CN117376032B - Security service scheduling method and system, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117376032B
Authority: CN (China)
Prior art keywords: node, target, security component, determining, security
Legal status: Active (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN202311660497.5A
Other languages: Chinese (zh)
Other versions: CN117376032A (en)
Inventors: 张兴, 何道敬, 戴鹏, 田志宏, 张宜旺, 鲁辉, 姚敏森, 童超, 王伟, 夏修理, 王旭东, 戴明哲
Current assignee: China Resources Intelligent Computing Technology Guangdong Co ltd; China Resources Digital Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: China Resources Intelligent Computing Technology Guangdong Co ltd; China Resources Digital Technology Co Ltd
Events: application filed by China Resources Intelligent Computing Technology Guangdong Co ltd and China Resources Digital Technology Co Ltd; priority to CN202311660497.5A; publication of CN117376032A; application granted; publication of CN117376032B; legal status Active; anticipated expiration not stated

Classifications

All entries fall under section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication), except the final Y02D entry:

    • H04L63/20 Network architectures or network communication protocols for network security; for managing network security; network security policies in general
    • H04L41/40 Arrangements for maintenance, administration or management of data switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H04L43/0852 Monitoring or testing data switching networks based on specific metrics: delays
    • H04L43/0894 Monitoring or testing data switching networks based on specific metrics: network utilisation (volume of load or congestion level), packet rate
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories or directory access protocols, using the domain name system [DNS]
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network, for accessing one among a plurality of replicated servers
    • H04L67/141 Session management: setup of application sessions
    • H04L67/61 Scheduling or organising the servicing of application requests using the analysis and optimisation of the required network resources, taking into account QoS or priority requirements
    • Y02D30/70 Climate change mitigation technologies in ICT: reducing energy consumption in communication networks, in wireless communication networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a security service scheduling method and system, an electronic device and a storage medium. The method comprises: receiving, from a DNS server, a security service request originating from a user node; determining the target security component to be deployed according to the security service request; determining the computing resources and network bandwidth requested by the target security component; calculating the data transmission rate between each edge computing node and the user node; determining, from the edge computing nodes, the available nodes for deploying the target security component according to the computing resources, the network bandwidth and the data transmission rate; determining the network delay, processing time and load balancing coefficient between each available node and the user node; determining the optimal available node as the target node for deploying the target security component according to the network delay, the processing time and the load balancing coefficient; and issuing the address of the target node to the DNS server so that traffic from the user node is redirected to the target node, thereby enabling the virtualized security component to meet actual demand.

Description

Security service scheduling method and system, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a security service scheduling method and system, an electronic device, and a computer readable storage medium.
Background
Before a server receives the service traffic sent by a client, that traffic must first pass through security components. A traditional security architecture is network-centric: security policies are configured manually, and dedicated hardware such as a firewall, a WAF and a bastion host is chained in series so that the received traffic undergoes a sequence of security checks. With the arrival of the digital age and continued advances in cloud computing, moving security services to the cloud has become a definite trend.
To offload work from the cloud computing center, the prior art often deploys security services on a plurality of edge computing nodes. In such an architecture, where the security services are deployed on the edge computing nodes in virtualized form, the service traffic sent by a client must be forwarded to an edge computing node, a security component must then be invoked to perform security detection, and finally the traffic that passes the detection is forwarded to the server.
Disclosure of Invention
In order to solve the above problems, embodiments of the present application provide a security service scheduling method and system, an electronic device, and a storage medium, which can deploy a security component to an optimal edge computing node, and reduce the overall delay when a service flow sent by a user node passes through the security component, so that the virtualized security component meets the actual requirement.
A first aspect of an embodiment of the present application proposes a security service scheduling method, applied to a cloud computing center, where the cloud computing center is in communication connection with a DNS server, and the DNS server is in communication connection with a user node, where the method includes:
Receiving, from the DNS server, a security service request originating from the user node;
Determining a target security component to be deployed according to the security service request;
determining the computing resources and network bandwidth requested by the target security component;
calculating the data transmission rate between each edge calculation node and the user node;
Determining available nodes for deploying the target security component from all the edge computing nodes according to the computing resources, the network bandwidth and the data transmission rate;
Determining a network delay between each of the available nodes and the user node;
calculating the processing time and the load balancing coefficient of the target security component at each available node;
Determining the optimal available node as a target node for deploying the target security component according to the network delay, the processing time and the load balancing coefficient;
and transmitting the address of the target node to the DNS server so that the DNS server redirects the traffic from the user node to the target node.
In some embodiments, before the traffic from the user node is redirected to the target node, the method further comprises:
acquiring a preset priority of each target security component;
Determining the deployment sequence of each target security component according to the preset priority;
and deploying the target security component to the corresponding target node according to the deployment sequence.
In some embodiments, determining the target node for deploying the target security component from the available nodes according to the network delay, the processing time and the load balancing coefficient comprises:
determining the overall delay of each of a plurality of security service chains formed by the available nodes according to the network delay, the processing time and the load balancing coefficient; and
determining, by a linear programming algorithm, the security service chain with the minimum overall delay, so as to determine the target node of each target security component.
In some embodiments, calculating the data transmission rate between each edge computing node and the user node comprises:
calculating the data transmission rate between each edge computing node and the user node by the following formula,
where the quantities are: the transmission rate between the kth edge computing node and the user node; the transmission power of the kth edge computing node; the channel gain of the kth channel, the kth channel being the communication channel between the kth edge computing node and the user node; the bandwidth of the kth channel; the transmission power of the ith edge computing node; the channel gain of the ith channel, the ith channel being the communication channel between the ith edge computing node and the user node; and the sum of the interference from all channels other than the kth channel to the kth channel.
In some embodiments, the determining available nodes to deploy the target security component from all of the edge computing nodes based on the computing resources, the network bandwidth, and the data transfer rate comprises:
Acquiring the computational load and the bandwidth load of all the edge computing nodes;
In the event that it is determined that the data transmission rate of a first edge computing node is greater than a first rate threshold, that the sum of the computational load and the computational resources is less than a preset total amount of computational resources of the first edge computing node, and that the sum of the bandwidth load and the network bandwidth is less than the preset total amount of bandwidth of the first edge computing node, determining that the first edge computing node is an available node of the target security component, wherein the first edge computing node is one of the edge computing nodes.
In some embodiments, before issuing the address of the target node to the DNS server so that the DNS server redirects traffic from the user node to the target node, the method further comprises:
determining a first container according to the target security component, wherein the first container is configured with a virtual machine environment required by running the target security component, and the target security component runs in the virtual machine environment;
and issuing the image file of the first container to the target node to deploy the target security component at the target node.
In some embodiments, the determining the target security component to be deployed according to the security service request includes:
matching a target security policy according to the security service request;
And determining the target security component to be deployed according to the target security policy.
A second aspect of an embodiment of the present application proposes a security service scheduling system, the system comprising:
A plurality of edge compute nodes, the edge compute nodes configured to deploy at least one type of target security component;
The DNS server is used for receiving a security service request sent by a user node and forwarding the security service request to the cloud computing center, and is also used for receiving a target node fed back by the cloud computing center and redirecting the service flow from the user node to the target node;
A cloud computing center for executing the security service scheduling method according to the embodiment of the first aspect.
A third aspect of an embodiment of the present application proposes an electronic device comprising a memory, a processor, a program stored on the memory and executable on the processor, and a data bus for enabling a connection communication between the processor and the memory, the program when executed by the processor implementing a security service scheduling method according to any one of the embodiments of the first aspect.
A fourth aspect of the embodiments of the present application proposes a computer readable storage medium storing one or more programs executable by one or more processors to implement the security service scheduling method according to any of the embodiments of the first aspect.
The embodiment of the application provides a security service scheduling method and system, an electronic device and a storage medium, where the security service scheduling method comprises: receiving, from the DNS server, a security service request originating from the user node; determining the target security component to be deployed according to the security service request; determining the computing resources and network bandwidth requested by the target security component; calculating the data transmission rate between each edge computing node and the user node; determining, from all the edge computing nodes, the available nodes for deploying the target security component according to the computing resources, the network bandwidth and the data transmission rate; determining the network delay between each available node and the user node; calculating the processing time and the load balancing coefficient of the target security component at each available node; determining the optimal available node as the target node for deploying the target security component according to the network delay, the processing time and the load balancing coefficient; and issuing the address of the target node to the DNS server so that the DNS server redirects the traffic from the user node to the target node.
According to the security service scheduling method, when a security service request is received, the target security component to be deployed is determined from that request. When scheduling the edge computing nodes, the available nodes for deploying the target security component are first screened out of all edge computing nodes based on the computing resources and network bandwidth requested by the target security component and on the data transmission rate between each edge computing node and the user node. The optimal available node is then chosen as the target node based on the network delay between each available node and the user node, the processing time each available node needs for the corresponding security task, and the load balancing coefficient across all available nodes. Deploying the target security component on that target node reduces the overall delay of service traffic passing through the target security component, so that the virtualized target security component can meet actual service requirements.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
FIG. 1 is a flow chart of a security service scheduling method provided by an embodiment of the present application;
FIG. 2 is a flow chart of another security service scheduling method provided by an embodiment of the present application;
FIG. 3 is a sub-flowchart of step S108 of FIG. 1;
FIG. 4 is a flow chart of another security service scheduling method provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of a network topology of a security service dispatch system according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
the accompanying drawings are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate and do not limit the application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, steps shown or described may be performed in a different order than block division in a device or in a flowchart. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
In the description of the embodiments of the present application, unless explicitly defined otherwise, terms such as arrangement, installation, connection, etc. should be construed broadly, and those skilled in the art may reasonably determine the specific meaning of the terms in the embodiments of the present application in combination with the specific contents of the technical solutions.
Referring to fig. 1, a first aspect of an embodiment of the present application proposes a security service scheduling method applied to a cloud computing center, where the cloud computing center is in communication connection with a DNS server, and the DNS server is in communication connection with a user node, where the security service scheduling method includes, but is not limited to, steps S101 to S109 as follows.
Step S101, receiving a security service request from a user node from a DNS server;
It may be understood that the user node may be a web site or an application server that needs a security service, and the security service request may be a request to deploy a security component for the user node and provide the security service. Specifically, the user node may send the security service request to the DNS server through a uniform URL interface; the DNS server determines the network address of the user node by resolving the request, and then reports the network address of the user node together with the security service request to the cloud computing center.
Step S102, determining a target security component to be deployed according to a security service request;
It will be appreciated that in practice a plurality of different target security components usually has to be deployed for any one security service requirement, and the optimal security policy differs between security service requests, so a different set of target security components must be deployed for different requests. Specifically, a target security policy is matched according to the security service request, and the target security component to be deployed is determined according to that target security policy. For example, network protocols differ in transmission mode, message format and application scenario (SMTP is used for e-mail transmission, FTP mainly for file transfer), so traffic carried by different protocols is exposed to different kinds of security risk; a different target security policy should therefore be configured for each protocol, so that its traffic passes through a different set of target security components. Traffic sent over HTTP is prone to XSS and SQL injection, so a WAF component should be deployed to identify malicious SQL statements and filter XSS payloads. For traffic sent over FTP, a bastion host component should be deployed to authenticate access and reduce unauthorized access, and an antivirus gateway component to prevent malware being transferred. For traffic sent over SMTP, a whitelist component may be set to reduce spam, a firewall component may monitor and block the installation of malware, and an IDS/IPS component may inspect mail content to prevent malware propagating by mail.
In this embodiment, different target security policies may be set according to the type of the security service request, and a mapping relationship between the type of the security service request and the target security policies is established, and after the security service request is received, the corresponding target security policies may be matched according to the type of the security service request, so as to determine a target security component to be deployed.
Step S103, determining the computing resources and network bandwidth requested by the target security component;
After the type of the target security component has been determined, the corresponding computing resources and network bandwidth may be determined from that type; specifically, the amount of computing resources and bandwidth each security component needs in operation may be preset from empirical values. It will be appreciated that security components of different types differ in complexity and therefore in the computing resources and bandwidth they occupy when running: a high-complexity component must be allocated more computing and bandwidth resources, and a low-complexity component fewer. Based on this difference, the computing resources and network bandwidth allocated to each security component may be preset.
Step S104, calculating the data transmission rate between each edge calculation node and the user node;
It can be understood that data is transmitted between an edge computing node and the user node over a channel, and is limited by that channel's bandwidth and capacity: the amount of data that can be stably transmitted between the edge computing node and the user node per unit time has an upper limit, and this upper limit can be regarded as the data transmission rate between the two. The data transmission rate thus reflects the maximum amount of data the user node can transmit to the edge computing node per unit time. If it is too low, transmitting traffic of a given size from the user node to the edge computing node takes longer, and the overall delay of the traffic through the security service scheduling system increases. Specifically, the data transmission rate can be calculated by the following formula:
Here the quantities are: the transmission rate between the kth edge computing node and the user node; the transmission power of the kth edge computing node; the channel gain of the kth channel, the kth channel being the communication channel between the kth edge computing node and the user node; the bandwidth of the kth channel; the transmission power of the ith edge computing node; the channel gain of the ith channel, the ith channel being the communication channel between the ith edge computing node and the user node; and the sum of the interference from all channels other than the kth channel to the kth channel. It should be noted that, because channel noise is generated randomly, the above formula considers the data transmission rate in an ideal state: it gives the maximum achievable data transmission rate when the noise of the kth channel itself is ignored.
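The rate calculation described in step S104, as an added example that is not part of the patent text. The page names the quantities (transmit power, channel gain, channel bandwidth, and the interference from every other node's channel) but the formula itself does not survive in the page, so the code assumes the standard Shannon-capacity form: channel bandwidth times log2(1 + received signal power / interference), with the interference being the sum of the other nodes' received power. That is exactly the noise-free case the text describes; the optional noise term, the function names and all sample values are my additions.

```python
import math
from typing import List


def transmission_rate(k: int, powers: List[float], gains: List[float],
                      bandwidth_hz: float, noise_w: float = 0.0) -> float:
    """Data rate (bit/s) between the k-th edge computing node and the user node.

    Assumed form (the patent's formula is not reproduced on the page):
        rate_k = B_k * log2(1 + P_k * g_k / (sum_{i != k} P_i * g_i + noise))
    With noise_w == 0 this is the noise-free ideal the text describes; a
    positive noise_w adds the k-th channel's own noise power, which the
    text says the patent's formula ignores.
    """
    if len(powers) != len(gains):
        raise ValueError("powers and gains must have one entry per edge node")
    if not 0 <= k < len(powers):
        raise ValueError(f"node index {k} out of range")
    signal = powers[k] * gains[k]
    # Interference: received power of every channel except the k-th one.
    interference = sum(p * g for i, (p, g) in enumerate(zip(powers, gains)) if i != k)
    denominator = interference + noise_w
    if denominator == 0.0:
        # No interferers and no noise: the ideal model has no upper bound,
        # which is the edge case a scheduler must guard against.
        return math.inf
    return bandwidth_hz * math.log2(1.0 + signal / denominator)


def all_rates(powers: List[float], gains: List[float],
              bandwidth_hz: float, noise_w: float = 0.0) -> List[float]:
    """Rate for every edge node towards the same user node."""
    return [transmission_rate(k, powers, gains, bandwidth_hz, noise_w)
            for k in range(len(powers))]


# Constructed sample: two edge nodes sharing a 1 MHz channel, transmit power
# in watts, unitless channel gains. Not measured data.
SAMPLE_POWERS = [1.0, 0.5]
SAMPLE_GAINS = [0.8, 0.4]
SAMPLE_BANDWIDTH_HZ = 1.0e6

if __name__ == "__main__":
    for k, r in enumerate(all_rates(SAMPLE_POWERS, SAMPLE_GAINS, SAMPLE_BANDWIDTH_HZ)):
        print(f"edge node {k}: {r / 1e6:.3f} Mbit/s (noise ignored)")
    r_noisy = transmission_rate(0, SAMPLE_POWERS, SAMPLE_GAINS, SAMPLE_BANDWIDTH_HZ, noise_w=0.1)
    print(f"edge node 0 with 0.1 W noise: {r_noisy / 1e6:.3f} Mbit/s")
```

With the sample values node 0 has a signal-to-interference ratio of 4 and node 1 of 0.25, so the node whose transmitter is stronger relative to the others gets the higher rate; adding the noise term only ever lowers a rate, which is why the page calls the noise-free figure an ideal upper bound.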
Step S105, determining available nodes for deploying the target security component from all edge computing nodes according to computing resources, network bandwidth and data transmission rate;
Specifically, step S105 may include: acquiring the computing load and the bandwidth load of all edge computing nodes; and, when it is determined that the data transmission rate of a first edge computing node is greater than a first rate threshold, that the sum of its computing load and the computing resources of the target security component is less than the preset total computing resources of the first edge computing node, and that the sum of its bandwidth load and the network bandwidth of the target security component is less than the preset total bandwidth of the first edge computing node, determining that the first edge computing node is an available node for the target security component, where the first edge computing node is any one of the edge computing nodes. It can be understood that each edge computing node is deployed with a resource monitoring module that monitors the node's computing load and bandwidth load in real time and reports them to the cloud computing center, so the cloud computing center can sense the load of every edge computing node. From this it determines each node's available computing resources and available bandwidth, compares them with the computing resources and network bandwidth of the target security component, and so decides whether the node's remaining computing power and bandwidth are sufficient to run the target security component. Combined with the data transmission rate between each edge computing node and the user node, this screens out as available nodes those whose remaining computing power exceeds the computing resources of the target security component, whose remaining bandwidth exceeds the network bandwidth of the target security component, and whose data transmission rate is greater than the first rate threshold. The target security component is thereby never deployed to a node that cannot host it for lack of computing power or bandwidth, and traffic delay is not increased by a node with too low a data transmission rate.
In this embodiment, a corresponding constraint condition may be added to an algorithm of the cloud computing center scheduling edge computing node, where the specific constraint condition is as follows:
;(1)
;(2)
Wherein, in order: the decision variable represents the kth process of the ith security component on the jth edge computing node and takes a value of 0 or 1, a value of 1 indicating that the kth process of the ith security component is deployed on the jth edge computing node and a value of 0 indicating that it is not; the computing resources consumed by the ith security component in executing the kth process on the jth edge computing node; the preset total amount of computing resources of the jth edge computing node; the bandwidth resources consumed by the ith security component in executing the kth process on the jth edge computing node; the preset total amount of bandwidth of the jth edge computing node; the number of classes of security components; and the maximum number of processes of the same security component that may be deployed on a single edge computing node, which may be a preset value K. By adding these constraint conditions to the scheduling algorithm of the cloud computing center, the target security component is prevented from being deployed to an edge computing node whose residual computing power or residual bandwidth is insufficient to support the computing resources or network bandwidth of the target security component.
Step S106, determining network time delay between each available node and the user node;
specifically, a Ping command may be sent from the available nodes to the user node to determine the network delay between the two nodes.
Step S107, calculating the processing time and the load balancing coefficient of the target security component at each available node;
Specifically, the cloud computing center may generate a service flow of the same size, send it to each available node, and call the corresponding target security component in each available node to perform the corresponding security task on the service flow. It will be appreciated that, since the security components are deployed at the edge computing nodes in container form, when the security components are invoked to perform security tasks, the time each edge computing node needs to invoke the target security component can be determined from the clock signal of the container itself and recorded as the load balancing coefficient of the available node, and the time the target security component needs to complete the security task in the edge computing node can be recorded as the processing time of the available node.
Step S108, determining an optimal available node as a target node for deploying the target security component according to the network delay, the processing time and the load balancing coefficient;
It will be appreciated that the network delay between the available node and the user node reflects the time required to transfer data between the two nodes, the load balancing coefficient reflects the response time required for the available node to invoke the target security component, and the processing time reflects the time required to detect the traffic at the available node through the target security component. From the network delay, the processing time and the load balancing coefficient, the total time spent by the whole process of transmitting the service flow from the user node to the available node and completing the security detection there can be determined, that is, the overall delay caused by the service flow passing through the target security component. Determining the optimal available node as the target node on this basis therefore deploys the target security component to the node with the lowest overall delay, so that the overall delay experienced by traffic from the user node as it passes through the security service scheduling system is reduced, and the virtualized security component can meet the actual service requirement.
Step S109, the address of the target node is issued to the DNS server, so that the DNS server redirects the traffic from the user node to the target node.
Specifically, after the cloud computing center determines the target node of the target security component, a flow table entry may be constructed based on the target node, the flow table entry indicating that when a traffic flow from the user node is received, the traffic flow is redirected to the target node. The flow table entry is then issued to the DNS server. When the DNS server receives a traffic flow sent by the user node, it parses the traffic flow and modifies its destination IP address according to the received flow table entry, so that the traffic flow from the user node is redirected to the target node, where the target security component is invoked to perform the security detection task.
In the embodiment of the application, when a security service request sent by a user node is received, the type of the target security component is determined based on the type of the security service request, so that the number of security components through which the service traffic sent by the user node must pass is reduced while the effectiveness of the security service is ensured. Available nodes are then screened out of all edge computing nodes based on the computing resources and network bandwidth requested by the target security component and the maximum data transmission rate achievable between each edge computing node and the user node. Finally, the optimal available node is screened out as the target node based on the network delay between each available node and the user node, the load balancing coefficient of each available node and the processing time of each available node. It can be understood that the node selected in this way is the node with the shortest overall delay caused by executing the security task on the service flow after the security component is deployed, and that the service flow from the user node is forwarded directly to each target node, so the time the service flow needs to pass through the security service scheduling system is the shortest, the overall delay caused by the service flow passing through the security service scheduling system is effectively reduced, and the virtualized target security component can meet the actual service requirement.
Referring to fig. 2, in some embodiments, step S109 is preceded by, but not limited to, steps S201 to S203 as follows.
Step S201, obtaining preset priority of each target security component;
Step S202, determining the deployment sequence of each target security component according to a preset priority;
Step S203, the target security component is deployed to the corresponding target node according to the deployment sequence.
It will be appreciated that the security tasks performed by each target security component are not the same: for example, a firewall, as the basic protection component, protects the server from unauthorized access and malicious attacks, while the WAF component monitors and filters the HTTP/HTTPS traffic entering the Web application and identifies and blocks SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and other attack behaviors. A priority is therefore set for each security component based on the difference in the security tasks it performs, and the preset priority reflects the importance of each security component. After the cloud computing center determines the target node of each target security component, it determines the deployment sequence of the target security components based on their preset priorities and deploys the target security component with the higher preset priority to its corresponding target node first, so that computing resources and bandwidth resources are preferentially allocated to the target security components of higher importance and the overall performance of the security service scheduling system is ensured.
Referring to fig. 3, step S108 includes, but is not limited to, the following steps S301 to S302.
Step S301, determining the overall time delay of a plurality of security service chains formed by the available nodes according to the network time delay, the processing time and the load balancing coefficient;
In step S302, a security service chain with the minimum overall delay is determined by a linear programming algorithm to determine a target node for deploying the target security component.
The security service chain refers to a service chain formed by the available nodes of each target security component. For example, if the types of the target security components are A, B and C, the available nodes of the type-A target security component are a1, a2 and a3, those of the type-B component are b1, b2 and b3, and those of the type-C component are c1, c2 and c3, then a plurality of security service chains such as a1-b1-c1, a1-b2-c3 and a3-b1-c2 can be formed from the available nodes of each target security component, each security service chain indicating that the traffic flows through a different set of available nodes. It can be understood that, because the computing power resources, computing power loads and positions in the network topology of the available nodes differ, the network delay incurred by transmitting the traffic to each available node and the response time each available node needs to call the target security component differ, and the processing time the target security component needs to handle the corresponding security task after responding also differs; hence, when the target security component is deployed in different available nodes, the overall delay caused by the traffic passing through the security service scheduling system also differs. In this embodiment, based on the network delay between each available node and the user node, the load balancing coefficient of each available node and its processing time, the overall delay of the traffic flow through the security service scheduling system along each security service chain can be calculated. Specifically, the overall delay of the traffic flow as it passes through the security service scheduling system along each security service chain can be calculated with reference to the following formula:
;(3)
Wherein, in order: the first symbol represents the overall delay of the traffic passing through the security service scheduling system; the decision variable for the kth process of the ith security component on the jth edge computing node takes a value of 0 or 1, a value of 1 indicating that the service flow passes through the kth process of the ith security component on the jth edge computing node under this security service chain and a value of 0 indicating that it does not; the network delay between the user node and the jth edge computing node; the processing time of the traffic through the kth process of the ith security component on the jth edge computing node; the load balancing coefficient of the traffic flow through the kth process of the ith security component on the jth edge computing node; the maximum number of processes for a single edge computing node; the number of edge computing nodes; the number of types of security components; and the preset weights of the network delay, the processing time and the load balancing coefficient respectively. With this formula, the overall delay of the service flow through the security service scheduling system along each security service chain can be calculated. Taking formula (3) as the objective function and formulas (1) and (2) of step S105 as the constraint conditions and feeding them to a linear programming solver, the security service chain with the minimum overall delay that satisfies constraints (1) and (2) can be found, and the target node of each target security component can be determined from that security service chain.
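As an added illustration that is not part of the patent text, the following Python code applies the screening of step S105, the joint feasibility check of constraints (1) and (2), and the weighted objective (3), and finds the minimum-delay security service chain by exhaustive enumeration instead of a linear programming solver. All node, component and measurement values are constructed, and the class and function names are this example's own.

```python
"""Added example (not the patent's own code): screen available edge nodes,
check constraints (1)-(2) per chain, and pick the chain with the minimum
weighted overall delay of objective (3). All sample values are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EdgeNode:
    name: str
    total_cpu: float   # preset total computing resources (right side of (1))
    total_bw: float    # preset total bandwidth (right side of (2))
    cpu_load: float    # computing-power load reported by the node's monitor
    bw_load: float     # bandwidth load reported by the node's monitor
    rate: float        # measured data transmission rate to the user node
    net_delay: float   # network delay to the user node (step S106), ms


@dataclass(frozen=True)
class SecurityComponent:
    name: str
    cpu: float         # computing resources requested (step S104)
    bw: float          # network bandwidth requested (step S104)


# (component name, node name) -> (processing time ms, load balancing coefficient ms)
Measurements = Dict[Tuple[str, str], Tuple[float, float]]
Chain = List[Tuple[SecurityComponent, EdgeNode]]


def is_available(node: EdgeNode, comp: SecurityComponent, rate_threshold: float) -> bool:
    """Step S105: rate above the threshold and the component's demand fits into
    the node's residual computing power and residual bandwidth."""
    return (node.rate > rate_threshold
            and node.cpu_load + comp.cpu < node.total_cpu
            and node.bw_load + comp.bw < node.total_bw)


def available_nodes(nodes, comp, rate_threshold) -> List[EdgeNode]:
    return [n for n in nodes if is_available(n, comp, rate_threshold)]


def chain_feasible(chain: Chain) -> bool:
    """Constraints (1) and (2) summed over every component placed on one node:
    screening one component at a time misses the case where several
    components of the same chain land on the same node."""
    cpu_use: Dict[str, float] = {}
    bw_use: Dict[str, float] = {}
    by_name: Dict[str, EdgeNode] = {}
    for comp, node in chain:
        by_name[node.name] = node
        cpu_use[node.name] = cpu_use.get(node.name, 0.0) + comp.cpu
        bw_use[node.name] = bw_use.get(node.name, 0.0) + comp.bw
    return all(n.cpu_load + cpu_use[name] < n.total_cpu
               and n.bw_load + bw_use[name] < n.total_bw
               for name, n in by_name.items())


def chain_delay(chain: Chain, meas: Measurements, weights: Tuple[float, float, float]) -> float:
    """Objective (3): for each (component, node) hop the traffic passes through,
    add the weighted network delay, processing time and load balancing coefficient."""
    w_net, w_proc, w_lb = weights
    total = 0.0
    for comp, node in chain:
        proc_time, lb_coeff = meas[(comp.name, node.name)]
        total += w_net * node.net_delay + w_proc * proc_time + w_lb * lb_coeff
    return total


def best_chain(nodes, comps, meas, weights, rate_threshold) -> Optional[Tuple[Chain, float]]:
    """Steps S301-S302 by enumeration: every combination of available nodes is a
    candidate chain; keep the feasible chain with the minimum overall delay."""
    candidates = [available_nodes(nodes, c, rate_threshold) for c in comps]
    if any(not c for c in candidates):
        return None  # some component has no node able to host it
    best: Optional[Tuple[Chain, float]] = None
    for combo in product(*candidates):
        chain = list(zip(comps, combo))
        if not chain_feasible(chain):
            continue
        delay = chain_delay(chain, meas, weights)
        if best is None or delay < best[1]:
            best = (chain, delay)
    return best


# Constructed sample data: three edge nodes, two target security components.
NODES = [
    EdgeNode("n1", total_cpu=8, total_bw=100, cpu_load=6, bw_load=40, rate=50, net_delay=5),
    EdgeNode("n2", total_cpu=16, total_bw=200, cpu_load=4, bw_load=50, rate=80, net_delay=12),
    EdgeNode("n3", total_cpu=16, total_bw=200, cpu_load=2, bw_load=20, rate=10, net_delay=2),
]
COMPONENTS = [SecurityComponent("firewall", cpu=1.5, bw=30), SecurityComponent("waf", cpu=2, bw=40)]
MEASUREMENTS: Measurements = {("firewall", "n1"): (3, 1), ("firewall", "n2"): (2, 2),
                              ("waf", "n2"): (6, 2)}
WEIGHTS = (1.0, 1.0, 0.5)   # preset weights for network delay, processing time, load balancing
RATE_THRESHOLD = 20         # first rate threshold of step S105


def demo():
    """n3 fails the rate threshold and n1 cannot host the WAF, so the chains
    compared are firewall@n1-waf@n2 and firewall@n2-waf@n2."""
    result = best_chain(NODES, COMPONENTS, MEASUREMENTS, WEIGHTS, RATE_THRESHOLD)
    if result is None:
        return None
    chain, delay = result
    return [(c.name, n.name) for c, n in chain], delay


if __name__ == "__main__":
    print(demo())
```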
Referring to fig. 4, in some embodiments, step S109 is preceded by steps S401 to S402.
Step S401, determining a first container according to a target security component, wherein the first container is configured with a virtual machine environment required by running the target security component, and the target security component runs in the virtual machine environment;
It may be appreciated that the cloud computing center may further be configured with a code repository storing the code of each target security component. In this embodiment, the target security components may be deployed on a hyper-converged architecture of containers and virtual machines: a first container dedicated to each target security component is configured as the operation carrier of that target security component, the first container is configured with the virtual machine environment required to run the target security component, and the target security component runs in the virtual machine environment configured in the first container. In this manner, each target security component operates in a separate container environment, and since the containers are isolated from each other, target security components running in different first containers do not interfere with each other. At the same time, the state of each target security component can be monitored flexibly, achieving fine-grained monitoring of security resources. Moreover, because some target security components need to run in a specific computing environment, the fused container and virtual machine architecture of this embodiment ensures that the environment provided by the container supports the operation of the target security components.
Specifically, in this embodiment, the operation carrier of the target security component may be built on the KubeVirt architecture, which abstracts virtual machines into Kubernetes resources, so that the cloud computing center can uniformly schedule the target security components through Kubernetes, conveniently deploy a target security component on the target node as a container image, or destroy a discarded target security component by deleting its container, achieving more flexible security resource management. After the target node for deploying the target security component is determined, the corresponding first container can be matched based on the type of the target security component.
Step S402, the image file of the first container is issued to the target node to deploy the target security component at the target node.
After the type of the target security component is matched with the corresponding first container, the image file of the first container is issued to the target node, so that a container corresponding to the first container is created directly in the target node from that image. The created container is configured with the same virtual machine environment as the first container, the target security component runs in that virtual machine environment, and the deployment of the target security component is thus completed from the container image.
In this embodiment, by running the target security component in the fusion architecture of the container and the virtual machine, more fine-grained monitoring of the security resource and more flexible security resource supply are achieved.
Referring to fig. 5, the embodiment of the application further provides a security service scheduling system, which includes:
a plurality of edge compute nodes 501, the edge compute nodes 501 for deploying at least one type of target security component;
The DNS server 502 is configured to receive a secure service request sent by the user node 504 and forward the secure service request to the cloud computing center 503, and is further configured to receive a target node fed back by the cloud computing center 503, and redirect traffic from the user node 504 to the target node;
A cloud computing center 503 for executing the security service scheduling method set forth in any one of the above embodiments.
Specifically, the edge computing nodes 501 may be deployed in different regions, where the edge computing nodes 501 together form a cross-region edge computing node cluster, and each entity of the edge computing nodes may be a machine room in which a large number of computing devices and network devices are deployed.
The security service scheduling system may provide a uniform URL interface through which the user node 504 communicates with the DNS server 502 to send a security service request to the security service scheduling system. After the DNS server 502 receives the security service request, it analyzes the request to obtain the address of the user node 504 in the network topology and the corresponding security service information, and sends the address and the security service information to the cloud computing center 503. According to the security task information and the address of the user node 504, the cloud computing center 503 finds the optimal node that has sufficient computing power resources and the shortest overall delay for processing the corresponding security task, and uses it as the target node. The cloud computing center 503 sends the corresponding target security component to the corresponding target node and then sends the target node to the DNS server 502. After receiving the target node, the DNS server 502 binds the user node 504 to the corresponding target node, and thereafter, when an access flow from the user node 504 is received, the access flow is redirected to the corresponding target node, so that the corresponding target security component is called in the target node to execute the corresponding security task on the service flow.
Based on the above, in the embodiment, the target security component is deployed at the target node with sufficient computational power resource and bandwidth resource and the shortest overall time delay caused by executing the security detection task, after the target node corresponding to the user node is determined, the access flow from the user node is directly redirected to the corresponding target node through the DNS server, the user node is decoupled from the cloud computing center, the overall time delay when the access flow passes through the security service scheduling system is effectively reduced, and the virtualized target security component can meet the actual service requirement.
Referring to fig. 6, an embodiment of the present application further proposes an electronic device 600, including:
At least one processor, and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions that are executed by the at least one processor to cause the at least one processor to perform a method according to any of the embodiments of the application when the instructions are executed.
The hardware configuration of the electronic device 600 is described in detail below with reference to fig. 6. The computer device includes: processor 610, memory 620, input/output interface 630, communication interface 640, and bus 650.
The processor 610 may be implemented by a general purpose central processing unit (Central Processing Unit, CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, etc. for executing related programs to implement the technical solutions provided by the embodiments of the present disclosure;
the memory 620 may be implemented in the form of a Read Only Memory (ROM), a static storage device, a dynamic storage device, or a random access memory (Random Access Memory, RAM). Memory 620 may store an operating system and other application programs, and when implementing the technical solutions provided by the embodiments of the present disclosure through software or firmware, relevant program codes are stored in memory 620 and invoked by processor 610 to perform the security service scheduling method of the embodiments of the present disclosure;
An input/output interface 630 for inputting and outputting information;
the communication interface 640 is configured to implement communication interaction between the device and other devices, and may implement communication in a wired manner (e.g. USB, network cable, etc.), or may implement communication in a wireless manner (e.g. mobile network, WIFI, bluetooth, etc.);
Bus 650 transmits information between the various components of the device (e.g., processor 610, memory 620, input/output interface 630, and communication interface 640);
wherein the processor 610, the memory 620, the input/output interface 630 and the communication interface 640 establish communication connections with each other inside the device through the bus 650.
The embodiment of the application also provides a storage medium, which is a computer readable storage medium, and the computer readable storage medium stores computer executable instructions for causing a computer to execute the security service scheduling method of the embodiment of the application.
The flow diagrams depicted in the figures are exemplary only, and not necessarily all the elements and operations, steps, or order described. For example, some operations and steps may be decomposed, and some operations and steps may be combined or partially combined, so that the order of actual operations may be changed according to actual situations.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules in devices, units disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "comprises" and "comprising," along with any variations thereof, in the description of the present application and in the above-described figures are intended to cover non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to only those steps or elements that are expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in the present application, "at least one (item)" means one or more, and "a plurality" means two or more. "and/or" describes an association relationship of associated objects and indicates that three relationships may exist; for example, "A and/or B" may represent: only A, only B, or both A and B, wherein A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "at least one of" or the like means any combination of these items, including any combination of single items or plural items. For example, at least one (one) of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The preferred embodiments of the present application have been described above with reference to the accompanying drawings, and are not thereby limiting the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims (9)

1. A security service scheduling method applied to a cloud computing center, wherein the cloud computing center is in communication connection with a DNS server, and the DNS server is in communication connection with a user node, the method comprising:
Receiving a security service request of the user node from the DNS server;
Determining a target security component to be deployed according to the security service request;
determining the computing resources and network bandwidth requested by the target security component;
calculating the data transmission rate between each edge calculation node and the user node;
Determining available nodes for deploying the target security component from all the edge computing nodes according to the computing resources, the network bandwidth and the data transmission rate;
Determining a network delay between each of the available nodes and the user node;
calculating the processing time and the load balancing coefficient of the target security component at each available node;
Determining the optimal available node as a target node for deploying the target security component according to the network delay, the processing time and the load balancing coefficient;
Issuing an address of the target node to the DNS server to cause the DNS server to redirect traffic from the user node to the target node;
The step of determining the optimal available node as the target node for deploying the target security component according to the network delay, the processing time and the load balancing coefficient comprises the following steps: determining the overall time delay of a plurality of safety service chains formed by the available nodes according to the network time delay, the processing time and the load balancing coefficient, wherein the safety service chains are service chains formed by the available nodes of each target safety component; determining the safety service chain with the minimum overall time delay through a linear programming algorithm so as to determine target nodes of each target safety component;
The step of determining the security service chain with the smallest overall delay through a linear programming algorithm to determine the target node of each of the target security components comprises: determining the security service chain with the minimum overall time delay under the constraint condition, and determining the target node of each target security component according to the security service chain with the minimum overall time delay, wherein the constraint condition is as follows:
Wherein, in order: the decision variable represents the kth process of the ith said target security component on the jth said edge computing node, with a value of 0 or 1; the computing resources consumed by the corresponding ith said target security component when executing the kth process in the jth said edge computing node; the preset total amount of computing resources of the jth edge computing node; the bandwidth resources consumed by the corresponding ith said target security component when executing the kth process in the jth said edge computing node; the preset total amount of bandwidth of the jth edge computing node; the number of categories of the target security component; and the maximum number of processes of the same said target security component deployed on a single said edge computing node.
2. The method of claim 1, comprising, prior to said issuing the address of the destination node to the DNS server to cause the DNS server to redirect traffic from the user node to the destination node:
acquiring a preset priority of each target security component;
Determining the deployment sequence of each target security component according to the preset priority;
and deploying the target security component to the corresponding target node according to the deployment sequence.
3. The method of claim 1, wherein said calculating a data transmission rate between each edge calculation node and the user node comprises:
Calculating a data transmission rate between each of the edge calculation nodes and the user node by the following formula:
Wherein, in order: the transmission rate between the kth edge computing node and the user node; the transmission power of the kth edge computing node; the channel gain of the kth channel, the kth channel being the communication channel between the kth edge computing node and the user node; the bandwidth of the kth channel; the transmission power of the ith said edge computing node; the channel gain of the ith channel, the ith channel being the communication channel between the ith edge computing node and the user node; and the sum of the interference of all channels except the kth channel on the kth channel.
4. The method of claim 1, wherein said determining available nodes to deploy the target security component from all of the edge computing nodes based on the computing resources, the network bandwidth, and the data transfer rate comprises:
Acquiring the computational load and the bandwidth load of all the edge computing nodes;
In the event that it is determined that the data transmission rate of a first edge computing node is greater than a first rate threshold, that the sum of the computational load and the computational resources is less than a preset total amount of computational resources of the first edge computing node, and that the sum of the bandwidth load and the network bandwidth is less than the preset total amount of bandwidth of the first edge computing node, determining that the first edge computing node is an available node of the target security component, wherein the first edge computing node is one of the edge computing nodes.
5. The method of claim 1, further comprising, prior to said issuing the address of the destination node to the DNS server to cause the DNS server to redirect traffic from the user node to the destination node:
determining a first container according to the target security component, wherein the first container is configured with a virtual machine environment required by running the target security component, and the target security component runs in the virtual machine environment;
And issuing the mirror image file of the first container to the target node to create a mirror image container with the target security component at the target node.
6. The method of claim 1, wherein the determining the target security component to be deployed based on the security service request comprises:
matching a target security policy according to the security service request;
And determining the target security component to be deployed according to the target security policy.
7. A security service scheduling system, comprising:
a plurality of edge computing nodes, each configured to deploy at least one type of target security component;
a DNS server, configured to receive a security service request sent by a user node and forward it to the cloud computing center, and further configured to receive the target node fed back by the cloud computing center and redirect the service traffic from the user node to that target node; and
a cloud computing center, configured to execute the security service scheduling method according to any one of claims 1 to 6.
8. An electronic device, comprising a memory, a processor, a program stored in the memory and executable on the processor, and a data bus enabling communication between the processor and the memory, wherein the program, when executed by the processor, implements the security service scheduling method according to any one of claims 1 to 6.
9. A computer-readable storage medium storing one or more programs which, when executed by one or more processors, implement the security service scheduling method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311660497.5A CN117376032B (en) 2023-12-06 2023-12-06 Security service scheduling method and system, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN117376032A CN117376032A (en) 2024-01-09
CN117376032B true CN117376032B (en) 2024-04-16

Family

ID=89393209

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311660497.5A Active CN117376032B (en) 2023-12-06 2023-12-06 Security service scheduling method and system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117376032B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109068391A (en) * 2018-09-27 2018-12-21 青岛智能产业技术研究院 Car networking communication optimization algorithm based on edge calculations and Actor-Critic algorithm
WO2022028418A1 (en) * 2020-08-04 2022-02-10 中国移动通信有限公司研究院 Computing power processing network system, and service processing method and device
WO2022171083A1 (en) * 2021-02-10 2022-08-18 中国移动通信有限公司研究院 Information processing method based on internet-of-things device, and related device and storage medium
CN116032767A (en) * 2022-12-30 2023-04-28 北京交通大学 Intelligent fusion identification network-oriented computing power service chain management and control system architecture
CN116915862A (en) * 2023-03-28 2023-10-20 中国移动通信有限公司研究院 Security service deployment method and communication equipment
CN117042052A (en) * 2023-08-24 2023-11-10 郑州大学 Signal transmission method and system with calculation and communication functions
WO2023226743A1 (en) * 2022-05-27 2023-11-30 北京火山引擎科技有限公司 Cloud service deployment method and apparatus, electronic device and storage medium

Also Published As

Publication number Publication date
CN117376032A (en) 2024-01-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant