CN115113982A - Security resource pool security service matching method, device and storage medium

Info

Publication number: CN115113982A
Application number: CN202210824160.2A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 程筱彪, 徐雷
Original and current assignee: China United Network Communications Group Co Ltd
Legal status: Pending
Prior art keywords: container, real, value, time, security

Classifications

    • G06F9/45558: Hypervisor-specific management and integration aspects
    • G06F9/505: Allocation of resources, e.g. of the central processing unit [CPU], to service a request, the resource being a machine, e.g. CPUs, servers, terminals, considering the load
    • G06F9/5077: Logical partitioning of resources; management or configuration of virtualized resources
    • H04L67/10: Protocols in which an application is distributed across nodes in the network
    • G06F2009/45587: Isolation or security of virtual machine instances
    • G06F2209/5011: Pool

Abstract

The invention provides a security service matching method, device and storage medium for a security resource pool. The method comprises: periodically collecting statistics on the real-time performance indexes of each container corresponding to a target security module in the security resource pool; obtaining a real-time capability value for each container from its real-time performance indexes; acquiring a target security service requirement of a target platform for the target security module and, in response to that requirement, sorting the containers by real-time capability value; and selecting the container with the largest real-time capability value from the sorted containers to provide the target security service for the target platform. The method, device and storage medium address the problem that existing matching schemes generally poll each container resource in turn and match poorly, because they do not consider how quickly resources change in a cloud environment or how differently individual requirements consume security resources.

Description

Security resource pool security service matching method, device and storage medium
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method and an apparatus for matching security services in a security resource pool, and a storage medium.
Background
Traditional security measures are not suited to boundary protection in a cloud environment, so virtualization technology is used to run security product capabilities in a pooled virtual environment. Because the cloud environment changes frequently, however, ensuring that a new security service requirement is connected to the most appropriate security resources has become a difficult point.
Existing matching schemes generally poll each container resource in turn so that the number of accesses to each security resource is substantially the same. Such a scheme does not consider that, in a cloud environment, resources change quickly and different requirements consume very different amounts of security resources. It easily happens that accessed security resources are quickly destroyed and no longer occupy security resources, or that some requirements consume far more security resources than others, so the actual load of the security resources varies greatly and the matching is poor.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a security service matching method, device and storage medium for a security resource pool that at least solve the problem of poor matching in existing schemes, which generally poll each container resource and do not consider that resources change quickly in a cloud environment and that different requirements consume very different amounts of security resources.
In a first aspect, the present invention provides a secure service matching method for a secure resource pool, where the method includes:
periodically collecting statistics on the real-time performance indexes of each container corresponding to the target security module in the security resource pool;
obtaining a real-time capability value of each container according to the real-time performance indexes of each container;
acquiring a target security service requirement of a target platform for the target security module, and, in response to the target security service requirement, sorting the containers by real-time capability value;
and selecting the container with the largest real-time capability value from the sorted containers to provide the target security service for the target platform.
Further, the real-time performance indexes include a CPU real-time index, a bandwidth real-time index and a memory real-time index, and obtaining the real-time capability value of each container according to the real-time performance indexes of each container specifically includes:
calculating to obtain the CPU proportional value, the bandwidth proportional value and the memory proportional value of all the containers according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container;
respectively carrying out normalization processing on the CPU proportional value, the bandwidth proportional value and the memory proportional value;
calculating the load score of each container according to the CPU proportional value, the bandwidth proportional value and the memory proportional value after normalization processing;
obtaining a remaining load score list of each container under the target security module according to the load scores;
and calculating the real-time capability value of each container according to the remaining load score of each container in the remaining load score list.
Further, the calculating according to the real-time CPU index, the real-time bandwidth index, and the real-time memory index of each container to obtain the CPU ratio values, the bandwidth ratio values, and the memory ratio values of all the containers specifically includes:
dividing the sum of the CPU maximum performance indexes of all containers corresponding to the target security module by the sum of the CPU real-time indexes of all containers corresponding to the target security module to obtain the CPU proportional values of all containers;
dividing the sum of the bandwidth maximum performance indexes of all containers corresponding to the target security module by the sum of the bandwidth real-time indexes of all containers corresponding to the target security module to obtain the bandwidth proportion values of all containers;
and dividing the sum of the maximum performance indexes of the memories of all the containers corresponding to the target security module by the sum of the real-time indexes of the memories of all the containers corresponding to the target security module to obtain the memory proportion values of all the containers.
Further, the normalizing the CPU ratio value, the bandwidth ratio value, and the memory ratio value respectively includes:
dividing the CPU proportional value by the sum of all proportional values to obtain a normalized CPU proportional value;
dividing the bandwidth proportion value by the sum of all the proportion values to obtain a normalized bandwidth proportion value;
and dividing the memory proportion value by the sum of all proportion values to obtain a normalized memory proportion value.
Further, the calculating the load score of each container according to the CPU proportion value, the bandwidth proportion value, and the memory proportion value after the normalization processing specifically includes:
calculating a load score for each container according to the following formula:
$S_x = W_C \cdot X_C + W_B \cdot X_B + W_M \cdot X_M$
in the formula, $S_x$ represents the load score of the x-th container, $W_C$ represents the normalized CPU proportion value, $W_B$ represents the normalized bandwidth proportion value, $W_M$ represents the normalized memory proportion value, $X_C$ represents the average CPU load of the x-th container, $X_B$ represents the average bandwidth load of the x-th container, and $X_M$ represents the average memory load of the x-th container, where the value range of $W_C$, $W_B$ and $W_M$ is 0-100%.
Further, the obtaining of the remaining load score list of each container under the target security module according to the load score specifically includes:
subtracting the load score of each container from 1 to obtain the remaining load score of each container;
and constructing the remaining load score list according to the remaining load score of each container.
Further, the calculating the real-time capability value of each container according to the remaining load score of each container in the remaining load score list specifically includes:
calculating the real-time capability value of each container according to the following formula:
Figure BDA0003745720000000031
in the formula, $R(S_x)$ represents the real-time capability value of the x-th container, $S_x$ represents the load score of the x-th container, $1-S_x$ represents the remaining load score of the x-th container, and
Figure BDA0003745720000000041
representing the sum of the remaining load scores for all containers.
In a second aspect, the present invention provides a secure service matching apparatus for a secure resource pool, including:
an index statistics module, used for periodically collecting statistics on the real-time performance indexes of each container corresponding to the target security module in the security resource pool;
a capability value acquisition module, connected with the index statistics module and used for obtaining the real-time capability value of each container according to the real-time performance indexes of each container;
a capability value sorting module, connected with the capability value acquisition module and used for acquiring a target security service requirement of a target platform for the target security module and, in response to the target security service requirement, sorting the containers by real-time capability value;
and a security service matching module, connected with the capability value sorting module and used for selecting the container with the largest real-time capability value from the sorted containers to provide the target security service for the target platform.
In a third aspect, the present invention provides a secure resource pool secure service matching apparatus, including a memory and a processor, where the memory stores a computer program, and the processor is configured to run the computer program to implement the secure resource pool secure service matching method according to the first aspect.
In a fourth aspect, the present invention provides a computer-readable storage medium, having a computer program stored thereon, where the computer program, when executed by a processor, implements the secure resource pool security service matching method according to the first aspect.
The security service matching method, device and storage medium provided by the invention take into account that, in a cloud environment, resources change quickly and different requirements consume very different amounts of security resources. The real-time performance indexes of each container corresponding to a target security module in the security resource pool are first collected periodically, and the real-time capability value of each container is obtained from them. When a target security service requirement of a target platform for the target security module is acquired, the containers are sorted by real-time capability value in response to that requirement, and the container with the largest real-time capability value is selected from the sorted containers to provide the target security service for the target platform. This achieves optimal matching of security resources and also reduces the problem of security efficiency being affected by excessively high concurrency on the same security module. It solves the problem that existing matching schemes, which generally poll each container resource, match poorly because they do not consider how quickly resources change in a cloud environment or how differently individual requirements consume security resources.
Drawings
Fig. 1 is a flowchart of a security service matching method for a security resource pool according to embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of a security service matching apparatus for a security resource pool according to embodiment 2 of the present invention;
Fig. 3 is a schematic structural diagram of a security service matching apparatus for a security resource pool according to embodiment 3 of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present invention, the following detailed description will be made with reference to the accompanying drawings.
It is to be understood that the specific embodiments and figures described herein are merely illustrative of the invention and are not limiting of the invention.
It is to be understood that the embodiments and features of the embodiments can be combined with each other without conflict.
It is to be understood that, for the convenience of description, only parts related to the present invention are shown in the drawings of the present invention, and parts not related to the present invention are not shown in the drawings.
It should be understood that each unit and module related in the embodiments of the present invention may correspond to only one physical structure, may also be composed of multiple physical structures, or multiple units and modules may also be integrated into one physical structure.
It will be understood that, without conflict, the functions, steps, etc. noted in the flowchart and block diagrams of the present invention may occur in an order different from that noted in the figures.
It is to be understood that the flowchart and block diagrams of the present invention illustrate the architecture, functionality, and operation of possible implementations of systems, apparatus, devices and methods according to various embodiments of the present invention. Each block in the flowchart or block diagrams may represent a unit, module, segment, code, which comprises executable instructions for implementing the specified function(s). Furthermore, each block or combination of blocks in the block diagrams and flowchart illustrations can be implemented by a hardware-based system that performs the specified functions or by a combination of hardware and computer instructions.
It should be understood that the units and modules referred to in the embodiments of the present invention may be implemented by software, or may be implemented by hardware, for example, the units and modules may be located in a processor.
Example 1:
This embodiment provides a security service matching method for a security resource pool. As shown in Fig. 1, the method includes:
Step S101: periodically collect statistics on the real-time performance indexes of each container corresponding to the target security module in the security resource pool.
In this embodiment, the security resource pool is the set of resources that provides security services in the cloud computing platform. In the security resource pool, security resources are offered externally in the form of services, and the functions of the original physical security devices are implemented as containers. A security module is a collection of containers that provide the same security function. Each security module corresponds to one security capability, for example firewall, virus detection, intrusion prevention, SSL/IPsec VPN, database auditing, web protection, log auditing, host disinfection, bastion host, baseline verification, and the like. The target security module may be any of the security modules in the security resource pool.
Specifically, the management system may collect the real-time performance indexes of all containers in the security resource pool at a fixed period and classify the containers by the security capability they provide, or it may collect, at a fixed period, the real-time performance indexes of each container corresponding to a particular security module in the security resource pool. The performance indexes characterize the performance of the container that provides the corresponding security capability, and the real-time performance indexes may include a CPU real-time index, a bandwidth real-time index and a memory real-time index.
Step S102: obtain the real-time capability value of each container according to the real-time performance indexes of each container.
Optionally, obtaining the real-time capability value of each container according to the real-time performance indexes of each container specifically includes:
calculating to obtain the CPU proportional value, the bandwidth proportional value and the memory proportional value of all the containers according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container;
respectively carrying out normalization processing on the CPU proportional value, the bandwidth proportional value and the memory proportional value;
calculating the load score of each container according to the CPU proportional value, the bandwidth proportional value and the memory proportional value after normalization processing;
obtaining a remaining load score list of each container under the target security module according to the load scores;
and calculating the real-time capability value of each container according to the remaining load score of each container in the remaining load score list.
In this embodiment, because different performance indexes influence service performance differently, the three real-time performance indexes are given different proportions when the load scores of different security modules are calculated. The higher the utilization rate of a given resource, the scarcer that resource is, so the average utilization rates of the three resources across all containers of the whole security module are calculated and used as the proportion values of the three performance indexes.
The method for calculating the CPU proportion value, the bandwidth proportion value and the memory proportion value of all the containers according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container specifically comprises the following steps:
dividing the sum of the CPU maximum performance indexes of all containers corresponding to the target security module by the sum of the CPU real-time indexes of all containers corresponding to the target security module to obtain the CPU proportional values of all containers;
dividing the sum of the bandwidth maximum performance indexes of all containers corresponding to the target security module by the sum of the bandwidth real-time indexes of all containers corresponding to the target security module to obtain the bandwidth proportion values of all containers;
and dividing the sum of the maximum performance indexes of the memories of all the containers corresponding to the target security module by the sum of the real-time indexes of the memories of all the containers corresponding to the target security module to obtain the memory proportion values of all the containers.
In this embodiment, taking a CPU as an example, the calculation formula of the CPU proportion values of all containers of the target security module is as follows:
Figure BDA0003745720000000081
in the formula, $w_C$ represents the proportion value of the CPU,
Figure BDA0003745720000000082
represents the sum of the CPU maximum performance metrics of all the containers of the target security module,
Figure BDA0003745720000000083
the sum of CPU real-time indexes of all containers of the target security module is represented, n is the total number of all containers of the target security module, and the maximum performance index refers to the maximum supportable performance index of the corresponding container.
Optionally, the normalizing the CPU ratio value, the bandwidth ratio value, and the memory ratio value respectively includes:
dividing the CPU proportional value by the sum of all proportional values to obtain a normalized CPU proportional value;
dividing the bandwidth proportion value by the sum of all the proportion values to obtain a normalized bandwidth proportion value;
and dividing the memory proportion value by the sum of all proportion values to obtain a normalized memory proportion value.
In this embodiment, the sum of all the proportional values is the sum of the CPU proportional value, the bandwidth proportional value, and the memory proportional value, and taking the CPU as an example, the formula for normalizing the CPU proportional value is as follows:
Figure BDA0003745720000000084
in the formula, $W_C$ represents the normalized CPU proportion value, $w_C$ represents the proportion value of the CPU, $w_B$ represents the proportion value of the bandwidth, and $w_M$ represents the proportion value of the memory.
Optionally, the calculating the load score of each container according to the CPU proportion value, the bandwidth proportion value, and the memory proportion value after the normalization processing specifically includes:
calculating a load score for each container according to the following formula:
$S_x = W_C \cdot X_C + W_B \cdot X_B + W_M \cdot X_M$
in the formula, $S_x$ represents the load score of the x-th container, $W_C$ represents the normalized CPU proportion value, $W_B$ represents the normalized bandwidth proportion value, $W_M$ represents the normalized memory proportion value, $X_C$ represents the average CPU load of the x-th container, $X_B$ represents the average bandwidth load of the x-th container, and $X_M$ represents the average memory load of the x-th container, where the value range of $W_C$, $W_B$ and $W_M$ is 0-100%.
In this embodiment, after obtaining the normalized ratio value, the management system sequentially calculates the load scores of the containers under the target security module, where the value range of x is 1 to n, and n is the total number of all containers of the target security module.
Optionally, the obtaining a remaining load score list of each container under the target security module according to the load score specifically includes:
subtracting the load score of each container from 1 to obtain the remaining load score of each container;
and constructing the remaining load score list according to the remaining load score of each container.
In this embodiment, assuming that the target security module is the 1st security module in the security resource pool and that it has n containers, the constructed remaining load score list is as follows:
Figure BDA0003745720000000091
in the formula,
Figure BDA0003745720000000092
represents the load score of the 1st container under the 1st security module, and
Figure BDA0003745720000000093
represents the remaining load score of the 1st container under the 1st security module.
Optionally, the calculating a real-time capability value of each container according to the remaining load score of each container in the remaining load score list specifically includes:
calculating the real-time capability value of each container according to the following formula:
Figure BDA0003745720000000094
in the formula, $R(S_x)$ represents the real-time capability value of the x-th container, $S_x$ represents the load score of the x-th container, $1-S_x$ represents the remaining load score of the x-th container, and
Figure BDA0003745720000000095
representing the sum of the remaining load scores for all containers.
In this embodiment, the real-time capability value of each container is calculated from the remaining load score of each container. Taking the target security module to be the 1st security module in the security resource pool as an example, the real-time capability value of the 1st container in the 1st security module is:
Figure BDA0003745720000000096
wherein
Figure BDA0003745720000000097
represents the sum of the remaining load scores of all containers of the 1st security module, and
Figure BDA0003745720000000098
represents the remaining load score of the 1st container in the 1st security module.
Step S103: acquire a target security service requirement of a target platform for the target security module, and, in response to the target security service requirement, sort the containers by real-time capability value.
Step S104: select the container with the largest real-time capability value from the sorted containers to provide the target security service for the target platform.
In this embodiment, when the target platform needs to use a security capability of the security resource pool, it applies to the management system for a container corresponding to that security capability to provide it with the security service. Specifically, when the target platform needs the security capability corresponding to the target security module in the security resource pool, it sends a target security service requirement to the management system, and the management system, in response to the requirement, sorts all containers under the target security module by real-time capability value. Since the container with the largest real-time capability value also has the best performance, that container is selected to provide the target security service for the target platform.
The security service matching method provided by this embodiment takes into account that, in a cloud environment, resources change quickly and different requirements consume very different amounts of security resources. The real-time performance indexes of each container corresponding to a target security module in the security resource pool are first collected periodically, and the real-time capability value of each container is obtained from them. When a target security service requirement of a target platform for the target security module is acquired, the containers are sorted by real-time capability value in response to that requirement, and the container with the largest real-time capability value is selected from the sorted containers to provide the target security service for the target platform. Because the container with the largest real-time capability value also has the best performance, optimal matching of security resources can be achieved with limited resources, and the problem of security efficiency being affected by excessively high concurrency on the same security module is reduced. This solves the problem that existing matching schemes, which generally poll each container resource, match poorly because they do not consider how quickly resources change in a cloud environment or how differently individual requirements consume security resources.
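The calculation of steps S101 to S104, carried through on constructed data as an added example (not code from the patent), with the polling scheme from the Background alongside for contrast. Because the formula images are missing from this page, three points are assumptions: each proportion value is taken as module-wide utilization (sum of real-time indexes over sum of maximum indexes, following the "average utilization rate" rationale), each average load $X$ is the container's real-time index over its own maximum, and $R(S_x)$ is the remaining load score divided by the sum of remaining load scores. Container names and figures are hypothetical.

```python
from dataclasses import dataclass

RESOURCES = ("cpu", "bw", "mem")


@dataclass(frozen=True)
class Container:
    name: str
    now: dict  # real-time index per resource (step S101 sample)
    cap: dict  # maximum performance index per resource


def proportion_values(pool):
    """w_C, w_B, w_M for the whole security module.

    Assumption: utilization = sum(real-time) / sum(maximum), so a scarcer
    resource gets a larger proportion value.
    """
    w = {}
    for r in RESOURCES:
        total_cap = sum(c.cap[r] for c in pool)
        if total_cap <= 0:
            raise ValueError(f"no capacity recorded for {r}")
        w[r] = sum(c.now[r] for c in pool) / total_cap
    return w


def normalize(w):
    """W_r = w_r / (w_C + w_B + w_M)."""
    total = sum(w.values())
    if total == 0:  # idle module: fall back to equal weights (assumption)
        return {r: 1.0 / len(w) for r in w}
    return {r: v / total for r, v in w.items()}


def load_score(c, W):
    """S_x = W_C*X_C + W_B*X_B + W_M*X_M, with X as a 0..1 utilization."""
    return sum(W[r] * c.now[r] / c.cap[r] for r in RESOURCES)


def capability_values(pool):
    """R(S_x), assumed to be (1 - S_x) / sum of all remaining load scores."""
    W = normalize(proportion_values(pool))
    remaining = {c.name: 1.0 - load_score(c, W) for c in pool}
    total = sum(remaining.values())
    if total <= 1e-12:  # every container saturated: nothing to rank
        return {name: 0.0 for name in remaining}
    return {name: rem / total for name, rem in remaining.items()}


def select_container(pool):
    """Steps S103/S104: sort by capability value, pick the largest."""
    caps = capability_values(pool)
    ranked = sorted(caps, key=lambda n: (-caps[n], n))
    return ranked[0], ranked


def round_robin_pick(pool, request_no):
    """The polling scheme described in the Background, for comparison."""
    return pool[request_no % len(pool)].name


# Constructed sample: three containers of one firewall security module.
SAMPLE_POOL = [
    Container("fw-1", {"cpu": 80, "bw": 200, "mem": 4},
              {"cpu": 100, "bw": 1000, "mem": 8}),
    Container("fw-2", {"cpu": 30, "bw": 700, "mem": 2},
              {"cpu": 100, "bw": 1000, "mem": 8}),
    Container("fw-3", {"cpu": 50, "bw": 300, "mem": 6},
              {"cpu": 100, "bw": 1000, "mem": 8}),
]

if __name__ == "__main__":
    best, ranked = select_container(SAMPLE_POOL)
    for name, value in capability_values(SAMPLE_POOL).items():
        print(f"{name}: R = {value:.4f}")
    print("capability-based choice:", best, "ranking:", ranked)
    print("polling choice for request 0:", round_robin_pick(SAMPLE_POOL, 0))
```

On this sample the CPU is the scarcest resource in the module, so it carries the largest weight and the CPU-heavy container that polling would pick first ranks below the lightly loaded one.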
Example 2:
As shown in Fig. 2, this embodiment provides a security resource pool security service matching apparatus configured to execute the security resource pool security service matching method. The apparatus includes:
the index statistics module 11, configured to periodically count the real-time performance index of each container corresponding to the target security module in the security resource pool;
the capability value obtaining module 12, connected to the index statistics module 11 and configured to obtain the real-time capability value of each container according to the real-time performance index of each container;
the capability value sorting module 13, connected to the capability value obtaining module 12 and configured to obtain a target security service requirement of a target platform for the target security module and to sort the containers by real-time capability value according to the target security service requirement;
and the security service matching module 14, connected to the capability value sorting module 13 and configured to select the container with the largest real-time capability value from the sorted containers to provide the target security service for the target platform.
Optionally, the real-time performance indexes include a CPU real-time index, a bandwidth real-time index and a memory real-time index, and the capability value obtaining module 12 specifically includes:
the proportion value obtaining unit, configured to calculate the CPU proportion value, the bandwidth proportion value and the memory proportion value of all the containers according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container;
the normalization processing unit, configured to normalize the CPU proportion value, the bandwidth proportion value and the memory proportion value respectively;
the load score unit, configured to calculate the load score of each container according to the normalized CPU proportion value, bandwidth proportion value and memory proportion value;
the score list unit, configured to obtain a remaining load score list of the containers under the target security module according to the load scores;
and the capability value calculating unit, configured to calculate the real-time capability value of each container according to the remaining load score of each container in the remaining load score list.
Optionally, the proportion value obtaining unit specifically includes:
the first calculating unit, configured to divide the sum of the CPU maximum performance indexes of all containers corresponding to the target security module by the sum of the CPU real-time indexes of all containers corresponding to the target security module to obtain the CPU proportion value of all containers;
the second calculating unit, configured to divide the sum of the bandwidth maximum performance indexes of all containers corresponding to the target security module by the sum of the bandwidth real-time indexes of all containers corresponding to the target security module to obtain the bandwidth proportion value of all containers;
and the third calculating unit, configured to divide the sum of the memory maximum performance indexes of all containers corresponding to the target security module by the sum of the memory real-time indexes of all containers corresponding to the target security module to obtain the memory proportion value of all containers.
Optionally, the normalization processing unit specifically includes:
the fourth calculating unit, configured to divide the CPU proportion value by the sum of all proportion values to obtain the normalized CPU proportion value;
the fifth calculating unit, configured to divide the bandwidth proportion value by the sum of all proportion values to obtain the normalized bandwidth proportion value;
and the sixth calculating unit, configured to divide the memory proportion value by the sum of all proportion values to obtain the normalized memory proportion value.
Optionally, the load score unit is specifically configured to calculate the load score of each container according to the following formula:
$$S_x = W_C \cdot X_C + W_B \cdot X_B + W_M \cdot X_M$$
in the formula, $S_x$ represents the load score of the x-th container, $W_C$ represents the normalized CPU proportion value, $W_B$ represents the normalized bandwidth proportion value, $W_M$ represents the normalized memory proportion value, $X_C$ represents the average CPU load of the x-th container, $X_B$ represents the average bandwidth load of the x-th container, and $X_M$ represents the average memory load of the x-th container, where the value range of $W_C$, $W_B$ and $W_M$ is 0-100%.
Optionally, the score list unit specifically includes:
a seventh calculating unit, configured to subtract the load score of each container from 1 to obtain a remaining load score of each container;
and the construction unit is used for constructing the residual load score list according to the residual load score of each container.
Optionally, the capability value calculating unit is specifically configured to calculate the real-time capability value of each container according to the following formula:
Figure BDA0003745720000000121
in the formula, R (S) x ) Representing the real-time capability value of the x-th container, S x Represents the load score of the x-th container, 1-S x Represents the remaining load score for the x-th container,
Figure BDA0003745720000000131
representing the sum of the remaining load scores for all containers.
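The chain of units in Example 2 (proportion values, normalization, load score, remaining load score, capability value, selection), as an added Python example that is not code from the patent. The formula image for the real-time capability value is missing from this page, so the example assumes it is the x-th remaining load score divided by the sum of all remaining load scores; it also assumes the average load X is the real-time index divided by the maximum index. Container names and figures are constructed.

```python
from dataclasses import dataclass

RESOURCES = ("cpu", "bw", "mem")
EPS = 1e-12  # treat sums this small as zero


@dataclass
class Container:
    name: str
    used: dict  # real-time index per resource
    cap: dict   # maximum performance index per resource


def weights(containers):
    """Normalized proportion values W_C, W_B, W_M for one security module."""
    ratios = {}
    for r in RESOURCES:
        used = sum(c.used[r] for c in containers)
        if used <= 0:
            # The page does not define this case; refuse rather than divide by zero.
            raise ValueError(f"sum of real-time {r} indexes is zero")
        # Proportion value: sum of maximum indexes / sum of real-time indexes.
        ratios[r] = sum(c.cap[r] for c in containers) / used
    total = sum(ratios.values())
    return {r: v / total for r, v in ratios.items()}


def load_score(c, w):
    """S_x = W_C*X_C + W_B*X_B + W_M*X_M for one container."""
    # Assumption: average load X = real-time index / maximum index, clamped to [0, 1].
    return sum(w[r] * min(max(c.used[r] / c.cap[r], 0.0), 1.0) for r in RESOURCES)


def capability_values(containers):
    """Map container name -> real-time capability value (assumed form, see lead-in)."""
    w = weights(containers)
    remaining = {c.name: 1.0 - load_score(c, w) for c in containers}
    total = sum(remaining.values())
    if total <= EPS:
        return {}  # every container is saturated: nothing can be ranked
    return {name: rem / total for name, rem in remaining.items()}


def select(containers):
    """Name of the container with the largest capability value, or None."""
    values = capability_values(containers)
    if not values:
        return None
    # Ties are broken by name so the choice is deterministic.
    return min(values, key=lambda n: (-values[n], n))


# Constructed sample: three containers of one security module.
CAP = {"cpu": 4, "bw": 1000, "mem": 8}
POOL = [
    Container("waf-a", {"cpu": 1, "bw": 150, "mem": 2}, CAP),
    Container("waf-b", {"cpu": 2, "bw": 300, "mem": 4}, CAP),
    Container("waf-c", {"cpu": 3, "bw": 300, "mem": 6}, CAP),
]

if __name__ == "__main__":
    for name, value in sorted(capability_values(POOL).items(), key=lambda kv: -kv[1]):
        print(f"{name}: {value:.4f}")
    print("selected:", select(POOL))
```

Dividing by the sum of remaining load scores does not change the ordering, so the selected container is the same whether the containers are ranked by remaining load score or by the normalized value.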
Example 3:
referring to fig. 3, the present embodiment provides a secure resource pool security service matching apparatus, which includes a memory 21 and a processor 22, where the memory 21 stores a computer program, and the processor 22 is configured to run the computer program to execute the secure resource pool security service matching method in embodiment 1.
The memory 21 is connected to the processor 22, the memory 21 may be a flash memory, a read-only memory or other memories, and the processor 22 may be a central processing unit or a single chip microcomputer.
Example 4:
the present embodiment provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the secure resource pool security service matching method in embodiment 1.
The computer-readable storage media includes volatile or nonvolatile, removable or non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, computer program modules or other data. Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash Memory or other Memory technology, CD-ROM (Compact disk Read-Only Memory), Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
Embodiments 2 to 4 provide a security resource pool security service matching apparatus and a storage medium that take into account that, in a cloud environment, resources change quickly and different requirements consume security resources very differently. The real-time performance index of each container corresponding to a target security module in a security resource pool is first counted periodically, and the real-time capability value of each container is then obtained according to the real-time performance index of each container. When a target security service requirement of a target platform for the target security module is obtained, the containers are sorted by real-time capability value according to the target security service requirement, and the container with the largest real-time capability value is selected from the sorted containers to provide the target security service for the target platform. Because the container with the largest real-time capability value also has the best performance, security resources can be optimally matched when resources are limited, and the problem that security efficiency suffers when concurrency on the same security module is too high can be reduced. This addresses the poor matching of existing schemes, which generally poll all container resources and do not consider the fast resource changes and the widely differing consumption of security resources by different requirements in a cloud environment.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A secure service matching method for a secure resource pool is characterized by comprising the following steps:
periodically counting real-time performance indexes of each container corresponding to the target security module in the security resource pool;
obtaining a real-time capability value of each container according to the real-time performance index of each container;
acquiring a target security service requirement of a target platform for the target security module, and sequencing each container according to the real-time capability value according to the target security service requirement;
and selecting the container with the largest real-time capability value from the sorted containers to provide target security service for the target platform.
2. The matching method for security services of security resource pool according to claim 1, wherein the real-time performance index comprises a CPU real-time index, a bandwidth real-time index and a memory real-time index, and the obtaining a real-time capability value of each container according to the real-time performance index of each container specifically comprises:
calculating to obtain the CPU proportional value, the bandwidth proportional value and the memory proportional value of all the containers according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container;
respectively carrying out normalization processing on the CPU proportional value, the bandwidth proportional value and the memory proportional value;
calculating the load score of each container according to the CPU proportional value, the bandwidth proportional value and the memory proportional value after normalization processing;
obtaining a remaining load score list of each container under the target security module according to the load scores;
and calculating the real-time capability value of each container according to the remaining load score of each container in the remaining load score list.
3. The matching method for security services in a security resource pool according to claim 2, wherein the calculating according to the real-time CPU index, the real-time bandwidth index and the real-time memory index of each container obtains the CPU ratio, the bandwidth ratio and the memory ratio of all the containers, and specifically includes:
dividing the sum of the CPU maximum performance indexes of all containers corresponding to the target security module by the sum of the CPU real-time indexes of all containers corresponding to the target security module to obtain the CPU proportional values of all containers;
dividing the sum of the bandwidth maximum performance indexes of all containers corresponding to the target security module by the sum of the bandwidth real-time indexes of all containers corresponding to the target security module to obtain the bandwidth proportion values of all containers;
and dividing the sum of the maximum performance indexes of the memories of all the containers corresponding to the target security module by the sum of the real-time indexes of the memories of all the containers corresponding to the target security module to obtain the memory proportion values of all the containers.
4. The matching method for security services in a security resource pool according to claim 2, wherein the normalizing the CPU ratio value, the bandwidth ratio value, and the memory ratio value respectively comprises:
dividing the CPU proportional value by the sum of all proportional values to obtain a normalized CPU proportional value;
dividing the bandwidth proportion value by the sum of all the proportion values to obtain a normalized bandwidth proportion value;
and dividing the memory proportion value by the sum of all proportion values to obtain a normalized memory proportion value.
5. The matching method for security services of a security resource pool according to claim 2, wherein the calculating the load score of each container according to the CPU proportion value, the bandwidth proportion value, and the memory proportion value after the normalization processing specifically includes:
calculating a load score for each container according to the following formula:
$$S_x = W_C \cdot X_C + W_B \cdot X_B + W_M \cdot X_M$$
in the formula, $S_x$ represents the load score of the x-th container, $W_C$ represents the normalized CPU proportion value, $W_B$ represents the normalized bandwidth proportion value, $W_M$ represents the normalized memory proportion value, $X_C$ represents the average CPU load of the x-th container, $X_B$ represents the average bandwidth load of the x-th container, and $X_M$ represents the average memory load of the x-th container, where the value range of $W_C$, $W_B$ and $W_M$ is 0-100%.
6. The matching method for security service of security resource pool according to claim 2, wherein the obtaining the remaining load score list of each container under the target security module according to the load score specifically includes:
subtracting the load score of each container from 1 to obtain the residual load score of each container;
and constructing the residual load score list according to the residual load score of each container.
7. The matching method for security service of security resource pool according to claim 2, wherein the calculating the real-time capability value of each container according to the remaining load score of each container in the remaining load score list specifically comprises:
calculating the real-time capability value of each container according to the following formula:
Figure FDA0003745719990000031
in the formula, R (S) x ) Represents the real-time capability value of the xth container, S x Represents the load score of the x-th container, 1-S x To representThe remaining load score for the x-th container,
Figure FDA0003745719990000032
representing the sum of the remaining load scores for all containers.
8. A secure service matching apparatus for a secure resource pool, comprising:
the index statistics module, configured to periodically count the real-time performance index of each container corresponding to the target security module in the security resource pool;
the capability value obtaining module, connected to the index statistics module and configured to obtain the real-time capability value of each container according to the real-time performance index of each container;
the capability value sorting module, connected to the capability value obtaining module and configured to obtain a target security service requirement of a target platform for the target security module and to sort the containers by real-time capability value according to the target security service requirement;
and the security service matching module, connected to the capability value sorting module and configured to select the container with the largest real-time capability value from the sorted containers to provide the target security service for the target platform.
9. A secure resource pool secure service matching apparatus comprising a memory and a processor, the memory having stored therein a computer program, the processor being configured to run the computer program to implement the secure resource pool secure service matching method of any one of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, implements the secure resource pool security service matching method according to any one of claims 1 to 7.
CN202210824160.2A 2022-07-14 2022-07-14 Security resource pool security service matching method, device and storage medium Pending CN115113982A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210824160.2A CN115113982A (en) 2022-07-14 2022-07-14 Security resource pool security service matching method, device and storage medium

Publications (1)

Publication Number Publication Date
CN115113982A true CN115113982A (en) 2022-09-27

Family

ID=83332643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210824160.2A Pending CN115113982A (en) 2022-07-14 2022-07-14 Security resource pool security service matching method, device and storage medium

Country Status (1)

Country Link
CN (1) CN115113982A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116016213A (en) * 2022-12-27 2023-04-25 绿盟科技集团股份有限公司 Traffic arrangement method, device, system and equipment based on network target range


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination