CN110764871B - Cloud platform-based mimicry application packaging and control system and method

Info

Publication number: CN110764871B
Authority: CN (China)
Prior art keywords: task, mimicry, command, network element, encapsulation
Legal status: Active
Application number: CN201910962974.0A
Other languages: Chinese (zh)
Other versions: CN110764871A
Inventors: 刘文彦, 仝青, 扈红超, 程国振, 陈福才, 霍树民, 李凌书, 徐水灵, 倪思源, 周梦丽
Current assignee: Information Engineering University of PLA Strategic Support Force; Network Communication and Security Zijinshan Laboratory
Original assignee: Information Engineering University of PLA Strategic Support Force; Network Communication and Security Zijinshan Laboratory

Events
Application filed by Information Engineering University of PLA Strategic Support Force and Network Communication and Security Zijinshan Laboratory
Priority to CN201910962974.0A
Publication of CN110764871A
Application granted
Publication of CN110764871B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects

Abstract

The invention provides a cloud platform-based mimicry application packaging and control system and method. The system comprises: a mimicry packaging system interface, which provides a graphical management entrance for the user; a mimicry packaging server unit, which is responsible for receiving and preliminarily processing user requests from the interface, including user management, command checking and command issuing; a mimicry encapsulation task management unit, which provides the management functions for mimicry encapsulation tasks, including task creation, task deletion, checking of the task running state, and modification of control conditions while a task is running; and a mimicry network element real-time feedback control unit, which is responsible for monitoring and managing the operation of the mimicry network elements in real time, including monitoring the online connection of each mimicry network element, collecting information on abnormal operation of the mimicry network element, making decisions such as detecting an abnormal virtual machine and scheduling the abnormal virtual machine, and controlling the running state of the mimicry network element.

Description

Cloud platform-based mimicry application packaging and control system and method
Technical Field
The invention relates to the technical field of cyberspace security, in particular to a cloud platform-based mimicry application packaging and control system and method.
Background
Cloud computing takes virtualization as its basic technology, integrates physical resources such as computing, storage and data, and provides elastic services to users. With the rise of cloud computing, cloud service platforms have emerged; they are responsible for managing cloud computing resources, providing abstracted cloud computing resources to tenants in a specific form, and enabling tenants to use those resources conveniently. The OpenStack cloud platform, one of the representative open source cloud service projects, is a free and open source software project developed and launched jointly by NASA (National Aeronautics and Space Administration) and Rackspace under the Apache license; it currently has a wide user base and has formed an active community of over 130 enterprises and 1350 developers.
A cloud service platform can provide convenient cloud computing services, but it has its own unique security problems. Virtualization causes the virtual machines of different users to coexist on the same physical server; an attacker can rent a virtual machine and use it as a springboard to attack the virtual machines of other tenants residing on the same server, steal user data, tamper with information, spread viruses, and even take control of virtual machines as bots (zombie machines) to launch large-scale attacks on the cloud. At the same time, the cloud applications running on those virtual machines are threatened accordingly, so that services are paralyzed, interrupted, or work in an unexpected manner. Therefore, it is difficult for a cloud service platform to provide cloud computing services with sufficient security, and the virtual machines and applications of tenants are at all times within the threat range of attackers.
Mimicry defense (Wu Jiang, Network space mimicry defense research [J]. Information Security Bulletin, 2016, 1(4)) is an architecture technology based on dynamics, heterogeneity and redundancy, and can resist attacks that exploit unknown vulnerabilities and backdoors. Mimicry defense technology is naturally complementary to cloud computing technology with respect to the requirement for low-cost, lightweight construction, so applying mimicry defense technology to the cloud service platform provides a feasible way to improve the security of the cloud service platform.
Disclosure of Invention
In order to solve the problem that the virtual machines and applications of tenants are at all times within the threat range of attackers because of the security problems of existing cloud service platforms, the invention provides a cloud platform-based mimicry application packaging and control method and system, together with a plurality of corresponding functional units and their processing methods.
The invention provides a cloud platform-based mimicry application encapsulation and control method, wherein the cloud platform comprises a plurality of mimicry network elements, and the method comprises the following steps:
the mimicry packaging system interface receives a user request and forwards the user request to the mimicry packaging server unit;
the mimicry packaging server unit receives the user request forwarded by the mimicry packaging system interface and carries out primary processing according to the type of the user request;
the mimicry packaging task management unit receives a task management command issued by the mimicry packaging server unit, reprocesses the task management command according to its type, and feeds back a processing result to the mimicry packaging server unit;
the mimicry network element real-time feedback control unit monitors the operation of the mimicry network elements in real time, receives and executes the task management command forwarded by the mimicry encapsulation task management unit, and feeds back the execution result to the mimicry encapsulation task management unit;
the mimicry encapsulation task management unit receives the execution result of the mimicry network element real-time feedback control unit and modifies the related task state information in the database according to the execution result;
and the mimicry packaging server unit receives the processing result of the mimicry packaging task management unit and feeds the processing result back to the mimicry packaging system interface for display.
Correspondingly, the invention also provides a cloud platform-based mimicry application encapsulation and control system, wherein the cloud platform comprises a plurality of mimicry network elements, and the system comprises:
a mimicry packaging system interface, used for receiving a user request and forwarding the user request to the mimicry packaging server unit;
a mimicry packaging server unit, used for receiving the user request forwarded by the mimicry packaging system interface and performing primary processing according to the type of the user request; and for receiving the processing result of the mimicry packaging task management unit and feeding the processing result back to the mimicry packaging system interface for display;
a mimicry encapsulation task management unit, used for receiving the task management command issued by the mimicry encapsulation server unit, reprocessing the task management command according to its type and feeding back a processing result to the mimicry encapsulation server unit; and for receiving the execution result of the mimicry network element real-time feedback control unit and modifying the related task state information in the database according to the execution result;
and a mimicry network element real-time feedback control unit, used for monitoring the operation of the mimicry network elements in real time, receiving and executing the task management command forwarded by the mimicry encapsulation task management unit, and feeding back the execution result to the mimicry encapsulation task management unit.
Further, the mimicry packaging system interface comprises a registration page and a login page, wherein the login page comprises a tenant page and an administrator page, the tenant page and the administrator page respectively comprise a newly added task page and a task viewing page, and the task viewing pages respectively comprise a task modification page and a task deletion page.
Correspondingly, the invention also provides a processing method of the mimicry encapsulation server unit for the cloud platform-based mimicry application, which comprises the following steps: receiving a user request forwarded by the mimicry packaging system interface, and performing primary processing according to the type of the user request; the types of user request include a registration request, a login request and a task management command;
receiving a processing result of the mimicry packaging task management unit, and feeding the processing result back to the interface of the mimicry packaging system for displaying;
the preliminary treatment comprises the following steps:
checking and filtering the content of the user registration request, adding user information to the database, and returning a registration success response to the mimicry packaging system interface;
extracting user information transmitted by the interface of the mimicry packaging system from the login request, retrieving and checking the user information in the database, and if the user information is checked to be correct, returning login success information and the user level to the interface of the mimicry packaging system; if the check is inconsistent, returning login failure information to the interface of the mimicry packaging system;
and carrying out format check and authority check on the task management command, and issuing the checked task management command to the mimicry encapsulation task management unit.
Correspondingly, the invention also provides a cloud platform-based mimicry encapsulation server unit for the mimicry application, which comprises: a user management module, configured to manage user information in a database, where the management includes: checking and filtering the content of the user registration request, adding user information to the database, and returning a registration success response to the mimicry packaging system interface; extracting user information transmitted by the interface of the mimicry packaging system from the login request, retrieving and checking the user information in the database, and if the user information is checked to be correct, returning login success information and the user level to the interface of the mimicry packaging system; if the check is inconsistent, returning login failure information to the interface of the mimicry packaging system;
the command checking and issuing module is used for carrying out format checking and permission checking on the task management command and issuing the checked task management command to the mimicry encapsulation task management unit; and receiving the processing result of the mimicry packaging task management unit, and feeding the processing result back to the interface of the mimicry packaging system for displaying.
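The command checking and issuing module above performs a format check and an authority check before a task management command reaches the task management unit. The following is an added example of that module's logic (not the patent's own code); the command field names, the tenant/administrator levels and the in-memory stand-in for the user information table and task state table are assumptions.

```python
"""Format and authority checks for task management commands, modelled on the
mimicry encapsulation server unit.  Added example; field names and the
in-memory 'database' layout are assumptions, not the patent's own code."""
from dataclasses import dataclass, field

USER_LEVEL_TENANT = "tenant"
USER_LEVEL_ADMIN = "admin"

# The four task management command types named in the description.
COMMAND_TYPES = {"create", "modify", "view", "delete"}
# Modification content types (assumed names): VM migration is decided by the
# task management unit; the others are forwarded to the feedback control unit.
MODIFY_TYPES = {"vm_migration", "lease_period", "schedule_period", "arbitration_rule"}
SECURITY_LEVELS = {"low", "medium", "high"}   # assumed security level names


@dataclass
class CheckResult:
    ok: bool
    reason: str = ""


@dataclass
class Database:
    users: dict = field(default_factory=dict)   # user name -> user level
    tasks: dict = field(default_factory=dict)   # task number -> owner user name


def check_format(cmd: dict) -> CheckResult:
    """Reject commands whose type or fields are malformed before they are parsed
    downstream; nothing in the command is trusted until it passes here."""
    ctype = cmd.get("type")
    if ctype not in COMMAND_TYPES:
        return CheckResult(False, f"unknown command type {ctype!r}")
    if ctype == "create":
        if not isinstance(cmd.get("app_type"), str) or not cmd["app_type"]:
            return CheckResult(False, "create: app_type missing")
        if cmd.get("security_level") not in SECURITY_LEVELS:
            return CheckResult(False, "create: bad security_level")
        return CheckResult(True)
    # modify, view and delete all address an existing task by its number
    task_id = cmd.get("task_id")
    if not isinstance(task_id, int) or isinstance(task_id, bool) or task_id <= 0:
        return CheckResult(False, f"{ctype}: task_id must be a positive integer")
    if ctype == "modify":
        if cmd.get("modify_type") not in MODIFY_TYPES:
            return CheckResult(False, "modify: bad modify_type")
        if "value" not in cmd:
            return CheckResult(False, "modify: value missing")
    return CheckResult(True)


def check_authority(cmd: dict, user: str, db: Database) -> CheckResult:
    """Tenants may only act on their own tasks; administrators may act on all.
    Call only after check_format, so cmd['type'] and cmd['task_id'] exist."""
    level = db.users.get(user)
    if level is None:
        return CheckResult(False, "unknown user")        # must be a logged-in user
    if cmd["type"] == "create":
        return CheckResult(True)                         # creating a task of one's own
    owner = db.tasks.get(cmd["task_id"])
    if owner is not None and (level == USER_LEVEL_ADMIN or owner == user):
        return CheckResult(True)
    # Same answer for a missing task and for another tenant's task, so a tenant
    # cannot learn which task numbers exist by probing.
    return CheckResult(False, "task not found or not permitted")


def check_and_issue(cmd: dict, user: str, db: Database, issue) -> CheckResult:
    """Run both checks in order and hand the checked command, tagged with the
    requesting user, to the task management unit via the issue() callback."""
    result = check_format(cmd)
    if not result.ok:
        return result
    result = check_authority(cmd, user, db)
    if not result.ok:
        return result
    issue(dict(cmd, user=user))
    return CheckResult(True, "issued")
```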
The invention also provides a processing method of the mimicry encapsulation task management unit for the cloud platform-based mimicry application, which comprises the following steps: receiving a task management command issued by the mimicry encapsulation server unit, judging the type of the task management command, reprocessing the task management command according to its type, and feeding back a processing result to the mimicry encapsulation server unit; the types of task management command comprise a new encapsulation task command, a modify task command, a view task command and a delete task command;
receiving an execution result of the mimicry network element real-time feedback control unit, and modifying the related task state information in the database according to the execution result;
the reprocessing comprises: if the command is a new encapsulation task command, parsing the command to acquire the mimicry application type and the security level, creating a task according to the mimicry application type and the security level, and writing the task information into the database;
if the command is a modify task command, parsing the command to acquire the task number and the modification content, and processing according to the type of the modification content: if the type of the modification content is virtual machine migration, deciding a virtual machine migration strategy and carrying out the migration; if the type of the modification content is any modification other than virtual machine migration, forwarding the modify task command to the mimicry network element real-time feedback control unit;
if the command is a view task command, parsing the command to obtain the task number, searching the relevant records in the database, and generating the return information;
and if the command is a delete task command, parsing the command to acquire the task number, and forwarding the delete task command to the mimicry network element real-time feedback control unit.
Further, receiving the execution result of the mimicry network element real-time feedback control unit and modifying the related task state information in the database according to the execution result specifically comprises:
receiving the response of the mimicry network element real-time feedback control unit to the modify task command: if the response shows that the modification succeeded, generating a data record according to the modification result and storing it in the historical task change table of the database; if the response shows that the modification failed, recording the error information as the return result;
receiving the response of the mimicry network element real-time feedback control unit to the delete task command: if the response shows that the task was deleted successfully, adding a record to the historical task change table of the database and modifying the corresponding record in the current task state table; and if the response shows that the deletion failed, recording the error information as the return result.
Correspondingly, the invention also provides a mimicry encapsulation task management unit for the cloud platform-based mimicry application, which comprises: a command type judging module, used for receiving the task management command issued by the mimicry encapsulation server unit and judging the type of the task management command; the types of task management command comprise a new encapsulation task command, a modify task command, a view task command and a delete task command;
a mimicry encapsulation module, used for receiving a new encapsulation task command, parsing the command to acquire the mimicry application type and the security level, creating a task according to the mimicry application type and the security level, and writing the task information into the database;
a task modification module, used for receiving a modify task command, parsing the command to acquire the task number and the modification content, and processing according to the type of the modification content: if the type of the modification content is virtual machine migration, deciding a virtual machine migration strategy and carrying out the migration; if the type of the modification content is any modification other than virtual machine migration, forwarding the modify task command to the mimicry network element real-time feedback control unit; and for receiving the response of the mimicry network element real-time feedback control unit to the modify task command: if the response shows that the modification succeeded, generating a data record according to the modification result and storing it in the historical task change table of the database; if the response shows that the modification failed, recording the error information as the return result;
a task viewing module, used for receiving a view task command, parsing the command to obtain the task number, searching the related records in the database and generating the return information;
and a task deletion module, used for receiving a delete task command, parsing the command to acquire the task number, forwarding the delete task command to the mimicry network element real-time feedback control unit, and receiving the response of the mimicry network element real-time feedback control unit to the delete task command: if the response shows that the task was deleted successfully, adding a record to the historical task change table of the database and modifying the corresponding record in the current task state table; and if the response shows that the deletion failed, recording the error information as the return result.
The invention also discloses a processing method of the mimicry network element real-time feedback control unit for the cloud platform-based mimicry application, which comprises the following steps:
monitoring the operation of the mimicry network elements in real time, receiving and executing the task management command forwarded by the mimicry encapsulation task management unit, and feeding the execution result back to the mimicry encapsulation task management unit;
the real-time monitoring of the operation of the mimicry network elements specifically comprises:
receiving a connection request from a mimicry network element, and establishing a feedback control thread for that mimicry network element;
collecting the operation process information of the mimicry network element, comprehensively analyzing the operation process information, and determining whether a virtual machine of the mimicry network element needs to be scheduled and, if so, the scheduling strategy;
and controlling the running state of each mimicry network element, wherein the running state comprises the lease period, the virtual machine scheduling period, the arbitration rule of the proxy virtual machine, the survival state of the proxy virtual machine, and the suspension, restart and deletion of virtual machines.
Correspondingly, the invention also provides a mimicry network element real-time feedback control unit for the cloud platform-based mimicry application, which comprises: a registration module, used for receiving a connection request from a mimicry network element and establishing a feedback control thread for that mimicry network element;
a feedback control module, comprising one feedback control thread per mimicry network element, used for collecting the operation process information of the mimicry network element, comprehensively analyzing the operation process information, and determining whether a virtual machine of the mimicry network element needs to be scheduled and, if so, the scheduling strategy; and for controlling the running state of each mimicry network element, wherein the running state comprises the lease period, the virtual machine scheduling period, the arbitration rule of the proxy virtual machine, the survival state of the proxy virtual machine, and the suspension, restart and deletion of virtual machines;
and an external command interface, used for receiving and executing the task management command forwarded by the mimicry encapsulation task management unit and feeding back the execution result to the mimicry encapsulation task management unit.
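The feedback control thread described above is where the mimicry defense actually happens: the proxy virtual machine's arbitration rule is applied to the outputs of the heterogeneous executor virtual machines, an executor that is repeatedly outvoted is treated as abnormal, and a scheduling decision replaces it, rotates executors when the scheduling period elapses, or deletes the element when the lease expires. The following is an added example of that decision logic (not the patent's own code); the data layout, the disagreement threshold, the spare-platform pool and the action names are assumptions.

```python
"""Arbitration and scheduling decisions for one mimicry network element (a proxy
VM plus heterogeneous executor VMs), modelled on the feedback control thread.
Added example; thresholds, data layout and action names are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Executor:
    vm_id: str
    platform: str            # heterogeneity label, e.g. OS/runtime combination (assumed)
    disagreements: int = 0   # times this executor was outvoted by the others
    alive: bool = True       # heartbeat state collected by the feedback thread


@dataclass
class NetworkElement:
    task_id: int
    proxy_alive: bool
    executors: list
    lease_remaining: int       # seconds left in the tenant's lease period
    since_last_schedule: int   # seconds since the last scheduled rotation
    schedule_period: int       # virtual machine scheduling period (a control condition)
    arbitration: str = "majority"   # arbitration rule of the proxy VM
    suspect_threshold: int = 2      # outvotes before an executor is replaced (assumed)


def arbitrate(ne: NetworkElement, outputs: dict) -> tuple:
    """Apply the proxy's arbitration rule to one request's executor outputs.
    Returns (accepted_output or None, [vm_ids whose output was rejected]) and
    counts a disagreement against each rejected executor.  'majority' needs a
    strict majority of live executors; 'unanimous' needs all of them."""
    live = [e for e in ne.executors if e.alive and e.vm_id in outputs]
    votes = Counter(outputs[e.vm_id] for e in live)
    if not votes:
        return None, []
    winner, count = votes.most_common(1)[0]
    if ne.arbitration == "unanimous" and count != len(live):
        return None, []                      # no output released, nobody blamed
    if ne.arbitration == "majority" and count * 2 <= len(live):
        return None, []                      # no strict majority: fail closed
    rejected = []
    for e in live:
        if outputs[e.vm_id] != winner:
            e.disagreements += 1             # evidence of an abnormal executor
            rejected.append(e.vm_id)
    return winner, rejected


def decide_schedule(ne: NetworkElement, spare_platforms: list) -> list:
    """Decide the scheduling actions for this element as (action, vm_id, detail)
    tuples: delete on lease expiry, restart a dead proxy, replace dead or
    repeatedly outvoted executors, and rotate one executor per schedule period."""
    actions = []
    if ne.lease_remaining <= 0:
        return [("delete", e.vm_id, "lease expired") for e in ne.executors]
    if not ne.proxy_alive:
        actions.append(("restart", "proxy", "proxy heartbeat lost"))
    in_use = {e.platform for e in ne.executors}

    def pick_spare():
        # Prefer a platform not already present so the element stays heterogeneous.
        for p in spare_platforms:
            if p not in in_use:
                in_use.add(p)
                return p
        return spare_platforms[0] if spare_platforms else None

    for e in ne.executors:
        if not e.alive or e.disagreements >= ne.suspect_threshold:
            why = "heartbeat lost" if not e.alive else f"outvoted {e.disagreements} times"
            actions.append(("replace", e.vm_id, f"{why}; new platform {pick_spare()}"))
    if ne.since_last_schedule >= ne.schedule_period and not actions:
        # Periodic rotation keeps the element dynamic even when nothing looks wrong;
        # rotate the executor with the most disagreements (first one on a tie).
        victim = max(ne.executors, key=lambda e: e.disagreements)
        actions.append(("rotate", victim.vm_id,
                        f"scheduling period elapsed; new platform {pick_spare()}"))
    return actions
```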
The invention has the beneficial effects that:
Although existing cloud platforms such as OpenStack can provide a management scheme for virtual machines, they lack components for managing a mimicry network element that carries a mimicry application. Existing cloud management platforms provide basic SaaS service, namely the network infrastructure, software and hardware operating platform required for the informatization of enterprises; however, virtualization technology contains known and unknown vulnerabilities, the cloud platform uses many kinds of infrastructure with differing security risks, and so the attack surface of the cloud platform is expanded to a certain extent and the applications deployed on it are at an unknown risk level. The core function of the packaging and control system provided by the invention is to construct mimicry network elements for the encapsulation of mimicry applications and to manage them automatically. Mimicry defense technology increases the uncertainty of the mimicry application through a dynamic heterogeneous redundancy method; it defends against known vulnerabilities and can resist threats from unknown vulnerabilities. The invention applies mimicry defense technology to the OpenStack cloud platform and performs automatic mimicry encapsulation and management of cloud applications. On the one hand, a user can conveniently and transparently use mimicry technology to greatly enhance the security of an application, defending against the threat of potential unknown vulnerabilities while resisting known attacks; on the other hand, the encapsulation and control system avoids the complexity of creating and managing mimicry applications, provides an adaptive feedback control mechanism, and reduces both the complexity of deploying mimicry cloud applications and the user's workload in managing them, while still meeting the customization requirements of the application.
The method differs from traditional plug-in cloud platform defense technology and provides a feasible scheme for enhancing the endogenous security of cloud platform applications.
Drawings
Fig. 1 is a schematic structural diagram of a cloud platform-based mimicry application encapsulation and control system according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a mimicry packaging system interface according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a method for packaging and controlling a mimicry application based on a cloud platform according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a processing method of a mimicry network element real-time feedback control unit of a mimicry application based on a cloud platform according to an embodiment of the present invention;
fig. 5 is a flowchart of a working process of a registration module of a mimicry network element real-time feedback control unit according to an embodiment of the present invention;
fig. 6 is a flowchart of a feedback control thread of a mimicry network element real-time feedback control unit according to an embodiment of the present invention;
fig. 7 is a flowchart illustrating the operation of the external command interface of a mimicry network element real-time feedback control unit according to an embodiment of the present invention;
fig. 8 is a schematic flow chart of a processing method of a mimicry encapsulation server unit of a mimicry application based on a cloud platform according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present invention will be described clearly below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Although cloud platforms such as OpenStack can provide a management scheme for virtual machines, they lack components for managing a mimicry network element that carries a mimicry application. A mimicry network element is a combination of virtual machines consisting of one proxy virtual machine and a plurality of executor virtual machines. The core function of the system provided by the invention is to construct mimicry network elements for the encapsulation of mimicry applications and to manage them automatically, so that a user can conveniently and transparently use mimicry resources, and the management complexity is avoided while application security is enhanced.
Fig. 1 shows a cloud platform-based mimicry application encapsulation and control system provided in an embodiment of the present invention, where the cloud platform includes a plurality of mimicry network elements, and the system includes: a mimicry packaging system interface, a mimicry packaging server unit, a mimicry packaging task management unit and a mimicry network element real-time feedback control unit. Wherein:
the mimicry packaging system interface is used for receiving a user request and forwarding the user request to the mimicry packaging server unit;
specifically, the mimicry packaging system interface provides the user with a graphical management portal, comprising: a user registration and login interface, a tenant-level mimicry network element management interface (i.e., the tenant interface), and an administrator-level system management interface (i.e., the administrator interface). The user registration and login interface provides the user registration and login functions; the tenant interface displays the mimicry network elements in use by the user and provides an entrance to the functions of adding, deleting, viewing and changing mimicry network elements and of modifying the user's identity information; the administrator interface provides access to the management functions for all mimicry network elements in the system and for all users. The user interacts with the system through the mimicry packaging system interface: the interface receives the commands or requests that the user inputs on the relevant page, and then submits them to the mimicry packaging server unit for subsequent processing.
As an implementable manner, as shown in fig. 2, the mimicry package system interface includes a registration page and a login page, the login page includes a tenant page and an administrator page, the tenant page and the administrator page respectively include a newly added task page and a task viewing page, and each task viewing page includes a task modification page and a task deletion page.
The mimicry packaging server unit is used for receiving the user request forwarded by the mimicry packaging system interface and performing primary processing according to the type of the user request; and for receiving the processing result of the mimicry packaging task management unit and feeding the processing result back to the mimicry packaging system interface for display;
specifically, the mimicry encapsulation server unit is responsible for receiving and preliminarily processing a request or command from the mimicry encapsulation system interface, and mainly provides a user management function and a command checking and issuing function, where command checking means checking the validity of the command. The user management function mainly implements the operations surrounding user authentication, including adding, deleting, searching and changing user information; the user information is stored in the user information management table of the database. The command checking and issuing function mainly screens for legitimate requests from legitimate users and issues them to the mimicry encapsulation task management unit for subsequent processing, then returns the received processing result to the mimicry encapsulation system interface, which displays it.
As one possible implementation, as shown in fig. 1, the mimicry encapsulation server unit includes: a user management module and a command checking and issuing module. Wherein:
a user management module, configured to manage user information in a database, where the management includes: checking and filtering the content of the user registration request, adding user information to the database, and returning a registration success response to the mimicry packaging system interface; extracting user information transmitted by the interface of the mimicry packaging system from the login request, retrieving and checking the user information in the database, and if the user information is checked to be correct, returning login success information and the user level to the interface of the mimicry packaging system; if the check is inconsistent, returning login failure information to the interface of the mimicry packaging system;
the command checking and issuing module is used for carrying out format checking and authority checking on the task management command and issuing the checked task management command to the mimicry encapsulation task management unit; and receiving the processing result of the mimicry packaging task management unit, and feeding the processing result back to the interface of the mimicry packaging system for displaying.
The mimicry encapsulation task management unit is used for receiving the task management command issued by the mimicry encapsulation server unit, reprocessing the task management command according to its type, and feeding the processing result back to the mimicry encapsulation server unit; and for receiving the execution result of the mimicry network element real-time feedback control unit and modifying the related task state information in the database according to the execution result.
Specifically, the creation of a mimicry network element is performed in the form of an encapsulation task, that is, each mimicry network element uniquely corresponds to one encapsulation task. The mimicry encapsulation task management unit provides the management function for mimicry encapsulation tasks.
As one possible implementation, as shown in fig. 1, the mimicry encapsulation task management unit includes a command type judgment module, a mimicry encapsulation module, a task modification module, a task viewing module and a task deletion module. Wherein:
The command type judgment module is used for receiving the task management command issued by the mimicry encapsulation server unit and judging the type of the task management command; the types of task management commands comprise a new encapsulation task, a modify task, a view task and a delete task;
The mimicry encapsulation module is used for receiving a new encapsulation task command, analyzing the command to obtain the mimicry application type and the security level, creating a task according to the mimicry application type and the security level, and writing the task information into the database;
The task modification module is used for receiving a modify task command, analyzing the command to obtain the task number and the modification content, and processing according to the type of the modification content: if the type of the modification content is virtual machine migration, deciding a virtual machine migration policy and performing the migration; if the type of the modification content is a modification other than virtual machine migration, forwarding the modify task command to the mimicry network element real-time feedback control unit; and receiving the response of the mimicry network element real-time feedback control unit to the modify task command: if the response shows that the modification succeeded, generating a data record according to the modification result and storing the data record in the historical task change table of the database; if the response shows that the modification failed, recording the error information as the return result;
The task viewing module is used for receiving a view task command, analyzing the command to obtain the task number, searching the related records in the database and generating the return information;
The task deletion module is used for receiving a delete task command, analyzing the command to obtain the task number, forwarding the delete task command to the mimicry network element real-time feedback control unit, and receiving the response of the mimicry network element real-time feedback control unit to the delete task command: if the response shows that the task was deleted successfully, adding a record to the historical task change table of the database and modifying the corresponding record in the current task state table; if the response shows that the deletion failed, recording the error information as the return result.
The mimicry network element real-time feedback control unit is used for monitoring the operation of the mimicry network element in real time, receiving and executing the task management command forwarded by the mimicry encapsulation task management unit, and feeding the execution result back to the mimicry encapsulation task management unit.
Specifically, the mimicry network element real-time feedback control unit is responsible for real-time monitoring and management of the operation of the mimicry network element, which includes: monitoring the online connection of the mimicry network element; collecting abnormal operation information of the mimicry network element and making decisions (such as detecting abnormal virtual machines and scheduling them); and controlling the running state of the mimicry network element. It also receives and executes the task management command forwarded by the mimicry encapsulation task management unit and feeds the execution result back to the mimicry encapsulation task management unit.
As one possible implementation, as shown in fig. 1, the mimicry network element real-time feedback control unit includes a registration module, a feedback control module and an external command interface. Wherein:
The registration module is used for receiving a connection request from a mimicry network element and establishing a feedback control thread for that mimicry network element;
Specifically, after the proxy virtual machine in the mimicry network element is started, it automatically initiates a connection to the mimicry network element real-time feedback control unit and submits its identity information; the registration module extracts the identity information of the proxy virtual machine, then queries the database, extracts the mimicry network element information corresponding to the proxy virtual machine and returns it to the proxy virtual machine, so that the mimicry network element can start the related applications as required; at the same time, the registration module establishes an independent feedback control thread for the mimicry network element to monitor its operation, and this feedback control thread belongs to the feedback control module.
The feedback control module comprises one feedback control thread per mimicry network element and is used for collecting the operation process information of the mimicry network element, comprehensively analyzing that information, and determining whether the virtual machines of the mimicry network element need to be scheduled and, if so, the scheduling policy; and for controlling the running state of each mimicry network element, where the running state comprises the lease period, the virtual machine scheduling period, the arbitration rule of the proxy virtual machine, the survival state of the proxy virtual machine, and the suspension, restart and deletion of virtual machines;
The external command interface is used for receiving and executing the modify task command and the delete task command forwarded by the mimicry encapsulation task management unit and feeding the execution result back to the mimicry encapsulation task management unit.
Specifically, after receiving a modify task command and/or a delete task command, the external command interface extracts the identity information of the related mimicry network element from the command (such as the task number to be modified and the operation control condition), then sends it to the corresponding feedback control thread; the feedback control module performs the subsequent processing (including modifying the operation control condition, deleting the mimicry network element, and so on); finally the external command interface receives the operation response of the feedback control thread and returns it to the mimicry encapsulation task management unit. It should be noted that when a mimicry network element is to be deleted, all virtual machines of that mimicry network element are deleted together and the corresponding feedback control thread is ended.
Based on the cloud platform-based mimicry application encapsulation and control system provided by the invention, as shown in fig. 3, the embodiment of the invention also provides a cloud platform-based mimicry application encapsulation and control method, where the cloud platform comprises a plurality of mimicry network elements, and the method comprises the following steps:
S301: the mimicry encapsulation system interface receives a user request and forwards the user request to the mimicry encapsulation server unit;
The user can enter the registration page to register as a new user and be approved, or enter the login page and log in directly with a user name and password to reach the tenant page or the administrator page. The tenant page includes: a new task page, a task viewing page (which can be filtered and viewed according to different conditions), a task modification page and a task deletion page related to the tenant; the administrator page includes: a new task page, a task viewing page (which can be filtered and viewed according to different conditions), a task modification page and a task deletion page related to the administrator. The key difference between administrators and tenants is that the administrator can manage all tasks in the system.
S302: the mimicry encapsulation server unit receives the user request forwarded by the mimicry encapsulation system interface and performs preliminary processing according to the type of the user request;
Specifically, the types of user request include: a registration request, a login request and a task management command.
As one implementation, performing the preliminary processing according to the type of the user request specifically includes: checking and filtering the content of a user registration request, adding the user information to the database, and returning a registration success response to the mimicry encapsulation system interface;
extracting the user information transmitted by the mimicry encapsulation system interface from a login request, retrieving and checking the user information in the database, and, if the check succeeds, returning login success information and the user level to the mimicry encapsulation system interface, or, if the check fails, returning login failure information to the mimicry encapsulation system interface;
The users in step S301 are divided into tenants and administrators, and in actual application the tenants are ordinary users, so the user level in this step includes: ordinary user and administrator user.
And performing format checking and authority checking on a task management command, and issuing the checked task management command to the mimicry encapsulation task management unit.
S303: the mimicry encapsulation task management unit receives the task management command issued by the mimicry encapsulation server unit, reprocesses the task management command according to its type, and feeds the processing result back to the mimicry encapsulation server unit;
Specifically, the types of task management command include a new encapsulation task, a modify task, a view task and a delete task;
As one implementation, the reprocessing according to the type of the task management command specifically includes:
if the command is a new encapsulation task command, analyzing the command to obtain the mimicry application type and the security level, creating a task according to the mimicry application type and the security level, and writing the task information into the database;
if the command is a modify task command, analyzing the command to obtain the task number and the modification content, and processing according to the type of the modification content: if the type of the modification content is virtual machine migration, deciding a virtual machine migration policy and performing the migration; if the type of the modification content is a modification other than virtual machine migration, forwarding the modify task command to the mimicry network element real-time feedback control unit;
if the command is a view task command, analyzing the command to obtain the task number, searching the related records in the database, and generating the return information;
if the command is a delete task command, analyzing the command to obtain the task number, and forwarding the delete task command to the mimicry network element real-time feedback control unit.
S304: the mimicry network element real-time feedback control unit monitors the operation of the mimicry network element in real time, receives and executes the task management command forwarded by the mimicry encapsulation task management unit, and feeds the execution result back to the mimicry encapsulation task management unit;
Specifically, monitoring the operation of the mimicry network element in real time includes:
receiving a connection request from a mimicry network element, and establishing a feedback control thread for that mimicry network element;
collecting the operation process information of the mimicry network element, comprehensively analyzing that information, and determining whether the virtual machines of the mimicry network element need to be scheduled and, if so, the scheduling policy;
and controlling the running state of each mimicry network element, where the running state comprises the lease period, the virtual machine scheduling period, the arbitration rule of the proxy virtual machine, the survival state of the proxy virtual machine, and the suspension, restart and deletion of virtual machines.
S305: the mimicry encapsulation task management unit receives the execution result of the mimicry network element real-time feedback control unit and modifies the related task state information in the database according to the execution result;
Specifically, on receiving the response of the mimicry network element real-time feedback control unit to a modify task command: if the response shows that the modification succeeded, a data record is generated according to the modification result and stored in the historical task change table of the database; if the response shows that the modification failed, the error information is recorded as the return result;
on receiving the response of the mimicry network element real-time feedback control unit to a delete task command: if the response shows that the task was deleted successfully, a record is added to the historical task change table of the database and the corresponding record in the current task state table is modified; if the response shows that the deletion failed, the error information is recorded as the return result.
S306: the mimicry encapsulation server unit receives the processing result of the mimicry encapsulation task management unit and feeds the processing result back to the mimicry encapsulation system interface for display.
Specifically, the processing result received by the mimicry encapsulation server unit is presented graphically by the mimicry encapsulation system interface. In addition, the mimicry encapsulation system interface also provides a dynamic presentation of the scheduling history of each task.
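The request path of steps S302 and S303 (format check and authority check at the server unit, then reprocessing by command type at the task management unit), written out as an added example; this is not the patent's own code. The user levels, the four command types and the rule that an administrator manages all tasks while a tenant manages only its own follow the description above; the field names, the in-memory tables standing in for the database, and the assumption that commands forwarded to the feedback control unit succeed are constructed for the example.

```python
"""Server-unit command check followed by task-management-unit dispatch.

Added example, not code from the patent. The level/type vocabulary follows the
description; field names, sample tasks and the "forwarded commands succeed"
shortcut are assumptions.
"""
from dataclasses import dataclass, field

COMMAND_TYPES = {"new", "modify", "view", "delete"}              # the four task management commands
MODIFIABLE = {"migration", "lease", "schedule_period", "arbitration_rule"}  # operation control conditions


@dataclass
class User:
    name: str
    level: str                      # "tenant" or "admin": the user level returned at login


@dataclass
class Task:
    task_id: int
    owner: str
    app_type: str
    security_level: int
    state: str = "running"
    history: list = field(default_factory=list)   # stands in for the historical task change table


class ServerUnit:
    """Mimicry encapsulation server unit: checks a command before issuing it."""

    def __init__(self, tasks: dict):
        self.tasks = tasks          # stands in for the current task state table

    def check_command(self, user: User, cmd: dict) -> tuple:
        """Format check first, then authority check. Returns (ok, reason)."""
        ctype = cmd.get("type")
        if ctype not in COMMAND_TYPES:
            return False, "format: unknown command type"
        if ctype == "new":
            if cmd.get("security_level") not in (1, 2, 3):
                return False, "format: security_level must be 1, 2 or 3"
            if not cmd.get("app_type"):
                return False, "format: app_type missing"
            return True, "ok"
        # modify / view / delete address an existing task by task number
        task = self.tasks.get(cmd.get("task_id"))
        if task is None:
            return False, "format: unknown task_id"
        if ctype == "modify" and (cmd.get("field") not in MODIFIABLE or "value" not in cmd):
            return False, "format: unsupported or incomplete modification"
        # authority: an administrator manages all tasks, a tenant only its own
        if user.level != "admin" and task.owner != user.name:
            return False, "authority: task belongs to another tenant"
        return True, "ok"


class TaskManagementUnit:
    """Mimicry encapsulation task management unit: reprocesses a checked command by type."""

    def __init__(self, tasks: dict):
        self.tasks = tasks
        self.next_id = max(tasks, default=0) + 1

    def process(self, user: User, cmd: dict) -> dict:
        ctype = cmd["type"]
        if ctype == "new":
            task = Task(self.next_id, user.name, cmd["app_type"], cmd["security_level"])
            self.tasks[task.task_id] = task
            self.next_id += 1
            return {"status": "created", "task_id": task.task_id}
        task = self.tasks[cmd["task_id"]]
        if ctype == "view":
            return {"status": "ok", "task": task}
        if ctype == "delete":
            # the real unit forwards this to the feedback control unit and waits for
            # its response; here success is assumed and both tables are updated
            task.state = "deleted"
            task.history.append("deleted")
            return {"status": "deleted", "task_id": task.task_id}
        # modify: migration is decided locally, other conditions are forwarded (assumed to succeed)
        task.history.append(f"{cmd['field']}={cmd['value']}")
        return {"status": "modified", "task_id": task.task_id}


def handle_request(server: ServerUnit, manager: TaskManagementUnit, user: User, cmd: dict) -> dict:
    """One task management command end to end: check at the server unit, then issue."""
    ok, reason = server.check_command(user, cmd)
    if not ok:
        return {"status": "rejected", "reason": reason}
    return manager.process(user, cmd)


def demo_tasks() -> dict:
    """Constructed sample state: two tenants, one task each."""
    return {1: Task(1, "alice", "web", 1), 2: Task(2, "bob", "dns", 3)}
```

The authority check runs only after the format check has resolved the task number, so a malformed command is rejected before any ownership lookup, and a tenant's attempt to act on another tenant's task is refused at the server unit and never reaches the task management unit.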
In the above embodiments, the cloud platform-based mimicry application encapsulation and control system and method of the present invention are described by combining the nodes, namely the mimicry encapsulation server unit, the mimicry encapsulation task management unit and the mimicry network element real-time feedback control unit. The method executed by each of these nodes and the corresponding execution device are also technical schemes based on the same inventive concept. They are now described separately:
The embodiment of the invention also provides a processing method of the mimicry encapsulation task management unit of a cloud platform-based mimicry application, shown in fig. 4, which comprises the following steps:
S401: receiving the task management command issued by the mimicry encapsulation server unit, and judging the type of the task management command: if it is a new encapsulation task, go to S402; if it is a modify task, go to S403; if it is a view task, go to S404; if it is a delete task, go to S405.
S402: further analyzing the command content, obtaining the mimicry application type and the task security level, creating a task according to the mimicry application type and the security level, and writing the task information into the database. Then go to step S406.
Specifically, the security level determines to some extent the number of virtual machines that the mimicry network element to be created needs to include, the arbitration rule of the proxy virtual machine and the virtual machine coexistence state. Therefore a virtual machine creation policy needs to be determined according to the mimicry application type and the security level, then the task is created according to the determined creation policy and the task information is written into the database. The image type of a virtual machine refers to the type of image generated for the different deployed application types, that is, the image type corresponds to the application type. Since a plurality of compute nodes (i.e., hosts) generally exist on the OpenStack platform, when the deployment location of a virtual machine is determined (i.e., which compute node the virtual machine is deployed on), the deployment location is generated randomly by the program according to the coexistence state determined by the security level. When the task is created, the image corresponding to the task is selected and the OpenStack API is called to perform the virtual machine creation work.
Writing the task information into the database specifically comprises: constructing a data record from the task number, the task occurrence time, the task security level, the task state, the information of each newly created virtual machine contained in the task and the virtual machine roles, and storing the data record in both the current task state table and the historical task state table of the database. In the invention, the virtual machine roles are of two types: proxy virtual machine and executor virtual machine.
As an example, the security levels are classified into three levels, 1, 2 and 3: for security levels 1, 2 and 3, the number of executor virtual machines in the mimicry network element to be built may be set to 3, 4 and 5 respectively, the arbitration rules to 2-majority voting (that is, a final response is obtained only when 2 or more executor virtual machines return consistent responses), 3-majority voting and 4-majority voting respectively, and the virtual machine coexistence states to "coexistence" and "no two executor virtual machines coexist on the same host". That is to say, if analysis of the user request shows that the security level is 3, the number of virtual machines in the mimicry network element to be created should be 6, of which 1 is a proxy virtual machine and the other 5 are executor virtual machines, the arbitration rule of 4-majority voting is adopted, and it is ensured that no two executor virtual machines coexist on the same host, with no requirement placed on the proxy virtual machine.
The mimicry application types in the embodiment of the invention include, but are not limited to, web services, DNS services and mail services.
It should be noted that in the present invention, when the type of a virtual machine is not explicitly indicated, "virtual machine" covers both the proxy virtual machine and the executor virtual machine.
S403: further analyzing the command content, obtaining the task number to be modified and the modification content, and processing according to the type of the modification content: if the type of the modification content is virtual machine migration, deciding a virtual machine migration policy and performing the migration; if the type of the modification content is a modification other than virtual machine migration, forwarding the modify task command to the mimicry network element real-time feedback control unit;
Specifically, the modify task command mainly refers to modifying the virtual machine operation control conditions, which are of several types: the virtual machine coexistence state, the task lease time, the task virtual machine scheduling period and the task arbitration rule. The modification content type "virtual machine migration" essentially means that the virtual machine coexistence state is modified; "other modifications" means that the task lease time, the task virtual machine scheduling period or the task arbitration rule is modified.
The virtual machine coexistence state has 2 values: 0 and 1; where 0 means that the executor virtual machines in the mimicry network element are allowed to coexist, and 1 means that the executor virtual machines in the mimicry network element are not allowed to coexist, that is, all executor virtual machines should be distributed on different servers.
For a modification of the virtual machine coexistence state, the virtual machine migration policy is determined according to the specific modification, the OpenStack API is called to perform the virtual machine migration according to the determined policy, the current task state table in the database is changed according to the migration result, a task change record is generated, and the task change record is stored in the historical task state table of the database. Then go to step S406.
Determining the virtual machine migration policy according to the specific modification specifically includes: when the coexistence state changes from 0 to 1, the virtual machines coexisting on the same host need to be migrated so that no two executor virtual machines of the same mimicry application coexist on the same host; when the coexistence state changes from 1 to 0, migration may or may not be performed, since both cases satisfy the condition of allowing coexistence.
For other modifications, the command is sent to the external command interface of the mimicry network element real-time feedback control unit and the response of that unit is awaited: if the response shows that the modification succeeded, a data record is generated according to the modification result and stored in the historical task change table of the database; if the response shows that the modification failed, the error information is recorded as the return result. Then go to step S406.
S404: further analyzing the command content, obtaining the task number to be viewed, searching the related records in the database, and generating the return information. Then go to step S406.
S405: further analyzing the command content, obtaining the task number to be deleted, sending the delete task command to the external command interface of the mimicry network element real-time feedback control unit, and receiving the response of the external command interface: if the response shows that the task was deleted successfully, adding a record to the historical task change table of the database and modifying the corresponding record in the current task state table; if the response shows that the deletion failed, recording the error information as the return result.
S406: returning the processing result to the mimicry encapsulation server unit.
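The creation policy of S402 (security level to executor count, k-majority arbitration rule and coexistence state), the random placement across compute nodes, and the migration policy of S403 (coexistence state 0 to 1 separates executors that share a host; 1 to 0 needs no move), as an added example that is not the patent's own code. The 3/4/5 executor counts and 2/3/4-majority rules are taken from the description above; mapping levels 1 and 2 to coexistence state 0 and level 3 to state 1 is an assumption (the text only pins down level 3), and the host names are constructed. Placement and migration are represented as a dict of executor to host rather than OpenStack API calls.

```python
"""Security level -> creation policy, executor placement, migration plan, arbitration.

Added example, not the patent's own code. Executor counts and k-majority rules
follow the description; the level -> coexistence mapping for levels 1 and 2, the
host names and the dict-based placement model are assumptions.
"""
import random
from collections import defaultdict

# security level -> (executor VMs, k for k-majority voting, coexistence state)
# coexistence state 0 = executors may share a host, 1 = no two executors on one host
POLICY = {1: (3, 2, 0), 2: (4, 3, 0), 3: (5, 4, 1)}


def creation_policy(level: int) -> dict:
    """Virtual machines to create (one proxy plus the executors) and the control conditions."""
    executors, k, coexist = POLICY[level]
    return {"proxy": 1, "executors": executors, "total": executors + 1,
            "vote_k": k, "coexist": coexist}


def place_executors(n: int, hosts: list, coexist: int, rng: random.Random = None) -> dict:
    """Random deployment of n executors on compute nodes, honouring the coexistence state."""
    rng = rng or random.Random()
    if coexist == 1:
        if n > len(hosts):
            raise ValueError("not enough hosts for a non-coexisting placement")
        chosen = rng.sample(hosts, n)           # distinct hosts
    else:
        chosen = [rng.choice(hosts) for _ in range(n)]
    return {f"exec{i + 1}": h for i, h in enumerate(chosen)}


def violates_no_coexist(placement: dict) -> bool:
    """True if any two executors share a host (coexistence state 1 violated)."""
    return len(set(placement.values())) < len(placement)


def migration_plan(placement: dict, hosts: list, new_state: int) -> list:
    """Moves (vm, from_host, to_host) needed when the coexistence state changes.

    0 -> 1: on each host one executor stays and the others move to free hosts.
    1 -> 0: nothing is required; both outcomes satisfy "coexistence allowed".
    """
    if new_state == 0 or not violates_no_coexist(placement):
        return []
    by_host = defaultdict(list)
    for vm, h in placement.items():
        by_host[h].append(vm)
    free = [h for h in hosts if h not in by_host]
    moves = []
    for h, vms in by_host.items():
        for vm in vms[1:]:                      # the first executor stays, the rest migrate
            if not free:
                raise ValueError("not enough hosts to separate all executors")
            moves.append((vm, h, free.pop(0)))
    return moves


def apply_moves(placement: dict, moves: list) -> dict:
    """Placement after the migration plan has been carried out."""
    new = dict(placement)
    for vm, _src, dst in moves:
        new[vm] = dst
    return new


def arbitrate(responses: dict, k: int):
    """k-majority voting as the proxy applies it: a response is final only if at
    least k executors returned it; otherwise there is no final response (None)."""
    counts = defaultdict(int)
    for r in responses.values():
        counts[r] += 1
    for r, c in counts.items():
        if c >= k:
            return r
    return None
```

The migration plan is computed before any migration is attempted, so a state change that cannot be satisfied with the available compute nodes is rejected without partially moving executors; the arbitration helper shows why the thresholds rise with the level: with 5 executors and k=4, a single compromised or faulty executor can neither win nor block a vote on its own.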
Correspondingly, an embodiment of the present invention further provides a mimicry encapsulation task management unit of a cloud platform-based mimicry application, configured to execute the foregoing method, which specifically includes:
The command type judgment module, used for receiving the task management command issued by the mimicry encapsulation server unit and judging the type of the task management command; the types of task management commands comprise a new encapsulation task, a modify task, a view task and a delete task;
The mimicry encapsulation module, used for receiving a new encapsulation task command, analyzing the command to obtain the mimicry application type and the security level, creating a task according to the mimicry application type and the security level, and writing the task information into the database;
The task modification module, used for receiving a modify task command, analyzing the command to obtain the task number and the modification content, and processing according to the type of the modification content: if the type of the modification content is virtual machine migration, deciding a virtual machine migration policy and performing the migration; if the type of the modification content is a modification other than virtual machine migration, forwarding the modify task command to the mimicry network element real-time feedback control unit; and receiving the response of the mimicry network element real-time feedback control unit to the modify task command: if the response shows that the modification succeeded, generating a data record according to the modification result and storing the data record in the historical task change table of the database; if the response shows that the modification failed, recording the error information as the return result;
The task viewing module, used for receiving a view task command, analyzing the command to obtain the task number, searching the related records in the database and generating the return information;
The task deletion module, used for receiving a delete task command, analyzing the command to obtain the task number, forwarding the delete task command to the mimicry network element real-time feedback control unit, and receiving the response of the mimicry network element real-time feedback control unit to the delete task command: if the response shows that the task was deleted successfully, adding a record to the historical task change table of the database and modifying the corresponding record in the current task state table; if the response shows that the deletion failed, recording the error information as the return result.
The embodiment of the invention also provides a processing method of the mimicry network element real-time feedback control unit of a cloud platform-based mimicry application, which comprises the following steps:
S501: monitoring the operation of the mimicry network element in real time; this specifically comprises the following steps:
S5011: receiving a connection request from a mimicry network element, and establishing a feedback control thread for that mimicry network element; as shown in fig. 5, this comprises the following steps:
a1: listening for a connection from the proxy virtual machine;
a2: when a new connection request is received, establishing the connection;
a3: if the connection is established successfully, establishing an independent feedback control thread for the connection and performing proxy feedback control; if the connection fails to be established, abandoning the connection;
a4: going to a1 and continuing to listen for new connections.
S5012: collecting the operation process information of the mimicry network element, comprehensively analyzing that information, and determining whether the virtual machines of the mimicry network element need to be scheduled and, if so, the scheduling policy; and controlling the running state of each mimicry network element, where the running state comprises the lease period, the virtual machine scheduling period, the arbitration rule of the proxy virtual machine, the survival state of the proxy virtual machine, and the suspension, restart and deletion of virtual machines.
Specifically, the running state of each mimicry network element is controlled by collecting the operation process information of the mimicry network element in real time through its feedback control thread. As shown in fig. 6, this step comprises the following steps:
b1: receiving the message sent by the proxy virtual machine in a non-blocking manner, and analyzing the message type.
b2: if the message type is the identity message that the proxy virtual machine actively sends when it comes online, receiving the identity message sent by the proxy virtual machine, retrieving the executor virtual machine information related to the proxy virtual machine from the database, assembling all the executor virtual machine information into a message, and sending the message to the proxy virtual machine. Then go to b5;
b3: if the message type is an abnormal executor virtual machine message found by the proxy virtual machine during arbitration, accumulating the abnormality count of that executor virtual machine, and if the abnormality count exceeds a preset threshold, modifying the state of that executor virtual machine to abnormal. Then go to b5;
b4: if the message type is a heartbeat detection response message sent by the proxy virtual machine, resetting the proxy heartbeat detection timeout timer in the feedback control thread. Then go to b5;
b5: checking the operation control condition change flag of the proxy virtual machine: if the flag indicates a change, go to b6; if the flag indicates no change, go to b9;
b6: checking which control conditions have changed; the control conditions include the lease, the scheduling period and the arbitration rule. If a control condition has changed, modifying the corresponding control variables in the feedback control thread according to the global variables, specifically: if the lease has changed, modifying the lease-related control condition variable in the thread; if the scheduling period has changed, modifying the scheduling-period-related control condition variable in the thread; if the arbitration rule has changed, sending the new arbitration rule directly to the proxy virtual machine.
b7: checking the lease value of the mimicry network element: if the lease is 0, suspending the operation of all virtual machines in the mimicry network element and modifying the related task information in the database; if the lease is greater than 0, performing no operation; if the lease is -1, deleting all virtual machines in the mimicry network element, modifying the related task information in the database, and ending the feedback control thread of the task to be deleted.
b8: checking whether the scheduling period of the executor virtual machines has been reached: if so, generating identical new virtual machines for all existing executor virtual machines, sending the new executor virtual machine information to the proxy virtual machine so that the proxy virtual machine establishes connections with the new executors and disconnects from the old executor virtual machines, modifying the state of the old executor virtual machines to "to be deleted", and finally recording the scheduling information in the database; if not, taking no action.
b9: checking whether the heartbeat detection period has been reached: if so, sending a heartbeat detection message to the proxy virtual machine, starting the proxy heartbeat detection timeout timer, and further detecting whether the proxy heartbeat has timed out: if it has, the proxy virtual machine is disconnected, so rebuilding the proxy virtual machine, then establishing the association between the new proxy virtual machine and the original executor virtual machines, and finally reporting the error information; if not, taking no action.
b10: checking whether the executor virtual machine state detection period has been reached: if so, detecting the state of each executor virtual machine in turn, calling the OpenStack API to regenerate an identical executor virtual machine for each executor virtual machine in the abnormal state and sending a replacement message to the proxy virtual machine so that it brings the new executor virtual machine into online work; calling the OpenStack API to delete each executor virtual machine in the "to be deleted" state; and finally recording the operation information of the related tasks in the database. If not, taking no action.
b11: go to b1.
S502: receiving and executing the task management command forwarded by the mimicry encapsulation task management unit, and feeding back the execution result to the mimicry encapsulation task management unit;
Specifically, the task management command in this step is a modify task command or a delete task command, where the type of the modified content in the modify task command is 'other modifications'. As shown in fig. 7, the step comprises:
S5021: receiving the modify task command or delete task command forwarded by the mimicry encapsulation task management unit; the command can be received through the externally provided task modification API.
S5022: if the received task management command is a modify task command, extracting from the command the task number to be modified and the virtual machine operation control conditions to be modified, and sending this information to the feedback control thread corresponding to that task number;
S5023: receiving the operation response of the feedback control thread and returning the response result to the mimicry encapsulation task management unit.
S5024: if the received task management command is a delete task command, extracting from the command the task number to be deleted, modifying the corresponding task lease to -1, and sending this information to the feedback control thread corresponding to that task number;
S5025: receiving the operation response of the feedback control thread and returning the response result to the mimicry encapsulation task management unit.
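As an added illustration (not code from the patent), the following Python model simulates one feedback control thread's per-iteration checks b5 to b10 together with the external command interface of step S502 (modify and delete commands). The class and function names, the tick-based periods, the in-memory record list standing in for the database, and the counter standing in for OpenStack instance ids are all constructed assumptions.

```python
from dataclasses import dataclass, field
import itertools

_ids = itertools.count(1)   # constructed VM id source; stands in for OpenStack instance ids

@dataclass
class VM:
    vm_id: int
    kind: str               # "proxy" or "executor"
    state: str = "normal"   # "normal", "abnormal", "to_be_deleted" or "suspended"

@dataclass
class MimicryElement:
    """One mimicry network element: a proxy VM plus several executor VMs (constructed model)."""
    task_id: int
    lease: int = 1                       # >0 running, 0 suspend, -1 delete (step b7)
    schedule_period: int = 3             # executor rotation period in ticks (step b8)
    heartbeat_period: int = 2            # proxy heartbeat period in ticks (step b9)
    state_period: int = 2                # executor state detection period in ticks (step b10)
    arbitration_rule: str = "majority"
    proxy: VM = field(default_factory=lambda: VM(next(_ids), "proxy"))
    executors: list = field(default_factory=list)
    proxy_alive: bool = True             # set to False by a caller to model a lost heartbeat
    pending: dict = field(default_factory=dict)   # control-condition changes, i.e. the b5 flag
    records: list = field(default_factory=list)   # stands in for the task tables in the database
    finished: bool = False

def new_executor() -> VM:
    return VM(next(_ids), "executor")

def handle_command(elem: MimicryElement, cmd: dict) -> dict:
    """External command interface (S502): a modify command updates control conditions,
    a delete command sets the lease to -1; the thread picks both up in b5/b6."""
    if cmd.get("task_id") != elem.task_id:
        return {"ok": False, "error": "unknown task"}
    if cmd.get("type") == "delete":                      # S5024
        elem.pending["lease"] = -1
    elif cmd.get("type") == "modify":                    # S5022
        changes = {k: v for k, v in cmd.items()
                   if k in ("lease", "schedule_period", "arbitration_rule")}
        if not changes:
            return {"ok": False, "error": "no control condition in command"}
        elem.pending.update(changes)
    else:
        return {"ok": False, "error": "unsupported command"}
    return {"ok": True, "task_id": elem.task_id}

def run_iteration(elem: MimicryElement, tick: int) -> bool:
    """One pass of the feedback control loop (b5..b10). Returns False once the thread has ended."""
    if elem.finished:
        return False
    if elem.pending:                                     # b5/b6: apply changed control conditions
        for key, value in elem.pending.items():
            setattr(elem, key, value)                    # a new arbitration rule would go to the proxy
        elem.pending.clear()
    if elem.lease == 0:                                  # b7: lease 0 -> suspend all VMs
        for vm in [elem.proxy] + elem.executors:
            vm.state = "suspended"
        elem.records.append(("suspended", tick))
        return True                                      # model choice: skip b8..b10 while suspended
    if elem.lease == -1:                                 # b7: lease -1 -> delete VMs, end the thread
        elem.executors.clear()
        elem.records.append(("deleted", tick))
        elem.finished = True
        return False
    if tick % elem.schedule_period == 0:                 # b8: rotate every healthy executor
        old = [vm for vm in elem.executors if vm.state == "normal"]
        fresh = [new_executor() for _ in old]
        for vm in old:
            vm.state = "to_be_deleted"                   # proxy is switched to the fresh copies
        elem.executors.extend(fresh)
        elem.records.append(("scheduled", tick, [vm.vm_id for vm in fresh]))
    if tick % elem.heartbeat_period == 0 and not elem.proxy_alive:   # b9: heartbeat timed out
        elem.proxy = VM(next(_ids), "proxy")             # rebuild the proxy, keep the executors
        elem.proxy_alive = True
        elem.records.append(("proxy_rebuilt", tick, elem.proxy.vm_id))
    if tick % elem.state_period == 0:                    # b10: executor state detection
        kept = []
        for vm in elem.executors:
            if vm.state == "abnormal":                   # regenerate and swap in a replacement
                repl = new_executor()
                kept.append(repl)
                elem.records.append(("replaced", tick, vm.vm_id, repl.vm_id))
            elif vm.state != "to_be_deleted":            # "to be deleted" executors are removed
                kept.append(vm)
        elem.executors = kept
    return True
```

Driving `run_iteration` with increasing ticks shows the rotation (b8) doubling the executor set and the next state check (b10) pruning the old copies, which is the point at which a stale executor stops receiving traffic.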
Correspondingly, an embodiment of the present invention further provides a mimicry network element real-time feedback control unit for a cloud platform-based mimicry application, configured to execute the foregoing method; with reference to fig. 5 to 7, the mimicry network element real-time feedback control unit comprises:
a registration module, configured to receive a connection request from a mimicry network element and establish a feedback control thread for that mimicry network element;
a feedback control module, comprising one feedback control thread per mimicry network element, configured to collect the operation process information of the mimicry network element, comprehensively analyze it, and determine whether the virtual machines of the mimicry network element need to be scheduled and, if so, the scheduling strategy; and to control the running state of each mimicry network element, the running state comprising the lease period, the virtual machine scheduling period, the arbitration rule of the proxy virtual machine, the survival state of the proxy virtual machine, and the suspension, restart and deletion of virtual machines;
and an external command interface, configured to receive and execute the task management command forwarded by the mimicry encapsulation task management unit and feed back the execution result to the mimicry encapsulation task management unit.
An embodiment of the present invention further provides a processing method of a mimicry encapsulation server unit for a cloud platform-based mimicry application; as shown in fig. 8, the processing method comprises the following steps:
S801: receiving a user request forwarded by the mimicry encapsulation system interface;
S802: performing preliminary processing according to the type of the user request;
Specifically, the types of user request include a registration request, a login request and a task management command, and the preliminary processing comprises:
S8021: for a registration request, checking and filtering the content of the request, adding the user information to the database, and returning a registration success response to the mimicry encapsulation system interface; then going to step S801.
S8022: for a login request, extracting the user information transmitted by the mimicry encapsulation system interface, and retrieving and checking the user information against the database; if the check succeeds, returning login success information and the user level to the mimicry encapsulation system interface; if the check fails, returning login failure information to the mimicry encapsulation system interface; then going to step S801.
S8023: for a task management command, performing a format check and an authority check on the command, and issuing the checked task management command to the mimicry encapsulation task management unit.
S803: receiving the processing result of the mimicry encapsulation task management unit and feeding it back to the mimicry encapsulation system interface for display; then going to step S801.
Correspondingly, an embodiment of the present invention further provides a mimicry encapsulation server unit for a cloud platform-based mimicry application, configured to execute the method described above, the unit comprising:
a user management module, configured to manage the user information in the database, the management comprising: checking and filtering the content of a registration request, adding the user information to the database, and returning a registration success response to the mimicry encapsulation system interface; extracting from a login request the user information transmitted by the mimicry encapsulation system interface, retrieving and checking the user information against the database, and, if the check succeeds, returning login success information and the user level to the mimicry encapsulation system interface, or, if the check fails, returning login failure information to the mimicry encapsulation system interface;
and a command checking and issuing module, configured to perform a format check and an authority check on the task management command and issue the checked task management command to the mimicry encapsulation task management unit; and to receive the processing result of the mimicry encapsulation task management unit and feed it back to the mimicry encapsulation system interface for display.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (6)

1. A cloud platform-based mimicry application encapsulation and control method, characterized in that the cloud platform comprises a plurality of mimicry network elements and the method comprises the following steps:
the mimicry encapsulation system interface receives a user request and forwards it to the mimicry encapsulation server unit;
the mimicry encapsulation server unit receives the user request forwarded by the mimicry encapsulation system interface and performs preliminary processing according to the type of the user request; the types of user request include a registration request, a login request and a task management command; the preliminary processing comprises: checking and filtering the content of a registration request, adding the user information to the database, and returning a registration success response to the mimicry encapsulation system interface; extracting from a login request the user information transmitted by the mimicry encapsulation system interface, retrieving and checking the user information against the database, and, if the check succeeds, returning login success information and the user level to the mimicry encapsulation system interface, or, if the check fails, returning login failure information to the mimicry encapsulation system interface; performing a format check and an authority check on a task management command and issuing the checked task management command to the mimicry encapsulation task management unit;
the mimicry encapsulation task management unit receives the task management command issued by the mimicry encapsulation server unit, reprocesses it according to its type, and feeds back the processing result to the mimicry encapsulation server unit; the types of task management command comprise a new encapsulation task, a modify task, a view task and a delete task; the reprocessing comprises:
for a new encapsulation task command, parsing the command to obtain the mimicry application type and the security level, creating a task according to the mimicry application type and the security level, and writing the task information into the database; for a modify task command, parsing the command to obtain the task number and the modification content, and processing according to the type of the modification content: if the type of the modification content is virtual machine migration, deciding a virtual machine migration strategy and carrying out the migration; if the type of the modification content is a modification other than virtual machine migration, forwarding the modify task command to the mimicry network element real-time feedback control unit; for a view task command, parsing the command to obtain the task number, searching the related records in the database, and generating the return information; for a delete task command, parsing the command to obtain the task number and forwarding the delete task command to the mimicry network element real-time feedback control unit;
the mimicry network element real-time feedback control unit monitors the operation of the mimicry network elements in real time, receives and executes the task management command forwarded by the mimicry encapsulation task management unit, and feeds back the execution result to the mimicry encapsulation task management unit;
the mimicry encapsulation task management unit receives the execution result of the mimicry network element real-time feedback control unit and modifies the related task state information in the database according to the execution result;
the mimicry encapsulation server unit receives the processing result of the mimicry encapsulation task management unit and feeds it back to the mimicry encapsulation system interface for display;
wherein each mimicry network element is formed by a plurality of virtual machines, being a combination of one proxy virtual machine and a plurality of executor virtual machines.
2. The method according to claim 1, wherein the mimicry encapsulation task management unit receiving the execution result of the mimicry network element real-time feedback control unit and modifying the related task state information in the database according to the execution result specifically comprises:
receiving the response of the mimicry network element real-time feedback control unit to a modify task command: if the response indicates that the modify task succeeded, generating a data record according to the modification result and storing it in the historical task change table of the database; if the response indicates that the modify task failed, recording the error information as the return result;
receiving the response of the mimicry network element real-time feedback control unit to a delete task command: if the response indicates that the task was deleted successfully, adding a record to the historical task change table of the database and modifying the corresponding record in the current task state table; if the response indicates that the deletion failed, recording the error information as the return result.
3. The method according to claim 1, wherein the mimicry network element real-time feedback control unit monitoring the operation of the mimicry network elements in real time specifically comprises:
receiving a connection request from a mimicry network element and establishing a feedback control thread for that mimicry network element;
collecting the operation process information of the mimicry network element, comprehensively analyzing it, and determining whether the virtual machines of the mimicry network element need to be scheduled and, if so, the scheduling strategy;
and controlling the running state of each mimicry network element, the running state comprising the lease period, the virtual machine scheduling period, the arbitration rule of the proxy virtual machine, the survival state of the proxy virtual machine, and the suspension, restart and deletion of virtual machines.
4. A cloud platform-based mimicry application encapsulation and control system, wherein the cloud platform comprises a plurality of mimicry network elements, the system comprising:
a mimicry encapsulation system interface, configured to receive a user request and forward it to the mimicry encapsulation server unit;
a mimicry encapsulation server unit, configured to receive the user request forwarded by the mimicry encapsulation system interface and perform preliminary processing according to the type of the user request, and to receive the processing result of the mimicry encapsulation task management unit and feed it back to the mimicry encapsulation system interface for display; the mimicry encapsulation server unit comprises:
a user management module, configured to manage the user information in the database, the management comprising: checking and filtering the content of a registration request, adding the user information to the database, and returning a registration success response to the mimicry encapsulation system interface; extracting from a login request the user information transmitted by the mimicry encapsulation system interface, retrieving and checking the user information against the database, and, if the check succeeds, returning login success information and the user level to the mimicry encapsulation system interface, or, if the check fails, returning login failure information to the mimicry encapsulation system interface;
and a command checking and issuing module, configured to perform a format check and an authority check on the task management command and issue the checked task management command to the mimicry encapsulation task management unit, and to receive the processing result of the mimicry encapsulation task management unit and feed it back to the mimicry encapsulation system interface for display;
a mimicry encapsulation task management unit, configured to receive the task management command issued by the mimicry encapsulation server unit, reprocess it according to its type, and feed back the processing result to the mimicry encapsulation server unit; and to receive the execution result of the mimicry network element real-time feedback control unit and modify the related task state information in the database according to the execution result; the mimicry encapsulation task management unit comprises:
a command type judging module, configured to receive the task management command issued by the mimicry encapsulation server unit and judge its type; the types of task management command comprise a new encapsulation task, a modify task, a view task and a delete task;
a mimicry encapsulation module, configured to receive a new encapsulation task command, parse the command to obtain the mimicry application type and the security level, create a task according to the mimicry application type and the security level, and write the task information into the database;
a task modification module, configured to receive a modify task command, parse the command to obtain the task number and the modification content, and process according to the type of the modification content: if the type of the modification content is virtual machine migration, deciding a virtual machine migration strategy and carrying out the migration; if the type of the modification content is a modification other than virtual machine migration, forwarding the modify task command to the mimicry network element real-time feedback control unit; and to receive the response of the mimicry network element real-time feedback control unit to the modify task command: if the response indicates that the modify task succeeded, generating a data record according to the modification result and storing it in the historical task change table of the database; if the response indicates that the modify task failed, recording the error information as the return result;
a task viewing module, configured to receive a view task command, parse the command to obtain the task number, search the related records in the database, and generate the return information;
and a task deletion module, configured to receive a delete task command, parse the command to obtain the task number, forward the delete task command to the mimicry network element real-time feedback control unit, and receive the response of the mimicry network element real-time feedback control unit to the delete task command: if the response indicates that the task was deleted successfully, adding a record to the historical task change table of the database and modifying the corresponding record in the current task state table; if the response indicates that the deletion failed, recording the error information as the return result;
a mimicry network element real-time feedback control unit, configured to monitor the operation of the mimicry network elements in real time, receive and execute the task management command forwarded by the mimicry encapsulation task management unit, and feed back the execution result to the mimicry encapsulation task management unit;
wherein each mimicry network element is formed by a plurality of virtual machines, being a combination of one proxy virtual machine and a plurality of executor virtual machines.
5. The system according to claim 4, wherein the mimicry encapsulation system interface comprises a registration page and a login page, the login page comprises a tenant page and an administrator page, the tenant page and the administrator page each comprise an add task page and a task view page, and the task view page comprises a task modification page and a task deletion page.
6. The system according to claim 4, wherein the mimicry network element real-time feedback control unit comprises:
a registration module, configured to receive a connection request from a mimicry network element and establish a feedback control thread for that mimicry network element;
a feedback control module, comprising one feedback control thread per mimicry network element, configured to collect the operation process information of the mimicry network element, comprehensively analyze it, and determine whether the virtual machines of the mimicry network element need to be scheduled and, if so, the scheduling strategy; and to control the running state of each mimicry network element, the running state comprising the lease period, the virtual machine scheduling period, the arbitration rule of the proxy virtual machine, the survival state of the proxy virtual machine, and the suspension, restart and deletion of virtual machines;
and an external command interface, configured to receive and execute the task management command forwarded by the mimicry encapsulation task management unit and feed back the execution result to the mimicry encapsulation task management unit.
CN201910962974.0A 2019-10-11 2019-10-11 Cloud platform-based mimicry application packaging and control system and method Active CN110764871B (en)

Publications (2)

Publication Number Publication Date
CN110764871A CN110764871A (en) 2020-02-07
CN110764871B true CN110764871B (en) 2023-02-14
