CN112073397B - Software-defined security-based hybrid resource management system - Google Patents

Software-defined security-based hybrid resource management system Download PDF

Info

Publication number
CN112073397B
CN112073397B CN202010880502.3A CN202010880502A CN112073397B CN 112073397 B CN112073397 B CN 112073397B CN 202010880502 A CN202010880502 A CN 202010880502A CN 112073397 B CN112073397 B CN 112073397B
Authority
CN
China
Prior art keywords
resource
module
control
management
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010880502.3A
Other languages
Chinese (zh)
Other versions
CN112073397A (en
Inventor
杨茂深
赵慧
于然
张雨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Computer Technology and Applications
Original Assignee
Beijing Institute of Computer Technology and Applications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Institute of Computer Technology and Applications filed Critical Beijing Institute of Computer Technology and Applications
Priority to CN202010880502.3A priority Critical patent/CN112073397B/en
Publication of CN112073397A publication Critical patent/CN112073397A/en
Application granted granted Critical
Publication of CN112073397B publication Critical patent/CN112073397B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Stored Programmes (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a hybrid resource management system based on software defined security, and belongs to the field of software defined security and the technical field of virtualization. The hybrid resource management system based on software definition safety provided by the invention follows a standard software definition safety architecture, considers the advantages of the traditional software definition safety, realizes the decoupling of data and control, ensures the mutual separation of a data layer and a control layer, and solves the problems of software service management and control and hybrid resource scheduling.

Description

Software definition security-based hybrid resource management system
Technical Field
The invention belongs to the field of software definition security and the technical field of virtualization, and particularly relates to a hybrid resource management system based on software definition security.
Background
Software definition security is extended from the concept of a software defined network, traditional software definition security focuses on security equipment, and abstracts the functions of the security equipment, so that the security equipment does not adopt working modes which are respectively administrative and independently deployed, and the software defined network management method has the advantages that the networking division effect of the software defined network is utilized, network equipment with physical partitions which are not together is divided into the same management system for management, and the scheduling and the management of the security functions are facilitated; the coupling between the data processing layer and the control management layer is removed, the central management can conveniently and independently control each device with the same function, and the difference of management control layers such as manufacturer versions is ignored. However, the conventional software defined security has disadvantages, such as only aiming at physical or virtual network security devices, not at security oriented functions. The system can manage and control hardware devices such as IDS, firewall, server and the like, can also configure virtual network devices, but lacks management aiming at software type security service or security plug-in; secondly, software-defined security also lacks an orchestration means for multiple secure resources, especially in combination with software and hardware resource scheduling.
Disclosure of Invention
Technical problem to be solved
The technical problem to be solved by the invention is as follows: how to provide a hybrid resource management system based on software defined security aiming at service management and control in software aspect and scheduling condition of software and hardware hybrid resources which are lacked in the current software defined security system, inheriting the advantages of the traditional software defined security, and solving the problems of software service management and control and hybrid resource scheduling.
(II) technical scheme
In order to solve the technical problem, the invention provides a hybrid resource management system based on software defined security, which comprises a security resource module of various hybrid resources, a centralized control module responsible for resource scheduling and distribution, and an application management module providing a calling interface for a user.
Preferably, the secure resource module is a component of the data layer, and provides mixed resources of a container, a physical device, a virtual device, a secure application, and a secure service; the centralized control module directly interacts with the security resources to realize the uniform scheduling and management of various resources in the security resource module, and the application management module is associated with the applications and services of users to provide uniform interfaces for various applications and services.
Preferably, the security resource module is composed of physical and virtual security network devices, containers, security services and security processes, the security resource module integrates a data layer obtained by splitting an SDN, and then uses an NFV technology to complete virtualization of network functions, and ensures that all mixed resources have respective enough system resources, thereby providing security storage, starting environment and operation dependence; the centralized control module integrates the control layers split by the SDN and integrates the control management module according to the resource type, so that the centralized control module downwards performs arrangement and state management on the functional components of the mixed resources; the centralized control module pairs the function points and the control of various resources to form a 'control-function pair', integrates the function points and the control-function pair into a control interface, upwards provides a control management API for the application management module, downwards performs resource allocation and scheduling on the security resource module, realizes the management of scheduling and arranging of mixed resources, completes the service distribution of the security resource module through a configuration service chain, classifies the control management API according to the function points and the function types, re-adapts the control interfaces of the mixed resources, further integrates all the function interfaces in a unified way, and provides the occupation allocation management and the system resource allocation of the security resources; the application management module is directly connected with a user, and provides a security service interface, a security application interface, a resource management interface and an arrangement engine task issuing interface for the user; the application management module inquires and manages through a resource management interface, the resource allocation condition of the safety resources in the safety resource module, the deployment management of physical and virtual safety equipment and the scheduling use condition of the network virtualization module; and checking the management condition of each control-function pair, the use condition and the detailed configuration of the function elements and the configuration condition of the service chain of the control management module in the centralized management module.
Preferably, the secure resource module is composed of multiple carrier types, physical and virtual secure network devices, containers, secure services and secure processes; according to the security products, 10 types including firewall type, security vulnerability scanning analysis type, intrusion detection type, network equipment security module type, virus protection type, network 3A, security operating system type, network security isolation type, security protocol type and encryption type are classified; the 10-class functions realize network, calculation and storage splitting of the data processing layer through NFV to obtain relatively independent 10-class safety function elements, and the centralized control module schedules the safety function elements to further complete safety tasks required by users.
Preferably, the centralized control module recombines the control layers according to the functional elements of various safety resources, manages uniformly and adapts the control layers as external interfaces to be provided for the application management module; the centralized control module consists of a resource scheduling engine, a control management module and a control interface decoupled from the security resources; the resource scheduling engine is used for judging, distributing and scheduling whether the current system resource can start the functional element, whether the current functional element is occupied or not and whether deadlock occurs or not, and the starting aspect adopts an FIFO mode to ensure the operating environments of a container and software; the control management module is responsible for pairing and managing 'control-function pair', managing the resource access authority, acquiring information of the state of the function element and feeding the information back to the resource scheduling engine in time; and aiming at the functional elements of the safety resource module, a resource scheduling engine in charge of dynamic allocation and a control management module in charge of resource management and control schedule the functional elements.
Preferably, the application management module accepts an external interface provided by the centralized control module, the application management module includes a security service interface and a security application interface for standardizing the interface format, a resource management interface for modifying and querying security resources, and an orchestration engine task issuing interface for processing security tasks, and provides these simplified and centralized security function solutions to users, and users can directly use these services to execute required services, and can also use the orchestration engine application to issue orchestration tasks.
Preferably, the centralized management module directly interacting with the security resources further splits the control layer against the functions based on the security function elements, corresponds the control layer to the security function elements, forms the function unitized control elements as much as possible, takes the 10-class security functions as branches, and converges to form the control elements by taking the single function as a unit, and constructs the control elements as the control interfaces, and the centralized control module externally provides the control interfaces with the minimized functions for the application management module to use.
Preferably, the control management module is further configured to configure the service chaining module, and is responsible for managing a source and allocation of each functional element when processing input, including which secure resource the data stream is allocated to process, where the processing mode is forwarding traffic or copy traffic.
Preferably, the resource scheduling engine determines the resources expected to be consumed by the security resources in the following manner: the following definitions are first made: resource overhead
Figure BDA0002653957690000041
Refers to the resource overhead incurred by deploying a functional element i to a virtual resource r,
Figure BDA0002653957690000042
represents the storage overhead of the selected virtual resource r;
Figure BDA0002653957690000043
an overhead of computing resources representing the selected virtual resource r;
Figure BDA0002653957690000044
representing the deployment of functional elements i onto virtual resources r and resource schedulingInteraction overhead generated by the degree engine;
Figure BDA0002653957690000045
the data transmission quantity between the function module representing the function element and the resource scheduling engine;
thus, there are:
Figure BDA0002653957690000046
resource scheduling engine pair
Figure BDA0002653957690000047
And judging, when the distributable resources do not meet the conditions, waiting for resource distribution and execution in an FIFO mode, detecting the deadlock problem of the function element resource request in real time by the centralized management module, checking the running state of the safety resources, and carrying out proper adjustment and distribution.
The invention also provides a working method of the system after the user calls the application management module interface, which comprises the following steps: the user application calls a single safety function through a service interface of the application management module; the user application issues a task strategy issued by a user through an arrangement engine interface of the application management module to realize the scheduling of a plurality of safety functions and a plurality of safety resources; the user modifies the configuration of the control management configuration and the resource management configuration through a resource management interface of the application management module;
the step of calling the single security function by the application through the service interface provided by the application management module specifically comprises the following steps: (1) the user-defined application selects and calls a service interface with one function according to the self-requirement; (2) the service interface is connected with the centralized management module to control and manage the API and issue a resource application; (3) a resource scheduling engine of the centralized control module schedules a control submodule where a control element of the function is located according to the application content; (4) the control sub-module starts the function element of the corresponding safety resource module according to the control-function pair and executes the safety function;
the step of calling the security resource through the orchestration engine specifically comprises the following steps: (1) the scheduling engine receives a task strategy issued by a user and generates a scheduling task according to the task strategy; (2) the arrangement engine judges whether the current resource meets the arrangement condition according to the arrangement task content, and waits if the current resource does not meet the arrangement condition; (3) after the arranging condition is met, according to each safety function configured in the task, calling a corresponding service interface and issuing a resource application; (4) a resource scheduling engine of the centralized control module schedules a control submodule where a control element of the function is located according to the application content; (5) the control sub-module starts the function element of the corresponding safety resource module according to the control-function pair and executes the safety function;
the step of modifying the resource configuration through the resource management interface provided by the application management module specifically comprises the following steps: (1) a user calls a resource management interface to send out a management request; (2) the resource management processing module processes the management request and inquires corresponding management contents; (3) judging according to the query target, distinguishing into control management configuration or resource management configuration, and querying modules of different levels; (4) if the query target is control management configuration, the management condition of a control-function pair of the centralized control module, the use condition and detailed configuration of the function elements, the configuration condition of the service chain and the like are displayed; (5) if the query target is resource management configuration, displaying the resource allocation condition of the security resources in the security resource module, the deployment management of physical, namely virtual security equipment, and the scheduling use condition of the network virtualization module; (6) and finishing the modification of the resource configuration.
(III) advantageous effects
The hybrid resource management system based on software definition safety provided by the invention follows a standard software definition safety architecture, considers the advantages of the traditional software definition safety, realizes the decoupling of data and control, ensures the mutual separation of a data layer and a control layer, and solves the problems of software service management and control and hybrid resource scheduling.
Drawings
FIG. 1 is a block diagram of a hybrid resource management system based on software-defined security according to the present invention;
FIG. 2 is a sequence diagram illustrating a service interface usage flow of a hybrid resource management system based on software defined security according to the present invention;
FIG. 3 is a timing diagram illustrating a process for using an orchestration engine of a hybrid resource management system based on software defined security according to the present invention;
fig. 4 is a flowchart illustrating a resource management interface of a hybrid resource management system based on software defined security according to the present invention.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
As shown in fig. 1, the system constructs a software defined security architecture overall architecture based on SDN/NFV, the SDN decouples the control layer and the data processing layer of security resources, so that the decoupled control layer interface does not depend on the architecture of each manufacturer alone, and the NFV further decouples the data processing layer to obtain independent modules for network, calculation and storage, so that the security function does not depend on a dedicated device. The software defined security architecture is divided into three levels, therefore, the system comprises from bottom to top: the system comprises a safety resource module containing various mixed resources, a centralized control module in charge of resource scheduling and distribution, and an application management module for providing a calling interface for a user.
The security resource module is used as an important component of the data layer and provides mixed resources of a container, physical equipment, virtual equipment, security application and security service; the control layer comprises a centralized control module and an application management module, wherein the centralized control module directly interacts with the security resources to realize the uniform scheduling and management of various resources in the security resource module, and the application management module is associated with the applications and services of the user to provide uniform interfaces for various applications and services and reduce the professional requirements of the user on the application system. The control layer has the characteristics of centralized management, high efficiency of resource utilization, simplicity in operation and the like, and is suitable for network security construction of large groups and organizations.
The security resource module integrates a data layer obtained by SDN splitting, and then uses NFV technology to complete virtualization of network functions, and ensures that all mixed resources have respective enough system resources, thereby providing security storage, starting environment and operation dependence; the centralized control module integrates the control layers split by the SDN and integrates the control management module according to the resource types, so that the centralized control module comprises a container control submodule, a software control submodule, an equipment control submodule and an access control submodule and downwards arranges and manages the state of the functional components of the mixed resources; the centralized control module pairs the function points and the control of various resources to form a control-function pair, integrates the control-function pair into a control interface, upwards provides a control management API for the application management module, downwards performs resource allocation and scheduling on the safety resource module to realize the management of scheduling and arrangement of mixed resources, completes service distribution on the safety resource module through a configuration service chain, and the control management API classifies according to the function points and the function types, re-adapts the control interfaces of the mixed resources to further uniformly integrate all the function interfaces and provide occupation allocation management and system resource allocation of the safety resources. The application management module is responsible for directly connecting users, provides a simpler and more convenient security service interface, a security application interface, a resource management interface and an arrangement engine task issuing interface for the users, and the users can use the arrangement engine to realize the connection of services required by corresponding services, can also directly use the service application interface normalized by the application management module, and can also manage the resource management of the security resource module through the resource management interface to carry out resource configuration, authority and storage management. The user can directly interface the service interface, the service interface standardizes the control management API of the centralized management module, and the user can conveniently call a single safety function; the user can also utilize the arrangement engine of the application management module to process corresponding services, the arrangement engine constructs a plurality of safety functions to form tasks, and the function execution sequence and parameters are flexibly adjusted; the application management module inquires and manages through a resource management interface, the resource allocation condition of the safety resource in the safety resource module, the deployment management of physical and virtual safety equipment, the scheduling use condition of the network virtualization module and the like; and checking the management condition of the control management module in the centralized management module on each control-function pair, the use condition and the detailed configuration of the function elements, the configuration condition of the service chain and the like.
The safety resource module consists of various carrier types, physical and virtual safety network equipment, a container, safety service and safety process; the security products are classified into 10 types, namely, firewall type, security vulnerability scanning analysis type, intrusion detection type, network equipment security module type, virus protection type, network 3A, security operating system type, network security isolation type, security protocol type and encryption type. The 10-class functions realize network, calculation and storage splitting of the data processing layer through NFV to obtain relatively independent 10-class safety function elements, and the centralized control module schedules the safety function elements to further complete safety tasks required by users.
The centralized control module is composed of control layers of software defined security technology decoupling, and the centralized control module recombines the control layers according to the functional elements of various security resources, manages the control layers in a unified mode and adapts the control layers into external interfaces to be provided for the application management module. Aiming at the functional elements of the safety resource module, the centralized control module schedules the functional elements by a resource scheduling engine in charge of dynamic allocation and a control management module in charge of resource management and control, the resource scheduling engine judges allocation and scheduling according to whether the current system resources can start the functional elements, whether the current functional elements are occupied, whether deadlock occurs and the like, and a service chain module is used for allocating the trend of data streams, forwarding and copying and other processing modes.
The application management module is used for receiving an external interface provided by the centralized control module, comprises a security service interface and a security application interface for standardizing the interface format, a resource management interface for modifying and inquiring security resources and an arrangement engine task issuing interface for processing security tasks, and provides simplified and centralized security function solutions for users. Users can directly utilize the services to execute required services, and can also use the orchestration engine application to issue orchestration tasks.
The safety resource module for gathering various resources is composed of various carrier types. Different from the traditional software definition system, the system comprehensively considers the potential safety hazard of pure software service/application and the software and hardware scheduling plan of the service, and brings the lightweight virtualization container, the safety service and the process into the overall range of safety resources. Network functions are further virtualized by using NFV technology to obtain independent modules of network, calculation and storage, functional elements aiming at specific safety functions are formed according to functional division, and a management system can directly use the combination of the functional elements to finish the use of safety resources.
The centralized management module directly interacting with the security resources further splits the control layer according to the functions on the basis of the security function elements, corresponds the control layer to the security function elements, and forms functional unitized control elements as much as possible, which is different from the traditional software definition system, and the control layer split of the system is more unitized. The 10-class security functions are taken as branches, the control elements are formed by converging single functions as units, and the control elements are constructed as control interfaces. The centralized control module provides externally such a control interface with minimized functionality for use by the application management module.
The centralized control module of the management system constructs a scheduling and management engine aiming at the security resource module, and the scheduling and management engine consists of a resource scheduling engine, a control management module and a control interface decoupled from the security resources. The resource scheduling engine judges and schedules whether the current system resource can start the functional element, whether the current functional element is occupied, whether deadlock occurs and the like, and the starting aspect adopts an FIFO mode to ensure the operating environments of containers, software and the like. The control management module is divided into a container control submodule, an equipment control submodule, a software control submodule and an access control submodule and is responsible for pairing and managing 'control-function pair', managing resource access authority, acquiring information of the states of the function elements and feeding the information back to the resource scheduling engine in time so as to avoid the problems of occupation waiting, overload and the like. In addition, the control management module configures the service chain module, and is responsible for managing the source and allocation of each functional element when processing input, including which secure resource the data stream is allocated to for processing, and the processing mode is forwarding traffic or copying traffic.
The resource scheduling engine is used for a safe resource stationThe manner of determining the resources expected to be consumed is: the following definitions are first made: resource overhead
Figure BDA0002653957690000101
Refers to the resource overhead incurred by deploying a functional element i to a virtual resource r,
Figure BDA0002653957690000102
represents the storage overhead of the selected virtual resource r;
Figure BDA0002653957690000103
an overhead of computing resources representing the selected virtual resource r;
Figure BDA0002653957690000104
representing the interaction overhead generated by deploying the functional element i on the virtual resource r and a resource scheduling engine;
Figure BDA0002653957690000105
the quantity of transmission data between the function module representing the function element and the resource scheduling engine;
thus, there are:
Figure BDA0002653957690000106
resource scheduling engine pair
Figure BDA0002653957690000107
And judging, when the allocable resources do not meet the conditions, waiting for resource allocation and execution in an FIFO mode, detecting the deadlock problem of the functional element resource request in real time by the centralized management module, checking the running state of the safe resources, and carrying out proper adjustment and allocation.
The application management module provides a simplified single-function application/service interface, a resource management interface and a task issuing interface of the scheduling engine. The arrangement engine consists of a strategy analysis module, an arrangement task generation module, an arrangement task execution module, an arrangement task model library and a security resource model, a user initiates a configuration strategy, the analysis module analyzes to obtain the operation required to be executed by the user, the analysis engine calls complex operations such as ids detection, flow cleaning, user authentication and the like according to a task template, each function element is configured to start sequence timing and circulation according to the requirement, the security resource model simulates the actual running condition, and when the arrangement problem does not exist, the arrangement task execution module issues the task, calls a corresponding interface provided by the centralized control module, runs and monitors.
For resource management, the resource management interface of the application management module is used for inquiring the safe resource control condition of the centralized control module, so that the management condition of the control management module of the centralized control module on each control-function pair can be obtained, the use condition and the detailed configuration of the function elements can be checked, the configuration condition of the service chain can be checked, and the resource management interface is used for configuring and managing the centralized control module. The resource management interface of the application management module is used for inquiring the equipment condition of the security resource module, so that the resource allocation condition of the security resource, the deployment management of the physical and virtual security equipment and the scheduling use condition of the network virtualization module can be obtained, and the resource management interface is used for visually inquiring the configuration management of the corresponding management module.
The invention is introduced by using a plurality of embodiments, and the working process of the hybrid resource management system based on software defined safety after a user calls an application management module interface comprises the following steps: the user application calls a single safety function through a service interface of the application management module; the user application issues a task strategy issued by a user through an arrangement engine interface of the application management module to realize the scheduling of a plurality of safety functions and a plurality of safety resources; and the user modifies the configuration of the control management configuration and the resource management configuration through the resource management interface of the application management module.
As shown in fig. 2, an embodiment of the hybrid resource management system based on software defined security according to the present invention, wherein the step of calling the single security function by the service interface provided by the application management module is: (1) the user-defined application selects a service interface of a certain function according to the self-requirement and calls the service interface; (2) the service interface is connected with the centralized management module to control and manage the API and issue a resource application; (3) a resource scheduling engine of the centralized control module schedules a control submodule where a control element of the function is located according to the application content; (4) the control sub-module enables the function element of the corresponding security resource module according to the control-function pair and executes the security function.
As shown in fig. 3, an embodiment of the hybrid resource management system based on software defined security according to the present invention, wherein the step of invoking the secure resource by the orchestration engine is: (1) the scheduling engine receives a task strategy issued by a user and generates a scheduling task according to the task strategy; (2) the arrangement engine judges whether the current resource meets the arrangement condition according to the arrangement task content, and waits if the current resource does not meet the arrangement condition; (3) after the arranging condition is met, according to each safety function configured in the task, calling a corresponding service interface and issuing a resource application; (4) a resource scheduling engine of the centralized control module schedules a control submodule where a control element of the function is located according to the application content; (5) the control sub-module enables the function element of the corresponding safety resource module according to the control-function pair and executes the safety function.
As shown in fig. 4, an embodiment of the hybrid resource management system based on software defined security according to the present invention, wherein the step of modifying the resource configuration through the resource management interface provided by the application management module comprises: (1) a user calls a resource management interface to send out a management request; (2) the resource management processing module processes the management request and inquires corresponding management contents; (3) judging according to the query target, distinguishing into control management configuration or resource management configuration, and querying modules of different levels; (4) if the query target is control management configuration, the management condition of a control-function pair of the centralized control module, the use condition and detailed configuration of the function elements, the configuration condition of the service chain and the like are displayed; (5) if the query target is resource management configuration, displaying the resource allocation condition of the security resources in the security resource module, the deployment management of physical and virtual security equipment, the scheduling use condition of the network virtualization module and the like; (6) and finishing the modification of the resource configuration.
Compared with the prior art, the invention has the following advantages:
1. the safety resource module provides mixed resources of software and hardware, covers a wider safety resource range, has more contents and is easy to expand, and realizes an application scene of combining the safety functions of the software and the hardware.
2. The centralized control module provides functions of safe resource occupation waiting and allocation optimization, reasonably schedules resources of the safe resource module, optimizes internal management and facilitates cooperation and intercommunication among mixed resources.
3. The application management module is classified according to the safety function, and provides a uniform, simple and easy-to-operate resource utilization interface based on the API provided upwards by the centralized control module.
4. The application management module is provided with an arrangement engine, and is configured with a safety device model and an arrangement task template to simulate the actual arrangement effect, so that whether the current resource is suitable for task arrangement is judged.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (7)

1. A hybrid resource management system based on software defined security, the hybrid resource management system comprising: the system comprises a safety resource module containing various mixed resources, a centralized control module in charge of resource scheduling and distribution, and an application management module for providing a calling interface for a user;
the security resource module is used as a component of a data layer and provides mixed resources of a container, physical equipment, virtual equipment, security application and security service; the centralized control module directly interacts with the security resources to realize the uniform scheduling and management of various resources in the security resource module, and the application management module is associated with the applications and services of users to provide uniform interfaces for various applications and services;
the security resource module is composed of physical and virtual security network equipment, a container, security services and a security process, integrates a data layer obtained by splitting an SDN, and then completes virtualization of network functions by using an NFV (network file virtualization) technology, ensures that all mixed resources have respective enough system resources, and provides security storage, a starting environment and operation dependence; the centralized control module integrates the control layers split by the SDN and integrates the control management module according to the resource type, so that the centralized control module downwards performs arrangement and state management on the functional components of the mixed resources; the centralized control module pairs the function points and the control of various resources to form a 'control-function pair', integrates the function points and the control to form a control interface, upwards provides a control management API for the application management module, downwards performs resource allocation and scheduling on the safety resource module, realizes the management of scheduling and arrangement of mixed resources, completes the service distribution of the safety resource module through a configuration service chain, classifies the control management API according to the function points and the function types, re-adapts the control interfaces of the mixed resources, further integrates all the function interfaces in a unified way, and provides the occupation allocation management and the system resource allocation of the safety resources; the application management module is directly connected with a user, and provides a security service interface, a security application interface, a resource management interface and an arrangement engine task issuing interface for the user; the application management module inquires and manages through a resource management interface, the resource allocation condition of the safety resources in the safety resource module, the deployment management of physical and virtual safety equipment and the scheduling use condition of the network virtualization module; checking the management condition of each 'control-function pair', the use condition and the detailed configuration of the function elements and the configuration condition of the service chain by a control management module in the centralized management module;
the working method of the hybrid resource management system after the user calls the application management module interface comprises the following steps: the user application calls a single safety function through a service interface of the application management module; the user application issues the task strategy issued by the user through an arrangement engine interface of the application management module to realize the scheduling of a plurality of safety functions and a plurality of safety resources; the user modifies the configuration of the control management configuration and the resource management configuration through a resource management interface of the application management module;
the step of calling the single security function by the application through the service interface provided by the application management module specifically comprises the following steps: (1) the user-defined application selects and calls a service interface with one function according to the self-requirement; (2) the service interface is connected with the centralized management module to control and manage the API and issue a resource application; (3) a resource scheduling engine of the centralized control module schedules a control submodule where the control element of the function is located according to the application content; (4) the control sub-module starts the function element of the corresponding safety resource module according to the control-function pair and executes the safety function;
the steps of calling the security resources through the orchestration engine specifically include: (1) the scheduling engine receives a task strategy issued by a user and generates a scheduling task according to the task strategy; (2) the arrangement engine judges whether the current resource meets the arrangement condition according to the arrangement task content, and waits if the current resource does not meet the arrangement condition; (3) after the arranging condition is met, according to each safety function configured in the task, calling a corresponding service interface and issuing a resource application; (4) a resource scheduling engine of the centralized control module schedules a control submodule where the control element of the function is located according to the application content; (5) the control sub-module starts the function element of the corresponding safety resource module according to the control-function pair and executes the safety function;
the step of modifying the resource configuration through the resource management interface provided by the application management module specifically comprises the following steps: (1) a user calls a resource management interface to send out a management request; (2) the resource management processing module processes the management request and inquires corresponding management contents; (3) judging according to the query target, distinguishing into control management configuration or resource management configuration, and querying modules of different levels; (4) if the query target is control management configuration, displaying the management condition, the use condition and the detailed configuration of the function elements and the configuration condition of the service chain of the centralized control module 'control-function pair'; (5) if the query target is resource management configuration, displaying the resource allocation condition of the security resources in the security resource module, the deployment management of physical and virtual security equipment and the scheduling use condition of the network virtualization module; (6) and finishing the modification of the resource configuration.
2. The system of claim 1, wherein said secure resource module, consisting of a plurality of bearer types, physical and virtual secure network devices, containers, secure services and secure processes; the method comprises the following steps of classifying 10 types, namely a firewall type, a security vulnerability scanning analysis type, an intrusion detection type, a network equipment security module type, a virus protection type, a network 3A, a security operating system type, a network security isolation type, a security protocol type and an encryption type, according to security products; the 10-class functions realize network, calculation and storage splitting of the data processing layer through NFV to obtain relatively independent 10-class safety function elements, and the centralized control module schedules the safety function elements to further complete safety tasks required by users.
3. The system of claim 2, wherein the centralized control module reorganizes the control layer against the functional elements of the various types of security resources, manages them uniformly, and adapts them to external interfaces for the application management module; the centralized control module consists of a resource scheduling engine, a control management module and a control interface decoupled from the security resources; the resource scheduling engine is used for judging, distributing and scheduling whether the current system resource can start the functional element, whether the current functional element is occupied or not and whether deadlock occurs or not, and the starting aspect adopts an FIFO mode to ensure the operating environments of a container and software; the control management module is responsible for pairing and managing 'control-function pair', managing the resource access authority, acquiring information of the state of the function element and feeding the information back to the resource scheduling engine in time; and aiming at the functional elements of the safety resource module, a resource scheduling engine in charge of dynamic allocation and a control management module in charge of resource management and control schedule the functional elements.
4. The system of claim 3, wherein the application management module accepts an external interface provided by the centralized control module, the application management module includes a security service interface and a security application interface for standardizing the interface format, a resource management interface for modifying and querying security resources, and an orchestration engine task issuing interface for processing security tasks, and provides these simplified and centralized security function solutions to users, and users can directly use these services to execute required services or use the orchestration engine application to issue orchestration tasks.
5. The system of claim 4, wherein the centralized management module directly interacting with the secure resources further splits the control layer against the functions based on the secure function elements, corresponds the control layer to the secure function elements to form functional unitized control elements, converges to form control elements in units of single functions by taking 10 categories of secure functions as branches, and constructs the control elements as control interfaces, and the centralized control module provides the control interfaces with minimized functions for the application management module to use.
6. The system of claim 5, wherein the control management module is further configured to configure the service chaining module to manage the source and allocation of each functional element in processing the input, including which secure resource the data stream is allocated to process, and the processing manner is forwarding traffic or copying traffic.
7. The system of claim 6, wherein the resource scheduling engine determines the resources expected to be consumed by the security resources by: the following definitions are first made: resource overhead
Figure FDA0003607611160000041
Refers to the resource overhead incurred by deploying a functional element i to a virtual resource r,
Figure FDA0003607611160000042
represents the storage overhead of the selected virtual resource r;
Figure FDA0003607611160000043
an overhead of computing resources representing the selected virtual resource r;
Figure FDA0003607611160000044
representing the interaction overhead generated by deploying the functional element i on the virtual resource r and a resource scheduling engine;
Figure FDA0003607611160000045
the data transmission quantity between the function module representing the function element and the resource scheduling engine;
thus, there are:
Figure FDA0003607611160000051
resource scheduling engine pair
Figure FDA0003607611160000052
And judging, when the distributable resources do not meet the conditions, waiting for resource distribution and execution in an FIFO mode, detecting the deadlock problem of the function element resource request in real time by the centralized management module, checking the running state of the safety resources, and carrying out proper adjustment and distribution.
CN202010880502.3A 2020-08-27 2020-08-27 Software-defined security-based hybrid resource management system Active CN112073397B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010880502.3A CN112073397B (en) 2020-08-27 2020-08-27 Software-defined security-based hybrid resource management system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010880502.3A CN112073397B (en) 2020-08-27 2020-08-27 Software-defined security-based hybrid resource management system

Publications (2)

Publication Number Publication Date
CN112073397A CN112073397A (en) 2020-12-11
CN112073397B true CN112073397B (en) 2022-08-23

Family

ID=73659044

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010880502.3A Active CN112073397B (en) 2020-08-27 2020-08-27 Software-defined security-based hybrid resource management system

Country Status (1)

Country Link
CN (1) CN112073397B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113778991B (en) * 2021-09-14 2024-07-05 珠海市新德汇信息技术有限公司 Method for realizing resource access control of big data

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104363159A (en) * 2014-07-02 2015-02-18 北京邮电大学 Virtual open network building system and method based on software definition network
CN107370835A (en) * 2017-09-11 2017-11-21 郑州云海信息技术有限公司 A kind of cloud computing center network architecture based on SDN and NFV technologies

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106302153B (en) * 2015-05-11 2020-02-07 中兴通讯股份有限公司 Multi-domain controller, single-domain controller, software defined optical network system and method
CN106612312A (en) * 2015-10-23 2017-05-03 中兴通讯股份有限公司 Virtualized data center scheduling system and method
CN109617873A (en) * 2018-12-06 2019-04-12 中山大学 A kind of flow attacking system of defense based on SDN cloud security function services tree-model

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104363159A (en) * 2014-07-02 2015-02-18 北京邮电大学 Virtual open network building system and method based on software definition network
CN107370835A (en) * 2017-09-11 2017-11-21 郑州云海信息技术有限公司 A kind of cloud computing center network architecture based on SDN and NFV technologies

Also Published As

Publication number Publication date
CN112073397A (en) 2020-12-11

Similar Documents

Publication Publication Date Title
US11875173B2 (en) Execution of auxiliary functions in an on-demand network code execution system
JP7060724B2 (en) Task scheduling methods, resource sharing usage, schedulers, computer-readable storage media and equipment
US10817331B2 (en) Execution of auxiliary functions in an on-demand network code execution system
US20200334023A1 (en) Self-moving operating system installation in cloud-based network
US20190332511A1 (en) Tracking cloud installation information using cloud-aware kernel of operating system
JP2021529386A (en) Execution of auxiliary functions on the on-demand network code execution system
US8862720B2 (en) Flexible cloud management including external clouds
US20110296000A1 (en) Systems and methods for exporting usage history data as input to a management platform of a target cloud-based network
US20210273990A1 (en) Secure multi-directional data pipeline for data distribution systems
US20110295727A1 (en) Systems and methods for aggregate monitoring of utilization data for vendor products in cloud networks
US20100306765A1 (en) Methods and systems for abstracting cloud management
Sun et al. HYPER: A hybrid high-performance framework for network function virtualization
CA2875807A1 (en) Offloading virtual machine flows to physical queues
JP2015537307A (en) Component-oriented hybrid cloud operating system architecture and communication method thereof
US11546413B2 (en) System and method for identifying capabilities and limitations of an orchestration based application integration
US20110258620A1 (en) Method and Apparatus for Making a BPM Application Available to Multiple Tenants
CN112202615A (en) Multi-CNI cooperative work system and method
CN112073397B (en) Software-defined security-based hybrid resource management system
Harmer et al. An application-centric model for cloud management
CN116113923A (en) Container cluster management method and system
WO2020108337A1 (en) Cpu resource scheduling method and electronic equipment
WO2021215756A1 (en) Method for allocating and visualizing network slice resource
CN111831402A (en) Method, apparatus and computer program product for managing software functions
CN114024976B (en) Big data service architecture based on 5G and method for constructing big data service
CN111581203A (en) Information processing method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant