CN116684274A - Cloud security service function chain automatic arrangement system and method based on SDN - Google Patents

Info

Publication number: CN116684274A
Authority: CN (China)
Prior art keywords: service, network, arrangement, module, strategy
Legal status: Pending
Application number: CN202310712511.5A
Other languages: Chinese (zh)
Inventors: 李为, 梁迪昌, 李天慧
Current assignee: North China Electric Power University
Original assignee: North China Electric Power University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/40 Arrangements for maintenance, administration or management of data switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5041 Network service management characterised by the time relationship between creation and deployment of a service
    • H04L41/5051 Service on demand, e.g. definition and deployment of services in real time
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/76 Routing in software-defined topologies, e.g. routing between virtual machines
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/50 Network services
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/63 Routing a service request depending on the request content or context
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses an SDN-based system and method for automatically arranging cloud security service function chains. The system comprises an application layer, a control layer and a network layer. The application layer receives a user's service request, translates it into a service request behavior description (SBD), passes the SBD to the control layer, and returns the arrangement result for presentation to the user. The control layer generates an optimal arrangement strategy from the SBD and the acquired network state using an automatic arrangement method based on a greedy algorithm, converts the deployment strategy and routing strategy contained in the arrangement strategy into the corresponding security domain demand behavior description (SDBD), and issues the SDBD to the network layer through the SDN controller. The network layer executes the corresponding deployment and routing operations according to the issued arrangement strategy, generates the corresponding security service function chain and returns the result. The invention realizes centralized management of virtual security resources, automatically generates and deploys security service function chains that meet user requirements, and effectively improves the security, flexibility and other properties of the cloud network.

Description

Cloud security service function chain automatic arrangement system and method based on SDN
Technical Field
The invention relates to an SDN-based system and method for automatically arranging cloud security service function chains, and belongs to the field of network security.
Background
With the continuous development of cloud computing and big data technology, cloud security is receiving more and more attention. The core problem of cloud security is protecting cloud data and ensuring that it is not obtained or tampered with by malicious attackers. In conventional network security, a complete security service function chain usually requires coordinating several security devices, such as firewalls, intrusion detection systems and security gateways. As networks grow in scale and attack patterns keep changing, manual configuration can hardly meet network security requirements.
Currently, software-defined networking (SDN) has become one of the important technologies for cloud network management. SDN separates the network infrastructure from the network control logic, so that network resources can be centrally managed and programmed, improving the flexibility and scalability of the network. In addition, many network devices such as routers and switches support virtualization, and multiple network function modules can be combined on a single hardware device, reducing the number of devices and the deployment cost while enhancing network security.
However, in the existing Internet, network functions are deployed on dedicated hardware, and when a network service is updated or a new service goes online the dedicated hardware must be reconfigured. As a result, network scalability is poor, the deployment cycle of new services is long, the dedicated hardware is expensive, the demands on technical staff are high, and on-demand distribution and on-demand change of network services are hard to realize dynamically. In addition, the tight coupling of the control layer and the infrastructure layer makes device management difficult, so unified management and resource optimization of the network are hard to achieve. As the network scale keeps expanding, brand-new application scenarios and personalized users place ever higher requirements on the network, and the number of hardware devices and the maintenance frequency keep growing. Studying how to automatically arrange the cloud security service function chain, so as to improve the efficiency and quality of cloud network security assurance, has therefore become a hot spot of current research.
In view of this situation, research on an SDN-based automatic arrangement technology for cloud security protection function chains is carried out; this is the urgent problem to be solved in the field.
Disclosure of Invention
To address the shortcomings in the arrangement of existing cloud security service function chains, the invention provides an SDN-based system and method for automatically arranging cloud security service function chains, which interact with the virtual security resources in the cloud through an SDN controller, automatically arrange the security service function chains according to user requirements, and finally deploy the whole security service function chain into the network to provide more efficient and intelligent network security assurance.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
an SDN-based cloud security service function chain automatic orchestration system, comprising: an application layer, a control layer and a network layer;
the application layer comprises a Web interaction module and a demand processing module;
The Web interaction module provides a visual operation interface, so that a user can conveniently fill in security service requirements, divide security domains and visually arrange security service function chains; it forwards the user's requirements to the demand processing module and displays the arranged results to the user.
The demand processing module analyzes and processes the user's requirements: it translates the security service requirements submitted by the user in the form of voice, text, images and the like through natural language processing technologies such as speech recognition and information extraction, obtains the service identification (SID) and service requirement behavior description (SBD), and manages and issues the service requirements to the service arrangement module in the control layer.
Further, the application layer relates to a service identification SID and a service requirement behavior description SBD.
The SID contains fields such as service number, service name, service type, detail type, version number, host and data type, with the following meanings: the service number is the sequence number of the service request and uniquely identifies one service request; the service type includes service function chain, content cache, time-sensitive network, deterministic network and the like; the detail type indicates the specific type of the service, for example a service function chain has specific types such as deployment, migration and fault detection; the version number represents the version of the virtual network resources provided by the system; the host represents the service node to which the request is sent; the data type represents the format of the data part SBD (json, yaml, xml, etc.) and is used by the server to parse the request message.
The content of the SBD depends on the specific service type and describes the detailed requirement information of that service. The SBD includes a service name, an application scenario, a service level, a source node, a destination node, the number of functions, and virtual network function 1, virtual network function 2, …, virtual network function N.
The control layer comprises a service arrangement module, an algorithm library module, a data perception and storage module, a deployment routing module and an SDN controller;
The service arrangement module receives the service requirement behavior description SBD sent by the upper layer and performs a preliminary analysis through big data technology, a behavior matching mechanism and the like to obtain formatted user requirements. It then calls the algorithm library module to calculate an optimized arrangement strategy, and analyzes the optimal arrangement strategy returned by the algorithm library module to perform deployment result conversion and routing result conversion. First, the deployment result in the arrangement strategy is analyzed to determine the underlying physical node mapped to each network function and the hardware resources it requires; these are converted into a security domain demand behavior description SDBD in the corresponding format and sent to the deployment routing module for resource scheduling and container creation. Then the routing result in the strategy is analyzed, flow table rules are generated according to the link mapping relationship, converted into an SDBD in the corresponding format, and finally sent to the deployment routing module for issuing the flow table.
The algorithm library module, after receiving the request sent by the service arrangement module, calculates an optimal arrangement strategy using the automatic arrangement method based on a greedy algorithm, and returns the resulting optimal arrangement strategy to the service arrangement module. The algorithm library module is extensible, and more algorithms can be added to the algorithm set in the future as business scenarios expand and new algorithm research advances.
Further, the automatic arrangement method based on the greedy algorithm comprises the following steps:
A service function chain (SFC) is composed of several virtual network functions (VNFs) in sequence. When arranging the VNFs of an SFC, the placement of each VNF is considered in order to reduce deployment cost, network load and transmission delay, and the order in which the VNFs are deployed is considered at the same time. A greedy-algorithm approach is therefore adopted to optimize the SFC arrangement problem with the goal of minimizing network delay and load.
In the SFC orchestration optimization problem, a VNF is responsible for a specific network service function running on a virtual machine. The set of VNFs in the system is denoted V = { v_{i,j}, 0 ≤ j ≤ N_j }, where v_{i,j} is the j-th VNF instance of the class-i network function and N_j is the number of VNF instances of the class-i network function. A network consisting of VNFs and switches is modelled as an undirected graph G = (V ∪ S, EV ∪ EU), where S is the set of SFFs in the system, i.e. the set of switches in the physical network, and EV and EU are the sets of links between VNFs and switches and between switches, respectively.
The purpose of SFC arrangement optimization is to find the link set traversed by the traffic with minimum delay and load. Based on a minimum-weight method over delay and load, the delay and the load state of the nodes along the links are expressed by a link weight W, specifically as follows:
where w_{p,q} represents the traffic delay and load state from node p to node q; lt represents the inter-link traffic transmission delay, made up of the link between VNF instance v_{i,p} and the switch s_x it is connected to, the link between VNF instance v_{j,p} and the switch s_y it is connected to, and the link between switches s_x and s_y, so the transmission delay between the two VNF instances is the sum of these three link delays; l_q and L_q are the load quantities associated with v_{j,p}; and α and β are coefficients whose values express the emphasis of the network optimization index: when α and β are equal, transmission delay and load are equally important.
The SFC orchestration design considers CPU, memory and bandwidth limits: the CPU, memory and bandwidth of all VNFs deployed on the same physical node must not exceed the capacity of that physical node. F denotes a physical node and λ denotes the mapping between VNF instances and physical nodes, so the CPU constraint is designed as follows:
γ denotes the mapping between logical links and physical links, and link_{i,j} denotes the physical link from node i to node j; the bandwidth constraint is designed as follows:
The greedy-algorithm-based SFC automatic arrangement method takes the SFC information and the network topology graph as input and outputs the service chain SC deployed for the SFC. The method has two stages. In the first stage, a greedy algorithm constructs an initial service chain for the SFC deployment request: starting from the ingress switch, the deployment position of the next service function is determined by the shortest-link-weight principle, and this is iterated until the deployment positions of all service functions in the service function set SF have been determined and the initial service chain SC is built. In the second stage, a service chain with a smaller sum of link weights is searched for globally, which addresses the tendency of greedy algorithms to settle on a local optimum: each VNF in the service chain SC built in the first stage is replaced with a VNF instance of the same service function type to form a new service chain, the weight of the new chain is compared with that of the old one, and the current service chain SC is updated if the new weight is smaller.
The data perception and storage module obtains the underlying network topology and resource information in real time by calling the SDN controller and stores them persistently in a database. It also monitors the network state in real time: when a fault occurs it is quickly found and located, the cause is automatically analyzed and recovery is attempted, and an alarm is triggered in an emergency.
The deployment routing module constructs a security domain according to the decision result and the security domain function behavior description SDBD, deploys the customized virtual network functions by calling the SDN controller, and builds a dedicated path by issuing flow tables.
The SDN controller separates control from forwarding; it collects network device information, builds the network topology, decides the direction of network traffic flows, and provides the corresponding functions to the other modules of the control layer. It also centrally manages all network devices of the network layer and issues control commands to them, realizing centralized management and control of network layer resources.
Further, the control layer relates to a security domain identification SDID and a security domain requirement behavior description SDBD.
The SDID comprises fields such as security domain number, security domain name, security domain type, service type, version number, host and data type, with the following meanings: the security domain type includes general system domain, operation and maintenance management domain, core system domain and the like; the service type is the service type of the upper-layer service identification SID; the data type indicates the format of the data part SDBD, again json, yaml or xml.
The SDBD contains the security domain name, service level, source IP, destination IP, SFC path, number of functions, bandwidth, latency, VNF1-CPU, VNF1-memory, VNF1-storage, etc. Its content depends on the specific service type and group type and describes the detailed parameters and configuration required for the security domain.
The network layer comprises a virtual switch, a security service function chain and a security resource pool;
The virtual switch provides a data forwarding function based on the flow table rules.
The security service function chain is the security function service chain required by the user, constructed according to the deployment strategy.
The security resource pool provides the required virtual resources, such as a virtual firewall, a virtual intrusion detection system and a virtual intrusion prevention system.
The beneficial effects of the invention are as follows:
High degree of automation: an automatic arrangement method based on a greedy algorithm is designed, so that security service function chains can be arranged automatically according to user demands and network state, diversified user demands can be adapted to rapidly, and the reliability and response speed of the security service are improved.
High flexibility: under the management of the SDN controller, network resources are automatically deployed and routed according to the arrangement strategy, greatly reducing the time and cost of manual configuration and improving the flexibility and reliability of the network.
High security: the SDN controller centrally manages and monitors multiple security devices, improving the overall security of the network.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of an automatic arranging system for cloud security service function chains based on SDN according to the present invention.
Fig. 2 is a layout flow chart of the cloud security service function chain automatic layout system based on SDN according to the present invention.
Fig. 3 is a flow chart of the automatic arrangement method based on the greedy algorithm according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention discloses an SDN-based system and method for automatically arranging cloud security service function chains. The system comprises an application layer, a control layer and a network layer. The application layer receives a user's service request, translates it into a service request behavior description (SBD), passes the SBD to the control layer, and returns the arrangement result for presentation to the user. The control layer generates an optimal arrangement strategy from the SBD and the acquired network state using an automatic arrangement method based on a greedy algorithm, converts the deployment strategy and routing strategy contained in the arrangement strategy into the corresponding security domain demand behavior description (SDBD), and issues the SDBD to the network layer through the SDN controller. The network layer executes the corresponding deployment and routing operations according to the issued arrangement strategy, generates the corresponding security service function chain and returns the result to the upper layer.
Fig. 1 is a schematic diagram of an automatic arranging system of cloud security service function chains based on SDN according to the present invention. The system specifically comprises an application layer, a control layer and a network layer.
The application layer comprises a Web interaction module and a demand processing module;
the Web interaction module adopts Vue+element UI to realize a Web graphic interface, and a user can input SFC requests on the interface according to own requirements. The user only needs to input information such as application scenes, service levels, source nodes, destination nodes, network functions and the like, and specific network parameters such as IP addresses, CPU, memory, bandwidth, time delay and the like are not required to be provided. In addition, the user can arrange the security service function chain according to the self requirement.
After receiving the service request, the demand processing module translates the security service demands in the form of voice, text, image and the like submitted by the user through natural language processing technologies such as voice recognition, information extraction and the like, converts the security service demands into unified standard SID and SBD forms, and then sends the security service demands to the service arrangement module of the control layer.
The control layer comprises a service arrangement module, an algorithm library module, a data perception and storage module, a deployment routing module and an SDN controller;
the service arrangement module is a back-end application program developed by Java language and monitors the 8080 port. After monitoring the (SID, SBD) request message sent by the demand management module at the 8080 port, the service orchestration module primarily analyzes the request message into SDBD, extracts the service function chain request parameters with complete information and detail from the SDBD, inputs the service function chain request parameters into the algorithm library module, and invokes an internal algorithm to calculate the SFC orchestration strategy.
After receiving the SFC deployment strategy returned by the algorithm library module, the service arrangement module starts to perform second conversion, and the conversion is divided into two parts of deployment result conversion and routing result conversion. Firstly, analyzing deployment results in the strategy, determining the bottom physical node mapped by each network function and required hardware resources, converting the bottom physical node into SDBD in yaml format, and sending the SDBD to a deployment routing module for resource scheduling and creating a container. And then analyzing a routing result in the arrangement strategy, generating a flow table rule according to the link mapping relation, converting the flow table rule into an SDBD in json format, and finally transmitting the SDBD to a deployment routing module for issuing a flow table.
The algorithm library module mainly adopts Python language to write and realize SFC arrangement algorithm, and after receiving SFC request information input by the service arrangement module, the data perception and storage module is called to acquire network topology information, node resources and network resource information. An automatic orchestration method based on greedy algorithm is employed to calculate an optimal orchestration strategy in combination with service requests and network status. And after the calculation is completed, returning the arrangement strategy result to the service arrangement module. Meanwhile, the algorithm library module is extensible, and more algorithms can be added in the algorithm set in the future along with expansion of business scenes and advancement of new algorithm research.
The data sensing and storing module is mainly realized by adopting a MySQL database, and the state of the bottom network component is sensed in real time by calling the SDN controller, wherein the node resources comprise a CPU, a memory, a storage capacity and the like, and the network resources comprise a bandwidth, a time delay and the like, the node resources are stored in the database in a lasting manner, in addition, the network topology information is stored by using a gml file, and the information can be called by other modules at any time.
The deployment route module is divided into a resource scheduling module and a route control module, wherein the resource scheduling module is mainly realized by a Kubernetes container arrangement management system, and the route control module is mainly realized by calling an SDN controller. After receiving the arrangement policy, scheduling hardware resources on corresponding physical nodes according to yaml data by using a Kubernetes through an SDN controller, creating a container and deploying corresponding network functions in the container, and simultaneously generating an OpenFlow flow table according to json data through the SDN controller and issuing the OpenFlow flow table to a virtual switch at the bottom layer. And finally, the deployment routing module updates the physical resources consumed by the SFC arrangement to the database, and simultaneously writes the detailed information of the SFC arrangement into the database, so that the user can inquire and modify the information conveniently.
The SDN controller is realized by an open source ODL controller and is responsible for collecting network equipment information, making a network topology structure and deciding the flow direction of network traffic, and providing interface forms such as OSGi, REST API and the like for other modules of a control layer to call corresponding functions. Meanwhile, network devices of all network layers are managed in a centralized mode by adopting interface protocols such as OpenFlow, NETCONF, SNMP and the like, and control commands are issued to the devices, so that centralized management and control of network layer resources are realized.
The network layer comprises a virtual switch, a security service function chain and a security resource pool;
the virtual switch is implemented with the Open vSwitch virtual switch and is responsible for receiving the OpenFlow flow tables issued by the SDN controller and forwarding packets according to the flow table rules.
The security service function chain is realised mainly through Kubernetes scheduling: it receives the deployment strategy issued by the SDN controller and, through Kubernetes scheduling and deployment of the required network functions, forms the security service function chain that meets the user's demand.
The security resource pool is realised mainly with Docker containers: it accepts Kubernetes scheduling, deploys the required network functions and provides the user with the required virtual security resources such as a virtual firewall, a virtual intrusion detection system and a virtual intrusion prevention system.
Fig. 2 is the orchestration flow chart of the SDN-based automatic cloud security service function chain orchestration system, specifically as follows:
Step S201: the user submits a service request through the Web interaction module; the request is an intent message in natural language, which may be text, voice, image, etc.
Step S202: the demand processing module analyses the user intent with natural language processing techniques such as speech recognition and information extraction to obtain the service demand behaviour description SBD, manages the SBD uniformly and issues it to the service orchestration module. The SBD contains specific keywords such as service type, application scenario, service level and network function.
Step S203: after receiving the SBD, the service orchestration module performs attribute extraction and feature analysis on it and converts it preliminarily into a security domain function behaviour description SDBD. During the conversion the service orchestration module dynamically allocates resources to the designated security domain with big data technology according to the application scenario, service level and other information; for example, a service function chain with a higher service level in a high-security scenario is matched with security components such as a firewall and an intrusion detection system, and these components are allocated more CPU, memory and other resources to meet the higher quality of service the user requires. Finally, the SDBD is arranged into a standard algorithm input parameter table, which is sent to the algorithm library module to invoke the algorithm and compute the strategy.
Step S204: after receiving the input message, the algorithm library module first extracts the application scenario of the request and at the same time asks the data sensing and storage module for the current network state information.
Step S205: the data sensing and storage module senses the network component information (containers, virtual switches, etc.) in real time by calling the SDN controller, returns it to the orchestration algorithm module and stores it persistently in the database; once a node in the network becomes overloaded or even fails, the information is updated in the database in time.
Step S206: the algorithm library module uses the greedy-algorithm-based automatic orchestration method to analyse and decide according to the user demand and the hardware resources and network state of the underlying network components. If an optimal orchestration strategy is computed successfully, it is returned to the service orchestration module; otherwise a deployment failure message is returned to the service orchestration module.
Step S207: after receiving the optimal orchestration strategy, the service orchestration module supplements the security domain function behaviour description SDBD with it, generates a service request message containing the SDID and the SDBD according to the strategy, and calls the deployment routing module to execute the deployment strategy and the routing strategy.
Step S208: the deployment routing module extracts the orchestration strategy into a deployment strategy and a routing strategy and invokes the SDN controller to issue them to the network layer. It first executes the scheduling command according to the deployment strategy, creating containers on the underlying physical nodes specified by the strategy and deploying the specified network functions. After the containers are deployed successfully, flow table rules are generated according to the routing strategy and issued to the virtual switches of the network component layer.
Step S209: the network layer performs deployment and routing: it deploys the security service function chain according to the deployment strategy and issues the flow tables to the corresponding virtual switches according to the routing strategy. If orchestration succeeds, an orchestration success message is returned to the upper layer and the user; otherwise an orchestration failure message is returned.
Step S210: the orchestration of the security service function chain requested by the user is complete.
Fig. 3 is a flowchart of the greedy-algorithm-based automatic orchestration method of the present invention, specifically as follows:
Step S301: input the network topology graph $G = (V \cup S, E_V \cup E_U)$, the service function set $SF = \{sf_i\}$ of the SFC, and the precedence constraints between the SFC service functions.
Step S302: initialise the current position to the ingress switch.
Step S303: according to the current SFC service function set, find all available VNF instances that have no pending precedence constraint and put them into the set AF.
Step S304: every VNF instance $v_{i,j}$ in AF that is reachable from the current position and satisfies the CPU and bandwidth constraints is added, together with the link from the current position to $v_{i,j}$, to the set FP; the CPU constraint and the bandwidth constraint are those defined in claim 5.
Step S305: calculate the weight of each link in FP according to the link weight formula (the W link weight of claim 6) and select the link with the smallest weight as the shortest link.
Step S306: add the shortest link to the set of service links SC.
Step S307: remove the network service $sf_i$ just placed from the service function set SF.
Step S308: judge whether SF is empty; if so, go to step S309, otherwise return to step S303.
Step S309: traverse in turn each $sf_i$ in the original SF with $N_j > 1$, taking its instance $v_{i,j} \in SC$ as the currently selected VNF instance.
Step S310: traverse in turn each instance $v_{i,j'}$ of $sf_i$ that differs from the original $v_{i,j}$; replace $v_{i,j}$ by $v_{i,j'}$ to generate a new service function chain SC'.
Step S311: if the sum of link weights of SC' is smaller than that of SC, replace the current SC with SC'; otherwise leave it unchanged.
Step S312: if all $v_{i,j'}$ of $sf_i$ have been traversed, go to step S313; otherwise return to step S310.
Step S313: if all $sf_i$ of the original SF have been traversed, go to step S314; otherwise return to step S309.
Step S314: output the security function service chain and end the algorithm.
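The two-stage method of steps S301 to S314 (restated in claim 5) carried through on a small constructed topology, as an added example that is not the patent's own code. It assumes a link weight of the form w = α·delay + β·load, since the patent's W formula is not reproduced on this page, treats the precedence constraints as a fixed ordering of service-function types, and the switches, links, physical nodes and VNF instances are constructed sample data.

```python
import heapq
from collections import namedtuple

ALPHA, BETA = 0.5, 0.5  # equal coefficients: delay and load weighted equally (assumed form)
# v_{i,j}: class i, attached SFF switch, physical node (mapping lambda), CPU demand,
# existing load L_q, and the delay of its own VNF<->switch (E_V) link.
VNF = namedtuple("VNF", "name sf_type switch node cpu load link_delay")

# Constructed sample data: E_U links as (delay, bandwidth), node CPU capacities, set V.
LINKS = {("s0", "s1"): (2.0, 100), ("s1", "s2"): (3.0, 100), ("s0", "s2"): (7.0, 50)}
NODE_CPU = {"n1": 4.0, "n2": 4.0}
VNFS = [
    VNF("v_fw_1", "fw", "s1", "n1", 2.0, 0.8, 0.5),
    VNF("v_fw_2", "fw", "s2", "n2", 2.0, 0.1, 0.5),
    VNF("v_ids_1", "ids", "s2", "n2", 1.0, 0.2, 0.5),
    VNF("v_ids_2", "ids", "s1", "n1", 1.0, 7.0, 0.5),  # next to s1 but heavily loaded
]

def switch_delay(src, dst, bw_demand):
    # Dijkstra on delay over E_U, using only links that satisfy the bandwidth constraint.
    adj = {}
    for (a, b), (d, bw) in LINKS.items():
        if bw >= bw_demand:
            adj.setdefault(a, []).append((b, d))
            adj.setdefault(b, []).append((a, d))
    seen, heap = set(), [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            return d
        if u not in seen:
            seen.add(u)
            for v, ld in adj.get(u, []):
                heapq.heappush(heap, (d + ld, v))
    return None  # no path meets the bandwidth constraint

def hop_weight(cur_switch, cur_link_delay, cand, bw_demand):
    # w_{p,q}: ALPHA * (previous VNF link + switch path + candidate link delay) + BETA * load
    sd = switch_delay(cur_switch, cand.switch, bw_demand)
    return None if sd is None else ALPHA * (cur_link_delay + sd + cand.link_delay) + BETA * cand.load

def chain_weight(chain, ingress, bw_demand):  # sum of the hop weights, starting at the ingress
    total, cur_sw, cur_ld = 0.0, ingress, 0.0
    for vnf in chain:
        w = hop_weight(cur_sw, cur_ld, vnf, bw_demand)
        if w is None:
            return None
        total, cur_sw, cur_ld = total + w, vnf.switch, vnf.link_delay
    return total

def cpu_feasible(chain):  # CPU constraint: instances mapped to one node must fit its capacity
    return all(sum(v.cpu for v in chain if v.node == n) <= cap for n, cap in NODE_CPU.items())

def greedy_chain(sf_order, ingress="s0", bw_demand=60):
    # Stage 1 (S302-S308): for each service function, take the feasible instance of lowest hop weight.
    sc = []
    for sf in sf_order:
        cur_sw, cur_ld = (sc[-1].switch, sc[-1].link_delay) if sc else (ingress, 0.0)
        fp = [(w, c.name, c) for c in VNFS if c.sf_type == sf and cpu_feasible(sc + [c])
              and (w := hop_weight(cur_sw, cur_ld, c, bw_demand)) is not None]  # the FP set
        if not fp:
            return None  # no feasible instance: report deployment failure
        sc.append(min(fp)[2])
    return sc

def improve_chain(sc, ingress="s0", bw_demand=60):
    # Stage 2 (S309-S313): swap each VNF for a same-type instance when the whole-chain weight drops.
    for k in range(len(sc)):
        for alt in [a for a in VNFS if a.sf_type == sc[k].sf_type and a is not sc[k]]:
            new_sc = sc[:k] + [alt] + sc[k + 1:]
            w_new = chain_weight(new_sc, ingress, bw_demand)
            if cpu_feasible(new_sc) and w_new is not None and w_new < chain_weight(sc, ingress, bw_demand):
                sc = new_sc
    return sc
```

With this sample data the greedy stage keeps the firewall instance next to the ingress switch (chain weight 3.75), and the swap stage moves it to the second switch, where the chosen intrusion detection instance already sits (chain weight 3.4); a bandwidth demand no link can carry makes the greedy stage report failure instead.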
The invention provides an SDN-based automatic orchestration system and method for cloud security service function chains. It can automatically orchestrate the required security service function chain according to the user demand, automatically sense the network state, compute the optimal orchestration strategy and carry out the corresponding automatic orchestration, and it can control and manage virtual security resources centrally through the SDN controller, thereby effectively addressing the complexity of manual configuration, the low utilisation of virtual security resources, poor scalability and similar problems.
The above embodiments are merely examples of the present invention and are not intended to limit the present invention, and any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present invention are included in the scope of the present invention.

Claims (6)

1. An automatic cloud security service function chain arranging system and method based on SDN is characterized in that: comprising the following steps: an application layer, a control layer and a network layer;
the application layer is used for providing a visual interface to receive the service demands of the user, translating the service demands into service demand behavior descriptions SBDs of cloud security network services, issuing the service demand behavior descriptions SBDs to the control layer, and simultaneously returning an arrangement result to be presented to the user;
the control layer is used for describing the SBD and the acquired network state according to the service demand behaviors, generating an optimal arrangement strategy by using an automatic arrangement method based on a greedy algorithm, converting a deployment strategy and a routing strategy contained in the arrangement strategy into corresponding security domain demand behavior description SDBD, and then issuing the SDBD to the network layer through the SDN controller;
the network layer is used for executing corresponding deployment and routing operation according to the issued arrangement strategy, generating a corresponding security service function chain and returning the result to the upper layer.
2. The automatic arranging system and method for cloud security service function chains based on SDN as defined in claim 1, wherein the application layer comprises a Web interaction module and a demand processing module;
the Web interaction module is used for providing a visual operation interface, so that a user can fill in security service requirements conveniently, divide security domains and visually arrange a security service function chain; forwarding the demands of the users to a demand processing module, and displaying the arranged results to the users;
the demand processing module is used for analyzing and processing demands of users, translating safety service demands in the forms of voice, text, images and the like submitted by the users through natural language processing technologies such as voice recognition, information extraction and the like, obtaining service identification SID and service demand behavior description SBD, managing and issuing the service demands to the service arrangement module in the control layer.
3. The cloud security service function chain automatic arrangement system and method based on SDN of claim 1, wherein the control layer comprises a service arrangement module, an algorithm library module, a deployment routing module, a data perception and storage module and an SDN controller;
the service arrangement module is used for receiving the service requirement behavior description SBD sent by the upper layer, carrying out preliminary analysis through a big data technology, a behavior matching mechanism and the like to obtain formatted user requirements, and simultaneously calling the algorithm library module to calculate and obtain an optimized arrangement strategy; on the other hand, the method is used for analyzing the optimal arrangement strategy returned from the algorithm library module, carrying out deployment result conversion and routing result conversion, firstly analyzing the deployment result in the arrangement strategy, determining the bottom physical node mapped by each network function and the required hardware resource, converting the bottom physical node into a security domain demand behavior description SDBD with a corresponding format, sending the security domain demand behavior description SDBD to the deployment routing module for resource scheduling and creating a container, then analyzing the routing result in the strategy, generating a flow table rule according to a link mapping relation, likewise converting the flow table rule into the SDBD with the corresponding format, and finally sending the SDBD to the deployment routing module for issuing a flow table;
the algorithm library module is used for calculating an optimal arrangement strategy by adopting an automatic arrangement method based on a greedy algorithm after receiving the request sent by the service arrangement module, and returning the obtained optimal arrangement strategy to the service arrangement module;
the data sensing and storing module is used for acquiring the topology and resource information of the bottom network in real time by calling the SDN controller, storing the topology and resource information in a database in a lasting manner, monitoring the network state in real time, quickly finding and positioning faults when abnormality occurs, automatically analyzing the fault reasons and attempting to recover, and triggering an alarm when emergency occurs;
the deployment routing module is used for constructing a security domain according to the decision result and the security domain function behavior description SDBD, deploying a customized virtual network function by calling the SDN controller, and constructing a special path by issuing a flow table;
the SDN controller is used for separating control from forwarding, is responsible for collecting network equipment information, making a network topology structure and deciding the flow direction of network traffic, provides corresponding functions for other modules of a control layer, simultaneously manages network equipment of all network layers in a centralized mode, and issues control commands to the equipment, thereby realizing centralized management and control of network layer resources.
4. The automatic arranging system and method for cloud security service function chains based on SDN as defined in claim 1, wherein the network layer comprises a virtual switch, a security service function chain and a security resource pool;
the virtual switch is used for providing a data forwarding function based on a flow table rule;
the safety service function chain is used for constructing a safety function service chain required by a user according to a deployment strategy;
the secure resource pool provides virtual resources required by users, such as virtual firewalls, virtual intrusion detection systems, virtual intrusion prevention systems, and the like.
5. The algorithm library module according to claim 3, wherein the greedy-algorithm-based automatic orchestration method is specifically as follows:
in the service function chain (SFC) orchestration optimisation problem, a virtual network function VNF is responsible for handling a specific network service function running on a virtual machine; $V = \{v_{i,j}, 0 \le j \le N_j\}$ denotes the set of VNFs in the system, where $v_{i,j}$ is the j-th VNF instance of the class-i network function and $N_j$ is the number of VNF instances of the class-i network function; a network composed of VNFs and switches is represented by the undirected graph $G = (V \cup S, E_V \cup E_U)$, where S represents the SFFs in the system, i.e. the set of switches in the physical network, and $E_V$ and $E_U$ represent the sets of links between VNFs and switches and between switches, respectively;
the CPU, memory and bandwidth limits are considered in the SFC orchestration design: the CPU, memory and bandwidth of all VNFs deployed on the same physical node cannot exceed the capacity of that node; using F to represent a physical node and λ the mapping between VNF instances and physical nodes, the CPU constraint is designed as follows:
using γ to represent the mapping between logical links and physical links and $link_{i,j}$ the physical link from node i to node j, the bandwidth constraint is designed as follows:
the greedy-algorithm-based automatic SFC orchestration method takes the SFC information and the network topology graph as input and outputs a service chain SC deployed for the SFC; the method has two stages: in the first stage a greedy algorithm constructs an initial service chain for the SFC deployment request: starting from the ingress switch, the deployment position of the next service function is determined with the W link weight (a minimum-weight method based on delay and load) according to the shortest-link-weight principle, iterating until the deployment positions of all service functions in the service function set SF are determined and the initial service chain SC is constructed; the second stage searches globally for a service chain with a smaller sum of link weights, to address the tendency of a greedy algorithm to produce a locally optimal result: each VNF in the service chain SC built in the first stage is replaced by another VNF instance of the same service function type to construct a new service chain, the weight of the new chain is compared with that of the old one, and the current service chain SC is updated if the new weight is smaller.
6. The greedy-algorithm-based automatic orchestration method according to claim 5, wherein the W link weight is calculated with the following formula:
wherein $w_{p,q}$ represents the traffic delay and load state from node p to node q; $lt$ represents the inter-link traffic transmission delay, made up of the link between VNF instance $v_{i,p}$ and the switch $s_x$ it connects to, the link between VNF instance $v_{j,p}$ and the switch $s_y$ it connects to, and the link between switches $s_x$ and $s_y$, so that the transmission delay between the VNF instances is the sum of the three link delays; $L_q$ is the existing load of $v_{j,p}$; $\alpha$ and $\beta$ are coefficients whose values express the emphasis of the network optimisation index, and when $\alpha$ and $\beta$ are equal, transmission delay and load are equally important.