A method for intelligent deployment of SFC based on dynamic labels and GNN-DRL under a zero-trust architecture

Using dynamic labels together with a GNN-DRL collaborative deployment method under a zero-trust architecture, the method addresses the trade-off between micro-segmentation isolation and service performance in SFC deployment for cloud-native environments: security policy and service performance are optimized dynamically against each other, improving both network defense capability and resource utilization efficiency.

CN122247878A · Pending · Publication Date: 2026-06-19 · NANJING UNIV OF AERONAUTICS & ASTRONAUTICS

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Application (China)
Current Assignee / Owner
NANJING UNIV OF AERONAUTICS & ASTRONAUTICS
Filing Date
2026-02-27
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing SFC deployment methods are difficult to adapt to complex attack scenarios in cloud-native environments, cannot effectively balance the conflict between strict micro-segmentation isolation and business performance, and ignore the dynamic quantification of VNF security attributes and the risk costs brought by cross-domain traffic.

Method used

A zero-trust architecture with dynamic labels and a GNN-DRL collaborative SFC intelligent deployment method is adopted. By constructing a zero-trust micro-segmentation network communication architecture and combining graph neural networks with deep reinforcement learning, the method performs multi-objective joint optimization: minimizing cross-label access risk, optimizing end-to-end service latency and deployment cost, and improving resource utilization efficiency while keeping micro-segments strictly isolated.

Benefits of technology

It achieves a dynamic balance of network security in a zero-trust environment, provides high-performance services with low latency and low cost, effectively suppresses lateral movement attacks, and improves network defense capabilities and resource utilization efficiency.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention discloses a smart SFC deployment method based on dynamic tags and GNN-DRL in a zero-trust architecture, belonging to the field of communication technology. This method jointly optimizes the SFC deployment location and micro-segmentation security strategy to address the quality of service and security isolation issues in zero-trust network environments. First, the method constructs a zero-trust micro-segmentation network communication architecture, and then establishes a physical network and service request model to support SFC deployment. Next, it utilizes the VNF security tag mechanism and graph neural network (GNN) to establish a deep representation environment with security awareness capabilities, and executes a multi-objective SFC deployment strategy based on deep reinforcement learning (DRL). This invention comprehensively considers the impact of SFC performance indicators and micro-segmentation security isolation requirements, achieving efficient SFC deployment and multi-objective dynamic equilibrium in micro-segmentation networks.

Description

Technical Field

[0001] This invention pertains to network communication technology, specifically to an SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture.

Background Technology

[0002] With the widespread adoption of Network Functions Virtualization (NFV) and Software-Defined Networking (SDN) technologies, the cloud-native architecture of network services has attracted significant attention from both academia and industry. The delivery of network services involves not only the dynamic allocation of resources but also ensuring network security in virtualized environments to address the risks posed by the disappearing boundaries. Some studies have proposed boundary-based defense strategies, such as deploying virtual firewalls or intrusion detection systems, aimed at preventing external attacks and protecting internal resources. However, these methods are not well-suited to the increasingly complex attack scenarios in cloud-native environments. Addressing the lateral movement problem arising from the disappearing boundaries of virtualized environments is crucial for building secure networks and optimizing overall defense systems.

[0003] Existing research has considered security issues in SFC deployment, but it has not addressed the significant impact that fine-grained isolation requirements have on network performance through the security policies they impose. Subsequent research has explored embedding security functions into SFC paths to enhance protection. Researchers have extensively discussed the complexities of SFC deployment, including SFC mapping under resource constraints and SFC orchestration assuming known security requirement levels. In most cases, however, accurate dynamic security classification of massive numbers of heterogeneous VNFs, and balancing the conflict between strict micro-segmentation isolation and service performance (such as latency), remain significant challenges.

[0004] While previous research has provided effective solutions for SFC deployment in various environments (such as cloud computing and data centers) and considered basic resource optimization, these strategies are difficult to apply to new security scenarios. Existing research often focuses on coarse-grained security domain partitioning or static policy configuration, and neglects the dynamic quantification of VNF security attributes and the risk costs brought by cross-domain traffic. Under a zero-trust architecture, security isolation and quality of service must be optimized simultaneously. This invention proposes a method for intelligent SFC deployment based on VNF dynamic security labels in a zero-trust micro-segmentation network architecture, together with a decision-making strategy based on GNN-DRL collaboration that accounts for the risk of cross-label access and performs multi-objective joint optimization of the deployment of these links.

Summary of the Invention

[0005] Purpose of the invention: In order to address the risk of lateral movement caused by the disappearance of virtualization environment boundaries, optimize end-to-end service latency and deployment costs, minimize cross-label access risks, improve resource utilization efficiency while ensuring strict micro-segmentation isolation, and achieve a dynamic balance between security policies and business performance, this invention provides a micro-segmentation SFC multi-target deployment method based on dynamic security labels and GNN-DRL collaboration.

[0006] Technical Solution: A method for intelligent deployment of SFC based on dynamic labels and GNN-DRL under a zero-trust architecture, the method comprising:
(1) Construct a zero-trust micro-segmentation network communication architecture: adopt a design that decouples the control plane and the data plane, and use a centralized SDN controller to uniformly perceive the network topology, issue micro-segmentation security policies and schedule computing and network resources.
(2) Establish a physical network and service request model: abstract the underlying physical network into an undirected graph model, define the computing capacity of the node set and the communication attributes of the link set, and then establish an SFC service request model describing the source node of the service chain, the logical dependency relationship of the VNF sequence and the traffic requirements.
(3) Formulate a multi-objective joint optimization model: formalize the SFC deployment problem as a multi-objective joint optimization problem subject to the dual constraints of resources and policies. The objectives are to minimize the total request response latency, the weighted risk cost and the deployment cost while satisfying the resource, bandwidth and latency constraints. The total request-response latency comprises transmission latency, link propagation latency, total processing latency and the additional latency introduced by the micro-segmentation architecture; the latter is the verification time between virtual network functions with different labels, and its expression is as follows:

[0007] in, It is an SFC request. VNF sequences, This represents the average verification time among virtual network functions with different labels. Indicates the first A label for a virtual network function; For SFC requests Security risks Defined as the sum of the cross-label communication risk weights between all adjacent VNF ​​pairs on this link:

[0008] in, It is an SFC request. VNF sequences, It is the first in the sequence The label value of each VNF, For cross-label indicator functions, The risk weighting functions are defined as follows:

[0009]

[0010] in Indicates the first and the A label for a virtual network function; The deployment cost is expressed in the following form:

[0011] The unit cost of bandwidth is , the server startup cost is , and the unit cost of server resources is ; indicates whether virtual network function of SFC request is deployed on server node ; is the memory and CPU requirement of the VNF; indicates whether the virtual link of SFC request is mapped to physical link (the value is 0 or 1); and indicates the minimum required bandwidth.
(4) Establish a VNF multidimensional feature security labeling mechanism: introduce an unsupervised learning method based on K-means clustering to transform the multidimensional feature attributes of VNFs into readable dynamic security level labels that identify the security domain affiliation of each VNF instance. Using the message passing mechanism of graph neural networks to aggregate the state information of physical network nodes and their neighbors, high-order feature encoding of the physical network topology is performed to generate semantically rich environment state representation vectors, providing standardized data support for subsequent intelligent decision-making.
(5) Construct an intelligent deployment mechanism based on GNN-DRL collaboration: build a collaborative decision-making framework of a graph neural network and deep reinforcement learning. The graph neural network extracts high-order features of the physical network topology and of the SFC logical dependencies; the deep reinforcement learning agent receives the state features output by the graph neural network and, through trial and error with the environment under the guidance of a composite reward function, learns to generate SFC node allocation and link mapping strategies.

[0012] The method described in this invention is based on the SFC service request information submitted by the user to the SDN controller. The SDN controller analyzes the user's demand characteristics and QoS constraints based on the service request information, including computing resources, bandwidth resources, VNF sequence logical dependencies, and security level requirements. At the same time, it combines the physical network topology, the current resource load status of the nodes, and the distribution of micro-segment security domains, and uses graph neural networks and deep reinforcement learning collaborative techniques to jointly optimize the deployment path and node allocation of SFC.

[0013] Specifically, the implementation steps of the above method are as follows. The zero-trust micro-segmentation network communication architecture constructed in step (1) aims to break through the limitations of traditional network boundary defense and achieve fine-grained isolation, dynamic access control and global security management within the network. It adopts a decoupled design between the control plane and the data plane, using a centralized SDN controller to uniformly perceive the entire network topology, distribute micro-segmentation security policies and schedule computing and network resources. This realizes the zero-trust principle of "never trust, always verify" and significantly improves the network's ability to defend against lateral movement attacks. The architecture not only supports flexible virtualized gateway deployment but also adapts dynamically to the isolation requirements of services with different security levels, providing a secure, efficient and resilient network infrastructure that meets the stringent security requirements of today's complex network environments.

[0014] Furthermore, step (2) includes providing a standardized mathematical environment for the resource scheduling and security policy implementation of SFC. First, the underlying physical network is abstracted into a graph model, and the computing power (such as CPU and memory) of the node set and the communication attributes (such as bandwidth and transmission latency) of the link set are precisely defined. At the same time, an SFC service request model is established to describe the source node of the service chain, the logical dependency relationship of the VNF sequence, and the traffic requirements, so as to ensure that subsequent algorithms can perform resource matching and path planning based on a unified model.

[0015] The undirected graph represents the network structure in NFV, where is the set of server nodes and is the set of physical edges; denotes a server and denotes a physical edge. Multiple virtual machines (VMs) can be instantiated on each server to support different types of Virtual Network Functions (VNFs); is the collection of virtual machines that support these VNFs.

[0016] The maximum amount of computing resources that each server can have is , representing the number of CPU and memory resources, respectively. Additionally, each physical edge... Connect two servers. Physical edge. By quadruple It means that among them Represent The source and target nodes. Physical edges. The maximum bandwidth capacity is The propagation delay is .

[0017] The SFC request set in the network is described as SFC request It is the first An SFC request. (SFC request) The representation of is This indicates an SFC request. Passing through in sequence One VNF. The maximum allowed end-to-end delay is determined by This indicates that the minimum required bandwidth is determined by This indicates that, based on the Poisson distribution and considering the dynamic nature of the network, the SFC request... Average arrival rate is .

[0018] SFC Request The VNF set is represented as ,in It is a request The first used Each VNF. The memory and CPU requirements are determined by In addition, an SFC request will be made. The set of virtual edges connecting each VNF is defined as follows: ,in Indicates SFC request Connecting to VNF With VNF The A virtual edge.

[0019] Furthermore, step (3) considers that SFC deployment is no longer merely a traditional resource allocation problem, but has evolved into a complex multi-dimensional decision-making process that integrates security policy constraints, network performance guarantees, and resource cost control. In practical scenarios, while strictly implementing micro-segmentation isolation strategies (such as cross-label authentication) can significantly reduce the security risks of lateral movement, it often introduces additional authentication latency or leads to path detours, thereby increasing deployment costs and affecting Quality of Service (QoS). Therefore, in order to find the optimal balance between security protection level, service latency, and network operating costs, the SFC deployment problem needs to be transformed into a computable mathematical problem.

[0020] This invention models the above problem as a multi-objective joint optimization problem constrained by both resources and policies, aiming to find a Pareto optimal solution that can simultaneously satisfy the aforementioned multi-dimensional requirements. Its mathematical expression is as follows:

[0021]

[0022] in, The total delay of the request and response is expressed as:

[0023] for Any business function chain request Its end-to-end total delay This includes transmission latency, processing latency on server nodes, link propagation latency, and additional latency introduced by the micro-segmentation architecture.

[0024] in, Indicates transmission delay:

[0025] here VNF Average transmission rate Indicates the data packet size; Indicates link propagation delay:

[0026] in, Indicates the first The inherent propagation delay of each physical link.

[0027] The processing latency of a single VNF instance is affected by the virtual machine's computing power and the specific type of VNF. Therefore, the processing latency may vary across different virtual machines. Represents virtual machine Requests for business function chains The processing speed. Represents virtual machine Request for SFC VNF The processing delay. This indicates the total processing delay:

[0028]

[0029] in, Represents virtual machine The maximum aggregation processing capacity, Represents virtual machine Request for business function chain The allocated CPU sharing rate. Because the resource requirements of different business function chains are independent, virtual machines... For the request The processing density is expressed as .

[0030] The additional latency introduced by the micro-segmentation architecture is the verification time between virtual network functions of different labels, and its expression is as follows:

[0031] in, This represents the average verification time among virtual network functions with different labels. Indicates the first A label for virtual network functionality.

[0032] Therefore, the total latency of the request and response is:

[0033] This represents the weighted risk cost, specifically, for a business function chain request. Its security risks Defined as the sum of the cross-label communication risk weights between all adjacent VNF ​​pairs on this link:

[0034] in, It is a request VNF sequences, It is the first in the sequence The label value of a VNF. For cross-label indicator functions, The risk weighting functions are defined as follows:

[0035]

[0036] Deployment costs are expressed as follows:

[0037]

[0038] The unit cost of bandwidth is , the server startup cost is , and the unit cost of server resources is ; indicates whether virtual network function of SFC request is deployed on server node ; is the memory and CPU requirement of the VNF; indicates whether the virtual link of SFC request is mapped to physical link (the value is 0 or 1); indicates the minimum required bandwidth; and denotes the number of instances of virtual network function deployed on node , since multiple VNF instances may be deployed on the same server to serve different requests. Therefore:

[0039]

[0040] where denotes the VNF of request , indicates whether request is still in service (1 or 0), and indicates whether virtual network function of request is deployed on server node (1 or 0).

[0041] If resources are sufficient, a server node can host multiple Virtual Network Functions (VNFs), but the following resource constraints must be met:

[0042] The total bandwidth requirement of all requests passing through a server node must not exceed its maximum output bandwidth, giving the bandwidth constraint as follows:

[0043] where indicates whether the virtual link of request is mapped to physical link (the value is 1 or 0).

[0044] Finally, a latency constraint is imposed, as follows:
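The three objective terms of paragraphs [0020] to [0044] (total latency including the cross-label verification term, the weighted cross-label risk cost, and the deployment cost) and the three constraints (node resources, link bandwidth, end-to-end delay) evaluated for candidate placements of one chain. This is an added example, not code from the patent. Everything numeric is constructed: the three-server line topology, the four-VNF chain with labels [2, 2, 1, 1], the cost parameters, and the average verification time. Two modelling choices are assumptions because the page does not reproduce the corresponding formulas: the risk weight of a cross-label pair is the absolute label difference, and the transmission delay is packet size divided by transmission rate per VNF. The scalarised `composite_reward` stands in for the composite reward function of step (5), whose form the page also does not give.

```python
from collections import defaultdict, namedtuple

# Physical network and request model (constructed for this example; field names are assumptions).
Server = namedtuple("Server", "name cpu mem active", defaults=(False,))  # active: already powered on
Link = namedtuple("Link", "src dst bandwidth prop_delay")                # capacity, propagation delay (ms)
VNF = namedtuple("VNF", "name label cpu mem proc_delay")                 # label: dynamic security label
SFCRequest = namedtuple("SFCRequest", "vnfs bandwidth max_delay packet_size tx_rate")
# Unit bandwidth cost, server startup cost, unit resource cost, average cross-label verification time (ms).
PARAMS = {"bw_unit": 0.1, "server_start": 10.0, "res_unit": 0.5, "verify_time": 1.5}

def cross_label_pairs(labels):
    """Adjacent VNF pairs whose labels differ (cross-label indicator = 1)."""
    return [(a, b) for a, b in zip(labels, labels[1:]) if a != b]

def verification_latency(labels, verify_time):
    """Extra latency of the micro-segmentation architecture: one verification per cross-label pair."""
    return verify_time * len(cross_label_pairs(labels))

def risk_cost(labels):
    """Weighted risk cost. The weight |l_i - l_j| is an assumption; the page omits the weighting function."""
    return sum(abs(a - b) for a, b in cross_label_pairs(labels))

def evaluate(req, servers, placement, paths, p=PARAMS):
    """placement: VNF name -> server name; paths[i]: physical links carrying virtual edge i
    (empty when both endpoints share a server). Returns the objectives and violated constraints."""
    labels = [v.label for v in req.vnfs]
    # Latency = transmission + propagation + processing + cross-label verification.
    tx = sum(req.packet_size / req.tx_rate for _ in req.vnfs)   # assumed per-VNF transmission delay
    prop = sum(l.prop_delay for path in paths for l in path)
    proc = sum(v.proc_delay for v in req.vnfs)
    latency = tx + prop + proc + verification_latency(labels, p["verify_time"])
    # Cost = bandwidth on mapped links + newly started servers + consumed resources.
    used = {placement[v.name] for v in req.vnfs}
    started = sum(1 for s in used if not servers[s].active)
    hops = sum(len(path) for path in paths)
    resources = sum(v.cpu + v.mem for v in req.vnfs)
    cost = p["bw_unit"] * hops * req.bandwidth + p["server_start"] * started + p["res_unit"] * resources
    # Constraints: node resources, link bandwidth, end-to-end delay.
    cpu_use, mem_use, bw_use, link = defaultdict(float), defaultdict(float), defaultdict(float), {}
    for v in req.vnfs:
        cpu_use[placement[v.name]] += v.cpu
        mem_use[placement[v.name]] += v.mem
    for path in paths:
        for l in path:
            bw_use[(l.src, l.dst)] += req.bandwidth
            link[(l.src, l.dst)] = l
    violations = [f"resources on {s}" for s in sorted(used)
                  if cpu_use[s] > servers[s].cpu or mem_use[s] > servers[s].mem]
    violations += [f"bandwidth on {k}" for k, b in bw_use.items() if b > link[k].bandwidth]
    if latency > req.max_delay:
        violations.append("latency")
    return {"latency": latency, "risk": risk_cost(labels), "cost": cost, "violations": violations}

def composite_reward(result, weights=(1.0, 1.0, 1.0), penalty=100.0):
    """Scalarised reward in the spirit of step (5); weights and penalty are assumptions."""
    a, b, c = weights
    return -(a * result["latency"] + b * result["risk"] + c * result["cost"]) \
        - penalty * len(result["violations"])

def sample_scenario():
    """Constructed line topology s1 - s2 - s3 and a four-VNF chain with labels [2, 2, 1, 1]."""
    servers = {"s1": Server("s1", cpu=6, mem=16, active=True),
               "s2": Server("s2", cpu=8, mem=16), "s3": Server("s3", cpu=8, mem=16)}
    l12, l23 = Link("s1", "s2", 100, 2.0), Link("s2", "s3", 100, 3.0)
    chain = (VNF("FW", 2, 2, 4, 1.0), VNF("IDS", 2, 3, 4, 2.0),
             VNF("NAT", 1, 1, 2, 0.5), VNF("LB", 1, 1, 2, 0.5))
    req = SFCRequest(chain, bandwidth=20, max_delay=14.0, packet_size=1200, tx_rate=1200)
    return req, servers, (l12, l23)

def compare_deployments():
    req, servers, (l12, l23) = sample_scenario()
    candidates = {
        # same-label aggregation: one hop, one cross-label verification at the domain boundary
        "aggregated": ({"FW": "s1", "IDS": "s1", "NAT": "s2", "LB": "s2"}, [[], [l12], []]),
        # spread over three servers: two hops and two server startups
        "scattered": ({"FW": "s1", "IDS": "s2", "NAT": "s3", "LB": "s3"}, [[l12], [l23], []]),
        # everything on s1: cheapest, but exceeds the node's CPU capacity
        "single_server": ({"FW": "s1", "IDS": "s1", "NAT": "s1", "LB": "s1"}, [[], [], []]),
    }
    return {n: evaluate(req, servers, pl, paths) for n, (pl, paths) in candidates.items()}

if __name__ == "__main__":
    for name, r in compare_deployments().items():
        print(f"{name:14s} latency={r['latency']:.1f} risk={r['risk']} cost={r['cost']:.1f} "
              f"reward={composite_reward(r):.1f} violations={r['violations']}")
```

Two things the numbers make visible. The risk term depends only on the label sequence of the chosen VNF instances, so with these labels every placement carries the same risk of 1 and a single verification delay; what placement changes is latency and cost, which is why the "same-label aggregation, cross-label authentication" principle of [0049] trades hops and startups against one verification at the domain boundary. And the cheapest placement is not the best one: putting the whole chain on s1 minimizes cost but violates the node resource constraint, while the scattered placement stays within resources but breaks the delay bound, so only the aggregated placement is feasible.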

[0045] (4) Establish a VNF multidimensional feature security labeling mechanism

[0046] By introducing a VNF security labeling mechanism based on K-means clustering, and utilizing unsupervised learning of multi-dimensional feature attributes (such as resource requirements, function type, and preset level), discrete static VNF attributes are transformed into machine-readable dynamic security level labels, effectively ensuring that each VNF instance can be accurately identified in terms of its security domain affiliation. Furthermore, high-order feature encoding of the physical network topology is performed using a graph neural network (GNN), achieving a deep representation and accurate mapping of the network environment state, ensuring accurate quantification of security attributes and deep awareness of network status during SFC deployment.

[0047] (5) Construct an intelligent deployment mechanism based on GNN-DRL collaboration

[0048] An intelligent deployment mechanism based on GNN-DRL collaboration, using a joint architecture of Graph Neural Networks (GNN) and Deep Reinforcement Learning (DRL), enables the SFC to find a globally optimal solution in complex topologies according to its security labels and resource requirements. The message passing mechanism of the GNN module aggregates high-order features of physical network nodes and their neighbors, generating semantically rich environment state representation vectors that give the DRL agent an accurate global view. At the same time, the DRL agent interacts with the environment through trial and error and, under the guidance of the reward function, learns to generate deployment strategies that satisfy the micro-segmentation constraints, thereby placing VNFs within the correct security domain and mapping virtual links optimally.

[0049] Beneficial Effects: The method described in this invention comprehensively considers the trade-off between the security isolation requirements of micro-segmentation in a zero-trust environment and Quality of Service (QoS). First, it constructs a zero-trust micro-segmentation network communication architecture based on an SDN controller. Then, on this architecture, it proposes a multi-objective intelligent SFC deployment method based on VNF security labels and GNN-DRL collaboration. This includes: establishing a physical network and service request model; generating dynamic VNF security labels using a clustering algorithm; deeply representing the network state using a Graph Neural Network (GNN); and solving the multi-objective joint optimization problem using Deep Reinforcement Learning (DRL). Finally, experimental evaluations were conducted. The results show that, because the invention jointly considers the interaction between security isolation risks, end-to-end latency and resource costs, it realizes the deployment principle of "same-label aggregation and cross-label authentication," providing high-performance services with lower latency and lower cost while ensuring network security.

Attached Figure Description

[0050] Figure 1 is a flowchart of the method described in this invention.
Figure 2 illustrates the practical application and key advantages of micro-segmentation in this invention.
Figure 3 is an example diagram of the tag-based zero-trust mechanism in SFC in an embodiment of the present invention.
Figure 4 is a diagram of the SFC deployment architecture based on GNN dynamic topology awareness in an embodiment of the present invention.
Figure 5 compares the deployment costs and cross-tag risk costs of MSG, Base and Greedy in the embodiments of the present invention: Figure 5(a) shows the deployment costs under different request numbers, and Figure 5(b) shows the cross-tag risk costs under different request numbers.
Figure 6 compares the latency of the MSG, Base and Greedy algorithms: Figure 6(a) under different SFC lengths, and Figure 6(b) under different request numbers.
Figure 7 compares the request acceptance rates of the MSG, Base and Greedy algorithms: Figure 7(a) under different SFC lengths, and Figure 7(b) under different request numbers.
Figure 8 compares the average reward values of the MSG, Base and Greedy algorithms: Figure 8(a) under different SFC lengths, and Figure 8(b) under different request numbers.
Figure 9 compares the average reward values for different cluster numbers in the MSG method of this invention.

Detailed Implementation

[0051] To illustrate the technical solutions disclosed in this invention in detail, the invention will be further described below with reference to the accompanying drawings and embodiments.

[0052] This invention provides an SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture, which aims to minimize service latency, improve business response speed, reduce deployment costs, optimize resource allocation efficiency, minimize cross-tag access risks, and ensure fine-grained security isolation.

[0053] From an application perspective, with the deepening application of network virtualization technology and the widespread deployment of cloud-native architecture, the physical boundaries of traditional networks are gradually disappearing, and the expansion of the network attack surface brings severe lateral movement risks. This change makes traditional boundary-based defense models difficult to adapt to the current complex network environment, and network security is evolving towards an identity-centric zero-trust architecture. To achieve defense in depth and address the security challenges brought about by the disappearance of virtualization environment boundaries, micro-segmentation technology, which integrates the zero-trust concept, plays a crucial role in building secure networks. Micro-segmentation architecture, through fine-grained isolation strategies and dynamic trust assessment, can effectively curb the spread of attacks within the network. Addressing the security challenges and high-performance service requirements of virtualized networks, this invention presents an SFC deployment strategy under a micro-segmentation security architecture that integrates the zero-trust concept.

[0054] This invention provides an intelligent SFC deployment method based on dynamic security labels and GNN-DRL under a zero-trust architecture, which is used for the deep integration of security policies and resource scheduling. By utilizing the VNF security label mechanism, graph neural network (GNN) and deep reinforcement learning (DRL) collaborative decision-making, this example method aims to achieve multi-objective joint optimization of service latency, deployment cost and cross-label access risk in a dynamically changing network environment.

[0055] The implementation process of the technical solution provided by this invention is described in detail below.

[0056] The method described in this invention enables dynamic micro-segmentation deployment and multi-objective joint optimization decision-making for SFC based on a zero-trust architecture. It mainly includes an SDN controller, physical network infrastructure, micro-segmentation logical boundaries, and diverse SFC service requirements. The SDN controller, as the core management component, is responsible for real-time awareness of the global network topology and resource status, collecting SFC service request information, executing VNF security label generation and GNN-DRL collaborative decision-making algorithms, and uniformly distributing routing flow tables and micro-segmentation security policies. End users or tenants submit deployment requests to the controller, including latency, cost, and security level requirements, and wait for the network to allocate isolated computing and network resources. Nodes, links, and virtualized gateways in the physical network topology are uniformly scheduled by the SDN controller to provide high-performance services to users while ensuring zero-trust security isolation.

[0057] The main implementation process of the method described in this invention is shown in Figure 1. Based on the above technical solution, the embodiments are described in further detail, specifically including the following steps: (1) Constructing a zero-trust micro-segmentation network communication architecture: This invention constructs a zero-trust micro-segmentation network communication architecture based on an SDN controller. The architecture aims to break through the limitations of traditional network boundary defense and achieve fine-grained isolation, dynamic access control and global security management within the network. Adopting a decoupled design between the control plane and the data plane, a centralized SDN controller uniformly perceives the entire network topology, distributes micro-segmentation security policies and schedules computing and network resources, thereby realizing the zero-trust principle of "never trust, always verify" and significantly improving the network's ability to defend against lateral movement attacks. The architecture not only supports flexible virtualized gateway deployment but also adapts dynamically to the isolation requirements of services with different security levels, providing secure, efficient and elastic network communication services that meet the stringent security requirements of today's complex network environments.

[0058] Furthermore, in this invention, the SDN controller generates a micro-segmentation policy based on the security attributes of service requests. Under the assumption that each SFC request has specific security levels and performance requirements, the physical network must provide it with computational and bandwidth resources that satisfy the micro-segmentation isolation principle. The deployment aims to reduce end-to-end latency and resource usage costs of the service function chain while minimizing cross-security domain access risks, while ensuring micro-segmentation security. High-strength security isolation (i.e., mandatory cross-label detection) may increase communication latency and processing costs, while excessively pursuing low costs may blur security domain boundaries and increase the attack surface. The challenge lies in balancing these three conflicting objectives—latency, cost, and security risk—and implementing a deployment strategy of "same-label aggregation, cross-label authentication" in a dynamic network.

[0059] (2) Establishing a physical network and service request model: This invention provides a standardized mathematical environment for SFC resource scheduling and security policy implementation by establishing a physical network and service request model. First, the underlying physical network is abstracted into a graph model, precisely defining the computing power (such as CPU, memory) of the node set and the communication attributes (such as bandwidth, transmission latency) of the link set. At the same time, an SFC service request model is established to describe the source node of the service chain, the logical dependency relationship of the VNF sequence, and the traffic requirements, ensuring that subsequent algorithms can perform resource matching and path planning based on a unified model.

[0060] Furthermore, this invention first models the physical network, describing the resource attributes of nodes within the domain and the topological connections of links, and stores and represents them using graph-structured data. Then, it models SFC service requests, extracting key indicators such as maximum permissible latency and service function chain length. The model provides a systematic framework that clearly describes the complex topology of the physical network and the performance indicators of service requests, providing the necessary data input and theoretical foundation for subsequent security label generation and joint optimization.

[0061] (3) A multi-objective joint optimization model is formulated. This invention considers the complex coupling relationship between SFC performance indicators and the requirements for micro-segmented security isolation. Traditional single-objective optimization methods are difficult to effectively handle these mutually constraining decision dimensions. To this end, an integrated solution is proposed, which integrates latency, cost, and security risks into a multi-objective joint optimization problem. The objectives are to minimize end-to-end communication latency, reduce resource and instantiation costs, and minimize the interaction risks across security labels. Through this integrated approach, the limitations of traditional methods that only focus on resource efficiency while ignoring security risks are successfully overcome, providing a new solution for the secure deployment of SFC under a zero-trust architecture.

[0062] Furthermore, this invention introduces a VNF security label mechanism as the basis for risk quantification, formalizing service latency, deployment costs, and cross-label access risks into a joint multi-objective optimization problem, thus establishing the core constraint of security policies in resource scheduling. By constructing this joint optimization model, it aims to address the lateral movement risk caused by the disappearance of virtualization environment boundaries, strictly adhering to the micro-segmentation isolation principle during resource scheduling, thereby achieving a multi-objective dynamic balance among security isolation, service performance, and deployment costs.

[0063] (4) Establishing a VNF multi-dimensional feature security labeling mechanism: This invention establishes a VNF dynamic security label and environment representation model to ensure accurate quantification of security attributes and deep perception of network status during SFC deployment. By introducing a VNF security labeling mechanism based on K-means clustering, and utilizing unsupervised learning of multi-dimensional feature attributes (such as resource requirements, function type, and preset level), discrete VNF static attributes are transformed into machine-readable dynamic security level labels, effectively ensuring that each VNF instance can be accurately identified in terms of its security domain affiliation. Furthermore, by using graph neural networks (GNNs) to encode high-order features of the physical network topology, a deep representation and accurate mapping of the network environment status are achieved, thus providing standardized data support for subsequent intelligent decision-making.

[0064] Furthermore, this invention utilizes the K-means algorithm to establish a VNF security labeling model, dividing VNFs into different security clusters, thus solving the problems of static and coarse-grained security policy configuration in traditional methods. Simultaneously, it leverages the message passing mechanism of GNNs to aggregate network topology information, generating state representation vectors containing high-order correlation features of the physical network. This mechanism, combining security attribute quantification with deep environmental representation, provides accurate input features for solving the problem of policy derivation under complex topologies.

[0065] (5) Constructing an intelligent deployment mechanism based on GNN-DRL collaboration: This invention designs an intelligent deployment mechanism based on GNN-DRL collaboration, utilizing a joint architecture of graph neural networks (GNN) and deep reinforcement learning (DRL) to ensure that the SFC can find the globally optimal solution in complex topologies based on its security label and resource requirements. The message passing mechanism of the GNN module aggregates the high-order features of the physical network nodes and their neighbors, generating an environment state representation vector containing rich semantics, providing the DRL agent with an accurate global view. Simultaneously, the DRL agent interacts with the environment through trial and error, learning to generate deployment strategies that satisfy micro-segmentation constraints under the guidance of the reward function, thereby ensuring the placement of VNFs within the correct security domain and the optimal mapping of virtual links.

[0066] Furthermore, this invention addresses the NP-hard deployment optimization problem by designing a collaborative decision-making framework. The graph neural network (GNN) acts as the encoder, solving the challenge of extracting complex topological features, while the deep reinforcement learning (DRL) agent acts as the decision-maker, embedding the logic of "same-label aggregation and cross-label authentication." During training, the agent continuously adjusts its policy parameters based on feedback from latency, cost, and risk, ultimately outputting an SFC node allocation and link mapping scheme that adapts to dynamic network changes, ensuring the placement of VNFs within the correct security domain and the optimal mapping of virtual links.

[0067] Furthermore, the zero-trust micro-segmentation network communication architecture used in step (1) is shown in Figure 2. This approach effectively suppresses lateral movement of attacks, significantly reduces the attack surface, and enables fine-grained network segmentation, limiting the network access exposed to any user, application, or device to the minimum necessary for operational purposes. Invalid attack paths are directly severed at the physical or logical level, greatly increasing the difficulty for attackers to reconnoiter and penetrate the network. Strict adherence to the principle of least privilege not only enhances the overall security level but also better meets complex compliance requirements, while effectively preventing internal misoperations or malicious actions.

[0068] The working principle of this architecture can be explained in the following three aspects: 1. Control Layer: Policy Control Center and Zero-Trust Mechanism. As the brain of the entire architecture, the control layer no longer implicitly trusts any traffic within the network, but strictly adheres to the principle of "never trust, continuous verification." Access decisions no longer rely solely on IP addresses; instead, real-time, dynamic authorization judgments are made based on a comprehensive assessment of identity (user/device), context (time, location, device status), and request content. All security policies are centrally formulated and managed, and automatically distributed to all execution nodes, ensuring global policy consistency and rapid response.

[0069] 2. Execution Layer: Distributed secure execution nodes

[0070] The execution layer is deployed on all critical traffic paths and is responsible for implementing the policies issued by the control layer. This primarily includes authentication and access control, performing strict authentication and continuous trust assessment on every access request. It strictly adheres to the principle of least privilege, dynamically deciding whether to allow, deny, or restrict access.

[0071] 3. Resource Layer: Breaking away from the traditional flat network structure, this layer achieves multi-layered, in-depth isolation. Different application services (such as web servers, API gateways, load balancers, etc.) are divided into logically isolated zones. For example, the API gateway in isolation zone A cannot directly access the caching service in isolation zone D; direct access is not allowed by default.

[0072] By combining the deployment of micro-segmentation technology in the business function chain, this example proposes a micro-segmentation SFC dynamic execution path based on the zero-trust principle. This path is no longer a fixed pipeline, but is transformed into an intelligent workflow that can be dynamically generated according to the visitor's identity and request target, and is subject to full control by security policies.

[0073] For example, as shown in Figure 3, the numerical labels above each Virtual Network Function (VNF) are the core clues for understanding this mechanism; these labels correspond to the previously defined security levels. Higher label values (e.g., #4) indicate more sensitive data processed by the VNF, requiring stricter security controls. The orchestration logic of the entire link is as follows: When a requester attempts to access a VNF with a higher security label than its current one, the system follows a default rejection policy, forcing the request to first pass through the gateway (VNF4). At this stage, based on the zero-trust principle, strict identity authentication and authorization verification are performed on the request to determine whether it has the permission to continue accessing and to determine the subsequent access path. If the request target is to obtain static resources (e.g., VNF2, label #2), since its security level is comparable to the requester's, the system will directly return the corresponding resource, thus prioritizing access efficiency. If the request target is to access the core database (e.g., VNF7, label #4), an advanced security policy will be triggered. The request must be processed and authenticated by the gateway before being approved to access the database. During this process, access to high-security-label resources by lower-security-label users must undergo strict review.

[0074] Security is no longer a static barrier surrounding business operations, but a dynamic element deeply integrated into the business flow. Based on fine-grained security tags (such as identity and data sensitivity), the network can automatically and in real time construct a customized security service chain that meets business functional requirements while adhering to the principles of least privilege and dynamic verification. This effectively protects core data security while balancing access efficiency with overall security.
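The Figure 3 access logic and the two per-chain quantities from claim 1 (cross-label risk as a weighted sum over adjacent VNF pairs, and the additional verification latency on cross-label hops), as an added example that is not code from the patent. The risk weight (label gap), the verification time, the gateway authorization policy and all VNF labels are assumptions made here.

```python
"""Zero-trust access-path orchestration and cross-label accounting for an SFC.

Added example, not the patent's own code. Two pieces are modelled:
  * plan_access_path: the Figure 3 logic. A target whose label does not
    exceed the requester's is served directly ("same-label aggregation");
    a higher-labelled target is denied by default and reached only through
    the gateway after authentication ("cross-label authentication").
  * chain_risk / extra_latency_ms: the claim 1 quantities for a deployed
    VNF sequence. Assumed: risk weight = label gap, and every cross-label
    hop costs one average verification time T_VERIFY_MS.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class VNF:
    name: str
    label: int          # security label, #1 (low risk) .. #4 (core data)


@dataclass(frozen=True)
class Credential:
    identity: str
    verified: bool      # identity authenticated by the gateway
    clearance: int      # highest label this identity may be authorized for


T_VERIFY_MS = 1.5       # assumed mean verification time per cross-label hop


def cross_label(a: int, b: int) -> int:
    """Indicator function: 1 when two adjacent VNFs carry different labels."""
    return int(a != b)


def risk_weight(a: int, b: int) -> float:
    """Assumed risk weight of a cross-label hop: the size of the label gap."""
    return float(abs(a - b))


def chain_risk(chain: List[VNF]) -> float:
    """Cross-label risk: weighted indicator summed over adjacent VNF pairs."""
    return sum(cross_label(u.label, v.label) * risk_weight(u.label, v.label)
               for u, v in zip(chain, chain[1:]))


def extra_latency_ms(chain: List[VNF]) -> float:
    """Additional latency of the micro-segmentation architecture: one
    verification per hop between differently labelled VNFs."""
    return sum(cross_label(u.label, v.label) * T_VERIFY_MS
               for u, v in zip(chain, chain[1:]))


def gateway_authorize(cred: Credential, target: VNF) -> bool:
    """Assumed gateway policy: an authenticated identity whose clearance
    covers the target's label may continue; everything else is refused."""
    return cred.verified and cred.clearance >= target.label


def plan_access_path(requester: VNF, target: VNF, gateway: VNF,
                     cred: Credential) -> Tuple[str, List[VNF]]:
    """Figure 3 orchestration. Returns (decision, VNF path actually traversed)."""
    if target.label <= requester.label:
        # Comparable or lower security level: serve directly, efficiency first.
        return "allow-direct", [requester, target]
    # Target label exceeds the requester's: default deny, detour via gateway.
    if gateway_authorize(cred, target):
        return "allow-via-gateway", [requester, gateway, target]
    return "deny", [requester, gateway]


# Constructed VNFs mirroring the labels named in the description (sample values)
INGRESS = VNF("ingress", 2)          # the requester, carrying label #2
VNF2 = VNF("VNF2-static", 2)
VNF4 = VNF("VNF4-gateway", 4)
VNF7 = VNF("VNF7-core-db", 4)

if __name__ == "__main__":
    for cred in (Credential("reader", True, 2), Credential("dba", True, 4),
                 Credential("unknown", False, 4)):
        for target in (VNF2, VNF7):
            decision, path = plan_access_path(INGRESS, target, VNF4, cred)
            print(f"{cred.identity:8} -> {target.name:12} {decision:18} "
                  f"risk={chain_risk(path):.1f} extra={extra_latency_ms(path):.1f} ms")
```

Running the block shows why the optimizer favours "same-label aggregation": a chain whose equal-label VNFs are adjacent accrues neither risk weight nor verification delay on those hops.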

[0075] Furthermore, step (4) establishes a VNF multi-dimensional feature security labeling mechanism. In the dynamic deployment of business function chains based on zero trust, assigning accurate security labels to each virtual network function is the foundation for the architecture to achieve refined security management. The VNF security labeling algorithm serves as the core input for automating and objectifying this process. Its workflow is as follows: First, a multi-dimensional feature vector is constructed for each VNF. This vector not only covers its resource specifications but, more importantly, integrates security-related attributes, including the number and severity of known vulnerabilities, the sensitivity level of the data being processed, the network exposure surface, and compliance requirements. Subsequently, this algorithm clusters all VNFs based on these feature vectors. By calculating the distance between vectors, VNFs with similar security features are automatically grouped into the same cluster. This process is essentially the discovery of hidden risk patterns in massive operation and security data. For example, it can automatically identify all VNFs that are exposed to the outside world, have high-risk vulnerabilities, and process payment data, and group them into the same cluster. Finally, based on the overall risk level represented by each cluster centroid, numerical security labels are assigned to them from low to high. For example, low-risk clusters are labeled #1, and clusters that process core data are labeled #4. Thus, the security level assessment, which originally relied on human experience and was relatively abstract, is transformed into a data-driven, clearly quantifiable inherent security attribute of VNFs through the VNF security label algorithm.

[0076] When selecting an automated clustering algorithm for VNF security labels, K-means demonstrates significant advantages and applicability compared to methods such as hierarchical clustering or DBSCAN. Its core strength lies in its good balance between efficiency and determinism: K-means performs well on preprocessed VNF feature data. With linear computational complexity, it can quickly partition large-scale sets of VNF instances, meeting the real-time requirements of dynamic deployment environments. Simultaneously, it generates deterministic, non-nested clusters, precisely corresponding to the clear and mutually exclusive integer security label system required for VNFs, avoiding the complex tree-like relationships and security policy interpretation difficulties that hierarchical clustering may produce. Furthermore, by minimizing intra-cluster variance, the algorithm effectively ensures that VNFs within the same security label are as similar as possible in risk characteristics, thus ensuring that VNFs corresponding to high-security labels truly possess common characteristics such as high vulnerability risk and high data sensitivity, significantly improving label credibility and policy execution consistency. Therefore, considering the three key dimensions of computational efficiency, output structure clarity, and alignment with business objectives, K-means is a more practical and efficient choice for implementing VNF security label classification.
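The step (4) workflow of the two preceding paragraphs, feature vector, K-means clustering and centroid-ordered labels #1..#K, as an added example that is not code from the patent. The feature set and scaling, the deterministic farthest-point seeding, the centroid risk score (mean of the scaled security dimensions) and the VNF catalogue are assumptions made here.

```python
"""VNF security labelling by K-means clustering over multi-dimensional features.

Added example, not the patent's own code. Workflow as described above:
build one feature vector per VNF (resource specification plus security
attributes), cluster with K-means, then number the clusters from #1 (lowest
risk) to #K by the risk level of their centroids. Assumed here: min-max
scaling, farthest-point seeding from the lowest-risk VNF, and a centroid
risk score equal to the mean of the scaled security dimensions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VNFFeatures:
    name: str
    cpu: int            # vCPU requirement
    mem_gb: int         # memory requirement
    vulns: int          # number of known vulnerabilities
    max_cvss: float     # severity of the worst known vulnerability
    sensitivity: int    # 0 public .. 3 core data
    exposed: int        # 1 if reachable from outside the segment
    compliance: int     # 1 if subject to compliance requirements (e.g. payment)

    def vector(self) -> List[float]:
        return [self.cpu, self.mem_gb, self.vulns, self.max_cvss,
                self.sensitivity, self.exposed, self.compliance]


SECURITY_DIMS = (2, 3, 4, 5, 6)   # indices of the security-related dimensions


def min_max_scale(rows: List[List[float]]) -> List[List[float]]:
    """Scale every dimension to [0, 1] so resource sizes do not dominate distance."""
    dims = len(rows[0])
    lo = [min(r[d] for r in rows) for d in range(dims)]
    hi = [max(r[d] for r in rows) for d in range(dims)]
    return [[(r[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
             for d in range(dims)] for r in rows]


def sq_dist(a: List[float], b: List[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def risk_score(vec: List[float]) -> float:
    """Assumed risk of a (scaled) vector or centroid: mean of security dimensions."""
    return sum(vec[d] for d in SECURITY_DIMS) / len(SECURITY_DIMS)


def init_centroids(points: List[List[float]], k: int) -> List[List[float]]:
    """Deterministic farthest-point seeding, starting from the lowest-risk VNF."""
    centroids = [min(points, key=risk_score)]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(sq_dist(p, c) for c in centroids))
        centroids.append(far)
    return [list(c) for c in centroids]


def kmeans(points: List[List[float]], k: int,
           max_iter: int = 100) -> Tuple[List[int], List[List[float]]]:
    """Lloyd's algorithm; returns (cluster index per point, centroids)."""
    centroids = init_centroids(points, k)
    assign = [-1] * len(points)
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda j: sq_dist(p, centroids[j]))
                      for p in points]
        if new_assign == assign:      # converged: no point changed cluster
            break
        assign = new_assign
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:               # an empty cluster keeps its old centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return assign, centroids


def label_vnfs(vnfs: List[VNFFeatures], k: int) -> Dict[str, int]:
    """Cluster the VNFs and map each to an integer label #1 (lowest risk) .. #k."""
    points = min_max_scale([v.vector() for v in vnfs])
    assign, centroids = kmeans(points, k)
    order = sorted(range(k), key=lambda j: risk_score(centroids[j]))
    label_of_cluster = {j: rank + 1 for rank, j in enumerate(order)}
    return {v.name: label_of_cluster[a] for v, a in zip(vnfs, assign)}


# Constructed VNF catalogue (sample values, not measurements)
CATALOGUE = [
    VNFFeatures("static-cache", 1, 2, 0, 0.0, 0, 0, 0),
    VNFFeatures("log-collector", 1, 2, 0, 0.0, 1, 0, 0),
    VNFFeatures("fw-edge", 2, 4, 1, 4.0, 0, 1, 0),
    VNFFeatures("lb", 2, 4, 1, 5.0, 0, 1, 0),
    VNFFeatures("api-gw", 4, 8, 2, 7.5, 1, 1, 1),
    VNFFeatures("auth-service", 2, 4, 2, 6.5, 2, 0, 1),
    VNFFeatures("payment-db", 8, 32, 3, 9.8, 3, 0, 1),
    VNFFeatures("customer-db", 8, 32, 2, 9.0, 3, 0, 1),
]

if __name__ == "__main__":
    for name, lab in sorted(label_vnfs(CATALOGUE, 4).items(), key=lambda kv: kv[1]):
        print(f"#{lab}  {name}")
```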

[0077] Furthermore, step (5) is based on the intelligent deployment mechanism of GNN-DRL collaboration. The graph neural network (GNN) and the SFC deployment problem have a deep structural isomorphism. The core task of SFC deployment can be regarded as finding the optimal mapping and path planning for a service request graph composed of VNFs and their dependencies in a physical network topology graph composed of servers (nodes) and links (edges). This is essentially a complex graph-to-graph matching and embedding problem. GNN is a powerful reasoning tool for handling such problems: through the message passing mechanism, it enables the state of each node in the physical network, including resources, location, security labels, etc., to interact and aggregate with its neighboring nodes in multiple rounds, thereby learning the deep contextual representation of each node in the global network topology and resource competition environment. This means that when the GNN selects a deployment location for a certain VNF, it not only perceives the remaining resources of the target server, but also understands the link quality between the server and the security gateway, the compliance of the security domain to which it belongs, and the chain effect that the selection may have on the subsequent VNF deployment. This ability to jointly and nonlinearly model network states and constraints enables GNNs to surpass traditional heuristic methods or ordinary neural networks, outputting a holistic, coordinated, resource-feasible, and secure deployment scheme end-to-end in a single forward propagation. As a result, it closely meets the deployment requirements of SFC in dynamic and complex network environments in terms of solution quality, policy consistency, and decision efficiency.

[0078] Therefore, using GNNs as the core decision-making module of deep reinforcement learning agents has significant advantages, as shown in Figure 4. First, the current state of the dynamically changing network infrastructure and SFC request queue, including the resources of all servers, link states, VNF security labels, etc., is encoded into a heterogeneous graph and passed as input to the agent. The core of the agent is a graph neural network, which performs deep encoding of the input network state graph through message passing, extracting high-order representations of each network node and the global topology, thereby accurately capturing resource distribution, security constraints, and complex dependencies between components. These rich graph representations are then fed into a policy learning network (a fully connected network is used in this example), which calculates and outputs an optimal action, i.e., a complete SFC deployment scheme, including VNF placement and path selection. The agent applies this scheme to the environment, which updates accordingly and provides rewards and new states. Through continuous iteration of this process, the DRL agent, with the deep network insights provided by the GNN, gradually learns a high-order deployment strategy that can adapt to network dynamics, automatically balance multiple objectives, and inherently follow a micro-segmentation security policy, ultimately achieving autonomous, secure, and efficient network orchestration.

[0079] In this embodiment, simulation experiments were conducted to verify the actual effect of the present invention. To better illustrate the effect of the present invention, the algorithms of Base and Greedy were compared. The libraries used in our simulation experiments included pandas 2.2.2, stable-baselines3 1.0, numpy 2.1.2, networkx 2.8, gym 0.25.0, and tensorboard 2.18.0. The simulation environment was based on Python 3.8 and configured as a computer equipped with a 2.6 GHz Intel® Core™ i5-11400 processor and 16 GB of memory.

[0080] The experiment employed a classic NFV network architecture based on a Fat-Tree design. The network consisted of 12 to 50 servers, equipped with 10 to 30 CPU cores and 32 to 64 GB of memory. A single CPU core could process up to 1000 cycles per second. Each server's output bandwidth was configured at [100 Mbps, 100 Gbps]. The main effects included the following: (1) Deployment costs and cross-label risk costs. As shown in Figure 5, the Greedy algorithm, due to its greedy strategy of making immediate decisions, consistently exhibits the highest overall cost. This strategy ignores overall link optimization, resulting in dispersed VNF deployments and severe resource fragmentation, thus increasing communication link and bandwidth overhead. Simultaneously, its risk cost remains high because it does not consider cross-label security vulnerabilities. The Base algorithm optimizes path selection through intelligent VNF integration, achieving a lower deployment cost than Greedy. However, due to its lack of proactive adaptation to micro-segmentation security strategies, its cross-label risk cost is still significantly higher than that of the MSG algorithm. Although the MSG algorithm's deployment cost is slightly higher than the Base algorithm's due to the introduction of security label constraints, its cross-label risk cost is the lowest, demonstrating optimal security. Combining Figures 6 and 7, it can be seen that the MSG algorithm effectively demonstrates that a more advantageous overall security benefit can be obtained through moderate performance/cost concessions.

[0081] (2) Communication delay

[0082] A comparative analysis of latency performance is shown in Figure 6a. The data indicates that an SFC length of approximately 15 is the inflection point for latency performance, at which point all three algorithms reach their optimal levels. Too short an SFC makes it difficult to fully utilize the synergistic effect of network resources, while too long an SFC leads to a double increase in deployment complexity and accumulated transmission latency due to the increased number of VNFs, resulting in performance degradation. This illustrates the necessity of rationally planning the SFC length. Regarding the impact of the number of requests on latency (Figure 6b), as request volume increases, the latency of all three algorithms shows a slowing rate of increase due to server resource bottlenecks. Resource constraints lead to a larger physical span for VNF deployments, further exacerbating link communication latency. Nevertheless, the MSG algorithm maintains the lowest latency across the entire range, significantly outperforming the Base algorithm, which strongly demonstrates its superiority in latency optimization.

[0083] (3) Request acceptance rate

[0084] Regardless of changes in the number of requests and the size of server nodes, Figure 7 consistently shows that the Greedy algorithm maintains the highest request acceptance rate. This is because Greedy employs a first-match strategy, executing VNF deployment as soon as a suitable server node is found, without considering other performance metrics. Therefore, as shown in Figures 6 and 8, it performs poorly in terms of latency and average reward, essentially sacrificing overall performance for a higher acceptance rate. The MSG strategy proposed in this example consistently outperforms the Base algorithm in terms of acceptance rate, demonstrating that this method effectively improves request acceptance capabilities. Although MSG is slightly lower than Greedy in terms of pure acceptance rate, it significantly outperforms the Greedy algorithm in key performance aspects such as cost, latency, and reward, reflecting a more balanced performance trade-off and better meeting the needs of multi-objective collaborative optimization in real-world deployment scenarios.

[0085] (4) Average reward value

[0086] As shown in Figure 8, the MSG algorithm achieved the significantly highest average reward value in all experimental scenarios. From Figure 7a it can be observed that the average reward of all three algorithms decreases as the length of the Service Function Chain (SFC) increases. This is because longer SFCs impose stricter constraints on resource allocation and path selection. However, the MSG algorithm exhibits excellent robustness. As the SFC length increases from 5 to 30, the reward values of the Base and Greedy algorithms continue to decrease, while the performance curve of the MSG algorithm tends to stabilize. This indicates that MSG, through the relational reasoning capabilities of graph neural networks and the accurate modeling of security labels, can effectively address the resource orchestration challenges in complex SFC scenarios. As can be seen from Figure 7b, the average reward value of all three algorithms decreased as the number of concurrent requests in the network increased from 50 to 250. This reflects the impact of increased resource competition on deployment quality. However, the MSG algorithm maintained its leading advantage throughout. The MSG algorithm exhibited the smallest performance decline under high-load scenarios, demonstrating stronger scalability and load adaptability. This is attributed to the deep reinforcement learning agent's ability to continuously learn and optimize resource allocation strategies, achieving globally optimal decisions in dynamically changing network environments. The MSG algorithm demonstrated superior performance and stability under different SFC lengths and request loads, validating the effectiveness of the VNF security label clustering and graph neural network collaborative decision-making mechanism.

[0087] (5) Different cluster sizes

[0088] On the other hand, to further verify the rationality of the VNF labels, the impact of the initial K value of the VNF security labeling algorithm on the results was investigated. As shown in Figure 9, the data exhibits a trend of initial rapid increase followed by a plateau or even a decline, confirming the necessity of hierarchical labeling: when the number of clusters increases from 5, the reward value significantly improves, indicating that assigning differentiated security labels to VNFs provides agents with crucial security context information, enabling them to make more granular and secure deployment decisions. However, after reaching a cluster size of 15, the average reward value gradually decreases, suggesting that finer labeling is not always better. Too many security levels can lead to overly complex policies, potentially making it difficult for the model to learn effective general rules or generating unnecessary management overhead, thereby harming the overall optimization effect.

[0089] In summary, the experimental results show that the method described in this invention consistently maintains superior performance in terms of average service function connection success rate, average end-to-end latency, and average resource usage cost, effectively achieving a Pareto optimal balance between security, performance, and cost.

Claims

1. A method for intelligent deployment of SFC based on dynamic labels and GNN-DRL under a zero-trust architecture, characterized in that, The method includes: (1) Construct a zero-trust micro-segment network communication architecture, adopt a design that decouples the control plane and the data plane, and use a centralized SDN controller to uniformly perceive the network topology, issue micro-segment security policies and schedule computing and network resources; (2) Establish a physical network and service request model, abstract the underlying physical network into an undirected graph model, define the computing power of the node set and the communication attributes of the link set, and then establish an SFC service request model to describe the source node of the service chain, the logical dependency relationship of the VNF sequence and the traffic requirements. (3) Formulate a multi-objective joint optimization model to formalize the SFC deployment problem into a multi-objective joint optimization problem subject to dual constraints of resources and policies. The objectives include minimizing the total request response latency, weighted risk cost, and deployment cost, while satisfying resource constraints, bandwidth constraints, and latency constraints. The total request-response latency includes transmission latency, link propagation latency, total processing latency, and additional latency introduced by the micro-segmentation architecture, wherein the additional latency introduced by the micro-segmentation architecture... This refers to the verification time between virtual network functions with different labels, and its expression is as follows: in, It is an SFC request. VNF sequences, This represents the average verification time among virtual network functions with different labels. 
Indicates the first A label for a virtual network function; For SFC requests Security risks Defined as the sum of the cross-label communication risk weights between all adjacent VNF ​​pairs on this link: in, It is an SFC request. VNF sequences, It is the first in the sequence The label value of each VNF, For cross-label indicator functions, The risk weighting functions are defined as follows: in Indicates the first and the A label for a virtual network function; The deployment cost is expressed in the following form: The unit cost of bandwidth is The server startup cost is The unit cost of server resources is , Indicates SFC request Virtual network function Whether to deploy on server node superior, VNF Memory and CPU requirements, Indicates SFC request Should virtual links be enabled? Mapping to physical link The value can be either 0 or 1. Indicates the minimum required bandwidth; (4) Establish a VNF multidimensional feature security labeling mechanism: Introduce an unsupervised learning method based on K-means clustering to transform the multidimensional feature attributes of VNF into readable dynamic security level labels, which are used to identify the security domain affiliation of VNF instances; By using the message passing mechanism of graph neural networks to aggregate the state information of physical network nodes and their neighbors, high-order feature encoding of the physical network topology is performed to generate environmental state representation vectors with rich semantics, providing standardized data support for subsequent intelligent decision-making. (5) Construct an intelligent deployment mechanism based on GNN-DRL collaboration: Construct a collaborative decision-making framework of graph neural network and deep reinforcement learning. Use graph neural network to extract high-order features of physical network topology and SFC logical dependencies. 
The deep reinforcement learning agent receives the state features output by graph neural network and learns to generate SFC node allocation and link mapping strategies under the guidance of composite reward function through trial and error with the environment.

2. The SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture according to claim 1, characterized in that the method is based on the SFC service request information submitted by the user to the SDN controller. The SDN controller analyzes the user's demand characteristics and QoS constraints based on the service request information, including computing resources, bandwidth resources, VNF sequence logical dependencies and security level requirements. At the same time, it combines the physical network topology, the current resource load status of the nodes and the distribution of micro-segment security domains, and uses graph neural network and deep reinforcement learning collaborative technology to jointly optimize the deployment path and node allocation of the SFC.

3. The SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture according to claim 1, characterized in that the zero-trust micro-segmentation network communication architecture described in step (1) can effectively curb the spread of attacks within the network through fine-grained isolation strategies and dynamic trust assessment; and it supports flexible virtualization gateway deployment, which can dynamically adapt to the isolation requirements of services with different security levels and improve the network's ability to defend against lateral movement attacks.

4. The SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture according to claim 1, characterized in that, Step (2) represents the underlying physical network structure as follows: ,in Represents a set of server nodes. Let represent the set of physical edges, where Indicates the first Taiwan server, Indicates the first A physical edge; Each server can instantiate multiple virtual machines to support different types of Virtual Network Functions (VNFs). This represents the set of virtual machines that support these VNFs; The maximum amount of computing resources that each server can have is , These represent the number of CPU and memory resources, respectively, for each physical edge. Connecting two servers can be represented by a quadruple. , Representing physical edges The source node and target node, physical edge The maximum bandwidth capacity is The propagation delay is ; The SFC request set is represented as Each SFC request Represented as SFC request Passing through in sequence A VNF, Indicates the minimum required bandwidth. Indicates the maximum permissible end-to-end delay. It is an SFC request. The average arrival rate follows a Poisson distribution; SFC Request The VNF set is represented as ,in It is a request The first used Each VNF The memory and CPU requirements are expressed as SFC request The set of virtual edges connecting each VNF is defined as follows: ,in Indicates SFC request VNF With VNF The A virtual edge.

5. The SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture according to claim 1, characterized in that, In step (3), an SFC request is made. The expression for calculating the total response delay is: in, The additional latency introduced by the differential segmentation architecture is expressed as follows: Transmission delay The calculation formula is as follows: in, VNF Average transmission rate Indicates the data packet size; Link propagation delay The calculation formula is as follows: in Indicates the first The inherent propagation delay of each physical link; Total processing latency The calculation formula is: In the formula, It is a virtual machine SFC request VNF The processing delay.

6. The SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture according to claim 1, characterized in that the resource constraints in step (3) require that the total CPU and memory demand of all VNF instances deployed on a server node not exceed the maximum computing resources of that server; the bandwidth constraints require that the total bandwidth demand of all requests passing through a server node not exceed its maximum output bandwidth; and the latency constraints require that the total end-to-end latency of an SFC request not exceed its maximum allowed end-to-end latency.

7. The SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture according to claim 1, characterized in that, in the K-means clustering process, a multi-dimensional feature vector is first constructed for each VNF, covering its resource specification, the number and severity of its known vulnerabilities, its data sensitivity level, its network exposure surface and its compliance requirements; the distance between vectors is then computed so that VNFs with similar security features are placed in the same cluster; and, based on the risk level of each cluster centre, integer security labels are assigned to the clusters from low to high.

8. The SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture according to claim 1, characterized in that the composite reward function in step (5) comprises a latency penalty, a cost penalty and a cross-label risk penalty; the deep reinforcement learning agent continuously adjusts its policy from the feedback received during training and finally outputs a globally optimal SFC node allocation and link mapping scheme that accounts for both business performance indicators and the principle of micro-segmentation isolation; the policy network of the agent is a fully connected network which, after receiving the graph representation output by the GNN, computes and outputs the SFC deployment scheme; once the scheme is applied to the environment, the environment is updated and returns a reward and a new state as feedback, and the agent optimizes the deployment policy through iterative interaction.

9. The SFC intelligent deployment method based on dynamic tags and GNN-DRL under a zero-trust architecture according to claim 1, characterized in that the composite reward function is calculated as , where is the composite reward value, is the base reward value, , and are the latency penalty coefficient, cost penalty coefficient and deployment cost coefficient, respectively, is the total response delay of the request, is the weighted risk cost, and is the deployment cost.
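The following added example (not code from the patent) illustrates the labelling of claim 7 and the penalty terms of claims 8 and 9 on constructed VNF feature vectors: VNFs are clustered with a deterministic K-means and numbered by the risk of their cluster centre, after which a cross-label risk cost and a composite reward are computed for a candidate placement. The feature columns, the risk proxy for traffic crossing labels, and the "base minus weighted penalties" form of the reward are assumptions, since the claims' formulas are not reproduced on this page.

```python
import numpy as np

# Constructed VNF feature vectors (illustrative, not from the patent). Columns:
# cpu, mem, vuln_count, max_severity, data_sensitivity, exposure, compliance
VNF_FEATURES = {
    "cache": [4, 8, 0, 0.0, 1, 1, 0], "nat":  [1, 2, 0, 0.0, 1, 1, 0],
    "fw":    [2, 4, 2, 5.0, 2, 3, 1], "ids":  [4, 8, 2, 5.0, 2, 3, 1],
    "db":    [8, 16, 5, 9.0, 3, 0, 3], "auth": [8, 16, 5, 9.0, 3, 0, 3],
}
RISK_COLS = slice(2, 7)  # security-related columns used to rank cluster centres

def kmeans(x, k, iters=100):
    """Lloyd's algorithm with farthest-point initialisation (deterministic, numpy only)."""
    centers = [x[0]]
    for _ in range(1, k):
        d = np.min([((x - c) ** 2).sum(1) for c in centers], axis=0)
        centers.append(x[int(np.argmax(d))])
    centers = np.array(centers)
    for _ in range(iters):
        labels = np.argmin(((x[:, None, :] - centers[None]) ** 2).sum(2), axis=1)
        new = np.array([x[labels == j].mean(0) if np.any(labels == j) else centers[j]
                        for j in range(k)])
        if np.allclose(new, centers):
            break
        centers = new
    return labels, centers

def assign_security_labels(features, k=3):
    """Claim 7: cluster VNFs on min-max-normalised features, then number the clusters
    0..k-1 in increasing order of their centre's mean risk score."""
    names = list(features)
    x = np.array([features[n] for n in names], dtype=float)
    span = np.where(x.max(0) > x.min(0), x.max(0) - x.min(0), 1.0)
    cluster, centers = kmeans((x - x.min(0)) / span, k)
    order = np.argsort(centers[:, RISK_COLS].mean(1))      # low risk first
    rank = {int(c): r for r, c in enumerate(order)}
    return {n: rank[int(c)] for n, c in zip(names, cluster)}

def cross_label_risk(chain, labels, placement):
    """Assumed risk proxy: each virtual edge whose endpoints carry different labels and
    sit on different servers costs the label gap (traffic leaves its micro-segment)."""
    return sum(abs(labels[a] - labels[b]) for a, b in zip(chain, chain[1:])
               if placement[a] != placement[b])

def composite_reward(base, alpha, beta, gamma, delay, risk, cost):
    """Assumed form of the claim-9 reward: base reward minus weighted penalties."""
    return base - alpha * delay - beta * risk - gamma * cost
```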