CN110120978A - A security protection method for elastic user cloud computing resources


Info

Publication number: CN110120978A
Authority: CN (China)
Prior art keywords: user, node, security, bandwidth, sfi
Legal status: Granted; current status Expired - Fee Related
Application number: CN201910412090.8A
Other languages: Chinese (zh)
Other versions: CN110120978B (en)
Inventors: 周潮, 刘坚, 许都
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China
Legal events: application filed by University of Electronic Science and Technology of China; priority to CN201910412090.8A; publication of CN110120978A; application granted; publication of CN110120978B

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00  Network arrangements or protocols for supporting network services or applications
    • H04L67/01  Protocols
    • H04L67/10  Protocols in which an application is distributed across nodes in the network
    • H04L67/1097  Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention discloses a security protection method for elastic user cloud computing resources. From a user's historical bandwidth usage, the bandwidth the user will use over a coming period is predicted, and the security processing resources corresponding to the difference between the predicted bandwidth and the nominal bandwidth are used to provide the same security service to other users. When the original user's usage exceeds the predicted bandwidth, new security processing resources are created immediately to carry the other users who were sharing the security processing resources, so that the original user's security service quality is preserved. In this way the cloud service provider gains the ability to allocate the underlying security processing functions dynamically, can provide security guarantees both for users and for its own platform, and also saves virtualization resources.

Description

A security protection method for elastic user cloud computing resources
Technical field
The invention belongs to the field of network communication technology and, more specifically, relates to a security protection method for elastic user cloud computing resources.
Background art
With the continuous improvement of computing platform hardware capabilities, virtualization technology has also matured. Over the past decade, cloud computing has gradually become a key research and development direction in the IT field. Major Internet vendors have launched their own cloud computing platforms one after another, offering cloud computing services to small and medium-sized enterprises and individuals. Besides selling virtualized computing resources, a cloud service provider must at the same time provide security guarantees for the virtualized services that users purchase.
Network function virtualization (NFV) is a framework for separating software from hardware, proposed by the European Telecommunications Standards Institute (ETSI) from the perspective of network operators. Its aim is to use standardized IT virtualization technology to carry a wide range of network software functions on industry-standard high-volume servers, storage and switches, so that software can be loaded flexibly and deployed and configured at different locations such as data centers, network nodes and user terminals. NFV breaks the binding between the physical device layer and the logical service layer of the network: each physical device is replaced by a virtualized network element, and the virtual network elements can be configured and managed to meet specific demands.
Using NFV can reduce or even remove the middleboxes deployed in existing networks; a single physical platform can run different applications, and users/tenants can use network functions in a multi-version, multi-tenant fashion at the same time. NFV supports completely new approaches to elasticity, service assurance, test and diagnosis, and security monitoring. It promotes innovation in new network functions and services in a software-based network environment; NFV is applicable to any data-plane and control-plane function, to fixed or mobile networks, and to cases where scalability requires automated management and configuration. To make fuller use of resources, virtualized cloud service providers generally hope to raise resource utilization and reduce idle rates, and thereby increase revenue.
At present, in the design and sales model of cloud computing, when a user purchases a virtualized computing service of a specified size, the user obtains exactly the matching amount of virtualized resources. After a user has purchased virtualized computing resources and is running their own network service, the cloud service provider usually also needs to provide a network security service for it, to ensure the normal operation and access speed of the user's network service while safeguarding the security of the provider's own platform. This service has become a basic service of the major cloud service providers: even if a user has not purchased additional security processing capacity, the most basic guarantee of secure network service access must still be provided.
The resource overhead of this part, the virtual network security functions, can be controlled autonomously and adjusted elastically by the cloud service provider. At the same time, the data traffic handled by this part fluctuates considerably. For example, while a user is writing data into the virtualized computing resources, or when the user's network service enters a peak period, there is a large demand for data bandwidth and a correspondingly large demand for security bandwidth; when the user's service begins to compute on the newly written data, or the network service enters a trough period, most of the communication bandwidth sits idle, and if a large amount of security processing resource sized to the peak-period bandwidth has been assigned to the user, a great deal of resource is wasted.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art and provide a security protection method for elastic user cloud computing resources, which lets users make full use of idle virtualization resources and handles sharp increases in user traffic dynamically.
To achieve the above object, the security protection method for elastic user cloud computing resources of the present invention is characterized by comprising the following steps:
(1) Initialize the network topology G
(1.1) Record the information of every node in G, including the node number node_id and the node CPU count node_cpu_num;
(1.2) Record the information of every link edge in G, including the link number edge_id, the link bandwidth capacity edge_bw and the link weight W, and initialize W = 1;
(2) Set up the security service function CPU-BW mapping table set
One CPU-BW mapping table is set up for each kind of security service function; the CPU-BW mapping tables of all types of security service functions together form the security service function CPU-BW mapping table set;
(3) Set up the K shortest path (K-Shortest Path, KSP) multi-level index data structure ksp_dict, in which an index is formed from a start node number and an end node number: the first-level index is the start node number, the second-level index is the end node number, and the corresponding value is the K shortest path information;
(4) Set up the user security demand set T and the user security solution set S
(4.1) Set up the user security demand set T and initialize T as the empty set. The elements stored in T are user security demands t; each t includes a start node number, an end node number, a requested bandwidth capacity and a security processing service function type sequence SF, whose format is SF = {sf1, sf2, …, sfu}, u user security processing service function types sf in total;
(4.2) Set up the user security solution set S and initialize S as the empty set. The elements stored in S are user security solutions s; each s includes the total bandwidth bw_sum that can currently be processed, the set R_SUM of the total CPU counts occupied by each security service function, and the security service function chain set SFC;
Here the format of R_SUM is R_SUM = {r1, r2, …, ru}, where ru denotes the total CPU count occupied by the u-th user security processing service function;
The format of SFC is SFC = {sfc1, sfc2, …, sfcq}, with all security service function chains arranged in order of increasing chain length, and sfcq denotes the q-th security service function chain sfc;
Further, each security service function chain sfc includes a security service function instance set SFI, whose format is SFI = {sfi1, sfi2, …, sfiu}, where sfiu denotes the u-th user security processing service function instance sfi; each sfi in turn includes the set R of CPU counts it occupies, the bandwidth bw it can handle and the corresponding path PATH. The format of R is R = {r1, r2, …, ru}, and the format of PATH is PATH = {node_id0, node_id1, …, node_idv}, where node_id0 is the start node number and node_idv is the end node number;
(5) Process the user security demands
(5.1) Start a security demand listening thread that monitors whether T contains an unprocessed user security demand t; if so, take out the unprocessed t and go to step (5.2); otherwise go to step (6);
(5.2) Set up the user security solution s corresponding to the user security demand t and initialize the bw_sum value in s to the bw value; for each type of security service function, obtain the corresponding CPU-BW mapping table, look up by bw_sum the CPU count that type of security service function needs, and assign it to r in R; initialize SFC as the empty set;
(5.3) According to the start node number and end node number of t, find in ksp_dict the K shortest paths between the corresponding start node and end node;
(5.4) From the K shortest paths, screen out those whose minimum remaining link bandwidth is greater than bw and whose nodes all have a remaining CPU count greater than the CPU count needed to deploy the security service functions, and take the one with the shortest path length, denoted sp;
(5.5) Deploy one sfi of each type in turn on nodes in sp with sufficient remaining CPU, and assign to each such node the difference between its remaining CPU count and the CPU count consumed by the newly created sfi as the node's remaining CPU count;
(5.6) Traverse every link edge in sp and assign to each link the difference between its remaining bandwidth and bw_sum as the link's remaining bandwidth;
(5.7) Add sfc to SFC and s to S, then return to step (5.1);
(6) Service bandwidth processing
(6.1) Set a traversal factor i and initialize i to 1;
(6.2) If i is less than or equal to the size of the set S, execute step (6.3); otherwise go to step (6.4);
(6.3) Take the i-th solution s in S and perform elastic management on s:
(6.3.1) Set the excess bandwidth bw_rest and initialize bw_rest to bw_sum minus the current bandwidth of the user service data corresponding to s;
(6.3.2) Assign the current bandwidth of the user service data corresponding to s to bw_sum;
(6.3.3) Set a traversal factor j and initialize j to the size of the set SFC;
(6.3.4) Check the value of the traversal factor j: if j is greater than 0, take the j-th sfc in SFC and execute the following sub-steps on it; otherwise go to step (6.3.5);
(6.3.4.1) Set the bandwidth to be released, bw_release: if bw_rest is less than bw, initialize bw_release to bw_rest; otherwise initialize bw_release to bw;
(6.3.4.2) Assign the difference bw minus bw_release back to bw; if bw is 0 after the assignment, remove the sfc from SFC. At the same time, obtain the corresponding CPU-BW mapping table according to the security service function type of each sfi, look up by the bandwidth bw_release the CPU count by which the security service function can be reduced, and decrement the CPU count value r of each sfi accordingly;
(6.3.4.3) Assign the difference bw_rest minus bw_release back to bw_rest; if bw_rest is 0 after the assignment, go to step (6.4);
(6.3.4.4) Decrement j by 1 and go to step (6.3.4);
(6.3.5) Increment i by 1 and go to step (6.2);
(6.4) Reinitialize i to 1;
(6.5) If i is less than or equal to the current number of sfi, take out the i-th sfi and execute the following sub-steps; otherwise go to step (7);
(6.5.1) Set the elastic optimization range of the current sfi as the intersection of the links of all sfc associated with this sfi;
(6.5.2) Within the elastic optimization range, find sfi of the same type and compute the merge benefit of each mergeable sfi as a candidate;
(6.5.3) Judge whether a candidate currently exists within the elastic optimization range; if a candidate exists, select it and merge the multiple sfi, then assign i the value 1 and enter step (7); otherwise increment i by 1 and return to step (6.5);
(7) Resource elastic management
(7.1) Examine the bandwidth of every user's service data in turn and find the first user whose service data bandwidth exceeds the total bandwidth bw_sum that the user's corresponding security solution s can handle, then enter step (7.2); if no such user is found among all users, go to step (8);
(7.2) Set the bandwidth capacity bw_add by which the security service needs to be increased, and initialize bw_add to the found user's service data bandwidth minus the total bandwidth bw_sum that the user's corresponding security solution s can handle;
(7.3) Modify the user security solution s: assign the sum of bw_sum and bw_add back to bw_sum; then, for each type of security service function, obtain the corresponding CPU-BW mapping table, look up by bw_sum the CPU count that type of security service function needs, and assign it to the r in R;
(7.4) According to the start node number and end node number of t, find in ksp_dict the K shortest paths between the corresponding start node and end node;
(7.5) From the K shortest paths, screen out those whose minimum remaining link bandwidth is greater than bw_add and whose nodes all have a remaining CPU count greater than the CPU count needed to deploy the security service functions, and take the one with the shortest path length, denoted sp*;
(7.6) Deploy one sfi of each type in turn on nodes in sp* with sufficient remaining CPU, and assign to each such node the difference between its remaining CPU count and the CPU count consumed by the newly created sfi as the node's remaining CPU count;
(7.7) Traverse every link edge in sp* and assign to each link the difference between its remaining bandwidth and bw_sum as the link's remaining bandwidth;
(7.8) Add sfc to SFC, then repeat step (7.1);
(8) The security service for elastic user cloud computing resources ends.
The object of the invention is achieved as follows:
The security protection method for elastic user cloud computing resources of the present invention predicts, from a user's historical bandwidth usage, the bandwidth the user will use over a coming period, and uses the security processing resources corresponding to the difference between the predicted bandwidth and the nominal bandwidth to provide the same security service to other users. When the original user's usage exceeds the predicted bandwidth, new security processing resources are created immediately to carry the other users who were sharing the security processing resources, while the original user's security service quality is preserved. In this way the cloud service provider gains the ability to allocate the underlying security processing functions dynamically, can provide security guarantees both for users and for its own platform, and also saves virtualization resources.
At the same time, the security protection method for elastic user cloud computing resources of the present invention has the following beneficial effects:
(1) High utilization: by combining virtual machine and container technology, the elastic security protection method proposed by the invention makes fuller use of computing resources while guaranteeing the existing security service.
(2) Reliability: the invention guarantees that the security function service remains safe and reliable when user traffic increases.
(3) Compatibility: the invention imposes no special requirements on the underlying cloud service support platform; it only optimizes and schedules the deployment of the required security services.
Description of the drawings
Fig. 1 is a flow chart of the security protection method for elastic user cloud computing resources of the present invention;
Fig. 2 is a flow chart of user security demand processing;
Fig. 3 is a flow chart of service bandwidth processing;
Fig. 4 is a flow chart of resource elastic management.
Specific embodiment
Specific embodiments of the invention are described below with reference to the accompanying drawings, so that those skilled in the art can better understand the invention. Note in particular that, in the following description, detailed descriptions of known functions and designs are omitted where they might obscure the main content of the invention.
Embodiment
Fig. 1 is a flow chart of the security protection method for elastic user cloud computing resources of the present invention.
In this embodiment, as shown in Fig. 1, the security protection method for elastic user cloud computing resources of the present invention comprises the following steps:
S1. Initialize the network topology G
The security protection network is the basis on which the security protection method is provided for cloud computing resources. The security protection network topology consists of switching equipment (physical switches), computing equipment (physical servers) and physical links. The switching equipment and the physical links form the switching network. Each switching device connects several computing devices through physical links, and a computing device can connect to only one switching device;
S1.1. Record the information of every node in G. A node is a logical concept: it is the integration of one switching device and all computing devices connected to it. The node information includes the node number node_id and the node CPU count node_cpu_num;
S1.2. Record the information of every link edge in G, including the link number edge_id, the link bandwidth capacity edge_bw and the link weight W, and initialize W = 1.
S2. Set up the security service function CPU-BW mapping table set
One CPU-BW mapping table is set up for each kind of security service function; the CPU-BW mapping tables of all types of security service functions together form the security service function CPU-BW mapping table set. The security service function CPU-BW mapping table supports two-way indexing and stores, for each kind of security service function, the CPU count it needs and the corresponding maximum bandwidth capacity BW.
S3. Set up the K shortest path (K-Shortest Path, KSP) multi-level index data structure ksp_dict. The K shortest path information is a list made up of the information of the K shortest paths, arranged in order of increasing path length; the stored format of each path is the numbers of all nodes traversed between the start node and the end node. In ksp_dict an index is formed from a start node number and an end node number: the first-level index is the start node number, the second-level index is the end node number, and the corresponding value is the K shortest path information.
S4. Set up the user security demand set T and the user security solution set S
S4.1. Set up the user security demand set T and initialize T as the empty set. The elements stored in T are user security demands t; each t includes a start node number, an end node number, a requested bandwidth capacity and a security processing service function type sequence SF, whose format is SF = {sf1, sf2, …, sfu}, u user security processing service function types sf in total;
S4.2. Set up the user security solution set S and initialize S as the empty set. The elements stored in S are user security solutions s; each s includes the total bandwidth bw_sum that can currently be processed, the set R_SUM of the total CPU counts occupied by each security service function, and the security service function chain set SFC;
Here the format of R_SUM is R_SUM = {r1, r2, …, ru}, where ru denotes the total CPU count occupied by the u-th user security processing service function;
The format of SFC is SFC = {sfc1, sfc2, …, sfcq}, with all security service function chains arranged in order of increasing chain length, and sfcq denotes the q-th security service function chain sfc;
Further, each security service function chain sfc includes a security service function instance set SFI, whose format is SFI = {sfi1, sfi2, …, sfiu}, where sfiu denotes the u-th user security processing service function instance sfi; each sfi in turn includes the set R of CPU counts it occupies, the bandwidth bw it can handle and the corresponding path PATH. The format of R is R = {r1, r2, …, ru}, and the format of PATH is PATH = {node_id0, node_id1, …, node_idv}, where node_id0 is the start node number and node_idv is the end node number;
S5. Process the user security demands, as shown in Fig. 2;
S5.1. Start a security demand listening thread that monitors whether T contains an unprocessed user security demand t; if so, take out the unprocessed t and go to step S5.2; otherwise go to step S6;
S5.2. Set up the user security solution s corresponding to the user security demand t and initialize the bw_sum value in s to the bw value; for each type of security service function, obtain the corresponding CPU-BW mapping table, look up by bw_sum the CPU count that type of security service function needs, and assign it to r in R; initialize SFC as the empty set;
S5.3. According to the start node number and end node number of t, find in ksp_dict the K shortest paths between the corresponding start node and end node;
S5.4. From the K shortest paths, screen out those whose minimum remaining link bandwidth is greater than bw and whose nodes all have a remaining CPU count greater than the CPU count needed to deploy the security service functions, and take the one with the shortest path length, denoted sp;
S5.5. Deploy one sfi of each type in turn on nodes in sp with sufficient remaining CPU, and assign to each such node the difference between its remaining CPU count and the CPU count consumed by the newly created sfi as the node's remaining CPU count;
S5.6. Traverse every link edge in sp and assign to each link the difference between its remaining bandwidth and bw_sum as the link's remaining bandwidth;
S5.7. Add sfc to SFC and s to S, then return to step S5.1;
S6. Service bandwidth processing; the detailed flow is shown in Fig. 3;
S6.1. Set a traversal factor i and initialize i to 1;
S6.2. If i is less than or equal to the size of the set S, execute step S6.3; otherwise go to step S6.4;
S6.3. Take the i-th solution s in S and perform elastic management on s:
S6.3.1. Set the excess bandwidth bw_rest and initialize bw_rest to bw_sum minus the current bandwidth of the user service data corresponding to s;
S6.3.2. Assign the current bandwidth of the user service data corresponding to s to bw_sum;
S6.3.3. Set a traversal factor j and initialize j to the size of the set SFC;
S6.3.4. Check the value of the traversal factor j: if j is greater than 0, take the j-th sfc in SFC and execute the following sub-steps on it; otherwise go to step S6.3.5;
S6.3.4.1. Set the bandwidth to be released, bw_release: if bw_rest is less than bw, initialize bw_release to bw_rest; otherwise initialize bw_release to bw;
S6.3.4.2. Assign the difference bw minus bw_release back to bw; if bw is 0 after the assignment, remove the sfc from SFC. At the same time, obtain the corresponding CPU-BW mapping table according to the security service function type of each sfi, look up by the bandwidth bw_release the CPU count by which the security service function can be reduced, and decrement the CPU count value r of each sfi accordingly;
S6.3.4.3. Assign the difference bw_rest minus bw_release back to bw_rest; if bw_rest is 0 after the assignment, go to step S6.4;
S6.3.4.4. Decrement j by 1 and go to step S6.3.4;
S6.3.5. Increment i by 1 and go to step S6.2;
S6.4. Reinitialize i to 1;
S6.5. If i is less than or equal to the current number of sfi, take out the i-th sfi and execute the following sub-steps; otherwise go to step S7;
S6.5.1. Set the elastic optimization range of the current sfi as the intersection of the links of all sfc associated with this sfi;
S6.5.2. Within the elastic optimization range, find sfi of the same type and compute the merge benefit of each mergeable sfi as a candidate;
In this embodiment the merge benefit is calculated as follows: the resource occupied by each sfi is an integer value, whereas the resource consumed by a given service function type of the service function chains the sfi carries is a floating-point value. Therefore, when the idle fractional portions of several sfi are merged, an integer unit of resource can be released once the pooled idle amount exceeds 1. The merge overhead is mainly the cost of performing the sfi merge and is determined according to the real system to which the method is applied.
S6.5.3. Judge whether a candidate currently exists within the elastic optimization range; if a candidate exists, select it and merge the multiple sfi, then assign i the value 1 and enter step S7; otherwise increment i by 1 and return to step S6.5;
S7. Resource elastic management; the detailed flow is shown in Fig. 4;
S7.1. Examine the bandwidth of every user's service data in turn and find the first user whose service data bandwidth exceeds the total bandwidth bw_sum that the user's corresponding security solution s can handle, then enter step S7.2; if no such user is found among all users, go to step S8;
S7.2. Set the bandwidth capacity bw_add by which the security service needs to be increased, and initialize bw_add to the found user's service data bandwidth minus the total bandwidth bw_sum that the user's corresponding security solution s can handle;
S7.3. Modify the user security solution s: assign the sum of bw_sum and bw_add back to bw_sum; then, for each type of security service function, obtain the corresponding CPU-BW mapping table, look up by bw_sum the CPU count that type of security service function needs, and assign it to the r in R;
S7.4. According to the start node number and end node number of t, find in ksp_dict the K shortest paths between the corresponding start node and end node;
S7.5. From the K shortest paths, screen out those whose minimum remaining link bandwidth is greater than bw_add and whose nodes all have a remaining CPU count greater than the CPU count needed to deploy the security service functions, and take the one with the shortest path length, denoted sp*;
S7.6. Deploy one sfi of each type in turn on nodes in sp* with sufficient remaining CPU, and assign to each such node the difference between its remaining CPU count and the CPU count consumed by the newly created sfi as the node's remaining CPU count;
S7.7. Traverse every link edge in sp* and assign to each link the difference between its remaining bandwidth and bw_sum as the link's remaining bandwidth;
S7.8. Add sfc to SFC, then repeat step S7.1;
S8. The security service for elastic user cloud computing resources ends.
Although illustrative specific embodiments of the invention have been described above so that those skilled in the art can understand the invention, it should be clear that the invention is not limited to the scope of these specific embodiments. For those of ordinary skill in the art, as long as the various changes fall within the spirit and scope of the invention as defined and determined by the appended claims, such changes are obvious, and all inventions and creations that make use of the inventive concept fall within the scope of protection.
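Worked example of the data structures and of the S5, S6.3 and S7 loops above (it equally covers steps (2) through (7) of the summary, which describe the same procedure). This is an added example, not code from the patent or its authors. Assumptions that are not on the page: the CPU-BW mapping table is modelled as ascending (max_bw, cpu) rows looked up by the smallest capacity that covers the bandwidth; ksp_dict is filled by enumerating simple paths by hop count, which is what W = 1 on every link amounts to; each type's sfi is placed on the path node with the most remaining CPU; and the CPU released in S6.3.4.2 is handed back to its node. The sfi merging step (S6.5) and the listening thread are left out, and the sample topology and table values are constructed.

```python
# Added example, not the patent's own code.  Models the CPU-BW tables (S2),
# ksp_dict (S3), demand processing (S5), bandwidth release (S6.3) and scale-up
# (S7); table rows, lookup and placement rules are assumptions, S6.5 is omitted.

CPU_BW_TABLES = {"fw": [(100, 1), (200, 2), (400, 4)],            # S2, constructed:
                 "ids": [(50, 1), (100, 2), (200, 4), (400, 8)]}  # (max_bw, cpu) rows

def cpu_for_bw(sf_type, bw):
    """CPU count the table gives for carrying bw (0 when nothing is carried)."""
    if bw <= 0:
        return 0
    for max_bw, cpu in CPU_BW_TABLES[sf_type]:
        if max_bw >= bw:
            return cpu
    raise ValueError(f"{sf_type}: no table row covers bandwidth {bw}")

def simple_paths(edge_bw, cur, dst, path):   # loop-free paths, one hop = W = 1
    if cur == dst:
        yield path
        return
    for nxt in sorted({n for e in edge_bw if cur in e for n in e} - {cur}):
        if nxt not in path:
            yield from simple_paths(edge_bw, nxt, dst, path + [nxt])

def build_ksp_dict(topo, k):
    """S3: ksp_dict[src][dst] = up to K shortest simple paths, shortest first."""
    return {s: {d: sorted(simple_paths(topo["edge_bw"], s, d, [s]), key=len)[:k]
                for d in topo["node_cpu"] if d != s} for s in topo["node_cpu"]}

def select_path(topo, ksp, src, dst, bw, cpu_need):
    """S5.4/S7.5: shortest K path with every link > bw and every node > cpu_need."""
    for path in ksp[src][dst]:
        if all(topo["edge_bw"][frozenset(l)] > bw for l in zip(path, path[1:])) \
           and all(topo["node_cpu"][n] > cpu_need for n in path):
            return path
    return None

def deploy_chain(topo, ksp, sol, bw, link_debit):
    """S5.5-S5.7 / S7.6-S7.8: one sfi per type on the chosen path; links are
    debited by link_debit (the patent subtracts bw_sum in both S5.6 and S7.7)."""
    need = {sf: cpu_for_bw(sf, bw) for sf in sol["SF"]}
    path = select_path(topo, ksp, sol["src"], sol["dst"], bw, max(need.values()))
    if path is None:
        return None
    sfis = []
    for sf in sol["SF"]:
        node = max(path, key=lambda n: topo["node_cpu"][n])   # assumed: spread load
        assert topo["node_cpu"][node] >= need[sf], f"path {path} out of CPU"
        topo["node_cpu"][node] -= need[sf]
        sfis.append({"type": sf, "cpu": need[sf], "node": node})
    for l in zip(path, path[1:]):
        topo["edge_bw"][frozenset(l)] -= link_debit
    sol["SFC"].append(sfc := {"bw": bw, "PATH": path, "SFI": sfis})
    sol["SFC"].sort(key=lambda c: len(c["PATH"]))            # increasing length
    return sfc

def process_demand(topo, ksp, S, t):
    """S5.2-S5.7 for one demand t = (src, dst, bw, SF); None if no path fits."""
    src, dst, bw, sf_seq = t
    sol = {"src": src, "dst": dst, "SF": list(sf_seq), "bw_sum": bw,
           "R": {sf: cpu_for_bw(sf, bw) for sf in sf_seq}, "SFC": []}
    if deploy_chain(topo, ksp, sol, bw, sol["bw_sum"]) is None:
        return None
    S.append(sol)
    return sol

def release_bandwidth(topo, sol, current_bw):
    """S6.3: shrink sol to current_bw, longest chain first; CPU freed per sfi is
    handed back to its node (assumption: the patent only decrements r)."""
    bw_rest = sol["bw_sum"] - current_bw                        # S6.3.1
    sol["bw_sum"] = current_bw                                  # S6.3.2
    for sfc in reversed(list(sol["SFC"])):                      # j = |SFC| .. 1
        if bw_rest <= 0:
            break
        bw_release = min(bw_rest, sfc["bw"])                    # S6.3.4.1
        sfc["bw"] -= bw_release                                 # S6.3.4.2
        for sfi in sfc["SFI"]:
            freed = sfi["cpu"] - cpu_for_bw(sfi["type"], sfc["bw"])
            sfi["cpu"] -= freed
            topo["node_cpu"][sfi["node"]] += freed
        if sfc["bw"] == 0:
            sol["SFC"].remove(sfc)
        bw_rest -= bw_release                                   # S6.3.4.3
    return bw_rest                                              # 0 when fully released

def scale_up(topo, ksp, S, current_bw_of):
    """S7.1-S7.8: first user above bw_sum gets a new chain sized bw_add."""
    for sol in S:
        cur = current_bw_of(sol)
        if cur > sol["bw_sum"]:                                 # S7.1
            bw_add = cur - sol["bw_sum"]                        # S7.2
            sol["bw_sum"] += bw_add                             # S7.3
            sol["R"] = {sf: cpu_for_bw(sf, sol["bw_sum"]) for sf in sol["SF"]}
            return deploy_chain(topo, ksp, sol, bw_add, sol["bw_sum"])
    return None

def run_demo():
    """Constructed 4-node topology with two 1->4 routes; 1-3-4 is the thinner one."""
    topo = {"node_cpu": {1: 8, 2: 8, 3: 8, 4: 8},
            "edge_bw": {frozenset((1, 2)): 300, frozenset((2, 4)): 300,
                        frozenset((1, 3)): 150, frozenset((3, 4)): 150}}
    ksp, S = build_ksp_dict(topo, 2), []
    sol = process_demand(topo, ksp, S, (1, 4, 100, ["fw", "ids"]))   # S5
    left = release_bandwidth(topo, sol, 40)                           # S6: user idles
    grown = scale_up(topo, ksp, S, lambda s: 150)                     # S7: user bursts
    sol2 = process_demand(topo, ksp, S, (1, 4, 60, ["fw"]))           # goes via 1-3-4
    return topo, S, left, grown, sol2
```

run_demo() walks one user through S5 (a 100-unit demand placed on the 1-2-4 route), S6.3 (usage drops to 40, so the ids instance shrinks from 2 CPU to 1 and the CPU returns to its node) and S7 (usage bursts to 150, so a second chain sized bw_add = 110 is placed and the links are debited by the new bw_sum, as S7.7 states). A later 60-unit demand is then forced onto the thinner 1-3-4 route, because the first route no longer passes the S5.4 screen; a demand no K path can carry makes process_demand return None instead of silently over-committing a link, which is the check a practitioner wants before an sfi is brought up.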

Claims (4)

1. A security protection method for elastic user cloud computing resources, characterised in that it comprises the following steps:
(1) Initialise the network topology G
(1.1) Record the information of all nodes in G, including the node number node_id and the node CPU count node_cpu_num;
(1.2) Record the information of all link edges in G, including the link number edge_id, the link bandwidth capacity edge_bw and the link weight W, and initialise W = 1;
(2) Set up the security service function CPU-BW mapping table set
Set one CPU-BW mapping table for each kind of security service function; the CPU-BW mapping tables of all security service function types make up the security service function CPU-BW mapping table set;
(3) Set up the K-shortest-path (K-Shortest Path, KSP) multi-level index data structure ksp_dict, in which the index stored in ksp_dict is keyed by start node number and end node number: the first-level index is the start node number, the second-level index is the end node number, and the corresponding value is the K shortest path information;
(4) Set up the user security demand set T and the user security solution set S
(4.1) Set up the user security demand set T and initialise T to the empty set; the elements stored in T are user security demands t, where t comprises a start node number, an end node number, a requested bandwidth capacity and a security processing service function type sequence SF with the format SF = {sf1, sf2, …, sfu}, u user security processing service function types sf in total;
(4.2) Set up the user security solution set S and initialise S to the empty set; the elements stored in S are user security solutions s, where s comprises the total bandwidth bw_sum that can currently be handled, the set R_SUM of the total CPU counts occupied by each security service function, and the security service function chain set SFC;
where R_SUM has the format R_SUM = {r1, r2, …, ru}, ru denoting the total CPU count occupied by the u-th user security processing service function;
SFC has the format SFC = {sfc1, sfc2, …, sfcq}, all security service function chains being arranged in increasing order of chain length, sfcq denoting the q-th security service function chain sfc;
further, each security service function chain sfc comprises a security service function instance set SFI with the format SFI = {sfi1, sfi2, …, sfiu}, sfiu denoting the instance sfi of the u-th user security processing service function, and each sfi in turn comprises the set R of occupied CPU counts, the bandwidth bw it can handle and the corresponding path PATH; where R has the format R = {r1, r2, …, ru} and PATH has the format PATH = {node_id0, node_id1, …, node_idv}, node_id0 being the start node number and node_idv the end node number;
(5) Handle the user security demands of the user
(5.1) Start the security demand listening thread and monitor whether T contains an unhandled user security demand t; if so, take out the unhandled t and go to step (5.2); otherwise, go to step (6);
(5.2) Set up the user security solution s corresponding to the user security demand t and initialise bw_sum in s to the value of bw; for each security service function type, obtain the corresponding CPU-BW mapping table, look up with bw_sum the CPU count the function of that type needs, and assign it to r in R; initialise SFC to the empty set;
(5.3) Using the start node number and end node number of t, look up in ksp_dict the K shortest paths between that start node and end node;
(5.4) From the K shortest paths, select those whose minimum remaining link bandwidth is greater than bw and on which every node's remaining CPU count is greater than the CPU count needed to deploy the security service function, and take the shortest of them, denoted sp;
(5.5) On the nodes of sp with sufficient remaining CPU, deploy the sfi of each type in turn, then assign each such node's remaining CPU count minus the CPU count consumed by the newly created sfi back to that node as its remaining CPU count;
(5.6) Traverse each link edge in sp and assign the link's remaining bandwidth minus bw_sum back to that link as its remaining bandwidth;
(5.7) Add sfc to SFC and s to S, then return to step (5.1);
(6) Handle the service bandwidth
(6.1) Set a traversal factor i and initialise i to 1;
(6.2) If i is less than or equal to the size of the set S, execute step (6.3); otherwise, go to step (6.4);
(6.3) Take the i-th solution s in S and perform elastic management on s;
(6.3.1) Set the surplus bandwidth bw_rest and initialise bw_rest to bw_sum minus the current bandwidth of the user service data corresponding to s;
(6.3.2) Assign the current bandwidth of the user service data corresponding to s to bw_sum;
(6.3.3) Set a traversal factor j and initialise j to the size of the set SFC;
(6.3.4) Compare the size of the traversal factor j: if j is greater than 0, take the j-th sfc in SFC and execute the following sub-steps on it; otherwise, go to step (6.3.5);
(6.3.4.1) Set the bandwidth to be released bw_release: if bw_rest is less than bw, initialise bw_release to bw_rest; otherwise, initialise bw_release to bw;
(6.3.4.2) Assign bw minus bw_release back to bw; if bw is 0 after the assignment, remove the sfc from SFC; at the same time, obtain the CPU-BW mapping table corresponding to the security service function type of each sfi, look up with the bandwidth amount bw_release the CPU count by which the security service function can be reduced, and decrement the CPU count value r of each sfi by that amount;
(6.3.4.3) Assign bw_rest minus bw_release back to bw_rest; if bw_rest is 0 after the assignment, go to step (6.4);
(6.3.4.4) Decrement j by 1 and go to step (6.3.4);
(6.3.5) Increment i by 1 and go to step (6.2);
(6.4) Re-initialise i to 1;
(6.5) If i is less than or equal to the current number of sfi, take out the i-th sfi and execute the following sub-steps; otherwise, go to step (7);
(6.5.1) Set the elastic optimisation range of the current sfi to the intersection of the links of all sfc associated with that sfi;
(6.5.2) Within the elastic optimisation range, find the sfi of the same type and compute the merge gain of each mergeable sfi as a candidate scheme;
(6.5.3) Judge whether a candidate scheme currently exists; if so, select the candidate scheme within the elastic optimisation range to merge the multiple sfi, then assign i = 1 and go to step (7); otherwise, increment i by 1 and return to step (6.5);
(7) Elastic resource management
(7.1) Examine in turn the bandwidth of all user service data and find the first user whose service data bandwidth exceeds the total bandwidth bw_sum that the user's security solution s can handle, then go to step (7.2); if no such user is found among all users, go to step (8);
(7.2) Set the bandwidth capacity bw_add by which the security service needs to grow, and initialise bw_add to the found user's service data bandwidth minus the total bandwidth bw_sum that the user's security solution s can handle;
(7.3) Modify the user security solution s: assign bw_sum + bw_add back to bw_sum; then obtain the CPU-BW mapping table of each security service function type, look up with bw_sum the CPU count the function of that type needs, and assign it to r in R;
(7.4) Using the start node number and end node number of t, look up in ksp_dict the K shortest paths between that start node and end node;
(7.5) From the K shortest paths, select those whose minimum remaining link bandwidth is greater than bw_add and on which every node's remaining CPU count is greater than the CPU count needed to deploy the security service function, and take the shortest of them, denoted sp*;
(7.6) On the nodes of sp* with sufficient remaining CPU, deploy the sfi of each type in turn, then assign each such node's remaining CPU count minus the CPU count consumed by the newly created sfi back to that node as its remaining CPU count;
(7.7) Traverse each link edge in sp* and assign the link's remaining bandwidth minus bw_sum back to that link as its remaining bandwidth;
(7.8) Add sfc to SFC, then repeat step (7.1);
(8) The security service for the elastic user's cloud computing resources ends.
2. The security protection method for elastic user cloud computing resources according to claim 1, characterised in that the security service function CPU-BW mapping table supports bidirectional indexing and stores, for each kind of security service function, the CPU count it needs and the corresponding maximum bandwidth capacity BW.
3. The security protection method for elastic user cloud computing resources according to claim 1, characterised in that the K shortest path information is a list made up of K shorter-path information entries arranged in increasing order of path length, the specific storage format being the numbers of the nodes that each path passes through between the start node and the end node.
4. The security protection method for elastic user cloud computing resources according to claim 1, characterised in that the merge gain is calculated as follows: the idle resources corresponding to the sfi of the same type are merged, and the merged amount is taken as the merge gain.
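The procedure of embodiment steps S7.3 to S8 above and of claim 1, as an added example that is not part of the patent or of its authors' implementation: the CPU-BW reverse lookup of claim 2, the ksp_dict index of claim 3, the K-shortest-path filter with greedy sfi placement of steps (5.3)-(5.6), the scale-up of step (7) and the bandwidth release of step (6.3). Python is the assumed host language; the topology, the CPU-BW tables and the traffic values are constructed for the demo. Where step (7.7) subtracts bw_sum from the new path, the example reserves only the incremental bw_add on it, since the added chain carries only that share; the sfi merge of step (6.5) is not modelled.

```python
# Added example, not the patent's code: a toy model of the SFC placement and
# elastic scaling procedure of claim 1 (steps (5)-(7)) and embodiment steps
# S7.3-S7.8. Topology, CPU-BW tables and traffic figures are constructed.
from collections import defaultdict

# Claim 2: one CPU-BW mapping table per security function type, rows of
# (cpu cores, max bandwidth in Mbit/s) in ascending order; values are made up.
CPU_BW = {"fw": [(1, 100), (2, 250), (4, 600)],
          "ids": [(2, 80), (4, 200), (8, 500)]}


def cpu_for_bw(sf_type, bw):
    """Reverse lookup: smallest CPU count whose capacity covers bw, else None."""
    return next((cpu for cpu, cap in CPU_BW[sf_type] if cap >= bw), None)


class Topology:
    """Step (1): remaining CPU per node, remaining bandwidth per undirected link."""
    def __init__(self, node_cpu, edges):
        self.node_cpu, self.edge_bw, self.adj = dict(node_cpu), {}, defaultdict(set)
        for a, b, bw in edges:
            self.edge_bw[frozenset((a, b))] = bw
            self.adj[a].add(b)
            self.adj[b].add(a)

    def k_shortest_paths(self, src, dst, k):
        """Claim 3: the K shortest simple paths by hop count (W = 1), as node-id lists."""
        found = []

        def dfs(node, path):
            if node == dst:
                found.append(path)
                return
            for nxt in sorted(self.adj[node] - set(path)):
                dfs(nxt, path + [nxt])

        dfs(src, [src])
        return sorted(found, key=len)[:k]

    def ksp_dict(self, k):
        """Step (3): two-level index ksp_dict[start][end] -> K shortest paths."""
        ids = sorted(self.node_cpu)
        return {s: {d: self.k_shortest_paths(s, d, k) for d in ids if d != s} for s in ids}


class Chain:
    """One sfc: bandwidth it carries, its PATH, and sfi tuples (type, node, cpu)."""
    def __init__(self, bw, path):
        self.bw, self.path, self.sfis = bw, path, []

    def links(self):
        return [frozenset(l) for l in zip(self.path, self.path[1:])]


class Solution:  # user security solution s: bw_sum and SFC in increasing path length
    def __init__(self):
        self.bw_sum, self.chains = 0, []


def place_chain(topo, ksp, src, dst, sf_seq, bw):
    """Steps (5.3)-(5.6): first K-shortest path whose minimum residual bandwidth
    exceeds bw and whose nodes can host every sf (placed greedily in path order)."""
    need = [cpu_for_bw(sf, bw) for sf in sf_seq]
    if None in need:
        return None
    for path in ksp[src][dst]:
        chain = Chain(bw, path)
        if min(topo.edge_bw[l] for l in chain.links()) <= bw:
            continue
        cpu_left = {n: topo.node_cpu[n] for n in path}
        for sf, cpu in zip(sf_seq, need):
            host = next((n for n in path if cpu_left[n] >= cpu), None)
            if host is None:
                break
            cpu_left[host] -= cpu
            chain.sfis.append((sf, host, cpu))
        else:  # every sf placed: commit the node and link reservations
            topo.node_cpu.update(cpu_left)
            for l in chain.links():
                topo.edge_bw[l] -= bw
            return chain
    return None


def scale(topo, ksp, sol, t, current_bw):
    """Step (7): traffic above bw_sum adds a chain for bw_add on a new path
    (reserving bw_add, not bw_sum, on it). Step (6.3): traffic below bw_sum
    releases bw_rest from the longest chains first. False if nothing fits."""
    src, dst, _, sf_seq = t
    if current_bw > sol.bw_sum:
        chain = place_chain(topo, ksp, src, dst, sf_seq, current_bw - sol.bw_sum)
        if chain is None:
            return False
        sol.chains.append(chain)
        sol.chains.sort(key=lambda c: len(c.path))
    else:
        bw_rest = sol.bw_sum - current_bw
        for chain in reversed(list(sol.chains)):
            if bw_rest == 0:
                break
            rel = min(bw_rest, chain.bw)
            chain.bw, bw_rest = chain.bw - rel, bw_rest - rel
            for l in chain.links():
                topo.edge_bw[l] += rel
            for i, (sf, node, cpu) in enumerate(chain.sfis):  # shrink CPU per table
                new_cpu = cpu_for_bw(sf, chain.bw) if chain.bw else 0
                topo.node_cpu[node] += cpu - new_cpu
                chain.sfis[i] = (sf, node, new_cpu)
            if chain.bw == 0:
                sol.chains.remove(chain)
    sol.bw_sum = current_bw
    return True


def handle_demand(topo, ksp, t):
    """Step (5): solution s for demand t = (start, end, bw, SF); None if infeasible."""
    sol = Solution()
    return sol if scale(topo, ksp, sol, t, t[2]) else None


def build_demo():
    """Constructed 5-node topology: node CPU counts and link bandwidths (Mbit/s)."""
    topo = Topology({1: 4, 2: 8, 3: 8, 4: 4, 5: 4},
                    [(1, 2, 300), (2, 3, 300), (3, 5, 300),
                     (1, 4, 150), (4, 5, 150), (2, 5, 100)])
    return topo, topo.ksp_dict(3)
```

With the demo topology, a 120 Mbit/s demand from node 1 to node 5 with SF = {fw, ids} is rejected on the shortest path 1-2-5 (link 2-5 has only 100 Mbit/s, and the claim requires strictly greater residual bandwidth) and lands on 1-4-5; a later rise to 200 Mbit/s adds an 80 Mbit/s chain on 1-2-5 rather than re-placing the first one, and a drop to 150 Mbit/s releases the surplus from that second, more recently added chain first. Two points of the claim text are worth noting when implementing it for real: the strict inequalities in steps (5.4) and (7.5) leave a link with exactly the requested bandwidth unused, and step (7.7) subtracting bw_sum rather than bw_add from the new path would over-reserve bandwidth the traffic never uses.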
CN201910412090.8A 2019-05-17 2019-05-17 Safety protection method for elastic user cloud computing resources Expired - Fee Related CN110120978B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910412090.8A CN110120978B (en) 2019-05-17 2019-05-17 Safety protection method for elastic user cloud computing resources

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910412090.8A CN110120978B (en) 2019-05-17 2019-05-17 Safety protection method for elastic user cloud computing resources

Publications (2)

Publication Number Publication Date
CN110120978A true CN110120978A (en) 2019-08-13
CN110120978B CN110120978B (en) 2021-05-14

Family

ID=67522548

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910412090.8A Expired - Fee Related CN110120978B (en) 2019-05-17 2019-05-17 Safety protection method for elastic user cloud computing resources

Country Status (1)

Country Link
CN (1) CN110120978B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113225211A (en) * 2021-04-27 2021-08-06 Air Force Engineering University of the PLA Fine-grained service function chain extension method
CN114666223A (en) * 2020-12-04 2022-06-24 *** Communications Group Design Institute Co., Ltd. Cloud computing resource pool processing method and device and readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580120A (en) * 2013-10-28 2015-04-29 Beijing Venustech Inc. On-demand-service virtualized network intrusion detection method and device
CN105955824A (en) * 2016-04-21 2016-09-21 Huawei Technologies Co., Ltd. Method and device for configuring virtual resources
CN106254154A (en) * 2016-09-19 2016-12-21 Hangzhou H3C Technologies Co., Ltd. Resource sharing method and device
CN106411941A (en) * 2016-11-24 2017-02-15 Jinan Inspur Hi-Tech Investment and Development Co., Ltd. Security authentication resource allocation and management method in a cloud environment
US20170104847A1 (en) * 2015-10-12 2017-04-13 Fujitsu Limited Vertex-centric service function chaining in multi-domain networks
CN107332913A (en) * 2017-07-04 2017-11-07 University of Electronic Science and Technology of China Optimised deployment method for service function chains in 5G mobile networks
CN108063830A (en) * 2018-01-26 2018-05-22 Chongqing University of Posts and Telecommunications MDP-based network slice dynamic resource allocation method

Also Published As

Publication number Publication date
CN110120978B (en) 2021-05-14

Similar Documents

Publication Publication Date Title
CN103369027B Location-aware virtual service provisioning in a hybrid cloud environment
CN103827825B Virtual resource object component
US9417903B2 Storage management for a cluster of integrated computing systems comprising integrated resource infrastructure using storage resource agents and synchronized inter-system storage priority map
CN105103506B Method and system for allocating bandwidth to non-uniform bandwidth requests in a cloud computing system
EP2652594B1 Multi-tenant, high-density container service for hosting stateful and stateless middleware components
CN105242956B Virtual function service chain deployment system and deployment method
CN103825964B SLS (Service Level Specification) scheduling device and SLS scheduling method based on a cloud computing PaaS (platform-as-a-service) platform
CN104468803B Virtual data center resource mapping method and device
CN104335182A Method and apparatus for single point of failure elimination for cloud-based applications
CN108431778A Management of a virtual desktop instance pool
CN109445802A Container-based private PaaS platform and method for publishing applications on it
CN104601680B Resource management method and device
CN105468435A NFV dynamic resource allocation method
CN103747107B Compatible cloud operating platform and implementation method
Wang et al. Bandwidth guaranteed virtual network function placement and scaling in datacenter networks
Elmroth et al. Self-management challenges for multi-cloud architectures
CN108667867A Data storage method and device
Grönkvist Accelerating column generation for aircraft scheduling using constraint propagation
US11093288B2 Systems and methods for cluster resource balancing in a hyper-converged infrastructure
CN109327319A Method, device and system for deploying a network slice
CN110120978A Security protection method for elastic user cloud computing resources
Houidi et al. Exact multi-objective virtual network embedding in cloud environments
CN109639498B Service-quality-oriented elastic resource configuration method based on SDN and NFV
CN107967175A Resource scheduling system and method based on multi-objective optimisation
CN109471725A Resource allocation method, device and server

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210514