CN110120978B - Safety protection method for elastic user cloud computing resources - Google Patents


Info

Publication number: CN110120978B
Authority: CN (China)
Prior art keywords: user, node, bandwidth, sfi, cpu
Legal status: Expired - Fee Related
Application number: CN201910412090.8A
Other languages: Chinese (zh)
Other versions: CN110120978A (en)
Inventors: 周潮, 刘坚, 许都
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The invention discloses a security protection method for elastic user cloud computing resources. It predicts a user's bandwidth usage over a coming period from the user's historical bandwidth usage, and then uses the security processing resources corresponding to the difference between the predicted bandwidth and the rated bandwidth to provide the same security service to other users; when the original user's usage exceeds the predicted bandwidth, new security processing resources are immediately established to carry the other users sharing those security processing resources, so that the original user's security service quality is guaranteed. The cloud service provider thereby gains the ability to allocate basic security processing functions dynamically, can provide security guarantees for users and for its own platform, and saves virtualized resources.

Description

Safety protection method for elastic user cloud computing resources
Technical Field
The invention belongs to the technical field of network communication, and particularly relates to a security protection method for cloud computing resources of elastic users.
Background
With the continuous improvement of hardware capability of computing platforms, virtualization technology is becoming more mature. In the past decade, cloud computing has gradually evolved into a major research and development direction in IT. Each large internet manufacturer has launched a cloud computing platform and provides cloud computing services for small and medium-sized enterprises and individuals. In addition to selling virtualized computing resources, cloud service providers also need to secure virtualized services purchased by users.
Network Function Virtualization (NFV) is a framework for separating software from hardware, proposed by the European Telecommunications Standards Institute (ETSI) from the perspective of network operators. Its main aim is to carry the various network software functions on industry-standard high-capacity servers, storage and switches through standardized IT virtualization technology, so that software can be loaded flexibly and deployed and configured at different locations such as data centers, network nodes and the user end. NFV breaks the binding between the physical equipment layer and the logical service layer of the network: each physical device is replaced by a virtualized network element, and the virtual network element can be managed and configured to meet specific requirements.
With NFV, the middleware deployed in existing networks can be reduced or even removed; a single physical platform can run different applications, and users/tenants can use network functions concurrently across multiple versions and multiple tenants. NFV also supports brand-new ways of achieving elasticity, service assurance, test diagnostics and security monitoring. It facilitates the innovation of new network functions and services in a software network environment, applies to any data plane and control plane function and to fixed or mobile networks, and extends to the automated management and configuration needed to achieve scalability. To make fuller use of resources, a virtualized cloud service provider usually wants to raise resource utilization, lower the idle rate, and so improve its yield.
Currently, in the design and sales mode of cloud computing, a user purchases a virtualized computing service of a specified size to obtain a completely matched virtualized resource amount. After a user purchases virtualized computing resources and runs own network service, a cloud service provider generally needs to provide network security service for the user, so as to guarantee normal running and access speed of the network service and guarantee security of a platform of the user. This service has become the basic service of each big cloud service provider, and even if the user does not purchase additional security processing functions, the most basic security quality guarantee for network service access must be provided.
The resource cost of this virtualized network security function can be controlled autonomously and adjusted flexibly by the cloud service provider. At the same time, the data traffic of this part varies and fluctuates widely: for example, when a user writes data into virtualized computing resources, or when the user's network service reaches a peak, the service has a large data bandwidth requirement and correspondingly a large security processing bandwidth requirement; when the user's service starts to compute on and process the newly written data, or the network service enters a trough, a large amount of communication bandwidth sits idle, and if security processing resources are still allocated to the user according to the peak-period bandwidth at that moment, a great deal is wasted.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a security protection method for cloud computing resources of elastic users, so that the users can fully utilize idle virtualized resources and dynamically process the user traffic when the user traffic is increased suddenly.
In order to achieve the above object, the present invention provides a method for protecting security of cloud computing resources of a flexible user, comprising the following steps:
(1) initializing network topology G
(1.1) recording all node information in G, including the node number node_id and the node CPU count node_cpu_num;
(1.2) recording all link edge information in G, including the link number edge_id, the link bandwidth capacity edge_bw and the link weight W, and initializing W to 1;
(2) setting a CPU-BW mapping table set of security service function
Setting a CPU-BW mapping table for each safety service function, wherein the CPU-BW mapping tables corresponding to all types of safety service functions form a safety service function CPU-BW mapping table set;
(3) setting a K Shortest Path (KSP) multi-level index data structure ksp_dit, in which the indexes correspond to the starting node number and the ending node number: the first-level index is the starting node number, the second-level index is the ending node number, and the corresponding value is the K shortest path information;
(4) setting a user security requirement set T and a user security solution set S
(4.1) setting a user security requirement set T, and initializing T to the empty set; the elements stored in T are user security requirements t, where each t comprises a starting node number, an ending node number, a requested bandwidth capacity bw and a security processing service function type sequence SF, with SF in the format SF = {sf_1, sf_2, …, sf_u}, there being u user security processing service function types sf in total;
(4.2) setting a user security solution set S, and initializing S to the empty set; the elements stored in S are user security solutions s, where each s comprises the total bandwidth bw_sum that can currently be processed, the set R_SUM of the total number of CPUs occupied by each security service function, and the security service function chain set SFC;
where the format of R_SUM is R_SUM = {r_1, r_2, …, r_u}, r_u representing the total number of CPUs occupied by the u-th user security processing service function;
the format of SFC is SFC = {sfc_1, sfc_2, …, sfc_q}, all security service function chains being arranged in increasing chain length, sfc_q representing the q-th security service function chain sfc;
further, each security service function chain sfc comprises a set SFI of security service function instances, with SFI in the format SFI = {sfi_1, sfi_2, …, sfi_u}, sfi_u representing the security service function instance sfi of the u-th user security processing service function; each sfi comprises a set R of occupied CPU counts, a processable bandwidth bw and a corresponding PATH, where R is in the format R = {r_1, r_2, …, r_u} and PATH is in the format PATH = {node_id_0, node_id_1, …, node_id_v}, node_id_0 being the starting node number and node_id_v the ending node number;
(5) user security requirement handling
(5.1) starting a security requirement monitoring thread, which monitors whether an unprocessed user security requirement t exists in T; if so, taking out the unprocessed t and entering step (5.2), otherwise jumping to step (6);
(5.2) creating the user security solution s corresponding to the user security requirement t, and initializing the bw_sum value in s to the bw value of t; for each type of security service function in SF, obtaining the corresponding CPU-BW mapping table, looking up through bw_sum the number of CPUs required by that type of security service function, and assigning it to the corresponding r in R; initializing SFC to the empty set;
(5.3) looking up in ksp_dit, according to the starting node number and ending node number of t, the K shortest paths between the corresponding starting node and ending node;
(5.4) screening from the K shortest paths those whose minimum residual link bandwidth is greater than bw and in which the residual CPU count of every node is greater than the CPU count required to deploy the security service function, and marking the one with the shortest path length as sp;
(5.5) deploying the sfi of each type in turn on nodes in sp with sufficient residual CPU count, and assigning to each such node, as its residual CPU count, the difference obtained by subtracting the CPU count consumed by the newly built sfi from the node's residual CPU count;
(5.6) traversing each link edge in sp, and assigning to each link edge, as its residual bandwidth, the difference obtained by subtracting bw_sum from the residual bandwidth of that link edge;
(5.7) adding sfc to SFC and s to S, and then returning to step (5.1);
(6) service bandwidth handling
(6.1) setting a traversal factor i, and initializing the value of i to be 1;
(6.2) if i is smaller than or equal to the size of the S set, executing the step (6.3), otherwise, jumping to the step (6.4);
(6.3) taking the i-th solution s in S, and performing elastic management on s;
(6.3.1) setting the surplus bandwidth bw_rest, and initializing bw_rest to bw_sum minus the current bandwidth of the user service data corresponding to s;
(6.3.2) assigning the current bandwidth of the user service data corresponding to s to bw_sum;
(6.3.3) setting a traversal factor j, and initializing the value of j to the size of the set SFC;
(6.3.4) checking the size of the traversal factor j: if j is greater than 0, taking the j-th sfc in SFC and executing the following substeps on it; otherwise, jumping to step (6.3.5);
(6.3.4.1) setting the bandwidth to be released bw_release: if bw_rest is less than bw, initializing bw_release to the value of bw_rest; otherwise, initializing bw_release to the value of bw;
(6.3.4.2) reassigning to bw the difference obtained by subtracting bw_release from bw, and if the assigned bw is 0, removing the sfc from SFC; meanwhile, obtaining the corresponding CPU-BW mapping table according to the security service function type of each corresponding sfi, looking up through bw_release the number of CPUs by which that security service function can be reduced, and decrementing the CPU count value r corresponding to each sfi by that number;
(6.3.4.3) reassigning to bw_rest the difference obtained by subtracting bw_release from bw_rest, and if the assigned bw_rest is 0, jumping to step (6.4);
(6.3.4.4) decrementing j by 1, and jumping to step (6.3.4);
(6.3.5) incrementing i by 1, and jumping to step (6.2);
(6.4) reinitializing i to have a value of 1;
(6.5) if i is less than or equal to the current number of sfi, taking out the i-th sfi and executing the following substeps; otherwise, jumping to step (7);
(6.5.1) setting the elastic optimization range of the current sfi to the link intersection of all sfc associated with the sfi;
(6.5.2) within the elastic optimization range, searching for sfi of the same type, and calculating the merging benefit of each mergeable sfi as an alternative scheme;
(6.5.3) judging whether an alternative scheme currently exists; if so, selecting the alternative scheme within the elastic optimization range to merge the several sfi, then assigning i to 1 and entering step (7); otherwise, incrementing i by 1 and returning to step (6.5);
(7) resource elasticity management
(7.1) checking in turn the bandwidth sizes of all user service data, finding the first user whose service data bandwidth exceeds the total bandwidth bw_sum that can be processed by the security solution s corresponding to that user, and then entering step (7.2); if no such user is found among all users, jumping to step (8);
(7.2) setting the bandwidth capacity bw_add by which the security service needs to be increased, and initializing bw_add to the difference obtained by subtracting, from the service data bandwidth of the found user, the total bandwidth bw_sum that can be processed by the security solution s corresponding to that user;
(7.3) modifying the user security solution s, reassigning the sum of bw_sum and bw_add to bw_sum; then obtaining the corresponding CPU-BW mapping table according to each corresponding type of security service function, looking up through bw_sum the number of CPUs required by that type of security service function, and assigning it to the corresponding r in R;
(7.4) looking up in ksp_dit, according to the starting node number and ending node number of t, the K shortest paths between the corresponding starting node and ending node;
(7.5) screening from the K shortest paths those whose minimum residual link bandwidth is greater than bw_add and in which the residual CPU count of every node is greater than the CPU count required to deploy the security service function, and marking the one with the shortest path length as sp*;
(7.6) deploying the sfi of each type in turn on nodes in sp* with sufficient residual CPU count, and assigning to each such node, as its residual CPU count, the difference obtained by subtracting the CPU count consumed by the newly built sfi from the node's residual CPU count;
(7.7) traversing each link edge in sp*, and assigning to each link edge, as its residual bandwidth, the difference obtained by subtracting bw_sum from the residual bandwidth of that link edge;
(7.8) adding the sfc to SFC, and then repeating step (7.1);
(8) ending the security service of the elastic user cloud computing resource.
The object of the invention is achieved as follows:
The invention relates to a security protection method for elastic user cloud computing resources. It predicts a user's bandwidth usage over a coming period from the user's historical bandwidth usage, and then uses the security processing resources corresponding to the difference between the predicted bandwidth and the rated bandwidth to provide the same security service to other users; when the original user's usage exceeds the predicted bandwidth, new security processing resources are immediately established to carry the other users sharing those security processing resources, so that the original user's security service quality is guaranteed. The cloud service provider thereby gains the ability to allocate basic security processing functions dynamically, can provide security guarantees for users and for its own platform, and saves virtualized resources.
At the same time, the security protection method for elastic user cloud computing resources has the following beneficial effects:
(1) High utilization: the elastic security protection method provided by the invention combines virtual machine and container technology, and makes fuller use of computing resources while maintaining the existing security service.
(2) Reliability: while providing the security function service, the invention also guarantees the security and reliability of the user's service traffic as it grows.
(3) Compatibility: the invention places no special restriction on the underlying cloud service support platform and only optimizes the deployment and scheduling of the required security services.
Drawings
FIG. 1 is a flow chart of a method for securing cloud computing resources for a resilient user in accordance with the present invention;
FIG. 2 is a user security requirements processing flow diagram;
FIG. 3 is a traffic bandwidth processing flow diagram;
FIG. 4 is a flow diagram of elastic resource management.
Detailed Description
The following description of the embodiments of the present invention is provided in order to better understand the present invention for those skilled in the art with reference to the accompanying drawings. It is to be expressly noted that in the following description, a detailed description of known functions and designs will be omitted when it may obscure the subject matter of the present invention.
Examples
Fig. 1 is a flowchart of a security protection method for an elastic user cloud computing resource according to the present invention.
In this embodiment, as shown in fig. 1, the method for protecting security of cloud computing resources of an elastic user according to the present invention includes the following steps:
S1, initializing network topology G
The security protection network is the basis on which a security protection method for cloud computing resources is provided; its topology is composed of switching devices (physical switches), computing devices (physical servers) and physical links. The switching devices and physical links form a switching network. Each switching device is connected to several computing devices through physical links, and one computing device can only be connected to one switching device;
S1.1, recording all node information in G, where a node is a logical concept formed by a switching device together with all the computing devices connected to it, and the node information comprises the node number node_id and the node CPU count node_cpu_num;
S1.2, recording all link edge information in G, including the link number edge_id, the link bandwidth capacity edge_bw and the link weight W, and initializing W to 1.
S2, setting the security service function CPU-BW mapping table set
A CPU-BW mapping table is set for each security service function, and the CPU-BW mapping tables corresponding to all types of security service function form the security service function CPU-BW mapping table set; the security service function CPU-BW mapping table supports bidirectional indexing and stores the number of CPUs required by each security service function together with the corresponding maximum bandwidth capacity BW.
S3, setting the K Shortest Path (KSP) multi-level index data structure ksp_dit; the K shortest path information is a list of K shorter-path entries arranged in increasing path length, each entry stored as the numbers of the nodes traversed by that path between the starting node and the ending node; ksp_dit stores indexes corresponding to the starting node number and the ending node number, the first-level index being the starting node number, the second-level index the ending node number, and the corresponding value the K shortest path information.
S4, setting a user security requirement set T and a user security solution set S
S4.1, setting a user security requirement set T, and initializing T to the empty set; the elements stored in T are user security requirements t, where each t comprises a starting node number, an ending node number, a requested bandwidth capacity bw and a security processing service function type sequence SF, with SF in the format SF = {sf_1, sf_2, …, sf_u}, there being u user security processing service function types sf in total;
S4.2, setting a user security solution set S, and initializing S to the empty set; the elements stored in S are user security solutions s, where each s comprises the total bandwidth bw_sum that can currently be processed, the set R_SUM of the total number of CPUs occupied by each security service function, and the security service function chain set SFC;
where the format of R_SUM is R_SUM = {r_1, r_2, …, r_u}, r_u representing the total number of CPUs occupied by the u-th user security processing service function;
the format of SFC is SFC = {sfc_1, sfc_2, …, sfc_q}, all security service function chains being arranged in increasing chain length, sfc_q representing the q-th security service function chain sfc;
further, each security service function chain sfc comprises a set SFI of security service function instances, with SFI in the format SFI = {sfi_1, sfi_2, …, sfi_u}, sfi_u representing the security service function instance sfi of the u-th user security processing service function; each sfi comprises a set R of occupied CPU counts, a processable bandwidth bw and a corresponding PATH, where R is in the format R = {r_1, r_2, …, r_u} and PATH is in the format PATH = {node_id_0, node_id_1, …, node_id_v}, node_id_0 being the starting node number and node_id_v the ending node number;
S5, processing user security requirements, as shown in FIG. 2;
S5.1, starting a security requirement monitoring thread, which monitors whether an unprocessed user security requirement t exists in T; if so, taking out the unprocessed t and entering step S5.2, otherwise jumping to step S6;
S5.2, creating the user security solution s corresponding to the user security requirement t, and initializing the bw_sum value in s to the bw value of t; for each type of security service function in SF, obtaining the corresponding CPU-BW mapping table, looking up through bw_sum the number of CPUs required by that type of security service function, and assigning it to the corresponding r in R; initializing SFC to the empty set;
S5.3, looking up in ksp_dit, according to the starting node number and ending node number of t, the K shortest paths between the corresponding starting node and ending node;
S5.4, screening from the K shortest paths those whose minimum residual link bandwidth is greater than bw and in which the residual CPU count of every node is greater than the CPU count required to deploy the security service function, and marking the one with the shortest path length as sp;
S5.5, deploying the sfi of each type in turn on nodes in sp with sufficient residual CPU count, and assigning to each such node, as its residual CPU count, the difference obtained by subtracting the CPU count consumed by the newly built sfi from the node's residual CPU count;
S5.6, traversing each link edge in sp, and assigning to each link edge, as its residual bandwidth, the difference obtained by subtracting bw_sum from the residual bandwidth of that link edge;
S5.7, adding sfc to SFC and s to S, and returning to step S5.1;
S6, processing the service bandwidth, the specific flow being as shown in FIG. 3;
S6.1, setting a traversal factor i, and initializing the value of i to 1;
S6.2, if i is less than or equal to the size of the set S, executing step S6.3, otherwise jumping to step S6.4;
S6.3, taking the i-th solution s in S, and performing elastic management on s;
S6.3.1, setting the surplus bandwidth bw_rest, and initializing bw_rest to bw_sum minus the current bandwidth of the user service data corresponding to s;
S6.3.2, assigning the current bandwidth of the user service data corresponding to s to bw_sum;
S6.3.3, setting a traversal factor j, and initializing the value of j to the size of the set SFC;
S6.3.4, checking the size of the traversal factor j: if j is greater than 0, taking the j-th sfc in SFC and executing the following substeps on it; otherwise, going to step S6.3.5;
S6.3.4.1, setting the bandwidth to be released bw_release: if bw_rest is less than bw, initializing bw_release to the value of bw_rest; otherwise, initializing bw_release to the value of bw;
S6.3.4.2, reassigning to bw the difference obtained by subtracting bw_release from bw, and if the assigned bw is 0, removing the sfc from SFC; meanwhile, obtaining the corresponding CPU-BW mapping table according to the security service function type of each corresponding sfi, looking up through bw_release the number of CPUs by which that security service function can be reduced, and decrementing the CPU count value r corresponding to each sfi by that number;
S6.3.4.3, reassigning to bw_rest the difference obtained by subtracting bw_release from bw_rest, and if the assigned bw_rest is 0, jumping to step S6.4;
S6.3.4.4, decrementing j by 1, and jumping to step S6.3.4;
S6.3.5, incrementing i by 1, and jumping to step S6.2;
S6.4, reinitializing the value of i to 1;
S6.5, if i is less than or equal to the current number of sfi, taking out the i-th sfi and executing the following substeps; otherwise, jumping to step S7;
S6.5.1, setting the elastic optimization range of the current sfi to the link intersection of all sfc associated with the sfi;
S6.5.2, within the elastic optimization range, searching for sfi of the same type, and calculating the merging benefit of each mergeable sfi as an alternative scheme;
In this embodiment, the merging benefit is calculated as follows: the resources of each sfi are integer-valued, while the resources consumed by one service function type of an associated service function chain are floating-point values, so merging the partially idle resources associated with several sfi can release an integer-valued resource once the amount of idle resources exceeds 1; the cost of merging is mainly that of the sfi themselves and can be determined according to the actual system application.
S6.5.3, judging whether an alternative scheme currently exists; if so, selecting the alternative scheme within the elastic optimization range to merge the several sfi, then assigning i to 1 and entering step S7; otherwise, incrementing i by 1 and returning to step S6.5;
S7, resource elastic management, the specific flow being as shown in FIG. 4;
S7.1, checking in turn the bandwidth sizes of all user service data, finding the first user whose service data bandwidth exceeds the total bandwidth bw_sum that can be processed by the security solution s corresponding to that user, and then entering step S7.2; if no such user is found among all users, jumping to step S8;
S7.2, setting the bandwidth capacity bw_add by which the security service needs to be increased, and initializing bw_add to the difference obtained by subtracting, from the service data bandwidth of the found user, the total bandwidth bw_sum that can be processed by the security solution s corresponding to that user;
S7.3, modifying the user security solution s, reassigning the sum of bw_sum and bw_add to bw_sum; then obtaining the corresponding CPU-BW mapping table according to each corresponding type of security service function, looking up through bw_sum the number of CPUs required by that type of security service function, and assigning it to the corresponding r in R;
S7.4, looking up in ksp_dit, according to the starting node number and ending node number of t, the K shortest paths between the corresponding starting node and ending node;
S7.5, screening from the K shortest paths those whose minimum residual link bandwidth is greater than bw_add and in which the residual CPU count of every node is greater than the CPU count required to deploy the security service function, and marking the one with the shortest path length as sp*;
S7.6, deploying the sfi of each type in turn on nodes in sp* with sufficient residual CPU count, and assigning to each such node, as its residual CPU count, the difference obtained by subtracting the CPU count consumed by the newly built sfi from the node's residual CPU count;
S7.7, traversing each link edge in sp*, and assigning to each link edge, as its residual bandwidth, the difference obtained by subtracting bw_sum from the residual bandwidth of that link edge;
S7.8, adding the sfc to SFC, and then repeating step S7.1;
S8, ending the security service of the elastic user cloud computing resource.
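As an added example that is not part of the patent, the following Python model walks through steps S5 to S7 on a constructed five-node topology: a requirement t is placed on the shortest feasible K-path, traffic above bw_sum triggers a second chain on a new path sp*, and traffic below bw_sum releases bandwidth and CPUs from the last chain first. The topology, CPU-BW tables, ksp_dit entries and traffic figures are all constructed; expressing the mapping table as bandwidth per CPU, returning link bandwidth on release, and reserving only bw_add on sp* are assumptions noted in the code.

```python
"""Added example, not the patent's own code: a compact model of steps S1-S7 of
CN110120978B. Topology, CPU-BW tables, ksp_dit entries and traffic figures are
constructed values chosen to exercise both the scale-up and the release paths."""
import math
from dataclasses import dataclass

# S1: residual CPU per node and residual bandwidth per link edge (constructed;
# edges are keyed by the sorted node pair).
NODE_CPU = {0: 12, 1: 8, 2: 2, 3: 8, 4: 8}
EDGE_BW = {(0, 1): 100.0, (1, 3): 100.0, (0, 2): 60.0, (2, 3): 60.0,
           (0, 4): 100.0, (3, 4): 100.0}
# S2: CPU-BW mapping table per function type, modelled as the bandwidth one CPU
# can process (Mbit/s) so it can be read in either direction (assumption).
CPU_BW_TABLE = {"fw": 40.0, "ids": 20.0}
# S3: ksp_dit[start][end] -> K shortest paths in increasing length (constructed, K=3).
KSP_DIT = {0: {3: [[0, 1, 3], [0, 2, 3], [0, 4, 3]]}}


def cpus_for(sf_type, bw):
    """Mapping-table lookup: CPUs one function type needs to process bw."""
    return math.ceil(bw / CPU_BW_TABLE[sf_type]) if bw > 0 else 0


def links_of(path):
    return [tuple(sorted(pair)) for pair in zip(path, path[1:])]


@dataclass
class SFI:               # security service function instance sfi
    sf_type: str
    r: int               # CPUs occupied
    bw: float            # processable bandwidth
    node: int
    path: list


def pick_path(t, bw):
    """S5.3-S5.4 / S7.4-S7.5: shortest K-path whose minimum residual link bandwidth
    exceeds bw and whose nodes all have residual CPU for the largest sfi."""
    need = max(cpus_for(sf, bw) for sf in t["sf"])
    for path in KSP_DIT[t["start"]][t["end"]]:
        links = links_of(path)
        if min(EDGE_BW[l] for l in links) > bw and all(NODE_CPU[n] >= need for n in path):
            return path, links
    raise RuntimeError("no feasible path in ksp_dit for this requirement")


def deploy_chain(t, bw):
    """S5.5-S5.6 / S7.6-S7.7: one sfi per function type on the first node of the
    path with enough residual CPU, then reserve bw on every link of the path."""
    path, links = pick_path(t, bw)
    chain = []
    for sf in t["sf"]:
        r = cpus_for(sf, bw)
        node = next(n for n in path if NODE_CPU[n] >= r)
        NODE_CPU[node] -= r
        chain.append(SFI(sf, r, bw, node, path))
    for l in links:
        EDGE_BW[l] -= bw
    return chain


def handle_requirement(t):
    """S5: build the user security solution s for a newly observed requirement t."""
    s = {"t": t, "bw_sum": t["bw"], "sfc": []}
    s["sfc"].append(deploy_chain(t, t["bw"]))
    return s


def release_bandwidth(s, current_bw):
    """S6.3: shrink s to current traffic, releasing from the last chain first; CPUs
    return via the mapping table, link bandwidth too (the latter is an assumption)."""
    bw_rest = s["bw_sum"] - current_bw
    s["bw_sum"] = current_bw
    for chain in reversed(list(s["sfc"])):
        if bw_rest <= 0:
            break
        bw_release = min(bw_rest, chain[0].bw)
        for sfi in chain:
            sfi.bw -= bw_release
            r_new = cpus_for(sfi.sf_type, sfi.bw)
            NODE_CPU[sfi.node] += sfi.r - r_new
            sfi.r = r_new
        for l in links_of(chain[0].path):
            EDGE_BW[l] += bw_release
        if chain[0].bw == 0:
            s["sfc"].remove(chain)
        bw_rest -= bw_release
    return s


def elastic_scale_up(s, current_bw):
    """S7: traffic above bw_sum gets a new chain sized to bw_add on a fresh path sp*.
    S7.7 subtracts bw_sum on sp*; reserving only bw_add there is an assumption."""
    if current_bw > s["bw_sum"]:
        bw_add = current_bw - s["bw_sum"]
        s["bw_sum"] += bw_add
        s["sfc"].append(deploy_chain(s["t"], bw_add))
    return s


def demo():
    """Constructed scenario: 50 Mbit/s from node 0 to node 3, then traffic of 120,
    80 and 10; returns (bw_sum, chain count, node-0 residual CPU) after each step."""
    t = {"start": 0, "end": 3, "bw": 50.0, "sf": ["fw", "ids"]}
    s = handle_requirement(t)
    trace = [(s["bw_sum"], len(s["sfc"]), NODE_CPU[0])]
    for current in (120.0, 80.0, 10.0):
        (elastic_scale_up if current > s["bw_sum"] else release_bandwidth)(s, current)
        trace.append((s["bw_sum"], len(s["sfc"]), NODE_CPU[0]))
    return trace
```

Running demo() shows the 120 Mbit/s burst failing the residual-bandwidth screen on the first two K-paths and landing on [0, 4, 3], and the later drop to 10 Mbit/s removing that second chain entirely while the first one shrinks in place.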
Although illustrative embodiments of the present invention have been described above to facilitate the understanding of the present invention by those skilled in the art, it should be understood that the present invention is not limited to the scope of the embodiments, and various changes may be made apparent to those skilled in the art as long as they are within the spirit and scope of the present invention as defined and defined by the appended claims, and all matters of the invention which utilize the inventive concepts are protected.

Claims (4)

1. A security protection method for elastic user cloud computing resources, characterized by comprising the following steps:
(1) initialize the network topology G
(1.1) record all node information in G, including the node number node_id and the number of CPUs on the node node_cpu_num;
(1.2) record all link edge information in G, including the link number edge_id, the link bandwidth capacity edge_bw and the link weight W, initializing W to 1;
(2) set the CPU-BW mapping table set of the security service functions
set a CPU-BW mapping table for each security service function; the CPU-BW mapping tables of all security service function types together form the security service function CPU-BW mapping table set;
(3) set a K shortest path (KSP) multi-level index data structure ksp_dict, which stores indexes by start node number and end node number: the first-level index is the start node number, the second-level index is the end node number, and the corresponding value is the K shortest path information;
(4) set the user security requirement set T and the user security solution set S
(4.1) set the user security requirement set T, initialized to the empty set; the elements stored in T are user security requirements t, each of which comprises a start node number, an end node number, a requested bandwidth capacity bw and a sequence SF of security processing service function types, in the format SF = {sf_1, sf_2, ..., sf_u}, with u user security processing service function types sf in total;
(4.2) set the user security solution set S, initialized to the empty set; the elements stored in S are user security solutions s, each of which comprises the total bandwidth bw_sum that can currently be processed, the set R_SUM of total CPU counts occupied by each security service function, and the security service function chain set SFC;
where the format of R_SUM is R_SUM = {r_1, r_2, ..., r_u}, r_u being the total number of CPUs occupied by the u-th user security processing service function;
the format of SFC is SFC = {sfc_1, sfc_2, ..., sfc_q}, with all security service function chains arranged in order of increasing chain length, sfc_q being the q-th security service function chain sfc;
further, each security service function chain sfc comprises a set SFI of security service function instances, in the format SFI = {sfi_1, sfi_2, ..., sfi_u}, sfi_u being the security service function instance sfi of the u-th user security processing service function type; each sfi comprises a set R of occupied CPU counts, a processable bandwidth bw and a corresponding PATH; the format of R is R = {r_1, r_2, ..., r_u}, and the format of PATH is PATH = {node_id_0, node_id_1, ..., node_id_v}, where node_id_0 is the start node number and node_id_v is the end node number;
(5) user security requirement handling
(5.1) start a security requirement monitoring thread that monitors whether T contains an unprocessed user security requirement t; if so, take out the unprocessed t and go to step (5.2); otherwise jump to step (6);
(5.2) set the user security solution s corresponding to t and initialize bw_sum in s to the bw of t; for each security service function type in SF, obtain its CPU-BW mapping table, look up the number of CPUs that function needs at bw_sum, and assign it to the corresponding r in R; initialize SFC to the empty set;
(5.3) using the start node number and end node number of t, retrieve the K shortest paths between those two nodes from ksp_dict;
(5.4) screen the paths whose minimum residual link bandwidth exceeds bw and whose nodes all have more residual CPUs than the deployment of the security service functions requires; the shortest of these is denoted sp;
(5.5) on the nodes of sp that have sufficient residual CPUs, deploy the sfi of each required type in sequence, and subtract the CPUs consumed by each newly created sfi from the residual CPU count of its node;
(5.6) traverse every link edge in sp and subtract bw_sum from its residual bandwidth;
(5.7) add the sfc to SFC and s to S, then return to step (5.1);
(6) service bandwidth handling
(6.1) set a traversal index i, initialized to 1;
(6.2) if i is less than or equal to the size of S, execute step (6.3); otherwise jump to step (6.4);
(6.3) take the i-th solution s in S and manage it elastically:
(6.3.1) set the surplus bandwidth bw_rest and initialize it to bw_sum minus the current bandwidth of the user service data corresponding to s;
(6.3.2) assign the current bandwidth of the user service data corresponding to s to bw_sum;
(6.3.3) set a traversal index j, initialized to the size of SFC;
(6.3.4) compare j: if j is greater than 0, take the j-th sfc in SFC and execute the following sub-steps on it; otherwise jump to step (6.3.5);
(6.3.4.1) set the bandwidth to be released bw_release: if bw_rest is less than bw, initialize bw_release to bw_rest; otherwise initialize bw_release to bw;
(6.3.4.2) reassign bw to bw minus bw_release; if the new bw is 0, remove the sfc from SFC; at the same time, for each sfi, obtain the CPU-BW mapping table for its security service function type, look up from bw_release the number of CPUs that function can shed, and decrement the CPU count r of that sfi accordingly;
(6.3.4.3) reassign bw_rest to bw_rest minus bw_release; if the new bw_rest is 0, jump to step (6.4);
(6.3.4.4) decrement j by 1 and jump to step (6.3.4);
(6.3.5) increment i by 1 and jump to step (6.2);
(6.4) reinitialize i to 1;
(6.5) if i is less than or equal to the current number of sfi, take out the i-th sfi and execute the following sub-steps; otherwise jump to step (7);
(6.5.1) set the elastic optimization range of the current sfi to the intersection of the links of all sfc associated with that sfi;
(6.5.2) within the elastic optimization range, find sfi of the same type and compute the merge benefit of each mergeable sfi as a candidate;
(6.5.3) judge whether a candidate currently exists; if so, select the candidate within the elastic optimization range and merge the sfi, then set i to 1 and go to step (7); otherwise increment i by 1 and return to step (6.5);
(7) resource elasticity management
(7.1) check the bandwidth of all user service data in turn and find the first user whose service data bandwidth exceeds the total bandwidth bw_sum that the user's security solution s can process, then go to step (7.2); if no such user is found, jump to step (8);
(7.2) set the additional bandwidth capacity bw_add that the security service needs, initialized to that user's service data bandwidth minus the total bandwidth bw_sum that the user's security solution s can process;
(7.3) modify the user security solution s: reassign bw_sum to bw_sum + bw_add; then, for each security service function type, obtain its CPU-BW mapping table, look up the number of CPUs that function needs at bw_sum, and assign it to the corresponding r in R;
(7.4) using the start node number and end node number of t, retrieve the K shortest paths between those two nodes from ksp_dict;
(7.5) among the K shortest paths, screen those whose minimum residual link bandwidth exceeds bw_add and whose nodes all have more residual CPUs than the deployment of the security service functions requires; the shortest of these is denoted sp*;
(7.6) on the nodes of sp* that have sufficient residual CPUs, deploy the sfi of each required type in sequence, and subtract the CPUs consumed by each newly created sfi from the residual CPU count of its node;
(7.7) traverse every link edge on sp* and subtract bw_sum from its residual bandwidth;
(7.8) add the sfc to SFC, then repeat step (7.1);
(8) end the security service for the elastic user cloud computing resources.
2. The method according to claim 1, wherein the security service function CPU-BW mapping table supports a bidirectional index and stores, for each security service function, the number of CPUs required and the corresponding maximum bandwidth capacity BW.
3. The method according to claim 1, wherein the K shortest path information is a list of K shortest path records arranged in order of increasing path length, each record storing the numbers of the nodes that the corresponding path between the start node and the end node passes through.
4. The security protection method for elastic user cloud computing resources according to claim 1, wherein the merge benefit is computed as follows: the idle resources of the sfi of the same type are merged, and the merged resources are taken as the merge benefit.
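The following Python module is an added worked example of the procedure in claim 1 (steps (1) to (7), and the matching S7.x steps of the embodiment); it is not code from the patent or its authors. It builds the topology, the per-function CPU-BW mapping tables and the ksp_dict index, admits requirements along the shortest feasible of the K paths (bandwidth screen, then CPU screen), scales a solution up by adding a chain, and scales it down by releasing bandwidth from the newest chain first and shrinking each instance through the mapping table. Assumptions to note: the K shortest paths are enumerated by exhaustive DFS, where the patent only requires a precomputed index; a path passes the CPU screen when every function type can be placed first-fit along it, which is one reading of steps (5.4) and (5.5); scale-up reserves only bw_add on the new path, which is what step (7.5) screens for, whereas step (7.7) as written subtracts bw_sum; the merge optimization of step (6.5) is not implemented; the topology, tables and requirement values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Sfi:       # security service function instance: type, hosting node, CPUs, bandwidth, PATH
    sf: str; node: str; cpu: int; bw: int; path: list

@dataclass
class Solution:  # user security solution s: requirement t, bw_sum, chain set SFC (oldest first)
    t: dict; bw_sum: int; sfc: list = field(default_factory=list)

class Network:
    def __init__(self, nodes, edges, cpu_bw, k=3):
        self.cpu = dict(nodes)                       # node_id -> residual CPU count
        self.bw, self.adj = {}, {n: [] for n in self.cpu}
        for a, b, cap in edges:                      # undirected link, weight W = 1
            self.bw[(a, b)] = self.bw[(b, a)] = cap  # residual bandwidth, kept for both directions
            self.adj[a].append(b); self.adj[b].append(a)
        self.cpu_bw = cpu_bw                         # sf type -> [(cpu, max_bw), ...], ascending
        self.k = k                                   # ksp[src][dst]: K shortest paths, by length
        self.ksp = {a: {b: self._ksp(a, b) for b in self.cpu if b != a} for a in self.cpu}

    def _ksp(self, src, dst):
        """K shortest simple paths by exhaustive DFS (assumption: adequate for a small topology)."""
        paths, stack = [], [[src]]
        while stack:
            p = stack.pop()
            if p[-1] == dst: paths.append(p); continue
            stack.extend(p + [n] for n in self.adj[p[-1]] if n not in p)
        return sorted(paths, key=lambda p: (len(p), p))[:self.k]

    def cpus_for(self, sf, bw):
        """CPU-BW table lookup: fewest CPUs whose max bandwidth covers bw (None if none does)."""
        return next((c for c, max_bw in self.cpu_bw[sf] if max_bw >= bw), None)

    def _fit(self, path, sf_types, bw):
        """First-fit each sf, in chain order, on the next path node with enough residual CPU."""
        free, placed, i = {n: self.cpu[n] for n in path}, [], 0
        for sf in sf_types:
            need = self.cpus_for(sf, bw)
            while need is not None and i < len(path) and free[path[i]] < need:
                i += 1
            if need is None or i == len(path): return None
            free[path[i]] -= need
            placed.append((path[i], need))
        return placed

    def _build_chain(self, t, bw):
        """Steps (5.3)-(5.6): screen the K paths, take the shortest feasible one, commit resources."""
        for path in self.ksp[t["src"]][t["dst"]]:
            if min(self.bw[e] for e in zip(path, path[1:])) < bw: continue   # bandwidth screen
            placed = self._fit(path, t["sf"], bw)
            if placed is None: continue                                     # CPU screen
            for node, c in placed: self.cpu[node] -= c
            for a, b in zip(path, path[1:]): self.bw[(a, b)] -= bw; self.bw[(b, a)] -= bw
            return [Sfi(sf, node, c, bw, path) for sf, (node, c) in zip(t["sf"], placed)]
        return None

    def admit(self, t):    # step (5): one unprocessed requirement t -> solution s, or None
        chain = self._build_chain(t, t["bw"])
        return Solution(t, t["bw"], [chain]) if chain else None

    def scale_up(self, s, current_bw):   # step (7): add one chain sized for bw_add only (assumption)
        chain = self._build_chain(s.t, current_bw - s.bw_sum)
        if chain is None: return False
        s.bw_sum, s.sfc = current_bw, s.sfc + [chain]
        return True

    def scale_down(self, s, current_bw):   # step (6.3): release bw_rest, newest chain first
        bw_rest, s.bw_sum = s.bw_sum - current_bw, current_bw
        for idx in range(len(s.sfc) - 1, -1, -1):
            if bw_rest <= 0: break
            chain = s.sfc[idx]
            bw_release = min(bw_rest, chain[0].bw)
            for sfi in chain:                        # shrink each instance to its new bandwidth
                sfi.bw -= bw_release
                keep = self.cpus_for(sfi.sf, sfi.bw) if sfi.bw else 0
                self.cpu[sfi.node] += sfi.cpu - keep
                sfi.cpu = keep
            p = chain[0].path
            for a, b in zip(p, p[1:]): self.bw[(a, b)] += bw_release; self.bw[(b, a)] += bw_release
            if chain[0].bw == 0: del s.sfc[idx]      # fully released: drop the chain from SFC
            bw_rest -= bw_release

def r_sum(s):   # R_SUM: total CPUs per sf type across all chains of s
    out = {}
    for chain in s.sfc:
        for sfi in chain: out[sfi.sf] = out.get(sfi.sf, 0) + sfi.cpu
    return out

def build_example():
    """Constructed topology, mapping tables and requirements; all values are illustrative only."""
    net = Network(nodes={"A": 4, "B": 2, "C": 4, "D": 1, "E": 4},
                  edges=[("A", "B", 100), ("B", "C", 100), ("A", "D", 50), ("D", "C", 50),
                         ("A", "E", 100), ("E", "C", 100)],
                  cpu_bw={"fw": [(1, 20), (2, 50), (3, 100)], "ids": [(1, 10), (2, 30), (4, 80)]})
    t1 = {"src": "A", "dst": "C", "bw": 40, "sf": ["fw", "ids"]}
    t2 = {"src": "A", "dst": "C", "bw": 70, "sf": ["fw"]}   # pushed off A-B-C by the bandwidth screen
    return net, t1, t2
```

With the constructed values, admitting t1 places fw on A and ids on C along A-B-C and leaves 60 units on those links, so t2 (70 units) fails the bandwidth screen there and on A-D-C and lands on A-E-C. Scaling t1's solution up to 50 adds a second chain sized for bw_add = 10 on A-B-C; scaling it back down to 30 removes that chain entirely and shrinks the ids instance on C from 4 CPUs to 2, since the mapping table needs only 2 CPUs at 30 units. Two checks a practitioner would add before using this in a controller: reserve per-direction bandwidth only if traffic really is asymmetric, and treat the "more than" comparisons of steps (5.4) and (7.5) consistently as strict or non-strict, since at the boundary the two readings admit different paths.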

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910412090.8A CN110120978B (en) 2019-05-17 2019-05-17 Safety protection method for elastic user cloud computing resources

Publications (2)

Publication Number Publication Date
CN110120978A CN110120978A (en) 2019-08-13
CN110120978B true CN110120978B (en) 2021-05-14

Family

ID=67522548

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210514