CN110120978A - A kind of method for security protection of elasticity user's cloud computing resources - Google Patents
- Publication number: CN110120978A (application no. CN201910412090.8A)
- Authority: CN (China)
- Prior art keywords: user, node, security, bandwidth, sfi
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
Abstract
The invention discloses a method for security protection of elastic user cloud computing resources. The bandwidth a user will use over a coming period is predicted from the user's historical bandwidth usage, and the security processing resources corresponding to the difference between the predicted bandwidth and the nominal bandwidth are used to provide the same security service for other users. When the original user's usage exceeds the predicted bandwidth, new security processing resources are created immediately for the other users sharing those resources and their traffic is carried there, while the security service quality of the original user is guaranteed. In this way the cloud service provider gains the ability to dynamically allocate underlying security processing functions, can provide security guarantees both for users and for its own platform, and also saves virtualization resources.
Description
Technical field
The invention belongs to the field of network communication technology and, more specifically, relates to a method for security protection of elastic user cloud computing resources.
Background technique
With the continuous improvement of computing-platform hardware capabilities, virtualization technology has also matured. Over the past ten years, cloud computing has gradually developed into one of the major research and development directions of the IT field. The major Internet vendors have each launched their own cloud computing platforms, providing cloud computing services to small and medium-sized enterprises and individuals. Besides selling virtualized computing resources, cloud service providers also need to provide security guarantees for the virtualized services that users purchase.
Network Functions Virtualization (NFV) is a framework for separating software from hardware, proposed by the European Telecommunications Standards Institute (ETSI) from the perspective of network operators. Its main aim is to use standardized IT virtualization technology to carry various network software functions on industry-standard high-volume servers, storage and switches, achieving flexible loading of software so that functions can be deployed and configured flexibly at different locations such as data centers, network nodes and user terminals. NFV breaks the binding between the physical equipment layer and the logical service layer of the network: the virtual network elements that replace each virtualized physical device can be configured and managed to meet individual demands.
Using NFV can reduce or even remove the middleware deployed in existing networks, allows a single physical platform to run different applications, and lets users/tenants use network functions in a multi-version, multi-tenant fashion at the same time. NFV also supports completely new ways of realizing elasticity, service assurance, testing and diagnostics, and security monitoring. It promotes innovation in new network functions and services in a software network environment; NFV applies to any data-plane or control-plane function, in fixed or mobile networks, and is also suited to cases that require automatic management and configuration for scalability. To make fuller use of resources, virtualized cloud service providers generally wish to raise resource utilization and reduce the idle rate, thereby increasing revenue.
Currently, in the design and sales model of cloud computing, a user who purchases a virtualized computing service of a specified size obtains an exactly matching amount of virtualization resources. Once a user has purchased virtualized computing resources and is running their own network service, the cloud service provider usually also needs to provide network security services for it, to ensure the normal operation and access speed of that network service while protecting the security of the provider's own platform. This service has become a basic service of the major cloud service providers: even if a user has not purchased additional security processing functions, the most basic guarantee of secure network-service access must still be provided.
The resource overhead of this part of the virtualized network security functions can be autonomously controlled and elastically adjusted by the cloud service provider. At the same time, the data traffic of this part fluctuates considerably. For example, while a user is writing data into the virtualized computing resources, or when the user's network service reaches a peak period, there is a large data bandwidth requirement and a correspondingly large security bandwidth requirement; when the user's service begins computing on the newly written data, or the network service enters a trough, most of the communication bandwidth is idle, and if the user has been allocated large security processing resources sized for the peak-period bandwidth, this results in great waste.
Summary of the invention
The object of the present invention is to overcome the deficiencies of the prior art and provide a method for security protection of elastic user cloud computing resources that makes full use of idle virtualization resources and realizes dynamic processing when user traffic increases sharply.
To achieve the above object, the method for security protection of elastic user cloud computing resources of the present invention is characterized by comprising the following steps:
(1) Initialize the network topology G
(1.1) Record the information of all nodes node in G, including the node number node_id and the node CPU quantity node_cpu_num;
(1.2) Record the information of all links edge in G, including the link number edge_id, the link bandwidth capacity edge_bw and the link weight W, and initialize W=1;
(2) Set up the security service function CPU-BW mapping table set
One CPU-BW mapping table is set for each kind of security service function; the CPU-BW mapping tables corresponding to all types of security service functions constitute the security service function CPU-BW mapping table set;
(3) Set up the K-shortest-path (K-Shortest Path, KSP) multi-level index data structure ksp_dict, in which the index is formed by the start node number and the terminal node number: the first-level index is the start node number, the second-level index is the terminal node number, and the corresponding value is the K-shortest-path information;
(4) Set up the user security requirement set T and the user security solution set S
(4.1) Set up the user security requirement set T and initialize T to the empty set; the elements stored in T are user security requirements t, where t includes the start node number, the terminal node number, the requested bandwidth capacity and the security processing service function type sequence SF, in the format SF={sf_1, sf_2, …, sf_u}, u user security processing service function types sf in total;
(4.2) Set up the user security solution set S and initialize S to the empty set; the elements stored in S are user security solutions s, where s includes the total bandwidth bw_sum that can currently be processed, the set R_SUM of the total CPU quantities occupied by each security service function, and the security service function chain set SFC;
The format of R_SUM is R_SUM={r_1, r_2, …, r_u}, where r_u denotes the total CPU quantity occupied by the u-th user security processing service function;
The format of SFC is SFC={sfc_1, sfc_2, …, sfc_q}, all security service function chains being arranged in order of increasing chain length, where sfc_q denotes the q-th security service function chain sfc;
Further, each security service function chain sfc includes a security service function instance set SFI in the format SFI={sfi_1, sfi_2, …, sfi_u}, where sfi_u denotes the u-th user security processing service function instance sfi; each sfi in turn includes the occupied CPU quantity set R, the bandwidth bw it can handle and the corresponding path PATH. The format of R is R={r_1, r_2, …, r_u}, and the format of PATH is PATH={node_id_0, node_id_1, …, node_id_v}, where node_id_0 is the start node number and node_id_v is the terminal node number;
(5) Process the user security requirements
(5.1) Start a security-requirement listening thread and monitor whether T contains an unprocessed user security requirement t; if so, take out the unprocessed t and go to step (5.2); otherwise go to step (6);
(5.2) Set up the user security solution s corresponding to the user security requirement t, and initialize the value of bw_sum in s to the value of bw; obtain the CPU-BW mapping table of the security service function of the corresponding type, look up through bw_sum the CPU quantity that security service function type requires, and assign it to r in R; initialize SFC to the empty set;
(5.3) According to the start node number and the terminal node number of t, find in ksp_dict the K shortest paths between the corresponding start node and terminal node;
(5.4) From the K shortest paths, select the path whose minimum remaining link bandwidth is greater than bw, on which the remaining CPU quantity of every node is greater than the CPU quantity required to deploy the security service functions, and whose path length is shortest; denote it sp;
(5.5) Deploy the sfi of each type in turn on the nodes of sp with sufficient remaining CPU quantity, then assign to each such node the difference between its remaining CPU quantity and the CPU quantity consumed by the newly created sfi as that node's remaining CPU quantity;
(5.6) Traverse every link edge in sp and assign to each link the difference between its remaining bandwidth and bw_sum as that link's remaining bandwidth;
(5.7) Add sfc to SFC and add s to S, then return to step (5.1);
(6) Process the service bandwidth
(6.1) Set a traversal factor i and initialize i to 1;
(6.2) If i is less than or equal to the size of the set S, execute step (6.3); otherwise go to step (6.4);
(6.3) Take the i-th solution s in S and perform elastic management on s;
(6.3.1) Set the surplus bandwidth bw_rest and initialize bw_rest to bw_sum minus the current bandwidth of the user service data corresponding to s;
(6.3.2) Assign the current bandwidth of the user service data corresponding to s to bw_sum;
(6.3.3) Set a traversal factor j and initialize j to the size of the set SFC;
(6.3.4) Compare the size of the traversal factor j: if j is greater than 0, take the j-th sfc in SFC and execute the following sub-steps on it; otherwise go to step (6.3.5);
(6.3.4.1) Set the bandwidth to be released bw_release: if bw_rest is less than bw, initialize bw_release to bw_rest; otherwise initialize bw_release to bw;
(6.3.4.2) Assign the difference bw minus bw_release back to bw; if bw after assignment is 0, remove the sfc from SFC; meanwhile, obtain the corresponding CPU-BW mapping table according to the security service function type of each sfi, look up through the bandwidth bw_release the CPU quantity by which the security service function can be reduced, and decrement the CPU quantity value r of each sfi accordingly;
(6.3.4.3) Assign the difference bw_rest minus bw_release back to bw_rest; if bw_rest after assignment is 0, go to step (6.4);
(6.3.4.4) Decrement j by 1 and go to step (6.3.4);
(6.3.5) Increment i by 1 and go to step (6.2);
(6.4) Re-initialize i to 1;
(6.5) If i is less than or equal to the current number of sfi, take out the i-th sfi and execute the following sub-steps; otherwise go to step (7);
(6.5.1) Set the elastic optimization range of the current sfi to the intersection of the links of all sfc associated with this sfi;
(6.5.2) Within the elastic optimization range, find the sfi of the same type and compute the merging benefit of each combinable sfi as an alternative;
(6.5.3) Judge whether an alternative currently exists in the elastic optimization range; if so, select the alternative and merge the multiple sfi, then assign i to 1 and go to step (7); otherwise increment i by 1 and return to step (6.5);
(7) Elastic resource management
(7.1) Examine in turn the bandwidth of all user service data and find the first user whose service-data bandwidth exceeds the total bandwidth bw_sum that the user's corresponding security solution s can process, then go to step (7.2); if no such user is found among all users, go to step (8);
(7.2) Set the bandwidth capacity bw_add by which the security service needs to be increased, and initialize bw_add to the found user's service-data bandwidth minus the total bandwidth bw_sum that the user's corresponding security solution s can process;
(7.3) Modify the user security solution s: assign the sum of bw_sum and bw_add back to bw_sum; then obtain the corresponding CPU-BW mapping table according to the security service function of the corresponding type, look up through bw_sum the CPU quantity that security service function type requires, and assign it to r in R;
(7.4) According to the start node number and the terminal node number of t, find in ksp_dict the K shortest paths between the corresponding start node and terminal node;
(7.5) From the K shortest paths, select the path whose minimum remaining link bandwidth is greater than bw_add, on which the remaining CPU quantity of every node is greater than the CPU quantity required to deploy the security service functions, and whose path length is shortest; denote it sp*;
(7.6) Deploy the sfi of each type in turn on the nodes of sp* with sufficient remaining CPU quantity, then assign to each such node the difference between its remaining CPU quantity and the CPU quantity consumed by the newly created sfi as that node's remaining CPU quantity;
(7.7) Traverse every link edge in sp* and assign to each link the difference between its remaining bandwidth and bw_sum as that link's remaining bandwidth;
(7.8) Add sfc to SFC, then repeat step (7.1);
(8) The security service for the elastic user cloud computing resources ends.
The object of the invention is achieved as follows:
The method for security protection of elastic user cloud computing resources of the present invention predicts, from the user's historical bandwidth usage, the bandwidth the user will use over a coming period, and then uses the security processing resources corresponding to the difference between the predicted bandwidth and the nominal bandwidth to provide the same security service for other users. When the original user's usage exceeds the predicted bandwidth, new security processing resources are created immediately for the other users sharing those resources and their traffic is carried there, while the security service quality of the original user is guaranteed. In this way the cloud service provider gains the ability to dynamically allocate underlying security processing functions, can provide security guarantees for users and for its own platform, and also saves virtualization resources.
Meanwhile a kind of method for security protection of elastic user's cloud computing resources of the present invention also has the advantages that
(1), high usage;Elastic safety guard method proposed by the invention is being protected in conjunction with virtual machine and container technique
While hindering existing security service, computing resource can be more made full use of.
(2), reliability;The present invention has ensured when user traffic flow increases while providing security function service
Securely and reliably.
(3), compatible;The present invention does not have special limitation requirement to the cloud service support platform of bottom, only for required
Security service deployment optimized with scheduling.
Detailed description of the invention
Fig. 1 is a flow chart of the method for security protection of elastic user cloud computing resources of the present invention;
Fig. 2 is a flow chart of the user security requirement processing;
Fig. 3 is a flow chart of the service bandwidth processing;
Fig. 4 is a flow chart of the elastic resource management.
Specific embodiment
A specific embodiment of the invention is described below with reference to the accompanying drawings so that those skilled in the art can better understand the invention. It should be noted that, in the following description, detailed descriptions of known functions and designs are omitted where they might obscure the main content of the invention.
Embodiment
Fig. 1 is a flow chart of the method for security protection of elastic user cloud computing resources of the present invention.
In this embodiment, as shown in Fig. 1, the method for security protection of elastic user cloud computing resources of the present invention comprises the following steps:
S1. Initialize the network topology G
The security protection network is the basis on which security protection is provided for cloud computing resources. Its topology consists of switching equipment (physical switches), computing equipment (physical servers) and physical links. The switching equipment and the physical links form the switching network; each switching device connects several computing devices through physical links, and a computing device can connect to only one switching device;
S1.1. Record the information of all nodes node in G. A node is a logical concept formed by integrating a switching device with all the computing devices connected to it; the node information includes the node number node_id and the node CPU quantity node_cpu_num;
S1.2. Record the information of all links edge in G, including the link number edge_id, the link bandwidth capacity edge_bw and the link weight W, and initialize W=1.
S2. Set up the security service function CPU-BW mapping table set
One CPU-BW mapping table is set for each kind of security service function; the CPU-BW mapping tables corresponding to all types of security service functions constitute the security service function CPU-BW mapping table set. The security service function CPU-BW mapping table supports bidirectional indexing and stores, for each kind of security service function, the CPU quantity it requires and the corresponding maximum bandwidth capacity BW.
S3. Set up the K-shortest-path (K-Shortest Path, KSP) multi-level index data structure ksp_dict. The K-shortest-path information is a list of K shorter-path entries arranged in order of increasing path length, each entry being stored as the numbers of all nodes traversed between the start node and the terminal node. In ksp_dict the index is formed by the start node number and the terminal node number: the first-level index is the start node number, the second-level index is the terminal node number, and the corresponding value is the K-shortest-path information.
S4. Set up the user security requirement set T and the user security solution set S
S4.1. Set up the user security requirement set T and initialize T to the empty set; the elements stored in T are user security requirements t, where t includes the start node number, the terminal node number, the requested bandwidth capacity and the security processing service function type sequence SF, in the format SF={sf_1, sf_2, …, sf_u}, u user security processing service function types sf in total;
S4.2. Set up the user security solution set S and initialize S to the empty set; the elements stored in S are user security solutions s, where s includes the total bandwidth bw_sum that can currently be processed, the set R_SUM of the total CPU quantities occupied by each security service function, and the security service function chain set SFC;
The format of R_SUM is R_SUM={r_1, r_2, …, r_u}, where r_u denotes the total CPU quantity occupied by the u-th user security processing service function;
The format of SFC is SFC={sfc_1, sfc_2, …, sfc_q}, all security service function chains being arranged in order of increasing chain length, where sfc_q denotes the q-th security service function chain sfc;
Further, each security service function chain sfc includes a security service function instance set SFI in the format SFI={sfi_1, sfi_2, …, sfi_u}, where sfi_u denotes the u-th user security processing service function instance sfi; each sfi in turn includes the occupied CPU quantity set R, the bandwidth bw it can handle and the corresponding path PATH. The format of R is R={r_1, r_2, …, r_u}, and the format of PATH is PATH={node_id_0, node_id_1, …, node_id_v}, where node_id_0 is the start node number and node_id_v is the terminal node number;
S5. Process the user security requirements, as shown in Fig. 2;
S5.1. Start a security-requirement listening thread and monitor whether T contains an unprocessed user security requirement t; if so, take out the unprocessed t and go to step S5.2; otherwise go to step S6;
S5.2. Set up the user security solution s corresponding to the user security requirement t, and initialize the value of bw_sum in s to the value of bw; obtain the CPU-BW mapping table of the security service function of the corresponding type, look up through bw_sum the CPU quantity that security service function type requires, and assign it to r in R; initialize SFC to the empty set;
S5.3. According to the start node number and the terminal node number of t, find in ksp_dict the K shortest paths between the corresponding start node and terminal node;
S5.4. From the K shortest paths, select the path whose minimum remaining link bandwidth is greater than bw, on which the remaining CPU quantity of every node is greater than the CPU quantity required to deploy the security service functions, and whose path length is shortest; denote it sp;
S5.5. Deploy the sfi of each type in turn on the nodes of sp with sufficient remaining CPU quantity, then assign to each such node the difference between its remaining CPU quantity and the CPU quantity consumed by the newly created sfi as that node's remaining CPU quantity;
S5.6. Traverse every link edge in sp and assign to each link the difference between its remaining bandwidth and bw_sum as that link's remaining bandwidth;
S5.7. Add sfc to SFC and add s to S, then return to step S5.1;
S6. Process the service bandwidth; the detailed flow is shown in Fig. 3;
S6.1. Set a traversal factor i and initialize i to 1;
S6.2. If i is less than or equal to the size of the set S, execute step S6.3; otherwise go to step S6.4;
S6.3. Take the i-th solution s in S and perform elastic management on s;
S6.3.1. Set the surplus bandwidth bw_rest and initialize bw_rest to bw_sum minus the current bandwidth of the user service data corresponding to s;
S6.3.2. Assign the current bandwidth of the user service data corresponding to s to bw_sum;
S6.3.3. Set a traversal factor j and initialize j to the size of the set SFC;
S6.3.4. Compare the size of the traversal factor j: if j is greater than 0, take the j-th sfc in SFC and execute the following sub-steps on it; otherwise go to step S6.3.5;
S6.3.4.1. Set the bandwidth to be released bw_release: if bw_rest is less than bw, initialize bw_release to bw_rest; otherwise initialize bw_release to bw;
S6.3.4.2. Assign the difference bw minus bw_release back to bw; if bw after assignment is 0, remove the sfc from SFC; meanwhile, obtain the corresponding CPU-BW mapping table according to the security service function type of each sfi, look up through the bandwidth bw_release the CPU quantity by which the security service function can be reduced, and decrement the CPU quantity value r of each sfi accordingly;
S6.3.4.3. Assign the difference bw_rest minus bw_release back to bw_rest; if bw_rest after assignment is 0, go to step S6.4;
S6.3.4.4. Decrement j by 1 and go to step S6.3.4;
S6.3.5. Increment i by 1 and go to step S6.2;
S6.4. Re-initialize i to 1;
S6.5. If i is less than or equal to the current number of sfi, take out the i-th sfi and execute the following sub-steps; otherwise go to step S7;
S6.5.1. Set the elastic optimization range of the current sfi to the intersection of the links of all sfc associated with this sfi;
S6.5.2. Within the elastic optimization range, find the sfi of the same type and compute the merging benefit of each combinable sfi as an alternative;
In this embodiment the merging benefit is computed as follows: the resources occupied by each sfi are integer values, whereas the resources consumed by a given service function type of the service function chains it carries are floating-point values; therefore, when the idle resource portions of several related sfi are merged, integer resource units can be released once the merged idle amount exceeds 1. The merging overhead is mainly the cost required to merge the sfi and can be determined according to the actual system.
S6.5.3. Judge whether an alternative currently exists in the elastic optimization range; if so, select the alternative and merge the multiple sfi, then assign i to 1 and go to step S7; otherwise increment i by 1 and return to step S6.5;
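The release pass of steps S6.1 to S6.3.5, written out as an added example (this is not code from the patent). It walks one solution s from the longest chain downward, since SFC is kept in increasing length order and j starts at its size, and shrinks bw and the per-sfi CPU share r as the surplus bw_rest is handed back. Where the text says the CPU reduction is "looked up through bw_release", the example reads that as the difference between the table's CPU quantity for the chain's old bandwidth and for its new bandwidth, which is an assumption; the table values, chain contents and traffic figures are constructed, and the merge search of S6.4 to S6.5.3 is left out because the page defines it only qualitatively.

```python
"""Added example: the bandwidth-release pass of S6.1-S6.3.5 for one solution.
Every table value, chain and traffic figure below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# S2 tables: per function type, (cpu_quantity, max_bandwidth) sorted by CPU.
CPU_BW_TABLES: Dict[str, List[Tuple[int, int]]] = {
    "firewall": [(1, 100), (2, 250), (4, 600)],
    "ids": [(1, 50), (2, 120), (4, 300), (8, 700)],
}


def cpu_for_bandwidth(sf_type: str, bw: int) -> int:
    """Smallest CPU quantity whose capacity covers bw; 0 when nothing is carried."""
    if bw <= 0:
        return 0
    for cpu, max_bw in CPU_BW_TABLES[sf_type]:
        if max_bw >= bw:
            return cpu
    raise ValueError(f"{sf_type}: no table entry handles {bw}")


@dataclass
class SFI:
    sf_type: str
    node_id: int
    r: int   # CPU quantity occupied
    bw: int  # bandwidth this instance handles


@dataclass
class Solution:
    bw_sum: int
    SFC: List[List[SFI]]  # chains in increasing length order (S4.2)


def release_bandwidth(s: Solution, current_bw: int) -> int:
    """S6.3.1-S6.3.4.4 on one solution; returns the bandwidth released."""
    bw_rest = s.bw_sum - current_bw            # S6.3.1: surplus
    if bw_rest <= 0:
        return 0
    s.bw_sum = current_bw                      # S6.3.2
    released = 0
    j = len(s.SFC)                             # S6.3.3: longest chain first
    while j > 0 and bw_rest > 0:               # S6.3.4 / S6.3.4.3 exit
        sfc = s.SFC[j - 1]
        bw = sfc[0].bw                         # all sfi of a chain carry its bw
        bw_release = min(bw_rest, bw)          # S6.3.4.1
        new_bw = bw - bw_release               # S6.3.4.2
        for sfi in sfc:
            # assumption: CPU given back = table(cpu, old bw) - table(cpu, new bw)
            sfi.r -= cpu_for_bandwidth(sfi.sf_type, bw) - cpu_for_bandwidth(sfi.sf_type, new_bw)
            sfi.bw = new_bw
        if new_bw == 0:                        # chain no longer carries traffic
            del s.SFC[j - 1]
        bw_rest -= bw_release                  # S6.3.4.3
        released += bw_release
        j -= 1                                 # S6.3.4.4
    return released


def service_bandwidth_pass(S: Dict[str, Solution], current_bw: Dict[str, int]) -> Dict[str, int]:
    """S6.1-S6.3.5: elastic management of every solution in S."""
    return {uid: release_bandwidth(s, current_bw[uid]) for uid, s in S.items()}


def demo():
    """Constructed user with two chains sized for 220 whose traffic fell to 60."""
    s = Solution(bw_sum=220, SFC=[
        [SFI("firewall", 0, 1, 100), SFI("ids", 0, 2, 100)],
        [SFI("firewall", 2, 2, 120), SFI("ids", 2, 2, 120)],
    ])
    S = {"user-a": s}
    released = service_bandwidth_pass(S, {"user-a": 60})
    return released, S["user-a"]
```

In the constructed run the second chain gives back all 120 of its bandwidth and is removed, and the first chain drops from 100 to 60; the firewall and ids table entries for 60 and 100 fall in the same CPU band, so the first chain's r values do not change, which is the kind of step-wise release a CPU-BW table produces.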
S7. Elastic resource management; the detailed flow is shown in Fig. 4;
S7.1. Examine in turn the bandwidth of all user service data and find the first user whose service-data bandwidth exceeds the total bandwidth bw_sum that the user's corresponding security solution s can process, then go to step S7.2; if no such user is found among all users, go to step S8;
S7.2. Set the bandwidth capacity bw_add by which the security service needs to be increased, and initialize bw_add to the found user's service-data bandwidth minus the total bandwidth bw_sum that the user's corresponding security solution s can process;
S7.3. Modify the user security solution s: assign the sum of bw_sum and bw_add back to bw_sum; then obtain the corresponding CPU-BW mapping table according to the security service function of the corresponding type, look up through bw_sum the CPU quantity that security service function type requires, and assign it to r in R;
S7.4. According to the start node number and the terminal node number of t, find in ksp_dict the K shortest paths between the corresponding start node and terminal node;
S7.5. From the K shortest paths, select the path whose minimum remaining link bandwidth is greater than bw_add, on which the remaining CPU quantity of every node is greater than the CPU quantity required to deploy the security service functions, and whose path length is shortest; denote it sp*;
S7.6. Deploy the sfi of each type in turn on the nodes of sp* with sufficient remaining CPU quantity, then assign to each such node the difference between its remaining CPU quantity and the CPU quantity consumed by the newly created sfi as that node's remaining CPU quantity;
S7.7. Traverse every link edge in sp* and assign to each link the difference between its remaining bandwidth and bw_sum as that link's remaining bandwidth;
S7.8. Add sfc to SFC, then repeat step S7.1;
S8. The security service for the elastic user cloud computing resources ends.
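The deployment procedure shared by steps S5 (a new requirement sized to bw) and S7 (a scale-up sized to bw_add), written out as one added example; it is not code from the patent. The topology G of S1, the CPU-BW tables of S2 and ksp_dict of S3 are modelled as plain dicts, the path filter of S5.4/S7.5 keeps the first K-path whose minimum remaining link bandwidth exceeds the requested bandwidth and whose nodes can host the whole chain, and the bookkeeping of S5.5 to S5.7 and S7.6 to S7.8 decrements node CPU and link bandwidth. Two points are the author's assumptions rather than the page's text: functions are placed on a path by greedy first fit, and the new path is charged only the bandwidth the new chain carries (bw in S5, bw_add in S7), which is how S7.7 is read here. All names, table values and the 4-node topology are constructed.

```python
"""Added example: chain deployment for S5 (bw) and S7 (bw_add).
Every name, table value and topology figure below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# S2 tables: per function type, (cpu_quantity, max_bandwidth) sorted by CPU.
CPU_BW_TABLES: Dict[str, List[Tuple[int, int]]] = {
    "firewall": [(1, 100), (2, 250), (4, 600)],
    "ids": [(1, 50), (2, 120), (4, 300), (8, 700)],
}

def cpu_for_bandwidth(sf_type: str, bw: int) -> int:
    """S5.2 / S7.3 lookup: smallest CPU quantity whose capacity covers bw."""
    for cpu, max_bw in CPU_BW_TABLES[sf_type]:
        if max_bw >= bw:
            return cpu
    raise ValueError(f"{sf_type}: no table entry handles {bw}")

@dataclass
class Topology:
    """S1; node_cpu and edge_bw hold the *remaining* CPU and bandwidth."""
    node_cpu: Dict[int, int]
    edge_bw: Dict[Tuple[int, int], int]  # undirected link keyed (low, high)

    def link(self, a: int, b: int) -> Tuple[int, int]:
        return (a, b) if a < b else (b, a)

@dataclass
class SFI:
    sf_type: str
    node_id: int
    r: int   # CPU quantity occupied
    bw: int  # bandwidth this instance handles

@dataclass
class Solution:
    """S4.2: user security solution s."""
    bw_sum: int
    R_SUM: Dict[str, int] = field(default_factory=dict)
    SFC: List[List[SFI]] = field(default_factory=list)

def first_fit(G: Topology, path: List[int], cpu_needed: Dict[str, int]) -> Optional[Dict[str, int]]:
    """Assumed placement rule for S5.5: each type on the first path node with
    enough spare CPU; None if the path cannot host the whole chain."""
    spare = {n: G.node_cpu[n] for n in path}
    placement: Dict[str, int] = {}
    for sf, cpu in cpu_needed.items():
        node = next((n for n in path if spare[n] >= cpu), None)
        if node is None:
            return None
        spare[node] -= cpu
        placement[sf] = node
    return placement

def select_path(G: Topology, ksp: List[List[int]], bw_needed: int, cpu_needed: Dict[str, int]):
    """S5.4 / S7.5: first (shortest) K-path whose minimum remaining link
    bandwidth exceeds bw_needed and whose nodes can host the chain."""
    for path in ksp:  # ksp_dict entries are ordered by increasing length (S3)
        links = [G.link(a, b) for a, b in zip(path, path[1:])]
        if min(G.edge_bw[l] for l in links) <= bw_needed:
            continue
        placement = first_fit(G, path, cpu_needed)
        if placement is not None:
            return path, placement
    return None

def deploy_chain(G: Topology, ksp: List[List[int]], s: Solution, SF: List[str], bw_needed: int) -> bool:
    """S5.2-S5.7 with bw_needed = bw, or S7.3-S7.8 with bw_needed = bw_add."""
    cpu_needed = {sf: cpu_for_bandwidth(sf, bw_needed) for sf in SF}
    found = select_path(G, ksp, bw_needed, cpu_needed)
    if found is None:
        return False
    path, placement = found
    sfc: List[SFI] = []
    for sf in SF:
        G.node_cpu[placement[sf]] -= cpu_needed[sf]       # S5.5 / S7.6
        s.R_SUM[sf] = s.R_SUM.get(sf, 0) + cpu_needed[sf]
        sfc.append(SFI(sf, placement[sf], cpu_needed[sf], bw_needed))
    for a, b in zip(path, path[1:]):
        G.edge_bw[G.link(a, b)] -= bw_needed               # S5.6 / S7.7 (assumed: new chain's bw)
    s.SFC.append(sfc)                                      # S5.7 / S7.8
    s.SFC.sort(key=len)                                    # keep S4.2 ordering
    return True

def process_demands(G: Topology, ksp_dict, T: list, S: list) -> list:
    """S5.1-S5.7: drain requirements t = (src, dst, bw, SF) from T into S."""
    while T:
        src, dst, bw, SF = T.pop(0)
        s = Solution(bw_sum=bw)
        if deploy_chain(G, ksp_dict[src][dst], s, SF, bw):
            S.append((src, dst, SF, s))
    return S

def scale_up(G: Topology, ksp_dict, S: list, current_bw: Dict[Tuple[int, int], int]):
    """S7.1-S7.8 for the first user whose traffic exceeds bw_sum."""
    for src, dst, SF, s in S:
        bw_add = current_bw[(src, dst)] - s.bw_sum         # S7.1 / S7.2
        if bw_add <= 0:
            continue
        if deploy_chain(G, ksp_dict[src][dst], s, SF, bw_add):
            s.bw_sum += bw_add                             # S7.3
        return s
    return None

def demo():
    """Constructed 4-node topology with two equal-length paths from 0 to 3."""
    G = Topology(node_cpu={0: 4, 1: 4, 2: 4, 3: 4},
                 edge_bw={(0, 1): 200, (1, 3): 200, (0, 2): 150, (2, 3): 150})
    ksp_dict = {0: {3: [[0, 1, 3], [0, 2, 3]]}}            # S3
    T = [(0, 3, 100, ["firewall", "ids"])]                 # S4.1 requirement
    S = process_demands(G, ksp_dict, T, [])
    s = scale_up(G, ksp_dict, S, {(0, 3): 220})            # traffic grew to 220
    return G, S, s
```

In the constructed run the first chain lands on node 0 over path 0-1-3 and leaves 100 on each of its links; the scale-up needs bw_add = 120, so the path filter rejects 0-1-3 and places the second chain on node 2 over 0-2-3, which is the "new resources created on a different path" behaviour the summary describes.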
Although illustrative specific embodiments of the present invention have been described above so that those skilled in the art can understand the invention, it should be clear that the invention is not limited to the scope of the specific embodiments. To those of ordinary skill in the art, various changes that remain within the spirit and scope of the invention as defined and determined by the appended claims will be apparent, and all innovations and creations that make use of the inventive concept fall within the scope of protection.
Claims (4)
1. A security protection method for elastic user cloud computing resources, characterized by comprising the following steps:
(1) Initialize the network topology G;
(1.1) Record the information of all nodes node in G, including the node number node_id and the node CPU quantity node_cpu_num;
(1.2) Record the information of all links edge in G, including the link number edge_id, the link bandwidth capacity edge_bw and the link weight W, and initialize W=1;
(2) Set the security service function CPU-BW mapping table set;
Set one CPU-BW mapping table for each kind of security service function; the CPU-BW mapping tables corresponding to all types of security service functions constitute the security service function CPU-BW mapping table set;
(3) Set the K-Shortest Path (KSP) multi-level index data structure ksp_dict, in which the K shortest paths are indexed by start node number and terminal node number: the first-level index is the start node number, the second-level index is the terminal node number, and the corresponding value is the K shortest path information;
(4) Set the user security requirement set T and the user security solution set S;
(4.1) Set the user security requirement set T and initialize T as the empty set; the elements stored in T are user security requirements t, and each t comprises a start node number, a terminal node number, a bandwidth application capacity and a security processing service function type sequence SF, whose format is SF={sf_1, sf_2, …, sf_u}, u user security processing service function types sf in total;
(4.2) Set the user security solution set S and initialize S as the empty set; the elements stored in S are user security solutions s, and each s comprises the total bandwidth bw_sum that can currently be processed, the set R_SUM of the total CPU quantity occupied by each security service function, and the security service function chain set SFC;
the format of R_SUM is R_SUM={r_1, r_2, …, r_u}, where r_u denotes the total CPU quantity occupied by the u-th user security processing service function;
the format of SFC is SFC={sfc_1, sfc_2, …, sfc_q}, where all security service function chains are arranged in increasing order of chain length and sfc_q denotes the q-th security service function chain sfc;
further, each security service function chain sfc comprises a security service function instance set SFI with the format SFI={sfi_1, sfi_2, …, sfi_u}, where sfi_u denotes the security service function instance sfi of the u-th user; each sfi in turn comprises the set R of occupied CPU quantities, the bandwidth bw it can handle and the corresponding path PATH; the format of R is R={r_1, r_2, …, r_u}, and the format of PATH is PATH={node_id_0, node_id_1, …, node_id_v}, where node_id_0 is the start node number and node_id_v is the terminal node number;
(5) Handle the user's security requirement;
(5.1) Open the security requirement listening thread and monitor whether there is an unprocessed user security requirement t in T; if so, take out the unprocessed t and enter step (5.2); otherwise go to step (6);
(5.2) Set the user security solution s corresponding to the user security requirement t and initialize the value of bw_sum in s to the value of bw; obtain the corresponding CPU-BW mapping table according to each corresponding type of security service function, look up in it the CPU quantity that type needs for bw_sum, and assign it to r in R; initialize SFC as the empty set;
(5.3) According to the start node number and terminal node number of t, find the K shortest paths between the corresponding start node and terminal node from ksp_dict;
(5.4) From the K shortest paths, screen out the path with the shortest length among those whose minimum remaining bandwidth is greater than bw and whose every node has a remaining CPU quantity greater than the CPU quantity needed to deploy the security service function, and denote it sp;
(5.5) Deploy the sfi of the multiple types in turn on the nodes of sp with sufficient remaining CPU quantity, then assign to each such node the difference of its remaining CPU quantity minus the CPU quantity consumed by the newly created sfi, as the node's remaining CPU quantity;
(5.6) Traverse each link edge in sp and assign to each link edge the difference of its remaining bandwidth minus bw_sum, as the remaining bandwidth of that link;
(5.7) Add sfc to SFC and add s to S, then return to step (5.1);
(6) Handle the service bandwidth;
(6.1) Set the traversal factor i and initialize i to 1;
(6.2) If i is less than or equal to the size of the set S, execute step (6.3); otherwise go to step (6.4);
(6.3) Take the i-th solution s in S and perform elastic management on s;
(6.3.1) Set the excess bandwidth bw_rest and initialize bw_rest to bw_sum minus the current bandwidth of the user service data corresponding to s;
(6.3.2) Assign bw_sum the value of the current bandwidth of the user service data corresponding to s;
(6.3.3) Set the traversal factor j and initialize j to the size of the set SFC;
(6.3.4) Compare the traversal factor j: if j is greater than 0, take the j-th sfc in SFC and execute the following sub-steps on it; otherwise go to step (6.3.5);
(6.3.4.1) Set the bandwidth to be released bw_release; if bw_rest is less than bw, initialize bw_release to bw_rest, otherwise initialize bw_release to bw;
(6.3.4.2) Assign the difference bw minus bw_release back to bw; if bw after assignment is 0, remove the sfc from SFC; meanwhile, obtain the corresponding CPU-BW mapping table according to the security service function type of each corresponding sfi, look up by the bandwidth amount bw_release the CPU quantity by which the security service function needs to be reduced, and subtract it from the corresponding CPU quantity value r of each sfi;
(6.3.4.3) Assign the difference bw_rest minus bw_release back to bw_rest; if bw_rest after assignment is 0, go to step (6.4);
(6.3.4.4) Decrement j by 1 and go to step (6.3.4);
(6.3.5) Increment i by 1 and go to step (6.2);
(6.4) Reinitialize i to 1;
(6.5) If i is less than or equal to the current number of sfi, take out the i-th sfi and execute the following sub-steps; otherwise go to step (7);
(6.5.1) Set the elastic optimization range of the current sfi to the intersection of the links of all sfc associated with the sfi;
(6.5.2) Within the elastic optimization range, find the sfi of the same type and calculate the consolidated income of each combinable sfi as alternatives;
(6.5.3) Judge whether an alternative currently exists within the elastic optimization range; if so, select the alternative and merge the multiple sfi, then assign i the value 1 and enter step (7); otherwise increment i by 1 and return to step (6.5);
(7) Resource elastic management;
(7.1) Examine the bandwidth amount of all user service data in turn and find the first user whose service data bandwidth exceeds the total bandwidth bw_sum that the user's corresponding security solution s can handle, then enter step (7.2); if no such user is found among all users, go to step (8);
(7.2) Set the bandwidth capacity bw_add by which the security service needs to be increased, and initialize bw_add to the service data bandwidth of the found user minus the total bandwidth bw_sum that the user's corresponding security solution s can handle;
(7.3) Modify the user security solution s: assign the sum of bw_sum and bw_add back to bw_sum; then obtain the corresponding CPU-BW mapping table according to each corresponding type of security service function, look up in it the CPU quantity that type needs for bw_sum, and assign it to the r in R;
(7.4) According to the start node number and terminal node number of t, find the K shortest paths between the corresponding start node and terminal node from ksp_dict;
(7.5) From the K shortest paths, screen out the path with the shortest length among those whose minimum remaining bandwidth is greater than bw_add and whose every node has a remaining CPU quantity greater than the CPU quantity needed to deploy the security service function, and denote it sp*;
(7.6) Deploy the sfi of the multiple types in turn on the nodes of sp* with sufficient remaining CPU quantity, then assign to each such node the difference of its remaining CPU quantity minus the CPU quantity consumed by the newly created sfi, as the node's remaining CPU quantity;
(7.7) Traverse each link edge in sp* and assign to each link edge the difference of its remaining bandwidth minus bw_sum, as the remaining bandwidth of that link;
(7.8) Add sfc to SFC, then repeat step (7.1);
(8) The security service of the elastic user's cloud computing resources ends.
2. The security protection method for elastic user cloud computing resources according to claim 1, characterized in that the security service function CPU-BW mapping table supports bidirectional indexing and stores the CPU quantity each kind of security service function needs together with the corresponding maximum bandwidth capacity BW.
3. The security protection method for elastic user cloud computing resources according to claim 1, characterized in that the K shortest path information is a list made up of K shorter-path information items arranged in increasing order of path length; the specific storage format is the numbers of the nodes each path passes through between the start node and the terminal node.
4. The security protection method for elastic user cloud computing resources according to claim 1, characterized in that the consolidated income is calculated as follows: the slack resources corresponding to the sfi of the same type are merged, and the result is taken as the consolidated income.
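The path-selection and resource-accounting core of claim 1 (steps (5.2) to (5.6), and the bandwidth release of step (6.3.4)), as an added Python example that is not code from the patent; the topology, the CPU-BW table values and the function names are constructed assumptions, and a single chain is assumed so that bw equals bw_sum. It credits freed CPUs back to their nodes, which the claim leaves implicit.

```python
# Constructed CPU-BW mapping table for one security service function type
# (claim 2): CPU count -> maximum bandwidth capacity BW that count can process.
CPU_BW_TABLE = {1: 100, 2: 200, 4: 400}

# Constructed topology G (step 1): residual CPU per node, residual bandwidth per link.
node_cpu = {0: 4, 1: 2, 2: 4, 3: 1, 4: 4}
edge_bw = {(0, 1): 300, (1, 2): 150, (0, 3): 500, (3, 2): 500,
           (0, 4): 500, (4, 2): 500}

def cpu_needed(bw):
    """Step (5.2): smallest CPU count whose BW in the mapping table covers bw."""
    return min(c for c, cap in CPU_BW_TABLE.items() if cap >= bw)

def path_links(path):
    """Links of a path as keys of edge_bw (links are undirected)."""
    return [(a, b) if (a, b) in edge_bw else (b, a) for a, b in zip(path, path[1:])]

def select_path(ksp, bw, cpu):
    """Step (5.4): ksp is already ordered by length (claim 3), so the first path
    whose minimum link bandwidth and every node's CPU exceed the request is sp.
    Strict inequalities as in the claim; None if no path qualifies."""
    for path in ksp:
        if (min(edge_bw[l] for l in path_links(path)) > bw
                and all(node_cpu[n] > cpu for n in path)):
            return path
    return None

def deploy_sfc(path, bw, sf_types):
    """Steps (5.5)-(5.6): place one sfi per function type on a node of sp that still
    has spare CPU, debit that CPU, then debit bw from every link of sp.
    Returns the chain as {sf_type: (node, cpu)}; StopIteration if CPU runs out."""
    need = cpu_needed(bw)
    sfc = {}
    for sf in sf_types:
        node = next(n for n in path if node_cpu[n] > need)
        node_cpu[node] -= need
        sfc[sf] = (node, need)
    for l in path_links(path):
        edge_bw[l] -= bw
    return sfc

def release(sfc, bw, current_bw):
    """Step (6.3): the user's measured traffic fell to current_bw, so bw_rest =
    bw - current_bw is released and each sfi keeps only the CPUs the table
    requires for the smaller bandwidth. Crediting freed CPUs back to the node
    is an assumption; the claim only decrements r. Returns (new bw, chain)."""
    bw_rest = bw - current_bw
    bw_release = min(bw_rest, bw)                       # step (6.3.4.1)
    new_bw = bw - bw_release                            # step (6.3.4.2)
    new_need = cpu_needed(new_bw) if new_bw > 0 else 0
    for sf, (node, r) in sfc.items():
        node_cpu[node] += r - new_need
        sfc[sf] = (node, new_need)
    return new_bw, sfc
```

With the constructed values, a 120-unit request is routed over 0-4-2 because 0-1-2 fails the bandwidth check on link (1, 2) and 0-3-2 fails the CPU check on node 3.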
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910412090.8A CN110120978B (en) | 2019-05-17 | 2019-05-17 | Safety protection method for elastic user cloud computing resources |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110120978A true CN110120978A (en) | 2019-08-13 |
CN110120978B CN110120978B (en) | 2021-05-14 |
Family
ID=67522548
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910412090.8A Expired - Fee Related CN110120978B (en) | 2019-05-17 | 2019-05-17 | Safety protection method for elastic user cloud computing resources |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110120978B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113225211A (en) * | 2021-04-27 | 2021-08-06 | 中国人民解放军空军工程大学 | Fine-grained service function chain extension method |
CN114666223A (en) * | 2020-12-04 | 2022-06-24 | ***通信集团设计院有限公司 | Cloud computing resource pool processing method and device and readable storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104580120A (en) * | 2013-10-28 | 2015-04-29 | 北京启明星辰信息技术股份有限公司 | On-demand-service virtualization network intrusion detection method and device |
CN105955824A (en) * | 2016-04-21 | 2016-09-21 | 华为技术有限公司 | Method and device for configuring virtual resource |
CN106254154A (en) * | 2016-09-19 | 2016-12-21 | 杭州华三通信技术有限公司 | A kind of resource share method and device |
CN106411941A (en) * | 2016-11-24 | 2017-02-15 | 济南浪潮高新科技投资发展有限公司 | Security authentication resource allocation and management method in cloud environment |
US20170104847A1 (en) * | 2015-10-12 | 2017-04-13 | Fujitsu Limited | Vertex-centric service function chaining in multi-domain networks |
CN107332913A (en) * | 2017-07-04 | 2017-11-07 | 电子科技大学 | A kind of Optimization deployment method of service function chain in 5G mobile networks |
CN108063830A (en) * | 2018-01-26 | 2018-05-22 | 重庆邮电大学 | A kind of network section dynamic resource allocation method based on MDP |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20210514 |