Design Principles for AI-driven Zero-Touch Operations, Security & Trust in Multi-operator 5G Networks

Author: Gino Carrozzo, 5GZORRO Technical Manager, Nextworks s.r.l.

This blog article is an excerpt of a preprint version of the article G. Carrozzo et al., “AI-driven Zero-touch Operations, Security and Trust in Multi-operator 5G Networks: a Conceptual Architecture,” published in proceedings of 2020 European Conference on Networks and Communications (EuCNC), Dubrovnik, Croatia, 2020, pp. 254-258, doi:10.1109/EuCNC48522.2020.9200928.

The fifth-generation mobile communications (5G) demonstrated to be one of the main catalysts for the pervasive digitalisation of our society: ultra-high bandwidth, low latency and increased connectivity density are some of the main characteristics of 5G which Vertical industries are leveraging to implement innovative applications for business [EC5GCYBER].

Despite the considerable progress of the last few years, state of the art 5G networks nowadays (up to 3GPP Release 16) are not yet at the stage of complete achievement of all the challenging performance requirements and features promised, both in terms of specifications and prototypes and products. For example, 5G deployments today are occurring at limited scale (up to city-scope in various countries); most of the current releases target eMBB services with 5G NR but still do not allow coexistence of different types of vertical applications (i.e. eMBB with URLLC and/or mMTC, as per ITU classification); network slicing specified by 3GPP and network monitoring with analytics are not fully supported and do not span multiple operator domains; etc.

The standards communities, as well as research and industry, are continuing to work towards the realization of a number of additional evolutionary stages for 5G to achieve truly production-level support of diverse applications for various vertical industries.

The next challenge in 5G network management appears to be the implementation of highly pervasive shared network infrastructure, through a multiplicity of end-to-end network slices.

Differently from previous mobile network generations, 5G operators need to become capable of managing really complex chains of end-to-end services, built on assets from different resource providers for better CAPEX prospects, and are strongly driving their network and service transformations towards deep virtualization and sharing of resources being them from asset, computing, transport, radio and spectrum domain.

To realise this vision, the next generation 5G networks have to embrace full automation in network and service management and implement extensive zero-touch management approaches. Similarly, it becomes more and more critical to integrate 3rd-party resources (e.g., micro-data centers at smart city IT infrastructures like edge computing at street cabinets or at lampposts) and, thus, reach a truly ubiquitous edge computing environment.

Various analysts agree that only in this context it will be possible to deliver pervasive Business-to-Customer (B2C) and Business-to-Business (B2B) 5G services at reasonable prices and costs [NH5G]. All of this goes through the disruption of the traditional bilateral B2B models adopted by operators, which currently only implement sharing of passive infrastructure and roaming.

Also, for a profitable business in 5G, we need to develop a multi-party distributed model through which a large group of parties, from the traditional telecom operators to verticals/slice owners, spectrum-only owners, passive and active edge facility owners, wholesale fiber owners, etc, can establish cross-operator/cross-domain service chains, with security and trust.


5GZORRO is a Research and Innovation project funded by the European Commission as part of Phase 3 of the 5G Public-Private Partnership, which has been recently launched to specifically address the challenges of Zero-Touch Security And Trust For Ubiquitous Computing And Connectivity In 5G Networks.

5GZORRO incorporates solutions based on novel enabling technologies:


Operational Data Lakes which acts as logically centralized reservoirs of network operation data (e.g. resource monitoring, traffic captures, topology information, performance metrics, etc.) and can enable access, processing, aggregation, filtering of large sets of data via APIs;


Data-driven and AI-based solutions which can transform network orchestration and management into a cognitive process through which the network can self-adapt and self-react to changing conditions with minimal manual intervention. AI can also enable automatic and autonomous network operations following AIOps paradigm;


Distributed Ledger Technologies (DLT) which enable distributed security and trust across the multiple parties involved in the 5G service chain; 


Cloud-Native technologies which once integrated into SDN/NFV environments can increase the level of flexibility required by advanced 5G based services (e.g. for scalability, resilience).

The combination of these technologies is the basis for realization of the three main 5GZORRO innovations. 


The automatic (zero-touch) resource discovery is based on the extensive use of AIOps and DLT solutions. The main goal is, from the one hand, to allow different stakeholders to publish their own resource/service offerings and, from the other hand, to enable the business logic to automatically discover the most suitable set of resources while minimizing the human intervention. For the resource/service trading, 5GZORRO offers a set of modules that build a proper Marketplace Application where the business agent can discover and classify the available resources and services. Each resource/service offering published into the Marketplace is stored into the blockchain and becomes immutable, facilitating the process of discovery and classification and making it secure from a business point of view. The discovery and classification process can be hence completely automatized (zero-touch), directly affecting the way the various parties establish business relationships: offerings are clear, immutable and need no human interaction and/or offline negotiations. Further, the concept of Marketplace enlarges the set of network resources and extends it to abstractions like services and slices, opening the door to a new generation of network stakeholders beyond classical Telcos.


Once resources have been made available on the DLT-based resource catalogue and automatically discovered and classified, an automatic AI-based process can select the most suitable ones, request them from the owners and, after the business transaction has been fixed into the DLT, finally use them. The decision process is driven by analysing the historical information stored into the operational Data Lake, like costs and KPIs. Static rules can be set manually by the potential resource consumer that can act as a pre-filter, reducing the set of resources the AI-based agents can use for selection. The transactions are stored in the form of Smart Contracts, legally binding, automatically generated by the Platform when resources/services are requested for deployment, that also happens automatically. This last aspect involves also the lifecycle management of the resources/services, not only the deployment phase but also of the configuration and the optimization of the service based on the resource selected whose conditions are fixed into the smart contract. In particular, the Intelligent 3rd Party resource selection heavily applies the zero-touch management paradigm that guarantees that different resources/services offered by different providers (administrative domains) can be seamlessly composed (service creation/service stitching) across the different domains. AI-based mechanisms apply the correct configuration of the services/resources while guaranteeing that the Service Level Agreement is properly applied in all the parts of the service chain belonging to all the different domains. Special SLA monitoring mechanisms are implemented and will react in case of SLA breaching.  The application of the zero-touch paradigm dramatically reduces the time of resource/service negotiation between the involved parties: everything happens automatically, from the selection of the resources to the deployment of the services, passing through all the business and legal aspects. 


In view of enabling the automatic establishment of business relationships, 5GZORRO offers a mechanism that guarantees the trust and the security among the parties involved, with end-to-end security for the deployed services. Each stakeholder that wants to deploy a slice/service needs to be sure that all the resources/services provided by the 5GZORRO framework are secure and provided by trusted sources. The level of security and trust of each party is established in the smart contracts between the parties.
The way the different business parties can take advantage of the 5GZORRO approach is depicted in Figure 1.
As first step (see spot 1 in Figure 1), Operators use 5GZORRO DLT-Based marketplace to publish and to check for new resources (Zero-touch/Automated Resource discovery using DLT/BC). Resources (i.e. compute, storage, network at core, edge, far-edge), spectrum and services capabilities from different domains and service providers get automatically discovered and “inventorized”.
Then, in order to build a cross-operator service, the framework intelligence (AI) automatically selects proper resources (see spot 2 – Intelligent 3rd party resource selection) whose usage and chaining are automatically formalized through the mechanism of the Smart Contracts (see spot 3 – Trust establishment among multiple parties). Trust establishment among the multiple parties will be established via Blockchain, a distributed ledger technology which allows managing the complexity of a multi-stakeholder framework. In fact, Blockchain does not request trust a priori between involved parties (i.e. among Telcos, or between Telcos and Customers), and it can implement automated settlements among the parties by using Smart Contracts.


Figure 1: Zero-touch/Automated Resource discovery (1), Intelligent 3rd party resource selection, request and access/usage (2) and Trust establishment among multiple parties (3) in 5GZORRO.

Once resources are discovered and selected, network slices and network services can be managed across various administrative domains, making use of:

  • Efficient Day-0 operations (i.e. instantiation) with
    • Seamless use of heterogeneous virtualization platforms (VMs, containers, interconnected with various levels and forms of service meshes)
    • Use of different 5G radio spectrum from different licensed owners
    • Onboard functions and services defined by multiple providers with security and trust
    • Resource placement, spectrum use and service composition (stitching) across various domains
    • Service Function split and related service mesh networking with efficiency with respect to KPIs
  • Intelligent Day-1 (i.e. configuration) and Day-2 (i.e. optimization) zero-touch actions, which leverage on AI and ML techniques to process the monitoring information from the various service domains and, consequently
    • optimize network lifecycle management
    • implement SLA monitoring across the multi-party service chain
    • maintain the appropriate security, privacy and trust

Such a multi-party scenario from 5GZORRO heavily builds on the principles of virtualization, SDN, NFV, MEC and end-to-end slicing, for the demonstrated advantages that these technologies can bring. Nevertheless, and more than ever, security and trust become essential assets to initiate and ensure reliable and secure operations between these enabling technologies. In fact, 5G networks can be sliced into uniquely purposed slices, and due to the scale of expected deployments (1000s of virtual functions distributed over very large virtualized infrastructure footprint) it is mandatory to embrace intensive automation for both the service lifecycle management (instantiate, configure, optimize, release) and the verification that deployed functions have been originated by verified and trusted origins (attestation), and can be securely included in the service chain without harming the infrastructures and other slices/services.
It is important to note that security and zero-touch automation aspects have been generally addressed as distinct parts of network and service management up to nowadays, thus leading to different non-integrated solutions. For example, also the ETSI ZSM [ZSM] Terms of Reference do not mention security as a key motivation neither a Work Item is active/planned in ZSM Industry Study Group on the topic.


The 5GZORRO conceptual architecture presented in Figure 2 follows a principle of service-based architectures similar to the 5G Service-based architecture [3GPP-5G], and the ETSI Zero-touch Network and Service Management [ZSM].


Figure 2: Conceptual architecture of the 5GZORRO platform

Through a Permissioned Distributed Ledger infrastructure, 5GZORRO offers services for:

  1. Smart Contracts Management;
  2. Resource Discovery Brokering;
  3. Intelligent 3rd-party virtual resource selection;
  4. Spectrum trading and sharing;
  5. Secure SLA Monitoring.

Within the platform, the realization of these services is made possible through the interaction of various functions for slice orchestration, Network Intelligence and analytics, Security Trust, Management of Service virtualized Resources, all executed for multi-domain and single-domain scope.

The architecture implements the concept of sharing operational data across the whole system in a logically centralized data reservoir (a.k.a. Data Lake), so that multiple asynchronous management components may act upon this shared data pool towards optimizing a target set of KPIs. To facilitate open data sharing, Permissioned Ledgers are used for governance of and accounting for data use.

The 5G Operational Data Lake component is populated with data channelled by management services of Inter-domain Layer on behalf of domain-specific management services running in every domain of the Single Domain Layer. It will provide APIs for adding, processing (in place) and retrieving data for analytical processes. These APIs can be invoked by the management components in the Inter-domain Layer and by the service components in the Evolved 5G Service Layer without incurring any unneeded coupling between the data providers and the data consumers.

The 5G Permissioned Distributed Ledger component ensures the aforementioned interoperability by providing data governance, multi-party trust, and accounting for data usage by different participating parties.

A set of common best practices in the design of automated systems implementing zero-touch service orchestrations have been adopted to design the 5GZORRO architecture.

    • 5GZORRO builds as a Service-based architecture, as in 3GPP and ETSI ZSM;
    • 5GZORRO must allow Separation of responsibilities & scopes per domain/inter-domain;
    • 5GZORRO architecture needs to be Modular and Scalable to offer self-contained services, which can be independently deployed and scaled;
    • 5GZORRO architecture needs to be Extensible, to allow to add new services, capabilities and service end-points in a pluggable manner, without requiring changes to existing designs, implementations and interactions;
    • 5GZORRO architecture needs to be a Model-driven architecture with open interfaces, which uses information models to capture the attributes and supported operations of the managed objects. The information models and interfaces are independent from implementation and are modelled in YAML and Open API specification to facilitate portability and reusability;
    • 5GZORRO needs to adopt Communication Fabric mechanisms to implement both publish-subscribe patterns and direct invocations among functions for:
      • Network Slice lifecycle management;
      • Service and resource discovery/management;
      • Network analytics;
      • Security & Trust;
    • 5GZORRO architecture needs to be a Distributed architecture with instances in all domains of the involved 5GZORRO parties;
    • 5GZORRO architecture needs to include a Distributed Trusted data layer for SLA enforcement, resource discovery and smart contracts management implemented through Permissioned Distributed Ledger Technologies;
    • 5GZORRO architecture needs to include an Operational Data Lake capable to collect telemetry data from various domains and services and to implement AI-driven insights on service, resource and infrastructure operations.

In the next blog post, we will present the specific functional modules of the 5GZORRO high-level architecture to offer more insights into the designed services and offered interfaces.

The architecture and its corresponding platform modules are under development by the 5GZORRO project consortium, with initial prototypes of core components planned for release in Q2- 2021.

Follow our updates on and on GitHub at


[EC5GCYBER] EC Recommendation: Cybersecurity of 5G Networks. European Commission, Strasbourg 26.03.2019, available online at, last accessed 30-Nov-2020

[5GPPP-ARCH] 5G PPP 5G Architecture Working Group, White Paper – View on 5G Architecture version 3, July 2019, available online at, last accessed 30-Nov-2020

[NH5G] 5GCity project whitepaper, Enabling 5G Neutral Hosts: 5GCity Architecture and Business Model version 1, available online at, last accessed 30-Nov-2020  

[ZSM] ETSI Zero touch network & Service Management (ETSI ZSM), available online at, last accessed 30-Nov-2020

[3GPP-5G] 3GPP Technical Specification 29.500, 5G system, technical realization of service-based architecture, available online at:,  last accessed 30-Nov-2020

Follow our updates on 


We use cookies (and other similar technologies) to collect data to improve your experience on our site. By using our website, you՚re agreeing to the collection of data as described in our Data Collection Policy.