CN115987534A - Resource access method and device - Google Patents

Info

Publication number: CN115987534A
Application number: CN202111198509.8A
Authority: CN (China)
Prior art keywords: resource, host, network element, information, risk
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 陈学梁
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202111198509.8A; related PCT application PCT/CN2022/124629 (WO2023061366A1)
Publication of CN115987534A
Classifications

    • H04L 9/40 Network security protocols (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS] (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/12 Detection or prevention of fraud)
    • H04W 12/67 Risk-dependent, e.g. selecting a security level depending on risk profiles (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/60 Context-dependent security)
    • H04W 8/30 Network data restoration; Network data reliability; Network data fault tolerance (H Electricity > H04 Electric communication technique > H04W Wireless communication networks > H04W 8/00 Network data management)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides a resource access method and a resource access device, relates to the field of communications technology, and is used to provide a mechanism for determining security risks that may arise in an ME host. The resource access method comprises the following steps: a first network element receives information of a mobile edge host from a second network element, the information of the mobile edge host comprising first information of resources provided by the mobile edge host and/or second information indicating a behavior of accessing the mobile edge host, and determines a risk state based on the information of the mobile edge host, thereby providing a mechanism for determining a security risk of the ME host. The first network element then determines a resource policy according to the risk state; adopting the corresponding resource policy reduces the security risk of the ME host in time, improves the security of the ME host, and further improves the security of the MEC architecture.

Description

Resource access method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a resource access method and apparatus.
Background
A multi-access edge computing (MEC) architecture provides a service environment for cloud computing and Information Technology (IT) for network operators and service providers. The MEC architecture includes a mobile edge system level (mobile edge system level) and an ME host level (mobile edge host level). The ME system layer globally controls the ME host layer, and the ME host layer includes an ME host and a Mobile Edge Platform Manager (MEPM) that manages the ME host. A third-party customer (e.g., an Application (APP) provider) may deploy an APP on an ME host in the MEC architecture, the APP running with resources on the ME host. The third-party customer can be understood as a resource user of the MEC architecture and does not itself belong to the MEC architecture.
In order to ensure the security of the MEC architecture, a secure access mechanism is currently provided: the identity of an external user requesting access to an application on the ME host is verified, and if authentication passes, the external user is allowed to access the application on the ME host. This secure access mechanism can verify the identity of the external user and reject external users with illegitimate identities, but it only authenticates external users and does not take into account security risks that may arise inside the ME host.
Disclosure of Invention
The embodiment of the application provides a resource access method and a resource access device, which are used to provide a mechanism for determining the security risk that may occur in an ME host.
In a first aspect, an embodiment of the present application provides a resource access method, which may be executed by a first network element, where the first network element is, for example, an operation support system OSS or an MEPM, or the first network element is a communication device having an OSS or an MEPM function, or the first network element is a chip system having an OSS or an MEPM function, and the like. The method comprises the following steps: a first network element receives information of a mobile edge host from a second network element, wherein the information of the mobile edge host comprises first information of a first resource and/or second information indicating the behavior of accessing the mobile edge host, and the first resource is a resource provided by the mobile edge host; the first network element determines a risk state according to the information of the mobile edge host, wherein the risk state is used for indicating whether the mobile edge host has a safety risk or not; and the first network element determines a resource policy according to the risk state, wherein the resource policy is used for indicating a policy for accessing resources provided by the mobile edge host. The second network element is, for example, an ME host or an MEPM, or the second network element is a communication device having the ME host or the MEPM, or the second network element is a chip system having the ME host or the MEPM, or the like.
In the embodiment of the present application, the first network element may analyze the risk state of the ME host according to the first information and/or the second information, which provides a mechanism for determining the risk state of the ME host and thus the security risk that may occur to the ME host. If the ME host has a security risk, a corresponding resource policy can be adopted to reduce the security risk of the ME host in time, so that the security of the MEC architecture is further ensured.
In a possible implementation manner, the determining, by the first network element, the risk status according to the information of the mobile edge host includes: the first network element determines whether a second resource corresponding to the first information is abnormal, wherein if the resource corresponding to the first information is abnormal, the risk state is determined as that the mobile edge host has a risk of being invaded, and the second resource belongs to the first resource; and/or determining, by the first network element, whether a behavior corresponding to the second information is abnormal, wherein if the behavior corresponding to the second information is abnormal, it is determined that the risk state is that the mobile edge host has a risk of being invaded.
In the above embodiments, various ways of determining the risk status of the ME host are provided. The first network element receives the first information and/or the second information from the second network element, so that the first network element can acquire the first information and/or the second information in a relatively simple manner, and the first network element can directly analyze the first information and/or the second information to determine the risk state of the ME host, so that the process of determining the risk state of the ME host by the first network element is also simple.
In a possible implementation, the second resource includes first hardware, the first information includes a first identifier, and the first identifier is an identifier of the first hardware. Determining, by the first network element, whether the second resource corresponding to the first information is abnormal then includes: if the first identifier does not match a pre-stored second identifier and/or the first identifier does not match a third identifier, the first network element determines that the first hardware is abnormal, where the third identifier is an identifier received from a third network element and is the identifier of second hardware, the second hardware being the hardware after the first hardware has been changed.
In the foregoing embodiment, the first network element may analyze whether the first identifier of the first hardware included in the first information matches a pre-stored second identifier, and/or analyze whether the first identifier matches a third identifier received from a third network element, so as to determine whether the first hardware in the ME host is abnormal, which provides a way to determine whether the second resource is abnormal. Matching different identifiers to determine whether the first hardware of the ME host is abnormal involves no complex data analysis, so the manner of determining the risk state of the ME host is relatively simple. Because the third identifier is the identifier of the hardware after the first hardware is changed, matching the first identifier against the third identifier accounts for the case in which the first hardware was changed legitimately, so the determined risk state of the ME host is more reliable.
In a possible implementation, the second resource includes a first type of port of the mobile edge host, and the first type of port belongs to the ports already opened in the mobile edge host. Determining, by the first network element, whether the second resource corresponding to the first information is abnormal then includes: the first network element receives information of a second type of port from a third network element, where the second type of port is a port whose opening the third network element has applied for on the mobile edge host; and if one or more ports of the first type of port do not belong to the second type of port, the first network element determines that the one or more ports are abnormal.
In the above embodiment, a way of determining whether a resource provided by the ME host is abnormal is provided. The first network element can analyze whether an unauthorized port exists among the first type of ports opened by the ME host, and thereby determine whether the second resource is abnormal, without complex data analysis and processing, so the manner of determining whether the second resource is abnormal is relatively simple. In addition, the method can identify exactly which of the ports opened on the ME host are unauthorized, so that those ports can later be closed, which helps reduce risks existing in the ME host in a targeted manner.
In a possible implementation manner, the determining, by the first network element, a resource policy according to the risk status includes: if the risk state is that the mobile edge host has the risk of being invaded, the first network element determines that the resource policy is to close the one or more ports.
In the foregoing embodiment, if the first network element determines that there are one or more unauthorized ports in the ports that the ME host has opened, the first network element may determine that the resource policy is to close the one or more ports, and then may close the one or more ports in time, so as to reduce the risk of the ME host and improve the security of the MEC architecture.
In a possible implementation manner, the determining, by the first network element, a resource policy according to the risk status includes: if the risk state is that the mobile edge host is at risk of being invaded, the first network element determines that the resource policy is to deactivate the mobile edge host or to reduce the security level of the mobile edge host. If the security level of the mobile edge host is reduced to a first security level, the mobile edge host does not support an application whose deployment priority is higher than the first priority, where the first priority is the highest priority of the applications whose deployment can be supported when the security level of the mobile edge host is the first security level.
In the above embodiment, if the ME host is at risk of being hacked, the ME host may be deactivated, thereby avoiding the more serious risk of continuing to use the ME host. Alternatively, the security level of the ME host may be lowered; the lower the security level, the lower the highest priority of the applications supported by the ME host. This ensures that high-priority applications are deployed on ME hosts with a higher security level, so that they operate more stably, while applications with a relatively lower priority may still be deployed on ME hosts with a lower security level, so that the resources of each ME host are used reasonably.
In a possible implementation manner, the determining, by the first network element, the risk status according to the information of the mobile edge host includes: the first network element receives an access request from a fourth network element, wherein the access request is used for requesting to access a third resource of the mobile edge host; the first network element determines whether the third resource meets a first condition according to the information of the mobile edge host; and if the third resource does not satisfy the first condition, determining that the risk state is that the mobile edge host has the risk of being invaded, or if the third resource satisfies the first condition, determining that the risk state is that the mobile edge host does not have the risk of being invaded.
In the above embodiment, after receiving the access request, the first network element may analyze, according to the information of the ME host, whether the third resource requested by the access request satisfies the first condition, so as to determine a risk state of the ME host, and analyze the validity of the third resource requested by the access request, so as to investigate a security risk that may exist in the fourth network element, thereby reducing a situation that the fourth network element has a security risk and further invades the ME host, improving the security of the ME host, and further improving the security of the MEC architecture.
In one possible embodiment, the first condition includes one or more of: the number of resources included in the third resource does not exceed a resource number upper limit, and the resource number upper limit is determined according to the information of the mobile edge host; the third resource belongs to an available resource in the first resources, the first information includes available status information of the first resource, and the available status information is used for indicating the available resource in the first resources; or the third resource belongs to a resource of which the importance degree is lower than a preset importance degree in the first resource, and the first information includes the importance degree of the first resource.
In the above embodiments, various possibilities for the first condition are provided. The first network element may determine the upper limit of the number of resources according to the information of the ME host; for example, the first network element may take the number of the first resources as the upper limit of the number of resources. The first network element may then determine whether the third resource requested by the access request exceeds the upper limit, and if the third resource does not exceed the upper limit, it is determined that the ME host has no risk of being intruded, so that a situation in which the access request exhausts the resources of the ME host is avoided, and the security of the ME host is ensured. The first network element may also determine, according to the available-status information of the first resource, whether the third resource belongs to the available resources in the first resource, and determine that the ME host has no risk of being intruded when it does, so that a situation in which an unavailable resource of the ME host is used after the access request is avoided, and the security of the resources of the ME host is improved.
In the foregoing embodiment, the first network element may also determine, according to the importance degree of the first resource, whether the third resource belongs to the resources in the first resource whose importance degree is lower than the preset importance degree, and determine that the ME host has no risk of being intruded when it does, so that the access request cannot be used to request an overly important resource, and the security of the important resources in the ME host is ensured.
In a possible implementation manner, the determining, by the first network element, a resource policy according to the risk status includes: if the risk state is that the mobile edge host has a risk of being invaded, the first network element determines that the resource policy is to refuse access to the third resource; or, if the risk state is that the mobile edge host is not at risk of being invaded, the first network element determines that the resource policy is to allow access to the third resource.
In the foregoing embodiment, the first network element determines the corresponding resource policy according to the risk state of the ME host. For example, if the ME host has a risk of being invaded by the fourth network element, the first network element determines that the resource policy is to deny access to the third resource, so that the fourth network element cannot use the accessed resource as a means of invading the ME host; this improves the security of the ME host and thereby the security of the MEC architecture.
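As an added example (not the patent's own code or any Huawei implementation), the following Python models the first network element's risk engine from the implementations above: the hardware-identifier match, the unauthorized-open-port check, and the first condition on an access request, each followed by the resource policy the description attaches to it. All class names, field names and sample values are constructed; the reading of "and/or" in the identifier check (abnormal only when the first identifier matches neither the stored nor the post-change identifier) and the use of all three sub-conditions of the first condition together are assumptions.

```python
# Added example: a toy model of the first network element's risk engine and resource
# policy decision from the first aspect above. Not the patent's code; all names,
# data structures and sample values are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class RiskState(Enum):
    NO_RISK = "no risk of intrusion"
    AT_RISK = "risk of intrusion"

@dataclass
class Resource:
    name: str
    available: bool   # available-status information of the first resource
    importance: int   # importance degree; higher means more important

@dataclass
class HostInfo:
    """'First information' reported by the second network element (ME host or MEPM)."""
    hardware_id: str           # first identifier (of the first hardware)
    open_ports: set[int]       # first type of port: ports already opened on the host
    resources: list[Resource]  # the first resource

@dataclass
class OssInfo:
    """What the third network element (OSS) holds about the host."""
    stored_hardware_id: str             # pre-stored second identifier
    changed_hardware_id: Optional[str]  # third identifier: hardware after a sanctioned change
    authorized_ports: set[int]          # second type of port: ports the OSS applied to open

@dataclass
class Decision:
    state: RiskState
    policy: list[str] = field(default_factory=list)
    abnormal_ports: set[int] = field(default_factory=set)

def hardware_is_abnormal(host: HostInfo, oss: OssInfo) -> bool:
    """Assumed reading of the text's 'and/or': abnormal only when the first identifier
    matches neither the stored identifier nor the post-change identifier."""
    if host.hardware_id == oss.stored_hardware_id:
        return False
    return oss.changed_hardware_id is None or host.hardware_id != oss.changed_hardware_id

def unauthorized_ports(host: HostInfo, oss: OssInfo) -> set[int]:
    """Open ports the OSS never applied to open (the 'one or more abnormal ports')."""
    return host.open_ports - oss.authorized_ports

def assess_host(host: HostInfo, oss: OssInfo) -> Decision:
    """Risk state from the host's own information, and the resulting resource policy."""
    bad_ports = unauthorized_ports(host, oss)
    hw_bad = hardware_is_abnormal(host, oss)
    if not bad_ports and not hw_bad:
        return Decision(RiskState.NO_RISK)
    decision = Decision(RiskState.AT_RISK, abnormal_ports=bad_ports)
    if bad_ports:
        decision.policy.append(f"close ports {sorted(bad_ports)}")
    if hw_bad:
        decision.policy.append("deactivate host or lower its security level")
    return decision

def assess_access_request(host: HostInfo, requested: list[str], importance_threshold: int) -> Decision:
    """Check the 'first condition' for a third resource requested by a fourth network
    element. Assumption: all three sub-conditions are applied together (the text allows
    any subset), and the resource-number upper limit is the count of resources the host
    provides, as in the description."""
    by_name = {r.name: r for r in host.resources}
    satisfied = len(requested) <= len(host.resources)
    for name in requested:
        res = by_name.get(name)
        # unknown, unavailable, or at/above the preset importance degree
        if res is None or not res.available or res.importance >= importance_threshold:
            satisfied = False
    if satisfied:
        return Decision(RiskState.NO_RISK, policy=["allow access"])
    return Decision(RiskState.AT_RISK, policy=["deny access"])

# Constructed sample data: one host report and the OSS's view of that host.
SAMPLE_HOST = HostInfo(
    hardware_id="hw-serial-A1",
    open_ports={80, 443, 2222},
    resources=[Resource("vcpu-pool", True, 1), Resource("gpu-0", True, 5),
               Resource("disk-1", False, 1)],
)
SAMPLE_OSS = OssInfo("hw-serial-A1", None, {80, 443})

if __name__ == "__main__":
    print(assess_host(SAMPLE_HOST, SAMPLE_OSS))                   # port 2222 -> close it
    print(assess_access_request(SAMPLE_HOST, ["vcpu-pool"], 5))   # allow access
    print(assess_access_request(SAMPLE_HOST, ["gpu-0"], 5))       # deny access
```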
In one possible embodiment, the method further comprises: the first network element sends the resource policy to a fifth network element.
In the foregoing embodiment, the first network element may send the resource policy to the fifth network element, so that the fifth network element may access the resource in the ME host in time according to the resource policy, which is beneficial to timely controlling a possible security risk of the ME host.
In one possible embodiment, the first network element determining a risk state according to the information of the mobile edge host includes: the first network element sends the information of the mobile edge host to a sixth network element, and the first network element receives information of the risk status from the sixth network element.
In the foregoing embodiment, the first network element may send the information of the ME host to the sixth network element, and then the sixth network element determines the risk status, so that the first network element is not required to determine the risk status, and the throughput of the first network element is reduced.
In one possible embodiment, the first network element is an OSS or a MEPM.
In one possible embodiment, the second network element is an ME host or an MEPM.
In one possible embodiment, the third network element is an OSS.
In one possible embodiment, the fourth network element is an OSS, VIM, or CISM.
In one possible embodiment, the fifth network element is an MEPM, a virtual facility manager VIM, an ME host, or a container infrastructure service CISM.
In a possible embodiment, the sixth network element is an OSS or a multi-edge orchestrator MEO.
In a second aspect, an embodiment of the present application provides a resource policy obtaining method, which may be performed by a second network element, for example, an ME host or an MEPM, or a communication device having an ME host or an MEPM function, or a chip system having an ME host or an MEPM function. The method comprises the following steps: a second network element obtains information of a mobile edge host, wherein the information of the mobile edge host comprises first information of resources provided by the mobile edge host and/or second information indicating behaviors of accessing the mobile edge host; the second network element sends the information of the mobile edge host to the first network element; the second network element receives a resource policy from the first network element, the resource policy indicating a policy for accessing resources of the mobile edge host.
In the foregoing embodiment, after obtaining the information of the ME host, the second network element may send the information of the ME host to the first network element, so that the first network element determines the risk state of the ME host, determines a corresponding resource policy according to the risk state of the ME host, and sends the resource policy to the second network element, so that the second network element forwards the resource policy in time, or accesses the resource provided by the ME host in time according to the resource policy.
In a possible implementation, before the second network element sends the information of the mobile edge host to the first network element, the method further includes: the second network element determines, according to the information of the mobile edge host, whether the mobile edge host has a risk.
In the foregoing embodiment, when the second network element cannot determine from the information of the ME host whether the ME host has a risk, it may send the information of the ME host to the first network element, so that the first network element can determine the risk state of the ME host in time.
For the advantageous effects of the second aspect and its embodiments described above, refer to the description of the advantageous effects of the method of the first aspect and its embodiments.
In a third aspect, an embodiment of the present application provides a resource access method, including: a fifth network element receives a resource policy from a first network element, where the resource policy is used to indicate a policy for accessing resources of a mobile edge host, the resource policy is determined according to a risk state of the mobile edge host, the risk state is determined according to information of the mobile edge host, the information of the mobile edge host comprises first information of a first resource and/or second information indicating a behavior of accessing the mobile edge host, the risk state is used to indicate whether the mobile edge host has a risk, and the first resource is a resource provided by the mobile edge host; and the fifth network element accesses the resource in the mobile edge host according to the resource policy.
In a possible embodiment, the fifth network element is an MEPM, VIM, ME host, or CISM.
In a fourth aspect, an embodiment of the present application provides a resource access method, which may be implemented by a communication system, where the communication system includes a first network element and a second network element, and reference may be made to the foregoing specific implementation manners of the first network element and the second network element. In the resource access method, the first network element may perform the method of any of the foregoing first aspects, and the second network element may perform the method of any of the foregoing second aspects.
Optionally, the communication system may further include a fourth network element, and the implementation manner of the fourth network element may refer to the foregoing. In the resource access method, the fourth network element may perform the method of any of the foregoing third aspects.
Optionally, the communication system may further include a third network element, and the implementation manner of the third network element may refer to the foregoing. In the resource access method, for example, the third network element sends the information of the second type of port to the first network element.
In a fifth aspect, an embodiment of the present application provides a communication system, which includes the first network element in the first aspect and the second network element in the second aspect.
Optionally, the communication system further includes the fourth network element of the third aspect.
Optionally, the communication system further includes the third network element. The third network element may be implemented as described above.
In a sixth aspect, an embodiment of the present application provides a communication apparatus, which may be the first network element in the above first aspect, or an electronic device (e.g., a system on chip) configured in the first network element, or a larger device including the first network element. The first network element comprises corresponding means or modules for performing the first aspect or any of the alternative embodiments described above. For example, the communication device includes a processing module (sometimes also referred to as a processing unit) and a transceiver module (sometimes also referred to as a transceiver unit).
For example, the transceiver module is configured to receive information of a mobile edge host from a second network element, where the information of the mobile edge host includes first information of a first resource and/or second information indicating a behavior of accessing the mobile edge host, and the first resource is a resource provided by the mobile edge host; the processing module is configured to determine a risk state according to the information of the mobile edge host, where the risk state is used to indicate whether the mobile edge host has a security risk, and determine a resource policy according to the risk state, where the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.
Optionally, the communication apparatus also includes other components, such as an antenna, input-output modules, interfaces, and the like. These components may be hardware, software, or a combination of software and hardware.
In one possible embodiment, the processing module includes an edge risk engine module and an edge resource policy management module, for example, the edge risk engine module is configured to determine a risk status according to information of the mobile edge host; the edge resource policy management module is used for determining a resource policy according to the risk state.
In another possible embodiment, the processing module includes a central risk engine module and a central resource policy management module, for example, the central risk engine module is configured to determine a risk status according to the information of the mobile edge host; the central resource policy management module is used for determining a resource policy according to the risk state.
In a seventh aspect, an embodiment of the present application provides a communication apparatus, where the communication apparatus may be the second network element in the foregoing second aspect, or an electronic device (e.g., a system on chip) configured in the second network element, or a larger device including the first network element. The second network element comprises corresponding means or modules for performing the second aspect or any of the alternative embodiments described above. For example, the communication device includes a processing module (sometimes also referred to as a processing unit) and a transceiver module (sometimes also referred to as a transceiver unit).
For example, the processing module is configured to obtain information of a mobile edge host, where the information of the mobile edge host includes first information of a resource provided by the mobile edge host and/or second information indicating a behavior of accessing the mobile edge host; the transceiver module is configured to send the information of the mobile edge host to a first network element, and receive a resource policy from the first network element, where the resource policy is used to indicate a policy for accessing resources of the mobile edge host.
Optionally, the communication device further comprises other components, such as an antenna, an input-output module, an interface, etc. These components may be hardware, software, or a combination of software and hardware.
In one possible embodiment, the processing module includes a risk awareness agent module, for example, for obtaining information of the mobile edge host.
In one possible implementation, the processing module further includes a host policy enforcement module configured to receive the resource policy from the first network element.
In an eighth aspect, an embodiment of the present application provides a communication apparatus, where the communication apparatus may be the fifth network element in the third aspect, or an electronic device (e.g., a system on chip) configured in the fifth network element, or a larger device that includes the fifth network element. The fifth network element comprises corresponding means or modules for performing the third aspect or any of the alternative embodiments described above. For example, the communication device includes a processing module (sometimes also referred to as a processing unit) and a transceiver module (sometimes also referred to as a transceiver unit).
For example, the transceiver module is configured to receive, from a first network element, a resource policy, where the resource policy is used to indicate a policy for accessing a resource of a mobile edge host, the resource policy is determined according to a risk status of the mobile edge host, the risk status is determined according to information of the mobile edge host, the information of the mobile edge host includes first information of a first resource and/or second information indicating a behavior of accessing the mobile edge host, the risk status is used to indicate whether the mobile edge host is at risk, and the first resource is a resource provided by the mobile edge host; the processing module is used for accessing the resources in the mobile edge host according to the resource policy.
Optionally, the communication device further comprises other components, such as an antenna, an input-output module, an interface, etc. These components may be hardware, software, or a combination of software and hardware.
In one possible implementation, the processing module includes a resource policy enforcement module, which is configured, for example, to access a resource in the mobile edge host according to the resource policy.
In a ninth aspect, an embodiment of the present application provides a communication apparatus, which may be the first network element in the first aspect, or an electronic device (e.g., a system on chip) configured in the first network element, or a larger device including the first network element. The first network element comprises corresponding means or modules for performing the first aspect or any of the alternative embodiments described above.
In one possible implementation, the communication device includes an edge risk engine module and an edge resource policy management module.
For example, the edge risk engine module is configured to receive information of a mobile edge host from a second network element, the information of the mobile edge host including first information of a first resource and/or second information indicating a behavior of accessing the mobile edge host, the first resource being a resource provided by the mobile edge host, and determine a risk status according to the information of the mobile edge host, the risk status being used to indicate whether a security risk exists for the mobile edge host; the edge resource policy management module is configured to determine a resource policy according to the risk status, where the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.
In another possible implementation, the communication device includes a central risk engine module and a central resource policy management module.
For example, the central risk engine module is configured to receive information of a mobile edge host from a second network element, where the information of the mobile edge host includes first information of a first resource and/or second information indicating a behavior of accessing the mobile edge host, where the first resource is a resource provided by the mobile edge host, and determine a risk status according to the information of the mobile edge host, where the risk status is used to indicate whether a security risk exists in the mobile edge host; the central resource policy management module is configured to determine a resource policy according to the risk status, where the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.
In a tenth aspect, an embodiment of the present application provides a communication apparatus, which may be the second network element in the second aspect, or an electronic device (e.g., a system on chip) configured in the second network element, or a larger device including the second network element. The second network element comprises corresponding means or modules for performing the second aspect or any of the alternative embodiments described above. For example, the communication device includes a risk awareness agent module and a host policy enforcement module.
For example, the risk awareness agent module is configured to obtain information of a mobile edge host, where the information of the mobile edge host includes first information of a resource provided by the mobile edge host and/or second information indicating a behavior of accessing the mobile edge host, and send the information of the mobile edge host to a first network element; the host policy enforcement module is configured to receive a resource policy from the first network element, where the resource policy is used to indicate a policy for accessing a resource of the mobile edge host.
In an eleventh aspect, an embodiment of the present application provides a communication apparatus, where the communication apparatus may be the fifth network element in the third aspect, or an electronic device (e.g., a system on chip) configured in the fifth network element, or a larger device that includes the fifth network element. The fifth network element comprises corresponding means or modules for performing the third aspect or any of the alternative embodiments described above. For example, the communication device includes a resource policy enforcement module.
For example, the resource policy enforcement module is configured to receive, from a first network element, a resource policy, where the resource policy is used to indicate a policy for accessing a resource of a mobile edge host, the resource policy is determined according to a risk status of the mobile edge host, the risk status is determined according to information of the mobile edge host, the information of the mobile edge host includes first information of a first resource and/or second information indicating a behavior for accessing the mobile edge host, the risk status is used to indicate whether the mobile edge host has a risk, and the first resource is a resource provided by the mobile edge host; and accessing the resources in the mobile edge host according to the resource policy.
In a twelfth aspect, an embodiment of the present application provides a communication system, which includes the apparatus in the sixth aspect and the apparatus in the seventh aspect.
Optionally, the communication system further includes the apparatus of the eighth aspect.
In a thirteenth aspect, an embodiment of the present application provides a communication system, which includes the apparatus of the ninth aspect and the apparatus of the tenth aspect.
Optionally, the communication system further includes the apparatus of the eleventh aspect.
In a fourteenth aspect, an embodiment of the present application provides a communication apparatus, including a processor and a memory. The memory is configured to store one or more computer programs comprising computer-executable instructions; when the communication apparatus runs, the processor executes the one or more computer programs stored in the memory, causing the communication apparatus to perform the method of any one of the first, second or third aspects.
In a fifteenth aspect, embodiments of the present application provide a computer-readable storage medium for storing a computer program which, when run on a computer, causes the computer to perform the method of any one of the first, second or third aspects.
In a sixteenth aspect, embodiments provide a computer program product having a computer program stored thereon, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method of any one of the first, second or third aspects.
In a seventeenth aspect, the present application provides a chip system, where the chip system includes a processor and an interface, where the processor is configured to call and execute instructions from the interface, and when the processor executes the instructions, the method of the first aspect, the second aspect, or the third aspect is implemented. The chip system may be formed by a chip, and may also include a chip and other discrete devices.
In an eighteenth aspect, embodiments of the present application further provide a computer program, which, when run on a computer, causes the computer to perform the method of any one of the first, second or third aspects.
For the advantageous effects of the third to eighteenth aspects and their implementations, refer to the description of the advantageous effects of the method of the first aspect and its implementations.
Drawings
Fig. 1A is a schematic diagram of an MEC architecture applicable to an embodiment of the present application;
fig. 1B is another schematic diagram of an MEC architecture applicable to an embodiment of the present application;
fig. 2 is a first schematic flowchart of a resource access method according to an embodiment of the present application;
fig. 3 is a second schematic flowchart of a resource access method according to an embodiment of the present application;
fig. 4 is a third schematic flowchart of a resource access method according to an embodiment of the present application;
fig. 5 is a fourth schematic flowchart of a resource access method according to an embodiment of the present application;
fig. 6 is a fifth schematic flowchart of a resource access method according to an embodiment of the present application;
fig. 7 is a sixth schematic flowchart of a resource access method according to an embodiment of the present application;
fig. 8 is a seventh schematic flowchart of a resource access method according to an embodiment of the present application;
fig. 9 is an eighth schematic flowchart of a resource access method according to an embodiment of the present application;
fig. 10 is a first schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 11 is a second schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 12 is a third schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 13A is a fourth schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 13B is a fifth schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 14 is a sixth schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 15 is a seventh schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 16 is a schematic diagram of deploying the apparatus shown in figs. 13A, 13B, 14 and 15 in the MEC architecture of fig. 1A according to an embodiment of the present application;
fig. 17 is another schematic diagram of deploying the apparatus shown in figs. 13A, 13B, 14 and 15 in the MEC architecture of fig. 1B according to an embodiment of the present application;
fig. 18 is an eighth schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 19 is a ninth schematic structural diagram of a communication device according to an embodiment of the present application;
fig. 20 is a tenth schematic structural diagram of a communication device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail with reference to the accompanying drawings. The particular methods of operation in the method embodiments may also be applied to apparatus embodiments or system embodiments.
Hereinafter, some terms in the embodiments of the present application are explained to facilitate understanding by those skilled in the art.
1. The network element in the embodiment of the present application may be a single physical device, or may also be an apparatus integrating multiple devices. The network element shown in the embodiment of the present application may also be a logic concept, for example, a software module, or a network function corresponding to a service provided by each network device, where the network function may be understood as a virtualization function implemented in virtualization, and may also be understood as a network function providing a service in a service network, and this is not particularly limited in the embodiment of the present application.
In the embodiments of the present application, a noun without a stated number means "one or more" unless otherwise specified. "At least one" means one or more; "a plurality" means two or more. "And/or" describes an association between the associated objects and covers three cases: for example, "A and/or B" may mean A alone, A and B together, or B alone, where A and B may each be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship; for example, "A/B" means A or B. "At least one of the following" or a similar expression refers to any combination of the listed items, including any combination of single or plural items. For example, "at least one of a, b, or c" may represent a, b, c, a and b, a and c, b and c, or a and b and c, where each of a, b and c may be singular or plural.
Unless specifically stated otherwise, the ordinal numbers such as "first", "second", and the like in the embodiments of the present application are used for distinguishing a plurality of objects and are not used for limiting the order, timing, priority, or importance of the plurality of objects, for example, "first information" and "second information" in the embodiments of the present application are used for indicating two kinds of information and are not used for limiting the order, timing, priority, or importance of two kinds of information. For another example, the "first network element" and the "second network element" in the embodiment of the present application are used to indicate two network elements, and the priority, the importance degree, and the like of the two network elements are not limited.
To improve the security of the MEC architecture, the embodiments of the present application provide a technical solution in which a first network element receives information of an ME host from a second network element, the information comprising first information and/or second information indicating a behavior of accessing the ME host, and the first network element determines a risk state of the ME host from that information. This provides a mechanism for determining the risk state of an ME host. The solution focuses on security risks that may exist inside the ME host and can therefore improve the security of the ME host and, in turn, of the MEC architecture. In addition, a corresponding resource policy can be applied promptly according to the risk state of the ME host to reduce its security risk, thereby protecting the MEC architecture.
The technical solution provided by the embodiments of the present application can be applied to any MEC architecture; an MEC architecture is introduced below as an example.
Fig. 1A is a schematic diagram of an MEC architecture applicable to the embodiments of the present application. The MEC architecture includes an ME system layer and an ME host layer. The ME system layer includes an operation support system (OSS), a mobile edge orchestrator (MEO), a customer facing service (CFS) portal, a user equipment application (UE APP), and a user application lifecycle management proxy (UE APP LCM proxy). The ME host layer includes ME hosts, ME platform managers (MEPMs), virtualization infrastructure managers (VIMs), and other ME hosts.
The functions of the respective sections included in the ME system layer will be described first.
The OSS is the highest-level management entity in the MEC architecture. The OSS may receive a service request from the customer facing service portal and send it to the MEO, which processes it further. The service request is, for example, an instantiate-application request or a terminate-application request: the former requests instantiation of an ME APP, and the latter requests termination of an ME APP that was instantiated earlier. An ME APP is an application deployed on an ME host, for example an application that implements a given service and must be deployed on the ME host to provide the corresponding backend support for users.
The MEO is an upper-level management entity in the MEC architecture and governs the resources of the MEC architecture at a macro level. For example, the MEO receives a service request from the OSS, weighs the resources required by the request against the available resources of each ME host, and selects a suitable ME host to process the request. By presentation form, resources in the MEC architecture fall into two broad classes, hardware and software. By usage, they can be divided into several types, such as computing resources, storage resources, network resources, and application image resources.
The customer facing service portal is the portal through which an operator offers subscription to and monitoring of ME APPs to third-party customers. A third-party customer (e.g., an APP provider) can subscribe to a set of ME APPs that meets its needs through the portal, or onboard its own application onto an ME host and configure when and where the application runs.
The UE APP may be understood as an APP deployed on the user side, and is generally used for generating a service request and the like according to an operation of a user and the like.
The user application lifecycle management proxy provides a forwarding proxy service. For example, it may receive a service request from the UE APP and forward it to the OSS or the MEO.
It should be noted that although the customer facing service portal, the UE APP and the user application lifecycle management proxy are shown in the MEC architecture of fig. 1A, they are generally regarded as external network elements, i.e., network elements that do not belong to the MEC architecture.
The functions of the respective parts in the ME host layer are described below.
The ME host is implemented on a server and includes an ME platform (MEP), ME APPs (an ME APP may provide one or more services), and a virtualization infrastructure (VI). The MEP may implement one or more of ME services, service registration, traffic rule control, and DNS handling. The VI provides the virtualized runtime carrier on which ME APPs run, such as a virtual machine (VM) instance. The VI includes a data plane (DP), also called the data forwarding plane, which implements data forwarding and traffic routing. An ME APP is an application running on the support provided by the VI.
The MEPM is an upper-level management entity in the MEC architecture. It manages MEP elements, the ME APP lifecycle, and ME application rules and requirements. Managing the ME APP lifecycle includes creating and terminating ME APPs. ME application rules and requirements include, for example, ME APP authentication, traffic rules, Domain Name System (DNS) configuration, and conflict coordination.
The VIM manages the allocation and release of virtualized resources for ME APPs and may also manage ME APP image resources. In addition, the VIM may collect information on virtualized resources and send it to the MEO, the MEPM, and so on.
The following describes the interfaces involved in the MEC architecture of fig. 1A.
The interfaces in the MEC architecture are also referred to as reference points. There are three kinds: interfaces through which the MEC architecture interacts with external network elements (denoted Mx), interfaces for interaction with management entities in the MEC architecture (denoted Mm), and interfaces for interaction with the MEP (denoted Mp). The interfaces shown in fig. 1A are described below.
Mx1, the communication interface between the customer facing service portal (regarded as an external network element) and the OSS.
Mx2, the communication interface between the user application lifecycle management proxy (regarded as an external network element) and the UE APP.
Mm1, the communication interface between the OSS and the MEO.
Mm2, the communication interface between the OSS and the MEPM.
Mm3, the communication interface between the MEO and the MEPM; for example, ME APP related policies may be exchanged between the MEO and the MEPM through Mm3.
Mm4, the communication interface between the MEO and the VIM; for example, virtualized resources and ME APP images may be managed, and information on available resources maintained, through Mm4.
Mm5, the communication interface between the MEPM and the MEP.
Mm6, the communication interface between the MEPM and the VIM.
Mm7, the communication interface between the VIM and the VI.
Mm8, the communication interface between the user application lifecycle management proxy and the OSS.
Mm9, the communication interface between the user application lifecycle management proxy and the MEO.
Mp1, the communication interface between an ME APP and the MEP.
Mp2, the communication interface between the MEP and the VI.
Mp3, the communication interface between an MEP and other MEPs.
It should be understood that fig. 1A introduces various network elements (e.g., ME host, VIM, MEPM, OSS, MEO, etc.) by way of example and not limitation, names of the network elements may change during the standard evolution process, and functions performed by the network elements may be further split or combined, which is not limited in the embodiment of the present application.
Fig. 1B is a schematic diagram of another MEC architecture applicable to the embodiments of the present application. Compared with the architecture in fig. 1A, the MEC architecture in fig. 1B adds a container infrastructure service management (CISM) function.
The CISM manages container resources, which covers creating, updating, querying, scaling and terminating containers. In the architecture of fig. 1B, an ME APP may run on a container managed by the CISM as well as on a virtual machine. The CISM may also communicate with the MEPM through Mm10; for example, it may collect container information and send it to the MEPM through Mm10.
Optionally, the MEC architecture in fig. 1B further includes a container engine (container runtime), which manages the running of containers. The container engine is shown in fig. 1B as an optional part in a dashed box.
The functions of the network elements other than the CISM in fig. 1B (e.g., ME host, VIM, MEPM, OSS, MEO) are as described for fig. 1A and are not repeated here.
It should be understood that fig. 1B introduces various network elements (e.g., ME host, VIM, MEPM, OSS, MEO, CISM, etc.) by way of example only and not limitation, names of the above network elements may change during the standard evolution process, and functions performed by the network elements may be further split or combined, which is not limited in the embodiment of the present application.
It should be noted that fig. 1A and fig. 1B described above are two examples of MEC architectures applicable to the embodiment of the present application, and the method in the embodiment of the present application is applicable to, but not limited to, the MEC architectures shown in fig. 1A and fig. 1B.
Fig. 2 is a schematic flowchart of a resource access method according to an embodiment of the present application.
S201, the second network element determines information of the first ME host.
The second network element is, for example, an ME host or an MEPM as shown in fig. 1A or fig. 1B. If the second network element is the first ME host, the first ME host collects its own information directly, which amounts to determining the information of the first ME host. If the second network element is an MEPM, the MEPM receives the information of the first ME host from the first ME host, which likewise amounts to determining the information of the first ME host. It should be noted that the MEC architecture includes one or more ME hosts; this embodiment takes the first ME host as an example, and the first ME host may be any one of those ME hosts.
The information of the first ME host comprises first information and/or second information. The first information is information of a first resource, the first resource is a resource provided by the first ME host, and the second information is used for indicating a behavior for accessing the first ME host. The first information and the second information are described below, respectively.
1. The first information.
The first resource includes hardware and/or software provided by the first ME host. The hardware provided by the first ME host refers to the first ME host as a whole and the components it includes, such as one or more of its network card, central processing unit (CPU), hard disk, or motherboard. The software provided by the first ME host includes, for example, one or more of its ports or the VMs deployed on it. Note that a port of the first ME host here means a logical port in software, as opposed to a physical port; for example, a port that the operating system installed on the first ME host can open to other network elements, also called an operating system port, protocol port, or network port. Other network elements here means network elements other than the first ME host. Unless otherwise specified, the ports referred to in the embodiments of the present application are logical software ports.
Optionally, the first information includes one or more of the following (1) to (4).
(1) An identification of the first resource.
The first resource is a collective term for the resources the first ME host can provide. These may include one or more types of resource, and there may be one or more resources of each type; accordingly, the first resource includes those one or more types of resource. The identification of the first resource includes an identification of each of the one or more types of resource, and may also include an identification of each individual resource of each type. An identification is used to indicate the corresponding resource.
(2) Type information of the first resource. For example, the type information of the first resource includes type information of each of the one or more types of resources. The type information of one type of resource is used for describing the type corresponding to the type of resource. Alternatively, the one or more types may be a broad class to which the resource included in the first resource belongs, and the one or more types include, for example, software or hardware. Alternatively, the one or more types may also be types to which the resource included in the first resource specifically belongs, and include, for example, a CPU, a port, a hard disk, a motherboard, and the like.
(3) The amount of the first resource and usage information of the first resource.
The amount of the first resource comprises the amount of each of the one or more types of resources, which may be understood as the total amount of resources belonging to that type. The usage information for the first resource includes usage information for each of the one or more types of resources. The usage information of each type of resource can be understood as usage information of all resources belonging to that type. The usage information of the first resource further includes usage information of each resource belonging to the corresponding type. The meaning of the usage information will be described below by taking the usage information of each resource as an example. The usage information of each type of resource includes the usage information of each resource belonging to the type of resource, which is not listed below.
The use information of one resource is used for describing the use condition of the resource. For example, the usage information of one resource includes one or more of the following A, B, or C. Wherein, a is available state information or unavailable state information corresponding to a resource, B is use state information of a resource, and C is use progress information of a resource. These pieces of information are described separately below.
A, available state information or unavailable state information of one resource.
The first resource comprises one or more resources, each of which is either an available resource or an unavailable resource. If a resource is available, the first information may include available state information for it, indicating that the resource is available; for example, the available state is represented by "0". The set of available state information for all available resources in the first resource may be called the available state information of the first resource.
If a resource is unavailable, the first information may include unavailable state information for it, indicating that the resource is unavailable; for example, the unavailable state is represented by "1". For instance, if the resource is port 4 and its state information is set to "1", port 4 is an unavailable resource. The set of unavailable state information for all unavailable resources in the first resource may be called the unavailable state information of the first resource.
Alternatively, the first information may include only the available state information of the first resource; in that case, any resource in the first resource without available state information is an unavailable resource.
Optionally, whether a resource in the first resource is available or unavailable may be pre-configured in the first ME host or predefined by a protocol, which is not limited in the embodiments of the present application. Alternatively, it may be set according to actual requirements: for example, although the ME host can provide certain resources, making them available may expose the ME host to risk, so they may be marked as unavailable, and the first information accordingly includes their unavailable state information.
B, usage status information of one resource.
The use state information of a resource is used to indicate whether the resource has been used. The use state information of one resource may be a third state indicating that the resource is not used or a fourth state indicating that the resource is used. Here, the resource is used, and it is understood that all or part of the resource included in the resource is used. For example, the third state is represented by "0" indicating that the resource is not used, and the fourth state is represented by "1" indicating that part or all of the resource has been used.
It should be noted that whether a resource is available or not is not necessarily linked to whether a resource is used or not. For example, a certain type of resource belongs to available resources, but it is possible that the resource is unused or used. As another example, a resource of a certain type may be an unavailable resource, and may be unused or illegally used.
C, usage progress information of one resource.
The usage progress information of a resource is used to indicate the degree to which the resource is used. For example, the usage progress information is represented by a ratio between a portion of the resource that has been used and a total amount of the resource. For example, the usage progress information of the CPU is 20%, and it can be understood that 20% of the CPU has been currently used.
(4) The importance of the first resource.
The importance level of the first resource includes an importance level of each of one or more types of resources, the importance level of each type of resource being used to characterize the importance of the resource. The importance of the same type of resource may be the same, and the importance of different types of resources may be the same or different. The importance of each type of resource may be pre-configured in the first network element or specified by a protocol, which is not limited in this embodiment of the present application. The degree of importance may be expressed in various ways, for example, the degree of importance of a resource may be expressed as a number, with a larger number indicating a higher degree of importance of the resource.
2. Second information.
The second information is used to describe the behavior of accessing the first ME host. The act of accessing the first ME host may be further understood as an act of accessing a resource provided by the first ME host.
Optionally, the second information includes information of a resource of the first ME host requested by the historical access request and information of a specific event accessing the first ME host. A historical access request refers to a request to access a resource of the first ME host prior to the current time. The historical access request may have one or more, and the second information correspondingly includes information of the resource of the first ME host requested by each of the one or more historical access requests and specific event information for accessing the first ME host.
Illustratively, the second information includes, for example, one or more of interface call information, container engine operation information, or system operation information of the first ME host. The interface call information is, for example, information for calling a kernel-based virtual machine (KVM) interface. Wherein the KVM interface is used to create a virtual machine monitor in an operating system installed by the first ME host such that the first ME host is capable of running a plurality of isolated virtual environments (e.g., VMs). The container engine operation information is used to describe the behavior of the container engine. Wherein the container engine can be deployed in the ME host, and the container engine can provide mutually isolated operating environments (such as containers) for the ME host.
S202, the second network element sends the information of the first ME host to the first network element. Accordingly, the first network element receives information of the first ME host from the second network element.
The information of the first ME host can be referred to above. The first network element is, for example, an MEPM, an OSS, or an MEO shown in fig. 1A or fig. 1B. The second network element may be a first ME host if the first network element is an MEPM. If the first network element is an OSS or an MEO, the second network element may be an MEPM.
S203, the first network element determines the risk state according to the information of the first ME host.
The risk status is used to indicate whether a security risk exists for the first ME host. The risk status is divided into two categories, namely, first ME host is not at security risk and first ME host is at security risk. The absence of a security risk for the first ME host may be understood as the absence of a risk of the first ME host being hacked. The existence of a security risk for the first ME host may be understood as the existence of a risk of the first ME host being hacked. Two ways of determining the risk status are described below.
The security risk of the first ME host may be pre-existing, or may be caused by an access by a fourth network element. The fourth network element is a network element that can access the first ME host in the MEC architecture, and is, for example, an OSS, a VIM, or a CISM. Correspondingly, the risk state of the first ME host may be determined by using either the first ME host or the fourth network element as the risk investigation subject. In the following, the meaning of the risk state of the first ME host is described separately for the first ME host and for the fourth network element as the risk investigation subject.
In the first mode, the first ME host is used as the risk investigation subject.
Taking the first ME host as the risk investigation subject, if it is determined that the probability that the first ME host belongs to the risk subject is less than or equal to the first probability, the first ME host is determined to be currently safe, that is, the risk state of the first ME host is that the first ME host has no risk of being invaded. The first probability may be pre-configured in the first network element. The value of the first probability can be set according to requirements, and the embodiment of the application does not limit the value.
Taking the first ME host as the risk investigation subject, if it is determined that the probability that the first ME host belongs to the risk subject is greater than or equal to the second probability, the first ME host is determined to be currently unsafe, that is, the risk state of the first ME host is that the first ME host has the risk of being invaded. The second probability may be preconfigured in the first network element, and a value of the second probability may be set according to a requirement, which is not limited in this embodiment of the application. The value of the second probability is greater than or equal to the value of the first probability.
Optionally, if the value of the second probability is greater than that of the first probability, the first ME host is used as a security risk troubleshooting agent, and if it is determined that the probability that the first ME host belongs to the risk agent is greater than the first probability and less than the second probability, it is determined that the risk state of the first ME host cannot be judged temporarily.
In the second mode, the fourth network element is used as the risk investigation subject.
Taking the fourth network element as the security risk investigation subject, if it is determined that the probability that the fourth network element belongs to the risk subject is less than or equal to the third probability, the fourth network element is determined to be currently safe; because the fourth network element is safe, its access to the ME host is determined to be a legal access process, and correspondingly the ME host is determined to have no risk of being invaded. The third probability may be preconfigured in the first network element. The value of the third probability can be set according to requirements, and the embodiment of the application does not limit the value. The value of the third probability and the value of the first probability may be the same, for example, both are 0; alternatively, the value of the third probability may be different from the value of the first probability.
If it is determined that the probability that the fourth network element belongs to the risk subject is greater than the fourth probability, the fourth network element is considered to be currently unsafe; because the fourth network element is unsafe, its access to the ME host is determined to be an illegal access process, and correspondingly the ME host is determined to have the risk of being invaded. The fourth probability may be preconfigured in the first network element, and a value of the fourth probability may be set according to a requirement, which is not limited in this embodiment of the application. The value of the fourth probability is greater than or equal to the value of the third probability.
Optionally, if the value of the fourth probability is greater than or equal to the value of the third probability, the first ME host is used as a security risk troubleshooting subject, and if it is determined that the probability that the first ME host belongs to the risk subject is greater than the third probability and smaller than the fourth probability, it is determined that the risk state of the first ME host cannot be judged temporarily.
Since the manner in which the first network element determines the risk status according to the information of the first ME host is related to the risk investigation subject, the manner in which the risk status is determined is described below.
In the first mode, the first ME host is used as the risk investigation subject, and the first network element determines the risk state of the first ME host according to the information of the first ME host.
The first network element analyzes the information of the first ME host to determine whether the risk state of the first ME host is that the first ME host has the risk of being invaded or has no risk of being invaded.
The information of the first ME host is different, and the analysis content and the determination method of the first network element are also correspondingly different, which are described below.
In a first implementation of the first mode, the information of the first ME host includes the first information, and the first network element determines the risk state of the first ME host according to the first information.
The meaning of the first information can be referred to above. By analyzing the first information, the first network element can determine whether the second resource corresponding to the first information is abnormal. The second resource is part or all of the first resource. If the second resource is abnormal, the risk state of the first ME host is determined to be that the first ME host has the risk of being invaded. If the second resource is normal, the risk state of the first ME host is determined to be that the first ME host has no risk of being invaded.
If the types of the resources included in the second resource are different, then whether the second resource is abnormal or not is analyzed, and there are different analysis manners, which are described below respectively.
Sub-implementation 1 of the first implementation: the second resource includes hardware.
If the second resource includes hardware, the hardware may be replaced by hardware implanted with malicious software, or the hardware may be illegally disassembled, or the first ME host is loaded with additional illegal hardware, etc., which may cause data in the first ME host to be stolen, and even cause the first ME host and the ME site where the first ME host is located to be paralyzed, etc. Therefore, it is significant to analyze whether the hardware of the first ME host is abnormal. Therefore, the embodiments of the present application provide a mechanism for determining whether hardware is abnormal. For example, the first network element analyzes a change in the identity of first hardware in the first ME host to determine whether an anomaly exists in the first hardware, the first hardware including some or all of the hardware in the first ME host. If the first hardware includes multiple pieces of hardware in the first ME host, the multiple pieces of hardware may be the same type of hardware, or may be multiple types of hardware.
In a first possible implementation, the first information includes a first identification of the first hardware, the first identification being received from the second network element, for example. And the first network element determines whether the first hardware is abnormal or not according to a matching result between the first identifier and a second identifier prestored by the first network element. If the first network element determines that the first identifier is successfully matched with the second identifier, which indicates that the identifier of the first hardware is not changed, the first network element may determine that the first hardware is not abnormal, that is, the first hardware is normal, and further determine that the first ME host is not at risk of being invaded. And if the first identifier is not matched with the second identifier or the matching fails, indicating that the identifier of the first hardware is changed, the first network element may determine that the first hardware is abnormal, thereby determining that the first ME host has a risk of being invaded.
Illustratively, the first identifier is determined to match the second identifier if the first identifier is the same as the second identifier, or if the result of processing the second identifier with a preset algorithm is the same as the first identifier, or if the result of processing the first identifier with the preset algorithm is the same as the second identifier. The preset algorithm is, for example, a hash algorithm or elliptic curve cryptography (ECC), and this is not limited in the embodiment of the present application. Conversely, the first identifier is determined not to match the second identifier if the first identifier is different from the second identifier, the result of processing the second identifier with the preset algorithm is different from the first identifier, and the result of processing the first identifier with the preset algorithm is different from the second identifier.
The first identifier is taken as an example, and the expression form of the first identifier in the embodiment of the present application is described below.
If the first hardware comprises one piece of hardware in the first ME host, the first identifier may be a hardware identifier of the first hardware, and the hardware identifier of the first hardware comprises a Media Access Control (MAC) address, a serial number, a Universally Unique Identifier (UUID), a Globally Unique Identifier (GUID), or the like of the first hardware.
Alternatively, the first identifier may be generated by processing a hardware identifier of the first hardware according to a preset algorithm. The preset algorithm may be pre-configured in the first network element; its meaning can be referred to above.
For example, if the first hardware is a network card, and the MAC address of the network card is 123, the first identifier is 123. Alternatively, the first network element may process the MAC address of the network card with a hash algorithm and use the result as the first identifier, where the first identifier is, for example, "40bd001563085fc35165329ea1ff5c5ecbdbbeef".
If the first hardware comprises a plurality of pieces of hardware, the first identifier may be obtained according to identifiers of the plurality of pieces of hardware, for example, one piece of hardware corresponds to one identifier. Optionally, the first identifier is a combination of multiple hardware identifiers of multiple hardware, and an order of combining the multiple identifiers may be preconfigured in the first network element. Alternatively, the first identifier may be generated by processing a combination of multiple hardware identifiers according to a preset algorithm.
For example, the first hardware includes a plurality of pieces of hardware, namely a first network card, a CPU, a hard disk, and a motherboard. The hardware identifier of the network card is the MAC address of the network card; the hardware identifier of the CPU is the hardware model of the CPU; the hardware identifier of the first ME host as a whole is the GUID of the first ME host; the hardware identifier of the motherboard is the UUID of the motherboard. The MAC address of the network card is 123, the hardware model of the CPU is AS, the GUID of the first ME host is 234, and the UUID of the motherboard is 789. The first identifier may then be the combination of the multiple hardware identifiers, such as 123AS234789. Alternatively, the first identifier is the information obtained by processing the combination of the multiple hardware identifiers (i.e. 123AS234789) with a hash algorithm, for example f314669c651cc4b6f1d7014397766325b0ca5189.
The expression form of the second identifier may refer to the expression form of the first identifier, and may be the same as or different from it. For example, the first identifier is obtained by processing a hardware identifier with a preset algorithm, and the second identifier is the hardware identifier itself. In this case, if the result of processing the second identifier with the preset algorithm is the same as the first identifier, the first network element determines that the first identifier matches the second identifier.
In summary, the first identifier is the current identifier of the first hardware in the first ME host as acquired by the second network element, and it represents the first hardware of the first ME host. The second identifier pre-stored by the first network element may be an identifier of the first hardware previously reported by the first ME host, or may have been obtained by the first network element actively requesting it from the first ME host. Since there may be a time interval between the first network element obtaining the second identifier and obtaining the first identifier (for example, the first network element receives the second identifier from the first ME host before receiving the first identifier), the second identifier may be understood as the earlier identifier of the first hardware. If the first ME host is illegally intruded within that time interval, the first identifier may no longer match the second identifier; therefore, whether the first hardware is abnormal can be determined from whether the first identifier matches the second identifier.
In a second possible implementation, the first information includes a first identifier of the first hardware, and the meaning and expression of the first identifier can refer to the foregoing. And the first network element determines whether the first hardware is abnormal or not according to the matching result between the first identifier and the third identifier. The third identifier, for example, an identifier of the second hardware after the first hardware is changed, where the first network element receives the third identifier from a third network element, and the third network element is, for example, an OSS in fig. 1A or fig. 1B, or the like. If the first network element determines that the first identifier is matched with the third identifier, which indicates that the current identifier of the first hardware is matched with the third identifier of the second hardware, the first network element may determine that the first hardware is not abnormal, that is, the first hardware is normal, and further determine that the first ME host does not have the risk of being invaded. And if the first network element determines that the first identifier is not matched with the third identifier or the matching fails, the first network element indicates that the current first identifier of the first hardware is not matched with the third identifier of the second hardware, and the first network element determines that the first hardware is abnormal, so that the first ME host is determined to have the risk of being invaded. Wherein, the meaning of successful matching and unsuccessful matching can refer to the content discussed in the foregoing.
Wherein, if the first hardware is normally changed into the second hardware, the third network element may record the third identifier of the second hardware and the first identifier of the first hardware. At this time, the first identifier of the first hardware received by the first network element from the second network element is actually the identifier of the second hardware after the first hardware is changed, that is, the third identifier. Accordingly, the first network element determines that the first identifier matches the third identifier. If the first hardware is illegally intruded and the identifier of the first hardware is illegally changed, the third network element cannot record the identifier after the illegal change, and at this time, the first identifier received by the first network element from the second network element is actually the identifier after the first hardware is illegally intruded, so that the first identifier cannot be matched with the third identifier.
Optionally, when the first hardware is normally changed, the third network element may further record a time when the first hardware is changed, record a first identifier of the first hardware, and the like.
The expression form of the third identifier may refer to the expression form of the first identifier, and may be the same as or different from it. For example, the first identifier is obtained by processing a hardware identifier with a preset algorithm, and the third identifier is the hardware identifier itself. In this case, if the result of processing the third identifier with the preset algorithm is the same as the first identifier, it is determined that the first identifier matches the third identifier.
In a third possible implementation, the first information includes a first identification of the first hardware. And the first network element determines whether the first hardware is abnormal or not according to the matching result of the first identifier and the second identifier and the matching result of the first identifier and the third identifier. If the first identifier is not matched with the second identifier, and the first identifier is not matched with the third identifier, it indicates that the current first identifier of the first hardware is different from the pre-stored second identifier, and is also different from the changed third identifier of the second hardware, and it indicates that the first hardware is likely to be illegally replaced, and the like, and the first network element determines that the first hardware is abnormal, thereby determining that the first ME host is at risk of being invaded. If the first identifier is matched with the second identifier, the first identifier is also matched with the third identifier, or if the first identifier is matched with the second identifier, the first identifier is not matched with the third identifier, or if the first identifier is not matched with the second identifier, the first identifier is matched with the third identifier, and the first network element determines that the first hardware is normal, so that the first ME host is determined not to have the risk of being invaded.
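The three possible implementations of the hardware check above, written out as an added example (not code from the patent): the first network element combines the hardware identifiers in a preconfigured order, optionally applies a preset algorithm (SHA-1 is assumed here), and compares the current first identifier against the pre-stored second identifier and the third identifier recorded for a legitimate hardware change. The hardware identifier values are the page's own (MAC 123, CPU model AS, GUID 234, UUID 789); the combination order and the use of SHA-1 are assumptions.

```python
import hashlib

NO_RISK = "no risk of being invaded"
AT_RISK = "risk of being invaded"

# Constructed from the page's example: per-hardware identifiers of the first hardware.
EXAMPLE_HARDWARE_IDS = {
    "network_card": "123",  # MAC address
    "cpu": "AS",            # hardware model
    "host": "234",          # GUID of the first ME host
    "motherboard": "789",   # UUID
}
# Assumed preconfigured combination order (the page says the order is preconfigured).
COMBINE_ORDER = ("network_card", "cpu", "host", "motherboard")


def combine_identifiers(hardware_ids, order=COMBINE_ORDER):
    """Build the first identifier for multiple pieces of hardware: concatenate in the preconfigured order."""
    return "".join(hardware_ids[name] for name in order)


def preset_algorithm(identifier):
    """The preset algorithm applied to an identifier; SHA-1 is an assumption, the page allows any hash."""
    return hashlib.sha1(identifier.encode("utf-8")).hexdigest()


def identifiers_match(a, b):
    """Match rule from the page: equal, or one side equals the preset algorithm applied to the other."""
    if a is None or b is None:
        return False
    return a == b or preset_algorithm(a) == b or preset_algorithm(b) == a


def risk_from_stored_identifier(first_id, second_id):
    """First possible implementation: compare the current identifier with the pre-stored one."""
    return NO_RISK if identifiers_match(first_id, second_id) else AT_RISK


def risk_from_change_record(first_id, third_id):
    """Second possible implementation: compare with the identifier the third network element recorded
    for a legitimate replacement. No record (None) means no legitimate change is known."""
    return NO_RISK if identifiers_match(first_id, third_id) else AT_RISK


def risk_from_both(first_id, second_id, third_id):
    """Third possible implementation: the hardware is abnormal only if the current identifier matches
    neither the pre-stored identifier nor the recorded post-change identifier."""
    if identifiers_match(first_id, second_id) or identifiers_match(first_id, third_id):
        return NO_RISK
    return AT_RISK


if __name__ == "__main__":
    current = combine_identifiers(EXAMPLE_HARDWARE_IDS)
    stored = preset_algorithm(current)          # second identifier kept as a hash
    print(current, "->", risk_from_both(current, stored, None))
    print("after undocumented replacement ->", risk_from_both("999AS234789", stored, None))
```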
Sub-implementation 2 of the first implementation: the second resource includes software.
If the second resource includes software, the software may be tampered with or embedded with illegal software, which may cause software that should be unavailable in the first ME host to be enabled, and may even cause the first ME host, or the ME site where the first ME host is located, to crash. Therefore, it is important to analyze whether the software of the first ME host is abnormal, and the embodiment of the present application provides a mechanism for doing so. For example, the first network element may analyze whether a port in the first ME host is abnormal based on whether the first ME host has a port that is open but unauthorized. If one or more ports of the first type of ports do not belong to the second type of ports, the one or more ports are unauthorized ports, and the first network element determines that they are abnormal and thus that the first ME host is at risk of being invaded. If all ports of the first type of ports belong to the second type of ports, the first network element determines that the first type of ports are normal and thus that the first ME host has no risk of being invaded.
The first information comprises information of a first type port, and the second resource comprises the first type port in the ME host. The first type of port refers to an already opened port in the first ME host, and the first type of port may be further understood as a set of already opened ports in the first ME host, and the first type of port may include one or more ports. The fourth network element may access the first ME host through the first type of port. The meaning of the fourth network element can be referred to in the foregoing. The information of the first type of port is, for example, a port number of a port belonging to the first type of port.
Normally, the port in the first ME host is not directly opened to the outside, but needs to apply for opening to the first ME host through the third network element, and the third network element records the information of the port that has applied for opening to the first ME host, that is, the information of the second type port. The information of the second type of port is, for example, a port number of a port belonging to the second type of port. However, if the first ME host is hacked illegally, some ports in the first ME host may be unlawfully opened, but in this case, the third network element cannot obtain information about these ports. Therefore, in this embodiment of the present application, the first network element may compare whether the first class of ports all belong to the second class of ports, so as to analyze whether the first ME host opens an unauthorized port, thereby determining whether the port in the ME host is abnormal.
It should be noted that the first type of ports may include a port in a first state, and may also include a port in a second state, which is not limited in this embodiment of the present application.
If the first type of ports includes a port in the second state, the first ME host has opened a port that should be unavailable, and there is a greater likelihood that the first ME host is at a security risk. Optionally, the first network element may therefore compare the first type of ports with the second type of ports to determine the risk state of the first ME host only when it determines that the first type of ports includes a port in the second state. The risk state determined in this way is more likely to reflect an actual security risk to the first ME host, and the number of port abnormality determinations made by the first network element is reduced, which reduces its processing load.
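The port check described above, as an added example that is not part of the patent: the first information carries the open ports of the first ME host (first type) with their availability status, the third network element's record of ports that were applied for and approved is the second type, and the first network element flags open ports missing from that record. The port numbers, the status encoding ("0" available, "1" unavailable, as used earlier on the page) and the optional "compare only when an unavailable port is open" switch follow the page; the sample port sets are constructed.

```python
NO_RISK = "no risk of being invaded"
AT_RISK = "risk of being invaded"
NOT_CHECKED = "port comparison skipped"   # assumed outcome when the optional shortcut skips the check

AVAILABLE = "0"     # first state: the port may be opened
UNAVAILABLE = "1"   # second state: the port should not be opened

# Constructed first information: ports currently open on the first ME host (first type of ports),
# each with its availability status.
OPEN_PORTS = {22: AVAILABLE, 8080: AVAILABLE, 4: UNAVAILABLE, 31337: UNAVAILABLE}

# Constructed record held by the third network element: ports applied for and approved (second type).
AUTHORIZED_PORTS = {22, 8080, 4}


def unauthorized_ports(open_ports, authorized_ports):
    """Ports of the first type that do not belong to the second type."""
    return sorted(port for port in open_ports if port not in authorized_ports)


def unavailable_ports_open(open_ports):
    """True if the first type of ports includes a port in the second (unavailable) state."""
    return any(status == UNAVAILABLE for status in open_ports.values())


def port_risk_state(open_ports, authorized_ports, only_when_unavailable_open=False):
    """Risk state of the first ME host from its ports.

    With only_when_unavailable_open=True the comparison is performed only if an unavailable
    port is open, the optional shortcut the page describes for reducing processing.
    """
    if only_when_unavailable_open and not unavailable_ports_open(open_ports):
        return NOT_CHECKED
    return AT_RISK if unauthorized_ports(open_ports, authorized_ports) else NO_RISK


if __name__ == "__main__":
    print("unauthorized:", unauthorized_ports(OPEN_PORTS, AUTHORIZED_PORTS))
    print("risk state:", port_risk_state(OPEN_PORTS, AUTHORIZED_PORTS))
```

Note that with the shortcut enabled an unauthorized port that is merely in the available state is never examined, which is the trade-off the page accepts in exchange for fewer comparisons.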
Sub-implementation 3 of the first implementation: the second resource includes hardware and software.
If the first network element determines that at least one of hardware and software is abnormal, the first network element determines that the first ME host is at risk of being hacked. And if the first network element determines that the hardware and the software are normal, the first network element determines that the first ME host has no risk of being invaded. The manner of determining whether hardware is abnormal and determining whether software is abnormal is described above, and is not further listed herein.
In a second implementation of the first mode, the information of the first ME host includes the second information, and the first network element determines the risk state of the first ME host according to the second information.
Specifically, the first network element determines whether a behavior corresponding to the second information is abnormal, and further determines a risk state of the first ME host. And if the behavior corresponding to the second information is abnormal, the first network element determines that the risk state is that the first ME host has the risk of being invaded. And if the behavior corresponding to the second information is normal, determining that the risk state is that the mobile edge host has no risk of being invaded.
Illustratively, the first network element may be preconfigured with at least one abnormal behavior. And if the first network element determines that the behavior corresponding to the second information belongs to at least one abnormal behavior, the first network element determines that the first ME host has the risk of being invaded. And if the first network element determines that the behaviors corresponding to the second information do not belong to at least one abnormal behavior, the first network element determines that the first ME host does not have the risk of being invaded.
For example, the at least one abnormal behavior preconfigured in the first network element includes a pod accessing a container that is not managed by that pod. If the first network element determines from the second information that a pod has accessed a container not managed by the pod, the first network element determines that the behavior of the first ME host is abnormal, and further determines that the risk state of the first ME host is that the first ME host has the risk of being invaded.
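The behavior check above, as an added example that is not code from the patent: container engine operation records (the second information) are parsed, and each is tested against a preconfigured list of abnormal behaviors, here the single rule from the page, a pod accessing a container it does not manage. The log line format, the pod-to-container mapping and the sample records are constructed.

```python
import re

NO_RISK = "no risk of being invaded"
AT_RISK = "risk of being invaded"

# Constructed format for container engine operation records carried in the second information.
RECORD_PATTERN = re.compile(r"pod=(?P<pod>\S+)\s+op=(?P<op>\S+)\s+container=(?P<container>\S+)")

# Constructed: which containers each pod on the first ME host manages.
POD_CONTAINERS = {
    "web-1": {"web-1-nginx", "web-1-sidecar"},
    "db-1": {"db-1-postgres"},
}

# Constructed container engine operation records; the third line is the abnormal access.
CONTAINER_ENGINE_RECORDS = [
    "pod=web-1 op=exec container=web-1-nginx",
    "pod=db-1 op=start container=db-1-postgres",
    "pod=web-1 op=exec container=db-1-postgres",
    "pod=web-1 op=stop container=web-1-sidecar",
]


def parse_record(line):
    """Parse one record into a dict, or return None for a record that does not fit the format."""
    match = RECORD_PATTERN.match(line)
    return match.groupdict() if match else None


def pod_accesses_unmanaged_container(record, pod_containers):
    """Abnormal behavior from the page: a pod accesses a container that it does not manage."""
    managed = pod_containers.get(record["pod"], set())
    return record["container"] not in managed


# Preconfigured set of abnormal behaviors (hypothetical structure: one predicate per behavior).
ABNORMAL_BEHAVIORS = {"pod accesses unmanaged container": pod_accesses_unmanaged_container}


def abnormal_records(lines, pod_containers, behaviors=ABNORMAL_BEHAVIORS):
    """Return (behavior name, record) pairs for every record that matches a preconfigured abnormal behavior."""
    hits = []
    for line in lines:
        record = parse_record(line)
        if record is None:
            continue  # unparseable records are ignored here; a deployment would log them
        for name, predicate in behaviors.items():
            if predicate(record, pod_containers):
                hits.append((name, record))
    return hits


def behavior_risk_state(lines, pod_containers):
    """Risk state of the first ME host from the second information."""
    return AT_RISK if abnormal_records(lines, pod_containers) else NO_RISK


if __name__ == "__main__":
    for name, record in abnormal_records(CONTAINER_ENGINE_RECORDS, POD_CONTAINERS):
        print(name, record)
    print(behavior_risk_state(CONTAINER_ENGINE_RECORDS, POD_CONTAINERS))
```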
In the second mode, the first network element determines, according to the information of the first ME host, whether a third resource requested by an access request sent by the fourth network element meets a first condition, and further determines the risk state of the first ME host. If the third resource meets the first condition, the access request is legal, the fourth network element sending the access request has no risk (or its probability of being a risk subject is less than the third probability), and accordingly the risk state is determined to be that the first ME host has no risk of being invaded. If the third resource does not satisfy the first condition, the access request is illegal, the fourth network element sending the access request has a risk (or its probability of being a risk subject is greater than or equal to the fourth probability), and accordingly the risk state is determined to be that the first ME host has the risk of being invaded by the fourth network element.
If the fourth network element needs to access the third resource of the first ME host, the fourth network element may send an access request to the first network element. The access request requests access to the third resource of the ME host. It should be noted that the fourth network element may not know which of the resources the first ME host can provide are available, or the fourth network element may itself have been intruded; therefore, although the fourth network element wants to request resources of the first ME host, part or all of the third resource it actually requests may be resources that the first ME host cannot provide, that is, part or all of the third resource may not belong to the first resource. Of course, the third resource may also belong entirely to the first resource.
As one example, the first condition includes one or more of the following (1) to (3).
(1) The third resource belongs to a resource available in the first ME host.
Illustratively, the information of the first ME host includes first information including usage information of each of the one or more types of resources, and specifically for example, the first information includes availability status information of each of the one or more types of resources of the first resource. The first network element determines the resources available in the first ME host from the first information. In this case, the first network element may determine the resources available in the first ME host based on the usage information for each of the one or more types of resources. The first network element may then determine whether the third resource belongs to a resource available in the first ME host.
(2) The amount of the third resource does not exceed an upper limit on the amount of resources, where the upper limit is determined according to the information of the first ME host.
Illustratively, the information of the first ME host includes first information including usage status information of the first resource and an identifier of the first resource. The first network element may determine, from the first information, the resources currently not used in the first ME host, and may set the upper limit on the amount of resources to the amount of resources currently not used by the first ME host. The first network element may then determine whether the third resource exceeds the upper limit on the amount of resources.
Alternatively, the information of the first ME host includes first information including an amount of the first resource and second information including information of resources of the first ME host requested by the one or more historical access requests. The first network element determines information of resources currently not used by the first ME host based on the first information and the second information, e.g., the first network element excludes resources from the first resource that the historical access request has requested to access, and determines the upper limit for the number of resources as the number of resources currently not used by the first ME host. The first network element may then determine whether the third resource exceeds the upper limit of the number of resources.
Alternatively, the information of the first ME host includes first information including the amount of the first resource. The first network element may set the upper limit on the amount of resources to the amount of the first resource. The first network element may then determine whether the third resource exceeds the upper limit on the amount of resources.
Alternatively, the information of the first ME host includes second information including information of resources of the first ME host requested by the one or more historical access requests. And the first network element determines a first historical access request with the largest quantity of requested resources in one or more historical access requests according to the second information, and determines the upper limit of the quantity of the resources as the quantity of the resources requested by the first historical access request. The first network element may then determine whether the third resource exceeds the upper limit of the number of resources.
It should be noted that, if the first resource includes multiple types of resources, there may be a corresponding upper limit for the number of resources for each type of resource, and the manner of setting the upper limit for the number of resources for each type of resource may refer to the foregoing.
(3) The third resource belongs to the first resource and belongs to a resource with the importance degree lower than the preset importance degree in the first ME host.
Illustratively, the information of the first ME host includes first information including a degree of importance of the first resource. The first network element may determine whether the third resource belongs to a resource of which the importance level in the first ME host is lower than a preset importance level. The preset importance level may be preconfigured in the first network element.
Alternatively, the first network element may configure different first conditions for different access requests, which is described as an example below.
Example one, the access request is a port open request. The port open request is used to apply for opening a port of the first ME host. The port which is applied for opening by the port opening request is the third resource.
If the first condition includes belonging to resources available in the first ME host, the first network element may determine whether the third resource belongs to resources available in the first ME host, and if the third resource belongs to resources available in the first ME host, the first network element determines that the third resource satisfies the first condition, thereby determining that the risk status of the first ME host is that there is no risk of being hacked. If part or all of the third resource does not belong to the resources available in the first ME host, the first network element determines that the third resource does not satisfy the first condition, thereby determining that the risk status of the first ME host is at risk of being hacked.
Alternatively, if the first condition includes belonging to a resource available in the first ME host and not exceeding the upper limit of the number of resources, the first network element may determine whether the third resource belongs to a resource available in the first ME host and determine whether the third resource exceeds the upper limit of the number of resources. If the third resource belongs to the resources available in the first ME host and the number of the third resource does not exceed the upper limit of the number of resources, the first network element determines that the third resource satisfies the first condition, thereby determining that the risk status of the first ME host is that there is no risk of intrusion. If the third resource does not belong to the available resources in the first ME host and/or the number of the third resources exceeds the upper limit of the number of resources, the first network element determines that the third resource does not satisfy the first condition, thereby determining that the risk status of the first ME host is that there is a risk of being hacked.
Example two, the access request is an instantiate application request. The instantiate application request is used to request a resource in the first ME host for deploying a corresponding ME APP. The resource requested by the instantiate application request is the third resource.
If the first condition includes that the upper limit of the number of resources is not exceeded, the first network element may determine whether the number of the third resources exceeds the upper limit of the number of resources. And if the third resource comprises multiple types of resources, if the multiple types of resources in the third resource do not exceed the upper limit of the number of the resources of the corresponding type, determining that the third resource meets the first condition, and thus determining that the risk state of the first ME host is that no risk of being invaded exists. And if the first network element determines that the number of the resources of at least one type in the third resources exceeds the upper limit of the number of the resources of the type, determining that the third resources do not meet the first condition, and determining that the risk state of the first ME host is the risk of being invaded.
If the first condition includes that the upper limit for the number of resources is not exceeded and that the third resource belongs to resources available in the first ME host, then the first network element may determine whether the number of third resources exceeds the upper limit for the number of resources and whether the third resource belongs to resources available in the first ME host. And if the third resource comprises multiple types of resources, if the multiple types of resources in the third resource do not exceed the upper limit of the number of the resources of the corresponding types and the third resource belongs to the resources available to the first ME host, determining that the third resource meets the first condition, and thus determining that the risk state of the first ME host is that no risk of being invaded exists. And if the first network element determines that the number of at least one type of resource in the third resources exceeds the upper limit of the number of the type of resources and/or the third resources do not belong to the resources available to the first ME host, determining that the third resources do not meet the first condition, and determining that the risk state of the first ME host is the risk of being invaded.
Example three, the access request is a resource delete request. The resource delete request is for requesting deletion of a resource in the first ME host. The resource requested to be deleted by the resource deletion request is the third resource.
If the first condition includes belonging to a resource whose importance degree in the first ME host is lower than the preset importance degree, the first network element determines whether the third resource belongs to a resource whose importance degree in the first ME host is lower than the preset importance degree. If the third resource belongs to a resource whose importance degree in the first ME host is lower than the preset importance degree, the first network element determines that the third resource satisfies the first condition, and thus determines that the risk state of the first ME host is that the first ME host has no risk of being invaded. If the third resource belongs to a resource whose importance degree in the first ME host is higher than the preset importance degree, the first network element determines that the third resource does not satisfy the first condition, and thus determines that the risk state of the first ME host is that the first ME host has a risk of being invaded.
Example four, the access request is a VM create request. The VM create request is used to request creation of a VM in the first ME host, and the VM requested to be created is the third resource. If the first condition includes that the upper limit on the amount of resources is not exceeded, the first network element determines whether the third resource satisfies the first condition. The manner of determining whether the third resource satisfies the first condition may refer to the foregoing discussion.
It should be noted that the foregoing is an example of an access request, and the access request in the embodiment of the present application includes, but is not limited to, the foregoing several types.
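The following is an added example, not code from the patent, of how a first network element could evaluate the first condition (1) to (3) above for the four access request kinds and derive the risk state and the case-four resource policy (deny or allow access to the third resource). The data layout, function names and sample values are constructed for this illustration; the patent defines no message format.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class HostInfo:
    """Information of the first ME host (constructed layout, not the patent's)."""
    available: Dict[str, Set[str]]   # type -> identifiers currently available (condition (1))
    upper_limit: Dict[str, int]      # type -> upper limit on the amount (condition (2))
    importance: Dict[str, int]       # identifier within the first resource -> importance degree
    preset_importance: int           # threshold for condition (3)


@dataclass
class AccessRequest:
    """An access request from the fourth network element; what it asks for is the third resource."""
    kind: str                                               # port_open | instantiate_app | resource_delete | vm_create
    ids: Dict[str, List[str]] = field(default_factory=dict)  # type -> requested identifiers
    amounts: Dict[str, int] = field(default_factory=dict)    # type -> requested amount


# Which of (1) "available", (2) "limit", (3) "importance" make up the first
# condition for each request kind, following examples one to four above.
FIRST_CONDITION = {
    "port_open": ("available", "limit"),
    "instantiate_app": ("limit", "available"),
    "resource_delete": ("importance",),
    "vm_create": ("limit",),
}


def derive_upper_limit(first_amount: int, history: List[int], mode: str) -> int:
    """Upper limit on the amount of one resource type, per the alternatives given under (2).

    "unused": amount of the first resource not taken by historical access requests;
    "total": the amount of the first resource itself;
    "max_history": the largest amount requested by any historical access request.
    """
    if mode == "unused":
        return max(first_amount - sum(history), 0)
    if mode == "total":
        return first_amount
    if mode == "max_history":
        return max(history, default=0)
    raise ValueError(f"unknown mode {mode!r}")


def requested_amount(req: AccessRequest, rtype: str) -> int:
    """Amount of one type in the third resource: an explicit amount, else the count of identifiers."""
    return req.amounts.get(rtype, len(req.ids.get(rtype, [])))


def cond_available(host: HostInfo, req: AccessRequest) -> bool:
    """(1) Every requested identifier is a resource available in the first ME host."""
    return all(set(ids) <= host.available.get(rtype, set())
               for rtype, ids in req.ids.items())


def cond_limit(host: HostInfo, req: AccessRequest) -> bool:
    """(2) For every type in the third resource, the amount does not exceed that type's upper limit."""
    types = set(req.ids) | set(req.amounts)
    return all(requested_amount(req, t) <= host.upper_limit.get(t, 0) for t in types)


def cond_importance(host: HostInfo, req: AccessRequest) -> bool:
    """(3) Every requested identifier belongs to the first resource and is below the preset importance."""
    return all(rid in host.importance and host.importance[rid] < host.preset_importance
               for ids in req.ids.values() for rid in ids)


CHECKS = {"available": cond_available, "limit": cond_limit, "importance": cond_importance}


def evaluate(host: HostInfo, req: AccessRequest) -> Tuple[str, str]:
    """Risk state of the first ME host and the resource policy for this request (case four)."""
    if req.kind not in FIRST_CONDITION:
        raise ValueError(f"unsupported access request kind {req.kind!r}")
    satisfied = all(CHECKS[name](host, req) for name in FIRST_CONDITION[req.kind])
    if satisfied:
        return "no_risk", "allow_access_to_third_resource"
    return "risk_of_intrusion_by_fourth_ne", "deny_access_to_third_resource"


# Constructed sample information of the first ME host.
SAMPLE_HOST = HostInfo(
    available={"port": {"8080", "8443", "9000"}, "volume": {"vol-1", "vol-2"}},
    upper_limit={"port": 2,
                 "vcpu": derive_upper_limit(8, [2, 3], "unused"),           # 3 vCPU still unused
                 "mem_gib": derive_upper_limit(16, [4, 4], "max_history"),  # 4 GiB, largest past request
                 "volume": 1},
    importance={"vol-1": 1, "vol-2": 5},
    preset_importance=3,
)

if __name__ == "__main__":
    samples = [
        AccessRequest("port_open", ids={"port": ["8080", "8443"]}),                 # allowed
        AccessRequest("port_open", ids={"port": ["22"]}),                           # port not available: denied
        AccessRequest("instantiate_app", ids={"volume": ["vol-1"]}, amounts={"vcpu": 2, "mem_gib": 4}),
        AccessRequest("instantiate_app", ids={"volume": ["vol-1"]}, amounts={"vcpu": 4, "mem_gib": 4}),
        AccessRequest("resource_delete", ids={"volume": ["vol-2"]}),                # important resource: denied
        AccessRequest("vm_create", amounts={"vcpu": 3}),                            # at the limit: allowed
    ]
    for r in samples:
        print(r.kind, r.ids, r.amounts, "->", evaluate(SAMPLE_HOST, r))
```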
In a third implementation manner, the information of the first ME host includes first information and second information, and the first network element determines the risk state of the first ME host according to the first information and the second information.
If the first network element determines that the second resource is abnormal and that the behavior corresponding to the second information is abnormal, the first network element determines that the risk state is that the first ME host has a risk of being invaded. If the first network element determines that the second resource is normal and/or that the behavior corresponding to the second information is normal, the first network element determines that the risk state is that the first ME host has no risk of being invaded. The manner of determining whether the second resource is abnormal, and the manner of determining whether the behavior corresponding to the second information is abnormal, may refer to the foregoing.
In a third implementation manner, the first network element determines that the first ME host has a risk of being invaded only when determining that the second resource is abnormal and determining that the behavior corresponding to the second information is abnormal, so that the situation that the risk state of the first ME host is misjudged as having a security risk is reduced, and the determined risk state of the first ME host is more reliable.
It should be noted that both the first manner and the second manner are examples in which the first network element directly determines the risk state of the first ME host. In practice, the first network element may instead obtain the risk state of the first ME host from another network element. In the following third manner, the other network element is a sixth network element by way of example. The sixth network element is, for example, the OSS or the MEO shown in fig. 1A or fig. 1B.
In the third manner, the sixth network element may determine the risk state of the first ME host using the first ME host as the risk troubleshooting agent, or using another network element, for example the fourth network element, as the risk troubleshooting agent.
For example, the first network element may send the information of the first ME host to the sixth network element after receiving the information of the first ME host. And the sixth network element determines the risk state of the first ME host according to the information of the first ME host. The manner in which the sixth network element determines the risk status may refer to the manner in which the first network element determines the risk status, which is not listed here. After the sixth network element determines the risk status of the first ME host, the risk status may be sent to the first network element. Accordingly, the first network element receives the risk status from the sixth network element.
As an example, if the first network element is an MEPM, after receiving the information of the first ME host, the MEPM sends the information of the first ME host to the sixth network element if it is determined that the risk status of the first ME host cannot be determined according to the information of the ME host. Since the sixth network element may obtain more information of the ME host, the sixth network element may determine the risk status of the first ME host by combining information of other ME hosts except the first ME host in the ME site where the first ME host is located.
S204, the first network element determines a resource strategy according to the risk state. The resource policy is to indicate a policy to access a resource provided by the first ME host.
For example, the first network element may pre-store different risk states, and a resource policy corresponding to each risk state. After the first network element determines the risk status of the first ME host, a resource policy corresponding to the risk status of the first ME host may be determined. And sending the resource policy to the fifth network element, so that the fifth network element accesses the resource in the first ME host according to the resource policy. The fifth network element is, for example, an ME host, MEPM, VIM, or CISM in fig. 1A or fig. 1B.
The first network element may select different risk troubleshooting agents and determine different risk states, and accordingly determines different resource policies, as described in the following cases.
Case one.
If the first network element uses the first ME host as the risk troubleshooting agent and determines, by using sub-implementation 1 of the first implementation manner in the first manner described above, that the risk state of the first ME host is that the first ME host has a risk of being invaded, the first network element determines that the resource policy is to deactivate the first ME host or to reduce the security level of the first ME host. If the first network element determines that the risk state is that the first ME host has no risk of being invaded, the first network element determines that the resource policy is null. A null resource policy means a policy that does not change the resources of the first ME host that are currently being accessed.
Illustratively, deactivating the first ME host includes shutting down the first ME host or deleting the first ME host from the resource pool. The resource pool includes a plurality of ME hosts managed by a fifth network element.
Each security level corresponds to the highest priority of the applications whose deployment the ME host can support. For example, if the security level of the first ME host is 1, the highest priority of the applications whose deployment the first ME host can support is 3, that is, the first ME host can deploy applications with a priority of 3 and applications with a priority lower than 3. For another example, if the security level of the first ME host is 2, the highest priority of the applications whose deployment the first ME host can support is 4, that is, the first ME host can deploy applications with a priority of 4 and applications with a priority lower than 4. A larger value of the security level means a more secure first ME host, and a larger value of the priority of an application means a higher priority of the application. If the security level of the first ME host is lowered to a first security level, and the highest priority of the applications whose deployment is supported at the first security level is a first priority, the first ME host no longer supports deploying applications whose priority is higher than the first priority. Optionally, the priority of each application may be preconfigured in the fifth network element, and the highest application priority supported for deployment at each security level may also be preconfigured in the fifth network element.
Case two.
If the first network element uses the first ME host as the risk troubleshooting agent and determines, by using sub-implementation 2 or sub-implementation 3 of the first implementation manner, that the risk state is that the first ME host has a risk of being invaded, the first network element determines that the resource policy includes at least one of closing the one or more ports and deactivating the first ME host; or the first network element determines that the resource policy includes at least one of closing the one or more ports and reducing the security level of the first ME host; or the first network element determines that the resource policy includes at least one of deactivating the first ME host and reducing the security level of the first ME host. If the first network element determines that the risk state is that the first ME host has no risk of being invaded, the first network element determines that the resource policy is null. The meaning of a null resource policy may refer to the foregoing. The meaning or specific implementation of deactivating the first ME host and of lowering the security level of the first ME host may refer to the foregoing.
Case three.
If the first network element uses the first ME host as the risk troubleshooting agent and determines, by using the second implementation manner, that the risk state is that the first ME host has a risk of being invaded, the first network element determines that the resource policy includes deactivating the first ME host or reducing the security level of the first ME host. If the first network element determines that the risk state is that the first ME host has no risk of being invaded, the first network element determines that the resource policy is null. The meaning of a null resource policy, and the meaning or specific implementation of deactivating the first ME host and of lowering the security level of the first ME host, may refer to the foregoing.
Case four.
If the first network element uses the fourth network element as the risk troubleshooting agent and determines, by using the second manner, that the risk state is that the first ME host has a risk of being invaded by the fourth network element, the first network element determines that the resource policy is to deny access to the third resource. If the first network element determines, by using the second manner, that the risk state is that the first ME host has no risk of being invaded by the fourth network element, the first network element determines that the resource policy is to allow access to the third resource. The meaning of the third resource may refer to the foregoing.
Case five.
If the first network element determines the risk state of the first ME host in the third manner, either the first ME host or the fourth network element may be used as the risk troubleshooting agent, as described in the following examples.
For example, if the first network element takes the first ME host as a risk troubleshooting agent, it is determined that the first ME host is at risk of being hacked, and the first network element determines that the resource policy includes deactivating the ME host or lowering a security level of the ME host. Or the first network element determines that the resource policy further includes closing one or more ports. And if the first ME host is determined not to have the risk of being invaded, the first network element determines that the resource policy is empty.
Or, for example, if the first network element uses the fourth network element as a risk troubleshooting agent, it is determined that the first ME host is at risk of being invaded by the fourth network element, and the first network element determines that the resource policy includes denial of access to the third resource. If the first ME host is determined not to be at risk of being invaded by the fourth network element, the first network element determines the resource policy as allowing to access the third resource.
S205, the first network element sends the resource policy to the fifth network element. Accordingly, the fifth network element receives the resource policy from the first network element. The resource policy is to indicate a policy to access a resource provided by the first ME host.
If the fifth network element is the first ME host, VIM, or CISM, the fifth network element may access the resource in the ME host according to the resource policy.
If the fifth network element is an MEPM, the MEPM may forward the resource policy to the first ME host, the VIM, or the CISM, etc.
Optionally, if the specific content of the resource policy is different, the fifth network element may be a different network element, which is described as an example below.
If the resource policy is to close the one or more ports, the fifth network element may be the first ME host. The first network element may send the resource policy to the first ME host, and the first ME host closes the one or more ports according to the resource policy.
If the resource policy is to deactivate the first ME host or to reduce the security level of the first ME host, the fifth network element may be a VIM or a CISM. The first network element may send the resource policy to the VIM or the CISM. The VIM or the CISM deactivates the first ME host or reduces the security level of the first ME host according to the resource policy.
And if the resource policy is to deny access to the third resource, the fifth network element is the first ME host, the VIM or the CISM. And the first network element sends the resource strategy to the first ME host, the VIM or the CISM. The first ME host, VIM, or CISM denies access to the third resource.
And if the resource policy is to allow access to the third resource, the fifth network element is the first ME host, the VIM or the CISM. And the first network element sends the resource strategy to the first ME host, the VIM or the CISM. The first ME host, VIM, or CISM allows access to the third resource.
As an example, S205 in fig. 2 is an optional step. This optional step is illustrated in dashed lines in fig. 2.
In the embodiment shown in fig. 2, the first network element may determine the risk state of the first ME host according to the information of the first ME host, which provides a mechanism for determining the risk state of the first ME host. Since this embodiment takes into account security risks that may arise inside the first ME host, the security of the MEC architecture may be improved. Furthermore, the resource policy of the first ME host is determined according to its risk state, which reduces the security risk of the first ME host in time and further improves the security of the MEC architecture. In addition, the embodiment shown in fig. 2 provides various ways of determining the risk state of the first ME host, as well as various resource policies for coping with the risk state of the first ME host.
Taking the first network element as an MEPM, the second network element as the first ME host, the third network element as an OSS, and the fifth network element as a VIM as an example, and taking the first network element determining the risk state of the first ME host according to sub-implementation 1 of the first implementation manner as an example, the interaction process between the network elements is described below. Fig. 3 is a schematic flowchart of a resource access method according to an embodiment of the present application.
S301, the first ME host determines a first identity.
The meaning of the first identifier can be referred to above. It should be noted that, in the embodiment of the present application, an example is described in which any one of one or more ME hosts in the MEC architecture is a first ME host.
S302, the first ME host sends a first identifier to the MEPM. Accordingly, the MEPM receives the first identity from the first ME host.
S303, the MEPM determines that the first identifier does not match the pre-stored second identifier.
The meaning of the second identifier, and the manner in which the MEPM determines that the first identifier does not match the second identifier, can be found above. It should be noted that, in the embodiment shown in fig. 3, the first identifier and the second identifier are not matched for example, and the foregoing discussion may be referred to in the case of matching the first identifier and the second identifier.
S304, the MEPM sends a first request to the OSS through the MEO. Accordingly, the OSS receives the first request from the MEPM through the MEO. The first request is used to obtain a third identifier of the second hardware. The meaning of the second hardware and the third identifier may refer to the foregoing.
S304 includes S304a, i.e., MEPM sends the first request to MEO, and S304b, i.e., MEO sends the first request to OSS.
It should be noted that, in the embodiment of the present application, the MEPM sends the first request to the OSS through the MEO as an example, but the MEPM may also directly send the first request to the OSS.
S305, the OSS sends a third identification to the MEPM through the MEO. Accordingly, the MEPM receives the third identification from the OSS through the MEO.
It should be noted that, in the embodiment of the present application, the description is given by taking an example in which the OSS sends the third identifier to the MEPM through the MEO, but the OSS may also directly send the third identifier to the MEPM.
S305 comprises S305a, i.e. the OSS sends the third identity to the MEO, and S305b, i.e. the MEO sends the third identity to the MEPM.
S306, the MEPM determines that the third identifier does not match the first identifier.
The manner of determining that the third identifier does not match the first identifier may refer to the foregoing. It should be noted that, in the embodiment shown in fig. 3, the third identifier is not matched with the first identifier, and the foregoing discussion may be referred to in the case that the first identifier is matched with the third identifier.
It should be noted that the MEPM may first execute S303 and then execute S306. The MEPM may also perform S303 and S306 simultaneously. The MEPM may also execute S306 first and then execute S303, which is not specifically limited in this embodiment of the application.
S307, the MEPM determines that the risk state of the first ME host is that the first ME host is at risk of being invaded.
The meaning of the risk status, the first ME host being at risk of being hacked, can be referred to above.
S308, the MEPM determines the resource strategy to reduce the security level of the first ME host according to the determined risk state.
The meaning of lowering the security level of the first ME host can be referred to above. It should be noted that, in the embodiment of the present application, the resource policy is taken as an example to reduce the security level of the first ME host.
S309, the MEPM sends the resource policy to the VIM. Accordingly, the VIM receives the resource policy from the MEPM.
S310, the VIM sends a stop instruction to the first ME host. Accordingly, the first ME host receives the stop instruction from the VIM. The stop instruction is used for indicating to stop a first application which runs on the first ME host and has a priority higher than a preset priority. The first ME host may stop running the first application after receiving the stop instruction.
In the embodiment of the present application, an application with a priority higher than a preset priority on the first ME host is described as an example of the first application.
S311, the VIM determines to deploy the first application on the second ME host.
And the VIM migrates and deploys the first application with the high priority running on the first ME host to the second ME host and runs the first application on the second ME host so as to ensure the security of the data of the first application.
It should be noted that, in the embodiment of the present application, the description is given by taking the example where the second ME host is an ME host with a higher security level than the first ME host.
As an example, S309-S311 are optional steps, which are illustrated in FIG. 3 by dashed lines.
In the embodiment shown in fig. 3, the MEPM may analyze whether the hardware in the first ME host is abnormal according to a change of the identification of the hardware of the first ME host, so as to determine whether the first ME host is at risk of being invaded, and a mechanism for determining the risk status of the first ME host is provided. And if the hardware in the first ME host is abnormal, the VIM reduces the security level of the first ME host so as to ensure that the application with higher priority can be always deployed in the ME host with higher security level and ensure the running stability of the application with higher priority.
Taking the first network element as an MEPM, the third network element as an OSS, and both the second network element and the fifth network element as the first ME host, and taking the first network element determining the risk state of the first ME host according to sub-implementation 2 of the first implementation manner as an example, the interaction process between the network elements is described below. Fig. 4 is a schematic flowchart of a resource access method according to an embodiment of the present application.
S401, the OSS acquires a port opening request.
The OSS may receive a port open request from an external network element, which is equivalent to obtaining the port open request. The meaning of the port open request and the external network element can be referred to above. Alternatively, the OSS may generate a port opening request according to a port opening operation of the user, which is equivalent to acquiring the port opening request.
S402, the OSS records the information of the port requested to be opened by the port opening request.
The OSS acquires the port opening request and records the information of the port whose opening is applied for by the port opening request, where the port information is, for example, a port number. In this way, the OSS obtains the information of the second type of port in the first ME host. The meaning of the second type of port can be referred to above.
It should be noted that S401 to S402 describe one example of a manner in which the OSS acquires the information of the second type of port in the first ME host; in practice, the OSS may acquire the information of the second type of port in various manners, which is not limited in this embodiment of the present application.
S403, the first ME host determines the information of the first type of port in the first ME host.
The first ME host detects all ports which are currently opened by the first ME host so as to obtain the information of the first type of ports. The meaning of the first type of port can be referred to above.
S404, the first ME host sends the information of the first type port to the MEPM. Accordingly, the MEPM receives information for the first type of port from the first ME host.
S405, the MEPM sends a second request to the OSS. Accordingly, the OSS receives the second request from the MEPM. The second request requests the information of the ports whose opening has been applied for in the first ME host.
S406, the OSS sends the information of the second type of port to the MEPM. Accordingly, the MEPM receives the information of the second type of port from the OSS.
It should be noted that, in the embodiment of the present application, the OSS sending the information of the second type of port to the MEPM is taken as an example; in practice, the OSS may also send the information of the second type of port to the MEPM through the MEO.
S407, if one or more ports in the first class of ports do not belong to the second class of ports, the MEPM determines that the risk state of the first ME host is that the first ME host is at risk of being invaded.
S408, the MEPM determines, according to the first state, that the resource policy is to close the one or more ports.
S409, the MEPM sends the resource policy to the first ME host. Accordingly, the first ME host receives the resource policy from the MEPM.
S410, the first ME host closes the first one or more ports.
S411, the first ME host sends a closing success response to the MEPM. Accordingly, the MEPM receives the close success response from the first ME host. The close success response is to indicate that the first ME host has successfully closed the first one or more ports.
As one example, S409-S411 are optional steps. These optional steps are illustrated in dashed lines in fig. 4.
In the embodiment shown in fig. 4, the MEPM may determine whether all ports of the first type belong to the second type of port, so as to determine whether ports exist in the first ME host that are opened but not authorized. If such ports exist, the first ME host is abnormal, so the MEPM determines that the first ME host is at risk of being invaded; a mechanism for determining the security risk of the first ME host is thereby provided. Moreover, if the first ME host has ports that are opened but not authorized, the first ME host closes these ports, so that the risk of the first ME host is reduced in a timely and targeted manner and the security of the first ME host is improved.
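As an added illustration that is not part of the present application, the following Python code models the fig. 4 flow: the OSS records applied-for ports (S401-S402), the first ME host reports its open ports (S403-S404), and the MEPM compares the two sets to determine the risk state and a port-closing resource policy (S407-S411). The `OSS` and `MEHost` classes, the host identifier and all port numbers are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskState:
    """Result of S407: whether the host is at risk, and which open ports caused it."""
    at_risk: bool
    unauthorized_ports: frozenset


@dataclass(frozen=True)
class ResourcePolicy:
    """Result of S408: the action the first ME host must carry out."""
    action: str                      # "close_ports" or "none"
    ports: frozenset = frozenset()


class OSS:
    """Records the ports whose opening has been applied for (S401-S402).

    The per-host dictionary is a constructed stand-in for the OSS's records."""

    def __init__(self):
        self._applied = {}  # host id -> set of port numbers (second type of port)

    def handle_port_open_request(self, host_id, port):
        # S402: record the port number carried by the port opening request
        self._applied.setdefault(host_id, set()).add(int(port))

    def second_type_ports(self, host_id):
        # S405-S406: answer the MEPM's second request for this host
        return frozenset(self._applied.get(host_id, ()))


class MEHost:
    """The first ME host: reports its open ports and executes the resource policy."""

    def __init__(self, host_id, open_ports):
        self.host_id = host_id
        self.open_ports = set(open_ports)  # constructed sample of detected open ports

    def first_type_ports(self):
        # S403: all ports currently open on this host
        return frozenset(self.open_ports)

    def execute(self, policy):
        # S410-S411: close the listed ports and return the closing success response
        if policy.action == "close_ports":
            self.open_ports -= set(policy.ports)
            return {"closed": sorted(policy.ports), "success": True}
        return {"closed": [], "success": True}


def determine_risk_state(first_type_ports, second_type_ports):
    """S407: any open port that was never applied for marks the host as at risk."""
    unauthorized = frozenset(first_type_ports) - frozenset(second_type_ports)
    return RiskState(at_risk=bool(unauthorized), unauthorized_ports=unauthorized)


def determine_resource_policy(risk):
    """S408: close exactly the unauthorized ports; do nothing for a clean host."""
    if risk.at_risk:
        return ResourcePolicy(action="close_ports", ports=risk.unauthorized_ports)
    return ResourcePolicy(action="none")


def mepm_audit(oss, host):
    """The MEPM side of fig. 4: collect the S404 and S406 inputs, run S407-S409."""
    first_type = host.first_type_ports()                 # S404
    second_type = oss.second_type_ports(host.host_id)    # S405-S406
    risk = determine_risk_state(first_type, second_type)
    policy = determine_resource_policy(risk)
    response = host.execute(policy)                      # S409-S411
    return risk, policy, response


def build_sample():
    """Constructed scenario: three ports were applied for, a fourth is open anyway."""
    oss = OSS()
    for port in (22, 443, 8080):
        oss.handle_port_open_request("me-host-1", port)
    host = MEHost("me-host-1", {22, 443, 8080, 9999})
    return oss, host


if __name__ == "__main__":
    oss, host = build_sample()
    risk, policy, response = mepm_audit(oss, host)
    print("risk state:", risk)
    print("resource policy:", policy)
    print("host response:", response, "open ports now:", sorted(host.open_ports))
```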
Taking the first network element as an MEPM, the second network element as an ME host, the third network element as an OSS, and the fifth network element as a VIM, and taking as an example that the first network element determines the risk state of the ME host according to the second implementation manner, the interaction process between the network elements is introduced. Fig. 5 is a schematic flowchart of a resource access method according to an embodiment of the present application.
S501, the first ME host sends second information to the MEPM. Accordingly, the MEPM receives the second information from the first ME host. The meaning of the second information can be referred to above.
S502, the MEPM determines that the behavior of the VIM corresponding to the second information is abnormal, and determines that the risk state of the first ME host is that the first ME host is at risk of being invaded.
It should be noted that S502 takes the MEPM determining the risk state of the first ME host as an example. In another possible example, the MEPM may send the second information to the OSS, and the OSS determines the risk state of the first ME host; the MEPM then receives the risk state of the first ME host from the OSS. In this case the OSS is equivalent to an example of the sixth network element, and the MEPM determines the risk state of the first ME host in the manner described above.
In fig. 5, S502 is represented by a double arrow line, which illustrates a case where the MEPM can receive the risk status of the first ME host from the OSS.
S503, the MEPM determines that the resource policy is to disable the first ME host.
S504, the MEPM sends the resource policy to the VIM. Accordingly, the VIM receives the resource policy from the MEPM.
S505, the VIM removes the first ME host from the resource pool, and migrates the application deployed on the first ME host to the second ME host.
As one example, S504-S505 are optional steps. These optional steps are illustrated in dashed lines in fig. 5.
In the embodiment shown in fig. 5, the MEPM determines, according to the second information, whether the behavior of accessing the first ME host is abnormal, and if so, determines that the first ME host is at risk of being invaded; a mechanism for determining the risk state of the first ME host is thereby provided. Moreover, if the behavior of accessing the first ME host is abnormal, the VIM disables the first ME host, which avoids paralysis of the MEC architecture caused by the invasion of the first ME host and improves the security of the MEC architecture.
Taking the first network element as the MEPM, the second network element as the ME host, the fourth network element as the OSS, and the fifth network element as the VIM, taking as an example that the first network element determines the risk state of the ME host according to the second method, and taking the access request as a port opening request as an example, the interaction process between the network elements is introduced. Fig. 6 is a schematic flowchart of a resource access method according to an embodiment of the present application.
S601, the OSS acquires a port opening request.
The manner in which the OSS obtains the port open request can be referred to above.
S602, the OSS sends the port opening request to the MEPM. Accordingly, the MEPM receives the port opening request from the OSS.
S603, the first ME host sends the first information to the MEPM. Accordingly, the MEPM receives the first information from the first ME host. The first information includes information of resources available in the first ME host, and specifically includes information of ports available to the first ME host.
S604, if the MEPM determines that the port requested to be opened by the port opening request belongs to the available resources in the first ME host, the risk state of the first ME host is determined as that the first ME host has no risk of being invaded by the OSS.
It should be noted that, in the embodiment of the present application, the first condition includes that the first resource belongs to a resource available in the first ME host.
In a possible embodiment, the MEPM may also verify whether the port requested by the port opening request belongs to the first type of port, and the meaning of the first type of port may be referred to above. If the port requested by the port open request belongs to the first type port, the steps of S605-S607 need not be performed. And if the port requested by the port opening request does not belong to the first type port, continuing to execute the subsequent steps.
S605, the MEPM determines that the resource policy is to allow opening the port requested to be opened by the port opening request.
S606, the MEPM sends the resource policy to the first ME host. Accordingly, the first ME host receives the resource policy from the MEPM.
S607, the first ME host opens the port requested to be opened by the port opening request.
As one example, S606-S607 are optional steps. These optional steps are illustrated in dashed lines in fig. 6.
In the embodiment shown in fig. 6, after receiving the port opening request, the MEPM determines whether the port requested to be opened by the port opening request belongs to the ports available to the first ME host, and if so, determines that the first ME host is not at risk of being invaded by the fourth network element; a mechanism for determining the possible security risk of the ME host is thereby provided. Moreover, since the port opening request is verified in this embodiment, an unavailable port is prevented from being illegally opened, which improves the security of the first ME host and of the MEC architecture.
Taking the first network element as an MEPM, the second network element as an ME host, the fourth network element as an OSS, and the fifth network element as a VIM, taking as an example that the first network element determines the risk state of the ME host according to the second mode, and taking the access request as an instantiation application request as an example, the interaction process between the network elements is introduced. Fig. 7 is a schematic flowchart of a resource access method according to an embodiment of the present application.
The resource access method in the embodiment of the present application is described below with reference to a flowchart of the resource access method shown in fig. 7.
S701, the OSS sends an instantiation application request to the MEPM through the MEO. Accordingly, the MEPM receives the instantiation application request from the OSS through the MEO. The meaning of the instantiation application request can be referred to above.
S701 includes S701a, i.e., the OSS sends the instantiation application request to the MEO, and S701b, i.e., the MEO sends the instantiation application request to the MEPM.
S702, the first ME host sends the information of the first ME host to the MEPM. Accordingly, the MEPM receives the information of the first ME host from the first ME host.
S703, if the MEPM determines that the first resource requested by the instantiation application request exceeds the upper limit of the resource quantity, the risk state of the first ME host is determined as that the risk of the first ME host being invaded by the OSS exists.
S704, the MEPM determines the resource policy as denying access to the first resource.
S705, the MEPM sends a first reject response to the OSS through the MEO. Accordingly, the OSS receives the first reject response from the MEPM through the MEO. The first reject response indicates that the instantiation application request initiated by the OSS is rejected.
S705 includes S705a, i.e., the MEPM sends the first reject response to the MEO, and S705b, i.e., the MEO sends the first reject response to the OSS.
As an example, S705 is an optional step. This optional step is illustrated in dashed lines in fig. 7.
In the embodiment shown in fig. 7, after receiving the instantiation application request, the MEPM determines whether the resource requested by the instantiation application request exceeds the upper limit of the resource quantity, and if so, determines that the first ME host is at risk of being invaded by the fourth network element; a mechanism for determining the possible security risk of the first ME host is thereby provided. Moreover, since the instantiation application request is verified in this embodiment, situations such as an illegal instantiation application request exhausting the resources of the first ME host are avoided, which improves the security of the first ME host and of the MEC architecture.
Taking the first network element as the MEPM, the second network element as the ME host, the fourth network element as the CISM, and the fifth network element as the VIM, taking as an example that the first network element determines the risk state of the ME host according to the second method, and taking the access request as a resource deletion request as an example, the interaction process between the network elements is introduced. Fig. 8 is a schematic flowchart of a resource access method according to an embodiment of the present application.
S801, the CISM sends a resource deletion request to the MEPM. Accordingly, the MEPM receives the resource delete request from the CISM.
S802, the first ME host sends information of the first ME host to the MEPM.
S803, if the MEPM determines that the importance degree of the first resource requested to be deleted by the resource deletion request is higher than the preset importance degree, the risk state of the first ME host is determined as that the first ME host has the risk of being invaded by the CISM.
S804, the MEPM determines that the resource policy is to refuse to delete the first resource.
S805, the MEPM sends a second rejection response to the CISM. Accordingly, the CISM receives the second reject response from the MEPM. The second reject response is for rejecting the resource deletion request.
As one example, S805 is an optional step. This optional step is illustrated in dashed lines in fig. 8.
In the embodiment shown in fig. 8, after receiving the resource deletion request, the MEPM determines whether the importance degree of the resource requested to be deleted by the resource deletion request is higher than the preset importance degree, and if so, determines that the first ME host is at risk of being invaded by the fourth network element; a mechanism for determining whether the first ME host has a security risk is thereby provided. Moreover, since the resource deletion request is verified in this embodiment, an illegal resource deletion request is prevented from deleting important resources of the first ME host, which improves the security of the first ME host and of the MEC architecture.
Taking the first network element as the MEPM, the second network element as the ME host, the fourth network element as the CISM, and the fifth network element as the VIM, taking as an example that the first network element determines the risk state of the ME host according to the second method, and taking the access request as a VM creation request as an example, the interaction process between the network elements is introduced. Fig. 9 is a schematic flowchart of a resource access method according to an embodiment of the present application.
S901, the CISM sends a VM creation request to the MEPM. Accordingly, the MEPM receives the VM creation request from the CISM. The meaning of the VM create request can be referred to above.
S902, the first ME host sends information of the first ME host to the MEPM. Accordingly, the MEPM receives information of the first ME host from the first ME host.
S903, if the MEPM determines that the first resource requested by the VM creation request exceeds the upper limit of the resource quantity, the risk state of the first ME host is determined as that the first ME host is at risk of being invaded by the CISM.
Optionally, the upper limit of the resource quantity is the maximum quantity of resources requested by historical access requests. In this case, the embodiment of the present application uses the quantities of resources requested by historical access requests to find out whether the first resource requested by the current VM creation request is abnormal.
S904, the MEPM determines the resource policy as denying access to the first resource.
S905, the MEPM sends a third rejection response to the CISM. Accordingly, the CISM receives the third reject response from the MEPM. The third reject response is to reject the VM create request.
As one example, S905 is an optional step. S905 is illustrated in dashed lines in fig. 9 as an optional step.
In the embodiment shown in fig. 9, after the MEPM receives the VM creation request, it determines whether the creation resource requested by the VM creation request exceeds the upper limit of the resource number, and if the creation resource requested by the VM creation request exceeds the upper limit of the resource number, it determines that the first ME host is at risk of being invaded by the fourth network element, and a mechanism for determining the risk status of the ME host is provided. In addition, in the embodiment, the VM creation request can be verified, so that the situation that an illegal VM creation request exhausts resources of the first ME host or occupies a large amount of resources in the first ME host is avoided, the security of the first ME host is improved, and the security of the MEC architecture is improved.
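As an added illustration that is not part of the present application, the following Python code gathers the access-request checks of figs. 6 to 9 into one MEPM-side verification function: the port opening request is checked against the ports available to the host (fig. 6, including the optional check against already-open first-type ports), the instantiation application and VM creation requests against the upper limit of the resource quantity taken as the historical maximum (figs. 7 and 9), and the resource deletion request against a preset importance degree (fig. 8). The request dictionaries, the `HostInfo` fields, the `PRESET_IMPORTANCE` value and the "deny" policy for an unavailable port are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class HostInfo:
    """Information of the first ME host as received by the MEPM (S603, S702, S802, S902).

    All fields are constructed sample data, not values from the patent."""
    available_ports: frozenset      # ports available on the host (fig. 6)
    open_ports: frozenset           # first type of port: already open (fig. 6 optional check)
    historical_requests: tuple      # resource quantities of past access requests (fig. 9)
    resource_importance: dict       # resource id -> importance degree (fig. 8)


# Assumed threshold for fig. 8; the patent only speaks of "a preset importance degree".
PRESET_IMPORTANCE = 3


@dataclass(frozen=True)
class Verdict:
    at_risk: bool     # risk state: is the host at risk of being invaded by the requester?
    policy: str       # resource policy: "allow", "deny" or "no_action"
    reason: str


def resource_upper_limit(info):
    """Optional rule of fig. 9: the upper limit is the maximum quantity ever requested."""
    return max(info.historical_requests) if info.historical_requests else 0


def check_port_open(port, info):
    """Fig. 6, S604: only a port available on the host may be opened (deny branch assumed)."""
    if port not in info.available_ports:
        return Verdict(True, "deny", f"port {port} is not available on the host")
    if port in info.open_ports:
        # Optional check in fig. 6: already a first-type port, so S605-S607 are skipped
        return Verdict(False, "no_action", f"port {port} is already open")
    return Verdict(False, "allow", f"port {port} is available; allow opening")


def check_resource_quantity(requested, info):
    """Fig. 7, S703 and fig. 9, S903: a request above the upper limit is refused."""
    limit = resource_upper_limit(info)
    if requested > limit:
        return Verdict(True, "deny", f"requested {requested} exceeds upper limit {limit}")
    return Verdict(False, "allow", f"requested {requested} is within upper limit {limit}")


def check_resource_deletion(resource_id, info):
    """Fig. 8, S803: deleting a resource above the preset importance degree is refused."""
    importance = info.resource_importance.get(resource_id, 0)
    if importance > PRESET_IMPORTANCE:
        return Verdict(True, "deny", f"{resource_id} importance {importance} > {PRESET_IMPORTANCE}")
    return Verdict(False, "allow", f"{resource_id} importance {importance} is acceptable")


def evaluate_access_request(request, info):
    """Dispatch one access request (a constructed dict) to the matching check."""
    kind = request["type"]
    if kind == "port_open":
        return check_port_open(request["port"], info)
    if kind in ("instantiate_app", "create_vm"):
        return check_resource_quantity(request["resources"], info)
    if kind == "delete_resource":
        return check_resource_deletion(request["resource"], info)
    raise ValueError(f"unknown access request type: {kind!r}")


# Constructed information of the first ME host used by the demonstration below.
SAMPLE_HOST_INFO = HostInfo(
    available_ports=frozenset({80, 443, 8080}),
    open_ports=frozenset({443}),
    historical_requests=(2, 4, 3),
    resource_importance={"vol-db": 5, "vol-tmp": 1},
)

# Constructed access requests covering every branch of the checks above.
SAMPLE_REQUESTS = (
    {"type": "port_open", "port": 8080},                 # available, not yet open -> allow
    {"type": "port_open", "port": 443},                  # already open -> no action
    {"type": "port_open", "port": 9000},                 # not available -> risk, deny
    {"type": "instantiate_app", "resources": 4},         # equals historical max -> allow
    {"type": "create_vm", "resources": 5},               # above historical max -> risk, deny
    {"type": "delete_resource", "resource": "vol-tmp"},  # low importance -> allow
    {"type": "delete_resource", "resource": "vol-db"},   # important -> risk, deny
)


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = evaluate_access_request(req, SAMPLE_HOST_INFO)
        print(f"{req} -> at_risk={verdict.at_risk} policy={verdict.policy} ({verdict.reason})")
```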
Fig. 10 shows a schematic configuration of a communication apparatus. Wherein the communication device may implement the functionality of the first network element. The communication means may be a hardware structure, a software module, or a hardware structure plus a software module. The communication means may be implemented by a system-on-chip. In the embodiment of the present application, the chip system may be formed by a chip, and may also include a chip and other discrete devices. The communication device may include a transceiver module 1001 and a processing module 1002.
For example, the transceiver module 1001 may be configured to perform the step of receiving information of the first ME host from the second network element, may also perform the step of sending the resource policy to the fifth network element, and may also be configured to support other processes of the technology described herein. The transceiver module 1001 is used for communication between a communication device and other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device capable of implementing communication. Illustratively, the transceiver module 1001 may be configured to execute S202 in the embodiment shown in fig. 2, that is, receive information of the first ME host from the second network element. S205 in fig. 2, that is, sending the resource policy to the fifth network element, may also be performed. For example, the processing module 1002 may be configured to execute S203 and S204 in fig. 2.
Optionally, the processing module 1002 includes an edge risk engine module and an edge resource policy management module (not illustrated in fig. 10), for example, the edge risk engine module is configured to execute S203; the edge resource policy management module is configured to execute S204.
Optionally, the processing module 1002 includes a central risk engine module and a central resource policy management module (not illustrated in fig. 10), for example, the central risk engine module is configured to execute S203; the central resource policy management module is configured to execute S204.
All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
Fig. 11 shows a schematic configuration of a communication apparatus. Wherein the communication apparatus may implement the functionality of the second network element. The communication means may be a hardware structure, a software module, or a hardware structure plus a software module. The communication means may be implemented by a system-on-chip. In the embodiment of the present application, the chip system may be formed by a chip, and may also include a chip and other discrete devices. The communication device may include a transceiver module 1101 and a processing module 1102.
For example, the processing module 1102 may be configured to perform S201 of fig. 2, and may also be configured to support other processes for the techniques described herein. For example, the transceiver module 1101 is used for communication between a communication device and other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device capable of realizing communication. For example, the transceiver module 1101 may be configured to perform the step of sending the information of the first ME host to the first network element in the embodiment shown in fig. 2.
Optionally, the processing module 1102 includes a risk awareness agent module (not illustrated in fig. 11), for example, the risk awareness agent module is configured to execute S201.
Optionally, if the second network element and the fifth network element are the same network element, the processing module 1102 further includes a host policy executing module (not shown in fig. 11), and the host policy executing module may be configured to execute S205.
All relevant contents of the steps related to the method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
Fig. 12 shows a schematic configuration of a communication apparatus. Wherein, the communication apparatus may implement the function of the foregoing fifth network element. The communication means may be a hardware structure, a software module, or a hardware structure plus a software module. The communication means may be implemented by a system-on-chip. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices. The communication device may include a transceiver module 1201 and a processing module 1202.
For example, the transceiver module 1201 may be used to perform the steps of receiving the resource policy from the first network element in fig. 2, and may also be used to support other processes of the techniques described herein. For example, the processing module 1202 is used for communication with a communication device and other modules, and may be a circuit, a device, an interface, a bus, a software module, a transceiver, or any other device capable of realizing communication. Illustratively, the processing module 1202 may be configured to access a resource in the ME host according to a resource policy, such as executing S310 and S311 as shown in FIG. 3.
Optionally, the processing module 1202 includes a resource policy enforcement module (not shown in fig. 12) for enforcing the resource in the ME host according to the resource policy.
All relevant contents of the steps related to the method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
Embodiments of the present application also provide a communication system, which may include the apparatus shown in fig. 10 and 11. Optionally, the communication system further comprises a device as shown in fig. 12.
Fig. 13A shows a schematic configuration of a communication apparatus. Wherein the communication device may implement the functionality of the first network element. The communication means may be a hardware structure, a software module, or a hardware structure plus a software module. The communication means may be implemented by a system-on-chip. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices. The communication apparatus may include an edge risk engine module 1301 and an edge resource policy management module 1302, for example, the edge risk engine module 1301 is configured to receive information of the first ME host from the second network element, and S203; the edge resource policy management module 1302 is configured to execute S204.
All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
Fig. 13B shows a schematic configuration of a communication apparatus. Wherein, the communication apparatus may implement the function of the first network element. The communication means may be a hardware structure, a software module, or a hardware structure plus a software module. The communication means may be implemented by a system-on-chip. In the embodiment of the present application, the chip system may be formed by a chip, and may also include a chip and other discrete devices.
The communication device may include a central risk engine module 1303 and a central resource policy management module 1304, for example, the central risk engine module 1303 is configured to receive information of the first ME host from the second network element, and S203; the central resource policy management module 1304 is configured to perform S204.
All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
Fig. 14 shows a schematic configuration of a communication apparatus. Wherein the communication apparatus may implement the function of the fifth network element. The communication means may be a hardware structure, a software module, or a hardware structure plus a software module. The communication means may be implemented by a system-on-chip. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices. The communication device may comprise a risk awareness agent module 1401, e.g. the risk awareness agent module 1401 is configured to perform S201.
Optionally, the communication device may further comprise a host policy enforcement module 1402, and the host policy enforcement module 1402 may be configured to access the resource in the ME host according to the resource policy. The host policy enforcement module 1402 is illustrated in FIG. 14 as an optional dashed box.
All relevant contents of the steps related to the method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
Fig. 15 shows a schematic configuration of a communication apparatus. Wherein the communication apparatus may implement the function of the fifth network element. The communication means may be a hardware structure, a software module, or a hardware structure plus a software module. The communication means may be implemented by a system-on-chip. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices. The communications apparatus can include a resource policy enforcement module 1501 that can be used to access resources in an ME host according to the resource policy.
All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
Fig. 10, fig. 11, fig. 12, fig. 13A, fig. 13B, fig. 14, and fig. 15 are schematic diagrams illustrating the division of modules, which is only one logical function division, and there may be another division manner in actual implementation. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
Embodiments of the present application provide a communication system, which may include the apparatus shown in fig. 13A and fig. 14. Optionally, the communication system further comprises a device as shown in fig. 15.
Embodiments of the present application provide a communication system, which may include the apparatus shown in fig. 13B and fig. 14. Optionally, the communication system further comprises a device as shown in fig. 15.
Referring to fig. 16, a schematic diagram of a communication apparatus shown in fig. 13A, 13B, 14 and 15 deployed in the MEC architecture shown in fig. 1A according to an embodiment of the present application is provided, or may be understood as a structural schematic diagram of a communication system according to an embodiment of the present application.
As shown in fig. 16, the OSS includes a central risk engine module and a central policy management module; the MEPM includes an edge risk engine module and an edge resource policy management module; the ME host (as an example of a second network element) includes a risk awareness agent module and a host policy enforcement module; the VIM (as an example of a fifth network element) includes a policy enforcement module.
Optionally, the fourth network element may be an OSS and/or a VIM in fig. 16. The functions of the respective modules in fig. 16 can refer to the foregoing.
Optionally, a service policy execution module is deployed in an MEP in the ME host, and the service policy execution module is configured to receive a service policy sent by the MEPM and execute a corresponding service.
Optionally, the risk awareness agent module may communicate with the MEPM via interface Mm12, e.g., the risk awareness agent module sends the information of the ME host to the MEPM via Mm12. The information of the ME host can be referred to above.
Optionally, the host policy enforcement module in the VIM may communicate with the MEPM via interface Mm13, e.g., the MEPM may send the resource policy to the host policy enforcement module in the VIM via Mm12. The meaning of the resource policy can be referred to above.
In one possible implementation, when the edge risk engine module in the MEPM cannot determine the risk status of the ME host according to the information of the ME host, the information of the ME host may be sent to the OSS, the central risk engine module determines the risk status of the ME host according to the information of the ME host, and the central policy management module determines the resource policy of the ME host.
It should be noted that, in fig. 16, the modules added relative to fig. 1A are indicated by dashed boxes, and the functions of each network element or interface in fig. 16 can be understood with reference to fig. 1A.
Referring to fig. 17, another schematic diagram of a communication device shown in fig. 13A, fig. 13B, fig. 14, and fig. 15 deployed in the MEC architecture shown in fig. 1B is provided for an embodiment of the present application, or may be understood as a structural schematic diagram of a communication system provided in an embodiment of the present application.
As shown in fig. 17, the OSS (as an example of a third network element) includes a central risk engine module and a central policy management module; the MEPM (as an example of a first network element) includes an edge risk engine module and an edge resource policy management module; the ME host (as an example of a second network element) includes a risk awareness agent module and a host policy enforcement module; the VIM (as an example of a fifth network element) includes a policy enforcement module; the CISM (as an example of a fifth network element) includes a policy enforcement module.
Optionally, the fourth network element may be one or more of OSS, CISM, or VIM in fig. 17.
Optionally, a service policy execution module may be further deployed in the MEP in the ME host, and the function of the service policy execution module may refer to the foregoing.
Optionally, the resource policy enforcement module in the CISM may communicate with the container engine in the ME host through Mm14 to manage the operation of the container. In addition, the resource policy enforcement module in the CISM may communicate with the MEPM through Mm15, e.g., the MEPM may send resource policies to the CISM through Mm15.
In one possible implementation, when the edge risk engine module in the MEPM cannot determine the risk status of the ME host according to the information of the ME host, the information of the ME host may be sent to the OSS, the central risk engine module determines the risk status of the ME host according to the information of the ME host, and the central policy management module determines the resource policy of the ME host.
It should be noted that fig. 17 illustrates the added modules in fig. 1B by dashed lines, and the functions of the network elements or interfaces in fig. 17 can be discussed with reference to fig. 1B.
Fig. 18 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application, where the communication apparatus may be a first network element, or may implement a function of the first network element. The communication device may be a system on a chip. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
The communication device comprises at least one processor 1801 for implementing or for supporting the communication device to implement the functionality of the first network element in fig. 2 to 9. For example, the processor 1801 may determine the risk state of the ME host according to the information of the ME host, and determine the resource policy according to the risk state of the ME host, which is specifically described in detail in the method example, and is not described herein again.
The communications apparatus may also include an interface 1802 for communicating with other devices over a transmission medium, and thus for the communications apparatus to communicate with other devices. Illustratively, the other device may be a server. The processor 1801 may send and receive data using the interface 1802.
The communication device may also include at least one memory 1803 for storing program instructions and/or data. The memory 1803 is coupled to the processor 1801. The coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, and may be electrical, mechanical or of another form; it is used for information interaction between the devices, units or modules. The processor 1801 may cooperate with the memory 1803 and may execute the program instructions stored in the memory 1803. At least one of the at least one memory 1803 may be included in the processor 1801. The resource access method of any of the embodiments shown in fig. 2 to 9 may be implemented when the processor 1801 executes the program instructions in the memory 1803.
As an example, the memory 1803 in fig. 18 is an optional part, and is illustrated by a dashed box in fig. 18. For example, a memory 1803 is coupled to the processor 1801.
The embodiment of the present application does not limit the specific connection medium among the interface 1802, the processor 1801, and the memory 1803. In the embodiment of the present application, the interface 1802, the processor 1801, and the memory 1803 are connected by a bus in fig. 18, the bus is represented by a thick line in fig. 18, and the connection manner among other components is only schematically illustrated and is not limited thereto. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 18, but that does not indicate only one bus or type of bus.
In this embodiment, the processor 1801 may be a general-purpose processor, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps, and logic blocks disclosed in this embodiment. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the methods disclosed in connection with the embodiments of the present application may be embodied as hardware processors, or may be implemented as a combination of hardware and software modules in the processors.
In this embodiment, the memory 1803 may be a non-volatile memory, such as a hard disk drive (HDD) or a solid-state drive (SSD), or a volatile memory, such as a random access memory (RAM). The memory may also be any other medium that can carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, without limitation. The memory in the embodiments of the present application may also be a circuit or any other device capable of performing a storage function, for storing program instructions and/or data.
Fig. 19 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application, where the communication apparatus may be a second network element or may implement a function of the second network element. The communication device may be a system on a chip. In the embodiment of the present application, the chip system may be formed by a chip, and may also include a chip and other discrete devices.
The communication device comprises at least one processor 1901 for implementing, or for supporting the communication device in implementing, the functionality of the second network element in fig. 2 to 9 of the present application. For example, the processor 1901 may obtain the information of the ME host, as described in detail in the method embodiments and not repeated here.
Additionally, the communication device may also include an interface 1902. Optionally, the communication device further comprises a memory 1903, the memory 1903 being an optional part illustrated in fig. 19 as a dashed box. The processor 1901, interface 1902, and memory 1903 may be implemented as described above.
Fig. 20 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application, where the communication apparatus may be a second network element or may implement a function of the second network element. The communication device may be a system on a chip. In the embodiment of the present application, the chip system may be composed of a chip, and may also include a chip and other discrete devices.
The communication device comprises at least one processor 2001 for implementing, or for enabling the communication device to implement, the functionality of the second network element in fig. 2 to 9 of the present application. For example, the processor 2001 may obtain the information of the ME host, as described in detail in the method embodiments and not repeated here.
In addition, the communication device may also include an interface 2002. Optionally, the communication device further comprises a memory 2003, which memory 2003 is an optional part illustrated in fig. 20 as a dashed box. Specific implementations of the processor 2001, interface 2002 and memory 2003 are as described above.
An embodiment of the present application provides a chip system, where the chip system includes a processor, and may further include an interface, configured to implement the functions of the first network element, the second network element, the third network element, the fourth network element, or the fifth network element in the foregoing method. The chip system may be formed by a chip, and may also include a chip and other discrete devices.
Also provided in an embodiment of the present application is a computer-readable storage medium for storing a computer program, which, when run on a computer, causes the computer to execute the resource access method in any one of the embodiments shown in fig. 2 to 9.
There is also provided in an embodiment of the present application a computer program product storing a computer program, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the resource access method of any of the embodiments shown in fig. 2 to 9.
The method provided by the embodiment of the present application may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, a network appliance, a user device, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another over a wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., digital video disk (DVD)), or a semiconductor medium (e.g., SSD).
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (15)

1. A method for accessing resources, comprising:
a first network element receives information of a mobile edge host from a second network element, wherein the information of the mobile edge host comprises first information of a first resource and/or second information indicating the behavior of accessing the mobile edge host, and the first resource is a resource provided by the mobile edge host;
the first network element determines a risk state according to the information of the mobile edge host, wherein the risk state is used for indicating whether the mobile edge host has a safety risk or not;
and the first network element determines a resource policy according to the risk state, wherein the resource policy is used for indicating a policy for accessing resources provided by the mobile edge host.
2. The method of claim 1, wherein determining the risk status according to the information of the mobile edge host by the first network element comprises:
the first network element determines whether a second resource corresponding to the first information is abnormal, wherein if the resource corresponding to the first information is abnormal, the risk state is determined as that the mobile edge host has a risk of being invaded, and the second resource belongs to the first resource; and/or,
and the first network element determines whether the behavior corresponding to the second information is abnormal, wherein if the behavior corresponding to the second information is abnormal, the risk state is determined to be that the mobile edge host has the risk of being invaded.
3. The method of claim 2, wherein the second resource comprises first hardware, wherein the first information comprises a first identifier, and wherein the first identifier is an identifier of the first hardware;
the determining, by the first network element, whether the second resource corresponding to the first information is abnormal includes:
and if the first identifier is not matched with a pre-stored second identifier and/or the first identifier is not matched with a third identifier, the first network element determines that the first hardware is abnormal, the third identifier is an identifier received from a third network element and is an identifier of second hardware, and the second hardware is the hardware after the first hardware is changed.
4. The method according to claim 2 or 3, wherein the second resource comprises a first type of port of the mobile edge host, the first type of port belonging to an opened port in the mobile edge host;
the determining, by the first network element, whether the second resource corresponding to the first information is abnormal includes:
the first network element receives information of a second type of port from a third network element, wherein the second type of port is a port which is applied for opening by the third network element to the mobile edge host;
and if one or more ports in the first class of ports do not belong to the second class of ports, the first network element determines that the one or more ports are abnormal.
5. The method of claim 4, wherein determining, by the first network element, a resource policy based on the risk status comprises:
and if the risk state is that the mobile edge host has the risk of being invaded, the first network element determines that the resource policy is to close the one or more ports.
6. The method according to any of claims 2-5, wherein the determining, by the first network element, a resource policy based on the risk status comprises:
if the risk state is that the mobile edge host is at risk of being invaded, the first network element determines that the resource policy is to stop the mobile edge host or reduce the security level of the mobile edge host, wherein if the security level of the mobile edge host is reduced to a first security level, the mobile edge host does not support an application with a deployment priority higher than the first priority, and the first priority is the highest priority of the applications which can support deployment under the condition that the security level of the mobile edge host is the first security level.
7. The method of claim 1, wherein determining the risk status according to the information of the mobile edge host by the first network element comprises:
the first network element receives an access request from a fourth network element, wherein the access request is used for requesting to access a third resource of the mobile edge host;
the first network element determines whether the third resource meets a first condition according to the information of the mobile edge host;
and if the third resource does not satisfy the first condition, determining that the risk state is that the mobile edge host has the risk of being invaded, or if the third resource satisfies the first condition, determining that the risk state is that the mobile edge host does not have the risk of being invaded.
8. The method of claim 7, wherein the first condition comprises one or more of:
the resource quantity included in the third resource does not exceed a resource quantity upper limit, and the resource quantity upper limit is determined according to the information of the mobile edge host;
the third resource belongs to an available resource in the first resources, the first information includes available status information of the first resource, and the available status information is used for indicating the available resource in the first resources; or,
the third resource belongs to a resource with an importance degree lower than a preset importance degree in the first resource, and the first information includes the importance degree of the first resource.
9. The method according to claim 7 or 8, wherein the determining, by the first network element, a resource policy according to the risk status comprises:
if the risk state is that the mobile edge host has a risk of being invaded, the first network element determines that the resource policy is to refuse access to the third resource; or,
and if the risk state is that the mobile edge host does not have the risk of being invaded, the first network element determines that the resource policy is to allow access to the third resource.
10. The method according to any one of claims 1-9, further comprising:
and the first network element sends the resource strategy to a fifth network element.
11. The method of claim 1, wherein determining the risk status according to the information of the mobile edge host by the first network element comprises:
the first network element sends the information of the mobile edge host to a sixth network element;
the first network element receives the information of the risk status from the sixth network element.
12. A communications apparatus, comprising:
a transceiver module, configured to receive information of a mobile edge host from a second network element, where the information of the mobile edge host includes first information of a first resource and/or second information indicating a behavior of accessing the mobile edge host, and the first resource is a resource provided by the mobile edge host;
a processing module, configured to determine a risk state according to the information of the mobile edge host, where the risk state is used to indicate whether the mobile edge host has a security risk, and determine a resource policy according to the risk state, where the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.
13. A communications apparatus, comprising: a processor and a memory; the memory is for storing one or more computer programs, the one or more computer programs comprising computer-executable instructions which, when executed by the resource access device, cause the communication device to perform the method of any of claims 1-11, the one or more computer programs stored by the memory being executable by the processor.
14. A chip system, comprising:
a processor and an interface, the processor to invoke and execute instructions from the interface, the instructions when executed by the processor implementing the method of any of claims 1-11.
15. A computer-readable storage medium for storing a computer program which, when run on a computer, causes the computer to perform the method of any one of claims 1-11.
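The method of claims 1 to 11, worked through as an added Python example for this page; it is not code from the patent or from Huawei. Every class, field and sample value (the `hw-A` identifier, ports 443, 8443 and 2222, the `cpu` and `keystore` resources) is constructed, and two points are assumptions marked in comments: a reported hardware identifier counts as matching if it equals the pre-stored identifier or the replacement identifier announced by the third network element (claim 3), and the three parts of the first condition in claim 8 are all required before an access request is allowed. The edge engine defers to a caller-supplied central engine when it holds no reference data, which is the fallback claim 11 and the description of fig. 16 and fig. 17 describe.

```python
# Added illustration of claims 1 to 11; not code from the patent or from Huawei.
# All names and sample values are constructed; matching rules are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Optional

RISK_INTRUSION = "risk of being invaded"    # risk state wording from claim 2
RISK_NONE = "no risk of being invaded"      # risk state wording from claim 7


@dataclass
class HostInfo:
    """Information of the mobile edge host sent by the second network element."""
    hardware_id: str     # first identifier of the first hardware (claim 3)
    opened_ports: set    # first type of port: ports opened on the host (claim 4)
    available: set       # available resources among the first resources (claim 8)
    importance: dict     # resource -> importance degree (claim 8)


@dataclass
class AccessRequest:
    """Request from the fourth network element for a third resource (claim 7)."""
    quantities: dict     # resource -> quantity requested


@dataclass
class EdgeRiskEngine:
    """First network element (the MEPM edge risk engine in the description)."""
    stored_hardware_id: Optional[str] = None     # pre-stored second identifier
    announced_hardware_id: Optional[str] = None  # third identifier after a change
    applied_ports: Optional[set] = None          # second type of port (claim 4)
    quantity_upper_limit: dict = field(default_factory=dict)  # claim 8
    importance_threshold: int = 0                # preset importance degree (claim 8)
    central_engine: Optional[Callable[[HostInfo], str]] = None  # sixth NE (claim 11)

    def hardware_abnormal(self, info: HostInfo) -> bool:
        # Claim 3 (assumed reading): accept the stored identifier, or the
        # replacement identifier announced by the third network element.
        if self.stored_hardware_id is None:
            return False
        accepted = {self.stored_hardware_id, self.announced_hardware_id}
        return info.hardware_id not in accepted

    def abnormal_ports(self, info: HostInfo) -> set:
        # Claim 4: an opened port that was never applied for is abnormal.
        if self.applied_ports is None:
            return set()
        return set(info.opened_ports) - set(self.applied_ports)

    def risk_state(self, info: HostInfo) -> str:
        # Claim 11: without reference data the edge engine cannot decide and
        # hands the host information to the central (sixth) network element.
        if self.stored_hardware_id is None and self.applied_ports is None:
            if self.central_engine is None:
                raise ValueError("no reference data and no central risk engine")
            return self.central_engine(info)
        if self.hardware_abnormal(info) or self.abnormal_ports(info):
            return RISK_INTRUSION
        return RISK_NONE

    def host_policy(self, info: HostInfo) -> list:
        # Claims 5 and 6: close rogue ports; on a hardware mismatch stop the
        # host, otherwise reduce its security level (ordering is assumed).
        if self.risk_state(info) != RISK_INTRUSION:
            return []
        actions = []
        ports = self.abnormal_ports(info)
        if ports:
            actions.append(("close_ports", tuple(sorted(ports))))
        actions.append(("stop_host" if self.hardware_abnormal(info)
                        else "reduce_security_level", None))
        return actions

    def request_policy(self, info: HostInfo, req: AccessRequest) -> str:
        # Claims 7 to 9: refuse unless every part of the first condition holds
        # (the conjunction is the conservative reading of the claim's list).
        for res, qty in req.quantities.items():
            if (qty > self.quantity_upper_limit.get(res, 0)
                    or res not in info.available
                    or info.importance.get(res, 0) >= self.importance_threshold):
                return "refuse access"      # risk state: RISK_INTRUSION
        return "allow access"               # risk state: RISK_NONE


def sample_run() -> dict:
    """Constructed sample: a host that opened a port nobody applied for."""
    engine = EdgeRiskEngine(
        stored_hardware_id="hw-A", applied_ports={443, 8443},
        quantity_upper_limit={"cpu": 4, "keystore": 1}, importance_threshold=5)
    host = HostInfo(hardware_id="hw-A", opened_ports={443, 8443, 2222},
                    available={"cpu", "keystore"},
                    importance={"cpu": 1, "keystore": 9})
    return {
        "state": engine.risk_state(host),
        "policy": engine.host_policy(host),
        "cpu_request": engine.request_policy(host, AccessRequest({"cpu": 2})),
        "key_request": engine.request_policy(host, AccessRequest({"keystore": 1})),
    }
```

In `sample_run()` the host reports port 2222 open although only 443 and 8443 were applied for, so the edge engine reports the intrusion risk state, the resource policy closes port 2222 and lowers the host's security level, a small `cpu` request is allowed, and a request for the high-importance `keystore` resource is refused even though it stays within the quantity limit.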
CN202111198509.8A 2021-10-14 2021-10-14 Resource access method and device Pending CN115987534A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111198509.8A CN115987534A (en) 2021-10-14 2021-10-14 Resource access method and device
PCT/CN2022/124629 WO2023061366A1 (en) 2021-10-14 2022-10-11 Resource access method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111198509.8A CN115987534A (en) 2021-10-14 2021-10-14 Resource access method and device

Publications (1)

Publication Number Publication Date
CN115987534A true CN115987534A (en) 2023-04-18

Family

ID=85968646

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111198509.8A Pending CN115987534A (en) 2021-10-14 2021-10-14 Resource access method and device

Country Status (2)

Country Link
CN (1) CN115987534A (en)
WO (1) WO2023061366A1 (en)

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2579745B (en) * 2016-02-25 2021-02-03 Intel Corp Platform for computing at the mobile edge
EP3703337B1 (en) * 2017-11-22 2022-12-21 Huawei Technologies Co., Ltd. Mobile edge host-machine service notification method and apparatus
CN110730499B (en) * 2018-07-16 2021-06-15 华为技术有限公司 MEC information acquisition method and device
US10884814B2 (en) * 2018-09-28 2021-01-05 Intel Corporation Mobile edge-cloud security infrastructure
CN111182551B (en) * 2020-01-07 2022-09-02 中国联合网络通信集团有限公司 Network security protection method and system
CN111614657B (en) * 2020-05-18 2021-06-04 北京邮电大学 Mobile edge security service method and system based on mode selection

Also Published As

Publication number Publication date
WO2023061366A1 (en) 2023-04-20

Legal Events

Date Code Title Description
PB01 Publication