CN114363052A - Method, device, equipment and medium for configuring security policy in network slice - Google Patents


Info

Publication number
CN114363052A
Authority
CN
China
Prior art keywords
service
information
target
quality
determining
Prior art date
Legal status
Granted
Application number
CN202111671114.5A
Other languages
Chinese (zh)
Other versions
CN114363052B (en)
Inventor
靳京
漆骏锋
蒋红宇
Current Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Original Assignee
Beijing Haitai Fangyuan High Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Haitai Fangyuan High Technology Co Ltd
Priority to CN202111671114.5A
Publication of CN114363052A
Application granted
Publication of CN114363052B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to the technical field of information security, and in particular to a method, a device, equipment and a medium for configuring a security policy in a network slice, which solve the problem that effective security protection cannot be realized in a changing business service process. The method comprises the following steps: determining a target network slice that provides service for a target service; determining a quality evaluation result for each piece of service quality information according to the information value of each piece of service quality information under the target service, the service state information of the target service, and the weight parameter and state quality reference value configured for each piece of service quality information; and then, for the target quality evaluation result that meets a preset condition among the determined quality evaluation results, arranging the corresponding security policy into the target network slice for execution. In this way the method plays a more effective protective role in the business service process, improves the security of the business service, and supports changing business security requirements.

Description

Method, device, equipment and medium for configuring security policy in network slice
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method, an apparatus, a device, and a medium for configuring a security policy in a network slice.
Background
With the development of 5th Generation Mobile Communication Technology (5G), network slicing makes it possible to design functions, performance, isolation, and operation and maintenance flexibly within a network, to create and provide dedicated networks, and to provide mutually isolated, function-customizable network services for the services of different vertical industries. These network services are expressed at multiple levels: basic network communication, resources, customized functions, networking, security, and the like.
At present, in order to implement security protection, a corresponding security policy is usually determined at the time the network slice is formed, so that when the configured network slice provides a service for a specified service, the pre-established security policy plays its protective role, for example for an Internet of Vehicles service that relies on network slice security.
However, because the security policies in a network slice are configured at the same time the slice is formed, and are built from experience and business requirements, they can only protect against expected threat situations. Effective security protection therefore cannot be realized in a changing business service process, and the security of the business service is reduced.
In view of the above, a new method for configuring security policies in a network slice is needed to solve the above problems.
Disclosure of Invention
The embodiment of the invention provides a method and a device for configuring a security policy in a network slice, which are used for solving the problem that effective security protection cannot be realized in a variable business service process in the prior art.
The embodiment of the invention provides the following specific technical scheme:
in a first aspect, a method for configuring a security policy in a network slice is provided, including:
determining a target network slice for providing service for a target service, acquiring information values corresponding to all service quality information under the target service and service state information of the target service, and acquiring weight parameters and state quality reference values configured for all the service quality information respectively;
respectively determining quality evaluation results corresponding to the service quality information according to the information values and the service state information corresponding to the target service and the weight parameters and the state quality reference values corresponding to the service quality information;
and determining a target quality evaluation result meeting preset conditions in each quality evaluation result, acquiring a security policy corresponding to the value of the target quality evaluation result, and arranging the security policy into the target network slice for execution.
Optionally, the determining a target network slice for providing a service for a target service includes:
determining a business service requirement corresponding to a target business, and determining a business scene corresponding to the target business;
and determining a target network slice customized according to the business scene and the business service requirement.
Optionally, the obtaining information values corresponding to the quality of service information corresponding to the target service and the service state information of the target service includes:
acquiring network local topology information, data load information, safety isolation information, network communication hop count information and communication bandwidth information corresponding to the target service by adopting a preset data acquisition interface, and acquiring a service state change rate corresponding to the target service;
and taking the network local topology information, the data load information, the safety isolation information, the network communication hop count information and the communication bandwidth information as each service quality information corresponding to the target service, and taking the service state change rate as the service state information corresponding to the target service.
Optionally, the determining, according to each information value and the service state information corresponding to the target service, and the weight parameter and state quality reference value corresponding to each piece of service quality information, of a quality evaluation result corresponding to each piece of service quality information respectively includes:
respectively calculating information weighting results corresponding to the service quality information according to the information values and the weighting parameters corresponding to the service quality information, and respectively using the information weighting results as service quality evaluation values of the corresponding service quality information;
determining a service quality reference value corresponding to each service quality information according to service state information and a state quality reference value corresponding to each service quality information;
and determining a quality evaluation result corresponding to each service quality information according to each service quality evaluation value and each service quality reference value.
Optionally, the method further includes:
dividing value intervals of the quality evaluation result in advance, and setting a corresponding security protection level for each value interval;
and configuring a corresponding security policy for each security protection level, where each security policy includes at least a configured amount of computing performance resources, an encryption strength level, a total amount of concurrent service, and a key management level.
Optionally, the preset condition includes: the absolute value of the quality evaluation result is the minimum.
In a second aspect, an apparatus for configuring a security policy in a network slice is provided, including:
an obtaining unit, configured to determine a target network slice providing a service for a target service, obtain information values corresponding to quality of service information of the target service and service state information of the target service, and obtain a weight parameter and a state quality reference value configured for each quality of service information;
a determining unit, configured to determine, according to each information value and service state information corresponding to the target service, and a weight parameter and a state quality reference value corresponding to each piece of service quality information, a quality evaluation result corresponding to each piece of service quality information;
and the arranging unit is used for determining a target quality evaluation result meeting a preset condition in each quality evaluation result, acquiring a security policy corresponding to the value of the target quality evaluation result, and arranging the security policy into the target network slice for execution.
Optionally, when determining the target network slice providing service for the target service, the obtaining unit is configured to:
determining a business service requirement corresponding to a target business, and determining a business scene corresponding to the target business;
and determining a target network slice customized according to the business scene and the business service requirement.
Optionally, when the information value corresponding to each piece of quality of service information corresponding to the target service and the service state information of the target service are obtained, the obtaining unit is configured to:
acquiring network local topology information, data load information, safety isolation information, network communication hop count information and communication bandwidth information corresponding to the target service by adopting a preset data acquisition interface, and acquiring a service state change rate corresponding to the target service;
and taking the network local topology information, the data load information, the safety isolation information, the network communication hop count information and the communication bandwidth information as each service quality information corresponding to the target service, and taking the service state change rate as the service state information corresponding to the target service.
Optionally, when determining the quality evaluation result corresponding to each piece of service quality information according to each information value and service state information corresponding to the target service, and the weight parameter and state quality reference value corresponding to each piece of service quality information, respectively, the determining unit is configured to:
respectively calculating information weighting results corresponding to the service quality information according to the information values and the weighting parameters corresponding to the service quality information, and respectively using the information weighting results as service quality evaluation values of the corresponding service quality information;
determining a service quality reference value corresponding to each service quality information according to service state information and a state quality reference value corresponding to each service quality information;
and determining a quality evaluation result corresponding to each service quality information according to each service quality evaluation value and each service quality reference value.
Optionally, the apparatus further includes a creating unit, where the creating unit is configured to:
dividing value intervals of the quality evaluation result in advance, and setting a corresponding security protection level for each value interval;
and configuring a corresponding security policy for each security protection level, where each security policy includes at least a configured amount of computing performance resources, an encryption strength level, a total amount of concurrent service, and a key management level.
Optionally, the preset condition includes: the absolute value of the quality evaluation result is the minimum.
In a third aspect, a computer-readable electronic device is provided, comprising:
a memory for storing executable instructions;
a processor configured to read and execute executable instructions stored in the memory to implement the method of any of the first aspect.
In a fourth aspect, a storage medium, wherein instructions, when executed by an electronic device, enable the electronic device to perform the method of any of the first aspect.
The invention has the following beneficial effects:
the application provides a method, a device, equipment and a medium for configuring a security policy in a network slice. A target network slice that provides service for a target service is determined; the information value of each piece of service quality information corresponding to the target service and the service state information of the target service are acquired; the weight parameter and state quality reference value configured for each piece of service quality information are acquired; a quality evaluation result is determined for each piece of service quality information according to the information values and service state information corresponding to the target service and the weight parameters and state quality reference values corresponding to each piece of service quality information; the target quality evaluation result meeting a preset condition is determined among the quality evaluation results; and the security policy corresponding to the value of the target quality evaluation result is acquired and arranged into the target network slice for execution.
Therefore, the security policy matched to the target network slice currently serving the target service can be evaluated from the actually acquired service state information of the target service, the information value of each piece of service quality information under the target service, and the weight parameter and state quality reference value of each piece of service quality information. An appropriate security policy is thus determined from the current service condition and arranged into the target network slice for execution, so that security policy determination and security policy arrangement act together and the target network slice executes a security policy suited to the current service execution condition when it subsequently provides the service. In other words, the existing security policy can be adjusted according to the service operation state, and the security policy is established on the basis of the actual service quality and service state. The method therefore plays a more effective protective role in the business service process, improves the security of the business service, and more flexibly supports changing business security requirements.
Drawings
FIG. 1 is a general architecture diagram of an end-to-end network slice in an embodiment of the present application;
FIG. 2 is a schematic diagram of a network slice architecture in an embodiment of the present application;
fig. 3 is a schematic configuration flow diagram of a security policy in a network slice in an embodiment of the present application;
fig. 4 is a schematic logical structure diagram of a configuration apparatus for a security policy in a network slice in an embodiment of the present application;
fig. 5 is a schematic diagram of a hardware component structure of an electronic device to which an embodiment of the present application is applied.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments, but not all embodiments, of the technical solutions of the present application. All other embodiments obtained by a person skilled in the art without any inventive step based on the embodiments described in the present application are within the scope of the protection of the present application.
The terms "first," "second," and the like in the description and in the claims of the present application and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein.
A network slice is a product of 5G technology: an organizational structure and service-providing mode offered by 5G in standalone (SA) networking mode. Using the 5G network, it can provide logical virtual network services with different security levels and different service qualities for different user requirements and scenarios. By elaborating and flexibly operating the functions, performance, isolation, operation and maintenance and other aspects of the network, it can create and continuously provide a customized dedicated network with customizable capabilities, provide network slice services with guaranteed performance, and provide mutually isolated, customizable functions for different vertical industries. These network services are embodied in basic network communication, resources, customized functions, networking, security, and other aspects.
The network slice takes an end-to-end form and realizes flexible allocation of network resources and combination of network capabilities on demand, so that a plurality of logical subnets with different characteristics can be virtualized on top of a physical 5G system. Each end-to-end network slice comprises a slice radio access subnet, a slice bearer subnet and a slice core subnet, and unified management is realized by means of an end-to-end slice management system. Network slicing is built on a Network Function Virtualization (NFV) and Software Defined Networking (SDN) infrastructure.
Referring to fig. 1, which is a schematic diagram of a general architecture of an end-to-end network slice in an embodiment of the present application, it can be seen from the schematic content in fig. 1 that models included in the general architecture of the network slice are specifically as follows:
Communication Service Management Function (CSMF): provides services such as slice service ordering and high-level Service Level Agreement (SLA) setting for users, converts user service requirements and SLAs, and passes the converted requirements to the Network Slice Management Function (NSMF).
NSMF: responsible for managing and orchestrating network slice instances; sets and converts the requirements and low-level SLAs related to the network slice into requirements and parameters related to network slice subnet instances, and issues them to the Network Slice Subnet Management Function (NSSMF).
NSSMF: responsible for management and orchestration of network slice subnet instances; generates a Network Service (NS) resource model and service configuration according to the requirements related to the slice subnet instance (such as radio access technology, bandwidth, end-to-end delay, Quality of Service (QoS) and the like), and sends them to the NFV Orchestrator (NFVO) and the Element Management System (EMS). Each network slice subnet (radio access subnet, bearer subnet, core subnet) logically has a corresponding NSSMF and EMS, and an EMS can provide a management function for one or more network functions.
Radio Access Network (RAN): flexible sub-slice customization can be performed according to the different SLA requirements of different services issued by the NSMF. Slice awareness, Access and Mobility Management Function (AMF) selection and rewriting, QoS flow mapping and the like are provided. The Centralized Unit (CU) is separated from the Distributed Unit (DU) and managed by the RAN EMS. Management and Orchestration (MANO) provides overall management and orchestration of NFV, interfaces upward to the Operations Support System/Business Support System (OSS/BSS), and is composed of the NFV Orchestrator (NFVO), the Virtual Network Function Manager (VNFM) and the Virtual Infrastructure Manager (VIM).
Bearer Network (BN): a Sliced Packet Network (SPN) can be transported, supporting multiple virtual, independent logical networks in the same physical network, each with its own independent network resources. The functions inside the BN include the Network Control Orchestrator (NCO) and the Software Defined Network Controller (SDNC).
Core Network (CN): uses SA networking and constructs network slices on a service-based architecture; supports slice subscription, selection and capability exposure, slice interworking, multi-level security isolation of slices, and the like. The functions involved in the CN implementation include the virtual Broadband Remote Access Server (vBRAS), the Access and Mobility Management Function (AMF), the User Plane Function (UPF), MANO (including the NFVO, VNFM and VIM) and the basic infrastructure NFVI. It should be noted that the AMF is responsible for access and mobility management of the user, and the UPF is responsible for user plane processing.
At present, in order to implement security protection in a network slice, a solid security protection mechanism is generally set for different services in a targeted manner, and a corresponding security policy is determined while the network slice is formed, so that the pre-established security policy plays a role in protection when the configured network slice provides a service for a specified service.
However, this protection method only implements protection based on a pre-established protection policy, and cannot implement effective security protection in a variable service process, and cannot cope with variable service states, so that the configured security policy cannot meet the security protection requirement.
The technical solution is as follows: a target network slice that provides service for a target service is determined; the information value of each piece of service quality information corresponding to the target service and the service state information of the target service are obtained; the weight parameter and state quality reference value configured for each piece of service quality information are obtained; a quality evaluation result is determined for each piece of service quality information according to the information values and service state information corresponding to the target service and the weight parameters and state quality reference values corresponding to each piece of service quality information; the target quality evaluation result meeting a preset condition is determined among the quality evaluation results; and the security policy corresponding to the value of the target quality evaluation result is acquired and arranged into the target network slice for execution.
Therefore, the security policy matched to the target network slice currently serving the target service can be evaluated from the actually acquired service state information of the target service, the information value of each piece of service quality information under the target service, and the weight parameter and state quality reference value of each piece of service quality information. An appropriate security policy is thus determined from the current service condition and arranged into the target network slice for execution, so that security policy determination and security policy arrangement act together and the target network slice executes a security policy suited to the current service execution condition when it subsequently provides the service. In other words, the existing security policy can be adjusted according to the service operation state, and the security policy is established on the basis of the actual service quality and service state. The method therefore plays a more effective protective role in the business service process, improves the security of the business service, and more flexibly supports changing business security requirements.
Preferred embodiments of the present application will be described in further detail below with reference to the accompanying drawings:
It should be noted that the technical solution provided in the embodiment of the present application is applied on the core network side: a dynamic security architecture is designed for the network slice, and a new security architecture is introduced to combine 5G network slices with vertical industry applications at the application security level. Business applications of the vertical industry can thereby be supported more specifically, a corresponding security protection mechanism can be customized for the network slice according to business service requirements, and a dynamic security policy can be provided.
In addition, the technical solution provided by the application can be deployed in software form in a processing device on the core network side, which makes the configuration method for the security policy in the network slice easy to update, upgrade and extend, flexibly meets the continuously changing application security requirements of vertical industries, and widens the range of application of the configuration method. The following describes the technical solution proposed in the present application in detail, taking a processing device on the core network side as the sole execution subject.
Referring to fig. 2, which is a schematic diagram of a network slice architecture in the embodiment of the present application, the following describes functions of components used in a configuration process of a security policy in the embodiment of the present application with reference to fig. 2:
In the secure network slice architecture illustrated in fig. 2, a processing device on the core network side customizes a corresponding network slice for each vertical industry application in a targeted manner according to the different security requirements of different vertical industry applications. In the technical solution disclosed in the present application, the configuration of a security policy in a network slice involves the module components marked by the dotted line in fig. 2, specifically a QoS dynamic evaluation module for evaluating service quality information, a security protection level management and control module, a security policy refinement analysis module, and a service security management module, as follows:
1) QoS dynamic evaluation module
This module is used to acquire, in real time or periodically and through various application data acquisition interfaces, the parameters related to service quality in the various service processing processes. Specifically, after the target network slice providing service for the target service is determined, it acquires the information value of each piece of service quality information corresponding to the target service and the service state information of the target service, acquires the weight parameter and state quality reference value configured for each piece of service quality information, and determines a quality evaluation result for each piece of service quality information according to the information values and service state information corresponding to the target service and the weight parameters and state quality reference values corresponding to each piece of service quality information.
Further, after the target quality evaluation result is screened out of the quality evaluation results, the corresponding security protection level is determined from the pre-established correspondence between value intervals of the quality evaluation result and security protection levels.
2) Security protection level management and control module
This module is used to determine the matched security policy according to the obtained security protection level and to send the content constrained by the determined security policy, in the form of an instruction, to the security policy refinement analysis module.
For example, if the matched security protection level determined from the service quality information and service state information collected at a certain time is level n, the security policy corresponding to level n may be: configured computational performance resources: the computing power of the CPU is x GHz; resource scheduling is M concurrent devices; the key length of the encryption algorithm used for data transmission is a bits; the authority is priority access; and key management uses 2-level symmetric key pair distribution.
3) Security policy refinement analysis module
This module is used to further refine the received security policy into specific execution operations and send them to the VIM/MANO component; the SDN and NFV then generate the corresponding network slice. The refined analysis covers resource management configuration, resource scheduling configuration, authority control configuration, key management configuration, and the like.
4) Service security management module
This module provides a mechanism, parallel to the automatic calculation of the security protection level, by which the security policy can be determined directly: in some special application scenarios, a configured security protection level can be received, and security protection of the target network slice is implemented according to the security policy corresponding to the received security protection level.
Based on the component modules illustrated in fig. 2, when configuring the security policy in a network slice in real time or periodically on the basis of the cryptographic security assurance mechanism of NFV/SDN, the processing device can establish an effective security policy for the network slice, dynamically provide an optimal secure channel for the secure transmission of service data, and ensure the confidentiality and integrity of data transmission and prevent replay attacks throughout a process in which environmental factors change constantly. Meanwhile, by means of this configuration mode of the security policy in the network slice, security services can be provided in a differentiated manner to vertical industry users with different security protection levels, which amounts to achieving both requirement customization and dynamic adjustment.
It should be noted that the demand customization mainly solves the differentiated demand of the vertical industry, and affects the resource scheduling and security policy of the 5G network slice. The dynamic adjustment is to determine a matched security policy according to the change of relevant factors in the service processing process under different application scenarios, and to optimize the security protection in the network slice by using the matched security policy.
Referring to fig. 3, which is a schematic view illustrating a configuration flow of a security policy in a network slice in the embodiment of the present application, a process of a processing device executing configuration of the security policy in the network slice in the embodiment of the present application will be described with reference to fig. 3:
step 301: the processing equipment determines a target network slice for providing service for a target service, acquires information values corresponding to all service quality information under the target service and service state information of the target service, and acquires weight parameters and state quality reference values configured for all the service quality information respectively.
In the embodiment of the application, a processing device determines a service requirement corresponding to a target service, determines a service scene corresponding to the target service, and determines a target network slice customized according to the service scene and the service requirement.
Specifically, the processing device determines the service requirement corresponding to a target service triggered by a target object according to the service request triggered by the target object for that target service, where the service requirement at least includes a data transmission requirement and the requirement parameters used for determining a network slice in the related art. The processing device then determines the corresponding target network slice according to the service requirement and the service scenario corresponding to the target service.
It should be noted that, since the present application focuses on the targeted configuration of an effective protection policy for a network slice according to the actual service quality and service state in a service scenario, the present application does not describe the process of determining the service scenario corresponding to a service or the process of determining the target network slice corresponding to a target service. Determining the service scenario and service requirement corresponding to a target service, and determining the target network slice corresponding to the target service, are mature technologies in the field and will not be described herein. In the application, corresponding service scenarios are configured for the services of different vertical industries, where a service scenario may be one of Enhanced Mobile Broadband (eMBB), Ultra Reliable and Low Latency Communication (URLLC), and massive Machine Type Communication or massive Internet of Things service (mMTC).
Therefore, the target network slice capable of providing service for the target service can be determined corresponding to the target service and the service scene corresponding to the target service.
In this embodiment of the application, in order to better determine a service condition provided by the target network slice, the processing device may obtain an information value corresponding to each piece of service quality information under the target service and service state information of the target service, and obtain a weight parameter and a state quality reference value configured for each piece of service quality information.
Specifically, when acquiring the service quality information and service state information corresponding to a target service, the processing device may acquire the network local topology information, data load amount information, security isolation information, network communication hop count information, and communication bandwidth information corresponding to the target service, and acquire the service state change rate corresponding to the target service. The network local topology information, data load amount information, security isolation information, network communication hop count information, and communication bandwidth information are then used as the pieces of service quality information corresponding to the target service, and the service state change rate is used as the service state information corresponding to the target service, where the service state information indicates how the state changes during service processing.
For example, in the car networking service, each piece of service quality information obtained corresponding to the car networking service at least includes application complexity (network topology) information, security isolation information, network communication hop count information, communication bandwidth, and data load information; the obtained service state information may be running speed information of the vehicle.
It should be noted that, in the embodiment of the present application, specific contents included in each piece of service quality information are determined according to an actual service scenario, and the processing device may adaptively adjust parameter information included in each piece of service quality information according to service scenarios of different vertical industries.
In addition, among the pieces of service quality information, the network local topology information can be obtained from the topology structure table of the operator's base stations, the security isolation information can be obtained from the requirements of the application service type, and the network hop count, communication bandwidth, and the like can be obtained from the network state of the 5G network operator.
Therefore, each service quality information and service state information for evaluating the service can be obtained, and a processing basis is provided for the subsequent quality evaluation aiming at each service quality information of the target service.
In this embodiment of the application, the processing device may further obtain a weight parameter and a state quality reference value configured for each piece of service quality information. The weight parameters are set according to actual processing needs, and the sum of the weight parameters corresponding to all pieces of service quality information is 1. The larger the value of a weight parameter, the higher the attention paid to the corresponding piece of service quality information, that is, the larger its influence in the service quality evaluation; conversely, the smaller the weight parameter, the lower the attention paid to that piece of service quality information and the smaller its influence in the service quality evaluation.
It should be noted that, in services of different vertical industries, the weight parameters configured for each piece of service quality information may differ. The state quality reference values configured for each piece of service quality information represent the value each piece of service quality information takes per unit of state information; each state quality reference value is set according to actual processing needs, and the state quality reference values corresponding to different pieces of service quality information may be the same or different, which this application does not specifically limit.
For example, the corresponding state quality reference value in the car networking service may be a value result of each piece of service quality information at a unit speed.
In addition, in the embodiment of the application, the processing device may periodically or in real time acquire the information value and the service state information corresponding to each piece of service quality information according to the actual processing requirement, and execute a scheme for subsequently determining the security policy matched with the target network slice according to each piece of acquired service quality information and service state information.
Therefore, equivalently, a dynamic evaluation mechanism is introduced at the core network side, the service condition of the current target network slice can be dynamically determined according to the instant conditions of various service quality information and service state information in an application scene, and a processing basis is provided for subsequently determining a security policy matched with the service condition based on the service condition.
Step 302: and the processing equipment respectively determines the quality evaluation result corresponding to each service quality information according to each information value and service state information corresponding to the target service and the weight parameter and state quality reference value corresponding to each service quality information.
In this embodiment, the processing device may calculate an information weighting result for each piece of service quality information according to the information value and weight parameter corresponding to that piece of service quality information, use each information weighting result as the service quality evaluation value of the corresponding service quality information, determine the service quality reference value corresponding to each piece of service quality information according to the service state information and the state quality reference value corresponding to that piece of service quality information, and then determine the quality evaluation result corresponding to each piece of service quality information according to the service quality evaluation values and service quality reference values.
Specifically, the processing device may construct a corresponding service quality matrix from the information values corresponding to the respective pieces of service quality information under the target service, and construct a corresponding weight parameter matrix from the weight parameters corresponding to the respective pieces of service quality information, where the weight parameter matrix is a diagonal matrix.
In the following, it will be schematically described that the service quality information includes network local topology information, data load information, security isolation information, network communication hop count information, and communication bandwidth information, in this embodiment, the number of information included in the service quality information is different according to a specific application scenario, and the present application is not limited specifically.
Tp represents network local topology information, En represents data load information, Sn represents security isolation information, Nh represents network communication hop count information, and Bc represents communication bandwidth information. According to the information value of each piece of service quality information obtained at the current time t, the service parameter matrix PM(t) that can be constructed is:
$$PM(t)=\langle QoS_{Tp}(t),\ QoS_{En}(t),\ QoS_{Sn}(t),\ QoS_{Nh}(t),\ QoS_{Bc}(t),\ \ldots\rangle$$
Suppose $W_{Tp}$ denotes the weight parameter corresponding to the network local topology information, $W_{En}$ the weight parameter corresponding to the data load information, $W_{Sn}$ the weight parameter corresponding to the security isolation information, $W_{Nh}$ the weight parameter corresponding to the network communication hop count information, and $W_{Bc}$ the weight parameter corresponding to the communication bandwidth information. According to the attention paid to the different pieces of service quality information in the actual service scenario, the corresponding weight parameter matrix QoS(A) is established in the following form:
$$QoS(A)=\begin{bmatrix} W_{Tp} & 0 & 0 & 0 & 0 \\ 0 & W_{En} & 0 & 0 & 0 \\ 0 & 0 & W_{Sn} & 0 & 0 \\ 0 & 0 & 0 & W_{Nh} & 0 \\ 0 & 0 & 0 & 0 & W_{Bc} \end{bmatrix}$$
where $W_{Tp}+W_{En}+W_{Sn}+W_{Nh}+W_{Bc}=1$.
Assuming that the weight parameter configured for the network local topology information is 0.3, the weight parameter configured for the data load information is 0.2, the weight parameter configured for the security isolation information is 0.2, the weight parameter configured for the network communication hop count information is 0.15, and the weight parameter configured for the communication bandwidth information is 0.15, the weight parameter vector constructed correspondingly is:
$$QoS(A)=\mathrm{diag}(0.3,\ 0.2,\ 0.2,\ 0.15,\ 0.15)$$
note that the sum of the weight parameters configured for the respective pieces of quality of service information is 1.
Further, based on the weight parameters configured for each piece of service quality information, the processing device determines the service quality evaluation value corresponding to each piece of service quality information using the following formula:
$$QoS(P)=PM(t)\times QoS(A)$$
where QoS(P) represents the service quality state matrix formed by the service quality evaluation values corresponding to each piece of service quality information at time t, QoS(A) represents the weight parameter matrix set corresponding to each piece of service quality information, and PM(t) represents the service parameter matrix formed by the information values corresponding to each piece of service quality information.
When the service quality reference value corresponding to the service is determined according to the state quality reference value corresponding to each piece of service quality information and the service state information of the service, the following formula is used:
$$QoS_{ck}=S(t)\cdot E_{QoS}$$
where $QoS_{ck}$ denotes the service quality reference matrix formed by the service quality reference values corresponding to the respective pieces of service quality information, and $QoS_{ck}$ is a matrix with 1 row and m columns; S(t) is the service state information corresponding to the current time t; $E_{QoS}$ denotes the reference value matrix determined by the ideal state quality reference values corresponding to the respective pieces of service quality information, and $E_{QoS}$ is a diagonal matrix.
When $E_{QoS}$ is composed of 5 pieces of service quality information, specifically the ideal state quality reference value Tp(ck) corresponding to the network local topology information, the ideal state quality reference value En(ck) corresponding to the data load information, the ideal state quality reference value Sn(ck) corresponding to the security isolation information, the ideal state quality reference value Nh(ck) corresponding to the network communication hop count information, and the ideal state quality reference value Bc(ck) corresponding to the communication bandwidth information, it can be organized into the following matrix:
$$E_{QoS}=\begin{bmatrix} Tp(ck) & 0 & 0 & 0 & 0 \\ 0 & En(ck) & 0 & 0 & 0 \\ 0 & 0 & Sn(ck) & 0 & 0 \\ 0 & 0 & 0 & Nh(ck) & 0 \\ 0 & 0 & 0 & 0 & Bc(ck) \end{bmatrix}$$
it should be noted that, in the embodiment of the present application, the state quality reference value corresponding to each piece of service quality information may be obtained from statistics in a large number of application practices in the same service scenario, or may be set according to actual processing needs, where the state quality information is used to represent a value that each piece of service quality information needs to reach in a current service state.
Further, after determining the service quality evaluation value and the service quality reference value corresponding to each of the service quality information, determining a quality evaluation result corresponding to each of the service quality information based on a difference between the service quality reference value and the service quality evaluation value of the service quality information.
Specifically, when determining the quality evaluation result corresponding to each piece of service quality information, the following formula is used:
$$\min\left(\left|\{S(t)\cdot E_{QoS}-QoS(P)\}\right|\right)$$
In the embodiment of the present application, the above algorithm for determining each quality evaluation result proceeds as follows: after the pieces of service quality information matching the service scenario of the target service are determined, the service quality evaluation value of each piece of service quality information in the current state is determined from the acquired information value and the weight parameter set for that piece of service quality information; the service quality reference value of each piece of service quality information is determined from its state quality reference value in the ideal state; and the matching security policy is then determined based on the minimum difference between each service quality evaluation value and the corresponding service quality reference value.
In addition, considering that the target application is in the actual business processing process, the service requirement and the environmental factor of the target business are changed along with the time. In order to ensure the best effect of the communication service, the method and the device combine various performance parameters in different states as service quality information, such as application complexity, safety isolation, node transfer hop count, communication bandwidth, data load capacity and the like. Therefore, when the security policy is configured at a certain time, the qos evaluation values of the qos information at the current time need to be calculated as the basis for subsequently determining the security policy.
It should be noted that, in the scenario of the car networking service, the service state information of the target service is specifically vehicle speed information.
Therefore, the service quality evaluation value and the service quality reference value corresponding to each service can be determined according to the information value, the state quality reference value and the weight parameter corresponding to each service quality information under the target service which is actually acquired and by combining the service state information of the target service, and a processing basis is provided for the adjustment of the subsequent security policy.
Step 303: and the processing equipment determines a target quality evaluation result meeting preset conditions in each quality evaluation result, acquires a security policy corresponding to the value of the target quality evaluation result, and arranges the security policy into the target network slice for execution.
Specifically, after obtaining the quality evaluation results corresponding to each piece of service quality information, the processing device screens out a target quality evaluation result satisfying a preset condition from the quality evaluation results, where the screening condition may be that the absolute value of the quality evaluation result is minimal, implemented by the following formula:
$$\min\left(\left|\{S(t)\cdot E_{QoS}-QoS(P)\}\right|\right)$$
Here, min() selects, among the quality evaluation results corresponding to the respective pieces of service quality information, the one quality evaluation result with the minimum absolute value, and "|" denotes the absolute value.
It should be noted that there is no linear relationship between the pieces of service quality information. Therefore, in this embodiment of the present application, when adjusting the security policy of the target network slice according to the quality evaluation results, the target quality evaluation result closest to the service quality reference value is screened out according to the service quality evaluation value and service quality reference value of each piece of service quality information, which is equivalent to determining the piece of service quality information closest to the ideal state (the service quality reference value), and the matching security policy is determined based on that service quality evaluation result.
In this way, the target quality evaluation result with the minimum value is screened from each service quality evaluation result, which is equivalent to screening out the service quality information with the minimum difference from the corresponding service quality reference value, namely screening out the optimal service quality information in the current state, and further performing the subsequent security policy judgment based on the screened target quality evaluation result.
And after determining a target quality evaluation result meeting preset conditions, the processing equipment acquires a security policy corresponding to the target quality evaluation result, and arranges the security policy into a target network slice for providing service for a target service.
In the embodiment of the application, the processing device generally divides the quality evaluation result into value intervals in advance, sets a corresponding security protection level for each value interval, and configures a corresponding security policy for each security protection level, where a security policy at least includes the configured amount of computational performance resources, the encryption strength level, the total number of concurrently processed services, and the key management level.
Specifically, the processing device may set a value range of each quality evaluation result according to actual processing requirements, set a corresponding security protection level for each value range, and set a corresponding security policy for each security protection level.
For example, three value ranges are set, respectively [0, 9), [9, 99), and [99, + ∞), and the value range [0, 9) is set to the low safety protection level, the value range [9, 99) is set to the medium safety protection level, and the value range [99, + ∞) is set to the high safety protection level. For a low security protection level, the configured security policy is: in the aspect of computing performance resources, the main frequency of a processor is set to be 1GHz, an encryption algorithm of data transmission is set to be 128 bits, resource scheduling is set to be 10 concurrent devices, and key management adopts 1-level symmetric key pair distribution; aiming at the medium safety protection level, the configured safety strategy is as follows: in the aspect of computing performance resources, the main frequency of a processor is set to be 1.5GHz, an encryption algorithm for data transmission is set to be 256 bits, resource scheduling is set to be 12 concurrent devices, and 2-level symmetric key pairs are adopted for key management and distribution; for a high security protection level, the configured security policy is: in the aspect of computing performance resources, the main frequency of a processor is 2GHz, an encryption algorithm for data transmission is 512 bits, resource scheduling is 15 concurrent devices, and key management adopts 3-level symmetric key pair distribution.
Based on this, after determining the target quality evaluation result, the processing device determines the safety protection level corresponding to the target quality evaluation result, and then determines the corresponding safety strategy according to the determined safety protection level.
It should be noted that the orchestration of policies in the target network slice is a mature technology in the field, and is not described herein again.
Therefore, the synergistic effect of the security policy determination and the security policy arrangement is realized, so that the target network slice can execute the security policy which is adaptive to the current service execution condition when providing services subsequently, which is equivalent to adjusting the existing security policy according to the service running state, so that the customization of the security policy is based on the actual service quality and service state, the effective protection effect can be better played in the service process, the security of the service is improved, and the changed service security requirement is more flexibly supported.
In the following, the process of determining the security policy in the target network slice serving a car networking service is described by taking as an example a car networking service triggered by car C, where the target service corresponds to the URLLC service scenario:
S1: After receiving the service request sent by car C, the processing device on the 5G core network side acquires the instantaneous speed V(t1) = 10 of car C as the service state information, and the acquired service quality information includes: network topology Tp(t1) = 5; data load En(t1) = 2; security isolation Sn(t1) = 3; network communication hop count Nh(t1) = 2; communication bandwidth Bc(t1) = 0.6. The corresponding service quality matrix QoS(t1) is constructed as follows:
$$QoS(t_1)=[5\ \ 2\ \ 3\ \ 2\ \ 0.6]$$
S2: The processing device calculates the quality evaluation result corresponding to each piece of service quality information in the car networking service of car C.
The processing device acquires the state quality reference values set for the respective pieces of service quality information: network topology Tp(ck) = 0.2; data load En(ck) = 0.2; security isolation Sn(ck) = 0.2; network communication hop count Nh(ck) = 0.2; communication bandwidth Bc(ck) = 0.2. The corresponding matrix $E_{QoS}$ is constructed as follows:
$$E_{QoS}=\mathrm{diag}(0.2,\ 0.2,\ 0.2,\ 0.2,\ 0.2)$$
S3: The processing device acquires the weight parameters set for the respective pieces of service quality information: network topology $W_{Tp}$ = 0.3; data load $W_{En}$ = 0.2; security isolation $W_{Sn}$ = 0.2; network communication hop count $W_{Nh}$ = 0.15; communication bandwidth $W_{Bc}$ = 0.15. The corresponding matrix QoS(A) is constructed as follows:
$$QoS(A)=\mathrm{diag}(0.3,\ 0.2,\ 0.2,\ 0.15,\ 0.15)$$
S4: According to $S(t)\cdot E_{QoS}-QoS(P)$ and $QoS(P)=PM(t)\times QoS(A)$, the quality evaluation result corresponding to each piece of service quality information is calculated, giving:
$$S(t_1)\cdot E_{QoS}-QoS(P)=[2\ \ 2\ \ 2\ \ 2\ \ 2]-[1.5\ \ 0.4\ \ 0.6\ \ 0.3\ \ 0.09]=[0.5\ \ 1.6\ \ 1.4\ \ 1.7\ \ 1.91]$$
Further, the target quality evaluation result is obtained with the following formula:
$$\min\left(\left|\{S(t)\cdot E_{QoS}-QoS(P)\}\right|\right)$$
so that $\min(|\{0.5,\ 1.6,\ 1.4,\ 1.7,\ 1.91\}|)=0.5$.
S5: The processing device takes the quality evaluation result with the minimum absolute value among all quality evaluation results as the target quality evaluation result, and determines the security policy corresponding to the target quality evaluation result.
In particular, the processing device applies $\min(|\{S(t)\times E_{QoS}-QoS(P)\}|)$ to obtain the result of min(0.5, 1.6, 1.4, 1.7, 1.91), determines that the target quality evaluation result is 0.5, then determines the security protection level corresponding to the target quality evaluation result, and determines the security policy corresponding to that security protection level.
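The evaluation of Steps 301 to 303, the value-interval table of the earlier example (low, medium and high levels) and the S1 to S5 walkthrough for car C, as an added Python example that is not part of the patent: all function and class names are assumptions, the inputs are the constructed values of the walkthrough, and the diagonal matrices QoS(A) and E_QoS are held as their diagonals.

```python
"""Added example (not the patent's own code): QoS dynamic evaluation of a
network slice and mapping of the target quality evaluation result onto a
security protection level and policy. Names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Order of the five pieces of service quality information (Tp, En, Sn, Nh, Bc).
QOS_FIELDS = ("Tp", "En", "Sn", "Nh", "Bc")


@dataclass(frozen=True)
class SecurityPolicy:
    level: str
    cpu_ghz: float           # computational performance resource
    key_bits: int            # encryption strength of data transmission
    concurrent_devices: int  # resource scheduling
    key_mgmt_level: int      # symmetric key pair distribution level


# Value intervals, levels and policies from the example in the description.
# Intervals are half-open [lo, hi); +inf closes the last one.
LEVEL_INTERVALS: List[Tuple[float, float, str]] = [
    (0.0, 9.0, "low"), (9.0, 99.0, "medium"), (99.0, float("inf"), "high"),
]
POLICIES: Dict[str, SecurityPolicy] = {
    "low": SecurityPolicy("low", 1.0, 128, 10, 1),
    "medium": SecurityPolicy("medium", 1.5, 256, 12, 2),
    "high": SecurityPolicy("high", 2.0, 512, 15, 3),
}


def check_weights(weights: Sequence[float], tol: float = 1e-9) -> None:
    """The weight parameters configured for the QoS information must sum to 1."""
    if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > tol:
        raise ValueError(f"weights must be non-negative and sum to 1: {weights}")


def evaluate(pm: Sequence[float], weights: Sequence[float],
             s_t: float, e_qos: Sequence[float]) -> List[float]:
    """Step 302: return S(t)*E_QoS - QoS(P) for each piece of QoS information.

    pm      - service parameter matrix PM(t): one information value per field
    weights - diagonal of the weight parameter matrix QoS(A)
    s_t     - service state information S(t) (vehicle speed in the example)
    e_qos   - diagonal of the ideal state quality reference matrix E_QoS
    """
    if not len(pm) == len(weights) == len(e_qos):
        raise ValueError("PM(t), QoS(A) and E_QoS must cover the same QoS fields")
    check_weights(weights)
    qos_p = [p * w for p, w in zip(pm, weights)]   # QoS(P) = PM(t) x QoS(A)
    qos_ck = [s_t * e for e in e_qos]              # QoS_ck = S(t) . E_QoS
    return [ck - p for ck, p in zip(qos_ck, qos_p)]


def select_target(results: Sequence[float]) -> Tuple[int, float]:
    """Step 303 screening: index and value of the result with minimum |value|."""
    idx = min(range(len(results)), key=lambda i: abs(results[i]))
    return idx, results[idx]


def level_for(target: float) -> str:
    """Map |target quality evaluation result| onto a security protection level."""
    value = abs(target)
    for lo, hi, level in LEVEL_INTERVALS:
        if lo <= value < hi:
            return level
    raise ValueError(f"no security protection level covers {value}")


def configure(pm: Sequence[float], weights: Sequence[float], s_t: float,
              e_qos: Sequence[float],
              configured_level: Optional[str] = None) -> SecurityPolicy:
    """Full flow. configured_level models the service security management
    module, which may hand in a protection level instead of computing one."""
    if configured_level is None:
        _, target = select_target(evaluate(pm, weights, s_t, e_qos))
        configured_level = level_for(target)
    if configured_level not in POLICIES:
        raise ValueError(f"unknown security protection level: {configured_level}")
    return POLICIES[configured_level]


if __name__ == "__main__":
    # Constructed input, taken from the S1-S4 walkthrough for car C at t1.
    pm_t1 = [5, 2, 3, 2, 0.6]
    qos_a = [0.3, 0.2, 0.2, 0.15, 0.15]
    e_qos = [0.2] * 5
    for name, r in zip(QOS_FIELDS, evaluate(pm_t1, qos_a, 10, e_qos)):
        print(f"{name}: {r:.2f}")          # Tp: 0.50, En: 1.60, ...
    print(configure(pm_t1, qos_a, 10, e_qos))  # low-level policy, 128-bit key
```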
With reference to the structure in fig. 2, after the QoS dynamic evaluation module determines the security level, the QoS dynamic evaluation module sends the security level to the security level management and control unit, and then the security level management and control unit adopts the security policy corresponding to the security level, configures a corresponding policy instruction, and issues the policy instruction to the refinement analysis module of the security policy, and then sends the refined security policy to the VIM/MANO component, and the SDN and NFV arrange the security policy into the target network slice.
For example, assume the determined security policy is: a processor with a dominant frequency of 1 GHz, 10 concurrent devices, a symmetric encryption algorithm with a 128-bit key, and key management using 1-level symmetric key pair distribution. The refined security policy is sent to the VIM/MANO component, and the SDN and NFV generate the corresponding network slice.
It should be noted that, in this embodiment of the application, the processing device may perform the operations of S1-S3 in a polling manner with a preset time length as a period, in the current time period, the target network slice itself has a corresponding initial security policy, where the initial security policy is initially configured as a default, or is set in a previous polling period, and after completing security arrangement on the target network slice, the target device may adopt an updated security policy to provide the vehicle C with the internet-of-vehicles service.
Thus, implementing the security policy configuration on the 5G network slice at the core network side amounts to a security architecture design for the network slice together with a security policy configuration process. Since the service state information and the corresponding service quality information may differ between vertical fields, the related information can be configured flexibly for each vertical field, and the degree of integration with, and the range of applicability to, vertical industry applications is enhanced along the two dimensions of network resource infrastructure and service processing, thereby supporting the application security requirements of vertical industries more flexibly and conveniently. In addition, as shown in fig. 2, the application adds a security level management and control module to the traditional network slice architecture. Using the dynamic analysis algorithm for determining the target quality evaluation result, this module evaluates the application scenario, data confidentiality requirement, network environment and other factors comprehensively, associates network slice resources with the various security capabilities, and fully matches the network slice resources and security policies to the application security requirements of the vertical industry, so that the service efficiency and security of the network slice are improved.
Based on the same inventive concept, referring to fig. 4, which is a schematic diagram of a logical structure of a configuration apparatus of a security policy in a network slice in an embodiment of the present application, a configuration apparatus 400 of a security policy in a network slice includes an obtaining unit 401, a determining unit 402, and an arranging unit 403, wherein,
an obtaining unit 401, configured to determine a target network slice providing a service for a target service, obtain information values corresponding to quality of service information of the target service and service state information of the target service, and obtain a weight parameter and a state quality reference value configured for each quality of service information;
a determining unit 402, configured to determine, according to each information value and the service state information corresponding to the target service, and the weight parameter and state quality reference value corresponding to each piece of quality of service information, a quality evaluation result corresponding to each piece of quality of service information respectively;
an arranging unit 403, configured to determine, among the quality evaluation results, a target quality evaluation result that meets a preset condition, obtain the security policy corresponding to the value of the target quality evaluation result, and arrange the security policy into the target network slice for execution.
Optionally, when determining the target network slice providing service for the target service, the obtaining unit 401 is configured to:
determining a business service requirement corresponding to a target business, and determining a business scene corresponding to the target business;
and determining a target network slice customized according to the business scene and the business service requirement.
Optionally, when obtaining the information value corresponding to each piece of quality of service information corresponding to the target service and the service state information of the target service, the obtaining unit 401 is configured to:
acquiring network local topology information, data load information, safety isolation information, network communication hop count information and communication bandwidth information corresponding to the target service by adopting a preset data acquisition interface, and acquiring a service state change rate corresponding to the target service;
and taking the network local topology information, the data load information, the safety isolation information, the network communication hop count information and the communication bandwidth information as each service quality information corresponding to the target service, and taking the service state change rate as the service state information corresponding to the target service.
Optionally, when determining the quality evaluation result corresponding to each piece of service quality information according to each information value and service state information corresponding to the target service, and the weight parameter and state quality reference value corresponding to each piece of service quality information, respectively, the determining unit 402 is configured to:
respectively calculating information weighting results corresponding to the service quality information according to the information values and the weighting parameters corresponding to the service quality information, and respectively using the information weighting results as service quality evaluation values of the corresponding service quality information;
determining a service quality reference value corresponding to each service quality information according to service state information and a state quality reference value corresponding to each service quality information;
and determining a quality evaluation result corresponding to each service quality information according to each service quality evaluation value and each service quality reference value.
Optionally, the apparatus further includes a creating unit 404, where the creating unit 404 is configured to:
dividing each value interval according to the quality evaluation result in advance, and setting corresponding safety protection grades corresponding to each value interval respectively;
and respectively configuring corresponding security policies aiming at the security levels, wherein the security policies at least comprise correspondingly configured computing performance resource amount, encryption intensity level, total amount of concurrent service and key management level.
Optionally, the preset conditions include: the absolute value of the service quality evaluation result is the minimum.
Based on the same inventive concept as the method embodiment described above, an electronic device is further provided in the embodiment of the present application, referring to fig. 5, which is a schematic diagram of a hardware composition structure of an electronic device to which the embodiment of the present application is applied, and the electronic device 500 may at least include a processor 501 and a memory 502. The memory 502 stores therein program code, which when executed by the processor 501, causes the processor 501 to perform any of the above-described steps of configuring a security policy in a network slice.
In some possible implementations, a computing device according to the present application may include at least one processor, and at least one memory. Wherein the memory stores program code that, when executed by the processor, causes the processor to perform the steps of configuring security policies in network slices according to various exemplary embodiments of the present application described above in this specification. For example, the processor may perform the steps as shown in fig. 3.
Based on the same inventive concept, in the embodiment based on the configuration of the security policy in the network slice in the embodiment of the present application, a computer-readable storage medium is provided, and when instructions in the storage medium are executed by an electronic device, the electronic device is enabled to execute the above configuration method of the security policy in the network slice.
In summary, the present application provides a method and an apparatus for configuring a security policy in a network slice. A target network slice providing a service for a target service is determined; the information values corresponding to the respective quality of service information of the target service and the service state information of the target service are obtained, together with the weight parameters and state quality reference values configured for the respective quality of service information. A quality evaluation result is then determined for each piece of quality of service information according to the respective information values and the service state information corresponding to the target service, and the weight parameters and state quality reference values corresponding to the respective quality of service information. Finally, a target quality evaluation result satisfying a preset condition is determined among the quality evaluation results, the security policy corresponding to the value of the target quality evaluation result is obtained, and that security policy is arranged into the target network slice for execution.
Thus, the security policy matched to the target network slice currently serving the target service can be evaluated from the actually acquired service state information of the target service, the information value corresponding to each piece of service quality information under the target service, and the weight parameter and state quality reference value corresponding to each piece of service quality information. An appropriate security policy is therefore determined from the current service condition and arranged into the target network slice for execution, so that security policy determination and security policy arrangement work together, and the target network slice executes a security policy suited to the current service execution condition when it subsequently provides the service. In other words, the existing security policy can be adjusted according to the service operation state, and because the security policy is customized on the basis of the actual service quality and service state, the method provides more effective protection during the business service process, improves the security of the business service, and supports changing business security requirements more flexibly.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.

Claims (14)

1. A method for configuring security policies in a network slice, comprising:
determining a target network slice for providing service for a target service, acquiring information values corresponding to all service quality information under the target service and service state information of the target service, and acquiring weight parameters and state quality reference values configured for all the service quality information respectively;
respectively determining quality evaluation results corresponding to the service quality information according to the information values and the service state information corresponding to the target service and the weight parameters and the state quality reference values corresponding to the service quality information;
and determining a target quality evaluation result meeting preset conditions in each quality evaluation result, acquiring a security policy corresponding to the value of the target quality evaluation result, and arranging the security policy into the target network slice for execution.
2. The method of claim 1, wherein the determining a target network slice to serve a target service comprises:
determining a business service requirement corresponding to a target business, and determining a business scene corresponding to the target business;
and determining a target network slice customized according to the business scene and the business service requirement.
3. The method according to claim 1, wherein the obtaining information values corresponding to the respective quality of service information corresponding to the target service and the service status information of the target service comprises:
acquiring network local topology information, data load information, safety isolation information, network communication hop count information and communication bandwidth information corresponding to the target service by adopting a preset data acquisition interface, and acquiring a service state change rate corresponding to the target service;
and taking the network local topology information, the data load information, the safety isolation information, the network communication hop count information and the communication bandwidth information as each service quality information corresponding to the target service, and taking the service state change rate as the service state information corresponding to the target service.
4. The method of claim 1, wherein the determining the quality evaluation result corresponding to each piece of the quality of service information according to each information value and the service status information corresponding to the target service and the weight parameter and the status quality reference value corresponding to each piece of the quality of service information respectively comprises:
respectively calculating information weighting results corresponding to the service quality information according to the information values and the weighting parameters corresponding to the service quality information, and respectively using the information weighting results as service quality evaluation values of the corresponding service quality information;
determining a service quality reference value corresponding to each service quality information according to service state information and a state quality reference value corresponding to each service quality information;
and determining a quality evaluation result corresponding to each service quality information according to each service quality evaluation value and each service quality reference value.
5. The method of any one of claims 1-4, further comprising:
dividing each value interval according to the quality evaluation result in advance, and setting corresponding safety protection grades corresponding to each value interval respectively;
and respectively configuring corresponding security policies aiming at the security levels, wherein the security policies at least comprise correspondingly configured computing performance resource amount, encryption intensity level, total amount of concurrent service and key management level.
6. The method of any one of claims 1 to 4, wherein the preset conditions include: the absolute value of the service quality evaluation result is the minimum.
7. An apparatus for configuring a security policy in a network slice, comprising:
an obtaining unit, configured to determine a target network slice providing a service for a target service, obtain information values corresponding to quality of service information of the target service and service state information of the target service, and obtain a weight parameter and a state quality reference value configured for each quality of service information;
a determining unit, configured to determine, according to each information value and service state information corresponding to the target service, and a weight parameter and a state quality reference value corresponding to each piece of service quality information, a quality evaluation result corresponding to each piece of service quality information;
and the arranging unit is used for determining a target quality evaluation result meeting a preset condition in each quality evaluation result, acquiring a security policy corresponding to the value of the target quality evaluation result, and arranging the security policy into the target network slice for execution.
8. The apparatus of claim 7, wherein the obtaining unit, when determining the target network slice serving the target service, is configured to:
determining a business service requirement corresponding to a target business, and determining a business scene corresponding to the target business;
and determining a target network slice customized according to the business scene and the business service requirement.
9. The apparatus according to claim 7, wherein, when obtaining the information value corresponding to each piece of quality of service information corresponding to the target service and the service status information of the target service, the obtaining unit is configured to:
acquiring network local topology information, data load information, safety isolation information, network communication hop count information and communication bandwidth information corresponding to the target service by adopting a preset data acquisition interface, and acquiring a service state change rate corresponding to the target service;
and taking the network local topology information, the data load information, the safety isolation information, the network communication hop count information and the communication bandwidth information as each service quality information corresponding to the target service, and taking the service state change rate as the service state information corresponding to the target service.
10. The apparatus according to claim 7, wherein, when determining the quality evaluation result corresponding to each piece of the quality of service information according to each information value and the service status information corresponding to the target service, and the weight parameter and the status quality reference value corresponding to each piece of the quality of service information, respectively, the determining unit is configured to:
respectively calculating information weighting results corresponding to the service quality information according to the information values and the weighting parameters corresponding to the service quality information, and respectively using the information weighting results as service quality evaluation values of the corresponding service quality information;
determining a service quality reference value corresponding to each service quality information according to service state information and a state quality reference value corresponding to each service quality information;
and determining a quality evaluation result corresponding to each service quality information according to each service quality evaluation value and each service quality reference value.
11. The apparatus according to any of claims 7-10, wherein the apparatus further comprises a creating unit for:
dividing each value interval according to the quality evaluation result in advance, and setting corresponding safety protection grades corresponding to each value interval respectively;
and respectively configuring corresponding security policies aiming at the security levels, wherein the security policies at least comprise correspondingly configured computing performance resource amount, encryption intensity level, total amount of concurrent service and key management level.
12. The apparatus of any one of claims 7-10, wherein the preset conditions include: the absolute value of the service quality evaluation result is the minimum.
13. A computer-readable electronic device, comprising:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in the memory to implement the method of any one of claims 1 to 6.
14. A storage medium, wherein instructions in the storage medium, when executed by an electronic device, enable the electronic device to perform the method of any of claims 1-6.
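The following is an added worked example, written for this page and not code from the patent or its assignee, of the selection procedure described by the obtaining, determining, arranging and creating units (paragraphs following fig. 4) and restated in claims 1 to 6: weighted information values give a service quality evaluation value per piece of quality of service information, the service state change rate and a state quality reference value give a service quality reference value, the two are combined into a quality evaluation result, the result with the smallest absolute value is taken as the target, and its value is mapped through pre-divided intervals to a security level and the policy configured for that level. The patent does not say how evaluation and reference values are combined; the product for reference values, the difference for results, the interval boundaries, the policy numbers and all sample inputs are constructed assumptions.

```python
"""Added example: slice security-policy selection as a weighted QoS evaluation.

Everything numeric here (weights, reference values, interval bounds, policy
contents) is constructed for illustration, not taken from the patent."""
from dataclasses import dataclass
from typing import Dict, Tuple

# The five kinds of service quality information the patent lists.
QOS_KINDS = ("local_topology", "data_load", "safety_isolation",
             "hop_count", "bandwidth")


@dataclass(frozen=True)
class SecurityPolicy:
    """The four policy elements the patent names for each security level."""
    compute_resource: int   # computing performance resource amount (assumed unit)
    encryption_level: int   # encryption intensity level
    concurrent_total: int   # total amount of concurrent service
    key_mgmt_level: int     # key management level


@dataclass(frozen=True)
class Band:
    """One pre-divided value interval [lower, upper) and its protection level."""
    lower: float
    upper: float
    level: int


# Created in advance (cf. the creating unit): intervals -> level, level -> policy.
# Constructed: a result well below the reference gets the strictest level 3.
BANDS = (Band(float("-inf"), -0.5, 3),
         Band(-0.5, 0.5, 2),
         Band(0.5, float("inf"), 1))
POLICIES: Dict[int, SecurityPolicy] = {
    1: SecurityPolicy(compute_resource=2, encryption_level=1, concurrent_total=1000, key_mgmt_level=1),
    2: SecurityPolicy(compute_resource=4, encryption_level=2, concurrent_total=500, key_mgmt_level=2),
    3: SecurityPolicy(compute_resource=8, encryption_level=3, concurrent_total=200, key_mgmt_level=3),
}


def evaluation_values(values: Dict[str, float], weights: Dict[str, float]) -> Dict[str, float]:
    """Service quality evaluation value: information value weighted by its parameter."""
    return {k: weights[k] * values[k] for k in QOS_KINDS}


def reference_values(change_rate: float, state_refs: Dict[str, float]) -> Dict[str, float]:
    """Service quality reference value from the service state change rate and the
    per-QoS state quality reference value; the product is an assumption."""
    return {k: change_rate * state_refs[k] for k in QOS_KINDS}


def quality_results(evals: Dict[str, float], refs: Dict[str, float]) -> Dict[str, float]:
    """Quality evaluation result per QoS kind: evaluation minus reference (assumption)."""
    return {k: evals[k] - refs[k] for k in QOS_KINDS}


def select_target(results: Dict[str, float]) -> Tuple[str, float]:
    """Preset condition: the result whose absolute value is the minimum (first on ties)."""
    kind = min(QOS_KINDS, key=lambda k: abs(results[k]))
    return kind, results[kind]


def level_for(value: float) -> int:
    """Map a target result value to its security protection level via the intervals."""
    for band in BANDS:
        if band.lower <= value < band.upper:
            return band.level
    raise ValueError(f"no value interval covers {value!r}")


@dataclass(frozen=True)
class Arrangement:
    target_kind: str
    target_value: float
    level: int
    policy: SecurityPolicy


def configure(values: Dict[str, float], weights: Dict[str, float],
              change_rate: float, state_refs: Dict[str, float]) -> Arrangement:
    """One polling period: collect (S1), evaluate (S2), select and arrange (S3).
    Refuses to run if any QoS kind lacks a value, weight or reference."""
    missing = [k for k in QOS_KINDS
               if k not in values or k not in weights or k not in state_refs]
    if missing:
        raise ValueError(f"missing configuration for {missing}")
    results = quality_results(evaluation_values(values, weights),
                              reference_values(change_rate, state_refs))
    kind, value = select_target(results)
    level = level_for(value)
    return Arrangement(kind, value, level, POLICIES[level])


# Constructed sample input for one target service in one polling period.
SAMPLE_VALUES = {"local_topology": 0.8, "data_load": 0.6, "safety_isolation": 0.9,
                 "hop_count": 0.3, "bandwidth": 0.7}
SAMPLE_WEIGHTS = {"local_topology": 1.0, "data_load": 2.0, "safety_isolation": 3.0,
                  "hop_count": 1.5, "bandwidth": 2.5}
SAMPLE_CHANGE_RATE = 0.5
SAMPLE_STATE_REFS = {"local_topology": 2.0, "data_load": 2.0, "safety_isolation": 4.0,
                     "hop_count": 1.0, "bandwidth": 3.0}

if __name__ == "__main__":
    print(configure(SAMPLE_VALUES, SAMPLE_WEIGHTS, SAMPLE_CHANGE_RATE, SAMPLE_STATE_REFS))
```

With the constructed sample, the hop count result (0.45 - 0.5 = -0.05) has the smallest absolute value, falls in the middle interval and selects level 2 and its policy; in a real deployment the combination rules, the intervals and the policies per level would be the operator's configuration, and the `missing` check is what stops a slice from being arranged on the basis of an incompletely configured evaluation.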
CN202111671114.5A 2021-12-31 2021-12-31 Method, device, equipment and medium for configuring security policy in network slice Active CN114363052B (en)

Publications (2)

Publication Number Publication Date
CN114363052A true CN114363052A (en) 2022-04-15
CN114363052B CN114363052B (en) 2022-11-18

Family

ID=81104476

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115484167A (en) * 2022-08-22 2022-12-16 爱浦路网络技术(南京)有限公司 Network slice shutdown method in communication network, computer device, and storage medium
CN115834054A (en) * 2022-11-23 2023-03-21 北京海泰方圆科技股份有限公司 Multilevel key level management method and device
WO2023240524A1 (en) * 2022-06-16 2023-12-21 Nokia Shanghai Bell Co., Ltd. Devices, methods, apparatuses, and computer readable media for network slice with high security

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111865872A (en) * 2019-04-26 2020-10-30 大唐移动通信设备有限公司 Method and equipment for realizing terminal security policy in network slice
WO2021223103A1 (en) * 2020-05-06 2021-11-11 Nokia Shanghai Bell Co., Ltd. Method and apparatus for preventing network attacks in a network slice
CN113676907A (en) * 2020-04-30 2021-11-19 华为技术有限公司 Method and equipment for determining quality of service (QoS) flow

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant