ZTA, it is also essential to consider the different application scenarios of access control. Ravidas et al. Attribute-Based Access Control (ABAC), and Fine-Grained Access Control (FGAC) [167]. The access control policy in ZTA is a combination of these three techniques, which automatically assigns roles or permissions to users based on their static and dynamic attributes for fine-grained access control. Static attributes can be understood as user identity, while dynamic attributes include the time and location of the user's access request. Different roles within an organization have different permissions. Due to its powerful classification capability, supervised learning can be used to automatically assign role permissions based on user attributes, or even to assign user permissions directly. These AI approaches can significantly reduce the time and improve the accuracy of privilege assignment compared to manual privilege assignment.
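The combination of role-based, attribute-based and fine-grained control described above is easier to see in a policy evaluator than in prose. The following added example (not from the paper or any product) derives a role from a static attribute, scopes the role's permissions per resource and action, and then checks the dynamic attributes of the request (time, location, device posture) on every call rather than once at login. The roles, resources, locations and the business-hours window are assumed values for the illustration.

```python
"""Access decision from static and dynamic attributes (RBAC + ABAC + fine-grained scope).

Added example, not from the paper: roles, resources, allowed locations and the
business-hours rule are assumptions made for the illustration.
"""
from datetime import datetime
from typing import Dict, Set, Tuple

# Assumed: role -> permitted (resource, action) pairs (the fine-grained part)
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "engineer": {("source-repo", "read"), ("source-repo", "write"), ("build-farm", "read")},
    "finance": {("ledger", "read"), ("ledger", "write")},
    "contractor": {("source-repo", "read")},
}
# Assumed: static attribute 'department' -> role; anyone else is treated as a contractor
DEPARTMENT_TO_ROLE = {"engineering": "engineer", "accounting": "finance"}
BUSINESS_HOURS = range(8, 20)  # assumed window in which write actions are allowed


def derive_role(static: Dict) -> str:
    """Static attributes (from ID management) determine the role."""
    return DEPARTMENT_TO_ROLE.get(static.get("department", ""), "contractor")


def evaluate(static: Dict, dynamic: Dict, resource: str, action: str) -> Tuple[bool, str]:
    """Return (decision, reason); every deny names the failed rule so it can be logged."""
    role = derive_role(static)
    if (resource, action) not in ROLE_PERMISSIONS.get(role, set()):
        return False, f"role {role} has no {action} on {resource}"
    # Dynamic attributes are evaluated on each request, not once at login.
    if not dynamic["device_compliant"]:
        return False, "device failed posture check"
    if dynamic["location"] not in static.get("allowed_locations", set()):
        return False, f"request from unexpected location {dynamic['location']}"
    if action == "write" and dynamic["request_time"].hour not in BUSINESS_HOURS:
        return False, "write outside business hours"
    return True, f"{role} may {action} {resource}"


def request_at(hour: int, **overrides) -> Dict:
    """Constructed dynamic attributes for a request at the given hour."""
    dyn = {"request_time": datetime(2024, 3, 4, hour, 15),
           "location": "office-berlin", "device_compliant": True}
    dyn.update(overrides)
    return dyn


def demo() -> Dict[str, bool]:
    """Decisions for one constructed engineer under several request contexts."""
    alice = {"department": "engineering", "allowed_locations": {"office-berlin", "vpn-pool"}}
    return {
        "read_daytime": evaluate(alice, request_at(11), "source-repo", "read")[0],
        "write_daytime": evaluate(alice, request_at(11), "source-repo", "write")[0],
        "read_night": evaluate(alice, request_at(2), "source-repo", "read")[0],
        "write_night": evaluate(alice, request_at(2), "source-repo", "write")[0],
        "read_unknown_location": evaluate(alice, request_at(11, location="cafe-wifi"), "source-repo", "read")[0],
        "read_noncompliant_device": evaluate(alice, request_at(11, device_compliant=False), "source-repo", "read")[0],
        "ledger_read": evaluate(alice, request_at(11), "ledger", "read")[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} {'ALLOW' if allowed else 'DENY'}")
```

Returning the failed rule alongside the decision is what lets the SIEM later correlate a burst of "unexpected location" denials for one subject, which is the kind of signal the monitoring components discussed later consume.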

Identity Verification
Authentication is the primary factor in the control plane's decision to grant or deny access. Existing authentication technologies can be divided into biometric identification and physical layer authentication, which are used to authenticate human users and devices, respectively.

Biometric Authentication
Many biometric features of the human body are unique, such as the iris and fingerprints [15]. However, these traditional surface biometrics of the human body are no longer reliable because they can be easily lost and copied, such as fingerprints left on a glass. With the development of wearable devices, features of internal human organs can also be effectively captured. However, how to classify and identify the collected biometric features is the main challenge that biometrics currently encounters.
The application of artificial intelligence can extract and classify the features obtained from wearable devices to verify the user's identity.
A detailed investigation of the application of machine learning classification methods in continuous multimodal biometric authentication is presented by Ryu et al. [110]. In automated user identification, the user biometric features stored in the ID management system are first quantified, then

Attack Detection Automation
Automated attack detection is the main means for ZTA to prevent attacks from inside and outside. Attack detection techniques can be divided into threat intelligence collection and log-based anomaly detection.

Threat Intelligence Collection
Automated threat intelligence collection requires AI algorithms to sense, reason, and detect advanced cyber attacks [31]. Currently, most cyber threat intelligence comes from open-source communities such as hacker forums, blogs and tweets [86,135,44]. Therefore, using AI technologies to extract useful information automatically is currently an immediate and effective way of extracting threat intelligence. Cascavilla et al. [21] reviewed existing cyber criminal activities and supplemented their classification for risk assessment. Cyber threat intelligence sharing is considered an effective means to address the increasing number of cyberattacks, and Wagner et al. [138] investigated existing automated cyber threat intelligence sharing techniques.
In ZTA, we believe that AI technologies are the primary solution for automating cyber threat intelligence collection. The clustering algorithms of unsupervised learning can group different patterns of threat intelligence according to their similarity [6,70]. The log-based anomaly detection method uses AI technologies to realize automatic log monitoring and anomaly identification. Because log data often runs into billions of records, unsupervised learning such as dimensionality reduction algorithms can effectively reduce the computational cost and improve the efficiency of anomaly identification [49]. Furthermore, deep reinforcement learning is also used to collect threat intelligence: reinforcement learning agents actively learn to extract more accurate threat intelligence through trial and error, which improves the identification performance of threat intelligence [143,117].

Log Anomaly Detection
Automated anomaly detection of log files can detect abnormal or illegal behaviors of ZTA internal resources in time. Soldani and Brogi [126] review anomaly detection methods and anomaly cause analysis methods in cloud services. Landauer et al. [79] investigate clustering methods for analyzing large volumes of log data. Likewise, Chalapathy and Chawla [23] provide an overview of deep learning-based anomaly detection methods and evaluate the effectiveness of these methods.
According to our survey, semi-supervised learning is mainly used to detect logs with abnormal conditions in ZTA. Although log anomaly detection can effectively detect known attack behaviors, the detection performance drops sharply in the case of unknown attacks. Semi-supervised learning uses a large amount of unlabelled data together with labelled data to perform pattern recognition. It avoids wasting data and resources, and addresses the weak generalization ability of supervised learning models and the inaccuracy of unsupervised learning models.

Automated Resources Monitoring
Automated resource monitoring is an organizational resource-centric security approach that continuously monitors the behavior of accessing subjects on resources. The main purpose of automated resource monitoring is to avoid illegal actions by legitimate users or devices.

SIEM Orchestration
Although the attack detection methods mentioned above can help ZTA effectively detect internal and external threats, they are unable to effectively classify and manage these security events. Attack detection methods also cannot automatically alert the security administrator or take countermeasures automatically. Automated SIEM orchestration is an effective solution to this problem. It can automatically collect and analyze information from the attack detection system, and automatically trigger security alerts to provide repair or mitigation solutions. Supervised learning classification algorithms are used to automatically classify various security events, solving the problem of inefficient manual classification [115].

Automated user behavior monitoring
Although users and devices in the ZTA architecture have been continuously authenticated and authorized, it doesn't mean that they are always credible; incidents such as fraudulent use of identity may occur [109,71]. Continuous monitoring of internal users and equipment is an effective solution.
Modeling user behavior extracted from logs using artificial intelligence techniques is the main solution for automating abnormal user identification. To the best of our knowledge, there is no relevant survey on AI-based user abnormal behavior monitoring; we therefore review potential AI-based approaches to user behavior detection in Section 4.4.1.
Clustering algorithms detect legitimate users' illegal behaviors by clustering normal user behaviors into a cluster; users far from the cluster are labeled as abnormal. Similarly, the deep learning algorithm learns the daily access habits of users and classifies their behavior as normal or abnormal. In addition, deep learning can also predict the possible behaviors of users based on their context and historical behaviors, and detect or prevent threats from them in time.
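Both the log-based anomaly detection discussed under Attack Detection Automation and the user behavior monitoring described here come down to the same mechanism: learn what normal looks like per subject from unlabelled history, then score new activity by its distance from that profile. The following added example (not from the paper) implements that loop in plain Python over constructed access-log lines: each (user, day) becomes a feature vector (action counts, share of off-hours events, distinct source addresses), a baseline of per-feature mean and spread is learned from historical logs, and a new day is scored by its largest z-score. The log format, feature set, threshold and all log lines are assumptions made for the example; a user with no history is deliberately scored as anomalous rather than silently skipped.

```python
"""Log-based detection of abnormal user behavior against a per-user baseline.

Added example, not from the paper: the log format, feature set, threshold and
the sample log lines are assumptions made for the illustration.
"""
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed log format: "<date>T<time> user=<u> action=<a> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\w+) action=(?P<action>\w+) src=(?P<src>[\d.]+)$"
)
ACTIONS = ("login", "read", "download", "delete")
Z_THRESHOLD = 3.0   # assumed: flag a day whose worst feature is 3 spreads from the mean
STD_FLOOR = 1.0     # avoids division by zero when a feature never varied in history


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skipped here, worth counting in production
    event = m.groupdict()
    event["hour"] = int(event["hour"])
    return event


def daily_vectors(lines: List[str]) -> Dict[Tuple[str, str], List[float]]:
    """Group events per (user, day): action counts, off-hours share, distinct sources."""
    buckets: Dict[Tuple[str, str], list] = defaultdict(list)
    for line in lines:
        event = parse(line)
        if event:
            buckets[(event["user"], event["day"])].append(event)
    vectors = {}
    for key, events in buckets.items():
        counts = [float(sum(1 for e in events if e["action"] == a)) for a in ACTIONS]
        off_hours = sum(1 for e in events if e["hour"] < 7 or e["hour"] >= 20) / len(events)
        sources = float(len({e["src"] for e in events}))
        vectors[key] = counts + [off_hours, sources]
    return vectors


def build_baseline(history: List[str]) -> Dict[str, Tuple[List[float], List[float]]]:
    """Per-user mean and spread of each feature, learned from unlabelled history."""
    per_user: Dict[str, List[List[float]]] = defaultdict(list)
    for (user, _day), vec in daily_vectors(history).items():
        per_user[user].append(vec)
    baseline = {}
    for user, vecs in per_user.items():
        columns = list(zip(*vecs))
        means = [statistics.fmean(c) for c in columns]
        spreads = [max(statistics.pstdev(c), STD_FLOOR) for c in columns]
        baseline[user] = (means, spreads)
    return baseline


def score_day(baseline: Dict, user: str, vec: List[float]) -> float:
    if user not in baseline:
        return float("inf")  # never-seen user: nothing to compare against, treat as anomalous
    means, spreads = baseline[user]
    return max(abs(v - m) / s for v, m, s in zip(vec, means, spreads))


def detect(baseline: Dict, new_lines: List[str]) -> Dict[str, float]:
    """Score every (user, day) in the new logs; scores above Z_THRESHOLD are anomalies."""
    return {f"{user}@{day}": score_day(baseline, user, vec)
            for (user, day), vec in daily_vectors(new_lines).items()}


def synth_day(user: str, day: str, reads: int, downloads: int, hour: int, src: str) -> List[str]:
    """Constructed log lines for one user-day (sample data, not a real capture)."""
    lines = [f"{day}T{hour:02d}:00:00 user={user} action=login src={src}"]
    lines += [f"{day}T{hour:02d}:{i % 60:02d}:00 user={user} action=read src={src}" for i in range(reads)]
    lines += [f"{day}T{hour:02d}:{i % 60:02d}:30 user={user} action=download src={src}" for i in range(downloads)]
    return lines


# Five constructed history days per user: alice reads 8..12 files, bob 4..8, both in office hours.
HISTORY = [line for d in range(1, 6)
           for line in synth_day("alice", f"2024-03-0{d}", 7 + d, 1, 9, "10.0.1.5")
                       + synth_day("bob", f"2024-03-0{d}", 3 + d, 0, 10, "10.0.2.7")]
NEW = (synth_day("alice", "2024-03-08", 3, 40, 2, "203.0.113.9")   # bulk download at 02:00
       + synth_day("bob", "2024-03-08", 6, 0, 10, "10.0.2.7")       # ordinary day
       + synth_day("carol", "2024-03-08", 1, 0, 11, "10.0.3.3"))    # user with no history


def run_demo() -> Dict[str, float]:
    return detect(build_baseline(HISTORY), NEW)


if __name__ == "__main__":
    for key, z in run_demo().items():
        print(f"{key:18s} z={z:6.2f} {'ANOMALY' if z > Z_THRESHOLD else 'normal'}")
```

The baseline is learned without labels, which is the semi-supervised setting the text describes once a small labelled set is later used to tune the threshold; the z-score on the worst feature keeps the explanation of an alert readable (here: a forty-fold jump in downloads), which matters when the alert is handed to a SIEM for triage.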

AI-driven ZTA
ZTA automation and orchestration can be considered as the process of reducing frequent mediation by security personnel via automating the detection and prevention of cyber threats. In this section, we review the AI approaches for ZTA components for ZTA automation and orchestration. Table 3 and Table 4 survey the recent AI-based approaches to trust evaluation, authentication, attack detection and system monitoring, respectively.
[Table 3 and Table 4: recent AI-based approaches (table bodies not reproduced; one surviving row: smart phone, user authentication and access control, identify different user behaviors through embedded sensors [136])]

Experience-Driven Trust Evaluation
Traditional trust evaluation quantifies trust-related attributes, such as historical interaction information, using Bayesian inference [139], weighted average models [152] and other methods. Although these methods can assess trust to a certain extent, in the era of big data they struggle to handle the exponentially growing volume of trust-related attribute data, which greatly affects the accuracy of trust evaluation [140]. Moreover, traditional methods must rely on known trust-related attributes and cannot be applied in the absence of a priori knowledge.
The rapid processing of big data by AI makes AI-based trust evaluation methods suitable for today's complex network application scenarios. Online social networks (OSN) are one direct way to obtain user features: supervised learning treats trust evaluation as a classification problem and classifies users into trustworthy and untrustworthy [166,27,26], or quantifies trust directly as a continuous value [158,40,93], based on the features of OSN users.
However, supervised learning requires labeled data to train the model, and in most practical ZTA scenarios user and device features lack clear labels. Unsupervised learning such as K-means [90,162,96,154] solves this problem by clustering unlabeled trust objects into groups at different trust levels. To further improve unsupervised learning performance, semi-supervised learning, which combines supervised and unsupervised learning, can be used to optimize the clustering boundaries: multi-class supervised learning algorithms such as SVM and random forest [65,56,111] are used to find the optimal decision boundary between trusted and untrusted clusters. Moreover, reinforcement learning [95,52,58,107,168] can find the optimal trust evaluation policy and improve trust evaluation models by continuously interacting with the surrounding environment through trial and error [165].
AI-based trust evaluation methods have high time complexity, which requires significant computational and time resources for model training. Improving performance while reducing the time needed to compute trust values is therefore important for automating trust evaluation. To achieve this, distributed learning [121,50,57,66,37] and transfer learning [87] can be used to improve trust evaluation model performance and to reduce model training time, respectively. Similarly, quantum learning-based trust evaluation models [7,8] can further optimize the trust model and reduce its computational complexity by exploiting the high parallelism of quantum computing [14,114].
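As an added worked example (not code from the survey or from any cited work), the following Python combines the two approaches discussed above: a Beta-reputation trust score computed by Bayesian updating over a subject's interaction history, and K-means grouping of subjects into trust levels without any labels. The subjects, their interaction records, the 30-day half-life and the three trust levels are constructed assumptions.

```python
"""Experience-driven trust evaluation: a Beta-reputation trust score built from
each subject's interaction history, then unsupervised grouping of subjects into
trust levels with k-means. Added example; subjects, histories and parameters
are constructed."""
import math
import random

# Constructed interaction history: subject -> list of (outcome, age_in_days).
# outcome 1 = access that passed all checks, 0 = failed check or policy violation.
HISTORY = {
    "alice-laptop":  [(1, d) for d in range(40)] + [(0, 3)],
    "bob-phone":     [(1, d) for d in range(10)] + [(0, 0), (0, 1)],
    "svc-backup":    [(1, d) for d in range(120)],
    "contractor-vm": [(0, d) for d in range(6)] + [(1, d) for d in range(4)],
    "new-device":    [],                       # never seen before: no evidence
}

def beta_trust(outcomes, half_life_days=30.0, prior=(1.0, 1.0)):
    """Beta-reputation trust with exponential forgetting: every observation is
    weighted by 0.5 ** (age / half_life) so stale evidence fades. Returns the
    expected trust E[Beta(a, b)] = a / (a + b) and the total evidence weight."""
    a, b = prior
    for outcome, age in outcomes:
        weight = 0.5 ** (age / half_life_days)
        if outcome:
            a += weight
        else:
            b += weight
    return a / (a + b), (a + b) - sum(prior)

def feature_vector(outcomes):
    """Per-subject features: (expected trust, log-compressed evidence weight).
    The second feature separates 'unknown' subjects from 'known bad' ones."""
    trust, evidence = beta_trust(outcomes)
    return (trust, math.log1p(evidence))

def kmeans(points, k, seed=0, max_iter=50):
    """Lloyd's k-means on 2-D points. Returns (assignments, centroids)."""
    rng = random.Random(seed)
    centroids = rng.sample(points, k)
    assignments = [0] * len(points)
    for _ in range(max_iter):
        assignments = [
            min(range(k), key=lambda c: (p[0] - centroids[c][0]) ** 2 + (p[1] - centroids[c][1]) ** 2)
            for p in points
        ]
        updated = []
        for c in range(k):
            members = [p for p, a in zip(points, assignments) if a == c]
            if members:
                updated.append((sum(m[0] for m in members) / len(members),
                                sum(m[1] for m in members) / len(members)))
            else:
                updated.append(centroids[c])   # keep an empty cluster's centroid
        if updated == centroids:
            break
        centroids = updated
    return assignments, centroids

def trust_levels(history, k=3):
    """Cluster subjects into k groups without labels and rank the groups by
    centroid trust: level 0 is the least trusted group, level k-1 the most."""
    names = list(history)
    points = [feature_vector(history[n]) for n in names]
    assignments, centroids = kmeans(points, k)
    by_trust = sorted(range(k), key=lambda c: centroids[c][0])
    level_of = {cluster: level for level, cluster in enumerate(by_trust)}
    return {n: level_of[a] for n, a in zip(names, assignments)}

if __name__ == "__main__":
    for subject, level in trust_levels(HISTORY).items():
        print(f"{subject:14s} trust={beta_trust(HISTORY[subject])[0]:.3f} level={level}")
```

Subjects with no history land in their own group because the evidence-weight feature keeps them apart from subjects with a long record; a policy engine would treat that group as unknown rather than trusted, which is why the groups are ranked instead of reading a raw score.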

Contextual Continuous Access Control
Access control restricts the subject's access to objects through authentication and authorization.
Since it is important to determine whether the subject requesting access is legitimate, authentication and authorization are fundamental considerations when trying to implement zero trust [132].In this section, we provide an overview of AI-based techniques for access control.

Automated User Authentication
Existing user authentication techniques have shortcomings. Knowledge-based authentication methods (password, token, etc.) are performed only when the subject requests access, and the user is not verified or tracked after passing the authentication [97]. Biometric authentication methods require specific specialized equipment for monitoring, which raises the difficulty of continuous authentication.
Therefore, continuous, multimodal and contextual biometric authentication techniques are important for ZTA to verify user identity.
Because traditional physiological features such as fingerprints and irises are easy to obtain or copy, different biometric authentication methods are combined to avoid the uncertainty of a single authentication method, which is similar to Multi-Factor Authentication (MFA) [34].

Automated Device Authentication
ZTX [32] considers IoT devices in a zero-trust network as a threat to network security, and therefore allows enterprises to segment, protect and restrict devices connected to the network and treat them as zero-trust devices (ZTD). Shah et al. [118] designed a lightweight device-to-device authentication protocol for ZTA, called Lightweight Continuous Device-to-Device Authentication (LCDA), which uses mathematical functions to dynamically generate a session key to verify the identity of the device. Because traditional device authentication methods that rely on IP addresses are susceptible to tampering or forgery [120], Physical Layer Authentication (PLA) is used to verify device identity in wireless communication; existing PLA techniques mainly identify the device through Radio Frequency Fingerprint (RFF) and Channel State Information (CSI).
RFF is similar to a human biometric fingerprint, the difference being that an RFF is extracted from a wireless device's communication signal. The main stages of an RF fingerprint-based wireless device identification system are signal capture, feature extraction and classification. After capturing the signal, unique features need to be extracted from different parts of the signal [20]. Therefore, Radio Frequency Fingerprint Identification (RFFI) [88,120,104,160] is more secure and reliable than using IP addresses for wireless device authentication.
CSI describes the channel state of wireless communication, and CSI variation is unique from device to device, which can prevent spoofing attacks in PLA. AI techniques can perform dimensionality reduction, denoising and feature extraction on CSI data [145]. Therefore, the identity of wireless devices can be verified by using AI to classify CSI in ZTA [141,156,47,99].
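The three RFFI stages named above, signal capture, feature extraction and classification, as an added Python example that is not from the survey or from the cited RFFI papers. The capture is simulated: each constructed device imprints a carrier frequency offset and an IQ gain imbalance on a known preamble tone, two features are estimated from the samples, and a nearest-template classifier decides which enrolled device transmitted, rejecting captures that match no template. The device list, impairment values, preamble frequency and noise level are all constructed assumptions.

```python
"""RFF-based wireless device identification: signal capture, feature
extraction, classification. Added example; the devices, their impairment
values, the preamble and the noise level are constructed."""
import cmath
import math
import random
from statistics import mean, pstdev

PREAMBLE_FREQ = 0.05   # nominal preamble tone, cycles per sample
N_SAMPLES = 1024

# Constructed hardware impairments per enrolled device:
# (carrier frequency offset in cycles/sample, IQ gain imbalance).
DEVICES = {
    "sensor-A": (+0.0020, +0.03),
    "sensor-B": (-0.0015, -0.02),
    "sensor-C": (+0.0005, +0.06),
}

def capture(cfo, iq_imbalance, snr_db=30.0, rng=None):
    """Simulated signal capture: the ideal preamble tone, distorted by the
    transmitter's CFO and IQ gain imbalance, plus additive Gaussian noise."""
    if rng is None:
        rng = random.Random(0)
    noise_std = math.sqrt(10 ** (-snr_db / 10) / 2)   # per I/Q component
    samples = []
    for n in range(N_SAMPLES):
        ideal = cmath.exp(1j * 2 * math.pi * (PREAMBLE_FREQ + cfo) * n)
        i = (1 + iq_imbalance) * ideal.real + rng.gauss(0, noise_std)
        q = (1 - iq_imbalance) * ideal.imag + rng.gauss(0, noise_std)
        samples.append(complex(i, q))
    return samples

def extract_features(samples):
    """Two fingerprint features: CFO estimate (mean phase advance per sample
    minus the nominal frequency) and IQ amplitude imbalance estimate."""
    steps = [cmath.phase(b * a.conjugate()) for a, b in zip(samples, samples[1:])]
    cfo_est = mean(steps) / (2 * math.pi) - PREAMBLE_FREQ
    std_i = pstdev([s.real for s in samples])
    std_q = pstdev([s.imag for s in samples])
    return (cfo_est, (std_i - std_q) / (std_i + std_q))

def enroll(devices, captures_per_device=8, seed=1):
    """Fingerprint templates: mean feature vector per device over several
    captures, plus a per-feature scale so both features weigh equally."""
    rng = random.Random(seed)
    feats = {name: [extract_features(capture(cfo, g, rng=rng)) for _ in range(captures_per_device)]
             for name, (cfo, g) in devices.items()}
    pooled = [f for fs in feats.values() for f in fs]
    scale = tuple(pstdev([f[k] for f in pooled]) or 1.0 for k in range(2))
    templates = {name: tuple(mean([f[k] for f in fs]) for k in range(2)) for name, fs in feats.items()}
    return templates, scale

def identify(samples, templates, scale, max_distance=1.0):
    """Nearest-template classification in scaled feature space. Returns
    (device name or None, distance); None means the capture is too far from
    every enrolled fingerprint and the transmitter is rejected as unknown."""
    f = extract_features(samples)
    best, best_d = None, float("inf")
    for name, t in templates.items():
        d = math.sqrt(sum(((f[k] - t[k]) / scale[k]) ** 2 for k in range(2)))
        if d < best_d:
            best, best_d = name, d
    return (best if best_d <= max_distance else None), best_d

def demo():
    """Enroll the three devices, then identify a fresh capture from sensor-B
    and a capture from a transmitter that was never enrolled."""
    templates, scale = enroll(DEVICES)
    known, _ = identify(capture(*DEVICES["sensor-B"], rng=random.Random(42)), templates, scale)
    rogue, _ = identify(capture(0.006, -0.08, rng=random.Random(7)), templates, scale)
    return known, rogue
```

The rejection threshold matters as much as the classifier: without it, a transmitter that was never enrolled is silently mapped to whichever legitimate device happens to be nearest, which is exactly the impersonation case PLA is meant to catch.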

Automated Authorization
The cloud is also a major application scenario for ZTA because many applications store their data in the cloud. Therefore, a dynamic access control model is needed to handle access requests from a large number of dynamic users. Riad et al. [108] proposed a hierarchical access control scheme with dynamic revocation threshold vectors, based on multi-dimensional access control, to dynamically authorize or revoke users with multiple rights in the cloud. The scheme revokes user rights based on the legal vector in the authorization process; revoked users can no longer encrypt the ciphertext, which effectively reduces the computational cost, and only non-revoked users have the right to generate a decryption token to decrypt the ciphertext. The authors also report that the proposed scheme is faster than other schemes in encryption and decryption time.
However, continuous user interaction with the cloud can lead to data breaches. Esposito [42] addresses these issues by orchestrating different access control models, and also proposed a pseudonym-based privacy protection method to protect users' personal information. To enhance the privacy of users and the security of encryption schemes, Li et al. [81] proposed a multi-authority ciphertext-based access control method with accountability. This method hides the access policy in the ciphertext of the encrypted file, and only a user whose policy matches the access policy in the ciphertext can decrypt it. In addition, the authors propose a tracking protocol to track the identities of file visitors.

Orchestrating Attack Detection
Threat Intelligence (TI) and system activity logs are important data sources of ZTA, as they provide near real-time feedback to the policy engine for decision making through the collection or recording of internal and external data.

Automated Threat Intelligence Identification
Threat intelligence is information about threats that guides organizations in improving their security to counter those threats; it is produced by mining publicly available resources for vulnerabilities, cyber attacks and other information. Because threat intelligence has numerous sources, an automated system is needed to collect it and to discriminate the authenticity of what is collected. Sentuna et al. [116] discussed emerging technologies of cyber threat intelligence and combined a naive Bayes posterior probability function with a risk assessment function to propose a threat prediction model.
Hacker forums are an important source of data for cyber threat intelligence. To collect cyber threat intelligence from hacker forums, [35,67,76,78,82] used supervised learning models as classifiers to classify the data by security topic. Threat intelligence identification methods based on deep learning [150] and transfer learning [5,142] have also been used to improve identification performance and reduce model training time.

Automated Log-Based Anomaly Detection
System logs provide near real-time feedback on the operation of components within the system, and automated anomaly detection on system log files can identify abnormal access to resources in a timely manner [38]. System logs record system operation in a time-series fashion, so supervised learning-based log analysis methods [91,137] have advantages in automating the extraction of time-series anomaly features. DeepLog [38] focused on building a workflow from the underlying logs and analyzing the detected anomalies. [144] argued that the performance of DeepLog is unsatisfactory; they optimized DeepLog in depth and combined it with the first-order outlier detection algorithm of parameters to propose a semi-supervised anomaly detection model.
However, supervised machine learning strategies that rely on labels are not suitable for real-time anomaly detection systems because data labeling is expensive in time and cost. To solve this problem, unsupervised log analysis methods [157,18] are used to detect anomalies in a log without labeled features. The output anomaly score represents the degree to which a log event is anomalous in terms of its content and its temporal context. Semi-supervised learning-based log analysis methods [153,155,144] further improve on the performance of unsupervised learning, and transfer learning-based log analysis methods [25,161] can effectively reduce training time and improve training efficiency.
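An added Python example, not from the survey or from DeepLog, of the unsupervised scoring described above: each event's anomaly score is the sum of a content term (how rare its log template is in the corpus) and a temporal-context term (how unlikely the transition from the previous template is, with Laplace smoothing). The sshd-style log lines are constructed; the last two model a failed password attempt followed by a session opened for root without the usual key acceptance. Template masking rules are also an assumption made for these lines.

```python
"""Unsupervised log anomaly scoring: score = content rarity + temporal-context
rarity, computed from the log itself with no labels. Added example; the log
lines and the masking rules are constructed."""
import math
import re
from collections import Counter

# Constructed log: six normal key-based sessions, then two suspicious events.
LOG_LINES = [
    "2024-01-10 09:00:01 sshd[4101]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "2024-01-10 09:00:02 sshd[4101]: pam_unix(sshd:session): session opened for user alice",
    "2024-01-10 09:05:31 sshd[4101]: pam_unix(sshd:session): session closed for user alice",
    "2024-01-10 09:10:01 sshd[4188]: Accepted publickey for alice from 10.0.0.5 port 51030",
    "2024-01-10 09:10:02 sshd[4188]: pam_unix(sshd:session): session opened for user alice",
    "2024-01-10 09:12:44 sshd[4188]: pam_unix(sshd:session): session closed for user alice",
    "2024-01-10 09:20:13 sshd[4230]: Accepted publickey for bob from 10.0.0.9 port 40112",
    "2024-01-10 09:20:14 sshd[4230]: pam_unix(sshd:session): session opened for user bob",
    "2024-01-10 09:31:00 sshd[4230]: pam_unix(sshd:session): session closed for user bob",
    "2024-01-10 09:40:00 sshd[4301]: Accepted publickey for alice from 10.0.0.5 port 51050",
    "2024-01-10 09:40:01 sshd[4301]: pam_unix(sshd:session): session opened for user alice",
    "2024-01-10 09:45:10 sshd[4301]: pam_unix(sshd:session): session closed for user alice",
    "2024-01-10 09:50:22 sshd[4350]: Accepted publickey for bob from 10.0.0.9 port 40120",
    "2024-01-10 09:50:23 sshd[4350]: pam_unix(sshd:session): session opened for user bob",
    "2024-01-10 09:58:40 sshd[4350]: pam_unix(sshd:session): session closed for user bob",
    "2024-01-10 10:00:05 sshd[4388]: Accepted publickey for alice from 10.0.0.5 port 51077",
    "2024-01-10 10:00:06 sshd[4388]: pam_unix(sshd:session): session opened for user alice",
    "2024-01-10 10:01:59 sshd[4388]: pam_unix(sshd:session): session closed for user alice",
    "2024-01-10 10:02:17 sshd[4410]: Failed password for invalid user admin from 203.0.113.7 port 3389",
    "2024-01-10 10:02:19 sshd[4410]: pam_unix(sshd:session): session opened for user root",
]

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
# Order matters: IPs are masked before generic numbers.
MASKS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"for (?:invalid user )?\S+ from"), "for <USER> from"),
    (re.compile(r"for user \S+"), "for user <USER>"),
    (re.compile(r"\b\d+\b"), "<N>"),
]

def template(line):
    """Reduce a raw line to its log template by masking variable fields."""
    body = TIMESTAMP.sub("", line)
    for pattern, replacement in MASKS:
        body = pattern.sub(replacement, body)
    return body

def score_events(lines, alpha=1.0):
    """Per-event anomaly score. content = -log P(template); context =
    -log P(template | previous template) with add-alpha smoothing over the
    template vocabulary. The first event has no context term."""
    temps = [template(l) for l in lines]
    content_counts = Counter(temps)
    transition_counts = Counter(zip(temps, temps[1:]))
    prev_counts = Counter(temps[:-1])
    vocab = len(content_counts)
    results = []
    for i, t in enumerate(temps):
        content = -math.log(content_counts[t] / len(temps))
        if i == 0:
            context = 0.0
        else:
            prev = temps[i - 1]
            p = (transition_counts[(prev, t)] + alpha) / (prev_counts[prev] + alpha * vocab)
            context = -math.log(p)
        results.append({"line": i + 1, "template": t, "content": content,
                        "context": context, "score": content + context})
    return results

def rank_events(lines, alpha=1.0):
    """Events sorted from most to least anomalous."""
    return sorted(score_events(lines, alpha), key=lambda r: r["score"], reverse=True)
```

The root session on the last line has a perfectly ordinary template, so a content-only detector would never rank it; it surfaces only because "session opened" after "Failed password" is a transition the log has never shown, which is the temporal-context contribution the text describes.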

Continuous Monitoring, Diagnosis and Mitigation
Automated anomaly detection can effectively collect information about attacks from both internal and external sources of a system, but it is difficult to effectively diagnose and mitigate the attack from that information alone.
Therefore, the collected information needs to be further tracked and analyzed to make diagnostic decisions and policy updates. Clustering algorithms [24,62,102,131,45] can effectively divide users into groups based on their behavior. However, user behavior may change in different scenarios, which can generate much unknown data. Therefore, Tang et al. [133] proposed a clustering method based on user behavior trajectories for analyzing the behavior of software system users. They convert the user's access data and operation data on the software into a trajectory matrix and normalize it, then calculate the similarity of user behaviors and cluster the users' visits and operating habits based on that similarity.
Deep learning LSTM algorithms [123,122,119] are used to automatically select user and device behavior features because of their ability to efficiently capture time-series features. Singh et al. [123] proposed an anomaly detection method for the behavior of internal network users based on a hybrid machine learning algorithm, focusing on the analysis of user behavior sequences to monitor users and detect potential internal threats. However, Singh et al. [123] also noted that existing internal detection methods suffer from a high false alarm rate and insufficient feature selection. Therefore, Singh et al. [122] went on to propose a user-behavior-based internal threat detection method for key infrastructure to improve feature extraction performance. Compared with [123], [122] used Bi-LSTM for efficient feature extraction and SVM as a classifier to classify user behaviors into normal and malicious. [122] achieved an accuracy of 87.5 %, which is higher than LSTM+CNN (75.3 %). Similarly, Sharma et al. [119] proposed an abnormal user behavior detection model that uses LSTM to model user behavior in conversation activities.
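The trajectory-based clustering described for [133] above, as an added Python example that is not the authors' code: each user's access and operation events become a normalized trajectory vector over a resource-by-operation grid, users are compared by cosine similarity, and single-link clustering groups users whose similarity reaches a threshold. Users similar to nobody are returned as outliers, which covers the case the text raises of behavior that generates unknown data. Users, resources, event counts and the 0.8 threshold are constructed.

```python
"""Behaviour-trajectory clustering: per-user (resource, operation) counts become
a normalised trajectory vector, users are compared by cosine similarity and
grouped by single-link clustering; users similar to nobody are reported as
outliers. Added example; users, resources and event counts are constructed."""
import math
from collections import Counter
from itertools import combinations

RESOURCES = ["repo", "ci", "ledger", "payroll", "admin-console"]
OPERATIONS = ["read", "write", "export", "delete"]

# Constructed access/operation events per user: (resource, operation) pairs.
EVENTS = {
    "dev1": [("repo", "read")] * 30 + [("repo", "write")] * 12 + [("ci", "read")] * 8,
    "dev2": [("repo", "read")] * 25 + [("repo", "write")] * 15 + [("ci", "read")] * 10 + [("ci", "write")] * 2,
    "dev3": [("repo", "read")] * 20 + [("repo", "write")] * 20 + [("ci", "read")] * 5 + [("ci", "write")] * 5,
    "fin1": [("ledger", "read")] * 20 + [("ledger", "write")] * 5 + [("payroll", "read")] * 6 + [("payroll", "export")] * 1,
    "fin2": [("ledger", "read")] * 15 + [("ledger", "write")] * 8 + [("payroll", "read")] * 4 + [("payroll", "write")] * 3,
    # Behaviour matching no peer group: bulk exports and deletes.
    "x-user": [("repo", "read")] * 3 + [("admin-console", "delete")] * 6
              + [("payroll", "export")] * 8 + [("ledger", "delete")] * 4,
}

def trajectory_vector(events):
    """One row of the trajectory matrix: event counts over the resource x
    operation grid, normalised to sum to 1 so heavy and light users compare."""
    counts = Counter(events)
    total = sum(counts.values())
    if total == 0:
        return [0.0] * (len(RESOURCES) * len(OPERATIONS))
    return [counts[(r, o)] / total for r in RESOURCES for o in OPERATIONS]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def cluster_by_similarity(vectors, threshold):
    """Single-link clustering: users whose similarity reaches the threshold are
    connected; each connected component (union-find) is one behaviour group."""
    parent = {u: u for u in vectors}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]
            u = parent[u]
        return u

    for a, b in combinations(vectors, 2):
        if cosine(vectors[a], vectors[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for u in vectors:
        groups.setdefault(find(u), []).append(u)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))

def behavior_groups(events, threshold=0.8):
    """Returns (groups, outliers): groups ordered largest first, outliers being
    the users that formed no group with anyone."""
    vectors = {u: trajectory_vector(ev) for u, ev in events.items()}
    groups = cluster_by_similarity(vectors, threshold)
    outliers = [g[0] for g in groups if len(g) == 1]
    return groups, outliers
```

Row normalization is what makes the comparison about habits rather than volume: a developer with 50 events and one with 500 have nearly identical vectors if they touch the same resources in the same proportions.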

SIEM Orchestration
Although the anomaly detection methods mentioned above can help ZTA effectively detect internal and external threats, they are unable to effectively classify and manage these security events, nor can they automatically alert the security administrator or take countermeasures. Automated SIEM orchestration is an effective solution to this problem: a SIEM can automatically collect and analyze information from the anomaly detection system and automatically trigger security alerts to provide diagnosis or mitigation solutions.
However, existing SIEM systems may have defects because existing packet analysis schemes cannot adapt to massive data [94]. Therefore, Li and Yan [84] applied machine learning to the SIEM system and proved the feasibility of using machine learning to analyze SIEM data.
Li and Yan [84] used Logstash to collect system logs from different sources, used K-means to cluster the connection information, and then used the Spark or Flink framework for real-time computation. Lee et al. [80] proposed an AI-SIEM system based on a combination of the neural network algorithms FCNN, CNN and LSTM, focusing on using deep learning to learn normal and threat patterns from the collected information. Its main purpose is to improve the accuracy of true alarm classification and reduce the number of irrelevant alarms.
El Hajji et al. [39] focus on techniques for combining data from different sources to enhance SIEM systems and use neural network-based intrusion detector models. The first layer of the model uses neural networks to classify system events into malignant and benign; the second layer uses SVM to improve classification performance. The experimental results showed that the proposed model improves classification performance and convergence speed. On the other hand, Hossain et al. [61] consider manually classifying the events collected by SIEM a difficult task, so they developed a set of automatic classification tools based on machine learning to solve this problem. In addition, automated SIEM systems are also widely used in practical scenarios. Hindy et al. [60] proposed a SIEM system to detect abnormal events in a water supply system controlled by SCADA. Hindy et al. [60] used machine learning to divide the attack data into fourteen different scenarios and report the scenarios to the security operator. The proposed SIEM model can help operators accelerate the mitigation of network attacks, but the authors also point out that the system cannot provide operators with information on new attack scenarios. Feng et al. [43] found that the false alarm rate of alarms issued by existing SIEMs is too high, far beyond the processing capacity of the SOC. To solve this problem, Feng et al. [43] proposed a user-centric framework that uses machine learning algorithms to reduce the false alarm rate of security threats.

Impeding Challenges

Harmonization Policy
Although each data source of ZTA has its own operational policies and standards, there is still no unified policy governing the automation of ZTA components, covering encryption policies, code specifications and the like. The most immediate consequence of the lack of a uniform policy is data heterogeneity. In ZTA, monitoring network traffic and user behavior within the system depends heavily on the log data provided by each security tool, and PAs have to use multiple trust evaluation algorithms to adapt to the different data formats, which not only makes trust evaluation harder but also degrades the performance of the automated trust evaluation model.

Legacy System
With the development of the Internet of Things, cloud and other technologies, many devices can be orchestrated in a unified way by a central control system. But legacy infrastructure, applications, services and so on still cannot become zero-trust aware, because they have no concept of least privilege or lateral movement and no dynamic context-based authentication model can be applied to them, so legacy systems are vulnerable to a range of security threats [75]. The existing solution is to add an authentication module to the central control system and then define its privileges. Although this alleviates the legacy-system problem to some extent, it requires the accessing subject to traverse the infrastructure directly, which violates the network micro-segmentation principle of zero trust.

Data inconsistency
The data for trust evaluation comes from different data sources, but current ZTA has no uniform standard for the data consumed by trust algorithms, which can lead to data inconsistency and in turn affects the performance of trust evaluation. Since the input for trust evaluation is provided by different data sources such as CDM, there is no uniformity in the format, role and size of the data collected from them, which makes it impossible for the trust algorithm to evaluate all information sources with the same method. If different algorithms are used for evaluation, the efficiency of model operation is reduced; if the same algorithm is used, the evaluation results are directly affected.
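The heterogeneity problem described under Harmonization Policy and here, as an added Python example that is not from the survey: events from three differently formatted sources (a BSD-syslog firewall log, JSON lines from an endpoint agent, a CSV export from an identity system) are mapped into one common schema with a shared outcome vocabulary, after which a single trust input, the per-subject failure ratio, can be computed across all of them with one method. The formats, log lines, the IP-to-owner inventory and the assumed syslog year are constructed.

```python
"""Harmonising heterogeneous security-tool data into one event schema so a
single trust algorithm can consume it. Added example; the three tool formats,
the log lines and the IP-to-owner mapping are constructed."""
import csv
import io
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

COMMON_FIELDS = ("ts", "subject", "src_ip", "action", "outcome", "source")

# Constructed inputs in three different formats.
FIREWALL_SYSLOG = [
    "Jan 10 09:00:01 fw01 kernel: DENY IN=eth0 SRC=10.0.0.9 DST=10.0.1.5 PROTO=TCP DPT=22",
    "Jan 10 09:00:04 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=10.0.1.5 PROTO=TCP DPT=443",
    "Jan 10 09:00:09 fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.1.5 PROTO=TCP DPT=22",
]
EDR_JSON_LINES = [
    '{"timestamp": "2024-01-10T09:00:02.120Z", "user": "alice", "host_ip": "10.0.0.5", "event": "process_start", "verdict": "allow"}',
    '{"timestamp": "2024-01-10T09:00:06.500Z", "user": "bob", "host_ip": "10.0.0.9", "event": "process_start", "verdict": "block"}',
]
IAM_CSV = """time,principal,ip,operation,result
1704877205,bob,10.0.0.9,login,FAIL
1704877210,alice,10.0.0.5,login,OK
1704877215,bob,10.0.0.9,login,FAIL
"""
# Constructed asset inventory: resolves firewall source IPs to a subject.
ASSET_OWNER = {"10.0.0.5": "alice", "10.0.0.9": "bob"}
SYSLOG_YEAR = 2024   # assumption: BSD syslog timestamps carry no year

# Shared outcome vocabulary; each tool's own verdict words map onto it.
OUTCOME_MAP = {"DENY": "failure", "ACCEPT": "success",
               "allow": "success", "block": "failure",
               "OK": "success", "FAIL": "failure"}

FW_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<verdict>\w+) "
                   r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_firewall(line):
    """Syslog text line -> common record; unknown IPs keep an explicit
    'unmapped:' subject instead of being dropped or guessed."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    src = m["src"]
    return {"ts": ts, "subject": ASSET_OWNER.get(src, f"unmapped:{src}"), "src_ip": src,
            "action": f"connect:{m['dpt']}", "outcome": OUTCOME_MAP[m["verdict"]], "source": "firewall"}

def parse_edr(line):
    """JSON event with ISO-8601 timestamp -> common record."""
    e = json.loads(line)
    ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "subject": e["user"], "src_ip": e["host_ip"], "action": e["event"],
            "outcome": OUTCOME_MAP[e["verdict"]], "source": "edr"}

def parse_iam(text):
    """CSV export with epoch-second timestamps -> list of common records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromtimestamp(int(row["time"]), tz=timezone.utc)
        records.append({"ts": ts, "subject": row["principal"], "src_ip": row["ip"],
                        "action": row["operation"], "outcome": OUTCOME_MAP[row["result"]], "source": "iam"})
    return records

def harmonize():
    """All sources merged into one time-ordered stream of common records."""
    events = [r for r in map(parse_firewall, FIREWALL_SYSLOG) if r]
    events += [parse_edr(line) for line in EDR_JSON_LINES]
    events += parse_iam(IAM_CSV)
    return sorted(events, key=lambda r: r["ts"])

def failure_ratio(events):
    """One trust input computed the same way for every source: the share of
    a subject's events whose outcome is 'failure'."""
    tally = defaultdict(lambda: [0, 0])
    for r in events:
        tally[r["subject"]][0] += r["outcome"] == "failure"
        tally[r["subject"]][1] += 1
    return {s: f / n for s, (f, n) in tally.items()}
```

Note that the mapping step is where policy decisions hide: deciding that a firewall DENY and an IAM FAIL both count as a failure for the same subject is the harmonization policy the text says ZTA currently lacks, and without it each source would need its own scoring rule.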

Future Direction
Secure Access Service Edge (SASE)
SASE is a service based on an entity's identity, real-time context, enterprise security/compliance policies, and continuous assessment of risk/trust throughout the session [63]. SASE can provide multiple network and security capabilities, including core capabilities such as Software Defined Wide Area Network (SD-WAN), Web Security Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Firewall as a Service (FWaaS). SASE converges network access and security capabilities, unified in the cloud for management and delivery, and implements its security enforcement points there. SASE migrates security to the cloud, whereas Zero Trust is a way of thinking that focuses on authentication and data access authorization on an as-needed basis; SASE refers to a cloud delivery platform implemented at the edge that provides broad protection for data anywhere. SASE cannot be seen as a fast track to Zero Trust; rather, SASE should be combined with Zero Trust to better protect cloud-based services as well as local services using Zero Trust principles.

5G/6G
While ZTA can meet the security requirements of untrusted infrastructures, including hardware and software facilities, the massive amount of data generated between facilities needs to be transmitted to the appropriate components for security analysis and for updating access policies. Traditional wired and wireless communication technologies cannot sustain such massive data transmission; next-generation network (5G/6G) technologies are expected to enhance ZTA data processing and computing performance by providing massive connectivity with faster data rates and ultra-low latency [105,83].
Conversely, ZTA can also dynamically detect anomalous activities of users, devices and applications in 5G/6G networks and restrict internal and external access to IoT resources [83].

Conclusion
With its least privilege and end-to-end principles, ZTA solves the security problems faced by perimeter-based security architectures, such as lateral movement and insider attacks. The implementation and development of ZTA is further promoted by the use of AI technologies. This survey provides an analysis of the recent literature on ZTA, revealing gaps in addressing AI in ZTA component automation and orchestration. In addition, this survey has identified trust evaluation, authentication, attack detection and monitoring as the fundamental classifications that constitute the operation of ZTA component automation. To address the challenges associated with these classifications, an overview of AI-based solutions is provided. With the development of cloud computing, 5G/6G and other technologies, ZTA will be used in an increasingly wide range of fields. As we have observed in the literature, only a few zero-trust models employ AI-based automation techniques in their design. Therefore, this survey provides an interesting opportunity for future investigations by researchers. Mechanisms that leverage AI technologies to drive the automated operation of ZTA will lead developers to achieve ZTA automation and orchestration.

Figure 1: Organization and Structure

Figure 3: AI classes and applications in ZTA

schemes in IoT and analyze their security and privacy requirements. To address the lack of flexibility and scalability of access control based on symmetric encryption and public-key encryption, Zhang et al. [164] reviewed attribute-based encryption (ABE) for access control in cloud computing and proposed classification and evaluation criteria for ABE. There are three main types of access control techniques: Role-Based Access Control (RBAC),

the features are classified by supervised machine learning algorithms such as KNN and DT for model training to perform authentication. Deep learning algorithms such as CNN can automatically extract and learn the user's biometric feature vectors directly from the information collected by biometric monitoring devices to confirm the user's identity. Deep transfer learning has also been used to address poor authentication performance due to insufficient user biometric data.

Physical Layer Authentication
Continuous authentication aims to continuously verify the identity of the endpoint during a communication session. AI-based PLA is considered a potential solution, where AI algorithms can effectively extract device features from the communication channel and continuously verify the identity of users and devices [48]. Xie et al. [149] conducted a detailed survey of existing PLA technologies and classified IoT device features into device-based and channel-based features. Compared to device-based features, channel-based features are more difficult to copy or imitate, which provides improved security for device authentication. However, channel-based features are extracted from device communications, and manually distinguishing the communication features of different devices is impractical. Therefore, in ZTA automated device identification, deep learning can be used to automatically learn device channel features to distinguish device identity, thereby improving device authentication performance.

Automated User and Device Monitoring
Continuous authentication and authorization can only identify the legitimacy of a user or device, but cannot effectively identify the illegal behavior of a legitimate user. Continuous monitoring of internal users' and devices' access behavior to resources is an effective solution to identity masquerading.

[61] also experimented with various machine learning algorithms, such as DT and SVM, on multiple datasets to find the best text classification model. The test results show that SVM achieved the best performance on the TippingPoint and NetScreen datasets, 95.08 % and 94.05 % respectively.

Table 1: Existing Surveys on ZTA

Table 2: Comparison between perimetrized and deperimetrized architecture

Table 4: AI Approaches for ZTA Attack Detection and Monitoring