On Credibility-Based Service Function Chain Deployment

With the advancements of Software Defined Networking and Network Function Virtualization technologies, users can access the software-based service function chain (SFC), which is composed of multiple sequential virtual network function (VNF) nodes. Although SFC is more flexible and adaptive in terms of design and deployment, the security risks should not be underestimated. At present, there is a lack of security or risk assessment for SFC, and SFC deployments rarely take their security into account. However, vulnerabilities and risks can cause VNF node failure during operation, which can lead to issues such as disruptions in SFC service and user data leakage. This paper proposes the concept of SFC credibility, which quantifies the authenticity, availability, and reliability of the VNF nodes from both time and space dimensions. Then, a hierarchical credibility evaluation model is built such that VNF nodes can be selected for the user based on their trustworthiness. A credibility-based deployment strategy is further designed for SFC and the corresponding VNF forwarding graph. Furthermore, a comparative study with three existing deployment strategies has shown the advantages of the proposed method. The extensive experimental results demonstrate the improved trust degree and the acceptance rate of SFC with a limited budget.


I. INTRODUCTION
In the era of fifth-generation (5G), Software Defined Network (SDN) and Network Function Virtualization (NFV) are becoming a research hotspot. To dynamically and centrally schedule the user traffic, SDN technology separates the control and forwarding planes of network equipment. NFV makes use of virtualization technologies to divide the functions of each network node into separated blocks. These functional blocks are carried out in software, and are no longer confined to the hardware structure [1]. As shown in the NFV network operation architecture of Fig. 1, the SDN controllers are available in all types of networks. The network functions of Metropolitan/Local Area Network (MAN/LAN) and service requests from enterprise/home users are implemented by virtualized software.
In a virtualized network, the user requests may need to go through different network functions. In general, the sequence of those network functions is specific, and the path formed by different network functions is called Service Function Chain (SFC) [2]. To provision customized and flexible services, users and operators can identify business requirements and create virtual network functions (VNFs) on the SFC with the aid of SDN and NFV. The SFC represents the type and order of VNF through which the data stream needs to pass. VNF Forwarding Graph (VNF-FG) is also a logical topology diagram used to represent the VNF connection relationship and flow direction. It can contain multiple SFC flows and provide multiple services. At present, SDN/NFV based SFC deployment has been applied in more and more scenarios, but the security risks incurred in the deployment process should not be undervalued.
As compared with the relatively reliable hardware equipment, software-level VNF is more vulnerable, which also exacerbates the reliability risk of the network [3]. Since the software is uploaded to the hardware node to run, the VNF failure may come from the VNF itself or the failed physical node. The resulting fuzzy VNF security boundary makes it challenging to control and eliminate the vulnerability. These uncertain threats or risks will cause VNF node failure and SFC breakage, which can further lead to service interruption, resource depletion, and user data leakage. For example, the interfaces to the virtualized network resources can be exposed when we create and manage virtual slices on top of the physical infrastructure. Moreover, the VNF equipment is also vulnerable to attacks such as Hardware Trojan Attacks, Eavesdropping Attacks, and Routing Attacks [4]. In addition, the security management in the virtualized environment is difficult, because we need to maintain end-to-end security, including end-user security, network security, and the security of the virtualized and physical resources [5].
Although the security problem has become increasingly prominent, it is rarely considered in the deployment process of SFC, and the security assessment mechanisms are also lacking. Considering various factors that impact the security and reliability of VNF and SFC, we propose a quantifiable security assessment method, and based on this method, the service function chain is further deployed. Aiming at the existing security problems in the SDN/NFV environment, we focus on improving the robustness and reliability of SFC by evolving from "passive defense" to "active security". In conclusion, the main contributions are as follows: • The credibility of SFC is proposed as the probability that a service function chain can provide reliable services for users and keep them from being attacked. The corresponding evaluation paradigm is designed to measure credibility from three comprehensive aspects: authenticity, availability, and reliability, such that VNF with high credibility is relatively more secure. • For the reliability aspect of SFC credibility, a unique reliability index model is constructed. By investigating the data security, defense measures, virtualization, and access control of VNF, the analytical hierarchy process can reflect the reliability of VNF more comprehensively and objectively. • According to the evaluation paradigm of credibility, we proposed an SFC deployment strategy. Different from the current strategy, this method comprehensively considers the authenticity of nodes, the availability of resources, and the reliability of VNF. Compared with the other three strategies, our approach can effectively enhance the robustness and acceptance rate of SFC. The rest of this article is arranged as follows: Section II introduces the related work on trust evaluation and optimization of SFC. Section III describes the credibility evaluation paradigm. Section IV introduces the reliability index model. Section V describes the credibility-based SFC deployment algorithm. Section VI presents the results of relevant simulation experiments. Finally, Section VII concludes this paper.

A. TRUST EVALUATION
Trust plays an essential role in supporting systems to overcome uncertainties and risks [6]. The trustworthiness of wireless networks involves relationships among different network entities. At present, trust evaluation has been widely adopted in various aspects of wireless networks, such as data collection, clustering, data fusion, access control, malicious node identification, intrusion detection, and other fields [7]. 1) Trust in wireless networks is a fuzzy concept and many researchers are devoted to quantifying it. The difficulty of this line of works lies in designing a reasonable method capable of proving the validity of the quantitative results. [8] designed cooperative relationship, reward system, and other calculation models, and carried out clustering by support vector machine (SVM) to improve the accuracy. [9] focused on the confidentiality of the network, and used the grey clustering method to measure the relevant indicators. The algorithm in [10] is the aggregation of qualitative evaluation and quantitative evaluation. This method quantifies the coefficients such as loss and threat value according to the attack graph, constructs the risk assessment function with the quantified results, and then divides the risk value into different security levels.
2) Since trust is mutual, many studies have focused on measuring trust relationships among nodes. In this kind of research, the emphasis is on the objectivity of trust evaluation, and the complex attributes of trust can be categorized into direct trust and indirect trust. The algorithms adopted include the entropy weight method [11] and genetic algorithm [6]. [12] proposed a distributed method which depends on the properties and recommendations of the node.
3) Beyond that, many studies focus on trust differently. [13] proposed a trust model framework based on the blockchain, [14] proposed an information theory framework based on entropy weight and probability, both of which are used for malicious node detection. With the application of machine learning more and more widely [15], many methods have been applied to security assessment. [16] studied the information model of security situation based on XML and chooses the support vector regression machine to predict the network security situation and determine the parameter values. [17] focused on the impact of time on trust evaluation and proposed a trust evaluation model based on the time frame. In addition, security and risk assessment methods are gradually applied to the cloud computing environment [18]- [20].
Although SDN and NFV bring new features to the network, and the design of SFC is free from the limitations of hardware, there is still a lack of network security or trust evaluation method and metrics. Without a specific assessment method for SFC security and reliability, there is no foundation for service function chain deployment from the security perspective. Nowadays, security in SFC has become a fuzzy concept, and it is challenging to carry out a theoretical analysis of the security level of deployed SFC.

B. OPTIMIZATION OF SFC
At present, researches on the optimization of VNF/SFC can be broadly divided into three categories. 1) The first research direction focuses on improving reliability by increasing redundancy/backup [21]- [23]. Generally, the controller deploys a certain number of backup VNFs near the present VNF node. When the present VNF does not work, backup VNF nodes will be activated. However, no matter how precise the replacement algorithm is, the backup process is passive and occurs only after VNF's failure. This leads to discontinuity of services and excessive consumption of resources [24]. 2) The second direction focuses on security optimization based on the idea of mimicry defense, which can increase the difficulty of attacks and reduce the probability of a successful attack [25], [26]. However, this method can cause a big waste of communication resources, and in some cases, it may not be worthwhile to exchange communication resources for reliability. Consequently, some scholars also combined the above two methods [27], [28].
3) The third method is based on the idea of joint optimization of various aspects of the wireless networks, including reliability, availability, communication resources, and radio resources [29]- [32]. The joint optimization of the SFC is carried out by ensuring indicators such as end-to-end QoS are satisfied. However, the reliability is measured by where t nor represents the uptime of VNF, and t en represents the entire working time of VNF. This metric is not a convincing or fundamental generalization. Because it only focuses on the results (reliable or unreliable), rather than on factors that affect reliability. Furthermore, other authors [33] improved the reliability of SFC through various deployment algorithms. Several NFVbased use cases of ETSI records were studied in [34], and security mechanisms such as identity and access management (IAM), intrusion detection and intrusion prevention (IDS/IPS), network isolation, and data protection were considered. [35] proposed the performance metric of reliability, meta-distribution. And analyzed the reliability of heterogeneous networks based on random geometry. To sum up, most of the research works still adopt the after-action remedy, which fails to fundamentally solve the SFC optimization problem from the perspective of VNF/SFC's security mechanism.

III. CREDIBILITY EVALUATION PARADIGM OF VNF
To quantify the trust of a VNF, credibility is defined as the probability that a node can provide a trusted service within a given time duration, where nodes with higher credibility are more trustworthy and secure. By considering various securityrelated factors, such as the type of the physical nodes and the number of resources provisioned by the VNF instance, the credibility evaluation paradigm consists of three metrics: authenticity, availability, and most importantly, reliability. The authenticity and availability measurement will be introduced in this section and the reliability evaluation model will be introduced with details in the next section. And Important notations in this paper are summarized in Table 1.

A. AUTHENTICITY EVALUATION
From starting up to work, the security check phase of a VNF ought to encompass the following sequential steps: r Secure boot α: The secure boot refers to check for VNF when the VNF is starting. α ∈ [0, 1] represents the probability that a VNF is safe at startup, which depends on the certificate of faith of every software. Unless checked from the startup, we can no longer assure authenticity from the root [36]. Secure boot is the first line of protection and lays the groundwork for subsequent security assessments.
r Node authentication β: VNF is a functional block that works on the physical node. Only through the authentication of the physical node can the VNF be assured to be authentic and reliable. The authentication result can be either β = 1 (certified) or β = 0 (not certified). This step is very important because the virtual machine and user information can be loaded onto the certified node only.
r Integrity test γ : The purpose of the integrity test is to prevent a potentially malicious VNF from participating in the deployment of SFC. The result γ ∈ [0, 1] indicates the security level of the VNF, where γ = 1 means no threat. An integrity test is divided into boundary integrity test and internal integrity test. The security boundary of a VNF can separate itself from the external environment, which could be a potential point of attack. On one side of the boundary is the attacker and on the other side is the information and data within the network. With business increases and technologies involves, the wireless networks are more heterogeneous, and the corresponding security boundaries are becoming fuzzier. A boundary integrity test can indicate whether the virtual machine's network boundary is separated from the exterior network. The internal integrity test mainly checks the presence of hazard code, vulnerabilities, injected unfamiliar information, and the presence of malware in VNF. For instance, [36] proposed an internal integrity test by monitoring whether the operating system kernel has been modified. The above three steps will be executed in sequential order, and if one step fails, the subsequent steps will be aborted. We propose to define the authenticity of the NFV as a single parameter A ∈ [0, 1], which is defined as follows: where A represents the authenticity of NFV. where A will be 0 when any step fails, and the value will be higher only when all of the three steps have high authenticity.

B. AVAILABILITY EVALUATION
Availability refers to the probability of a trusted service being ready for use [37]. It is generally proportional to the sizes of various available resources, including CPU space, memory size, hard disk capacity, and network flow. Although there is no sequential restriction on availability between the different factors, they are Interrelated and mutually restrictive. For example, if the CPU spare space is too small, the VNF cannot be used properly even if the memory size is really large. This is shown as low availability. So, we still represent availability as a product of these factors.
where V represents the availability of the NFV, V CPU represents CPU spare space, V MEM is the remaining memory size, V DSK represents remaining hard disk capacity, V NET represents the available network flow.

C. RELIABILITY EVALUATION
Reliability indicates the probability that the VNF will work normally. Traditionally, reliability is described as the ratio between the uptime to entire working time, as shown in (1). However, this definition is only one-sided and does not capture the essence of reliability. In this paper, we propose a hierarchical reliability index model detailed in Section IV.

IV. RELIABILITY INDEX MODEL
Analytic hierarchy process (AHP) can transform complex decision problems into quantitative analysis problems through matrix operation. It is often applicable in problems with complex hierarchical structure and difficult quantitative evaluation [38]. IAF of ENISA [39] and FedRAMP [40] of USA have both studied risk control and security assessment of networks. In order to build a secure and reliable network environment, both of them also put forward the index requirements for security assessment, which is worth our reference. In this section, according to our research experience in the field of SFC and NFV, we built the reliability index model based on AHP by referring to the index of security assessment designed by ENISA and FedRAMP.
According to the index model, the reliability calculation process of VNF is shown in Fig. 2, which is described in detail below.

A. ESTABLISH A INDEX MODEL
The reliability of VNF can be divided into four basic factors: data reliability, protection reliability, virtual reliability, and access reliability. The data reliability refers to whether the VNF can effectively protect the user's personal information and the data required by the service. Protective reliability can indicate the ability of VNF to protect against potential attacks. Virtual reliability represents the security at the software and virtualized levels. Access reliability means the access control capability of VNF. Each basic factor contains the corresponding impact factors. As shown in the following three-layer index model in Table 2, where the top layer is defined as reliability, the second layer is the basic factor, and the third layer includes various impact factors.

B. ESTABLISH A JUDGMENT MATRIX
To quantify the reliability of an NFV node, we adopt the idea of fuzzy comprehensive evaluation method [41] to carry out where n is the total number of impact factors in Table II, and s i j is the relative importance of impact factors i and j. The above formula indicates s i, j = p i /p j , with p i and p j being the importance of impact factors i and j, respectively.

C. WEIGHT ALLOCATION
Consistency test [42] is needed to determine whether the weight matrix is accurate and available. The specific calculation steps are as follows: 1) Find the Maximum Eigenvalue λ max of Matrix S and Its Corresponding Eigenvector e λ = (e 1 e 2 · · · e n ); 2) Normalize E λ ; 3) Calculate Consistency Index (CI); N is the dimension of the matrix. 4) Calculate Consistency Ratio (CR); Consistency ratio (CR) is the ratio of consistency index (CI) to random index (RI) for the same order matrices. Table 3 shows the random index corresponding to consistency index in this case study. The judgments are acceptable when CR is less that 0.1. In general, the consistency shows the degree of relation and relevance with respect to the main factors.  After passing the conformance test, the weight is assigned by eigenvalue method. We suppose that the maximum eigenvalue is λ max and the corresponding eigenvector is E λ = (e 1 e 2 · · · e n ). By normalizing the element values in the eigenvectors, the final weight values of all the impact factors in the basic factors can be obtained.

CR = CI/RI
Further, we can get the weight matrix W = (w 1 w 2 · · · w n ).

D. ESTABLISH EVALUATION MATRIX
After that, the specific situation of the impact factor should be evaluated. The evaluation level v is divided into 5 items. Define the assessment score as f (v). Table 4 shows the respective values of f (v). An impact factor u i j (i = 1, . . ., m; j = 1, . . ., n) belong to the basic factor i, where m and n are the numbers of basic factors and impact factor, respectively. The division value of v k (k = 1, . . ., 5) is obtained as follows: The influence factor u i j needs to be graded by different experts or artificial intelligence machines. ξ k refers the time that u i j is graded in v k (k = 1, . . ., 5), and ι i jk refers the weight. So the evaluation set of u i j is Further, the evaluation set of all the impact factors of the basic factor i is obtained, thus we will obtain the total evaluation matrix.
In this paper, n is 4 and m is 4.

E. CALCULATE THE EVALUATION RESULTS
It is known from step C that the weight matrix is W = (w 1 w 2 w 3 w 4 ). And W i = (w i1 w i2 w i3 w i4 ) is defined as the weight vector of the basic factor i. Reliability evaluation set of basic factors i is obtained as follows: H i is the reliability evaluation set of basic factors i, and (ι i1 ι i2 ι i3 ι i4 ι i5 ) correspond to the division value of evaluation level v k (k = 1, 2, 3, 4, 5) respectively. Similarly, the above steps are carried out among the basic factors to obtain the reliability evaluation set H of VNF. 1, 2, 3, 4) is the reliability evaluation set of every basic factor. Finally, the reliability of a VNF is calculated as In addition, the reliability evaluation results obtained by this method are independent of the dimension of the matrix. In other words, when the factors affecting the reliability of VNF change (increase or decrease), it can also be calculated by this method.

F. CREDIBILITY EVALUATION
With the above analysis of three aspects: authenticity (A), V (availability), and R (reliability), the complete credibility evaluation model is shown in Fig. 3. In particular, the credibility of VNF can be obtained as follows.
where the authenticity is the basis for VNF security and trust, when value of authenticity is 0, the value of credibility should be 0. With different situations (applications), the availability and reliability are assigned different weights ω v and ω r . To make sure the values of availability and reliability are comparable, the availability of each VNF can be normalized as V nor = V/V max , where V max represents the maximum availability in the VNFs in the whole network. The credibility of the deployed SFC is where E (·) means to take the average credibility of all VNF instances in the SFC.

V. CREDIBILITY-BASED SFC DEPLOYMENT STRATEGY
In this section, we designed a credibility updating algorithm and an SFC deployment strategy according to the proposed credibility evaluation paradigm.

A. CREDIBILITY UPDATING ALGORITHM
The credibility of VNF is online and dynamic, and evaluation update method is very important for the deployment of SFC. Without appropriate update mechanism, the changes of nodes and the dynamic behavior of VNF can not be detected timely. Consequently, the efficiency of SFC will decrease, and it is  also easy to be attacked by disguised malicious VNF nodes. Different from traditional updating when VNF fails, we adopt sliding window and event triggering mechanism for the credibility updating algorithm.
Step 1: Every VNF is graded according to credibility evaluation paradigm. The VNF level is shown in the Table 5.
Step 2: The sliding window updating mechanism is adopted such that past credibility of a node can impact on the current results. For instance, with a window size of 3, the credibility T i of time i is calculated as (16) where T i represents the credibility updated by sliding window algorithm, and ϕ i represents the weight of time i. For each timeslot, the credibility is updated once and the corresponding VNF level is changed as well.
Step 3: we define a trigger event called "skipping". When the level of VNF in time i is different from the time i − 1, it is in the state of "skipping". In this state, we update the credibility by (17) where e represents exponential, and α represents different proportions. The slope of f (x) = e x at 0 is 1, which guarantees a fast-fall and slow-rise characteristics. We can adjust the value of α for better optimization when level is up or down. After a period of delay time k, switch back to sliding window mechanism. The reason Why we not switch to sliding window mechanism immediately is to prevent malicious nodes from posing as good nodes and then start to attack.

Require:
The size of window, size; The current timeslot, i; The level of VNF at timeslot i, grade i The credibility of VNF at timeslot i, T i The delay time, k 1: Calculate credibility by credibility evaluation paradigm. 2: if i >= size then 3: for each i do 4: Calculate credibility by sliding window mechanism. 5: if grade i = grade i−1 then 6: Calculate credibility by skipping mechanism. 7: Initialize delay time clock. 8: end if 9: end for 10: if clock ≥ k then 11: Switch to sliding window mechanism. 12: end if 13: end if 14: Update the credibility of VNFs; 15: return T ; The credibility updating algorithm is given in Algorithm 1. For each time i, the time complexity of our algorithm is O(n) and the space complexity is O(1).

B. CREDIBILITY-BASED DEPLOYMENT STRATEGY
Finally, we propose a SFC deployment strategy according to the credibility evaluation paradigm. In the VNF-FG, we consider the credibility of VNF. In this way, a safe and reliable VNF can be fully selected. As shown in Fig. 4, where SRC represents the source and DST represents the destination. Maintains a table that records VNF credibility in the network. Require: The set of nodes, Node n ; The matrix of bandwidth, B nn ; The set of deployment requests for the SFC, Re m ; Ensure: The set of deployment instances for VNF, In; The matrix of VNF's deployment location, loc nn ; The matrix of network flow, f low nn ; 1: Initialization parameter. 2: for each re ∈ Re m do 3: for each v ∈ Node n do 4: Calculate the distance from the source node through v to the destination node. 5: end for 6: Sort the nodes according to the sum of their distance from source to destination. 7: Sort the nodes according to credibility. 8: for each n f ∈ In do 9: for each v ∈ Node n do 10: if the same type of n f is deployed then 11: break; 12: else if the CPU of v > the CPU of n f then 13: Register nd in In; 14: the CPU of v -= the CPU of n f ; 15: end if 16: end for 17: Update B nn , f low nn , and loc nn ; 18: end for 19: end for 20: return B nn , In, loc nn , f low nn ; For each SFC deployment requests, select the VNF in various types with high credibility to participate in the deployment. The pseudocode for the entire selection process is given in Algorithm 2.
For each service function chain deployment request, the time complexity of our algorithm is O(n 2 ) and the space complexity is O(n 2 ).

VI. NUMERICAL SIMULATION
Physical network: We used a network map of 50 nodes in the simulation. Each physical node provides different resources for VNFs (such as CPU, memory, and so on). These resources have different sizes and are used to instantiate and process data. To simulate the complexity and variability of a real deployment environment, we randomly generates the values of properties related to the authenticity, availability and reliability of each node and VNF instance. Then we used above data to calculate the credibility of each VNF.
SFC requests and VNF forwarding graph: Because the user's services and the function of VNF instance are various, each SFC request is composed of 2-4 VNFs in series. And in the VNF-FG, five types of VNF instances are placed in the physical network to meet the requirements of different services. CPU and other resources required by each VNF are also randomly generated by MATLAB.
Simulation and Results: In this paper, we propose a credibility evaluation paradigm and a credibility-based deployment strategy (CBDS). Firstly, we simulate the feasibility of paradigm, and illustrate the advantages of the updating method Algorithm 1 by comparison. Then, we compare our CBDS algorithm with other three algorithms to prove its superiority. The other three algorithms are based on minimum deployment costs (MDC), TOPS algorithms proposed by [31], and random deployment strategy (RDS), respectively. TOPS algorithms minimize bandwidth resource consumption while optimizing CPU and link utilization. While MDC algorithms tends to choose the VNF with the lowest deployment costs.
In this paper, we use MATLAB and Python to simulate and analyze the result. We first use MATLAB to complete the simulation of Algorithm 1, then use Python to complete the simulation of Algorithm 2, and finally use MATLAB to analyze and compare the data. The considered parameters in numerical results are shown in the Table 6.

A. UPDATING ALGORITHM
In this subsection, we simulate our updating algorithm, sliding window with skipping (SWWS), and compare with two other  algorithm. One is No-sliding window (NSW) and anothor is sliding window (SW) method proposed by [12]. We randomly generated all the values required by credibility evaluation paradigm and simulated the attack process. And we carry out 100 simulations to get the average value.
We simulate the scenario in which a factor of VNF is attacked, as shown in Fig. 5. The simulation duration was set to 200 seconds. VNF is attacked at 150 seconds. Compared with NSW and SW, our update method would further amplify the negative impact of this attack by rapidly decreasing the credibility. When SFC is deployed, the probability of the attacked object being selected will be greatly reduced to achieve the purpose of active defense.
On the contrary, when VNF credibility is increased (this increase may be due to successful defense or malicious VNF fraud, etc.), according to our algorithm, the increase will be reduced when grade skipping occurs, and it will be restored to the sliding window algorithm after a delay time k. The whole process is shown in Fig. 6. The advantage of this is to prevent malicious VNF fraud. When the malicious VNF defrauds the trust of the SFC, it will participate in the deployment of the SFC. And that's when they might attack. Slowly increasing the credibility of VNF so that it will not be a priority option, and the delay time k can further reduce the probability of this fraud attack. This situation is shown in Fig. 7, the malicious VNF pretends itself to be a normal VNF at 100 seconds and attacks at 120 seconds.

B. CREDIBILITY
In order to calculate the credibility of SFC in different deployment algorithms, we deploy different numbers of SFC in turn and compare the advantages and disadvantages of them. Fig. 8 shows that the credibility of CBDS is significantly higher than other algorithms. When deploying 10 SFCS, it increases by 18% compared with the MDC, 24% compared with the TOPS and 19% compared with the RDS. However, with the increase in the number of deployed SFC, the advantage of CBDS gradually weakens. This is because when multiple SFC are deployed at same time, the nodes with higher trust are already used or the CPU is full, so the nodes with low credibility will participate in the composition of SFC. But even with 50 SFC deployments, CBDS is still more than 10% higher.

C. YIELD RATE
To measure the balance of credibility and VNF deployment costs, we propose to use "yield rate" to evaluate the benefit.
where, θ represents the total trust gain of VNFs in a SFC, namely the total credibility of VNFs, and cost represents the deployment cost of VNF instances. Fig. 9 shows that CBDS deliver trust benefit of 14% higher other algorithms averagely. This indicates that for all VNF, the trust benefit of the whole VNF instance is improved by   CBDS. When the number of SFC is less than 30, the yield rate of CBDS is significantly effective, while when the number of SFC is greater than 40, the effect of CBDS is not obvious.

D. DEPLOYMENT COST
We also compare the VNF deployment cost and bandwidth cost in different quantities of SFC. In the numerical simulation, the deployment costs of different kinds of VNFs is various, and the bandwidth cost is proportional to the distance between VNF. Fig. 10 shows that when the number of SFC is beneath 40, the cost of deploying VNF instances is similar, and when the number of VNF instances increases, CBDS will increase.
The identical is authentic in bandwidth consumption. When the number of deployed SFC is beneath 30, the bandwidth consumption is the same. Fig. 11 shows that solely when the VNF instance is increased to 40 does the bandwidth cost of CBDS increase. Both of the above display that CBDS does not cause excessive cost increases when deploying VNF instances inside an appropriate threshold. Combined with Fig. 9, this shows that while CBDS increases the cost of deployment and bandwidth to some extent, it is worth the cost for security. This is additionally illustrated by means of the yield rate.

E. ACCEPTANCE RATE
Different scenarios have different requirements for security and trust. In order to meet the trust requirements of different scenarios, there is usually a minimum threshold for credibility. When credibility is below this threshold, the SFC is not accepted because its credibility does not meet the trust condition of the deployment scenario, on the contrary, it is accepted when its credibility is greater than the threshold. Hereby, we compare the acceptance rate of SFC deployed by different algorithms or different credibility requirements. Fig. 12 shows that CBDS can significantly improve the acceptance rate of SFC. CBDS preferred VNFs with high credibility to form SFC and provide services for users. According to the algorithm in this paper, credibility synthesizes the identity authentication of nodes, availability of resource and reliability of VNF, while other existing algorithms only pursue deployment overhead or available resources, so the acceptance rate of CBDS is significantly higher than that of other existing algorithms. When the credibility requirement is greater than 0.85, this advantage of CBDS is obvious and is 5 times higher than other algorithms. And with the reduction of requirements, the advantages of the trust algorithm still exist.

VII. CONCLUSION
In this paper, we analyzed cutting-edge research on SFC security. We introduced AHP into SFC and VNF, and proposed a paradigm to quantify security and provide a new solution to security problems in the SFC and NFV. Distinct from remedial action after turning into unreliable or insecurity, it emphasizes initiative and robustness. We proposed the concept of VNF credibility, installed a hierarchical model, and quantitatively analyzed the credibility of VNF and SFC, so as to grant a foundation for the selection of VNF. Compared with the existing evaluation methods, the credibility evaluation paradigm, which depicts the degree of trust of SFC from both time and space dimensions by various influencing factors, is more comprehensive and persuasive. We proposed a SFC deployment strategy whose VNF-FG based on credibility to ensure the SFC is composed of VNF with high reliability and availability, and provide reliable service for users. The results confirmed that the credibility-based deployment strategy enhances the security and acceptance rate of SFC without immoderate consumption cost. We additionally recognized the limitations of our research. There might also be better solutions to the credibility-based service function chain composition. In the future, we will work on greater fine-grained security quantifiable research and the optimization of the SFC deployment strategy.