CN112399609B - Resource allocation method and device - Google Patents

Publication number
CN112399609B
Authority
CN
China
Prior art keywords
data stream
data
network
resource allocation
resource
Legal status
Active
Application number
CN202011397631.3A
Other languages
Chinese (zh)
Other versions
CN112399609A (en
Inventor
陆勰
马铮
张曼君
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Application filed by China United Network Communications Group Co Ltd
Priority to CN202011397631.3A
Publication of CN112399609A
Application granted
Publication of CN112399609B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0893 Assignment of logical groups to network elements
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W72/00 Local resource management
    • H04W72/12 Wireless traffic scheduling
    • H04W72/20 Control channels or signalling for resource management
    • H04W72/50 Allocation or scheduling criteria for wireless resources
    • H04W72/53 Allocation or scheduling criteria for wireless resources based on regulatory allocation policies

Abstract

The embodiment of the invention discloses a resource allocation method and device, and relates to the technical field of communication. It can solve the problem of resource preemption among network slices. The method comprises the following steps: acquiring a first data stream, wherein the first data stream carries a tag; the tag comprises an identification of the first network slice and resource configuration information of the first network slice; the resource configuration information is used for characterizing virtual devices allocated for the first network slice; then determining the first network slice according to the identification of the first network slice; then allocating network resources for the first network slice according to the resource configuration information; and finally transmitting the first data stream using the network resources. The embodiment of the invention is applied to a network system.

Description

Resource allocation method and device
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a resource allocation method and device.
Background
The network slicing technology can be adopted to customize the network, cloud and management for operators to meet the personalized requirements of consumers and enterprises on services.
Currently, most of the research on network slicing stays on common security policies. However, no solution exists at present for the problem of resource preemption among network slices caused by the influence of factors such as unclear boundary of resource allocation, insufficient strategy, insufficient granularity of control and the like.
Disclosure of Invention
The invention provides a resource allocation method and a resource allocation device, which can solve the problem of resource preemption among network slices.
In order to achieve the above purpose, the invention adopts the following technical scheme:
In a first aspect, a resource allocation method is provided, the method comprising: acquiring a first data stream, wherein the first data stream carries a tag; the tag comprises an identification of the first network slice and resource configuration information of the first network slice; the resource configuration information is used for characterizing virtual devices allocated for the first network slice; then determining the first network slice according to the identification of the first network slice; then allocating network resources for the first network slice according to the resource configuration information; and finally transmitting the first data stream using the network resources.
When resources are allocated to network slices, resource preemption among the network slices is caused by factors such as unclear boundaries of resource allocation, insufficient policy and insufficient granularity of control. In the embodiment of the invention, the data stream to be transmitted carries a tag containing the identification of the network slice and the resource configuration information. Data streams are thereby classified, each data stream is transmitted in its own network slice, and cross-slice and cross-domain flow of data streams is prevented. In addition, resource preemption between network slices is prevented.
In a second aspect, there is provided a resource allocation apparatus, the apparatus comprising:
an acquisition unit configured to acquire a first data stream; wherein the first data stream carries a tag; the tag comprises an identification of the first network slice and resource configuration information of the first network slice; the resource configuration information is used to characterize the virtual device allocated for the first network slice.
a processing unit configured to determine the first network slice according to the identification of the first network slice acquired by the acquisition unit.
The processing unit is further configured to allocate network resources for the first network slice according to the resource configuration information.
The processing unit is further configured to transmit the first data stream using the network resources.
It can be appreciated that the above-provided resource allocation device is configured to perform the method corresponding to the first aspect provided above, and therefore, the advantages achieved by the above-provided resource allocation device can refer to the method corresponding to the first aspect and the advantages of the corresponding scheme in the following detailed description, which are not repeated herein.
In a third aspect, a resource allocation apparatus is provided, the apparatus comprising in its structure a processor for executing program instructions to cause the apparatus to perform the method of the first aspect.
In a fourth aspect, there is provided a computer readable storage medium having stored therein computer program code which, when run on resource allocation means, causes the resource allocation means to carry out the method of the first aspect described above.
In a fifth aspect, there is provided a computer program product storing the computer software instructions described above, which, when run on a resource allocation apparatus, cause the resource allocation apparatus to perform the method of the first aspect described above.
Drawings
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
FIG. 1 is a schematic structural diagram of a communication system to which a resource allocation method according to an embodiment of the present invention is applied;
FIG. 2 is a schematic flow chart of a resource allocation method according to an embodiment of the present invention;
FIG. 3 is a second flowchart of a resource allocation method according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a security classification system according to an embodiment of the present invention;
FIG. 5 is a third flowchart of a resource allocation method according to an embodiment of the present invention;
FIG. 6 is a flowchart of a resource allocation method according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a resource allocation device according to an embodiment of the present invention;
FIG. 8 is a second schematic diagram of a resource allocation apparatus according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a computer program product of a resource allocation method according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment should not be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
It should be noted that, in the embodiment of the present application, "english: of", "corresponding" and "corresponding" may sometimes be used in combination, and it should be noted that the meaning to be expressed is consistent when the distinction is not emphasized.
In embodiments of the application, the terms "first", "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.
Slicing can provide differentiated services for various industries; that is, slices can be customized. Enterprises choose slicing for its flexibility and, more importantly, because the configurable, differentiated security capability of a slice can guarantee the security and reliability of end-to-end data transmission in the slice. In the current wave of new infrastructure, data as a production factor continuously drives the development of various industries, and data security is becoming an increasingly important driver of industry development. With the rapid development of the current 5G network, the network requirements of industry keep increasing and become more refined. If a telecom operator can provide tenants with a safer and more reliable data transmission environment, it can accelerate the digital transformation of industry, enlarge the operator's service range, jointly promote the networked and intelligent development of industry, and further create an internal security ecosystem. Data security and the free growth of the network are therefore among the important directions of slice security research.
In view of the foregoing, an embodiment of the present application provides a resource allocation method, which may be applied to a system architecture as shown in FIG. 1. The architecture in FIG. 1 includes a terminal 01, a resource allocation device 02, a core network 03, and a data network 04. The resource allocation device according to the embodiment of the present application may be the resource allocation device 02 in FIG. 1, or may be a module or a chip in the resource allocation device 02. The implementation of the resource allocation device is not limited in any way here.
In addition, the core network 03 may be divided into a plurality of network slices, where each network slice includes a set of Network Functions (NF) with specific functions, for example, the network slice 1 in fig. 1 includes NF1, NF2, and NF3; network slice 2 includes NF4, NF5, and NF6; the network slice 3 includes NF7, NF8. The access network (radio access network, RAN) communicates with the respective network slice through a network slice selection and routing function (slice selection and routing function, SSRF). After the terminal accesses the RAN, the terminal selects a proper network slice through SSRF, so as to access a data network (data network), and customized service is provided through specific NF and parameter configuration, so that an end-to-end network slice architecture in 5G is formed. It should be noted that, the functions corresponding to the resource allocation device 02 according to the embodiment of the present application may be implemented by SSRF.
For example, the terminal 01 in the embodiment of the present application may have different names, such as a User Equipment (UE), an access terminal, a terminal unit, a terminal station, a mobile station, a remote terminal, a mobile device, a wireless communication device, a vehicle user equipment, a terminal agent, or a terminal apparatus, etc. It may specifically be a mobile phone, a tablet computer, a desktop, a laptop, a handheld computer, a notebook, an ultra-mobile personal computer (UMPC), a netbook, a cellular phone, a personal digital assistant (PDA), an augmented reality (AR)/virtual reality (VR) device, or another device that can communicate with the base station. The specific form of the terminal is not limited in the embodiments of the present application.
The resource allocation method provided by the embodiment of the present application is described below with reference to the communication system shown in fig. 1 by taking a resource allocation device as an example.
As shown in fig. 2, the resource allocation method provided by the embodiment of the present application specifically includes the following steps:
S11, the resource allocation device acquires a first data stream.
Wherein the first data stream carries a tag; the tag comprises an identification of the first network slice and resource configuration information of the first network slice; the resource configuration information is used to characterize the virtual device allocated for the first network slice.
Optionally, the resource configuration information at least includes: one or more of an identification of the virtual machine, an identification of the switch, and an identification of the firewall.
The identification of the first network slice may be, for example, an identification number (identity document, ID) of the slice. The ID of the slice is typically the single network slice selection assistance information (S-NSSAI). Further, the S-NSSAI may include two pieces of information. The first is a slice/service type (SST), which mainly characterizes the expected network slice behavior in terms of features and services. The second is a slice differentiator (SD), which mainly supplements the slice/service type to distinguish multiple network slices of the same slice/service type. The SD is optional information.
In addition, a network slice may be a standardized, globally universal network slice, or a network slice customized by an operator public land mobile network (PLMN). Currently, TS23.501 defines three standard slice/service types (SST) that support cross-PLMN services.
Illustratively, the tag carried by the first data stream may also include user information. Specifically, the user may be a tenant or a user of the network slice, and may be a natural person or a legal person. The user information may be a unique identifier of the user, for example an international mobile subscriber identification number (IMSI), and may be determined according to the actual situation.
S12, the resource allocation device determines the first network slice according to the identification of the first network slice.
S13, the resource allocation device allocates network resources for the first network slice according to the resource configuration information.
Illustratively, if the virtual machines assigned to network slice 1 are resources No. 3-6, the corresponding identification is denoted v1 = {v13, v14, v15, v16}; the assigned switches are switch1, switch3 and switch5, denoted sw1 = {s11, s13, s15}; the assigned firewalls are fw1, fw3 and fw5, denoted fw1 = {fw11, fw13, fw15}. The resource configuration information of network slice 1 may therefore be denoted qf1 = {s-nssai1, v1, sw1, fw1}.
The virtual machines allocated to network slice 2 are resources No. 7-9, denoted v2 = {v27, v28, v29}; the assigned switches are switch2, switch4 and switch6, denoted sw2 = {s22, s24, s26}; the assigned firewalls are fw2, fw4 and fw6, denoted fw2 = {fw22, fw24, fw26}. The resource configuration information of network slice 2 may therefore be denoted qf2 = {s-nssai2, v2, sw2, fw2}.
The virtual machines allocated to network slice 3 are resources No. 1, 2 and 5, denoted v3 = {v31, v32, v35}; the assigned switches are switch7, switch9 and switch11, denoted sw3 = {s37, s39, s311}; the assigned firewalls are fw7, fw9 and fw11, denoted fw3 = {fw37, fw39, fw311}. The resource configuration information of network slice 3 may therefore be denoted qf3 = {s-nssai3, v3, sw3, fw3}.
Further, on the basis of the above example, the data stream has a different identifier in each PDU session, so the identifier of the data stream is also added to the tag carried by the first data stream. Even when the data type, the data importance and the configured network resources within the same slice are identical, the identifier of each data stream is different, so data streams can still be distinguished by their identifiers when the other parameters are the same. This allows a data stream to be located quickly and provides strong support for tracing data streams.
S14, the resource allocation device adopts network resources to transmit the first data stream.
When resources are allocated to network slices, resource preemption among the network slices is caused by factors such as unclear boundaries of resource allocation, insufficient policy and insufficient granularity of control. In the embodiment of the invention, the data stream to be transmitted carries a tag containing the identification of the network slice and the resource configuration information. Data streams are thereby classified, each data stream is transmitted in its own network slice, and cross-slice and cross-domain flow of data streams is prevented. In addition, resource preemption between network slices is prevented.
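A check that fits between S11 and S13, as an added example (not part of the patent): the registry is built from the slice 1-3 allocations in the worked example above, a tag is accepted only if every resource it names is registered to the slice it claims, and `pool_conflicts` lists resource numbers claimed by more than one slice. The function names, the dict layout of the tag, the `flow-0001` identifier and the reading of the resource numbers as indices into one shared pool are assumptions.

```python
from itertools import combinations

# Resource numbers per slice, copied from the worked example in the text.
ALLOCATIONS = {
    1: {"v": {3, 4, 5, 6}, "s": {1, 3, 5}, "fw": {1, 3, 5}},
    2: {"v": {7, 8, 9}, "s": {2, 4, 6}, "fw": {2, 4, 6}},
    3: {"v": {1, 2, 5}, "s": {7, 9, 11}, "fw": {7, 9, 11}},
}
KINDS = (("v", "v"), ("sw", "s"), ("fw", "fw"))  # tag field -> label prefix


def build_qf(slice_no):
    """Build qfN = {s-nssaiN, vN, swN, fwN} with labels such as v13 or s311."""
    qf = {"s_nssai": f"s-nssai{slice_no}"}
    for field, prefix in KINDS:
        numbers = ALLOCATIONS[slice_no][prefix]
        qf[field] = frozenset(f"{prefix}{slice_no}{n}" for n in numbers)
    return qf


# Hypothetical registry held by the resource allocation device, keyed by slice ID.
REGISTRY = {qf["s_nssai"]: qf for qf in map(build_qf, ALLOCATIONS)}


def owner_of(label, registry=REGISTRY):
    """Return the slice a resource label is registered to, or None."""
    for s_nssai, qf in registry.items():
        if any(label in qf[field] for field, _ in KINDS):
            return s_nssai
    return None


def validate_tag(tag, registry=REGISTRY):
    """Accept a tag only if it names a known slice and only that slice's resources."""
    qf = registry.get(tag.get("s_nssai"))
    if qf is None:
        return False, "unknown slice"
    foreign = sorted(
        label for field, _ in KINDS for label in set(tag.get(field, ())) - qf[field]
    )
    if foreign:
        detail = ", ".join(f"{x} (registered to {owner_of(x, registry)})" for x in foreign)
        return False, "resources outside slice: " + detail
    return True, "ok"


def pool_conflicts(allocations=ALLOCATIONS):
    """List (kind, number, slice_a, slice_b) for numbers claimed by two slices.

    Assumption: the resource number indexes one pool shared by all slices.
    """
    found = []
    for (a, res_a), (b, res_b) in combinations(sorted(allocations.items()), 2):
        for kind in ("v", "s", "fw"):
            for n in sorted(res_a[kind] & res_b[kind]):
                found.append((kind, n, a, b))
    return found


if __name__ == "__main__":
    good = dict(build_qf(1), flow_id="flow-0001")      # constructed flow tag
    bad = dict(good, sw=good["sw"] | {"s22"})          # names a slice 2 switch
    print(validate_tag(good))
    print(validate_tag(bad))
    print(pool_conflicts())
```

Under the shared-pool reading, `pool_conflicts()` reports virtual machine number 5 for slices 1 and 3 in the allocations as given; if the numbers are per-slice indices instead, only the label check in `validate_tag` applies.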
In one implementation manner, referring to FIG. 3 in conjunction with FIG. 2, considering the security of a data stream during transmission, an embodiment of the present application provides a security grading scheme, which specifically includes:
S31, the resource allocation device acquires the data type of each data in the first data stream.
Wherein the data type is public data or private data.
By way of example, the public data may be video-class data such as a television series, a movie, etc. The private data may be data of an intranet. The data type of each data may be determined according to the user or tenant requirements.
S32, the resource allocation device determines the security level of the first data stream based on the data type of each data.
Optionally, the security level of the first data stream may also be determined by checking whether each data contains a preset specific character. For example, the preset specific character may indicate data with extremely high security requirements, such as an identification card number; or it may be a security-level annotation character that the user or tenant attaches to each data.
Further, the security level of the first data stream is comprehensively determined by combining preset specific characters contained in each data with the data types of the corresponding data.
Illustratively, the data type identifier is divided according to public data and private data, wherein 1 represents public data and 0 represents private data; the security levels are classified into very important, important and general three levels according to the importance of the data, and the corresponding security levels are a high security level, a medium security level and a low security level in sequence. The policy of the security level can be flexibly configured according to the importance degree of the data stream, namely, the data streams of different levels can be flexibly adjusted according to the needs of tenants.
In this implementation, the security level of the data stream is determined by the data type of the data contained in the data stream, so that the data stream can safely flow in the respective slices according to the set rule.
Further, the tag also includes a security level of the first data stream. Encryption may be performed in the following manner according to the security level of the first data stream.
Mode one: when the security level of the first data stream is determined to be the first level, the first data stream is encrypted according to the Internet security protocol (IPSEC) based on a first preset encryption algorithm. After the first data stream has been encrypted in this way, transmitting the first data stream using the network resources comprises: transmitting the encrypted first data stream using the network resources.
The first preset encryption algorithm may be any algorithm capable of encrypting data, such as advanced encryption standard (AES) 256, the Zu Chongzhi algorithm ZUC128, SM2, etc. The present application therefore does not limit the first preset encryption algorithm. The first level may be the high security level described above.
In mode one, a data stream whose security level is the first level is encrypted according to IPSEC with the first preset encryption algorithm, which ensures the security of the whole data stream during transmission.
Mode two: when the security level of the first data stream is determined to be the second level, at least one preset type of data in the first data stream is determined, and the at least one preset type of data is encrypted based on a second preset encryption algorithm. After the first data stream has been encrypted in this way, transmitting the first data stream using the network resources comprises: transmitting the encrypted first data stream using the network resources.
The second level may be, for example, the medium security level described above. Note that the second preset encryption algorithm may be the same as the first preset encryption algorithm or different from it.
In mode two, the preset-type data contained in a data stream of the second security level is encrypted, which ensures the security of the preset-type data in the data stream.
Mode three: when the security level of the first data stream is determined to be the third level, at least one preset type of data in the first data stream may be determined as required, and the at least one preset type of data is encrypted based on a third preset encryption algorithm. After the first data stream has been encrypted in this way, transmitting the first data stream using the network resources comprises: transmitting the encrypted first data stream using the network resources.
The third level may be, for example, the low security level described above, for which the data stream may be encrypted as needed. For example, an encryption option may be provided to a user or tenant at the time of service selection, and when the user or tenant selects the option, the data of the service is encrypted.
In the third mode, the data with the preset type is determined to be contained in the data stream with the third security level according to the requirement, and the data with the preset type is encrypted, so that the security of the data with the preset type in the data stream is ensured; meanwhile, the flexibility of data encryption is improved.
Illustratively, referring to FIG. 4, an embodiment of the present application provides a schematic structural diagram of a security grading system. The system includes a security container module 41 and a security classification policy module 42. The security container module 41 mainly performs encryption operations according to the security policy generated by the security classification policy module 42, and may specifically include a cryptographic algorithm unit 411, an authentication unit 412, and a security unit 413. The security classification policy module 42 mainly divides security into three levels: high security, medium security and low security. Different encryption modes are adopted for different levels. The security policy for a data stream of high security level may be to execute IPSEC, encrypt with the AES256 encryption algorithm, perform authentication and security protection on preset key nodes, and the like. The security policy for a data stream of medium security level may be the AES256 encryption algorithm, IPSEC on the target sub-link, security devices added at key nodes, etc. The security policy for a data stream of low security level may be to encrypt the data stream or a portion of its data on demand, encrypt the target sub-link on demand, add protection equipment at key nodes on demand, etc.
In one implementation, referring to fig. 5 in conjunction with fig. 2, S14 specifically includes:
S141, the resource allocation device determines a path for transmitting the first data stream in the network resource.
S142, the resource allocation device encrypts the target sub-link in the path based on a third preset encryption algorithm.
Wherein the path includes a plurality of sub-links; the target sub-link is one of a plurality of sub-links.
For example, the target sub-link may be a sub-link in the path that has a security coefficient below a preset threshold when transmitting data without encryption.
S143, the resource allocation device adopts the encrypted target sub-link and other sub-links to transmit the first data stream.
According to the implementation mode, the target sub-link in the path is encrypted, so that the situation that data is stolen through the target sub-link in the transmission process is prevented, and the safety and reliability of data flow transmission in the path are improved.
In one implementation, referring to fig. 6 in conjunction with fig. 2, considering that there may be sensitive data in the data stream, after the data stream is acquired, the embodiment of the present application performs the discrimination and processing operation of the sensitive data on the data stream. The method specifically comprises the following steps:
S61, the resource allocation device determines that the first data stream contains data with preset characters.
For example, the data of the preset character may be sensitive data such as an identification card number or a telephone number.
S62, the resource allocation device executes desensitization operation on the data containing the preset characters in the first data stream according to the preset desensitization rule.
Illustratively, the desensitizing operation is actually desensitizing the sensitive data, and the specific implementation may be any of the following.
1) Substitution of
Substitution means completely replacing the sensitive data in the source data with disguised data; the replacement data is generally irreversible, to ensure security. Substitution is the most common data desensitization method. Specific operations include constant substitution (all sensitive data is replaced with a single constant value), table look-up substitution (replacement data is selected from an intermediate table, randomly or according to a specific algorithm), parametric substitution (the sensitive data is taken as input and new replacement data is produced by a specific function), etc. Which substitution algorithm to choose depends on a balance between factors such as efficiency and business requirements. Substitution can thoroughly desensitize a single class of data, but the related fields often lose their business meaning as well; for table look-up substitution, the design of the intermediate table is critical.
2) Shuffling
Shuffling breaks the association between sensitive data and the other data in the same row through random cross-row exchange, thereby achieving desensitization. Shuffling can preserve part of the business data information (such as the valid data range and data statistics) over a considerable range, so that the desensitized data looks more consistent with the source data, at the cost of some security. Shuffling is generally used for large data sets where specific characteristics of the data to be desensitized need to be preserved; for small data sets, the target data produced by shuffling may be restored using other information, so special care is required.
3) Numerical conversion
Specifically, the source data of the numerical value and the date type is controllably adjusted through a random function (for example, the data of the numerical value type is randomly increased or decreased by 20 percent, and the data of the date is randomly increased or decreased for 200 days), so that the camouflage of the specific numerical value is finished while the relevant statistical characteristics of the original data are maintained. The numerical variation can effectively control the statistical characteristics and the authenticity of the target data by adjusting the variation range, and is a common desensitization method.
4) Encryption
Encryption means encrypting the data to be desensitized, so that an external user sees only meaningless encrypted data; meanwhile, decryption capability can be provided, so that a related party holding the key can obtain the original data. The encryption method carries a certain security risk (key leakage or insufficient encryption strength); encryption itself requires a certain amount of computing power, which can create significant resource overhead for large data sets; and the format of the encrypted data generally differs from that of the original data, so its authenticity is poor. In general, desensitization by encryption is not widely applied.
5) Shielding
Shielding means uniformly replacing part of the content of sensitive data with a masking symbol (e.g., "X"), so that the sensitive data remains partially disclosed. This method desensitizes the data to a large extent while preserving the sense of the original data, so it is also widely used.
6) Null insertion/deletion
In particular, sensitive data is deleted directly or set to a NULL value.
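The desensitization methods listed above, applied to one small table, as an added example that is not part of the patent text. The field names, sample rows, HMAC-based substitution function, shielding widths and the minimum row count for shuffling are assumptions made for illustration.

```python
import hashlib
import hmac
import random
from datetime import date, timedelta

# Constructed sample records; the field names are assumptions for this example.
ROWS = [
    {"name": "Zhang Wei", "phone": "13800001111", "city": "Beijing",
     "salary": 12000.0, "joined": date(2019, 3, 1), "note": "vip"},
    {"name": "Wang Fang", "phone": "13900002222", "city": "Shanghai",
     "salary": 8500.0, "joined": date(2020, 7, 15), "note": "none"},
    {"name": "Li Na", "phone": "13700003333", "city": "Chengdu",
     "salary": 15300.0, "joined": date(2018, 11, 30), "note": "debt"},
    {"name": "Liu Yang", "phone": "13600004444", "city": "Wuhan",
     "salary": 9900.0, "joined": date(2021, 1, 4), "note": "vip"},
]


def constant_substitution(rows, field, constant="REDACTED"):
    """Substitution: every value of the field becomes the same constant."""
    return [{**r, field: constant} for r in rows]


def parametric_substitution(rows, field, key):
    """Substitution by function: a keyed one-way hash of the sensitive value.

    Equal inputs map to equal pseudonyms, so joins still work. Low-entropy
    inputs can be guessed by anyone who obtains the key, so the key is secret.
    """
    out = []
    for r in rows:
        mac = hmac.new(key, str(r[field]).encode("utf-8"), hashlib.sha256)
        out.append({**r, field: mac.hexdigest()[:16]})
    return out


def shuffle_column(rows, field, rng, min_rows=3):
    """Shuffling: exchange one column across rows, keeping its value set.

    Small tables are refused because the original pairing is easy to
    restore from other information; min_rows is an assumed threshold.
    """
    if len(rows) < min_rows:
        raise ValueError("data set too small for shuffling to protect anything")
    values = [r[field] for r in rows]
    rng.shuffle(values)
    return [{**r, field: v} for r, v in zip(rows, values)]


def perturb_number(rows, field, rng, pct=0.20):
    """Numerical conversion: scale each value by a random factor within +/- pct."""
    return [{**r, field: round(r[field] * (1 + rng.uniform(-pct, pct)), 2)}
            for r in rows]


def perturb_date(rows, field, rng, max_days=200):
    """Numerical conversion for dates: shift by at most max_days either way."""
    return [{**r, field: r[field] + timedelta(days=rng.randint(-max_days, max_days))}
            for r in rows]


def shield(rows, field, keep_head=3, keep_tail=4, symbol="X"):
    """Shielding: overwrite the middle of the value with a masking symbol."""
    out = []
    for r in rows:
        s = str(r[field])
        hidden = len(s) - keep_head - keep_tail
        if hidden <= 0:
            masked = symbol * len(s)  # too short to disclose any part safely
        else:
            masked = s[:keep_head] + symbol * hidden + s[len(s) - keep_tail:]
        out.append({**r, field: masked})
    return out


def nullify(rows, field):
    """Null insertion: the sensitive value is set to NULL (None)."""
    return [{**r, field: None} for r in rows]


def desensitize(rows, key, seed=None):
    """Apply one method per field; the input rows are left unmodified.

    A fixed seed makes the run repeatable for testing; leave it as None
    in real use so the perturbation cannot be replayed.
    """
    rng = random.Random(seed)
    out = parametric_substitution(rows, "name", key)
    out = shield(out, "phone")
    out = shuffle_column(out, "city", rng)
    out = perturb_number(out, "salary", rng)
    out = perturb_date(out, "joined", rng)
    return nullify(out, "note")


if __name__ == "__main__":
    for row in desensitize(ROWS, b"constructed-demo-key", seed=7):
        print(row)
```
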
Further, referring to fig. 6, after performing a desensitization operation on the data stream, a specific implementation of S14 includes:
S14a, the resource allocation device transmits the desensitized first data stream using the network resource.
It should be noted that the execution sequence of S61, S12 and S13 in the corresponding fig. 6 may be adjusted as required, which is not limited in any way in the embodiment of the present application.
With this implementation, a desensitization operation is performed on the data containing the preset characters in the data stream, transforming that data and reliably protecting sensitive private data.
The embodiment of the application can divide the function modules of the resource allocation device according to the embodiment of the method, for example, each function module can be divided corresponding to each function, and two or more functions can be integrated in one processing module. The integrated modules may be implemented in hardware or in software functional modules. It should be noted that, in the embodiment of the present application, the division of the modules is schematic, which is merely a logic function division, and other division manners may be implemented in actual implementation.
As shown in fig. 7, a schematic structural diagram of a resource allocation device 70 according to an embodiment of the present invention is provided, where the resource allocation device 70 allocates a carrier for each of a plurality of operators, and the carrier carries services under all network types of the corresponding operator; wherein the network type is public network and one of a plurality of private networks. The resource allocation apparatus 70 specifically includes an acquisition unit 701 and a processing unit 702.
Specifically, an acquiring unit 701 is configured to acquire a first data stream; wherein the first data stream carries a tag; the tag comprises an identification of the first network slice and resource configuration information of the first network slice; the resource configuration information is used to characterize the virtual device allocated for the first network slice. For example, the acquisition unit 701 may be used to implement S11 as shown in fig. 2.
The processing unit 702 is configured to determine the first network slice according to the identifier of the first network slice acquired by the acquiring unit 701. For example, the processing unit 702 may be used to implement S12 as shown in fig. 2.
The processing unit 702 is further configured to configure network resources for the first network slice according to the resource configuration information. For example, the processing unit 702 may be used to implement S13 as shown in fig. 2.
The processing unit 702 is further configured to transmit the first data stream using the network resource. For example, the processing unit 702 may be used to implement S14 as shown in fig. 2.
Optionally, the acquiring unit 701 is further configured to acquire a data type of each data in the first data stream; the data type is public data or private data. For example, the acquisition unit 701 may be used to implement S31 as shown in fig. 3.
A processing unit 702 for determining a security level of the first data stream based on the data type of each data acquired by the acquisition unit 701. For example, the processing unit 702 may be used to implement S32 as shown in fig. 3.
Optionally, the tag further comprises a security level of the first data stream.
Optionally, the processing unit 702 is further configured to, in a case where it is determined that the security level of the first data stream is the first level, encrypt the first data stream according to the Internet security protocol IPSEC based on a first preset encryption algorithm.
The processing unit 702 is further configured to transmit the encrypted first data stream using the network resource.
Optionally, the processing unit 702 is further configured to determine at least one preset type of data in the first data stream and encrypt the at least one preset type of data based on the second preset encryption algorithm if it is determined that the security level of the first data stream is the second level.
The processing unit 702 is further configured to transmit the encrypted first data stream using the network resource.
Optionally, the processing unit 702 is specifically configured to determine a path for transmitting the first data stream in the network resource. For example, the processing unit 702 may be used to implement S141 as shown in fig. 5.
The processing unit 702 is further configured to encrypt the target sub-link in the path based on a third preset encryption algorithm; the path includes a plurality of sub-links; the target sub-link is one of a plurality of sub-links. For example, the processing unit 702 may be used to implement S142 as shown in fig. 5.
The processing unit 702 is further configured to transmit the first data stream using the encrypted target sub-link and the other sub-links. For example, the processing unit 702 may be used to implement S143 as shown in fig. 5.
Optionally, the processing unit 702 is further configured to determine that the first data stream includes data of a preset character. For example, the processing unit 702 may be used to implement S61 as shown in fig. 6.
The processing unit 702 is further configured to perform a desensitization operation on data including a preset character in the first data stream according to a preset desensitization rule. For example, the processing unit 702 may be used to implement S62 as shown in fig. 6.
The processing unit 702 is further configured to transmit the desensitized first data stream using the network resource. For example, the processing unit 702 may be used to implement S14a as shown in fig. 6.
Of course, the resource allocation device 70 provided in the embodiment of the present application includes, but is not limited to, the above modules, for example, the resource allocation device 70 may further include a sending unit 703 and a storage unit 704. The sending unit 703 may be configured to send the relevant data in the resource allocation apparatus 70 to other devices, so as to implement data interaction with the other devices. The storage unit 704 may be used for storing program code of the resource allocation device 70, and may also be used for storing data generated by the resource allocation device 70 during operation, such as data in a write request, etc.
The system architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solution of the embodiments of the present application, and do not constitute a limitation on the technical solution provided by the embodiments of the present application, and those skilled in the art can know that, with the evolution of the network architecture and the appearance of the new service scenario, the technical solution provided by the embodiments of the present application is equally applicable to similar technical problems.
Fig. 8 is a schematic structural diagram of a resource allocation device 70 according to an embodiment of the present application, and as shown in fig. 8, the resource allocation device 70 may include: at least one processor 51, a memory 52, a communication interface 53 and a communication bus 54.
The following describes the respective constituent elements of the resource allocation apparatus 70 in detail with reference to fig. 8:
The processor 51 is the control center of the resource allocation device 70, and may be one processor or a collective name for a plurality of processing elements. For example, the processor 51 is a central processing unit (Central Processing Unit, CPU), but may also be an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits configured to implement embodiments of the present invention, such as: one or more DSPs, or one or more field programmable gate arrays (Field Programmable Gate Array, FPGAs).
In a particular implementation, processor 51 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 8, as an example. Also, as one embodiment, the resource allocation device 70 may include a plurality of processors, such as the processor 51 and the processor 55 shown in fig. 8. Each of these processors may be a Single-core processor (Single-CPU) or a Multi-core processor (Multi-CPU). A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The Memory 52 may be, but is not limited to, a Read-Only Memory (ROM) or other type of static storage device that can store static information and instructions, a random access Memory (Random Access Memory, RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable Read-Only Memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), a compact disc (Compact Disc Read-Only Memory, CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 52 may be stand alone and be coupled to the processor 51 via a communication bus 54. Memory 52 may also be integrated with processor 51.
In a specific implementation, the memory 52 is used to store data in the present invention and to execute software programs of the present invention. The processor 51 may perform various functions of the air conditioner by running or executing a software program stored in the memory 52 and calling data stored in the memory 52.
The communication interface 53 uses any transceiver-like means for communicating with other devices or communication networks, such as a radio access network (Radio Access Network, RAN), a wireless local area network (Wireless Local Area Networks, WLAN), a terminal, a cloud, etc. The communication interface 53 may include a receiving unit implementing a receiving function and a transmitting unit implementing a transmitting function.
The communication bus 54 may be an industry standard architecture (Industry Standard Architecture, ISA) bus, an external device interconnect (Peripheral Component Interconnect, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The bus may be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 8, but not only one bus or one type of bus.
As an example, in connection with fig. 7, the acquisition unit 701 in the resource allocation device 70 realizes the same function as the communication interface 53 in fig. 8, the processing unit 702 realizes the same function as the processor 51 in fig. 8, and the storage unit 704 realizes the same function as the memory 52 in fig. 8.
Another embodiment of the present invention also provides a computer-readable storage medium having stored therein instructions which, when executed on a computer, cause the computer to perform the method shown in the above-described method embodiment.
In some embodiments, the disclosed methods may be implemented as computer program instructions encoded on a computer-readable storage medium in a machine-readable format or encoded on other non-transitory media or articles of manufacture.
Fig. 9 schematically illustrates a conceptual partial view of a computer program product provided by an embodiment of the invention, the computer program product comprising a computer program for executing a computer process on a computing device.
In one embodiment, a computer program product is provided using signal bearing medium 410. The signal bearing medium 410 may include one or more program instructions that when executed by one or more processors may provide the functionality or portions of the functionality described above with respect to fig. 2. Thus, for example, referring to the embodiment shown in FIG. 2, one or more features of S11-S14 may be carried by one or more instructions associated with signal bearing medium 410. Further, the program instructions in fig. 9 also describe example instructions.
In some examples, signal bearing medium 410 may comprise a computer readable medium 411 such as, but not limited to, a hard disk drive, compact Disk (CD), digital Video Disk (DVD), digital tape, memory, read-only memory (ROM), or random access memory (random access memory, RAM), among others.
In some implementations, the signal bearing medium 410 may include a computer recordable medium 412 such as, but not limited to, memory, read/write (R/W) CD, R/W DVD, and the like.
In some implementations, the signal bearing medium 410 may include a communication medium 413 such as, but not limited to, a digital and/or analog communication medium (e.g., fiber optic cable, waveguide, wired communications link, wireless communications link, etc.).
The signal bearing medium 410 may be conveyed by a communication medium 413 in wireless form (e.g., a wireless communication medium conforming to the IEEE802.41 standard or other transmission protocol). The one or more program instructions may be, for example, computer-executable instructions or logic-implemented instructions.
In some examples, a data-writing apparatus such as described with respect to fig. 4 may be configured to provide various operations, functions, or actions in response to program instructions through one or more of computer-readable medium 411, computer-recordable medium 412, and/or communication medium 413.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of functional modules is illustrated, and in practical application, the above-described functional allocation may be implemented by different functional modules according to needs, i.e. the internal structure of the apparatus is divided into different functional modules to implement all or part of the functions described above.
In the several embodiments provided by the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another apparatus, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and the parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a readable storage medium. Based on such understanding, the technical solution of the embodiments of the present invention may be essentially or a part contributing to the prior art or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a device (may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the method described in the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
The foregoing is merely illustrative of specific embodiments of the present invention, and the scope of the present invention is not limited thereto, but any changes or substitutions within the technical scope of the present invention should be covered by the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A method for resource allocation, comprising:
acquiring a first data stream; wherein the first data stream carries a tag; the tag comprises an identification of a first network slice and resource configuration information of the first network slice; the resource configuration information is used for characterizing virtual devices allocated for the first network slice;
determining the first network slice according to the identification of the first network slice;
acquiring the data type of each data in the first data stream; the data type is public data or private data;
determining a security level of the first data stream based on the data type of each data;
encrypting the first data stream according to an internet security protocol IPSEC based on a first preset encryption algorithm under the condition that the security level of the first data stream is determined to be a first level;
according to the resource allocation information, allocating network resources for the first network slice;
transmitting the first data stream using the network resource; said transmitting said first data stream using said network resource comprises: and transmitting the first data stream encrypted based on the first preset encryption algorithm by adopting the network resource.
2. The resource allocation method of claim 1, wherein the tag further comprises a security level of the first data stream.
3. The resource allocation method according to claim 1 or 2, characterized by further comprising:
under the condition that the security level of the first data stream is determined to be the second level, determining at least one preset type of data in the first data stream, and encrypting the at least one preset type of data based on a second preset encryption algorithm;
the transmitting the first data stream using the network resource further comprises:
and transmitting the first data stream encrypted based on the second preset encryption algorithm by adopting the network resource.
4. The resource allocation method according to claim 1 or 2, wherein transmitting the first data stream using the network resource comprises:
determining a path in the network resource for transmitting a first data stream;
encrypting the target sub-link in the path based on a third preset encryption algorithm; the path includes a plurality of sub-links; the target sub-link is one of the plurality of sub-links;
and transmitting the first data stream by adopting the encrypted target sub-link and other sub-links.
5. The resource allocation method according to claim 1, further comprising:
determining data containing preset characters in the first data stream;
performing desensitization operation on the data containing the preset characters in the first data stream according to a preset desensitization rule;
transmitting the first data stream using the network resource, further comprising:
and transmitting the desensitized first data stream by adopting the network resource.
6. A resource allocation apparatus, comprising:
an acquisition unit configured to acquire a first data stream; wherein the first data stream carries a tag; the tag comprises an identification of a first network slice and resource configuration information of the first network slice; the resource configuration information is used for characterizing virtual devices allocated for the first network slice;
the processing unit is used for determining the first network slice according to the identification of the first network slice acquired by the acquisition unit;
the acquiring unit is further configured to acquire a data type of each data in the first data stream; the data type is public data or private data;
the processing unit is further configured to determine a security level of the first data stream based on the data type of each data acquired by the acquiring unit;
the processing unit is further configured to, in a case where it is determined that the security level of the first data stream is a first level; encrypting the first data stream according to an internet security protocol IPSEC based on a first preset encryption algorithm;
the processing unit is further configured to configure network resources for the first network slice according to the resource configuration information;
the processing unit is further configured to transmit the first data stream using the network resource; said transmitting said first data stream using said network resource comprises: and transmitting the first data stream encrypted based on the first preset encryption algorithm by adopting the network resource.
7. The resource allocation apparatus according to claim 6, wherein the tag further comprises a security level of the first data stream.
8. The resource allocation apparatus according to claim 6 or 7, wherein,
the processing unit is further configured to determine at least one preset type of data in the first data stream and encrypt the at least one preset type of data based on a second preset encryption algorithm when determining that the security level of the first data stream is a second level;
the processing unit is further configured to transmit, by using the network resource, the first data stream encrypted based on the second preset encryption algorithm.
9. The resource allocation apparatus according to claim 6 or 7, wherein,
the processing unit is specifically configured to determine a path for transmitting a first data stream in the network resource;
the processing unit is further configured to encrypt the target sub-link in the path based on a third preset encryption algorithm; the path includes a plurality of sub-links; the target sub-link is one of the plurality of sub-links;
the processing unit is further configured to transmit the first data stream using the encrypted target sub-link and the other sub-links.
10. The resource allocation apparatus according to claim 6, wherein,
the processing unit is further configured to determine data that includes a preset character in the first data stream;
the processing unit is further configured to perform a desensitization operation on data including the preset character in the first data stream according to a preset desensitization rule;
the processing unit is further configured to transmit the desensitized first data stream using the network resource.
11. A resource allocation apparatus, characterized in that the architecture of the resource allocation apparatus comprises a processor for executing program instructions, such that the resource allocation apparatus performs the resource allocation method according to any of claims 1-5.
12. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein computer program code which, when run on resource allocation means, causes the resource allocation means to perform the resource allocation method according to any of claims 1-5.
CN202011397631.3A 2020-12-03 2020-12-03 Resource allocation method and device Active CN112399609B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011397631.3A CN112399609B (en) 2020-12-03 2020-12-03 Resource allocation method and device

Publications (2)

Publication Number Publication Date
CN112399609A (en) 2021-02-23
CN112399609B (en) 2023-08-11

Family

ID=74605053

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011397631.3A Active CN112399609B (en) 2020-12-03 2020-12-03 Resource allocation method and device

Country Status (1)

Country Link
CN (1) CN112399609B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant