Security and Safety
Volume 2, 2023
Security and Safety in the "Metaverse"
Number of page(s): 15
Published online: 30 June 2023
Towards building a firm metaverse security base
China Telecom Research Institute, Shanghai, 200122, China
2 China Telecom Research Institute, Beijing, 102209, China
* Corresponding authors (email: email@example.com)
Revised: 13 March 2023
Accepted: 18 April 2023
The Metaverse is a significant field that is currently receiving considerable attention from both the industry and academia. The transformation of the Metaverse from science fiction to reality is being actively promoted by technology, industry, and capital. However, the development of the Metaverse is still in its early stages, and the system architecture and theoretical technology of the Metaverse are not yet mature. This paper provides a comprehensive analysis of the Metaverse and summarizes its holographic, omnipotent, multidimensional, and multifaceted characteristics. The development of the Metaverse is founded on the relevant infrastructure, and we elaborate on the primary components of the Metaverse infrastructure. Furthermore, we systematically summarize the security risks inherent in the Metaverse infrastructure. Based on this, we propose utilizing the system security technology concept to guide the construction of a Metaverse security protection system from various perspectives at each level of computing, cloud, network, digital assets, and terminals, in order to construct a secure foundation for addressing the Metaverse’s security risks and challenges.
Key words: Metaverse / New infrastructure / Security base / Highly trusted network / Trusted identity / Trusted circulation of data
Citation: Li AM, Yao XH, Gu HY, et al. Towards building a firm metaverse security base. Security and Safety 2023; 2: 2023005. https://doi.org/10.1051/sands/2023005
© The Author(s) 2023. Published by EDP Sciences and China Science Publishing & Media Ltd.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
As the metaverse gains momentum, various sectors, including technology, industry, and capital, are actively working to bring it to fruition. Major nations and well-known corporations have established metaverse industries to compete for a stake in the future digital landscape. At present, there is no standard definition of the metaverse. However, people have invested a great deal of imagination and hope into the idea, envisioning it as a new space with high realism and deep immersion – a “second space” parallel to the real world. The advancement of technology is a double-edged sword. As the metaverse becomes more immersive and users spend more time online, the protection of personal privacy and digital assets will become increasingly crucial. The governance and security management of the metaverse will extend far beyond the scope of cyberspace governance and network information security management. The metaverse cannot be constructed without the support of its infrastructure. Thus, establishing a solid security foundation is a precondition for its sustainable development. The purpose of this paper is to identify the nature of the metaverse, predict its future development trends, analyze the key directions for the security management of the new infrastructure of the metaverse, identify security risks, and propose recommendations for the security management of the metaverse infrastructure. Such an analysis is of great practical and strategic significance to promote the high-quality development of the digital economy and the sustainable development of cyberspace.
The term “metaverse” is derived from the American science fiction novel Snow Crash, which combines the words “meta” and “universe”. “Meta” connotes origin, transcendence, and transformation. The phrases Meta and Universe have the connotation of transcending and changing the universe. The concept of the metaverse is not new; it appears in works of historical fiction, art, movies, video games, and other media. The metaverse’s ultimate expression is an “infinite game”, a universe that transcends limitations and continually evolves. The metaverse represents a reimagining of space and time that generates new values. It reflects on the relationship between the universe and the world, literally questioning the nature of reality. The metaverse has two levels: the real world and the virtual world. We argue that the core of the metaverse is the blending, reshaping, and fusion of these two worlds. This fusion is the essence and definition of the metaverse. As human thought and technology advance, we are closer to realizing the ideal world envisioned by humanity, which is evolving within the metaverse. Through the metaverse, we can explore and understand the world with diverse perspectives and dimensions, creating a better space in which to live.
The term metaverse encompasses the origin and evolution of everything in the world. By reshaping space and time, it has the potential to introduce new values and usher in a new era. Several major nations worldwide have issued national strategies for the development of the metaverse industry, and leading internet giants such as Facebook, Google, Microsoft, and NVIDIA have made significant investments in this field. The metaverse has now become an important industrial field and development direction that concerns both industry and academia. The key concepts of the metaverse include digital twins, digital assets, and digital creation. A digital twin is a virtual replica of a real-world system, person, or object, created using information collected from sensors and other real-world sources. Digital assets refer to any type of asset that exists digitally, such as digital currency, digital artwork, or digital real estate. These assets can be bought, sold, and traded on digital marketplaces and exchanges. Digital creation in the metaverse involves creating virtual objects, buildings, furnishings, artwork, and other assets that people can use and interact with.
Although definitions of the metaverse differ across the industry, there is broad consensus on some of its core features and basic judgments, such as “virtual reality, immersive experience, digital twin, intelligent computing, digital assets, digital creation”, etc. Compared to the traditional internet, the metaverse exhibits new features. Firstly, the massive information interaction mapping has led to an unprecedented collection of privacy data in the metaverse. Secondly, the application scenarios of virtual and real-world interaction in the metaverse require lower latency, higher reliability, and continuous access to ensure user experience. Thirdly, the virtual, free, and decentralized environment of the metaverse has resulted in diversified economic and social civilization development trends. The metaverse is the main development direction of the next-generation Internet, the virtual-real integration space for people’s life and work, and an important place for the creation and production of digital assets.
The Metaverse is not a simple application system built by a single technology but rather a “digital world” created by a series of interconnected and collaborative technologies. The technology system of the Metaverse is primarily composed of two parts: the infrastructure layer and the core capability layer. The infrastructure layer includes intelligent computing, 5G and 6G cloud-network convergence, data collaboration, and security technology, among others. The core capability layer comprises digital twin and digital native technology, digital humans, next-generation human-computer interaction, general artificial intelligence, AI modeling, blockchain, and new governance models. The industry generally believes that the Metaverse will be the next wave of the digital economy. The pull of the Metaverse on the digital economy will be all-encompassing, including infrastructure such as computing power and cloud networks, as well as many applications in 2B2C fields such as office, education, social, gaming, and intelligent manufacturing, and hardware and software platforms in human-computer interaction fields such as XR and brain-computer interface. Additionally, it will include the digital economic system, such as NFT (Non-Fungible Token), and more fundamental industries such as chips.
In the future, the metaverse is poised to become a new type of space with unparalleled realism and immersion. It will be capable of simulating multiple senses, including vision, hearing, smell, taste, and touch, and achieving a high degree of fidelity in replicating natural systems such as weather patterns, ocean currents, and biological processes. As a result, the metaverse will emerge as a parallel “second space” to the physical world, representing the cyberspace of the next generation. This highly complex and digital existence will enable information to interact not only with other information in the metaverse but also with matter, energy, and even the human mind. However, the decentralized nature of the metaverse poses inherent challenges to security regulation and control. It is important to discuss the issues that arise during the development of the metaverse.
The metaverse industry can be roughly categorized as the metaverse infrastructure industry, the metaverse virtual world construction and content application industry, the metaverse digital human industry, the metaverse human-computer interaction industry, and so on. The new infrastructure of the metaverse is the cornerstone of the metaverse’s development. The new infrastructure of the metaverse can be divided into three levels: information infrastructure, convergence infrastructure, and innovation infrastructure, which includes the five components of intelligent computing, cloud-network convergence, terminal devices, digital assets, and security base (Figure 1).
New infrastructure of metaverse and its security
GPU-based intelligent computing is the key to the new infrastructure in the metaverse era. The development of the metaverse will help move the world into the era of intelligent computing. The fact that the current market value of NVIDIA Corporation, a major GPU manufacturer, exceeds that of INTEL Corporation is convincing evidence. In the era of the metaverse, the high demand for intelligent computing and bandwidth will present numerous opportunities for the development of 5G, artificial intelligence, and the chip industry. Considering the growth in the number of XR devices in the next 5–10 years, and the increased demand for computing power and bandwidth for single-device performance improvement, according to the estimations of CAICT, IDC, and Sadie, the demand for computing power and bandwidth in the metaverse will skyrocket in the next 5–10 years, and it is expected that by 2030 the demand for computing power in the metaverse will be 80 times the current level, and the demand for bandwidth will be 60 times the current level. More than 1000 times the computing power demand and more than 100 times the bandwidth demand serve as the foundation for the long-term growth of the metaverse.
In the era of the metaverse, machines, devices, portals, networks, applications, platforms, and data are endowed with consciousness, emotion, and life. There will be more and more metaverse portals, applications, and platforms with immersive experiences, emotional and creative characteristics. The data created by these systems is not only massive and ponderous but also holographic and multi-dimensional. The demand for computing power is not only fast and accurate but also intelligent and flexible. The demand for network transmission is not only high bandwidth and low latency but also agile and controllable. Therefore, the cloud computing, network technology, and cloud-network convergence technology of the metaverse must adapt to these new demands. In the metaverse era, cloud-network convergence integrating intelligent computing, holographic network, and emotional AI will constitute one of the most important new infrastructures.
In the metaverse era, the variety of terminal devices will increase, and will greatly exceed the narrow terminal category represented by the original cell phone. The terminal device layer with interaction, presentation, and display functions is a crucial component of the new infrastructure in the metaverse era. The main features of the applications in the metaverse will be immersive experiences, emotional and creative, and the requirements for its construction are “holographic input” and “omnipotent perception”. VR, naked-eye 3D, laser holographic technology, and the innovation and upgrading of metaverse terminal technology should be developed based on the terms “holographic” and “omnipotent”.
The metaverse is characterized by users who are consumers, participants, and creators. Within this virtual space, an increasing number of digital assets, including anime characters, artworks, and virtual real estate, are being created and produced. While global internet companies like Facebook and Roblox offer virtual social and office environments, their primary focus is on digital asset creation. In the metaverse era, public digital assets such as digital landmarks, facilities, and cultural assets are essential components. Digital assets and creation based on digital identity will be a crucial trend for asset and value creation. Safely trading, intelligently managing, and easily circulating digital assets is an important issue. Digital assets are becoming an increasingly vital part of the new infrastructure in the metaverse era.
Major countries in the world generally pay close attention to the development of the metaverse. The United States has a significant advantage over China in core basic technologies such as computing and storage chips, artificial intelligence, and operating systems. To strengthen U.S. national preeminence, the White House and the U.S. military are developing a future technology strategy for the metaverse. South Korea’s Digital New Deal 2.0 plans to invest $2.2 billion over five years to develop emerging technologies represented by the metaverse to help maintain South Korea’s leadership in emerging fields and expand the country’s economic footprint. The Japanese government has urged KDDI to lead and participate in the development of the metaverse in order to achieve global leadership in the metaverse field. It can be anticipated that the metaverse era will be a world characterized by real sovereign states at its borders. The infrastructure, digital assets, and operation rules of the metaverse are inevitably closely related to actual national sovereignty. Cyberspace sovereignty and national security are closely related. National sovereignty in the digital world will inevitably become a focal point of interest in the near future. The competition of the metaverse will be the competition for national sovereignty. At the same time, in the era of the metaverse, people will gradually evolve new roles, social relations, cultural order, etc., and there will be “metaverse citizens”. Consequently, the governance and security management of the metaverse will extend far beyond the scope of cyberspace governance and network information security management. The metaverse security based on system security technology and governance technology is the new infrastructure of the metaverse. There will be many new legal, moral, and ethical issues that need to be investigated.
The development of digital technologies such as big data, blockchain, digital twin, human-computer interaction, simulation technology, augmented reality, etc. is the foundation of the metaverse. Metaverse is the result of a highly developed stage of digital technologies. On the one hand, new technological changes are driven by the combination and integration of diverse technologies, prompted by relevant scenarios and applications. On the other hand, the superposition of risks associated with various types of technologies generates new security risks. Metaverse has unrestricted growth potential, but its infrastructure faces the same security threats posed by intelligent computing, cloud-network convergence, terminal access, digital assets, etc.
The virtual reality space of Metaverse involves estate, healthcare, education, the military, gaming, etc. In a computer-generated virtual environment, users can interact with each other. The metaverse provides a more immersive experience, enhanced real-world integration, and a novel mode of cyberspace interaction. The metaverse is more interconnected with the real world than traditional cyberspace.
The metaverse features real-time feedback and continuous online, relying on technologies such as cloud computing, 5G, IoT, edge computing, and high-performance computing to connect more devices to the cloud. The metaverse encompasses multiplayer online games, open-ended tasks, editable worlds, XR portals, AI-generated content, economic and social systems, decentralized authentication systems, realistic scenarios, etc. These tasks place exceptionally high demands on algorithms and computing power, which may result in a dearth of computing power resources and necessitate a balance of stability, sustainability, and low cost. Existing infrastructure may be incapable of supporting the operation of a metaverse space on a global scale.
Cybersecurity threats in the metaverse are similar to those in Web 3.0, including hacking, vulnerability exploitation, and fraud. The metaverse creates a connection between the physical and digital worlds. Some metaverse projects merge the real and virtual lives of their users, introducing new security risks. Attackers may create fake metaverse applications and games to obtain sensitive information in order to get victims to connect to their digital wallets. Therefore, it is necessary to verify the trustworthiness and security of applications and message sources [5, 6].
From a security standpoint, the greater the number of cloud-connected endpoints, the larger the exposed attack surface. Many AR, VR, and IoT wearable devices are designed without security considerations from the outset. With the advent of these new devices, the opportunities for attackers to gain access to valuable personal information are increasing, and users may not realize that their phone or IoT device is tracking them. These portable devices with weak security controls are likely to become prime targets that attackers can use to infiltrate networks. For example, an attacker can exploit a network of IoT devices to automatically distribute malware that can be quickly replicated in a metaverse. Such an attack can also reduce available computing power by mining cryptocurrencies, corrupting data, and crashing servers with DDoS attacks. In addition, phishing, malicious URLs, and similar online attacks will continue to exist in the metaverse. Entirely new attack strategies are also possible, such as attacks that focus more on vulnerabilities in NFTs, exchanges, and cryptocurrencies.
The metaverse collects more types of and more sensitive personal information than the traditional Internet. The sensors can collect more personal data than ever before, including biometric data such as brain waves, fingerprints, voice prints, irises, eye movements, electromyographic signals, and health data such as blood pressure, heart rate, and body temperature. It is especially important to note that the massive leakage of biometric information collected by the metaverse will be irreversible. The disclosure of biometric information is more dangerous than the disclosure of passwords. Simultaneously, users’ economic transactions, social contacts, and numerous other behaviors in the rich application scenarios of the metaverse will generate a vast amount of multidimensional data. This means that all metaverse user behaviors and preferences can be recorded, allowing for a more three-dimensional and accurate user portrait [7, 8].
Because the metaverse’s collection of personal information is massive, centralized, and private in nature, a leak would result in an all-round loss of personal privacy. Privacy leakage will pose a great threat to the personal safety and property security of the public, which means privacy protection in the metaverse should be stricter. According to a market survey on metaverse, 50% of people are worried about the security of users’ identity, 47% are worried about the mandatory monitoring that users may have to experience, and 45% are worried about the possible misuse of personal information. If the identity verification and data security issues of the metaverse are not resolved, the rollout of the metaverse will be hindered and humans will not be able to fully enjoy the networking, collaboration, and business development opportunities that the metaverse offers. The metaverse is overly dependent on data, and if the data is attacked and corrupted, it may cause more damage. The transnational nature of metaverse operations will also frequently raise security issues around the cross-border transfer (“data exit”) of user data.
The underlying technology of digital assets in the metaverse scenario is digital credentials issued, transferred, stored, and traded based on blockchain technology. The blockchain-based digital assets of the metaverse are digital, unique, and decentralized, distinguishing them significantly from traditional digital assets.
The metaverse digital assets can be divided into two categories according to their own characteristics: on-chain native assets and on-chain mapped assets. Although the data stored in blockchain has the characteristics of immutability and traceability, the problem of how to realize the uniqueness of digital asset tags and eliminate the replicability of virtual digital assets remains to be solved. Native assets are assets that originate from the metaverse and blockchain technology in digital form; they are born in the virtual world and do not have corresponding underlying assets in the real world. Typical native assets include fungible tokens. On-chain mapped assets are digital assets with real-world mapping value, i.e., the digital asset enjoys some real-world rights as an endorsement, and NFT represents this type of asset. Since NFT is implemented based on public chains such as Ether, FLOW, and Near with transparency, the privacy of users cannot be guaranteed. Moreover, since the consensus algorithm is centered on the proof-of-work mechanism, the transaction execution efficiency and corresponding throughput of public chains are constrained. Secondly, although NFT has the feature of traceability, it faces the problem of being unable to prove whether the source of the transaction is real and trustworthy, i.e., it is impossible to confirm whether the traced asset holder is the real owner of the asset. Moreover, on-chain native assets and on-chain mapped assets can be exchanged with each other through trading, which may bring about governance issues.
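The gap described above, between a traceable transfer history and a trustworthy origin, can be made concrete with a toy ledger. This is an added illustration, not code from the paper: the hash-chained ledger, the party names, and the off-chain `TRUSTED_ISSUERS` registry are all constructed assumptions.

```python
import hashlib
import json

# Constructed, hypothetical data: an off-chain registry mapping each
# real-world asset to the party known (out of band) to hold its rights.
TRUSTED_ISSUERS = {"artwork:sunrise-001": "alice"}
GENESIS = "0" * 64


def _digest(body):
    """Hash a record body deterministically."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_record(ledger, token_id, asset_ref, sender, receiver):
    """Append a mint (sender=None) or transfer record linked to the previous hash."""
    body = {
        "token_id": token_id,
        "asset_ref": asset_ref,
        "from": sender,
        "to": receiver,
        "prev": ledger[-1]["hash"] if ledger else GENESIS,
    }
    ledger.append({**body, "hash": _digest(body)})


def chain_is_intact(ledger):
    """Immutability: every hash matches its body and links to its predecessor."""
    prev = GENESIS
    for rec in ledger:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return False
        prev = rec["hash"]
    return True


def trace_holders(ledger, token_id):
    """Traceability: replay one token's history from mint to current holder."""
    holders = []
    for rec in ledger:
        if rec["token_id"] != token_id:
            continue
        if rec["from"] is None:
            if holders:
                raise ValueError("token minted twice")
        elif not holders or holders[-1] != rec["from"]:
            raise ValueError("transfer by a non-holder")
        holders.append(rec["to"])
    return holders


def provenance_check(ledger, token_id, registry):
    """Origin check the ledger alone cannot make: was the minter the rights holder?"""
    mint = next(
        (r for r in ledger if r["token_id"] == token_id and r["from"] is None), None
    )
    if mint is None:
        return False, "no mint record"
    expected = registry.get(mint["asset_ref"])
    if expected is None:
        return False, "asset not in registry"
    if mint["to"] != expected:
        return False, f"minted by {mint['to']}, rights held by {expected}"
    return True, "minter matches registry"


def build_sample_ledger():
    """Two tokens referencing the same artwork; only nft-1 comes from its owner."""
    ledger = []
    append_record(ledger, "nft-1", "artwork:sunrise-001", None, "alice")
    append_record(ledger, "nft-2", "artwork:sunrise-001", None, "mallory")
    append_record(ledger, "nft-1", "artwork:sunrise-001", "alice", "carol")
    append_record(ledger, "nft-2", "artwork:sunrise-001", "mallory", "dave")
    return ledger


if __name__ == "__main__":
    sample = build_sample_ledger()
    print("chain intact:", chain_is_intact(sample))
    for token in ("nft-1", "nft-2"):
        print(token, trace_holders(sample, token),
              provenance_check(sample, token, TRUSTED_ISSUERS))
```

Both tokens pass the integrity and traceability checks; only the comparison against information held outside the ledger separates the legitimate token from the copy.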
Classical cryptosystems applied to blockchains have become less secure due to the rapid development of quantum computing technology. Shor’s quantum algorithm can solve the integer factorization problem in polynomial time, while the Grover quantum search algorithm is regarded as an efficient method for locating the original hash function value by accelerating hash collisions. As the number of quantum bits in quantum computers increases, the time required to break classical ciphers decreases, so many researchers are focusing on the implementation of anti-quantum ciphers to achieve quantum-resistant blockchain. The current anti-quantum cryptographic algorithms mainly rely on the complexity of mathematical computation to resist attacks by quantum computers. However, this computational complexity also causes huge network resource overhead, which makes it harder to adapt them to blockchain architectures. Quantum cryptography, which combines quantum physics theory with classical cryptographic schemes, can also achieve post-quantum security.
In the virtual world of the metaverse, users need to earn virtual capital rewards through activities such as work and games, which can be used to exchange for real property. Achieving a secure value system is crucial to the construction of the metaverse ecology. In addition, the immutability and traceability of blockchain can ensure the security of the economic system by ensuring the irreproducibility of digital assets.
Metaverse relies on a number of emerging technologies such as blockchain and artificial intelligence, and the core algorithms are increasingly deployed and interdependent. Therefore, the vulnerability of the system will come to the fore and greater risks are likely to emerge as technology advances. AI algorithms are inherently logically unreliable and uninterpretable. If the system is subjected to malicious attacks, it may cause damage to property or even personal safety.
In addition, AI algorithms themselves may be used in illegal ways, such as generating bots for 24/7 attacks, and “deep fake” based on personal biometric information. Deep fake technology achieves the tampering, forgery and automatic generation of images, sounds and videos, which are highly realistic, through the capture, acquisition and editing of personal biological information. Once the technology is misused, it will inevitably cause a great infringement on the reputation and property of the involved people. Moreover, it may further impact the security of public society. During some major international events or regional conflicts in the past, in order to incite public opinion, lawbreakers fabricated audio and videos of important political figures to create fake news quickly disseminated on social media, which greatly affected the public’s judgment of the real situation and the social stability [14, 15].
The metaverse is composed of many new technologies. When different technologies are combined in the metaverse, they often bring new security issues, because various technologies have different characteristics and security threats, and they may interact with each other, leading to new vulnerabilities and modes of attack. For example, the combination of digital twins and a new generation of human-machine interaction technology in the metaverse can create digital twins in the virtual world for people, objects, or events in the real world, and provide users with a seamless experience through interactive tools such as VR devices and brain-machine interfaces. However, this also brings certain security risks. The digital twin is based on real-world data, which typically contains sensitive information such as personal health conditions, physiological features, and enterprise production data. In order to interact with these digital twins in the metaverse with a high degree of realism, interaction terminals need to collect some data from these digital twins for simulation. This process brings the risk of information leakage. If this information is stolen by attackers, it may lead to serious privacy risks. Moreover, due to the virtual-real mapping established by digital twin technology, the leakage of these virtual data will also mean the leakage of real-world data, which may cause harm to the safety of life and property in the real world.
Furthermore, the combination of artificial intelligence and digital human technology allows hackers to forge the identity and personality of digital humans, and impersonate real users in the metaverse. The fake identity may be used for illegal activities such as obtaining personal information and participating in network fraud, posing potential security threats to individuals and organizations. Moreover, virtual deception through the use of artificial intelligence and digital human technology could also affect users’ behavior and consciousness in the virtual world, causing them to make wrong decisions or engage in unlawful activities, thus posing risks to individuals and organizations.
Moreover, the combination of augmented reality and sensor technology, while providing users with more intelligent and personalized services such as smart homes and smart cities, can also bring new security risks. If the virtual information used in augmented reality is tampered with or malicious code is implanted, it may result in the theft or alteration of related information. The tampering or falsification of the data may cause deviations in users’ decisions and behavior. For example, in a smart city, attackers can manipulate sensor data to create false traffic information, leading to erroneous augmented reality results and ultimately causing real-world traffic problems.
Currently, one of the distinctive features of the metaverse is that it allows users to create their own content, which promotes the prosperity of the metaverse. All users are both participants and creators, and even the rules of community governance of the metaverse will be decided by users rather than developers. This is one of the biggest differences between the metaverse and traditional video games. However, every coin has two sides. While this kind of community autonomy encourages creativity and increases vitality, it also brings more challenges for security governance because of the virtual nature of the network, the anonymity of user participation, and the innovation of application scenarios. For example, how should the code of conduct and ethics among users in the metaverse be defined? Do users’ virtual identities have rights to life, health, and personality? How should malicious users in the metaverse be punished when they steal other users’ digital collections or digital currencies, and how should these be mapped to the real world and their value confirmed? How should malicious users be regulated when they use innovative financial methods to commit fraud? At this stage, the metaverse is still an evolving and developing concept, so the security governance and regulation of the metaverse will also be an evolving and developing process. However, considering the trend of development of the metaverse and a large number of innovative network applications, we should now carry out research on metaverse security governance in terms of both theoretical preparation and practice of regulation, including rules of community governance in the metaverse, new laws and regulations and regulatory measures for digital assets and new (financial) applications of the metaverse, implementation of national sovereignty in the virtual world, principles and penalties for cybercrime in the metaverse, etc.
Overall, both the variety and number of various applications will increase in the metaverse era. Therefore, the number and patterns of security threats faced by the system will also increase. People urgently need a capability that can perform high-speed and accurate extraction, and intelligent analysis of unknown or potential attacks. People also need the ability to aggregate and display results of data analysis in real-time, so as to perform real-time discovery, blocking, and emergency response for security threats. Only by laying the foundation well for the security of the metaverse and building a firm security base can we establish a reliable, mutually trusting, and interconnected metaverse to serve the increasingly rich imagination of human beings and industrialized applications, and make the development of the metaverse sustainable and healthy.
The concept of the metaverse and the construction of the metaverse system have created the most complex cyber and system security requirements to date for people. The metaverse system will not have only one security system throughout. It should be the interaction of a number of security systems, different security structures, multiple guiding ideas and philosophies of security, and different security paradigms, which play different roles in different levels, different dimensions, and different aspects. Because of their mutual influence and correlation, a solid security network is constructed covering all levels and applications of the metaverse system. The metaverse is characterized by “holographic, omnipotent and multi-dimensional”. We need to build the security system of the metaverse in different aspects such as intelligent computing, cloud-network convergence, digital assets, and terminal devices to cope with security risks and challenges in the metaverse.
In terms of intelligent computing and cloud-network convergence, we should reasonably arrange computing resources, network facilities, and high-performance computing centers, enabling intelligent scheduling of computability and intelligent computing service capabilities. At the same time, we should strengthen the construction of data resource infrastructure, accelerate the deployment of big data center clusters, and enhance data sensing, transmission, and storage capabilities. For key industries, several high-quality data sets and knowledge graphs should be built and opened to cope with the rapidly growing demand for computing and flexible scheduling, etc.
In response to the demand for security of cloud-network infrastructure, it is necessary to follow the trend of automation and intelligence, reconstruct the cyber security architecture based on the separation of management and control, introduce intensive big data analysis and artificial intelligent security response decisions, construct the security policy implementation chain of “defense, monitoring, response and prediction”, promote the collaborative and efficient security capability of continuous adaptive risk and trust (CARTA), and further enhance the refinement and agility of security. Based on the operation and management mode of resource-intensive sharing, capacity flexible scheduling, and service on demand, we need to build a linked and open security platform for metaverse, promote the innovation and development of security service content, realization mechanism, and delivery method, make the industry chain of metaverse security develop in a virtuous cycle to form a sustainable ecosystem of metaverse security, and promote the application of new technologies and new business in the metaverse.
We use an elastic network to build a highly trusted network architecture, secure the network’s native architecture, address the cyber threats in extreme situations, and enhance the network’s high business continuity, strike resistance, and data disaster recovery capabilities. Based on the concept of “built-in instead of external security, active instead of passive defense, and the system as a whole instead of isolated”, the core technologies of cyber resilience, trusted network, and zero trust are used to solve the problems such as unpredictable security vulnerabilities and information asymmetry between attackers and defenders.
First, we use the design of the system’s own security architecture and mechanisms as a starting point, to meet the redundancy and backup of software and hardware equipment, applications, data, and routing at all levels, to achieve the robustness of the network itself. Furthermore, we use relevant threat-aware technologies, to effectively prevent known security threats, identify unknown security threats, and form immunity to unknown threats through self-learning and self-adaptive adjustment, and finally build a highly trustworthy, adaptive, and resilient fault-tolerant security architecture with disaster-recovery capabilities.
Second, to address the real and trusted core issues such as the verifiability, controllability, and traceability of each associated element of large-scale network entities and network behaviors, we use trusted network technologies to make the terminal device addresses, transmission paths, and network services real and trusted, and build a trusted network architecture.
Third, with the security concept of “continuous verification and never trust”, we establish a dynamic and trustworthy access control mechanism for identity-based business through the software-defined perimeter, micro-segmentation, and identity access and management, etc. We narrow the boundary of network defense to a single or smaller resource group, and no longer grant pre-defined trust permission according to the location of the network. Moreover, we extend the protection from the traditional network level to the application level, implement the zero-trust concept into each system development, construction, operation and maintenance, perform resource isolation and fine-grained authorization, and enhance the security capability of the new infrastructures in the metaverse.
Users access the metaverse through various smart terminal devices, and various smart devices themselves pose security risks. Secure connections to the dedicated computing, cloud, edge, and 5G infrastructure needed to support the metaverse should be considered, and the security of underlying sectors such as chips and operating systems should be reinforced to reduce the security risks faced by smart terminals in the metaverse.
Chip security technology guarantees the security of chip products throughout their lifecycle by strictly controlling the entire process of development, design, and delivery, avoiding the existence of security vulnerabilities at the chip level, which may jeopardize the security of the chip itself or the upper-layer devices or data. Operating systems without misconfiguration, vulnerability, backdoor, and Trojan horses can prevent illegal access to computer resources by illegal users. With the development of trusted computing, operating system protection based on the root of trust is also evolving. With a password, hardware security reinforcement, backdoor vulnerability analysis, access control and other technologies, the security of all types of devices involved in the metaverse is ensured in hardware, firmware and system software, etc., which prevents illegal access to device resources.
Chip and firmware are inseparable, and the root of trust of the whole system is composed of the underlying software (virtual machine, RTOS, TEE, driver) and hardware (hardware circuit). With vulnerabilities in the underlying layer, there is a huge threat of the system being cracked. Chip security technology has evolved to the point where it is not limited to the traditional scope of the independent secure element, but considers comprehensive protection of hardware, underlying software, operating system, and upper-layer applications in a more open and complex system. The entire process of development, design, and delivery should be strictly controlled to guarantee the security of the chip throughout its lifecycle.
The operating system is the program that manages the entire computer hardware and software resources. It is the foundation of the network system and the key to ensuring that the entire internet realizes the transmission and sharing of information. The security of the operating system plays a pivotal role in network security. A secure operating system guarantees the confidentiality, integrity and availability of the use of computing resources. It also provides all-round protection for databases, applications, network systems, etc. The insecure structure and mechanism of the operating system, the simplification of the PC hardware structure, the partial execution of the state of the system, and the absence of memory overrun protection may lead to security incidents such as resource configurations that can be tampered with, malicious programs that are implanted and executed, buffer overflow attacks, and illegal takeover of system administrator privileges. The security of the operating system should be reinforced by a series of methods, including but not limited to strong passwords, border defense, software updates, the shutdown of unused services, data encryption, backup, encryption of sensitive communications, vulnerability scanning and anti-virus, etc., especially the identification and protection of backdoors and vulnerabilities [24, 25].
Blockchain technology provides a new way to establish multi-party collaboration across subjects, a new model for traditional applications, and a trusted third party for information interaction. Its core technologies include consensus mechanisms, cryptography, distributed storage and smart contracts, etc. It brings openness, consensus, decentralization, trustless, transaction transparency, anonymity of both sides, immutability, traceability, collective maintenance, a reliable database with a time stamp, and other open application features. In the application of metaverse, we can use the basic characteristics of blockchain such as decentralization, trustless, collective maintenance and reliable database to build a secure and credible application base of the metaverse. Through the resource directory chain with a complete bottom chain, the on-chain application layer will cover a comprehensive system. Penetrating supervision of business will be realized. The efficiency of business collaboration will be improved. Business expansion costs will be reduced. Data supervision ability will be enhanced, and cooperation mechanisms between multiple subjects will be created. At the same time, it guarantees the cleanliness and credibility of on-chain data and meets the demand of ease for use. The visualization of the on-chain data helps to supervise the operation of the whole business chain more intuitively and intelligently. The key points of data security management include terminal hosts, application systems, network borders, etc. These key points can be properly managed, controlled and retained by blockchain’s storage and certificate and smart contracts to ensure the integrity, authenticity, and confidentiality of the data in transmission and storage, which provides real-time dynamic security monitoring of data and improves the ability of data security [12, 26, 27].
Distributed authentication of digital identity can be achieved using blockchain technology. On the one hand, distributed technology makes forgery difficult and verification easy, and on the other hand, it enables uniform standards, facilitates interconnection, and allows for minimal open access to private data. We need to define identity and authority in the metaverse, strengthen identity and verification standards, create and implement the responsibility of data and data protection, take advantage of fully traceable and tamper-evident identity authentication and authority control, clarify how these data are stored, which systems and people the data are used by and how they are used. We also need to implement strict access control to key data resources and security operation auditing.
With the security concept of “continuous verification, never trust”, zero trust prevents unauthorized access to resources and reduces the security risk during resource access. The essence of zero trust architecture is to establish a dynamic and trustworthy access control mechanism for identity-based businesses, which can be achieved by software-defined perimeter, micro-segmentation and identity access and management, etc. In practice, zero trust architecture can narrow the boundary of network defense to a single or smaller resource group, no longer grant pre-defined trust permission according to the location of the network, and extend the protection from the traditional network level to the application level. We can draw on the “never trust, continuous verification” zero trust model in the metaverse, and leverage the use of virtual reality (VR) or augmented reality (AR) glasses or headsets in the metaverse to develop new authentication tools and mechanisms based on unique biometric authentication systems to prevent threats or restrict access by using persistent authentication, and to reduce and eliminate security issues about sensitive data.
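The zero-trust access decision described in this paragraph and in the earlier network-architecture discussion can be made concrete with a small policy check. The following is an added example, not code from the paper: the grant table, the five-minute re-verification window, the `10.` internal range and all names are assumptions made for illustration, and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed policy data (assumptions for this example only): which identity
# may perform which actions on which resource group (micro-segment).
SEGMENT_GRANTS = {
    ("alice", "avatar-assets"): {"read", "write"},
    ("alice", "wallet-ledger"): {"read"},
    ("render-svc", "avatar-assets"): {"read"},
}
MAX_AUTH_AGE_S = 300       # identity must have been re-verified within 5 minutes
INTERNAL_PREFIX = "10."    # range a perimeter model would treat as "inside"


@dataclass(frozen=True)
class Request:
    subject: str           # authenticated identity (user or service)
    segment: str           # resource group being accessed
    action: str            # "read" or "write"
    source_ip: str         # network location of the caller
    auth_age_s: int        # seconds since the identity was last verified
    device_healthy: bool   # result of the latest device posture check


def perimeter_decision(req: Request) -> bool:
    """Location-based trust: anything from the internal range is allowed."""
    return req.source_ip.startswith(INTERNAL_PREFIX)


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Per-request decision; source_ip is deliberately never consulted."""
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "re-authentication required"
    if not req.device_healthy:
        return False, "device posture check failed"
    allowed = SEGMENT_GRANTS.get((req.subject, req.segment), set())
    if req.action not in allowed:
        return False, "no grant for this segment/action"
    return True, "granted"


# Constructed sample requests.
SAMPLE_REQUESTS = [
    # Legitimate user working remotely: outside the perimeter, fully verified.
    Request("alice", "avatar-assets", "write", "203.0.113.7", 30, True),
    # Inside the network, but asking for more than the grant allows.
    Request("alice", "wallet-ledger", "write", "10.0.4.12", 30, True),
    # Inside the network, but the session was verified over an hour ago.
    Request("render-svc", "avatar-assets", "read", "10.0.4.20", 4000, True),
    # Inside the network, valid grant, but the device failed its posture check.
    Request("alice", "avatar-assets", "read", "10.0.4.12", 10, False),
]


def compare(requests: List[Request]) -> List[Tuple[bool, bool, str]]:
    """Return (perimeter_allows, zero_trust_allows, reason) per request."""
    return [(perimeter_decision(r), *zero_trust_decision(r)) for r in requests]


if __name__ == "__main__":
    for req, row in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        print(req.subject, req.segment, req.action, req.source_ip, row)
```

The two models disagree on every sample request: the perimeter check rejects the one legitimate request and admits the three that the per-request check denies.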
In order to cope with data security risks, large-scale platforms in the metaverse era, such as infrastructures, should assume the public obligation of data security. Data security is part of the public interest. Platform data need to be managed both in a categorized and graded manner, and need to achieve traceability and storage using blockchain. We should take advantage of dynamic data monitoring, privacy computing, and other technologies to achieve secure data circulation.
Data security-related technology is data-centered, covering the whole life cycle of data and implementing technical protection for data and digital asset flow. It mainly solves the protection problem based on data classification and grading, and differentiation in each part of data storage, flow, and sharing. The difficulty lies in the secure circulation of data.
First, we need to solve the problem of risk identification, protection, and disposal in the dynamic use and circulation of data. We can perform data abnormality, data security risk, and event monitoring and evaluation through technologies such as user and entity behavior analytics (UEBA), data flow monitoring, sub-scene user information protection, and data traceability. Combined with the dynamic flow characteristics of data, the analysis of the acquired monitoring data can be performed. At present, expert experience and rule matching are mature and are widely used for their advantages of clear scenarios and business readability. However, an approach that relies too heavily on expert experience cannot effectively identify covert attacks, unknown risks, or unknown abnormal behaviors. Machine learning and deep learning techniques can be used to model data usage and risks of data circulation. Through long-period log precipitation and multi-source log correlation analysis, a data behavior security baseline can be established to achieve deep identification of unknown risks such as irregular hidden behaviors, point-and-click attacks, unknown attacks, and unknown abnormal behaviors of users.
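The contrast drawn above between rule matching and a per-entity behavior baseline can be shown on a small export log. This is an added example, not code from the paper: the log format, the 5000-record rule, the robust z-score (median and MAD) standing in for the learned baseline, and its thresholds are all assumptions, and the log data is constructed.

```python
import re
from collections import defaultdict
from statistics import median

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\S+) action=export records=(\d+)$")
RULE_LIMIT = 5000   # constructed expert rule: alert if a day's export exceeds this
Z_LIMIT = 6.0       # assumed cut-off for the robust z-score
MIN_DAYS = 7        # assumed minimum history before a baseline is trusted

# Constructed sample data: records exported per day. The last value of each
# list is the day being assessed; everything before it is history.
SAMPLE = {
    "etl-batch": [4200, 4350, 4100, 4280, 4400, 4150, 4300, 4250, 4320, 4180, 4450],
    "analyst-7": [40, 55, 38, 61, 47, 52, 44, 58, 49, 43, 900],
    "new-hire": [30, 35, 600],
}


def sample_log():
    """Render SAMPLE as log lines; every user's last value falls on 2023-03-11."""
    lines = []
    for user, counts in SAMPLE.items():
        first_day = 11 - len(counts) + 1
        for offset, n in enumerate(counts):
            day = f"2023-03-{first_day + offset:02d}"
            lines.append(f"{day} user={user} action=export records={n}")
    return lines


def daily_totals(lines):
    """Aggregate export volume per user per day; unparseable lines are skipped."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            day, user, n = m.groups()
            totals[user][day] += int(n)
    return totals


def robust_z(value, history):
    """Distance of value from the entity's own median, scaled by the MAD."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(mad, 1.0)   # floor avoids division by zero on flat histories
    return 0.6745 * (value - med) / scale


def assess(lines, day):
    """Compare the static rule with the per-entity baseline for one day."""
    report = {}
    for user, per_day in daily_totals(lines).items():
        history = [n for d, n in sorted(per_day.items()) if d < day]
        today = per_day.get(day, 0)
        entry = {"rule": today > RULE_LIMIT, "baseline": None, "z": None}
        if len(history) >= MIN_DAYS:   # otherwise: not enough data to judge
            z = robust_z(today, history)
            entry.update(baseline=z > Z_LIMIT, z=round(z, 2))
        report[user] = entry
    return report


if __name__ == "__main__":
    for user, entry in assess(sample_log(), "2023-03-11").items():
        print(user, entry)
```

The account that normally exports about 50 records a day and suddenly exports 900 stays under the global rule but stands far outside its own baseline, while the high-volume batch account is within its norm under both checks; the account with three days of history gets no baseline verdict at all.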
Second, the problem of achieving credible data interaction under the premise of protecting the data itself from external leakage should be addressed to realize the secure circulation and application of data in the metaverse. Privacy protection technologies such as secure multi-party computing, federated learning, and trusted execution environment can be used to realize data availability without visibility. We need to build the capability of highly available privacy-preserving computing and trusted circulation of data elements using blockchain [27, 28].
Artificial intelligence is the foundation of the metaverse, with problems such as uninterpretability, high dependence on data, and weak robustness. In order to enhance the security of AI systems and reduce the security risk of intelligent algorithms, an AI security risk defense system in the metaverse needs to be established. AI security risk originates from the general failure to consider relevant security threats at the beginning of algorithm design. Malicious attacks on AI systems may cause property damage or even threaten personal safety. AI risk defense has three levels: architecture level, attack and defense level, and model level. The corresponding technologies involve the security of AI autonomous framework, AI adversarial security, and application of AI security. AI autonomous framework security is based on an autonomous and controllable AI framework to achieve secure and trusted training, data processing, and execution based on source code. The trends of AI framework security are to improve the interpretability and robustness of AI models. A secure and trusted AI framework needs to support interpretability for models and provide evaluation methods of AI robustness. AI adversarial security includes attack detection of an AI model, adversarial defense, adversarial examples, AI model anti-stealing and AI deep fake detection, etc. The trend of AI adversarial security is the mutual promotion and synergistic development of attack and defense technologies. For example, adversarial attacks, data poisoning, and other attack technologies and defense technologies such as adversarial defense and poisoned data detection will develop in parallel. AI security applications include robustness evaluation and reinforcement of AI models, uninterpretability detection of an AI model, full verification of complex scenarios, etc. In the face of model theft attacks, model watermarking and model signature techniques become the new trend of AI model copyright protection.
The implementation of the metaverse is based on the combination of various new technologies, providing people with a realistic sensory environment. However, it inevitably expands the difficulty of information security protection. Nevertheless, the development of the metaverse is still in its early stages, and the problems that arise from the combination of various technologies need to be truly understood through practice. In order to better solve the new problems caused by the integration of various new technologies, we need to introduce the concept of a parallel universe and build a metaverse framework based on parallel security. By creating a parallel artificial network space to interact with the real network space, we can respond to the security challenges faced by the metaverse network space.
Parallel universe network space is a type of twin system of the real network space in the metaverse, which can be used to repeat experiments and test the security capability of the metaverse. After analyzing the test results, the defense strategy can be optimized in real-time. The metaverse not only needs large-scale hardware support, but also has a large demand for network space computing and massive data storage. The parallel universe network space is not a digital twin of the hardware and services of the real network space, but rather a mapping of the metaverse in a computer, which is a software-defined representation of the physical and virtual worlds. The artificial network space not only has the basic model and functions of the real network space, but also can deduce the changes in the metaverse, providing support for precise description, advanced prediction, and intelligent decision-making.
Using the diverse scenarios built on artificial systems, suitable virtual security scenarios can be easily selected according to the security needs of the network space, in order to conduct computational experiments to practice defense strategies. In the process of the computational experiments, progress in testing defense strategies and data fusion can be visualized through human-machine interaction. The network space security solutions formed after the computational experiments will guide the realization of secure network space in real network space through parallel execution. The parallel universe security system will improve the monitoring and control of the network space in the metaverse, and provide real-time optimized security solutions to effectively respond to the constantly changing network security threats in the metaverse.
Metaverse, known as the cyberspace of the next generation, will evolve into a “second space” parallel to the real world. However, the inherent security risks of various underlying technologies have brought powerful security threats to the metaverse, and there may be new risks with the development of the metaverse. In this paper, we first introduce the primary components of the metaverse infrastructure and summarize the security risks faced by the metaverse infrastructure. Then we provide some guides for establishing a comprehensive security protection system for the metaverse in terms of computing, digital assets, terminals, etc. Digitalization makes the human society “smarter”, but it also makes the security more “vulnerable”. The metaverse is the new form and engine of the digital economy. While it brings opportunities for development, it also brings certain risks. Phishing, certificate theft, privacy disclosure, ransom attacks, and other unresolved cybersecurity issues are likely to continue in the metaverse, and there may be risks unique to the metaverse. While we value the business opportunities brought by the metaverse, we should also focus on risk prevention, rationally analyze the new security risks brought by the metaverse, systematically design security strategies, and build the world of virtual participation with security concepts, principles, and privacy-based technologies. Especially for the security of the new infrastructure of the metaverse, we need to reasonably build a highly trusted security network, solve security vulnerabilities from chips, operating systems, and other underlying sources, use technology including blockchain, zero-trust, and privacy computing to establish a full lifecycle security system for digital assets, realize credible identity authentication and establish a secure mechanism for circulation of data elements, so as to build a secure base for the development of the metaverse.
Conflict of Interest
The authors declare that they have no conflict of interest.
No data are associated with this article.
Anmin Li conceived the paper, participated in its design and coordination, carried out the review and analysis of the new infrastructure of the metaverse, and participated in manuscript preparation; Xiaohui Yao carried out the review and analysis of the security risks in the new infrastructure of the metaverse, proposed to build the security system of metaverse, and participated in manuscript preparation; Haiying Gu carried out the review and analysis of the system security of the metaverse, and participated in manuscript preparation; Yungeng Zhang and Yuan Chang helped perform the analysis on the security risks in the new infrastructure of the metaverse with constructive discussions, and participated in manuscript preparation. All authors read and approved the final manuscript.
We thank the anonymous reviewers for their helpful comments.
This research did not receive any funding.
1. Yang C and Zhu L. Metaverse security: Safeguarding the integration of virtual and real worlds. Inf Commun Technol 2022; 16: 3.
2. Wang H, Li Y and Li Y. Research on evolution and security risk of metaverse. Chin J Network Inf Secur 2022; 2: 8.
3. Tong Z, Ye F and Yan M et al. A survey on algorithms for intelligent computing and smart city applications. Big Data Mining Anal 2021; 4: 155–72.
4. Li Z. Cloud-Network Integration: Digital Information Infrastructure in the Age of Computility. Beijing: CITIC Press, 2022.
5. Lahiri U. Cybersecurity and the metaverse: Guardians of the new digital world, https://hackernoon.com/cybersecurity-and-the-metaverse-guardians-of-the-new-digital-world.
6. Shen Y. Metaverse and national data security: Challenges and trends in building an ecological governance system. China Inf Secur 2022; 1: 70–2.
7. Gao Y and Yang D. Addressing the metaverse challenge: A three-dimensional structural paradigm for integrated data security governance. Administration Reform. 2022; 3: 10.
8. Lee L-H, Braud T and Zhou P et al. All one needs to know about metaverse: A complete survey on technological singularity, virtual ecosystem, and research agenda. ArXiv preprint [arXiv:2110.05352], 2021.
9. Lu J. Beware of the risks and dangers of the “metaverse fever” and promote the healthy and sustainable development of the metaverse industry. http://www.cssn.cn/zx/bwyc/202203/t20220325_5400581.shtml.
10. Han S, Pu B and Li S et al. Application of block chain technology in digital asset security transaction. Comput Syst Appl 2018; 27: 5.
11. Han Y. Characteristics and security challenges of non-homogenous tokens for digital ledger technology. China Inf Secur 2022; 000: 001.
12. He B, Kang C and Zhang Y. Blockchain security risks and its regulatory practices. China Inf Secur 2021; 135: 43–47.
13. Cao X. Research on metaverse development and security risk. China Inf Secur 2022; 151: 90–93.
14. Hu F and Hei X. AI, Machine Learning and Deep Learning: A Security Perspective. CRC Press, 2023.
15. Gao Y, Li Y and Zhu L et al. Not all samples are born equal: Towards effective clean-label backdoor attacks. Pattern Recognit 2023; 139: 109512.
16. Alismail A, Altulaihan E and Rahman MMH et al. A systematic literature review on cybersecurity threats of virtual reality (vr) and augmented reality (ar). In: Data Intelligence and Cognitive Informatics: Proceedings of ICDICI 2022, 761–74.
17. Kroll JA, Huey J and Barocas S et al. Accountable algorithms. Univ Pennsylvania. Law Rev 2017; 165: 633–705.
18. Han J, Liu Z and Lyu Q et al. Metasecurity: A framework for metaverse security based on parallel security. J Command Control 2022; 8: 3.
19. Lee J, Bagheri B and Kao H-A. A cyber-physical systems architecture for industry 4.0-based manufacturing systems. Manuf Lett 2015; 3: 18–23.
20. Ross R, Pillitteri V and Graubart R et al. Developing cyber resilient systems: a systems security engineering approach. Tech. Rep., National Institute of Standards and Technology, 2019.
21. Louin D, Kelly S and Krishnaswamy P et al. Tnc if-tnccs: Tlv binding version 2.0, revision 8. TCG, 2013.
22. Rose S, Borchert O and Mitchell S et al. Zero trust architecture. Tech. Rep., National Institute of Standards and Technology; 2020.
23. Wang Z. Application and analysis of security–chip in intelligent terminal. China Internet 2016; 08: 19–22.
24. Shi W and Sun Y. The development of research on secure operating systems. Comput Sci 2002; 29: 5.
25. Shi W and Sun Y. The development of research on secure operating systems. Comput Sci 2002; 29: 9.
26. Rawat DB, Doku R and Garuba M. Cybersecurity in big data era: From securing big data to data-driven security. IEEE Trans Serv Comput 2019; 14: 2055–72.
27. Alshamrani SS and Basha AF. Iot data security with dna-genetic algorithm using blockchain technology. Int J Comput Appl Technol 2021; 65: 150–9.
28. Zheng X and Cai Z. Privacy-preserved data sharing towards multiple parties in industrial iots. IEEE J Sel Areas Commun 2020; 38: 968–79.
29. Chen Y, Shen C and Wang Q et al. Security and privacy risks in artificial intelligence systems. J Comput Res Dev 2019; 56: 2135.
30. Han J, Liu Z and Lv Q et al. Metasecurity: A framework for metaverse security based on parallel security. J Command Control 2022; 8: 249.
31. Yang L, Chen S and Wang X et al. Digital twins and parallel systems: State of the art, comparisons and prospect. Acta Autom Sin 2019; 45: 2001–31.
Anmin Li, male, born in December 1969, is a State Department special allowance expert, Ph.D., professorate senior engineer. He is currently the Vice President of the Research Institute of China Telecom, and has served as the President of Shanghai Research Institute of China Telecom and the General Manager of the Information Security Department of China Telecom. He is the chairman of the Metaverse Working Committee of China Mobile Communications Association and the main member of the Metaverse 30 Forum. He has won one first prize and two second prizes for national management innovation awards, one first prize and five second prizes for provincial or ministerial science and technology progress awards, and has published more than 20 papers in core journals and 5 books at home and abroad. He has taken the lead in organizing more than ten major scientific research projects and key product development at national or provincial levels, has organized the design and establishment of China Telecom's information security management system, has taken the lead in the successful bid for the National Engineering Laboratory of Mobile Internet System and Application Security for China Telecom, and has won the first National Outstanding Talent Award for Network Information Security.
Xiaohui Yao, male, born in July 1979, graduated from the Department of Communication Engineering at Beijing University of Posts and Telecommunications. Currently, he serves as the Operations Director of China Telecom Cloud Network Security Laboratory. He has been engaged in technical research and development in the fields of informatization, big data, cloud computing, and information security for China Telecom enterprises for a long time. He has participated in or led the research and implementation of projects such as China Telecom's management support system, enterprise data warehouse, big data marketing, and cloud network security planning, and has published over 10 papers in core journals both domestically and internationally.
Haiying Gu, female, graduated from Shanghai Jiao Tong University with a master's degree in Power Electronics and is a senior engineer. Currently serving as the Chief Engineer of the Cloud Network Security Laboratory of China Telecom Research Institute, she has previously held positions such as Deputy Director of the Operations Support Department, Deputy Director of the Information Security Research Institute, and Director of the Market Research Center of Shanghai Telecom Research Institute. She has been engaged in strategic research, industry and market analysis in the communication and information industry for a long time, has led a number of scientific research projects to completion, and has published more than 10 papers and 2 monographs in domestic and foreign journals as the lead author and the main author.
Yungeng Zhang is an engineer at the Research Institute of China Telecom. He received his PhD in Intelligence Science and Technology from Peking University, in 2022. He received his Bachelor Degree in Electronic and Information Science and Technology from Peking University, in 2017. His research interests encompass Artificial Intelligence, Computer Vision and Image processing. He has published papers in important conferences and journals, including IEEE TMI, IEEE TCI, MedIA, AAAI, MICCAI, etc.
Yuan Chang is an engineer at the Research Institute of China Telecom. He received his Ph.D. in Computer Software and Theory from Peking University, in 2022. He received his Bachelor's Degree from the School of Mathematical Sciences, University of Science and Technology of China, in 2016. His research interests encompass Artificial Intelligence, Computer Vision, and Computer Graphics. He has published papers in important conferences and journals, including ACM MM, IEEE ICASSP, CVM, etc.