CN106095584A - The dispatching method of the security sensitive work stream that task based access control replicates in cloud computing - Google Patents

Abstract

The present invention provides the dispatching method of the security sensitive work stream that task based access control replicates in a kind of cloud computing, and named SOLID, it includes two important stages: 1) task scheduling based on selectivity Task Duplication, 2) utilize task encrypted work slack time stream intermediate data.Solve current existing workflow schedule method and often do not account for the demand for security of intermediate data during work flow operation process, the resource free timeslot that the data dependence relation between the most not making full use of by workflow task causes.The present invention compensate for above deficiency, finally, uses the workflow randomly generated to be simulated experiment, test result indicate that this dispatching method is better than existing algorithm.

Description

The dispatching method of the security sensitive work stream that task based access control replicates in cloud computing

Technical field

The present invention relates to a kind of cloud computing method, especially relate to the safety that in a kind of cloud computing, task based access control replicates quick The dispatching method of sense workflow.

Background technology

1, background

Cloud computing has become the novel type of Distributed Calculation.In such a mode, cloud supplier is with the side of instant paying Formula, on-demand provide the user service (such as, application, platform and calculate resource) [1].Particularly, infrastructure i.e. services (IaaS) pattern, i.e. platform, it has also become the most frequently used service mode.In such a mode, cloud service provider manages big rule The virtual machine (VM) of mould isomery processes the application of user.It addition, the available virtual machine in IaaS platform can dynamically increase and Reduce.Owing to cloud computing has been applied to more and more lead in the advantage [1,2] of the aspect such as price, quick-expansion, cloud computing Territory, such as bank, ecommerce, retail business and scientific research institution etc. [3].

Although cloud computing provides all benefits, potentially large number of user or tissue look around state to whether using cloud computing still to hold Degree [4,5].According to investigation, lacking safety is the one of the main reasons [6] stoping user to use cloud computing.This is because it is sensitive The leakage of data may result in the property loss of tissue.What is worse, if these data are extremely sensitive, their leakage will Cause irremediable consequence [7].Therefore, when application deployment to cloud computing platform, it is provided that corresponding security service ensures Data safety is most important.

Supporting that IaaS cloud platform processes in the programming mode of application, the work generally represented with directed acyclic graph (DAG) Stream.It should be noted that the process of workflow is often computation-intensive and data-intensive, a large amount of mediant of simultaneous According to generation and transmission.When the stream that maps out the work is applied to IaaS cloud, data security threat mainly has two sources: cloud supplier and Bad user [10].Cloud supplier grasps the data of user, and the cloud supplier of some malice can announce these data, even sells Others.Additionally, in IaaS environment, resource is shared by a large number of users, the data causing user are held by such sharing mode very much Easily stolen or distort [9] by other bad users.

In order to ensure the data safety processed in workflow process, a kind of practicable method is in intermediate data storage Before transmission, it is encrypted [9].Encryption intermediate data disclosure satisfy that the demand for security of workflow, but data add simultaneously Close necessarily cause regular hour expense [10].Additionally, each intermediate data has multiple security requirement, such as confidentiality, complete Whole property and certification.Meanwhile, each safety requirements of each intermediate data, it is possible to use multiple calculating time and safety are strong The encrypted instance of degree.Especially, the time overhead of encryption can postpone to wait the time started of the task of these intermediate data, and passs Travel to multiple task with returning, not only include their follow-up work, also include scheduling task after them and these The follow-up work of business.It will be apparent that be each safety requirements one suitable encrypted instance of selection of each intermediate data, it is typical case Combinatorial optimization problem.

2, related work:

In the past twenty years, existing substantial amounts of research solves workflow schedule problem.Such as, Zhu et al. extension NSGA-II optimizes completion date and the cost [11] running workflow in cloud environment.Rodriguez et al. proposes a kind of grain Subgroup optimized algorithm, its target is to try to reduce the executory cost of workflow, meets the deadline date of workflow execution simultaneously [12].It addition, Talukder et al. uses differential evolution algorithm (DE) to carry out man-hour in workflow schedule in grid computing Between and cost between balance [13].But, these methods based on random search have higher time complexity, make Obtain them and be difficult in actual cloud computing platform application.

Additionally, the most studied personnel of some heuristics put forward to solve workflow schedule problem.These methods are substantially Can be divided into: based on list, cluster and the heuritic approach of Task Duplication.Such as, durillo et al. extends workflow schedule calculation Method (HEFT), is used for processing multiple conflicting target: minimize completion date and cost [14].Boutin et al. proposes One is the most expansible and coordinated scheduling framework Appollo, and overall thinking various factors, to reduce task completion time [8].Lee et al. have studied the workflow schedule problem of utilization of resources, and proposes dispatching algorithm MER to weigh task Deadline and cost [15].Abrishami et al. proposes the workflow schedule algorithm of two task based access control clusters, is meeting Under conditions of its off period requires, optimize the executory cost [17] of workflow.But, above-mentioned heuristic is the most fully Utilize the free time time slot of resource.

Additionally, the workflow schedule method that also a few thing research task based access control replicates.Such as, Zong et al. proposes Energy-efficient duplication dispatching algorithm, to improve performance and the energy use efficiency [18] of cluster.Choudhury et al. proposes A kind of mixed scheduling method replicated based on mission critical, in multi-processor Embedded System traffic control stream task [19].But, in cluster and embedded system, the heuristic data that generally have ignored that existing task based access control repeats are asked safely Topic.

Due to raising day by day to data safety consciousness in cloud computing environment, more existing research and propose correlation method and protect The safety of barrier workflow intermediate data.Such as, Liu et al. proposes a data Placement Strategy, during running workflow, Dynamically place intermediate data [7].Qiu et al. proposes encrypted instance selection strategy based on ILP, carrys out the adjustable of safeguard work stream Degree property and the safety [10] of intermediate data.Zeng et al. proposes a workflow schedule algorithm, considers intermediate data simultaneously Cost and security constraint [21].But, existing safety dispatching method does not make full use of free timeslot to back up work Make stream task, with time started and the deadline of workflow of work ahead stream task.It addition, these methods are almost without profit With encrypting intermediate data the slack time of task, to such an extent as to the encryption times expense of data has seriously postponed completing of workflow Time.

Effective workflow schedule method and encrypted instance selection strategy are to minimize security sensitive work stream when completing Between and cost, and the effective way guaranteed data security.Existing about the research of workflow schedule in IaaS cloud or minimum Change deadline and the cost of workflow, or attempt reducing the operating cost of workflow simultaneously, meet its off period.It is worth It is noted that the free timeslot on virtual machine be by task between data dependence relation cause, even the scheduling of optimum Method is the most inevitable.But, seldom there is research replication task to these free timeslots, improve the deadline of workflow with this And operating cost.Additionally, the security requirement performing the intermediate data that workflow produces is not taken into full account.

For the limitation studied, we study, and how traffic control stream task is simultaneously selectively multiple to virtual machine Task processed, to free timeslot, to minimize deadline and the operating cost of workflow, improves the resource of virtual machine (VM) simultaneously Efficiency.Utilize the intermediate data of workflow is encrypted, to meet workflow the slack time of task additionally, we find Safety requirements.

List of references:

[1]P.Mell and T.Grance,“The nist definition of cloud computing,” National Institute of Standards and Technology,vol.53,no.6,p.50,2009.

[2]X.Zhu,L.T.Yang,H.Chen,J.Wang,S.Yin,and X.Liu,“Real-time tasks oriented energy-aware scheduling in virtualized clouds,”IEEE Transactions on Cloud Computing,vol.2,no.2,pp.168–180,2014.

[3]G.Juve,A.Chervenak,E.Deelman,S.Bharathi,G.Mehta,and K.Vahi, “Characterizing and profiling scientific workflows,”Future Generation Computer Systems,vol.29,no.3,pp.682–692,2013.

[4]C.Wang,K.Ren,and J.Wang,“Secure and practical outsourcing of linear programming in cloud computing,”in Proceedings of the 2011 INFOCOM.IEEE,2011,pp.820–828.

[5]L.Wei,H.Zhu,Z.Cao,X.Dong,W.Jia,Y.Chen,and A.V.Vasilakos,“Security and privacy for storage and computation in cloud computing,”Information Sciences,vol.258,pp.371–386,2014.

[6]C.A.Ardagna,R.Asal,E.Damiani,and Q.H.Vu,“From security to assurance in the cloud:A survey,”ACM Computing Surveys(CSUR),vol.48,no.1,p.2, 2015.

[7]W.Liu,S.Peng,W.Du,W.Wang,and G.S.Zeng,“Security-aware intermediate data placement strategy in scientific cloud workflows,”Knowledge and Information Systems,vol.41,no.2,pp.423–447,2014.

[8]E.Boutin,J.Ekanayake,W.Lin,B.Shi,J.Zhou,Z.Qian,M.Wu,and L.Zhou, “Apollo:scalable and coordinated scheduling for cloud-scale computing,”in Proceedings of the 11th USENIX conference on Operating Systems Design and Implementation.USENIXAssociation,2014,pp.285–300.

[9]S.Pearson and A.Benameur,“Privacy,security and trust issues arising from cloud computing,”in Proceedings of the Second International Conference on Cloud Computing Technology and Science(CloudCom).IEEE,2010, pp.693–702.

[10]M.Qiu,L.Zhang,Z.Ming,Z.Chen,X.Qin,and L.T.Yang,“Security-aware optimization for ubiquitous computing systems with seat graph approach,” Journal of Computer and System Sciences,vol.79,no.5,pp.518–529,2013.

[11]Z.Zhu,G.Zhang,M.Li,and X.Liu,“Evolutionary multi-objective workflow scheduling in cloud,”IEEE Transactions on Parallel and Distributed Systems,DOI:10.1109/TPDS.2015.2446459.

[12]M.A.Rodriguez and R.Buyya,“Deadline based resource provisioning and scheduling algorithm for scientific workflows on clouds,”IEEE Transactions on Cloud Computing,vol.2,no.2,pp.222–235,2014.

[13]A.Talukder,M.Kirley,and R.Buyya,“Multi-objective differential evolution for scheduling workflow applications on global grids,”Concurrency and Computation:Practice and Experience,vol.21,no.13,pp.1742–1756,2009.

[14]J.J.Durillo,R.Prodan,and J.G.Barbosa,“Pareto tradeoff scheduling of workflows on federated commercial clouds,”Simulation Modelling Practice and Theory,vol.58,pp.95–111,2015.

[15]Y.C.Lee,H.Han,A.Y.Zomaya,and M.Yousif,“Resource-efficient workflow scheduling in clouds,”Knowledge-Based Systems,vol.80,pp.153–162, 2015.

[16]H.M.Fard,R.Prodan,and T.Fahringer,“A truthful dynamic workflow scheduling mechanism for commercial multicloud environments,”IEEE Transactions on Parallel and Distributed Systems,vol.24,no.6,pp.1203–1212, 2013.

[17]S.Abrishami,M.Naghibzadeh,and D.H.Epema,“Deadline constrained workflow scheduling algorithms for infrastructure as a service clouds,”Future Generation Computer Systems,vol.29,no.1,pp.158–169,2013.

[18]Z.Zong,A.Manzanares,X.Ruan,and X.Qin,“Ead and pebd:two energy- aware duplication scheduling algorithms for parallel tasks on homogeneous clusters,”IEEE Transactions on Computers,vol.60,no.3,pp.360–374,2011.

[19]P.Choudhury,R.Kumar,and P.Chakrabarti,“Hybrid scheduling of dynamic task graphs with selective duplication for multiprocessors under memory and time constraints,”IEEE Transactions on Parallel and Distributed Systems,vol.19,no.7,pp.967–980,2008.

[20]X.Tang,K.Li,Z.Zeng,and B.Veeravalli,“A novel security driven scheduling algorithm for precedence-constrained tasks in heterogeneous distributed systems,”IEEE Transactions on Computers,vol.60,no.7,pp.1017–1029, 2011.

[21]L.Zeng,B.Veeravalli,and X.Li,“Saba:A security-aware and budget- aware workflow scheduling strategy in clouds,”Journal of Parallel and Distributed Computing,vol.75,pp.141–151,2015.

[22]M.Malawski,G.Juve,E.Deelman,and J.Nabrzyski,“Algorithms for cost- and deadline-constrained provisioning for scientific workflow ensembles in iaas clouds,”Future Generation Computer Systems,vol.48,pp.1–18,2015.

[23]S.Kianpisheh,N.M.Charkari,and M.Kargahi,“Reliability-driven scheduling of time/cost-constrained grid workflows,”Future Generation Computer Systems,vol.55,pp.1–16,2016.

[24]T.Xie and X.Qin,“Scheduling security-critical real-time applications on clusters,”IEEE Transactions on Computers,vol.55,no.7,pp.864– 879,2006.

[25]S.K.Garg and R.Buyya,“Networkcloudsim:Modelling parallel application in cloud simulations,”in Proceeding of the Fourth IEEE International Conference on Utility and Cloud Computing(UCC).IEEE,2011, pp.105-113.

[26]S.Abrishami,M.Naghibzadeh,and D.H.Epema,“Cost-driven scheduling of grid workflows using partial critical paths,”IEEE Transactions on Parallel and Distributed Systems,vol.23,no.8,pp.1400–1414,2012.

[26]L.F.Bittencourt,E.R.Madeira,and N.L.Da Fonseca,“Scheduling in hybrid clouds,”IEEE Communications Magazine,vol.50,no.9,pp.42–47,2012.

[27]R.N.Calheiros,R.Ranjan,A.Beloglazov,C.A.De Rose,and R.Buyya, “Cloudsim:a toolkit for modeling and simulation of cloud computing environments and evaluation of resource provisioning algorithms,”Software: Practice and Experience,vol.41,no.1,pp.23–50,2011.

[28]R.N.Calheiros and R.Buyya,“Meeting deadlines of scientific workflows in public clouds with tasks replication,”IEEE Transactions on Parallel and Distributed Systems,vol.25,no.7,pp.1787–1796,2014.

[29]https://confluence.pegasus.isi.edu/display/pegasus/ WorkflowGenerator.

Summary of the invention

The invention provides the dispatching method of the security sensitive work stream that task based access control replicates in a kind of cloud computing, different In existing method, the present invention utilizes existing free timeslot on virtual machine to replicate some predecessor tasks selectively, exerts Power reduces deadline and the cost of workflow, improves the resource efficiency of virtual machine simultaneously.Additionally, workflow task is lax Time is used to the output data of cryptographic tasks, this ensure that the safety requirements of workflow, minimizes the complete of workflow simultaneously One-tenth time and the increase of cost.Its technical scheme is as described below:

In a kind of cloud computing, the dispatching method of the security sensitive work stream that task based access control replicates, comprises the following steps:

(1) initialize available virtual machine list, be designated as vmList；Find all ready tasks and initialize, being designated as readyTL；A weight is given for each task in readyTL；

(2) ready task during dispatching algorithm SOLID uses alternative manner scheduling readyTL, iteration each time, The ready task that in readyTL, weight is maximum will be dispatched to corresponding void by function ScheduleTaskByDuplication () Plan machine, described function ScheduleTaskByDuplication () is initially used for ensureing that ready task is at its Late Finish Before complete, and the cost that runs minimized；Secondly, minimize the deadline of task and do not consider operating cost；When one ready After task is scheduled, its part or all of follow-up work will become ready task, and dispatching method SOLID finds out and just just becomes simultaneously The task of thread, gives weight, and adds middle readyTL to；

(3) after all of workflow task is scheduled for virtual machine, dispatching method SOLID calls function The intermediate data of workflow is encrypted by EncryptData (), and described function EncryptData () is each intermediate data Each security service selects suitable encrypted instance, meets the data demand for security of workflow；

(4) function EncryptData () is in each iteration, utilizes the slack time of task in encrypted work stream Between data, progressively strengthen the safety of data.

Further, in step (1), being calculated as follows of task weight:

Wherein, pred (t_i) representing the predecessor task set of task, r (p) represents the index of virtual machine of task of distributing to, ft_p,r(p)Expression task t_pAt virtual machineOn deadline, mtt_p,iDuring largest data transfer between expression task Between；met_iThe maximum operation time of expression task, pred (t_i)！=φ represents this ready task t_iPredecessor task be non-NULL.

Further, in step (2), function ScheduleTaskByDuplication () comprises the following steps:

1) selecting a virtual machine, this virtual machine can be in task t_iLate Finish before complete this task, or This virtual function completes this task the earliest；

2) if step 1) in, not finding can be in task t_iLate Finish in complete the virtual of this task Machine, then, it is judged that constantly replication task t_iBottleneck predecessor task to virtual machineWhether can be Task t is completed in task Late Finish_iOr complete task t earlier_i；If set up, then select this virtual machine；

3) if step 2) in, do not have the virtual machine can be in task t_iTask t is completed before Late Finish_i, function ScaleUpVM () will be called, and judge to increase whether a new virtual machine can complete task t earlier_iOr in task Task t is completed in deadline in evening_i；If set up, then increase a new virtual machine；

4) according to Task Duplication plan, task t_iPart or all of predecessor task virtual by be copied to choose MachineOn, then by task t_iIt is assigned to this virtual machine.

Further, described function ScaleUpVm () comprises the following steps:

1) a type of virtual machine s is selected_*, the virtual machine of the type or in task t_iWith minimum in latest finishing time Expense complete task t_i, or make task t_iThere is earliest finish time；

2) if selecting a suitable type of virtual machine, this function will rent the new virtual machine an of the type, and will New virtual machine adds virtual machine list to.

Further, in step (3), function EncryptData () comprises the following steps:

1) first the encrypted instance of every class security service is carried out non-decreasing sequence according to security intensity；

2) then for each intermediate data, select the security service demand that weight is maximum, and it is strong to distribute minimum safe The encrypted instance of degree gives these data；

3) when above encrypted instance cannot meet the general safety demand of workflow, each of each data is stepped up The encrypted instance security intensity of security service demand, until meeting the general safety demand of workflow.

Wherein, described bottleneck predecessor task bpt (t_i) refer in task t_iPredecessor task in, data arrive task t_i? The predecessor task in evening, i.e.Described pred (t_i) represent task predecessor task collection Close, ft_p,r(p)Expression task t_pAt virtual machineOn deadline, tt_p,iExpression task t_pWith t_iBetween data transmission Time.

Further, by task t_iBottleneck predecessor task bpt (t_i) copy to task t_iOn the virtual machine at place, need This virtual machine is found out a suitable free timeslot, finds in the task queue of virtual machine and can place task bpt (t_i) Free timeslot the earliest, the restriction relation between guarantee task simultaneously.

Further, in step (4), described task t_iL slack time_iAs follows:

Wherein, succ (t_i) represent task t_iDirect follow-up work set；WithExpression task t_sOpen Time beginning and deadline；tt_i,sExpression task t_iWith task t_sBetween call duration time；succ(t_i)！=φ represents that task is non- Sky,Expression task t_aTime started, t_aRepresent and just come task t_iTask below.

The present invention has the following advantages:

(1) propose two variable to analyze and minimize workflow task by replicating part predecessor task selectively Time started；Define the Late Finish of workflow task, and propose another theorem, analyze workflow task Complete to be deferred to its Late Finish, to reduce expense, avoid postponing their follow-up work and workflow simultaneously Deadline.

(2) on the basis of above theorem, dispatching algorithm SOLID based on replication task selectively is devised, Minimize workflow deadline in cloud computing and operating cost, improve the service efficiency of virtual machine simultaneously.

(3) propose an intermediate data encryption policy, and be integrated in SOLID, carry out the slack time of mining task, to work Make stream intermediate data to be encrypted, to ensure the safety requirements of workflow, minimize the increase of deadline and cost simultaneously.

Accompanying drawing explanation

Fig. 1 is cloud computing platform example；

Fig. 2 is the workflow instance of band intermediate data；

Fig. 3 a, Fig. 3 b, Fig. 3 c, Fig. 3 d represent a part for the overall flow figure of dispatching method, the line of each several part respectively Corresponding capitalization A, B, C, D, E, F is used to be attached；

Fig. 4 a is that the demand for security of workflow affects figure to its operating cost；

Fig. 4 b is the comparison diagram of standardization completion date；

Fig. 4 c is the schematic diagram of the resource utilization about virtual machine.

Detailed description of the invention

3, model and problem describe

In this part, the present invention provides IaaS cloud calculating, workflow, Information Security model successively.With upper mold On the basis of type, describe the scheduling model of workflow, consider the security requirement of application simultaneously.

3.1 model

3.1.1 IaaS cloud calculates platform

Being similar to document [16,17,22], the present invention pays close attention to infrastructure and i.e. services (IaaS) cloud platform, as shown in Figure 1. In whole framework, user is associated by scheduler with IaaS platform.Top is user, dynamically to scheduler submission work Stream, and the bottom is IaaS platform, for user's on-demand offer virtual machine (VM).Scheduler is the critical component in IaaS platform, It is responsible for traffic control stream task and be intermediate data Choice encryption example.The present invention studies the dependency rule of scheduler in IaaS.

IaaS cloud calculates platform and provides polytype virtual machine, is designated as S={s₁,s₂,…,s_m}[11].Dissimilar void The configuration variance of plan machine is mainly reflected in: different processor performance, internal memory, storage, network and operating system.Each s_uAll There is a price Price (s associated with it_u).The use time of virtual machine by hour in units of, that portion of inadequate one hour Charging was carried out according to one hour between timesharing.Such as, virtual machine employs 5.1 hours, and meter employs 6 hours.We use SymbolRepresent the kth platform virtual machine in cloud computing platform, and the type of this virtual machine is s_u。

Communication link between virtual machine uses two n × n matrix bw_n×nAnd nl_n×nRepresenting, wherein n represents and can use The quantity of virtual machine；bw_k,k'And nl_k,k'Represent virtual machine respectivelyWithBetween the network bandwidth and postpone [23].

3.1.2 the Work flow model of security-sensitive

In the present invention, directed acyclic graph (DAG) model is used for supporting security sensitive work stream, is expressed as: W={T, D, E, θ }, wherein, T={t₁,t₂,…,t_nRepresent the set of tasks in workflow W；D={d₁,d₂,…,d_nRepresent intermediate data Set, and d_iCorresponding task t_iOutput data；It addition, size (d_i) represent d_iData volume.It is the set on limit, If task t_iWith task t_jBetween there is dependence, then directed edge e_ij=(t_i,t_j) ∈ E exists for；t_iIt it is task t_j's Direct precursor, and t_jIt it is task t_iImmediate successor.Symbol pred (t_i) represent task t_iThe set of all direct precursor composition, Symbol succ (t_i) represent task t_iThe set of all immediate successors composition.θ represents the demand for security of workflow.θ value is 0 to 1 Between, defining according to the sensitivity of user data, it is 0 that minimum safe requires, is up to 1.

Fig. 2 shows a workflow instance figure being made up of 5 tasks.The vertex correspondence task presentation of DAG figure is circle Shape, and the output data of each task use rectangle to represent.Directed edge from data to task represents the data dependence between task Relation.

3.1.3 Information Security model

In cloud environment, distorting, spy upon and cheating of data is three kinds of common attacks, then three corresponding safety clothes Business demand is: confidentiality, complete and certification.Therefore, we use following definition to represent workflow task output data Security service demand.

Define 1. tasks t_iOutput data d_iSecurity service demand be represented by a tlv triple:

sr_i={ sr_i ^cs,sr_i ^is,sr_i ^as, wherein sr_i ^cs、sr_i ^isAnd sr_i ^asRepresent data d respectively_iSecurity services (cs) Demand, Sincere Service (is) demand and authentication service (as) demand.

Each security service demand has multiple encrypted instance to select.Security services demand, Sincere Service demand, with certification The encrypted instance of demand for services is expressed as: WithSubscript N (j), { cs, is, as} represent the encrypted instance of jth kind demand for services to j ∈ Quantity.

For the security service of Optimization Work stream, the security intensity of the different encrypted instance of quantitative measurement and calculating is needed to open Pin.One encrypted instanceCan be modeled asIts Middle l represents the index of encrypted instance；WithThe security intensity represented respectively and computing cost.These are added Closely knit example, their security intensity normalizes to the scope of 0 to 1.

3.2 problems describe

ParameterIt is used for representing data d_iJth ∈ the mapping relations of cs, is, as} class demand for security and encrypted instance:

Owing to every class security service demand of intermediate data can only be with an encrypted instance, it relates to following constraint:

Wherein, D represents that all tasks produce the set of intermediate data；| D | represents the quantity of element in set；

For a given intermediate data d_i, its jth ∈ the calculating time overhead of cs, is, as} class security service is:

Wherein, l represents the index of encrypted instance；N (j) represents the quantity of jth class encrypted instance；Represent jth class The time overhead of l encrypted instance；size(d_i) represent data d_iSize；Represent data d_iAnd between encrypted instance Relation, is shown in formula (1).

Therefore, intermediate data d_iSecurity overhead can be expressed as:

Task t is distributed in definition 2._iThe index of virtual machine be defined as r (t_i).Such as, if task t in workflow W₂ It is scheduled for virtual machineOn, then r (t₂)=8.

Due in workflow between task before and after restriction relation, a task only receives the number of all predecessor tasks According to just bringing into operation.Therefore, there is following constraint:

Wherein, pred (t_i) represent task predecessor task set；Expression task t_pAt virtual machineGo up The one-tenth time；Co (p) represents the encryption overhead of data；tt_p,iExpression task t_pWith t_iBetween data transmission period；Represent Task t_iAt virtual machineOn time started.

It is similar to document [23,25], from task t_pTo t_iData transmission period tt_p,iIt is calculated as follows:

Wherein,Represent network delay；w(e_p,i) represent the data volume needing transmission；Represent virtual Bandwidth between machine；r(t_p) and r (t_i) represent task t respectively_pWith task t_iThe index of the virtual machine mapped.

For a data-oriented d_i, its jth ∈ the security intensity of cs, is, as} class security service can be calculated as:

Data d_iSecurity intensity be calculated as:

Wherein,Represent data d_iThe weight of class j demand for security, and

Therefore, (sec (W)) of the general safety intensity of workflow W is:

Wherein, data d are represented_iAnd the relation between encrypted instance, is shown in formula (1).

In order to meet the demand for security of a workflow, we have a following constraint:

Sec(W)≥θ (10)

Meeting constraints (2), (5) and (10), the main optimization aim of the present invention is to minimize when completing of workflow W Between.Deadline is the deadline [26] finally completing task in whole workflow, is shown below:

Except the deadline, cost is another important indicator of cloud service, is conducive to improving the competing of cloud service provider Strive power and captivation.Therefore, the present invention reduces the cost for performing workflow to greatest extent, is described as follows:

Wherein, | VM | represents the virtual machine quantity running workflow set；tp_kIt it is the working cycle of virtual machine.

Additionally, perform workflow in IaaS cloud, pursue effectively utilizing of available resources and be one and challenging ask Topic.Another target of the present invention is the average resource maximizing virtual machine.This optimization aim can be write as:

Wherein, wt_kAnd tt_kRepresent virtual machine working time during running workflow W and total active time respectively (including work and free time).

4 algorithm designs

Generally, workflow schedule is NP-complete problem [11,27].Because being difficult to find out in polynomial time Optimal solution, the present invention proposes a heuristic mutation operations algorithm, to provide approximate optimal solution.

4.1 preparation

Analyze for convenience, first provide following premise:

One virtual machine only runs a task at a time point；

The cut-in time of virtual machine is the time that first task on this virtual machine starts to receive data；One The power cut-off time of individual virtual machine is the maximum time that all tasks complete data transmission；

If virtual machine can with and all of forerunner of a task be complete, be just immediately performed this task；

For each virtual machine, calculate and can occur with communicating simultaneously；

For each intermediate data, each security service demand can only be realized by an encrypted instance.

Because the call duration time being assigned between the task of same virtual machine is negligible, following two can be obtained Individual theorem, i.e. theorem 1 and 2, to facilitate the algorithm in 4.2 joints to design.

If theorem 1. task t_iOnly one of which predecessor task, i.e. | pred (t_i) |=1, assume its unique forerunner simultaneously Task is t_p, i.e. pred (t_i)={ t_p, by task t_iImmediately following task t_pIt is placed on same virtual machine, task t_iBeginning time BetweenThe earliest, i.e.

Prove: due to task t_iOnly receive task t_pData, just bring into operation, then task t_iTime started MeetIf by task t_iFollowed by task t_pIt is placed on same virtual machine, between task The transmission time be 0, i.e. tt_p,i=0, thenMinimized, i.e.

Theorem 2. assumes pred (t_i)={ t₁,t₂,…,t_kAnd ft₁+tt_1,i≥ft₂+tt_2,i,…,ft_k+tt_k,i, task t_i Earliest finish time beWherein k is task t_iPredecessor task Quantity, i.e. k=| pred (t_i)|；ft_l, 1≤l≤k represents the deadline of task；tt_l,i, 1≤l≤k represents task t_lWith appoint Business t_iBetween data transmission period；Represent set of tasks { t₁,t₂,…,t_lAll task completion time in } With, i.e.

Prove: orderWherein k is task t_iPredecessor task Quantity, i.e. k=| pred (t_i)|。

Situation 1: whenTime, due to

We can obtain

It addition, because

We can it is concluded thatIt is designated as conclusion (1.1).

WhenTime, we can also it is concluded that

It is designated as conclusion (1.2).

According to the conclusion of 1.1 and 1.2, we can obtain

If

Situation 2: whenTime, due toSoIt is designated as conclusion (2.1).

It addition, work asTime, because

With AndThereforeIt is designated as conclusion (2.2).

Can obtain from conclusion 2.1 and 2.2: If

Therefore, task t_iThe minimum time started be:

Above-mentioned two theorem shows scheduler task t_iTo the virtual machine at its predecessor task place, or replication task t_iPortion Divide or whole predecessor task is to task t_iThe virtual machine of distribution, it is possible to task t in advance_iTime started.

If defining 3. 1 tasks t_iIt is not dispatched to any virtual machine, defines its time startedWith when completing BetweenIt is all 0.

According to definition 3, each task t_iLatest finishing time lft_iIt is calculated as follows:

Theorem 3. assumes succ (t_i) it is task t_iFollow-up work collection.If task t_iDeadlineMeetSo task t_iComplete to be delayed the beginning of its follow-up work.

Prove: assumeSo task t_s'Time startedFull FootAndTask t_iDeadline MeetTherefore, Show by task t_iProduce the beginning not being delayed its all follow-up works the time of advent of data.Therefore, theorem 3 must be demonstrate,proved.

Theorem 3 shows, not every workflow task is required for completing as early as possible.Therefore, guaranteeing that workflow is the completeest On the premise of the one-tenth time, schedule it on the virtual machine of cost minimization, to minimize deadline and cost.

The workflow schedule that 4.2 task based access control replicate

In this section, it is proposed that the security sensitive work stream dispatching algorithm that a task based access control replicates, named SOLID.SOLID minimizes deadline and the cost of workflow specifically, meets the data demand for security of workflow simultaneously. Fig. 4 gives the flow chart of algorithm SOLID traffic control stream.

Define 4. ready tasks: if a task does not has any predecessor task, i.e.Or before they are all Task of driving has been scheduled on virtual machine, then this task is ready task.

In algorithm SOLID, ready task is scheduled on virtual machine, for task in order according to its weight size t_i, its weight rank (t_i) be calculated as follows:

Wherein, pred (t_i) represent task t_iPredecessor task set, r (p) represents the rope of virtual machine of task of distributing to Draw, ft_p,r(p)Expression task t_pDeadline, mtt_p,iThe largest data transfer time between expression task, met_iExpression task The maximum operation time.

Define 5. tasks t_iAt virtual machineOn expected cost be defined as follows:

Wherein, at_kRepresent virtual machineComplete the time of last task.

Define 6. bottleneck predecessor task bpt (t_i): task t_iPredecessor task in, data arrive task t_iForerunner the latest Task definition is the bottleneck predecessor task of this task, i.e.

In order to by task t_iBottleneck predecessor task bpt (t_i) copy to task t_iOn the virtual machine at place, need in this void A suitable free timeslot is found out on plan machine.The bright method of we is to find to place task in the task queue of virtual machine bpt(t_i) free timeslot the earliest, the restriction relation between guarantee task simultaneously.It is defined below that to give suitable time empty Gap.

Definition 7. hypothesis task t_bBeing a bottleneck predecessor task, it is at virtual machineOn the operation time be et_b,k, It is dispatched to virtual machineOn m task presentation beWhereinIf it is empty There is time slot on plan machine and meet condition (17), the time slot between title task and task is suitable for t_b。

It addition, virtual machineOn meet the earliest time gap of condition (17) and be designated as slot (t_b)。

Define 8. tasks t_iLax l_iTiming definition is as follows:

Wherein, succ (t_i) represent task t_iDirect follow-up work set；WithExpression task t_sOpen Time beginning and deadline；tt_i,sExpression task t_iWith task t_sBetween call duration time；t_aRepresent and just come task t_iBelow Task.

Fig. 3 a-Fig. 3 d is overview flow chart of the present invention, specifically includes:

The first step, initializes: initialization of virtual machine list vmList is virtual machine available in system；Find out institute either with or without The task of forerunner, initializes ready task set readyTL；Weight is given for each ready task；

Second step, it is judged that whether ready task set readyTL is empty, if sky, turns the 8th step；Otherwise, power is taken out The ready task of weight maximum (is designated as t_i), and calculate task t_iLate Finish lft_i, then perform the 3rd step.

3rd step, is assigned to task on the virtual machine that has been switched on, and method is:

3.1 by task t_iEach virtual machine inMatch one by one, and calculate consequent every pair of task-virtual machine The deadline ft of task_i,kWith expense pc_i,k；Wherein pc_i,kDefinition see definition 5.3.2 from the result of calculation of 3.1, choosing Go out to meet ft_i,k≤lft_i, and minimum pc_i,kVirtual machine

If 3.3 3.2 can select virtual machine, then by task t_iIt is assigned toOn virtual machine, forward the 7th step to；Otherwise, Forward the 4th step to；

4th step, the index of initialization of virtual machine k is k=0；The virtual machine selVM selected is empty；N is available virtual machine Quantity；Minimum completion time minFT is minFT ← 0；Turn the 5th step；

5th step, by Task Duplication, by task t_iIt is assigned on available virtual machine, as solid box black in Fig. 3 comprises portion Point, method is:

5.1 judge whether k ＞=n sets up, if set up, then turn the 6th step；Otherwise perform 5.2 steps；

If 5.2 tasks t_iBottleneck predecessor task bpt (t_i) not at virtual machineOn, then perform 5.3 steps；Otherwise, Renewal k is k=k+1, turns 5.1 steps；

5.3 judge virtual machineWhether existence can accommodate task bpt (t_i) free time groove, if it is present Calculate replication task bpt (t_i) to after this time slot, task t_iAt virtual machineOn deadline ft_i,k, then turn 5.4 Step；Otherwise, renewal k is k=k+1, turns 5.1 steps；

If 5.4 tasks t_iDeadline ft_i,kIt is not more than its Late Finish lft_i(that is, ft_i,k≤lft_i), Then replication task t_iAll bottleneck predecessor tasks to virtual machineCorresponding free time groove on, then by task t_iDistribution To virtual machineTurn next to the 7th step；Otherwise, 5.5 steps are turned；

If 5.5 tasks t_iDeadline ft_i,kLess than minimum completion time minFT (that is, ft_i,k＜ minFT), the most more The newly selected virtual machine isIt is minFT ← ft with minimum completion time_i,k；Then the 5.2nd step is turned；

6th step, is assigned to task on the virtual machine that newly increases, and as in Fig. 3, fine dotted line frame comprises part, method is as follows:

The index u of 6.1 initialization of virtual machine types is u=0；M is the type total amount of virtual machine；The type of virtual machine selected U* is u* ←-1；

If 6.2 u is more than or equal to m (that is, u ＞=m), then turning 6.3 steps；Otherwise, task t is calculated_iIt is s in type_u's New virtual machineOn deadline ft_i,k, then turn 6.4 steps；

6.3 if u* ＞-1, then increasing a type newly is s_u*Virtual machineAnd by task t_iIt is assigned to this most virtual MachineOn；This new virtual machine is joined in available virtual machine list vmList, i.e. simultaneously Then the 7th step is turned；

If 6.4 tasks t_iDeadline ft_i,kMore than its Late Finish lft_i(that is, ft_i,k＞ lft_i), then turn 6.5 step；Otherwise, a newly-increased type is s_uVirtual machineAnd by task t_iIt is assigned to this new virtual machineOn；Simultaneously This new virtual machine is joined in available virtual machine list vmList, i.e.Then is turned Seven steps；

If 6.5 tasks t_iDeadline ft_i,kLess than minimum completion time minFT (that is, ft_i,k＜ minFT), the most more The type of virtual machine u* newly selected is u* ← u, and the minimum completion time minFT of task is minFT ← ft_i,k, then turn the 6.6th Step；Otherwise, 6.6 steps are directly turned；

6.6 renewal type of virtual machine u are u ← u+1, then turn 6.2 steps；

7th step, finds out new ready task, and these tasks is joined readyTL, and method is as follows:

7.1 initialization task t_iThe index s of follow-up work is s=0；S is task t_iThe quantity of follow-up work, i.e. S=| succ(t_i)|；

If 7.2 s ＜ S, then find out task t_iThe s follow-up work, turn 7.3；Otherwise, second step is turned；

If 7.3 tasks t_iThe s follow-up work t_sBecome ready, then by t_sIt joins readyTL, i.e. readyTL ←readyTL∪t_s, then turn 7.2 steps；

8th step, is encrypted the intermediate data of workflow, as in Fig. 3, thick dashed line frame comprises part, method such as:

The encrypted instance of 8.1 pairs of every class security services carries out the sequence of a non-decreasing according to security intensity, i.e.Wherein

8.2 for each intermediate data, the security service demand that the weight of selection is maximum, and distributes minimum safe intensity Encrypted instance give these data, method is as follows:

8.2.1 the index i of initialization data is i ← 0；I is number of elements I ← | D | of data acquisition system, and wherein D is all The set that intermediate data is constituted；

If 8.2.2 i ＜ I, then find out data d_iSecurity service demand j* that weight is maximum, i.e. Turn 8.2.3 step；Otherwise, 8.3 steps are turned；

8.2.3 encrypted instance is usedEnsure data d_iJth * class security service demand；

8.2.4 for data other two classes security service demands (that is, j ∈ cs, is, as} j*}), and use virtual machine Encrypted instanceWherein virtual machine encrypted instance meetsWith

8.2.5 updating i is i ← i+1；Turn 8.2.2 step；

The 8.3 general safety intensity stepping up workflow, method is as follows:

If 8.3.1 general safety strength S ec (W) of workflow is more than setting θ (that is, Sec (W) ＞ θ), forward the 9th to Step；Otherwise, 8.3.2 step is forwarded to；

8.3.2 select data d_i*Jth * class security service demand, if meeting condition:

Wherein, l and l'=min{l+1, N (j) } all represent the index of encrypted instance；Δ t represents the time overhead of encryption.

8.3.3 more new data d_i*The encrypted instance of jth * class security service demand be l', forward 8.3.1 step to；

9th step, terminates.

5 performance evaluations

In this section, we assess proposed SOLID algorithm by experiment.In order to verify the excellent of the performance of SOLID Bad, SOLID and a benchmark algorithm are compared by quantitatively, i.e. SOLID-Random (SOLID-R).Additionally will SOLID compares with existing algorithm EFT-MER [15].Algorithm EFT-MER does not accounts for the demand for security of workflow, in order to make The most fair, the encryption policy that two different is integrated in EFT-MER and forms two mutation, i.e. EFT-MER with Exploring Laxity Time (EFT-MER-EL) and EFT-MER with Random encryption strategy (EFT-MER-R)。

5.1 experiments and parameter are arranged

In an experiment, the relevant parameter of Amazon AWS EC2 is used to simulate cloud environment.Experiment considers 6 classics Type of virtual machine, as shown in table 1 [11], [29].Metering period is 60 minutes.The quantity of every class virtual machine is unlimited.Empty Average bandwidth between plan machine is set as the random number between 10Mbps and 30Mbps.

The configuration parameter of table 1 virtual machine

The present invention uses the method being similar to document [20], stochastic generation workflow test set.

In an experiment, each intermediate data needs the security service of 3 types, i.e. integrity service, security services and Authentication service.Front 2 security services have 6 encrypted instances, the 3rd security service to have 3 encrypted instances.These security instance Security intensity and computing cost [7], [10], [24] as shown in table 2.

The parameter of table 23 class encrypted instance

In an experiment, for often organizing parameter, each algorithm independent operating 50 times, the experimental result drawn is all realities Test the meansigma methods of result.

5.2 demands for security impact on performance

In order to check the security requirement impact on algorithm performance of workflow, with step-length be 0.05 by demand for security etc. Level increases to 0.9 from 0.75, and the number of tasks of workflow, CCR are not set as 1500,2.0 and 1.0 with parallel Factor minute simultaneously.Fig. 4 In give experimental result.

Fig. 4 (a) shows, for standard completion date, SOLID is better than SOLID-R respectively, EFT-MER, EFT-MER-EL and The ratio of EFT-MER-R is 2.13%, 12.66%, 17.63% and 20.11%.This can be explained by following 2 reasons.First, SOLID utilizes free timeslot to replicate some predecessor tasks selectively, makes great efforts to reduce the time started of workflow task, because of This SOLID has relatively low standard completion date than SOLID-R, EFT-MER, EFT-MER-EL and EFT-MER-R.Secondly, SOLID make use of free timeslot to encrypt intermediate data, and therefore SOLID has better performance than SOLID-R.

Fig. 4 (b) shows, the cost of these 5 kinds of algorithms is increased slightly with the increase of safety requirements.This is due to higher safety Require to need higher security overhead.Additionally, SOLID average specific SOLID-R, EFT-MER, EFT-MER-EL and EFT-MER-R The cost spent few 9.61%, 31.67%, 36.57% and 39.78%.This can 2 reasons explain below.First, Algorithm SOLID is while ensureing task latest finishing time, by task scheduling to the virtual machine of cost minimization.Then, exist Data encryption stage, SOLID makes full use of and is encrypted intermediate data the slack time of workflow task, with the fewest Ground postpones follow-up work, this also means that the increase of Virtual Machine Worker time is minimum.

Fig. 4 (c) illustrates the experimental result of the resource utilization about virtual machine.Along with the increase of demand for security, SOLID With SOLID-R performance, downward trend occurs, and the performance of EFT-MER, EFT-MER-EL and EFT-MER-R is relative stable.This It is because SOLID and SOLID-R, by replication task, the free timeslot of virtual machine has been compressed to the limit, improve workflow Demand for security mean higher encryption times expense, be therefore easier to postpone the beginning of some tasks, to expand virtual machine Free timeslot.But, the free timeslot that other 3 algorithms produce is relatively big, and it is empty that the time overhead of encryption is conducive to compressing these Idle gap.It should be noted that resource utilization still ratio SOLID-R, EFT-MER, EFT-MER-EL and the EFT-MER-of SOLID R is high by 8.45%, 35.41%, 34.30% and 34.69%.This is because during SOLID selectivity repeated work stream task idle Virtual machine in gap, thus reduce idle resources of virtual machine.

Claims (8)

1. a dispatching method for the security sensitive work stream that task based access control replicates in cloud computing, comprises the following steps:

(1) initialize available virtual machine list, be designated as vmList；Find all ready tasks and initialize, being designated as readyTL； A weight is given for each task in readyTL；

(2) ready task during dispatching algorithm SOLID uses alternative manner scheduling readyTL, iteration each time, in readyTL The ready task of weight maximum will be dispatched to corresponding virtual machine by function ScheduleTaskByDuplication (), described Function ScheduleTaskByDuplication () is initially used for ensureing that ready task completes before its Late Finish, and Run minimized cost；Secondly, minimize the deadline of task and do not consider operating cost；When a ready task is scheduled After, its part or all of follow-up work will become ready task, and dispatching method SOLID finds out the task of just becoming ready simultaneously, Give weight, and add middle readyTL to；

(3) after all of workflow task is scheduled for virtual machine, dispatching method SOLID calls function EncryptData () Being encrypted the intermediate data of workflow, described function EncryptData () is each security service of each intermediate data Select suitable encrypted instance, meet the data demand for security of workflow；

(4) function EncryptData () is in each iteration, utilize task slack time encrypted work stream mediant According to, progressively strengthen the safety of data.

The dispatching method of the security sensitive work stream that task based access control replicates in cloud computing the most according to claim 1, its It is characterised by: in step (1), being calculated as follows of task weight:

$rank\left(t_i\right)=\left\{\begin{array}{cc}\underset{t_p\∈pred\left(t_i\right)}{\max }\{{\mathrm{ft}}_{p,r\left(p\right)}+{\mathrm{mtt}}_{p,i}\}+{\mathrm{met}}_i,& \begin{array}{cc}if& pred\left(t_i\right)!=\mathrm{\φ};\end{array}\\ {\mathrm{met}}_i,& otherwise.\end{array}\right.$

Wherein, pred (t_i) representing the predecessor task set of task, r (p) represents the index of virtual machine of task of distributing to, ft_p,r(p)Expression task t_pAt virtual machineOn deadline, mtt_p,iDuring largest data transfer between expression task Between；met_iThe maximum operation time of expression task, pred (t_i)！=φ represents this ready task t_iPredecessor task be non-NULL.

The dispatching method of the security sensitive work stream that task based access control replicates in cloud computing the most according to claim 1, its It is characterised by: in step (2), function ScheduleTaskByDuplication () comprises the following steps:

1) selecting a virtual machine, this virtual machine can be in task t_iLate Finish before complete this task, or this is virtual Function completes this task the earliest；

2) if step 1) in, not finding can be in task t_iLate Finish in complete the virtual machine of this task, that , it is judged that constantly replication task t_iBottleneck predecessor task to virtual machine(k=1,2 ..., n), if can in task Task t is completed in deadline in evening_iOr complete task t earlier_i；If set up, then select this virtual machine；

3) if step 2) in, do not have the virtual machine can be in task t_iTask t is completed before Late Finish_i, function ScaleUpVM () will be called, and judge to increase whether a new virtual machine can complete task t earlier_iOr in task Task t is completed in deadline in evening_i；If set up, then increase a new virtual machine；

4) according to Task Duplication plan, task t_iPart or all of predecessor task will be copied to the virtual machine chosenOn, then by task t_iIt is assigned to this virtual machine.

The dispatching method of the security sensitive work stream that task based access control replicates in cloud computing the most according to claim 3, its It is characterised by: described function ScaleUpVm () comprises the following steps:

1) a type of virtual machine s is selected_*, the virtual machine of the type or in task t_iTake with minimum in latest finishing time With completing task t_i, or make task t_iThere is earliest finish time；

2) if selecting a suitable type of virtual machine, this function will rent the new virtual machine an of the type, and will be new empty Plan machine adds virtual machine list to.

The dispatching method of the security sensitive work stream that task based access control replicates in cloud computing the most according to claim 1, its It is characterised by: in step (3), function EncryptData () comprises the following steps:

1) first the encrypted instance of every class security service is carried out non-decreasing sequence according to security intensity；

2) then for each intermediate data, select the security service demand that weight is maximum, and distribute minimum safe intensity Encrypted instance gives these data；

3) when above encrypted instance cannot meet the general safety demand of workflow, each safety of each data is stepped up The encrypted instance security intensity of demand for services, until meeting the general safety demand of workflow.

The dispatching method of the security sensitive work stream that task based access control replicates in cloud computing the most according to claim 3, its It is characterised by: described bottleneck predecessor task bpt (t_i) refer in task t_iPredecessor task in, data arrive task t_iThe latest Predecessor task, i.e.Described pred (t_i) represent task predecessor task set, ft_p,r(p)Expression task t_pAt virtual machineOn deadline, tt_p,iExpression task t_pWith t_iBetween data transmission time Between.

The dispatching method of the security sensitive work stream that task based access control replicates in cloud computing the most according to claim 6, its It is characterised by: by task t_iBottleneck predecessor task bpt (t_i) copy to task t_iOn the virtual machine at place, need virtual at this Find out a suitable free timeslot on machine, find in the task queue of virtual machine and can place task bpt (t_i) empty the earliest Idle gap, the restriction relation between guarantee task simultaneously.

The dispatching method of the security sensitive work stream that task based access control replicates in cloud computing the most according to claim 3, its It is characterised by: in step (4), described task t_iL slack time_iAs follows:

Wherein, succ (t_i) represent task t_iDirect follow-up work set；WithExpression task t_sBeginning time Between and the deadline；tt_i,sExpression task t_iWith task t_sBetween call duration time；succ(t_i)！=φ represents task non-NULL,Expression task t_aTime started, t_aRepresent and just come task t_iTask below.