CN111800291B - Service function chain deployment method and device - Google Patents

Service function chain deployment method and device Download PDF

Info

Publication number
CN111800291B
CN111800291B CN202010461022.3A CN202010461022A CN111800291B CN 111800291 B CN111800291 B CN 111800291B CN 202010461022 A CN202010461022 A CN 202010461022A CN 111800291 B CN111800291 B CN 111800291B
Authority
CN
China
Prior art keywords
combination
vnf
service
value
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010461022.3A
Other languages
Chinese (zh)
Other versions
CN111800291A (en
Inventor
崔琪楣
范玮琪
陶小峰
张平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications filed Critical Beijing University of Posts and Telecommunications
Priority to CN202010461022.3A priority Critical patent/CN111800291B/en
Publication of CN111800291A publication Critical patent/CN111800291A/en
Application granted granted Critical
Publication of CN111800291B publication Critical patent/CN111800291B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The embodiment of the invention provides a service function chain deployment method and a device, wherein the method comprises the following steps: selecting VNFs from preset VNFs of each service type of the service type of each service type requested by the service request to obtain VNF sets of which the VNFs are respectively in the number within a preset number range; obtaining each first combination, wherein each first combination comprises a VNF set corresponding to each service type; selecting a second combination for deploying the service function chain to be deployed in each second combination based on the adjusted security value and deployment consumption of each second combination, wherein the second combination is as follows: the security value of the first combination is greater than the first combination of expected security values; and deploying the service function chains to be deployed according to a preset logic sequence by the VNF in the selected second combination. When the scheme provided by the embodiment of the invention is applied to service function chain deployment, the safety of the deployed service function chain can be improved.

Description

Service function chain deployment method and device
Technical Field
The invention relates to the technical field of communication security, in particular to a service function chain deployment method and device.
Background
A service Function chain is an ordered set of VNFs (Virtual Network functions) that are used to provide services. Since a series of service types of a service to be requested may be included in a service request, when the service request is different, the service type included in the service request is also different, and thus the VNF in the service function chain for responding to the service request is also different.
In order to satisfy different service requests of a user, service function chains need to be deployed for the different service requests, so that the service requests of the user are responded based on the deployed service function chains. In the prior art, when a service function chain is deployed, generally, one VNF is randomly selected from preset VNFs of each service type of each service based on a service type of each service requested by a service request, and the service function chain is deployed based on the selected VNFs.
However, due to the random selection of VNFs, the selected VNFs may be less secure, and the less secure VNFs are vulnerable to network attackers, resulting in less secure service function chains being deployed.
Disclosure of Invention
The embodiment of the invention aims to provide a service function chain deployment method and a service function chain deployment device, which are used for improving the safety of a deployed service function chain. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present invention provides a service function chain deployment method, where the method includes:
determining an expected safety value of a service function chain to be deployed according to a service request to be responded;
for each service type of the service requested by the service request to be responded, selecting a VNF from each preset virtual network function VNF of the service type to obtain a VNF set of which the quantity of the VNFs is respectively in each quantity within a preset quantity range;
combining the obtained VNF sets to obtain first combinations, wherein each first combination comprises a VNF set corresponding to each service type;
for each first combination, calculating the safety value of the first combination according to the safety value of each VNF in the first combination;
for each second combination, adjusting the total resource consumption of the VNFs in the second combination as deployment consumption according to the security value of the second combination, and adjusting the security value of the second combination according to the actual total occupied resource of the VNFs in the second combination, wherein the second combination is: the first combined security value is greater than the first combination of expected security values;
and selecting a second combination for deploying the service function chain to be deployed in each second combination based on the adjusted security value and deployment consumption of each second combination, and deploying the service function chain to be deployed according to a preset logic sequence by using the VNF in the selected second combination.
In one embodiment of the invention, the desired security value is a security value for a service function chain,
for each first combination, calculating the security value of the first combination according to the security values of the VNFs in the first combination includes:
the safety value θ of each first combination is calculated according to the following expression:
Figure BDA0002510919460000021
wherein X represents the number of service types corresponding to the VNFs in the first combination, X represents the sequence number of the service types corresponding to the VNFs in the first combination, ΔxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
In one embodiment of the invention, the expected security value is a security value for a VNF in a service function chain,
for each first combination, calculating the security value of the first combination according to the security values of the VNFs in the first combination includes:
the safety value μ of each first combination is calculated according to the following expression:
Figure BDA0002510919460000031
wherein X represents the number of service types corresponding to the VNFs in the first combination, X represents the sequence number of the service types corresponding to the VNFs in the first combination, ΔxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
In an embodiment of the present invention, the determining an expected security value of a service function chain to be deployed according to a service request to be responded includes:
when the service request to be responded carries an expected service security value of the requested service, taking the expected service security value as an expected security value of a service function chain to be deployed;
and when the service request to be responded does not carry the expected service safety value of the requested service, taking the preset expected safety value as the expected safety value of the service function chain to be deployed.
In an embodiment of the invention, the adjusting, for each second combination, the total resource consumption of the VNFs in the second combination to be deployed according to the security value of the second combination as deployment consumption, and the adjusting the security value of the second combination according to the actual total occupied resource of the VNFs in the second combination includes:
and for each second combination, calculating the sum of the total resource consumption of the VNF in the second combination and the safety value of the second combination, taking the calculated value as the deployment consumption of the second combination, calculating the sum of the actual total occupied resource of the VNF in the second combination and the safety value of the second combination, and taking the calculated value as the adjusted safety value of the second combination.
In an embodiment of the invention, the selecting, in each second combination, a second combination for deploying the service function chain to be deployed includes:
and calculating the ratio of the safety value and the deployment consumption after the adjustment of each second combination, and combining the second combination with the maximum ratio as the second combination for deploying the service function chain to be deployed.
In an embodiment of the present invention, after the deploying, by the VNF in the selected second combination, the service function chain to be deployed according to the preset logical order, the method further includes:
evaluating operational performance values of the VNFs in the selected second combination;
selecting an operating VNF for operation among the selected VNFs of the second combination based on the evaluated operational performance values of the VNFs and the safety values of the VNFs;
responding the service request to be responded based on the determined working VNF.
In an embodiment of the present invention, the method further includes:
according to a preset period, based on the historical safety value of each VNF, the safety value T of each VNF in the current period is determined according to the following expression:
Figure BDA0002510919460000041
wherein, T0For the safety value evaluation result of the VNF of the current period, I is the sequence number of the period, I is the number of the periods from the initial period to the current period, and TiIs the safety value of the VNF of the ith period, alpha is the safety weight of the safety value evaluation result of the VNF, betaiIs a security weight of the security value of the VNF of the i-th cycle, and
Figure BDA0002510919460000042
greater than a preset threshold.
In a second aspect, an embodiment of the present invention provides a service function chain deployment apparatus, where the apparatus includes:
the expected security value determining module is used for determining an expected security value of the service function chain to be deployed according to the service request to be responded;
a VNF set obtaining module, configured to select, for each service type of the service requested by the service request to be responded, a VNF from each preset virtualized network function VNF of the service type, and obtain a VNF set in which the number of VNFs is each number within a preset number range;
a first combination obtaining module, configured to combine the obtained VNF sets to obtain first combinations, where each first combination includes a VNF set corresponding to each service type;
a safety value calculation module, configured to, for each first combination, calculate a safety value of the first combination according to the safety value of each VNF in the first combination;
a data calculation module, configured to, for each second combination, adjust, according to a security value of the second combination, total resource consumption of VNFs in the second combination to be deployed as deployment consumption, and adjust, according to actual total occupied resources of VNFs in the second combination, a security value of the second combination, where the second combination is: the first combined security value is greater than the first combination of expected security values;
and the service function chain deployment module is used for selecting a second combination for deploying the service function chain to be deployed in each second combination based on the adjusted safety value and deployment consumption of each second combination, and deploying the VNF in the selected second combination according to a preset logic sequence.
In one embodiment of the invention, the desired security value is a security value for a service function chain,
the safety value calculation module is specifically configured to calculate a safety value θ of each first combination according to the following expression:
Figure BDA0002510919460000051
wherein X represents the number of service types corresponding to the VNFs in the first combination, X represents the sequence number of the service types corresponding to the VNFs in the first combination, ΔxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
In one embodiment of the invention, the expected security value is a security value for a VNF in a service function chain,
the safety value calculation module is specifically configured to calculate the safety value μ of each first combination according to the following expression:
Figure BDA0002510919460000052
wherein X represents the number of service types corresponding to the VNF in the first combinationQuantity, x represents the sequence number, Δ, of the service type corresponding to the VNF in the first combinationxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
In an embodiment of the present invention, the expected security value determining module is specifically configured to, when the service request to be responded carries an expected service security value of a requested service, use the expected service security value as an expected security value of a service function chain to be deployed; and when the service request to be responded does not carry the expected service safety value of the requested service, taking the preset expected safety value as the expected safety value of the service function chain to be deployed.
In an embodiment of the invention, the data calculating module is specifically configured to calculate, for each second combination, a sum of total resource consumption of the VNF in the second combination and a security value of the second combination, use the calculated value as deployment consumption of the second combination, calculate a sum of actual total occupied resources of the VNF in the second combination and a security value of the second combination, and use the calculated value as the adjusted security value of the second combination.
In an embodiment of the present invention, the service function chain deployment module is specifically configured to calculate a ratio between the adjusted security value and deployment consumption of each second combination, use the second combination with the largest ratio as the second combination for deploying the service function chain to be deployed, and deploy the service function chain to be deployed according to a preset logic sequence by using the VNF in the selected second combination.
In an embodiment of the present invention, the apparatus further includes:
an operational performance value evaluation module, configured to evaluate an operational performance value of the VNF in the selected second combination after the service function chain deployment module;
an operating VNF selection module for selecting an operating VNF for operation among the VNFs of the selected second combination based on the evaluated operating performance value of the VNF and the safety value of the VNF;
and the service request response module is used for responding the service request to be responded based on the determined working VNF.
In an embodiment of the present invention, the apparatus further includes: a VNF security value calculation module that calculates a security value of the VNF,
the VNF safety value calculation module is specifically configured to determine, according to a preset period and based on a historical safety value of each VNF, a safety value T of each VNF in a current period according to the following expression:
Figure BDA0002510919460000061
wherein, T0For the safety value evaluation result of the VNF of the current period, I is the sequence number of the period, I is the number of the periods from the initial period to the current period, and TiIs the safety value of the VNF of the ith period, alpha is the safety weight of the safety value evaluation result of the VNF, betaiIs a security weight of the security value of the VNF of the i-th cycle, and
Figure BDA0002510919460000062
greater than a preset threshold.
In a third aspect, an embodiment of the present invention provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, where the processor and the communication interface complete communication between the memory and the processor through the communication bus;
a memory for storing a computer program;
a processor configured to implement the method steps of the first aspect when executing the program stored in the memory.
As can be seen from the above, when the solution provided by the embodiment of the present invention is applied to construct the service function chain, because the second combination for deploying the service function chain to be deployed is selected from the determined second combination based on the security value of the first combination and the expected security value of the service function chain to be deployed, and because the security value of the first combination can reflect the security of the VNF in the first combination, and the expected security value reflects the degree of security of the service function chain to be deployed, the security of the deployed service function chain is improved based on the VNFs in the selected second combination for deploying the service function chain to be deployed, on the basis of meeting the security requirement of the deployed service function chain.
In addition, because the VNFs are selected from the VNFs of each service type of the service requested by the service request, the VNF sets of which the VNFs are respectively in the number within the preset number range are obtained, and the obtained VNF sets are combined, compared with the prior art in which only one VNF is selected, selecting the VNFs in the number within the preset number range can reduce the probability of being attacked by a network attacker, and improve the security of the deployed service function chain.
Finally, the second combination for deploying the service function chain to be deployed is selected based on the adjusted security value and deployment consumption of each second combination, and the adjusted security value of the second combination more accurately reflects the security of the VNF in the second combination, and the deployment consumption of the second combination more accurately reflects the total resource consumption of the VNF in the second combination to be deployed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a first service function chain deployment method according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a dynamic selection method according to an embodiment of the present invention;
fig. 3a is a flowchart illustrating a second service function chain deployment method according to an embodiment of the present invention;
fig. 3b is a block diagram of a service function chain deployment architecture according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a service function chain deployment apparatus according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a schematic flowchart of a first service function chain deployment method according to an embodiment of the present invention, where the method includes S101 to S106.
S101: and determining an expected safety value of the service function chain to be deployed according to the service request to be responded.
The service request to be responded is used for requesting to obtain the service. For example: the above service may be: video download services, web download services, etc.
The service function chain is a set or chain composed of VNFs according to a preset logical order, and may be cut into a plurality of virtual end-to-end networks on a unified network infrastructure, and each service function chain is logically isolated from a radio access network to a bearer network and then to a core network, and thus may also be referred to as a network slice. The service function chain adapts various types of business applications, which will make it possible to support various needs on a generic network infrastructure with the finest granularity.
The expected security value of the service function chain can be understood as; a value that can be reached by the security of the service function chain is desired.
Because a user generally expects that security provided by a service can be guaranteed, so as to ensure that important data is not stolen, when the user sends a service request, a desired service security value of a service function chain to be deployed is generally added to the service request, and the desired service security value can be a security score and the like.
Based on this, in an embodiment of the present invention, when the expected service security value of the requested service is carried in the service request to be responded, the expected service security value is used as the expected security value of the service function chain to be deployed.
Specifically, when the expected service security value is a security score, the expected service security value may be classified into security levels, for example: the security level may be divided into 5 levels. Where 5 means highest, 4 means higher, 3 means medium, 2 means normal, and 1 means lower.
When the expected service safety value exceeds the preset safety value range, the expected service safety value can be normalized and respectively corresponds to 1-5 levels according to the preset interval.
Therefore, the expected safety value of the service function chain to be deployed can be consistent with the expected business safety value of the user, and the safety requirement of the user on the service function chain to be deployed is met.
In an embodiment of the present invention, when the service request to be responded does not carry the expected service security value of the requested service, the preset expected security value is used as the expected security value of the service function chain to be deployed.
The preset desired safety value may be set by a worker based on experience.
In this way, the safety of the service function chain to be deployed can be ensured by taking the preset expected safety value as the expected safety value of the service function chain to be deployed.
S102: and selecting a VNF from each VNF of the service type according to each service type of the service requested by the service request to be responded, and obtaining a VNF set of which the VNF number is respectively in each number within a preset number range.
The preset number range can be set by the staff according to experience, for example: the predetermined number range may be [1,5 ].
The preset number range may also be determined according to the expected safety value determined in S101, for example: the predetermined number range is proportional to the expected safety value, and is larger when the expected safety value is higher, and is smaller when the expected safety value is lower.
The VNF sets with the VNF numbers respectively being the respective numbers within the preset number range may be understood as: each VNF of the VNF set is configured to provide a service of the same service type, and the number of VNFs of the VNF set is a number within a preset number range. For example: assume that VNF is included in service type A1、VNF2、VNF3、……、VNFnWherein VNF1、VNF2、VNF3、……、VNFnAre all used for providing services of service type A, and the preset number range is [1,5]]Then, a VNF set with a VNF number of 1, a VNF set with a VNF number of 2, a VNF set with a VNF number of 3, a VNF set with a VNF number of 4, and a VNF set with a VNF number of 5 may be obtained.
Specifically, when VNFs are selected from VNFs of each service type, VNFs may be selected from functionally equivalent VNFs included in the heterogeneous function execution pool in a random selection manner, so as to obtain a VNF set in which the number of VNFs is respectively a number within a preset number range.
The heterogeneous function execution pool includes VNFs of respective service types, and each VNF of each service type may also be referred to as a functionally equivalent VNF.
In an embodiment of the present invention, a dynamic selection algorithm may also be adopted to select VNFs in each VNF of each service type requested by a service request to be responded, so as to obtain a VNF set in which the number of VNFs is respectively a number within a preset number range.
Referring to fig. 2, fig. 2 is a schematic flowchart of a dynamic selection method according to an embodiment of the present invention. In FIG. 2, a heterogeneous function execution pool 1, a heterogeneous function execution pool 2, and a VNF are included11、VNF12、……、VNF1n、VNF21、VNF22、……、VNF2nVNF pool, service 1, service 2, VNF1x、VNF1y、VNF2x、VNF2y
Wherein, the heterogeneous function execution pool 1 comprises VNF11、VNF12、……、VNF1n。VNF11、VNF12、……、VNF1nAre used to provide service 1.
VNF in heterogeneous function execution pool 221、VNF22、……、VNF2n。VNF21、VNF22、……、VNF2nAre used to provide service 2.
Including VNFs in a VNF pool1x、VNF1y、VNF2x、VNF2yWherein VNF1x、VNF1yFor two VNFs dynamically selected from the heterogeneous function execution pool 1, the VNFs2x、VNF2yTwo VNFs dynamically selected from the heterogeneous function execution pool 2.
S103: and combining the obtained VNF sets to obtain first combinations.
Each first combination comprises a VNF set corresponding to each service type. For example: assume type of service St1The corresponding set of VNFs includes: VNF set11VNF set12Service type St2The corresponding set of VNFs includes: VNF set21VNF set22. Then four sets of first combinations are available, respectively: (VNF set11VNF set21) (VNF set)11VNF set22) (VNF set)12VNF set21) (VNF set)12VNF set22)。
Specifically, each obtained VNF set may be combined in a preset combination manner to obtain each first combination. For example: the preset combination mode may include: random combinations, directional combinations, and the like.
S104: for each first combination, a security value for that first combination is calculated from the security values of the individual VNFs within that first combination.
The security value of each VNF in the first combination reflects the security size of each VNF. Thus, the security value of the first combination may be calculated from the security values of the individual VNFs within the second combination.
Specifically, when calculating the safety value of each first combination, the sum of the safety values of each VNF in the first combination may be calculated, and the calculated value may be used as the safety value of the first combination.
Since the first combined security value is used for comparison with the expected security value of the chain of service functions to be deployed, the first combined security value type is related to the type of the expected security value of the chain of service functions to be deployed. Based on this, in one embodiment of the present invention, when the desired security value is a security value for the service function chain, the security value θ of each first combination may be calculated according to the following expression:
Figure BDA0002510919460000111
wherein X represents the number of service types corresponding to the VNFs in the first combination, X represents the sequence number of the service types corresponding to the VNFs in the first combination, ΔxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
Wherein, DeltaxThe product of the security values of the respective VNFs may be included for the xth service type.
Therefore, the total security value of the VNFs in the first combination can be calculated more accurately according to the security value of the service type, the security weight of the service type, and the number of VNFs included in the service type.
In one embodiment of the present invention, when the desired security value is a security value for a VNF in a service function chain, the security value μ of each first combination may be calculated according to the following expression:
Figure BDA0002510919460000121
wherein X represents the number of service types corresponding to VNF in the first combination, and X is tableSequence number, Δ, indicating the type of service to which the VNF in the first combination correspondsxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
Therefore, according to the security value of the service type, the security weight of the service type, the number of the service types and the number of the VNFs included in the service type, the average security value of the VNFs in the first combination can be calculated more accurately.
S105: and for each second combination, adjusting the total resource consumption of the VNFs in the second combination to be deployed as deployment consumption according to the security value of the second combination, and adjusting the security value of the second combination according to the actual total occupied resources of the VNFs in the second combination.
The second combination is as follows: the security value of the first combination is greater than the first combination of expected security values.
Because the expected security value is a value that the security of the service function chain to be deployed is expected to reach, when the security value of the second combination is greater than the expected security value, it can be ensured that the security of the service function chain deployed based on the VNF in each second combination can meet the requirement on the security of the service function chain.
The above-mentioned total resource consumption of the VNFs in the second combination of deployment may be understood as: the sum of the resources consumed by each VNF of the second combination is deployed. The resources consumed by the VNFs for deploying the second combination include computing resources, storage resources, network resources, and the like.
Since the deployment consumption of the second combination is related to the security value of the second combination, for example: the higher the security value of the second combination, the more the deployment consumption of the second combination; the deployment of the second combination consumes less when the security value of the second combination is lower. Thus, the total resource consumption of the VNFs in the second combination may be adjusted as deployment consumption according to the security value of the second combination.
Specifically, when calculating the deployment consumption of each second combination, the deployment consumption of the second combination may be determined according to the total resource consumption of the VNFs in the deployment second combination, the weight of the total resource consumption, and the security value of the second combination.
The actual total occupied resources of the VNFs in the second combination are: the sum of the actual occupied resources of each VNF in the second combination. The actual occupied resources of the VNF may include actual occupied computing resources, actual occupied storage resources, actual occupied network resources, etc. of the VNF.
Since the security of the second combination is related to the actual total occupied resources of the VNFs of the second combination, for example: the higher the security of the second combination when the actual total occupied resources of the VNFs of the second combination are the more; the security of the second combination is lower when the actual total occupied resources of the VNFs of the second combination are lower. Thus, the security value of each second combination may be adjusted according to the actual total occupied resources of the VNFs within each second combination.
Specifically, when adjusting the security value of each second combination, the security value adjustment range may be determined according to the actual total occupied resource of the VNF in the second combination and the weight of the actual total occupied resource, and the security value of the second combination may be adjusted according to the determined security value adjustment range.
S106: and selecting a second combination for deploying the service function chain to be deployed in each second combination based on the adjusted safety value and deployment consumption of each second combination, and deploying the VNF in the selected second combination according to a preset logic sequence.
Because the adjusted security value of the second combination can more accurately reflect the security of the second combination, and the deployment consumption of the second combination reflects the total resource consumption when each VNF of the second combination is deployed, the second combination for deploying the service function chain to be deployed is selected in each second combination based on the calculated adjusted security value and deployment consumption of each second combination, so that the resource consumption for deploying the VNF can be saved on the basis of ensuring the security of the service function chain deployed by each VNF in the selected second combination, and the resource utilization rate is improved.
Specifically, when the second combination for deploying the service function chain to be deployed is selected, the second combination, in which the adjusted security value of the second combination is within the preset security value range and the deployment consumption of the second combination is within the preset deployment consumption range, may be combined into the second combination for deploying the service function chain to be deployed. The preset safety value range and the preset deployment consumption range can be set by workers according to experience.
In an embodiment of the present invention, a ratio between the adjusted security value and the deployment consumption of each second combination may be calculated, and the second combination with the largest ratio is used as the second combination for deploying the service function chain to be deployed.
In this way, the ratio between the adjusted security value and the deployment consumption of each second combination is calculated, the second combination with the largest ratio is used as the second combination for deploying the service function chain to be deployed, and on the basis of improving the security value of the selected second combination, the consumption of VNF in deploying the second combination is reduced, and the resource utilization rate is improved.
Since the service function chain is composed of a group of ordered VNFs, after determining the second combination for deploying the service function chain to be deployed, that is, after determining to deploy each VNF of the service function chain to be deployed, the selected VNFs need to be connected according to a preset logical order, so as to form the service function chain.
As can be seen from the above, when the solution provided in this embodiment is applied to construct the service function chain, because the second combination for deploying the service function chain to be deployed is selected from the determined second combination based on the security value of the first combination and the expected security value of the service function chain to be deployed, and because the security value of the first combination can reflect the security of the VNF in the first combination, and the expected security value reflects the degree of security of the service function chain to be deployed, the security of the service function chain to be deployed is improved based on each VNF deployment service function chain in the selected second combination for deploying the service function chain to be deployed on the basis of meeting the security requirement of the service function chain to be deployed.
In addition, because the VNFs are selected from the VNFs of each service type of the service requested by the service request, the VNF sets of which the VNFs are respectively in the number within the preset number range are obtained, and the obtained VNF sets are combined, compared with the prior art in which only one VNF is selected, selecting the VNFs in the number within the preset number range can reduce the probability of being attacked by a network attacker, and improve the security of the deployed service function chain.
Finally, the second combination for deploying the service function chain to be deployed is selected based on the adjusted security value and deployment consumption of each second combination, and the adjusted security value of the second combination more accurately reflects the security of the VNF in the second combination, and the deployment consumption of the second combination more accurately reflects the total resource consumption of the VNF in the second combination to be deployed.
In an embodiment of the present invention, for each second combination in S105, the total resource consumption of the VNFs in the second combination to be deployed may be adjusted as deployment consumption according to the security value of the second combination, and the security value of the second combination may be adjusted according to the actual total occupied resource of the VNFs in the second combination.
And for each second combination, calculating the sum of the total resource consumption of the VNF in the second combination and the safety value of the second combination, taking the calculated value as the deployment consumption of the second combination, calculating the sum of the actual total occupied resource of the VNF in the second combination and the safety value of the second combination, and taking the calculated value as the adjusted safety value of the second combination.
For example: assume that the actual total occupied resource of the VNF in the second combination is S1The safety value of the second combination is N1The sum of the actual total occupied resources of the VNF in the second combination and the safety value of the second combination may be calculated as: s1+N1. Assume that the total resource consumption of the VNFs in the second combination is deployed as S2The safety value of the second combination is N2The total resource consumption of the VNFs in the second combination and the security of the respective second combination may be calculatedThe sum of the values is: s2+N2
In this way, the sum of the actual total resource occupation of the VNF in the second combination and the safety value of the second combination is calculated, the adjusted safety value of the second combination can be obtained more accurately, and the sum of the total resource consumption of the VNF in the deployed second combination and the safety value of the second combination is calculated, so that the deployed consumption of the second combination can be obtained more accurately.
In an embodiment of the present invention, on the basis of the above embodiment, the following step B1-step B3 may be further included.
Step B1: evaluating operational performance values of the VNFs in the selected second combination.
The operational performance values of the VNF described above can be understood as: value of performance parameter of VNF at work. The operational performance value of the VNF reflects an operational state of the VNF.
Specifically, a statistical analysis method may be used to evaluate the operational performance values of the VNFs in the second combination according to the recorded historical operational performance values of the VNFs in the second combination.
The historical operational performance values of the VNFs in the second combination may be understood as: performance values of the VNF in the second combination when previously operating.
The statistical analysis method comprises maximum value taking, average value taking and the like.
Specifically, the simulated operation performance value of the VNF in the second combination in the simulated operation environment may be recorded, and the operation performance value of the VNF in the second combination may be evaluated according to the recorded simulated operation performance value.
Step B2: selecting an operating VNF for operation among the selected VNFs of the second combination based on the evaluated operational performance values of the VNFs and the safety values of the VNFs.
Since the number of VNFs belonging to the same service in the second combination may be multiple, an operating VNF for operation needs to be selected so as to respond to the traffic request based on the selected operating VNF.
Specifically, when an operating VNF for operation is selected from the VNFs of the selected second combination, the VNF whose operating performance value of the VNF is within the preset performance value range and whose safety value of the VNF is within the preset VNF safety value range may be used as the operating VNF.
The preset performance range and the preset VNF safety value range may be set by a worker according to experience.
Specifically, when the operational VNF for operation is selected from the VNFs of the second selected combination, the operational VNF may be selected according to an operational performance value of the VNF, a safety value of the VNF, a weight corresponding to the operational performance value of the VNF, and a weight corresponding to the safety value of the VNF.
Step B3: responding to the service request to be responded based on the determined working VNF.
In particular, the operational VNF may provide services to the user in order to respond to the business request to be responded to.
In this way, according to the estimated operational performance value of the VNF and the safety value of the VNF, the operational VNF for operation is selected from the VNFs of the selected second combination, so that the safety value of the service function chain to be deployed can be increased on the basis of increasing the operational efficiency of the selected operational VNF.
In an embodiment of the present invention, on the basis of the above embodiment, the method may further include determining, according to a preset period, a safety value T of each VNF in a current period based on a historical safety value of each VNF according to the following expression:
Figure BDA0002510919460000161
wherein, T0For the safety value evaluation result of the VNF of the current period, I is the sequence number of the period, I is the number of the periods from the initial period to the current period, and TiIs the safety value of the VNF of the ith period, alpha is the safety weight of the safety value evaluation result of the VNF, betaiIs a security weight of the security value of the VNF of the i-th cycle, and
Figure BDA0002510919460000171
greater than a preset threshold, for example: the preset threshold may be 0.5, 0.4, etc.
Specifically, each VNF may be ranked in terms of security degrees according to evaluation indexes such as VNF types, traffic requirements and traffic demands of all adjacent links connected to the VNF, the number of VNFs directly connected to other VNFs, VNF resources and security requirements, and data integrity and confidentiality in the VNF, and the ranking of the VNF is used as an initial trust level of the VNF.
Therefore, the safety values of the VNFs are updated according to the preset interval period, so that the safety values of the VNFs can better accord with the actual working conditions of the VNFs.
In an embodiment of the present invention, after the service function chain to be deployed is deployed, the real-time security value of the service function chain may be evaluated according to the current working state of the deployed service function chain at preset time intervals.
The real-time security value θ of the service function chain can be evaluated according to the following expressiont
Figure BDA0002510919460000172
Wherein, theta0Evaluating the safety value of the service function chain for the current period, I is the sequence number of the period, I is the number of the periods from the initial period to the current period, and thetaiFor the security value of the service function chain of the i-th cycle,
Figure BDA0002510919460000174
the security weight of the result is evaluated for the security value of the service function chain,
Figure BDA0002510919460000173
the security weight of the security value of the service function chain of the ith cycle.
The service function chain deployment scheme provided by the embodiment of the present invention is specifically described below by specific embodiments. Referring to fig. 3a and fig. 3b, fig. 3a is a schematic flowchart of a second service function chain deployment method according to an embodiment of the present invention, and fig. 3b is a block diagram of a service function chain deployment architecture according to an embodiment of the present invention.
In fig. 3a, the first step: and determining a deployment request of the service function chain according to the service request to be responded.
The second step is that: and determining functionally equivalent VNFs in the heterogeneous function execution pool by adopting a dynamic selection algorithm according to the determined deployment request of the service function chain, wherein each functionally equivalent VNF forms a VNF set.
The third step: and combining the obtained VNF sets to obtain first combinations, and evaluating the safety values of the first combinations.
The fourth step: the second combination for deploying the service function chain is selected based on the actual total occupied resources of the VNFs of the second combination and the total resource consumption of the VNFs in deploying the second combination.
The fifth step: deploying a service function chain based on the selected second combination and the network infrastructure.
In fig. 3b, a service request layer, an input module, a heterogeneous function execution pool, a dynamic selector, a VNF pool, a trust evaluation layer, a decision output layer, a profit computation module, and a timing module are included. The trust evaluation layer comprises VNF security grade value evaluation, service function chain trust degree evaluation and network resource trust degree evaluation.
The service request layer is used for receiving a service request to be responded, obtaining an expected security value of a service function chain to be deployed and generating a service function chain deployment request.
The input module is used for receiving a service function chain deployment request sent by a service request layer.
The heterogeneous function execution pool includes a plurality of functionally equivalent VNFs.
The dynamic selector is used for selecting the VNF from the heterogeneous function execution pool according to the expected safety value of the service function chain to be deployed.
The VNF pool includes individual VNFs selected by the dynamic selector.
The trust evaluation layer is used for evaluating the security value of each combination composed of each VNF in the VNF pool. The trust evaluation layer comprises VNF security grade value evaluation, service function chain trust degree evaluation and network resource trust degree evaluation.
Specifically, the VNF security level value evaluation is used to evaluate the security value of each VNF. The service function chain trust evaluation is used for evaluating the safety value of the service function chain to be deployed. The network resource trust evaluation is used for evaluating actual resource occupation of each VNF and resource consumption for deploying each VNF.
And the decision output layer is used for evaluating the working performance of each VNF of the service function chain to be deployed.
The profit calculation module is used for calculating the safety value and the deployment consumption of the service function chain to be deployed and determining the VNF forming the service function chain to be deployed.
The timing module is used for re-evaluating the safety value of the VNF and the safety value of the service function chain according to the preset interval time.
Corresponding to the service function chain deployment method, the embodiment of the invention also provides a service function chain deployment device.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a service function chain deployment device according to an embodiment of the present invention, where the device includes 401 and 406.
An expected security value determining module 401, configured to determine, according to the service request to be responded, an expected security value of the service function chain to be deployed;
a VNF set obtaining module 402, configured to select, for each service type of the service requested by the service request to be responded, a VNF from each preset virtualized network function VNF of the service type, so as to obtain a VNF set in which the number of VNFs is each number within a preset number range;
a first combination obtaining module 403, configured to combine the obtained VNF sets to obtain first combinations, where each first combination includes a VNF set corresponding to each service type;
a safety value calculation module 404, configured to, for each first combination, calculate a safety value of the first combination according to the safety values of the VNFs in the first combination;
a data calculating module 405, configured to, for each second combination, adjust, according to the security value of the second combination, total resource consumption of VNFs in the second combination to be deployed as deployment consumption, and adjust, according to actual total occupied resources of VNFs in the second combination, the security value of the second combination, where the second combination is: the first combined security value is greater than the first combination of expected security values;
and a service function chain deployment module 406, configured to select, based on the adjusted security value and deployment consumption of each second combination, a second combination for deploying the service function chain to be deployed in each second combination, and deploy, according to a preset logic sequence, the VNF in the selected second combination to the service function chain to be deployed.
As can be seen from the above, when the solution provided in this embodiment is applied to construct the service function chain, because the second combination for deploying the service function chain to be deployed is selected from the determined second combination based on the security value of the first combination and the expected security value of the service function chain to be deployed, and because the security value of the first combination can reflect the security of the VNF in the first combination, and the expected security value reflects the degree of security of the service function chain to be deployed, the security of the service function chain to be deployed is improved based on each VNF deployment service function chain in the selected second combination for deploying the service function chain to be deployed on the basis of meeting the security requirement of the service function chain to be deployed.
In addition, because the VNFs are selected from the VNFs of each service type of the service requested by the service request, the VNF sets of which the VNFs are respectively in the number within the preset number range are obtained, and the obtained VNF sets are combined, compared with the prior art in which only one VNF is selected, selecting the VNFs in the number within the preset number range can reduce the probability of being attacked by a network attacker, and improve the security of the deployed service function chain.
Finally, the second combination for deploying the service function chain to be deployed is selected based on the adjusted security value and deployment consumption of each second combination, and the adjusted security value of the second combination more accurately reflects the security of the VNF in the second combination, and the deployment consumption of the second combination more accurately reflects the total resource consumption of the VNF in the second combination to be deployed.
In one embodiment of the invention, the desired security value is a security value for a service function chain,
the safety value calculation module is specifically configured to calculate a safety value θ of each first combination according to the following expression:
Figure BDA0002510919460000201
wherein X represents the number of service types corresponding to the VNFs in the first combination, X represents the sequence number of the service types corresponding to the VNFs in the first combination, ΔxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
Therefore, the total security value of the VNFs in the first combination can be calculated more accurately according to the security value of the service type, the security weight of the service type, and the number of VNFs included in the service type.
In one embodiment of the invention, the expected security value is a security value for a VNF in a service function chain,
the safety value calculation module is specifically configured to calculate the safety value μ of each first combination according to the following expression:
Figure BDA0002510919460000211
wherein X represents the number of service types corresponding to the VNFs in the first combination, X represents the sequence number of the service types corresponding to the VNFs in the first combination, ΔxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
Thus, according to the security value of the service type, the security weight of the service type, the number of the service types, and the number of VNFs included in the service type, the average security value of the VNFs in the first combination can be calculated more accurately.
In an embodiment of the present invention, the expected security value determining module is specifically configured to, when the service request to be responded carries an expected service security value of a requested service, use the expected service security value as an expected security value of a service function chain to be deployed; and when the service request to be responded does not carry the expected service safety value of the requested service, taking the preset expected safety value as the expected safety value of the service function chain to be deployed.
Therefore, the expected safety value of the service function chain to be deployed can be consistent with the expected business safety value of the user, and the safety requirement of the user on the service function chain to be deployed is met; the safety of the service function chain to be deployed can be ensured by taking the preset expected safety value as the expected safety value of the service function chain to be deployed.
In an embodiment of the present invention, the data calculation module is specifically configured to calculate, for each second combination, a sum of total resource consumption of the VNF in the second combination and a security value of the second combination, use the calculated value as deployment consumption of the second combination, calculate a sum of actual total occupied resources of the VNF in the second combination and a security value of the second combination, and use the calculated value as the adjusted security value of the second combination.
In this way, the sum of the actual total resource occupation of the VNF in the second combination and the safety value of the second combination is calculated, the adjusted safety value of the second combination can be obtained more accurately, and the sum of the total resource consumption of the VNF in the deployed second combination and the safety value of the second combination is calculated, so that the deployed consumption of the second combination can be obtained more accurately.
In an embodiment of the present invention, the service function chain deployment module is specifically configured to calculate a ratio between the adjusted security value and deployment consumption of each second combination, combine the second combination with the largest ratio as the second combination for deploying the service function chain to be deployed, and deploy the service function chain to be deployed according to a preset logic sequence by using the VNF in the selected second combination.
In this way, the ratio between the adjusted security value and the deployment consumption of each second combination is calculated, the second combination with the largest ratio is used as the second combination for deploying the service function chain to be deployed, and on the basis of improving the security value of the selected second combination, the consumption of VNF in deploying the second combination is reduced, and the resource utilization rate is improved.
In one embodiment of the present invention, the apparatus further comprises:
an operational performance value evaluation module, configured to evaluate an operational performance value of the VNF in the selected second combination after the service function chain deployment module;
an operating VNF selection module for selecting an operating VNF for operation among the VNFs of the selected second combination based on the evaluated operating performance value of the VNF and the safety value of the VNF;
and the service request response module is used for responding the service request to be responded based on the determined working VNF.
In this way, according to the estimated operational performance value of the VNF and the safety value of the VNF, the operational VNF for operation is selected from the VNFs of the selected second combination, so that the safety value of the service function chain to be deployed can be increased on the basis of increasing the operational efficiency of the selected operational VNF.
In one embodiment of the present invention, the apparatus further comprises: a VNF security value calculation module that calculates a security value of the VNF,
the VNF safety value calculation module is specifically configured to determine, according to a preset period and based on a historical safety value of each VNF, a safety value T of each VNF in a current period according to the following expression:
Figure BDA0002510919460000221
wherein, T0For the safety value evaluation result of the VNF of the current period, I is the sequence number of the period, I is the number of the periods from the initial period to the current period, and TiIs the ith cycleα is a security weight of the result of the evaluation of the security value of the VNF, βiIs a security weight of the security value of the VNF of the i-th cycle, and
Figure BDA0002510919460000231
greater than a preset threshold.
Therefore, the safety values of the VNFs are updated according to the preset interval period, so that the safety values of the VNFs can better accord with the actual working conditions of the VNFs.
Corresponding to the service function chain deployment method, the embodiment of the invention also provides electronic equipment.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, including a processor 501, a communication interface 502, a memory 503 and a communication bus 504, where the processor 501, the communication interface 502 and the memory 503 complete communication with each other through the communication bus 504,
a memory 503 for storing a computer program;
the processor 501 is configured to implement the service function chain deployment method according to the embodiment of the present invention when executing the program stored in the memory 503.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
In still another embodiment provided by the present invention, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the service function chain deployment method provided by the embodiment of the present invention.
In yet another embodiment provided by the present invention, a computer program product containing instructions is also provided, which when run on a computer causes the computer to implement the service function chain deployment method provided by the embodiment of the present invention when executed.
As can be seen from the above, when the solution provided in this embodiment is applied to construct the service function chain, because the second combination for deploying the service function chain to be deployed is selected from the determined second combination based on the security value of the first combination and the expected security value of the service function chain to be deployed, and because the security value of the first combination can reflect the security of the VNF in the first combination, and the expected security value reflects the degree of security of the service function chain to be deployed, the security of the service function chain to be deployed is improved based on each VNF deployment service function chain in the selected second combination for deploying the service function chain to be deployed on the basis of meeting the security requirement of the service function chain to be deployed.
In addition, because the VNFs are selected from the VNFs of each service type of the service requested by the service request, the VNF sets of which the VNFs are respectively in the number within the preset number range are obtained, and the obtained VNF sets are combined, compared with the prior art in which only one VNF is selected, selecting the VNFs in the number within the preset number range can reduce the probability of being attacked by a network attacker, and improve the security of the deployed service function chain.
Finally, the second combination for deploying the service function chain to be deployed is selected based on the adjusted security value and deployment consumption of each second combination, and the adjusted security value of the second combination more accurately reflects the security of the VNF in the second combination, and the deployment consumption of the second combination more accurately reflects the total resource consumption of the VNF in the second combination to be deployed.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy Disk, hard Disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the apparatus, the electronic device, and the computer-readable storage medium, since they are substantially similar to the embodiments of the method, the description is simple, and for the relevant points, reference may be made to the partial description of the embodiments of the method.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A method for service function chain deployment, the method comprising:
determining an expected safety value of a service function chain to be deployed according to a service request to be responded;
for each service type of the service requested by the service request to be responded, selecting a VNF from each preset virtual network function VNF of the service type to obtain a VNF set of which the quantity of the VNFs is respectively in each quantity within a preset quantity range;
combining the obtained VNF sets to obtain first combinations, wherein each first combination comprises a VNF set corresponding to each service type;
for each first combination, calculating the safety value of the first combination according to the safety value of each VNF in the first combination;
for each second combination, adjusting the total resource consumption of the VNFs in the second combination as deployment consumption according to the security value of the second combination, and adjusting the security value of the second combination according to the actual total occupied resource of the VNFs in the second combination, wherein the second combination is: the first combined security value is greater than the first combination of expected security values;
and selecting a second combination for deploying the service function chain to be deployed in each second combination based on the adjusted security value and deployment consumption of each second combination, and deploying the service function chain to be deployed according to a preset logic sequence by using the VNF in the selected second combination.
2. The method of claim 1, wherein the desired security value is a security value for a service function chain,
for each first combination, calculating the security value of the first combination according to the security values of the VNFs in the first combination includes:
the safety value θ of each first combination is calculated according to the following expression:
Figure FDA0003035049690000011
wherein X represents the number of service types corresponding to the VNFs in the first combination, X represents the sequence number of the service types corresponding to the VNFs in the first combination, ΔxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
3. The method of claim 1, wherein the desired security value is a security value for a VNF in a service function chain,
for each first combination, calculating the security value of the first combination according to the security values of the VNFs in the first combination includes:
the safety value μ of each first combination is calculated according to the following expression:
Figure FDA0003035049690000021
wherein X represents the number of service types corresponding to the VNFs in the first combination, X represents the sequence number of the service types corresponding to the VNFs in the first combination, ΔxSecurity value, k, representing the xth service typexSecurity weight, n, representing the xth service typexThe VNF number of the VNF set corresponding to the xth service type is represented.
4. The method according to claim 1, wherein the determining the expected security value of the service function chain to be deployed according to the service request to be responded comprises:
when the service request to be responded carries an expected service security value of the requested service, taking the expected service security value as an expected security value of a service function chain to be deployed;
and when the service request to be responded does not carry the expected service safety value of the requested service, taking the preset expected safety value as the expected safety value of the service function chain to be deployed.
5. The method of claim 1, wherein for each second combination, adjusting the total resource consumption of the VNFs in the second combination as deployment consumption according to the security value of the second combination, and adjusting the security value of the second combination according to the actual total occupied resource of the VNFs in the second combination comprises:
and for each second combination, calculating the sum of the total resource consumption of the VNF in the second combination and the safety value of the second combination, taking the calculated value as the deployment consumption of the second combination, calculating the sum of the actual total occupied resource of the VNF in the second combination and the safety value of the second combination, and taking the calculated value as the adjusted safety value of the second combination.
6. The method of claim 1, wherein selecting a second combination for deploying the service function chain to be deployed among the second combinations comprises:
and calculating the ratio of the safety value and the deployment consumption after the adjustment of each second combination, and combining the second combination with the maximum ratio as the second combination for deploying the service function chain to be deployed.
7. The method according to any of claims 1 to 6, wherein after said deploying the VNFs in the selected second combination in the preset logical order, the method further comprises:
evaluating operational performance values of the VNFs in the selected second combination;
selecting an operating VNF for operation among the selected VNFs of the second combination based on the evaluated operational performance values of the VNFs and the safety values of the VNFs;
responding the service request to be responded based on the determined working VNF.
8. The method according to any one of claims 1-6, further comprising:
according to a preset period, based on the historical safety value of each VNF, the safety value T of each VNF in the current period is determined according to the following expression:
Figure FDA0003035049690000031
wherein, T0Safety value evaluation for VNF of current cycleAs a result, I is the sequence number of the cycle, I is the number of cycles from the initial cycle to the current cycle, TiIs the safety value of the VNF of the ith period, alpha is the safety weight of the safety value evaluation result of the VNF, betaiIs a security weight of the security value of the VNF of the i-th cycle, and
Figure FDA0003035049690000032
greater than a preset threshold.
9. A service function chain deployment apparatus, the apparatus comprising:
the expected security value determining module is used for determining an expected security value of the service function chain to be deployed according to the service request to be responded;
a VNF set obtaining module, configured to select, for each service type of the service requested by the service request to be responded, a VNF from each preset virtualized network function VNF of the service type, and obtain a VNF set in which the number of VNFs is each number within a preset number range;
a first combination obtaining module, configured to combine the obtained VNF sets to obtain first combinations, where each first combination includes a VNF set corresponding to each service type;
a safety value calculation module, configured to, for each first combination, calculate a safety value of the first combination according to the safety value of each VNF in the first combination;
a data calculation module, configured to, for each second combination, adjust, according to a security value of the second combination, total resource consumption of VNFs in the second combination to be deployed as deployment consumption, and adjust, according to actual total occupied resources of VNFs in the second combination, a security value of the second combination, where the second combination is: the first combined security value is greater than the first combination of expected security values;
and the service function chain deployment module is used for selecting a second combination for deploying the service function chain to be deployed in each second combination based on the adjusted safety value and deployment consumption of each second combination, and deploying the VNF in the selected second combination according to a preset logic sequence.
10. An electronic device is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing mutual communication by the memory through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1 to 8 when executing a program stored in the memory.
CN202010461022.3A 2020-05-27 2020-05-27 Service function chain deployment method and device Active CN111800291B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010461022.3A CN111800291B (en) 2020-05-27 2020-05-27 Service function chain deployment method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010461022.3A CN111800291B (en) 2020-05-27 2020-05-27 Service function chain deployment method and device

Publications (2)

Publication Number Publication Date
CN111800291A CN111800291A (en) 2020-10-20
CN111800291B true CN111800291B (en) 2021-07-20

Family

ID=72806300

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010461022.3A Active CN111800291B (en) 2020-05-27 2020-05-27 Service function chain deployment method and device

Country Status (1)

Country Link
CN (1) CN111800291B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114020455B (en) * 2021-10-27 2023-01-24 中国联合网络通信集团有限公司 Arranging method and device of service functions and computer readable storage medium
CN114629685B (en) * 2022-02-17 2022-12-16 华南理工大学 Industrial private network hard slicing service function chain deployment method, device and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107332913A (en) * 2017-07-04 2017-11-07 电子科技大学 A kind of Optimization deployment method of service function chain in 5G mobile networks
CN107682203A (en) * 2017-10-30 2018-02-09 北京计算机技术及应用研究所 A kind of security function dispositions method based on service chaining
CN108881207A (en) * 2018-06-11 2018-11-23 中国人民解放军战略支援部队信息工程大学 Network safety service framework and its implementation based on security service chain
CN109495391A (en) * 2018-12-18 2019-03-19 天津城建大学 A kind of security service catenary system and data packet matched retransmission method based on SDN
CN110505082A (en) * 2019-07-26 2019-11-26 国家电网有限公司 A kind of NFV service chaining mapping method towards cost and QoS

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170019303A1 (en) * 2015-07-14 2017-01-19 Microsoft Technology Licensing, Llc Service Chains for Network Services
CN109245932A (en) * 2018-09-20 2019-01-18 北京计算机技术及应用研究所 A kind of security function service chaining dispositions method
CN111147307B (en) * 2019-12-30 2022-04-29 重庆邮电大学 Service function chain reliable deployment method based on deep reinforcement learning

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107332913A (en) * 2017-07-04 2017-11-07 电子科技大学 A kind of Optimization deployment method of service function chain in 5G mobile networks
CN107682203A (en) * 2017-10-30 2018-02-09 北京计算机技术及应用研究所 A kind of security function dispositions method based on service chaining
CN108881207A (en) * 2018-06-11 2018-11-23 中国人民解放军战略支援部队信息工程大学 Network safety service framework and its implementation based on security service chain
CN109495391A (en) * 2018-12-18 2019-03-19 天津城建大学 A kind of security service catenary system and data packet matched retransmission method based on SDN
CN110505082A (en) * 2019-07-26 2019-11-26 国家电网有限公司 A kind of NFV service chaining mapping method towards cost and QoS

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
基于SDN/NFV 的安全服务链自动编排部署框架;张奇;《计算机***应用》;20180315;全文 *
安全服务链中虚拟网络功能分配与调度算法研究;黄睿,张红旗;《计算机应用研究》;20180209;全文 *

Also Published As

Publication number Publication date
CN111800291A (en) 2020-10-20

Similar Documents

Publication Publication Date Title
US10972344B2 (en) Automated adjustment of subscriber policies
CN108243044B (en) Service deployment method and device
CN112579194B (en) Block chain consensus task unloading method and device based on time delay and transaction throughput
CN111800291B (en) Service function chain deployment method and device
CN111478857B (en) Interface current limiting control method and device and electronic equipment
Liu et al. Security-aware resource allocation for mobile cloud computing systems
CN111866775A (en) Service arranging method and device
CN111324471B (en) Service adjustment method, device, equipment and storage medium
CN111654561B (en) Method and device for determining IP address number, electronic equipment and storage medium
CN110808914A (en) Access request processing method and device and electronic equipment
US8291080B2 (en) Session control system, session control method and session control program
CN116302469A (en) Task processing method and device
CN116418653A (en) Fault positioning method and device based on multi-index root cause positioning algorithm
CN115098257A (en) Resource scheduling method, device, equipment and storage medium
CN113438098B (en) Time delay sensitive virtual network mapping method and device in cloud data center
CN104579738A (en) Computer-implemented method, computer system, computer program product to manage traffic in a network
Zhu et al. Cost-efficient VNF placement strategy for IoT networks with availability assurance
CN111752706A (en) Resource allocation method, device and storage medium
CN111857995A (en) Process scheduling method and device, storage medium and electronic device
WO2020000724A1 (en) Method, electronic device and medium for processing communication load between hosts of cloud platform
CN111858458B (en) Method, device, system, equipment and medium for adjusting interconnection channel
CN113472591B (en) Method and device for determining service performance
Zhan et al. Cost-aware traffic management under demand uncertainty from a colocation data center user’s perspective
CN113535378A (en) Resource allocation method, storage medium and terminal equipment
CN113141394B (en) Resource allocation method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant