CN116319098B - Edge computing server safety interconnection system - Google Patents


Info

Publication number
CN116319098B
Authority
CN
China
Prior art keywords
server
individual
gru network
information
network model
Legal status
Active
Application number
CN202310571527.9A
Other languages
Chinese (zh)
Other versions
CN116319098A (en)
Inventor
彭凯
李志康
徐博
李书胜
何建文
邓天平
沈永超
彭聪
Current Assignee
Hubei Chutianyun Co ltd
Huazhong University of Science and Technology
Original Assignee
Hubei Chutianyun Co ltd
Huazhong University of Science and Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2557 Translation policies or rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L 67/1004 Server selection for load balancing
    • H04L 67/1008 Server selection for load balancing based on parameters of servers, e.g. available memory or workload

Abstract

The invention provides a secure interconnection system of edge computing servers, which comprises: an encryption connection module in the source server, which looks up the data encryption algorithm shared with the destination server on the basis of an IP address quick matching algorithm and executes encrypted communication between the source server and the destination server; and a resource scheduling module, which solves for the parameter information of a GRU network model with a DBO algorithm and builds the GRU network model, predicts the data load of each encrypted link of the source server at a future time t with the built GRU network model, calculates the proportion of computing power resources to be allocated to each encrypted link, and allocates the corresponding computing power resources to each encrypted link according to that proportion. The invention integrates IPSec technology with secure communication between edge computing servers, designs an IP quick search algorithm and a DBO-GRU link load prediction model, and provides high-speed, stable and secure protection for communication between each edge computing server and the remote cloud computing server.

Description

Edge computing server safety interconnection system
Technical Field
The invention relates to the field of data communication, in particular to a secure interconnection system of edge computing servers.
Background
Edge computing is designed initially to offload complex tasks to an edge platform server deployed near a terminal for data processing and computing operations, and then to extract valid data for transfer to a remote cloud computing server. In an actual application scene, important information is often required to be transmitted among a plurality of edge platform servers, a plurality of edge computing servers and a remote cloud computing server form a brand-new communication interconnection system, and data transmitted in the system have high value, so how to realize safe and stable data communication among the servers is a problem to be solved.
In the current edge computing security field, researchers focus on secure data transmission between terminal devices (such as intelligent home, industrial robots and other internet of things devices) and edge computing servers, and research on secure interconnection between each edge computing server and a remote cloud computing server is neglected.
IPSec is a communication protocol with relatively high security, and owing to its strong universality it can be combined with different application scenarios; some researchers have therefore tried to apply IPSec between edge computing devices and application systems, but have not extended the application scenario to communication between edge computing servers, and implementing the IPSec security protocol can limit network performance. Meanwhile, when a plurality of IPSec encrypted links exist, the problem of unbalanced data processing time among the links easily occurs.
Disclosure of Invention
In order to fill the research blank of the secure communication among servers in the edge computing scene and solve the problems in the IPSec technical scheme, the invention provides an edge computing server secure interconnection system, which comprises a plurality of edge cloud servers and a remote center cloud server, wherein each server comprises an encryption connection module and a resource scheduling module;
the encryption connection module in the source server is used to look up the data encryption algorithm shared with the destination server on the basis of an IP address quick matching algorithm and to execute encrypted communication between the source server and the destination server according to that data encryption algorithm;
the resource scheduling module in the source server performs global optimal position locking on the basis of the Dung Beetle Optimization (DBO) algorithm, takes the position information of the population individual located at the optimal position as the parameter information of a GRU network model, and builds the GRU network model; based on the built GRU network model, it predicts the data load of each encrypted link of the source server at a future time t and calculates the proportion of computing power resources to be allocated to each encrypted link according to its data load; and it allocates the corresponding computing power resources to each encrypted link based on that proportion.
According to the edge computing server security interconnection system provided by the invention, the IPSec technology is fused with the edge computing server security communication, an IP quick search algorithm and a DBO-GRU link load prediction model are designed, and high-speed, stable and safe protection is provided for the communication between each edge computing server and the remote cloud computing server.
Drawings
Fig. 1 is a schematic structural diagram of a secure interconnection system of an edge computing server according to the present invention;
Fig. 2 is a schematic diagram of the overall flow of encrypted communications;
Fig. 3 is a schematic diagram of an IP matching flow in the SPD;
Fig. 4 is a simplified schematic diagram of a DBO-GRU model;
Fig. 5 is a schematic diagram of the internal structure of a recurrent unit in a GRU network model;
Fig. 6 is a schematic diagram of the connection mode of the recurrent units of the GRU network model.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention. In addition, the technical features of each embodiment or the single embodiment provided by the invention can be combined with each other at will to form a feasible technical scheme, and the combination is not limited by the sequence of steps and/or the structural composition mode, but is necessarily based on the fact that a person of ordinary skill in the art can realize the combination, and when the technical scheme is contradictory or can not realize, the combination of the technical scheme is not considered to exist and is not within the protection scope of the invention claimed.
Fig. 1 is a schematic diagram of an edge computing server security interconnection system provided by the present invention, where the system includes a plurality of edge cloud servers and a remote central cloud server, and each server includes an encryption connection module and a resource scheduling module.
It can be understood that, as shown in fig. 1, in the application scenario of the method of the present invention, a plurality of edge cloud servers and a remote center cloud server form a communication interconnection system for transmitting high-value information. The invention deploys two important modules, namely an encryption connection module and a resource scheduling module, for each server (comprising each edge server and a central cloud server).
The encryption connection module in the source server looks up the data encryption algorithm shared with the destination server on the basis of the IP address quick matching algorithm, and executes encrypted communication between the source server and the destination server according to that data encryption algorithm.
As an embodiment, the encryption connection module in the source server looking up the data encryption algorithm shared with the destination server on the basis of the IP address quick matching algorithm, and executing encrypted communication between the source server and the destination server according to that algorithm, comprises: looking up whether a data encryption algorithm corresponding to the IP address information of the destination server exists in the security association SA of the source server, and if so, executing encrypted communication between the source server and the destination server with that data encryption algorithm, the security association SA storing data encryption algorithm information together with IP address information; if it does not exist, looking up whether the IP address information of the destination server exists in the security policy database SPD of the source server, and if it does, having the source server and the destination server negotiate and execute encrypted communication according to the negotiated data encryption algorithm; otherwise, communication between the source server and the destination server is refused, the security policy database SPD storing security policies together with IP address information.
It can be understood that the encryption connection module deployed by the invention mainly works as follows: it establishes and maintains a designated encrypted communication link. The overall flow for opening encrypted communication between two servers is shown in Fig. 2. In the IPsec encrypted communication scenario adopted by the present invention, the SPD (security policy database) stores a large number of security policies carrying IP address information, and the SA (security association) stores a large amount of data encryption algorithm information carrying IP address information. When server A (the source server) wants to transmit data to server B (the destination server), server A first searches its own security association SA and checks whether data encryption algorithm information corresponding to the IP address information of server B exists there; if so, it starts encrypted communication, processes the data in the designated encryption mode and transmits it to server B; if not, it searches its own security policy database SPD. The SPD is searched for the IP address information of server B: if it is absent, server A has no authority to transmit data to server B and communication is not allowed; if it is present, server A and server B carry out the IKE (Internet Key Exchange protocol) negotiation step to negotiate the data encryption algorithm between them, check after a successful negotiation whether the data encryption algorithm conflicts, update the security association SA in server A, then start encrypted communication and transmit the data to server B after processing it in the specified encryption mode.
In order to improve the speed of IPSec negotiation and access communication, the invention designs an IP address quick matching algorithm, thereby greatly reducing the time consumption of quick search SA and quick search SPD.
As an embodiment, looking up whether a data encryption algorithm corresponding to the IP address information of the destination server exists in the security association SA of the source server comprises: an IP address matching engine based on a tree bitmap performs a quick search to find whether the IP address information of the destination server exists among the IP address information stored in the security association SA of the source server, and if so, the data encryption algorithm corresponding to that IP address information is obtained. If it does not exist, looking up whether the IP address information of the destination server exists in the security policy database SPD of the source server, and if so having the source server and the destination server negotiate and execute encrypted communication according to the negotiated data encryption algorithm, comprises the following steps: a segment tree algorithm is used to quickly find whether an IP range class rule matching the IP address information of the destination server exists in the security policy database SPD of the source server, and if so, the security policy database SPD has an IP information rule matching the IP address information of the destination server; if no IP range class rule matches, the IP address lookup engine based on the tree bitmap quickly retrieves the IP address information of the destination server among the IP address class rules, and if an IP address class rule matches, the security policy database SPD has an IP information rule matching the IP address information of the destination server; if there is no match in either the security association SA or the security policy database SPD, the destination server is not on the communicable list of the source server, and communication between the source server and the destination server is refused.
It can be appreciated that, to reduce the limitation that implementing the IPSec protocol places on network performance, the present invention designs an IP address fast matching algorithm for the realistic application scenario to increase the speed of IPSec negotiation and access communication. IP address information given as a range is stored in a segment tree structure in preparation for subsequent rapid matching, and for explicitly specified IP address information the TreeBitmap algorithm is adopted. The two are combined to realize rapid matching of IP information in practical application.
Specifically, since the IP address information stored in the security association SA of a server consists of explicitly specified, specific IP addresses, the rapid search uses an IP address matching engine based on a Tree Bitmap to find whether the IP address of server B exists among the IP information stored in the SA of server A.
Two types of IP information rule may be stored in the security policy database SPD, IP range class rules and IP address class rules; the specific retrieval flow is shown in Fig. 3. The SPD is first searched for an IP range class rule that can include the IP address of server B, using a segment tree algorithm for quick matching; if an IP range class rule matches, an IP information rule that can match the IP address of server B exists in the SPD. If no IP range class rule matches, the IP address of server B is quickly looked up among the IP address class rules with the IP address search engine based on the Tree Bitmap, and if an IP address class rule matches, an IP information rule that can match the IP address of server B exists in the SPD.
If the SPD contains an IP information rule that can match the IP address of server B, the encryption connection modules of server A and server B start IKE negotiation and exchange ISAKMP packets; after the negotiation completes successfully, the negotiation result is added to the SA policy list. The negotiation result information includes the IP addresses at both ends of the link, the packet encryption form, the link lifetime, and so on.
As an embodiment, the source server negotiates with the destination server, and then further includes: updating the security alliance SA based on the negotiated data encryption algorithm, and performing conflict detection on all the updated data encryption algorithms in the security alliance SA, if the conflict occurs, deleting the original data encryption algorithm, and reserving the newly added data encryption algorithm.
It can be understood that after server A and server B negotiate the data encryption algorithm, the encryption connection modules of the two servers perform rule conflict detection on the existing data encryption algorithms in the security association SA, adopting the principle of 'first in first out': if the newly added data encryption algorithm conflicts with an original data encryption algorithm, the original data encryption algorithm is deleted and the newly added data encryption algorithm is saved.
The encrypted communication between server A and server B is performed according to the data encryption algorithm retrieved from the security association SA or the data encryption algorithm negotiated by server A and server B.
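The SA-then-SPD lookup flow of the preceding paragraphs, as an added Python example that is not code from the patent or its assignees. A binary trie stands in for the tree-bitmap engine over explicitly specified addresses, a segment tree answers the range-rule stabbing query, and the IKE exchange is replaced by a caller-supplied negotiate() callback. All addresses, rules and algorithm names are constructed sample data, and treating an older SA entry for the same peer as the conflict that first-in-first-out resolves is an assumption, not a rule the page states.

```python
import ipaddress
from bisect import bisect_left, bisect_right
from dataclasses import dataclass


@dataclass
class SaEntry:          # one security association: peer (32-bit int), cipher, lifetime (s)
    peer: int
    algorithm: str
    lifetime: int


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


class AddressTrie:
    """Binary trie keyed by 32-bit address; a simplified stand-in for the tree-bitmap
    engine used for explicitly specified addresses (SA entries, SPD address rules)."""
    def __init__(self):
        self.root = {}

    def insert(self, addr, value):  # returns the value previously stored for addr, if any
        node = self.root
        for i in range(31, -1, -1):
            node = node.setdefault((addr >> i) & 1, {})
        old, node["leaf"] = node.get("leaf"), value
        return old

    def lookup(self, addr):
        node = self.root
        for i in range(31, -1, -1):
            node = node.get((addr >> i) & 1)
            if node is None:
                return None
        return node.get("leaf")


class RangeTree:
    """Segment tree over SPD range rules: built from [lo, hi] address ranges, it answers
    whether a single address lies inside any rule (a stabbing query)."""
    def __init__(self, ranges):
        # elementary intervals [xs[j], xs[j+1]) between the sorted range endpoints
        self.xs = sorted({x for lo, hi in ranges for x in (lo, hi + 1)})
        self.n = max(1, len(self.xs) - 1)
        self.cover = [0] * (4 * self.n)  # cover[node] > 0: node's whole span is inside a rule
        for lo, hi in ranges:
            self._insert(1, 0, self.n - 1, bisect_left(self.xs, lo), bisect_left(self.xs, hi + 1) - 1)

    def _insert(self, node, l, r, ql, qr):
        if qr < l or r < ql:
            return
        if ql <= l and r <= qr:
            self.cover[node] += 1
            return
        m = (l + r) // 2
        self._insert(2 * node, l, m, ql, qr)
        self._insert(2 * node + 1, m + 1, r, ql, qr)

    def covers(self, addr):
        if not self.xs or addr < self.xs[0] or addr >= self.xs[-1]:
            return False
        i = bisect_right(self.xs, addr) - 1  # elementary interval that contains addr
        node, l, r = 1, 0, self.n - 1
        while not self.cover[node]:  # walk root to leaf; a covered ancestor means a match
            if l == r:
                return False
            m = (l + r) // 2
            node, l, r = (2 * node, l, m) if i <= m else (2 * node + 1, m + 1, r)
        return True


class EncryptionConnectionModule:
    """SA first, then SPD, otherwise refuse; negotiate(addr) stands in for the IKE exchange."""
    def __init__(self, sa_entries, spd_ranges, spd_addresses):
        self.sa, self.spd_addrs = AddressTrie(), AddressTrie()
        for e in sa_entries:
            self.sa.insert(e.peer, e)
        for a in spd_addresses:
            self.spd_addrs.insert(ip_int(a), True)
        self.spd_ranges = RangeTree([(ip_int(a), ip_int(b)) for a, b in spd_ranges])

    def update_sa(self, entry):
        # conflict detection, first in first out: an older entry for the same peer is
        # the conflict (assumed definition), so it is dropped and the new one kept
        return self.sa.insert(entry.peer, entry)

    def connect(self, dst, negotiate):
        addr = ip_int(dst)
        hit = self.sa.lookup(addr)
        if hit is not None:
            return ("sa-hit", hit.algorithm)
        if self.spd_ranges.covers(addr) or self.spd_addrs.lookup(addr):
            new = negotiate(addr)
            self.update_sa(new)
            return ("negotiated", new.algorithm)
        return ("refused", None)


def demo():
    """Constructed SA/SPD contents and a fake IKE result; returns the module and outcomes."""
    mod = EncryptionConnectionModule(
        sa_entries=[SaEntry(ip_int("10.0.0.2"), "aes-256-gcm", 3600)],
        spd_ranges=[("10.0.1.0", "10.0.1.255"), ("172.16.0.0", "172.16.0.255")],
        spd_addresses=["10.0.2.7"])
    fake_ike = lambda addr: SaEntry(addr, "aes-128-cbc", 3600)
    targets = ("10.0.0.2", "10.0.1.20", "10.0.1.20", "172.16.0.9", "10.0.2.7", "10.0.2.0", "192.168.1.1")
    return mod, [mod.connect(t, fake_ike) for t in targets]
```

The second call for 10.0.1.20 is served from the SA because the first call's negotiation result was written back; 10.0.2.0 is refused although 10.0.2.7 is allowed, which is the difference between an address-class rule and a range-class rule.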
After encrypted communication between the source server and the destination server has been established, the resource scheduling module in the source server performs global optimal position locking on the basis of the DBO algorithm, takes the position information of the population individual located at the optimal position as the parameter information of the GRU network model, and builds the GRU network model; based on the built GRU network model, it predicts the data load of each encrypted link of the source server at a future time t and calculates the proportion of computing power resources to be allocated to each encrypted link according to its data load; and it allocates the corresponding computing power resources to each encrypted link based on that proportion.
It can be understood that, to solve the problem of unbalanced data processing time among links when multiple links exist, the invention combines the Dung Beetle Optimization (DBO) algorithm with a gated recurrent unit (GRU) neural network to design a DBO-GRU model, uses the model to quickly predict the data load of each link, performs resource scheduling on the basis of the prediction result, and reasonably distributes computing resources to each link according to actual conditions.
The invention solves for the optimal parameter information of the GRU network model with the DBO algorithm. Specifically, the parameters of the Dung Beetle Optimization (DBO) algorithm are initialized and a number of candidate solutions are drawn at random from a three-dimensional space to serve as individuals; the coordinates of the j-th individual consist of three components: the neuron count of the first hidden layer of the GRU network, the neuron count of the second hidden layer of the GRU network, and the learning rate of the GRU network. Referring to Fig. 4, the GRU network model mainly comprises an input layer, two hidden layers and an output layer.
Assume the number of neurons of the input layer of the GRU network is given; the position of each individual then follows the optimization region boundary defined by formulas (1), (2) and (3), i.e. the individual is optimized within that optimization region.
Assume the number of candidate solutions drawn at random when the DBO algorithm parameters are initialized is given; the same number of GRU network models are constructed and trained, and load prediction is carried out on the test set.
The initialized random individuals are divided into 4 groups, 4 different behavior logics, namely rolling behavior, propagation behavior, foraging behavior and theft behavior, are respectively executed, the grouping proportion is 6:6:7:11 according to the sequence, and the maximum iteration number is set to be H.
The group to which each individual belongs is checked in turn and the iteration executed; individuals belonging to different behavior-logic groups update their position information in different ways. After one iteration of training has been completed on all GRU network models, the position information of each individual is updated, the parameter information of all GRU network models is updated from the updated position information of each individual, and iterative training continues on the updated GRU network models until the number of training iterations reaches the maximum iteration number, giving the final position information of each individual; from the final position information of each individual the optimal position of the population is found, and the global optimal solution at that moment is taken as the parameter information of the GRU network model, which is then built.
It can be understood that after a number of initial candidate solutions in the three-dimensional space are drawn at random as initial individuals, one round of iterative training is performed on all of them; after that training the position information of each initial individual is updated, the parameter information of the GRU network model corresponding to each individual is updated from its updated position information, the test set is predicted with each updated GRU network model, and from the prediction results the optimal position of the population (the best position among all individuals) and the worst position of the population (the worst position among all individuals) are found.
And performing a second round of iterative training of all individuals, updating the position information of each individual based on the optimal position information and the worst position information of the population determined in the first round, and continuously performing iterative training on each individual until the iteration number reaches the maximum iteration number to obtain the final position information of each individual. And finding out the optimal position information of the population based on the final position information of each individual, and constructing a GRU network model by taking the optimal position information of the population as the parameter information of the GRU network model.
The position information of each individual is updated according to rules that depend on the individual's behavior logic. Specifically, when an individual performs a rolling-behavior position iteration, with probability 90% it executes the unobstructed rolling logic and with probability 10% the obstructed rolling logic: a positive fraction less than 1 is generated at random, and if it is less than 0.9 the individual's position is updated according to formula (4), otherwise according to formula (5).
The quantities in formula (4) are: the position of the individual after iteration h+1, after iteration h, and after iteration h-1; the worst position of the population after iteration h; a natural coefficient that takes only the values -1 or 1, with the probability of each value set in advance by the server administrator (50% each by default); k, the deflection coefficient, whose value lies in the interval (0, 0.2]; and b, the light-intensity deflection coefficient, drawn at random from the interval (0, 1).
The quantities in formula (5) are: the rotation angle in the obstructed rolling logic, drawn at random from a value interval beginning at 0. If the angle happens to fall on 0 or on either of the two other excluded values, the individual's position is left unchanged by default in that iteration.
When an individual performs a propagation-behavior position iteration, the propagation area is divided using formula (6), and after the division succeeds the individual's position is updated using formula (7).
Here Lb and Ub are the lower and upper bounds of the optimization region, and the two further bounds are the lower and upper bounds of the breeding area; h is the current iteration number and H the maximum iteration number; the remaining quantity is the local optimal position of the individual, i.e. the best position of that individual from the first iteration to the current iteration h. Lb is given by an expression in the number of neurons of the input layer of the GRU network model, and Ub = 1.
(7);
Where b1 and b2 are two random independent vectors of size 1×d, D being the dimension of the optimization problem, in this case three-dimensional.
When an individual performs a foraging-behavior position iteration, the best foraging area is divided using formula (8), and after the division succeeds the individual's position is updated using formula (9).
The quantities in formula (8) are: the lower and upper bounds of the best foraging area, and the optimal position of the population after iteration h.
The quantities in formula (9) are: C1, a random number following a normal distribution; C2, a random independent vector of size 1×D whose modulus lies in the interval (0, 1); and D, the dimension of the optimization problem, which is three in the present invention.
When an individual performs a theft-behavior position iteration, its position is updated according to formula (10).
The quantities in formula (10) are: S, a constant; g, a random vector of size 1×D following a normal distribution; and D, the dimension of the optimization problem, which is three in the present invention.
After one round of iterative training has been performed on all individuals and their positions updated, the corresponding GRU network model is updated from the updated position information of each individual, and the test set is predicted with each updated GRU network model. Let the number of predictions be n, with a predicted value and an actual value for each; the fitness of each individual is then calculated by formula (11). The smaller the fitness, the better the individual's position in the population. In iteration h, the individual with the smallest fitness is called the optimal population position and the individual with the greatest fitness the worst population position; the coordinates of both are recorded.
(11).
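The DBO search described in the paragraphs above, as an added Python example that is not code from the patent or its assignees. The population is split 6:6:7:11 into the rolling, propagation, foraging and theft groups as the page specifies, and the four position-update rules are taken from the original DBO paper because this page refers to formulas (4)-(10) without printing them; the 90/10 rolling split, the natural coefficient in {-1, 1}, k in (0, 0.2], b in (0, 1), and the per-individual local best are as the page describes. The bounds LB/UB and the proxy_fitness bowl are constructed assumptions standing in for formulas (1)-(3) and (11): the real system trains a GRU per individual and scores its test-set error, which is far too slow for a runnable illustration.

```python
import math
import random

LB = [1.0, 1.0, 1e-4]     # assumed lower bounds: hidden layer 1 size, hidden layer 2 size, learning rate
UB = [128.0, 128.0, 0.1]  # assumed upper bounds for the same three coordinates
GROUP_WEIGHTS = (6, 6, 7, 11)  # rolling : propagation : foraging : theft, the page's 6:6:7:11


def proxy_fitness(pos):
    """Constructed stand-in for formula (11). The real system trains one GRU per individual
    and scores its test-set error; this smooth bowl with its minimum at (32, 16, 0.01)
    plays that role so the optimizer can be run offline in milliseconds."""
    h1, h2, lr = pos
    return ((h1 - 32) / 64) ** 2 + ((h2 - 16) / 64) ** 2 + (math.log10(lr) + 2) ** 2


def clip(pos):
    return [min(max(v, lo), hi) for v, lo, hi in zip(pos, LB, UB)]


def group_sizes(pop_size):
    total = sum(GROUP_WEIGHTS)
    sizes = [pop_size * w // total for w in GROUP_WEIGHTS]
    sizes[-1] += pop_size - sum(sizes)   # rounding remainder goes to the theft group
    return sizes


def dbo_optimize(fitness=proxy_fitness, pop_size=30, max_iter=50, seed=7, k=0.1, s=0.5):
    """Dung Beetle Optimizer over the 3-D hyperparameter space. The four position-update
    rules follow the original DBO paper (assumption: the page refers to formulas (4)-(10)
    without printing them). x_star: an individual's own best position so far;
    x_b / x_w: best and worst positions of the population after the previous iteration."""
    rng = random.Random(seed)
    pop = [[rng.uniform(lo, hi) for lo, hi in zip(LB, UB)] for _ in range(pop_size)]
    prev = [p[:] for p in pop]                 # positions after iteration h-1
    fit = [fitness(p) for p in pop]
    x_star, f_star = [p[:] for p in pop], fit[:]
    initial_best = min(fit)
    roles = [g for g, n in enumerate(group_sizes(pop_size)) for _ in range(n)]
    for h in range(1, max_iter + 1):
        x_b = pop[min(range(pop_size), key=fit.__getitem__)][:]
        x_w = pop[max(range(pop_size), key=fit.__getitem__)][:]
        R = 1.0 - h / max_iter                 # search regions shrink as iterations advance
        for i, role in enumerate(roles):
            x, xs = pop[i], x_star[i]
            if role == 0:                                            # rolling behaviour
                if rng.random() < 0.9:                               # unobstructed, formula (4)
                    alpha, b = rng.choice((-1, 1)), rng.random()     # k in (0, 0.2], b in (0, 1)
                    new = [x[d] + alpha * k * prev[i][d] + b * abs(x[d] - x_w[d]) for d in range(3)]
                else:                                                # obstructed, formula (5)
                    theta = rng.uniform(0.0, math.pi)
                    if theta in (0.0, math.pi / 2, math.pi):
                        continue                                     # excluded angles: stay put
                    new = [x[d] + math.tan(theta) * abs(x[d] - prev[i][d]) for d in range(3)]
            elif role == 1:                                          # propagation, (6) and (7)
                lb_s = [max(v * (1 - R), lo) for v, lo in zip(xs, LB)]
                ub_s = [min(v * (1 + R), hi) for v, hi in zip(xs, UB)]
                new = [xs[d] + rng.random() * (x[d] - lb_s[d]) + rng.random() * (x[d] - ub_s[d])
                       for d in range(3)]
            elif role == 2:                                          # foraging, (8) and (9)
                lb_b = [max(v * (1 - R), lo) for v, lo in zip(x_b, LB)]
                ub_b = [min(v * (1 + R), hi) for v, hi in zip(x_b, UB)]
                c1 = rng.gauss(0.0, 1.0)
                new = [x[d] + c1 * (x[d] - lb_b[d]) + rng.random() * (x[d] - ub_b[d]) for d in range(3)]
            else:                                                    # theft, formula (10)
                new = [x_b[d] + s * rng.gauss(0.0, 1.0) * (abs(x[d] - xs[d]) + abs(x[d] - x_b[d]))
                       for d in range(3)]
            new = clip(new)                    # keep every coordinate inside the region
            prev[i], pop[i], fit[i] = x, new, fitness(new)
            if fit[i] < f_star[i]:
                f_star[i], x_star[i] = fit[i], new[:]
    best = min(range(pop_size), key=f_star.__getitem__)
    return {"position": x_star[best], "fitness": f_star[best], "initial_best": initial_best}


if __name__ == "__main__":
    print(dbo_optimize())
```

Replacing proxy_fitness with a function that builds and trains a GRU from the three coordinates and returns its test-set error is the only change needed to turn this into the hyperparameter search the page describes; the rest of the loop, including the worst-position term of the rolling update and the per-individual best used by the propagation and theft updates, stays the same.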
The resource scheduling module of the server obtains the global optimal solution from the DBO algorithm, extracts the key parameters of the globally optimal GRU network model from the position information of the population individual corresponding to that solution, builds the GRU network model from these parameters, and trains it with the training set.
When the GRU network model is built, the recurrent unit of the GRU network model is constructed first, and then the connection between recurrent units is realized. Compared with the LSTM network model popular in the field of time-series prediction, the GRU achieves the same function as an LSTM neural network by introducing only two gating mechanisms, an update gate and a reset gate, which raises computation speed, saves system memory and to some extent lowers training difficulty; the internal structure of a recurrent unit of the GRU neural network is shown in Fig. 5. Also unlike LSTM, the recurrent unit of the GRU neural network has only two input variables, the input at the current moment and the hidden-layer state at the previous moment; the connection of the recurrent units is shown in Fig. 6. In Fig. 5, h represents the hidden-layer state, x the input information, r the reset gate and z the update gate; the Sigmoid function and the residual memory are also marked in the figure.
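The recurrent unit just described, as an added pure-Python example that is not code from the patent or its assignees: one GRU cell with reset gate r and update gate z whose only inputs are x_t and h_{t-1}, plus a run() method that chains cells through time. The weight names W_*/U_* and the uniform initialisation are assumptions for illustration; a zero-weight cell (scale=0) makes the gating arithmetic easy to check by hand, since both gates then equal 0.5 and the candidate state is 0, so each step halves the previous hidden state.

```python
import math
import random


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


def matvec(W, v):
    return [sum(w * x for w, x in zip(row, v)) for row in W]


class GRUCell:
    """One recurrent unit of a GRU: reset gate r, update gate z, candidate state h~.
    Its only inputs are x_t and the previous hidden state h_{t-1}; there is no separate
    cell state as in LSTM."""

    def __init__(self, input_size, hidden_size, scale=0.1, seed=0):
        rng = random.Random(seed)

        def mat(rows, cols):  # uniform init in [-scale, scale]; scale=0 gives all-zero weights
            return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]

        self.hidden_size = hidden_size
        # W_* act on the input x_t, U_* on the previous hidden state (or on r * h_{t-1} for h~)
        self.W_r, self.U_r = mat(hidden_size, input_size), mat(hidden_size, hidden_size)
        self.W_z, self.U_z = mat(hidden_size, input_size), mat(hidden_size, hidden_size)
        self.W_h, self.U_h = mat(hidden_size, input_size), mat(hidden_size, hidden_size)

    def step(self, x, h_prev):
        """One time step: returns h_t given x_t and h_{t-1}."""
        r = [sigmoid(a + b) for a, b in zip(matvec(self.W_r, x), matvec(self.U_r, h_prev))]
        z = [sigmoid(a + b) for a, b in zip(matvec(self.W_z, x), matvec(self.U_z, h_prev))]
        gated = [ri * hi for ri, hi in zip(r, h_prev)]           # reset gate scales old memory
        h_tilde = [math.tanh(a + b) for a, b in zip(matvec(self.W_h, x), matvec(self.U_h, gated))]
        # update gate interpolates between the kept memory and the candidate state
        return [(1.0 - zi) * hi + zi * ti for zi, hi, ti in zip(z, h_prev, h_tilde)]

    def run(self, sequence, h0=None):
        """Chain units in time: feed each x_t and pass h_t on to the next unit."""
        h = list(h0) if h0 is not None else [0.0] * self.hidden_size
        for x in sequence:
            h = self.step(x, h)
        return h
```

Because h_t is a convex combination of h_{t-1} and a tanh output, a hidden state started at zero always stays inside (-1, 1) regardless of the input sequence, which is one reason the unit is cheap to train compared with an LSTM carrying an unbounded cell state.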
Based on the built GRU network model, the data load of each encrypted link of the server is predicted. Specifically, the resource scheduling module of the server collects raw data from the encrypted links the server maintains and counts the total traffic volume on each encrypted link per fixed time interval. The resource scheduling module then pre-processes the raw data, removes abnormal data, fills in incomplete data, converts the arranged data into matrix form, and arranges a test set and a training set in preparation for input to the GRU network model.
Using the successfully trained globally optimal GRU network model, the resource scheduling module of the server predicts, from the collected raw data, the data load of each link at a certain future time t; the predicted values are denoted in turn for links m = 1, 2, ..., p, where m indexes an encrypted link.
The resource scheduling module of the server sets a dynamic resource weight for each encryption link according to its importance at time t, denoted in turn for each link. The weight values are all greater than or equal to 1 and are set to 1 by default; the server administrator can adjust them dynamically according to the actual link importance.
From the predicted load of each link and the link's dynamic resource weight, the resource scheduling module of the server calculates by formula (12) the ratio, within the total resources, of the computing power resource to be allocated to the m-th IPSec link at time t.
(12).
According to the calculated resource allocation proportion of each encrypted link, the resource scheduling module of the server allocates computing resources to each link when time t arrives, so that the data processing time of the links is balanced.
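The pre-processing, matrix arrangement and weighted allocation steps above, as an added example that is not code from the patent. The GRU prediction step is left to the model of the previous section; this block takes predicted loads as input. Assumptions: missing intervals are filled with the mean of the nearest known neighbours and outliers are detected with a MAD-based robust z-score (the page only says abnormal data is removed and incomplete data filled); formula (12) is not reproduced on the page, so `allocate_compute` uses the weighted-share form, each link's weighted predicted load divided by the weighted sum over all links. The sample counters are constructed.

```python
def _median(xs):
    s = sorted(xs)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2.0

def clean_series(samples, mad_k=3.5):
    """One link's per-interval flow totals (bytes). None marks an interval
    whose counter was not collected; it is filled with the mean of the nearest
    known neighbours. Outliers (robust z-score above mad_k, MAD scaled to sigma)
    are replaced by the median, so a single burst cannot dominate training."""
    vals = list(samples)
    if all(v is None for v in vals):
        raise ValueError("no usable samples")
    for i, v in enumerate(vals):
        if v is None:
            left = next((vals[j] for j in range(i - 1, -1, -1) if vals[j] is not None), None)
            right = next((vals[j] for j in range(i + 1, len(vals)) if vals[j] is not None), None)
            neigh = [u for u in (left, right) if u is not None]
            vals[i] = sum(neigh) / len(neigh)
    med = _median(vals)
    mad = _median([abs(v - med) for v in vals])
    if mad > 0:
        vals = [med if abs(v - med) / (1.4826 * mad) > mad_k else v for v in vals]
    return vals

def make_windows(series, window):
    """Matrix form: each row holds `window` consecutive loads, the target is the next one."""
    if window < 1 or len(series) <= window:
        raise ValueError("series too short for this window")
    rows = [series[i:i + window] for i in range(len(series) - window)]
    targets = [series[i + window] for i in range(len(series) - window)]
    return rows, targets

def train_test_split(rows, targets, train_frac=0.8):
    """Chronological split: the test set is the most recent part, never shuffled,
    so the model is scored on traffic it could not have seen."""
    cut = int(len(rows) * train_frac)
    return (rows[:cut], targets[:cut]), (rows[cut:], targets[cut:])

def allocate_compute(predicted_loads, weights=None):
    """Share of total compute for each link at time t (assumed weighted-share
    form of formula (12)). Weights default to 1 and must be >= 1 as on the page."""
    p = len(predicted_loads)
    if weights is None:
        weights = [1.0] * p
    if len(weights) != p:
        raise ValueError("one weight per link")
    if any(w < 1 for w in weights):
        raise ValueError("weights must be >= 1")
    if any(l < 0 for l in predicted_loads):
        raise ValueError("predicted load cannot be negative")
    weighted = [w * l for w, l in zip(weights, predicted_loads)]
    total = sum(weighted)
    if total == 0:
        return [1.0 / p] * p  # all links idle: split evenly instead of dividing by zero
    return [v / total for v in weighted]

# Constructed counters for one link: a missing interval and one burst.
SAMPLE_LINK = [10, None, 30, 1000, 20, 22]
```

A negative predicted load is rejected rather than silently clamped, because a model regression that outputs negatives would otherwise shift resources to the remaining links without anyone noticing.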
The invention provides a safe interconnection system of edge computing servers, which has the following beneficial effects:
1. The invention fills the research gap of secure communication between servers in the edge computing scenario, introduces the IPSec encrypted transmission protocol into that communication, and achieves strong data-encryption security together with convenient link maintenance.
2. According to the invention, an IP address quick lookup algorithm is designed for the practical application scenario: for range-class IP rules a segment tree structure is used for fast IP matching, and for address-class IP rules a tree bitmap structure is used. This greatly improves the speed of IPSec negotiation and access communication and reduces the limitation that implementing the IPSec protocol places on network performance.
3. According to the invention, a Dung Beetle Optimization (DBO) algorithm is creatively combined into a GRU network model, link data load prediction is rapidly and accurately carried out, dynamic weight of link importance is combined on the basis of load prediction, reasonable scheduling of computational power resources is realized, and data processing time of each IPSec encryption link is balanced.
4. Compared with the LSTM network model popular in the field of time-series prediction, the GRU network model adopted by the invention, a variant of the LSTM neural network, keeps high prediction accuracy while better addressing the long training time and low training efficiency of the LSTM neural network, and gives better prediction results for time series; it has a stable prediction process, high prediction accuracy and a high training speed.
5. Compared with other population optimization algorithms, the Dung Beetle Optimization (DBO) algorithm adopted by the invention uses a novel search mechanism, can thoroughly explore the search space by utilizing information of different time periods, can overcome the local optimal solution trap, and has stronger global search capability. Meanwhile, key parameters in the process of iterative population individual position have the characteristic of dynamic change, and the exploration and development states of the DBO algorithm can be further stimulated.
In the foregoing embodiments, the descriptions of the embodiments are focused on, and for those portions of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (9)

1. The edge computing server security interconnection system is characterized by comprising a plurality of edge cloud servers and a remote center cloud server, wherein each server comprises an encryption connection module and a resource scheduling module;
the encryption connection module in the source server searches a data encryption algorithm with the destination server based on an IP address quick matching algorithm, and executes encryption communication between the source server and the destination server according to the data encryption algorithm;
the resource scheduling module in the source server performs global optimal position locking based on a Dung Beetle Optimization (DBO) algorithm, takes the position information of population individuals positioned at optimal positions as parameter information of a GRU network model, and builds the GRU network model; based on the built GRU network model, predicting the future time t of the source server, and calculating the proportion of the distributed computing power resources of each encrypted link according to the data load of each encrypted link; and allocating corresponding computing power resources for each encryption link based on the proportion of the computing power resources allocated to each encryption link.
2. The secure interconnection system according to claim 1, wherein the encryption connection module in the source server searches for a data encryption algorithm with the destination server based on an IP address quick match algorithm, and performs encrypted communication of the source server and the destination server according to the data encryption algorithm, comprising:
searching whether a data encryption algorithm corresponding to the IP address information of the destination server exists in the security association SA of the source server, and if so, executing encrypted communication between the source server and the destination server based on that data encryption algorithm, wherein the security association SA stores each data encryption algorithm together with the corresponding IP address information;
if it does not exist, searching whether the IP address information of the destination server exists in the security policy database SPD of the source server; if it exists, the source server and the destination server negotiate, and encrypted communication between the source server and the destination server is executed according to the negotiated data encryption algorithm; otherwise, communication between the source server and the destination server is refused, wherein the security policy database SPD stores each security policy together with the corresponding IP address information.
3. The secure interconnection system according to claim 2, wherein the searching in the security association SA of the source server for the existence of the data encryption algorithm corresponding to the IP address information of the destination server comprises:
performing a quick search with the tree-bitmap-based IP address matching engine to find whether the IP address information of the destination server exists among the IP address information stored in the security association SA of the source server, and if so, obtaining the data encryption algorithm corresponding to that IP address information;
if the IP address information of the destination server does not exist, searching whether the IP address information of the destination server exists in a security policy database SPD of the source server, if the IP address information of the destination server exists, negotiating the source server and the destination server, and executing encrypted communication of the source server and the destination server according to a negotiated data encryption algorithm, wherein the method comprises the following steps:
adopting a segment tree algorithm to quickly find whether an IP range-class rule matching the IP address information of the destination server exists in the security policy database SPD of the source server, and if so, the security policy database SPD has an IP information rule matching the IP address information of the destination server;
if no range-class rule matches, the tree-bitmap-based IP address lookup engine quickly retrieves the IP address information of the destination server among the IP address-class rules, and if a match is found, the security policy database SPD has an IP information rule matching the IP address information of the destination server;
if no match exists in the security association SA and the security policy database SPD, the destination server is not on the communicable list of the source server, and communication between the source server and the destination server is refused.
4. The secure interconnection system according to claim 2, wherein the source server negotiates with a destination server, and further comprising:
updating the security association SA based on the negotiated data encryption algorithm, and performing conflict detection on all data encryption algorithms in the updated security association SA; if a conflict occurs, deleting the original data encryption algorithm and retaining the newly added data encryption algorithm.
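The lookup order of claims 2 to 4 (SA first, then the SPD's range-class rules, then its address-class rules, else refuse; SA update with conflict resolution after negotiation), as an added example that is not code from the patent. Assumptions: a plain binary trie stands in for the tree bitmap and a sorted non-overlapping range list with a bisect stabbing query stands in for the segment tree (same matching semantics, simpler layout); the `negotiate` callable stands in for the IKE exchange and is supplied by the caller; policy names and addresses are constructed.

```python
import ipaddress
from bisect import bisect_right

def _ip(s):
    return int(ipaddress.IPv4Address(s))

class ExactAddressTrie:
    """Binary trie over the 32 address bits (stand-in for the tree bitmap)."""
    def __init__(self):
        self.root = {}

    def insert(self, ip, value):
        node, n = self.root, _ip(ip)
        for i in range(31, -1, -1):
            node = node.setdefault((n >> i) & 1, {})
        node["value"] = value  # overwrites any earlier entry for the same address

    def lookup(self, ip):
        node, n = self.root, _ip(ip)
        for i in range(31, -1, -1):
            node = node.get((n >> i) & 1)
            if node is None:
                return None
        return node.get("value")

class RangeRules:
    """Sorted, non-overlapping [lo, hi] ranges (stand-in for the segment tree)."""
    def __init__(self):
        self.lo, self.hi, self.val = [], [], []

    def insert(self, lo_ip, hi_ip, value):
        lo, hi = _ip(lo_ip), _ip(hi_ip)
        if lo > hi:
            raise ValueError("empty range")
        i = bisect_right(self.lo, lo)
        # Overlapping range rules would make the match ambiguous: reject them.
        if (i > 0 and self.hi[i - 1] >= lo) or (i < len(self.lo) and self.lo[i] <= hi):
            raise ValueError("overlapping range rule")
        self.lo.insert(i, lo)
        self.hi.insert(i, hi)
        self.val.insert(i, value)

    def lookup(self, ip):
        n = _ip(ip)
        i = bisect_right(self.lo, n) - 1
        return self.val[i] if i >= 0 and self.hi[i] >= n else None

class SecurityAssociations:
    """SA table: destination address -> negotiated algorithm."""
    def __init__(self):
        self.by_ip = ExactAddressTrie()

    def lookup(self, ip):
        return self.by_ip.lookup(ip)

    def update(self, ip, algorithm):
        """Claim 4 conflict detection: an existing entry for the same peer is the
        'original' algorithm; it is dropped and the new one kept. Returns the old one."""
        old = self.by_ip.lookup(ip)
        self.by_ip.insert(ip, algorithm)
        return old

class SecurityPolicyDatabase:
    def __init__(self):
        self.ranges = RangeRules()
        self.hosts = ExactAddressTrie()

    def add_range_rule(self, lo_ip, hi_ip, policy):
        self.ranges.insert(lo_ip, hi_ip, policy)

    def add_host_rule(self, ip, policy):
        self.hosts.insert(ip, policy)

    def match(self, ip):
        # Claim 3 order: range-class rules first, then address-class rules.
        policy = self.ranges.lookup(ip)
        return policy if policy is not None else self.hosts.lookup(ip)

def outbound_decision(sa, spd, dst_ip, negotiate):
    """Returns (action, algorithm) for traffic from this source to dst_ip.
    negotiate(dst_ip, policy) stands in for the IKE exchange and returns the
    agreed algorithm; it is only reached when the SPD permits the peer."""
    alg = sa.lookup(dst_ip)
    if alg is not None:
        return "encrypt", alg
    policy = spd.match(dst_ip)
    if policy is None:
        return "refuse", None  # not on the communicable list
    alg = negotiate(dst_ip, policy)
    sa.update(dst_ip, alg)
    return "negotiated", alg
```

The point worth checking in such a design is the default: an address absent from both tables is refused, so a mistyped or stale SPD entry fails closed rather than falling through to plaintext.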
5. The security interconnection system according to claim 1, wherein the resource scheduling module in the source server performs global optimal position locking based on the Dung Beetle Optimization (DBO) algorithm, uses the position information of the population individual located at the optimal position as the parameter information of the GRU network model, and builds the GRU network model, comprising:
randomly searching for a plurality of initial candidate solutions in the three-dimensional space as initial individuals, wherein the coordinates of the j-th individual are its three parameters: the number of neurons of the first hidden layer of the GRU network model, the number of neurons of the second hidden layer of the GRU network model, and the learning rate of the GRU network model;
for the initial individuals, constructing one GRU network model per individual;
performing iterative training on all the GRU network models, updating the position information of each individual after performing iterative training on all the GRU network models once, updating the parameter information of all the GRU network models based on the updated position information of each individual, and continuing iterative training based on the updated GRU network models until the number of iterative training reaches the maximum iterative number to obtain the final position information of each individual;
and finding out the optimal position information of the population based on the final position information of each individual, and constructing a GRU network model by taking the optimal position information of the population as the parameter information of the GRU network model.
6. The system of claim 5, wherein the performing the iterative training on all the GRU network models, after performing the iterative training on all the GRU network models once, updates the location information of each individual, includes:
dividing the initial individuals into four groups according to a set proportion, and, after the iterative training of the corresponding GRU network model, updating the position information of each individual based on the strategy corresponding to the group to which it belongs.
7. The security interconnection system of claim 6, wherein dividing the initial individuals into four groups according to a set proportion, and updating the position information of each individual based on the strategy corresponding to its group after the iterative training of the corresponding GRU network model, comprises:
dividing the initial individuals into 4 groups according to the proportion, the behaviour logics of the 4 groups being rolling-ball behaviour, breeding behaviour, foraging behaviour and theft behaviour respectively;
each individual is checked in turn, and when the individual belongs to a rolling ball behavior, a rolling ball behavior position iteration strategy is executed, including:
randomly generating a positive decimal less than 1, and if it is less than 0.9, updating the individual position information according to the following formula:
wherein the position symbols denote the position information of individual j after the (h+1)-th, the h-th and the (h-1)-th iteration and the worst position of the population after the h-th iteration; the natural coefficient takes the value -1 or 1; k represents the deflection coefficient, chosen at random in the interval (0, 0.2]; and b represents the light-intensity deflection coefficient, chosen at random in the interval (0, 1);
if the randomly generated positive decimal is greater than 0.9, updating the individual position information according to the following formula:
wherein the rotation angle of the obstructed-ball logic is chosen at random in the interval from 0 to π; if the angle happens to be 0, π/2 or π, the individual position is by default left unchanged in this iteration;
when the individual belongs to reproductive behavior, performing a reproductive behavior location iteration strategy, including:
propagation region division is performed based on the following formula:
wherein Lb and Ub are the lower and upper bounds of the optimization region, the two further bounds are the lower and upper bounds of the breeding area, the shrink factor is computed from h, the current iteration number, and H, the maximum iteration number, and the local optimal position information of the individual is its optimal position information from the first iteration to the h-th iteration; Lb = 1, and Ub is set from the number of neurons of the input layer of the GRU network model;
based on the breeding area, updating the individual position information according to the following formula:
wherein b1 and b2 are two independent random vectors of size 1×D, D is the dimension of the optimization problem, and D = 3;
when the individual belongs to foraging behaviors, executing a foraging behavior position iteration strategy, wherein the method comprises the following steps:
the optimal foraging area division is performed according to the following formula:
wherein the two bounds are the lower and upper bounds of the optimal foraging area, and the remaining symbol represents the optimal position of the population after the h-th iteration;
updating the individual position information based on the partitioned optimal foraging area according to the following formula:
wherein C1 is a random number obeying a normal distribution, C2 is an independent random vector of size 1×D whose modulus lies in the interval (0, 1), D is the dimension of the optimization problem, and D = 3;
when an individual belongs to theft behaviour, executing the theft-behaviour position iteration strategy to update the individual position according to the following formula:
wherein S is a constant, g is a random vector of size 1×D obeying a normal distribution, D is the dimension of the optimization problem, and D = 3.
8. The security interconnection system of claim 7, wherein updating the parameter information of all the GRU network models based on the updated location information of each individual, and continuing the iterative training based on the updated GRU network models until the number of iterative training reaches the maximum number of iterations, and obtaining the final location information of each individual, comprises:
after one iteration training is completed on all GRU network models, updating the position information of each individual, and updating the parameter information of all GRU network models based on the updated position information of each individual;
predicting the data load of the test set n times based on the updated GRU network models, where n is a positive integer, and calculating the fitness of each individual from the prediction results; in the h-th round of iteration, the individual with the smallest fitness is called the optimal population position and the individual with the largest fitness is called the worst population position;
wherein the fitness of each individual is calculated from the n predicted values and the corresponding actual values according to the following formula:
wherein the result is the fitness of the j-th individual.
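The four position-update behaviours of claim 7 and the fitness-driven selection of claim 8, as an added example that is not code from the patent. Because the page's formulas are not reproduced, the update rules are taken from the published DBO algorithm and are an assumption: rolling ball (x + alpha*k*x_prev + b*|x - X_worst|, or x + tan(theta)*|x - x_prev| when obstructed), breeding around the historical best, foraging around the current population's best, and theft around the current best. Formula (11) is likewise assumed to be the mean squared error over the n test predictions. Training one GRU per individual is replaced by a constructed error surface over (n1, n2, lr); the bounds, group ratios and the constants k, b and S are chosen here, not taken from the page.

```python
import math
import random

def fitness_from_predictions(pred, actual):
    """Assumed form of formula (11): MSE over the n test predictions."""
    if not pred or len(pred) != len(actual):
        raise ValueError("need n > 0 paired values")
    return sum((p - a) ** 2 for p, a in zip(pred, actual)) / len(pred)

def constructed_validation_error(pos):
    """Constructed stand-in for 'train a GRU with (n1, n2, lr) and score it':
    a smooth surface with its minimum at n1=32, n2=16, lr=10**-2.5."""
    n1, n2, lr = round(pos[0]), round(pos[1]), pos[2]
    return ((n1 - 32) / 32) ** 2 + ((n2 - 16) / 16) ** 2 + (math.log10(lr) + 2.5) ** 2

def dbo_search(fitness, lb, ub, pop=20, max_iter=30, seed=0,
               ratios=(0.3, 0.2, 0.25, 0.25), k=0.1, b=0.3, S=0.5):
    """Dung Beetle Optimization over a box [lb, ub]; smaller fitness is better."""
    rng = random.Random(seed)
    D = len(lb)

    def clip(x):  # keep every individual inside the optimization region
        return [min(max(x[d], lb[d]), ub[d]) for d in range(D)]

    pos = [[rng.uniform(lb[d], ub[d]) for d in range(D)] for _ in range(pop)]
    prev = [p[:] for p in pos]
    fit = [fitness(p) for p in pos]
    n_roll, n_breed, n_forage = (int(pop * r) for r in ratios[:3])  # rest steal
    gbest, gbest_fit = min(zip(pos, fit), key=lambda t: t[1])
    gbest = gbest[:]
    for h in range(1, max_iter + 1):
        R = 1.0 - h / max_iter                     # shrink factor: areas tighten over time
        cur_best = pos[fit.index(min(fit))]        # optimal population position this round
        cur_worst = pos[fit.index(max(fit))]       # worst population position this round
        new_pos = []
        for j in range(pop):
            x, xp = pos[j], prev[j]
            if j < n_roll:                                     # rolling-ball group
                if rng.random() < 0.9:
                    alpha = rng.choice((-1, 1))                # natural coefficient
                    new = [x[d] + alpha * k * xp[d] + b * abs(x[d] - cur_worst[d]) for d in range(D)]
                else:                                          # obstructed: dance by angle theta
                    theta = rng.uniform(0.0, math.pi)
                    if theta in (0.0, math.pi / 2, math.pi):
                        new = x[:]                             # position left unchanged
                    else:
                        new = [x[d] + math.tan(theta) * abs(x[d] - xp[d]) for d in range(D)]
            elif j < n_roll + n_breed:                         # breeding group, around historical best
                lo = [max(gbest[d] * (1 - R), lb[d]) for d in range(D)]
                hi = [min(gbest[d] * (1 + R), ub[d]) for d in range(D)]
                new = [gbest[d] + rng.random() * (x[d] - lo[d]) + rng.random() * (x[d] - hi[d])
                       for d in range(D)]
            elif j < n_roll + n_breed + n_forage:              # foraging group, around current best
                lo = [max(cur_best[d] * (1 - R), lb[d]) for d in range(D)]
                hi = [min(cur_best[d] * (1 + R), ub[d]) for d in range(D)]
                c1 = rng.gauss(0.0, 1.0)
                new = [x[d] + c1 * (x[d] - lo[d]) + rng.random() * (x[d] - hi[d]) for d in range(D)]
            else:                                              # theft group
                new = [cur_best[d] + S * rng.gauss(0.0, 1.0)
                       * (abs(x[d] - gbest[d]) + abs(x[d] - cur_best[d])) for d in range(D)]
            new_pos.append(clip(new))
        prev, pos = pos, new_pos
        fit = [fitness(p) for p in pos]
        i_best = fit.index(min(fit))
        if fit[i_best] < gbest_fit:                            # lock the global optimal position
            gbest, gbest_fit = pos[i_best][:], fit[i_best]
    return {"n1": round(gbest[0]), "n2": round(gbest[1]), "lr": gbest[2], "fitness": gbest_fit}

# Constructed bounds for (n1, n2, lr): the page gives Lb = 1; Ub is chosen here.
BOUNDS_LB = (1.0, 1.0, 1e-4)
BOUNDS_UB = (64.0, 64.0, 0.1)
```

Clipping after every update is what keeps the learning-rate coordinate positive and the neuron counts inside the box, so each individual always maps to a buildable GRU model.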
9. The secure interconnection system according to claim 1, wherein the predicting the future time t of the origin server based on the built GRU network model, calculating the proportion of the computing power resources allocated to each encrypted link according to the data load of each encrypted link, comprises:
predicting, through the built GRU network model and from the data loads of each encrypted link of the source server at a plurality of historical moments, the data load of each encrypted link at the future time t, the predicted values being obtained in turn for links m = 1, 2, ..., p, where m indexes an encrypted link;
setting the dynamic resource weight of each encryption link according to its importance at the future time t, one weight per link in turn;
calculating, from the data load predicted value of each encryption link and the link's dynamic resource weight, the ratio within the total resources of the computing power resource to be allocated to the m-th IPSec link at the future time t, based on the following formula:
wherein 1 ≤ m ≤ p.
CN202310571527.9A 2023-05-20 2023-05-20 Edge computing server safety interconnection system Active CN116319098B (en)


Publications (2)

Publication Number Publication Date
CN116319098A CN116319098A (en) 2023-06-23
CN116319098B true CN116319098B (en) 2023-07-21




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant