Patents by Inventor Stephane MAHIEU

Stephane MAHIEU has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11991186
    Abstract: Embodiments of the present disclosure relate to methods, devices and computer readable storage medium for tracing an attack source in a service function chain overlay network. In example embodiments, a request for tracing an attack source of an attacking data is sent at the attack tracer to a first service function chain domain of a plurality of service function chain domains through which the attacking data flow passes subsequently. The request includes flow characteristics of the attacking data flow. Then, the attack tracer receives a first set of results of flow matching based on the flow characteristics from the first service function chain domain. The attack tracer identifies the attack source in the plurality of service function chain domains at least in part based on the first set of results. In this way, the attack source may be traced efficiently in the service function chain overlay network.
    Type: Grant
    Filed: May 22, 2018
    Date of Patent: May 21, 2024
    Assignee: NOKIA TECHNOLOGIES OY
    Inventors: Zhiyuan Hu, Jing Ping, Stephane Mahieu, Yueming Yin, Zhigang Luo
  • Patent number: 11729072
    Abstract: Methods and apparatus are provided for Service Level Agreement management in distributed cloud environments. A method comprises monitoring enforcement of Service Level Agreements for services provided to a plurality of tenants by a cloud provider; detecting a possible Service Level Agreement violation for a service provided to one tenant of the plurality of tenants, wherein the possible Service Level Agreement violation is related to performance or security requirements; and automatically mitigating the possible Service Level Agreement violation in cooperation with at least one of a cloud manager and a security management system of the cloud provider. The possible Service Level Agreement violation can involve a possible conflict between performance requirements and security requirements, and mitigating the possible Service Level Agreement violation comprises resolving the possible conflict for self-healing. Methods for an automatic Service Level Agreement update are also provided.
    Type: Grant
    Filed: September 5, 2017
    Date of Patent: August 15, 2023
    Assignee: NOKIA SOLUTIONS AND NETWORKS OY
    Inventors: Iris Adam, Jing Ping, Stephane Mahieu
  • Patent number: 11558353
    Abstract: Embodiments of the present disclosure relate to a method, apparatus, and computer readable medium for providing a security service for a data center. According to the method, a packet terminating at or originating from the data center is received. At least one label is determined for the packet, each label indicating a security requirement for the packet. Based on the at least one label, a security service chain is selected for the packet, the security service chain including an ordered set of security functions deployed in the data center and to be applied to the packet. The packet is transmitted to the selected security service chain in association with the at least one label, the packet being processed by the ordered set of security functions in the security service chain.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: January 17, 2023
    Assignee: Nokia Technologies Oy
    Inventors: Zhiyuan Hu, Jing Ping, Stephane Mahieu, Yueming Yin
  • Patent number: 11368489
    Abstract: An apparatus for security management based on event correlation in a distributed multi-layered cloud environment is disclosed, wherein the distributed multi-layered cloud environment comprises at least one first layer cloud service provider, and at least one second layer cloud service provider as a tenant of the first layer cloud service provider, and the apparatus is installed at least on one cloud service provider of the first layer cloud service provider and the second layer cloud service provider, the apparatus comprising: a central processing module configured to: provide correlation as a Service (CORRaaS) to a plurality of tenants as virtualized security appliances or virtualized security functions for the plurality of tenants' slices, generate a second interface for allowing the plurality of tenants to configure the correlation as a Service (CORRaaS), and correlate and process security events from security functions in the plurality of tenants' slices to form processed security event data, and to detec
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: June 21, 2022
    Assignee: Nokia Technologies Oy
    Inventors: Iris Adam, Jing Ping, Stephane Mahieu
  • Patent number: 11290490
    Abstract: Cloud service security management in cloud computer environment uses a first computer cloud entity with first security capabilities and under security management coordinated by a first security management service point in compliance with predefined first security requirements. Security management of a second computer cloud entity is coordinated by a second security management service point in compliance with predefined second security requirements. In the managing of the security of the cloud service in the cloud computer environment: a trusted relationship is established between the first and second security management service points, general security requirements for the cloud service are obtained; and a first security policy is defined for the first security management service point, based on the general security requirements for the cloud service, the first security capabilities and the first security requirements, for the running of the cloud service by the first computer cloud entity.
    Type: Grant
    Filed: October 12, 2016
    Date of Patent: March 29, 2022
    Assignee: Nokia Technologies Oy
    Inventors: Manfred Schaefer, Iris Adam, Stephane Mahieu, Jing Ping
  • Publication number: 20210211439
    Abstract: Embodiments of the present disclosure relate to methods, devices and computer readable storage medium for tracing an attack source in a service function chain overlay network. In example embodiments, a request for tracing an attack source of an attacking data is sent at the attack tracer to a first service function chain domain of a plurality of service function chain domains through which the attacking data flow passes subsequently. The request includes flow characteristics of the attacking data flow. Then, the attack tracer receives a first set of results of flow matching based on the flow characteristics from the first service function chain domain. The attack tracer identifies the attack source in the plurality of service function chain domains at least in part based on the first set of results. In this way, the attack source may be traced efficiently in the service function chain overlay network.
    Type: Application
    Filed: May 22, 2018
    Publication date: July 8, 2021
    Inventors: Zhiyuan Hu, Jing Ping, Stephane Mahieu, Yueming Yin, Zhigang Luo
  • Publication number: 20210067419
    Abstract: Methods and apparatus are provided for Service Level Agreement management in distributed cloud environments. A method comprises monitoring enforcement of Service Level Agreements for services provided to a plurality of tenants by a cloud provider; detecting a possible Service Level Agreement violation for a service provided to one tenant of the plurality of tenants, wherein the possible Service Level Agreement violation is related to performance or security requirements; and automatically mitigating the possible Service Level Agreement violation in cooperation with at least one of a cloud manager and a security management system of the cloud provider. The possible Service Level Agreement violation can involve a possible conflict between performance requirements and security requirements, and mitigating the possible Service Level Agreement violation comprises resolving the possible conflict for self-healing. Methods for an automatic Service Level Agreement update are also provided.
    Type: Application
    Filed: September 5, 2017
    Publication date: March 4, 2021
    Inventors: Iris Adam, Jing Ping, Stephane Mahieu
  • Publication number: 20210044567
    Abstract: Embodiments of the present disclosure relate to a method, apparatus, and computer readable medium for providing a security service for a data center. According to the method, a packet terminating at or originating from the data center is received. At least one label is determined for the packet, each label indicating a security requirement for the packet. Based on the at least one label, a security service chain is selected for the packet, the security service chain including an ordered set of security functions deployed in the data center and to be applied to the packet. The packet is transmitted to the selected security service chain in association with the at least one label, the packet being processed by the ordered set of security functions in the security service chain.
    Type: Application
    Filed: February 6, 2018
    Publication date: February 11, 2021
    Inventors: Zhiyuan Hu, Jing Ping, Stephane Mahieu, Yueming Yin
  • Publication number: 20200344267
    Abstract: An apparatus for security management based on event correlation in a distributed multi-layered cloud environment is disclosed, wherein the distributed multi-layered cloud environment comprises at least one first layer cloud service provider, and at least one second layer cloud service provider as a tenant of the first layer cloud service provider, and the apparatus is installed at least on one cloud service provider of the first layer cloud service provider and the second layer cloud service provider, the apparatus comprising: a central processing module configured to: provide correlation as a Service (CORRaaS) to a plurality of tenants as virtualized security appliances or virtualized security functions for the plurality of tenants' slices, generate a second interface for allowing the plurality of tenants to configure the correlation as a Service (CORRaaS), and correlate and process security events from security functions in the plurality of tenants' slices to form processed security event data, and to detect
    Type: Application
    Filed: November 20, 2017
    Publication date: October 29, 2020
    Inventors: Iris Adam, Jing Ping, Stephane Mahieu
  • Publication number: 20200128046
    Abstract: Cloud service security management in cloud computer environment uses a first computer cloud entity with first security capabilities and under security management coordinated by a first security management service point in compliance with predefined first security requirements. Security management of a second computer cloud entity is coordinated by a second security management service point in compliance with predefined second security requirements. In the managing of the security of the cloud service in the cloud computer environment: a trusted relationship is established between the first and second security management service points, general security requirements for the cloud service are obtained; and a first security policy is defined for the first security management service point, based on the general security requirements for the cloud service, the first security capabilities and the first security requirements, for the running of the cloud service by the first computer cloud entity.
    Type: Application
    Filed: October 12, 2016
    Publication date: April 23, 2020
    Inventors: Manfred SCHAEFER, Iris ADAM, Stephane MAHIEU, Jing PING
  • Publication number: 20180316730
    Abstract: An apparatus comprising at least one processing circuitry, and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus at least: to design an extended security zone configuration for a network service to be instantiated including at least one virtual network function in a communication network comprising virtualized network parts, wherein the extended security zone configuration assigns the at least one virtual network function according to local and/or global security requirements to at least one dedicated security zone, and to provide a security zone descriptor information element describing a final result of the extended security zone configuration design for usage in an information set defining a deployment variant of the network service to be instantiated
    Type: Application
    Filed: October 22, 2015
    Publication date: November 1, 2018
    Inventors: Manfred SCHAEFER, Jing PING, Stephane MAHIEU
  • Publication number: 20180034781
    Abstract: An apparatus comprising at least one processing circuitry, and at least one memory for storing instructions to be executed by the processing circuitry, wherein the at least one memory and the instructions are configured to, with the at least one processing circuitry, cause the apparatus at least: to execute management tasks in an automated manner related to a control of security in a communication between two end points of a communication connection in a hybrid communication network, wherein the security is controlled for physical and virtual parts of the hybrid communication network, and to automatically control at least one of deployment, configuration and management of a security service including at least one security function instantiated or implemented in the hybrid communication network.
    Type: Application
    Filed: February 13, 2015
    Publication date: February 1, 2018
    Inventors: Bernd JAEGER, Stephane MAHIEU, Volker MENDISCH, Jing PING