CN116886309A - Slice security mapping method and system for intelligent identification network - Google Patents


Info

Publication number
CN116886309A
CN116886309A
Authority
CN
China
Prior art keywords
slice
user
network
slicing
algorithm
Prior art date
Legal status
Pending
Application number
CN202310839075.8A
Other languages
Chinese (zh)
Inventor
权伟
刘明远
高德云
罗一鸣
罗延
邓君
王新宇
郭子琛
Current Assignee
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University

Classifications

    • H04L9/3247 Cryptographic mechanisms or network security protocols including means for verifying the identity or authority of a user or for message authentication, involving digital signatures
    • G06F21/31 Security arrangements for protecting computers, programs or data: user authentication
    • G06F9/45558 Emulation, interpretation or software simulation (virtualisation): hypervisor-specific management and integration aspects
    • H04L41/122 Maintenance, administration or management of data switching networks: discovery or management of virtualised topologies, e.g. software-defined networks [SDN] or network function virtualisation [NFV]
    • H04L63/0414 Network security: confidential data exchange in which a party's identity is hidden during transmission, e.g. by using temporary identifiers, but is known to the other parties in the communication
    • H04L63/0428 Network security: confidential data exchange in which the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/18 Network security using different networks or channels, e.g. out-of-band channels
    • H04L9/40 Network security protocols
    • G06F2009/45595 Hypervisor-specific management: network integration; enabling network access in virtual machine instances

Abstract

The invention provides a slice security mapping method and system for an intelligent identification network, in the technical field of Internet of Things communication. It exposes an externally accessible, highly available API for the slicing system that responds to user requests faster and at lower cost, makes verification of user identity data more efficient, keeps system performance up under replay attack, and records user interaction behaviour. It reflects the user's usage requirement accurately and provides VNF disaster-recovery switchover when a node becomes unavailable while a slice is in use. While improving resource utilisation, cost margin and similar metrics, it introduces a security control constraint into the orchestration algorithm, so that orchestration itself becomes more secure. Orchestration signalling is encrypted. Finally, it implements programmable forwarding in the data plane, builds the slice network on the underlying transport devices, and converts user data into slice data carried in different network protocol formats.

Description

Slice security mapping method and system for intelligent identification network
Technical Field
The invention relates to the technical field of Internet of Things communication, and in particular to a slice security mapping method and system for an intelligent identification network.
Background
The traditional Internet architecture aims at generality and heterogeneity. As the network has grown and application scenarios have multiplied, a shortcoming has become apparent: the architecture carries data without knowing what the data means. Faced with today's diverse business demands, the traditional architecture is hard to manage and control, its performance indicators are hard to measure, and security problems keep emerging, so researchers have begun to explore new network architectures.
With the development of network function virtualization (NFV) and related technologies, virtualization has become an important architectural property of the Internet: multiple virtual networks share the same physical infrastructure, carry different communication protocols and support different virtual functions. Kim et al. propose a network architecture with a multi-resource infrastructure that applies NFV so that operators can run end-to-end customised services with different protocol stacks on the same base equipment, extending virtualization to shared devices. Albert et al. propose the 4D architecture, which divides the network into a decision plane, a dissemination plane, a discovery plane and a data plane, separating decision logic from forwarding logic: routers and switches forward packets as instructed by the decision plane and collect measurement data that helps the decision plane control the network. The Internet of Things is merging the physical and virtual worlds; more and more resources are virtualised and software-defined, and sensor devices in smart-environment frameworks expose rich information through NFV and similar technologies. The US National Science Foundation's GENI plan analysed the shortcomings of the traditional Internet and the technical trends of the next-generation Internet and proposed a series of measures to improve network performance, making it one of the research hotspots for novel Internet architectures.
These novel architectures innovate in decision control and data-plane forwarding, but they cannot meet the needs of network slicing, a new technology that requires highly centralised resources and services, centralised control and cooperation among resources, and individual customisation for a huge population of slice users. Zhang Hongke's team therefore proposed SINET on the basis of the identifier network and smart identifier network concepts; it flexibly connects and maps virtual network functions in combination with a slice orchestration policy and provides users with end-to-end customised slice services.
SINET meets personalised service requirements by integrating multidimensional resources. The architecture has three layers: a smart service layer, a resource adaptation layer and a network component layer. The smart service layer manages the identifiers and the specific behaviours that describe a slice service, as well as the mapping between identifiers and behaviours. The resource adaptation layer dynamically selects a slice orchestration algorithm according to the service requirements issued by the smart service layer, manages VNF resources and passes the orchestration result to the network component layer, which generates the corresponding NSI. The network component layer designs the forwarding logic of the data plane according to the orchestration mapping result, builds the slice entity, delivers communication data and collects network information. SINET thus realises an integrated network service system that provides differentiated services and unified scheduling and management for network slicing while guaranteeing the basic performance requirements of communication services. It abstracts existing network resources into logical services, converts users' business requirements into invocation requirements on those abstract resources, and builds a model describing slice state from parameters collected from the underlying network and from the requirements of slice users.
The slicing system provides user authentication for slice users as a RESTful API. REST (Representational State Transfer) is a software architecture style proposed by Roy Fielding in 2000; it is a way of designing and developing network applications that reduces development complexity and improves scalability, and it defines a set of architectural principles under which developers manipulate and transfer the state of network resources over HTTP. The security of user access to a service system through a RESTful API has been studied by researchers in China and abroad. Tao et al. propose a resource whitelist and token-checking mechanism for the RESTful architecture that reduces the load on high-security-domain servers while lowering the risk of network attack. Serme et al. observe that mainstream service providers are moving to REST-based services and propose a REST security protocol that secures service communication with certificate signing, symmetric encryption and similar means. Hittu et al. describe Internet of Things middleware that exposes device data and hides details through a RESTful API, acting as the interface between users and sensor data. Huang et al. propose a token-based user authentication mechanism that protects the interaction data of a RESTful API from theft: the client generates a one-time token from a public token, a private token and a timestamp, the server verifies it, and each exchange is valid only for a fixed period.
Slices must be orchestrated to realise data forwarding in the underlying network. The 5G slice network is user-centric and replaces the single service mode of traditional networks with on-demand customised services for different users on a shared general-purpose infrastructure. During slice orchestration, the VNF orchestration algorithm must satisfy the users' QoS requirements and must be efficient, high-performing and secure. Existing slice orchestration and deployment algorithms are designed around different optimisation targets. Cao et al. propose a sliced VNF layout optimisation based on several genetic algorithms, with bandwidth consumption and maximum link utilisation as targets. Savi et al., aiming to improve orchestration performance, introduce handover costs and upgrade costs as constraints on sharing resources among multiple VNFs. Liang et al. address the side-channel attack risk in slice deployment with a group-based VNF orchestration mapping strategy that improves mapping security at the expense of some orchestration benefit such as resource utilisation. Khettab et al. propose an automatic slice scaling algorithm to address the security problems that the flexibility and elasticity of slice networks bring to slice management. Zahel et al. propose heuristic and meta-heuristic models based on genetic algorithms to minimise the total power consumed by slice orchestration. Zhu et al. establish a game mechanism that adjusts the mapping of slice resources to reduce network cost.
Baungartner et al. propose a linear programming algorithm combined with network topology optimisation to minimise mapping cost. Cohen et al. propose an approximation algorithm whose targets are lower mapping cost and lower operating cost for slice orchestration mapping. Another work proposes the SecPSO algorithm, which uses a particle swarm to optimise the mapping and orchestration of network slices, with physical link utilisation and network benefit as targets and a slice security isolation evaluation value as a constraint.
When the physical node a VNF is mapped to goes down, or becomes unavailable through virus infection or another kind of attack, the whole VNF set mapped on that node becomes unavailable and the slice must be reconstructed to restore its function; research on survivable virtual network embedding (SVNE) centres on this scenario. Wang et al. propose a VNF node backup mechanism based on node importance that improves slice reliability by backing up key virtual network function nodes. Choldhury et al. propose dedicated protection for VNF mapping that provides redundant, mutually exclusive backup resources for every resource dimension of a single VNF so that the network can recover quickly. Kibaliva et al. propose a slice reconstruction algorithm based on a multi-level graph that lets non-critical users use backup resources not used by high-priority users and reduces the probability that they are pre-empted. Rahman et al. propose a heuristic hybrid strategy that backs up VNFs on each physical link with pre-reserved quotas. Hu et al. propose a VNF mapping framework for single physical node failures: if the failed node runs a virtual network service, the framework restores the node and keeps the service survivable.
Chinese patent application CN202210003854X discloses a network slice orchestration algorithm based on particle swarm inheritance. It has the following shortcomings: after security authentication, the user authentication information is not fused into the slice mapping and orchestration scheme, so user information is not used to improve mapping security; the mapping algorithm focuses only on converging performance and revenue and ignores security risks such as information leakage caused by excessive reuse of containers; and slice mapping can only use an IPv4 network and cannot adapt to a future in which multiple network protocols coexist.
Chinese patent application CN2021115984643 discloses a 5G-based network slice resource orchestration and mapping method with the following shortcomings: the slice reliability it guarantees refers to the integrity of the slice life cycle, while authentication security during slice use, data leakage in the mapping step and security during data transmission remain unguaranteed; and it lacks a unified identifier-based service management mechanism, so it extends poorly.
In summary, the construction and orchestration of network slices has become a research hotspot, but the security problems exposed during construction and orchestration seriously challenge the usability and adoption of slices. On one hand, the user authentication mechanism of the slice system's interaction interface is immature and lacks unified data verification and protection against replay attacks; on the other hand, slice orchestration algorithms concentrate on optimising performance and revenue and pay no attention to the security threat that co-residency attacks pose to slices.
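The two orchestration concerns surveyed above, a security constraint on where VNFs may be co-resident (the kind of constraint Liang et al. and SecPSO add to the mapping) and re-placement of the VNFs hosted on a node that fails (the SVNE scenario), in one small Python model. This is an added example, not the patent's algorithm or any cited paper's code: the node/VNF model, the definition of "mapping security level" as the node's base level minus one per other tenant already co-resident, the threshold check, and the best-fit choice are all assumptions made for illustration.

```python
"""Security-constrained VNF placement with horizontal failover (added example).

Assumed model (not the patent's): each physical node has free CPU and a base
security level; each VNF belongs to a tenant and needs CPU. The mapping security
level of putting a VNF on a node is the node's base level minus one per *other*
tenant already hosted there (co-residency exposure). A placement is allowed only
when that level is at or above a threshold; among allowed nodes the best-fit one
(least CPU left afterwards) is chosen so utilisation stays high. On node failure
only the VNFs that node hosted are re-placed on the remaining nodes.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    cpu: int                      # free CPU units
    sec: int                      # base security level of the node
    up: bool = True
    hosted: list = field(default_factory=list)   # VNFs currently mapped here


@dataclass(frozen=True)
class VNF:
    name: str
    tenant: str
    cpu: int


def mapping_security_level(node, vnf):
    """Node base level reduced by the number of foreign tenants co-resident."""
    foreign = {v.tenant for v in node.hosted if v.tenant != vnf.tenant}
    return node.sec - len(foreign)


def place_vnf(vnf, nodes, threshold):
    """Map one VNF. Returns the chosen node name, or None when no live node has
    the capacity and satisfies the security threshold."""
    candidates = [n for n in nodes.values()
                  if n.up and n.cpu >= vnf.cpu
                  and mapping_security_level(n, vnf) >= threshold]
    if not candidates:
        return None
    # Best fit: least CPU left after placement; node name breaks ties deterministically.
    best = min(candidates, key=lambda n: (n.cpu - vnf.cpu, n.name))
    best.cpu -= vnf.cpu
    best.hosted.append(vnf)
    return best.name


def place_slice(vnfs, nodes, threshold):
    """Map a whole VNF list, largest VNFs first. Returns {vnf name: node name},
    or None (with nodes rolled back) if any VNF cannot be placed."""
    snapshot = {n.name: (n.cpu, list(n.hosted)) for n in nodes.values()}
    mapping = {}
    for vnf in sorted(vnfs, key=lambda v: (-v.cpu, v.name)):
        node = place_vnf(vnf, nodes, threshold)
        if node is None:
            for n in nodes.values():             # undo the partial placement
                n.cpu, n.hosted = snapshot[n.name]
            return None
        mapping[vnf.name] = node
    return mapping


def fail_node(name, nodes, threshold):
    """Horizontal failover: mark the node down and re-place the VNFs it hosted.
    Returns {vnf name: new node name or None if no replacement was found}."""
    node = nodes[name]
    node.up = False
    evicted, node.hosted = node.hosted, []
    return {v.name: place_vnf(v, nodes, threshold) for v in evicted}
```

With three constructed nodes (n1: 8 CPU, level 5; n2: 8 CPU, level 4; n3: 4 CPU, level 5) and threshold 4, tenant A's firewall and load balancer land on n3 and n1, tenant B's DPI still fits on n1 because one foreign tenant only lowers the level to 4, but a third tenant is refused at threshold 5 because n1 would have two foreign tenants (level 3) and n2's base level is only 4; failing n3 moves the firewall to n2.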
Disclosure of Invention
The invention provides a slice security mapping method and system for an intelligent identification network that solves at least one of the technical problems described in the background.
To that end, the invention adopts the following technical scheme:
in one aspect, the invention provides a slice security mapping system for a smart identification network, comprising:
a user authentication module, which authenticates a slice user's identity when the user accesses the intelligent fusion identification network slicing system and establishes a trusted access channel between the slicing system and the user with a signature authentication algorithm;
a slice control module, which receives and processes the topology information collected by the data transmission module, maps the user's slice usage intent to the set of virtual network function (VNF) units to be started, and provides horizontal reconfiguration switchover of a VNF when the VNF fails or its node becomes unavailable;
a slice orchestration module, which orchestrates and maps the VNF list generated by the slice control module onto the underlying network with a slice orchestration algorithm and encrypts the orchestration information with an SM9-based encryption algorithm keyed by the user's identity;
and a data transmission module, which realises the orchestration mapping result generated by the slice orchestration module on programmable function nodes of the network component layer, implements the slice forwarding logic in the data-plane programming language P4, encapsulates user data into slices of different types for transmission, and senses and records the global slice topology with in-band network telemetry (INT).
In a second aspect, the invention provides a slice security mapping method of a smart fusion identification network, implemented with the system described above, comprising:
authenticating a slice user's identity when the user accesses the intelligent identification network slicing system and establishing a trusted access channel between the slicing system and the user with a signature authentication algorithm;
receiving and processing the topology information collected by the data transmission module, mapping the user's slice usage intent to the set of virtual network function (VNF) units to be started, and providing horizontal reconfiguration switchover of a VNF when the VNF fails or its node becomes unavailable;
orchestrating and mapping the VNF list generated by the slice control module onto the underlying network with a slice orchestration algorithm and encrypting the orchestration information with an SM9-based encryption algorithm keyed by the user's identity;
and realising the orchestration mapping result generated by the slice orchestration module on programmable function nodes of the network component layer, implementing the slice forwarding logic in the data-plane programming language P4, encapsulating user data into slices of different types for transmission, and sensing and recording the global slice topology with in-band network telemetry (INT).
In a third aspect, the invention provides a non-transitory computer-readable storage medium storing computer instructions which, when executed by a processor, implement the slice security mapping method of a smart identification network described above.
In a fourth aspect, the invention provides a computer program product comprising a computer program which, when run on one or more processors, implements the slice security mapping method of a smart identification network described above.
In a fifth aspect, the invention provides an electronic device comprising a processor, a memory and a computer program; the processor is connected to the memory, the computer program is stored in the memory, and when the device runs, the processor executes the stored program so that the device carries out the instructions implementing the slice security mapping method of a smart identification network described above.
Term interpretation:
(1) Software-defined network: the Software Defined Network (SDN) is a novel network architecture proposed by the Clean Slate research group at Stanford University and one way of implementing network virtualisation. Its core technology, OpenFlow, separates the control plane from the data plane of network devices, enabling flexible control of network traffic; the network becomes a smarter pipe and offers a good platform for innovation in core networks and applications.
(2) P4 programmable data plane: Programming Protocol-independent Packet Processors (P4) is a domain-specific language for network devices that specifies how data-plane devices (switches, NICs, routers, filters and so on) process packets.
(3) Smart fusion identifier network: Smart Integration Identifier Networking (SINET) is a novel network architecture proposed by Zhang Hongke's team at Beijing Jiaotong University; its predecessors are the identifier network and the smart identifier network.
(4) Network slice: network slicing is a form of virtualisation that allows multiple logical networks to run on a shared physical network infrastructure. Each logical network is isolated from the others and can provide customised network characteristics such as bandwidth, latency and capacity; besides network resources, each logical network also comprises computing and storage resources.
(5) Network slice instance: the Network Slice Instance (NSI) is the core of the network slicing concept; it is an end-to-end logical network comprising a set of network functions, resources and connections.
(6) Network function virtualisation: Network Functions Virtualization (NFV) uses virtualisation technology to split the functions of the network node hierarchy into several functional blocks implemented in software, no longer tied to a hardware architecture.
(7) Virtual network function: a Virtual Network Function (VNF) is a network function running in an NFV context.
(8) In-band network telemetry: In-band Network Telemetry (INT) is a network monitoring framework that collects and reports network state directly from the data plane.
The invention has the following beneficial effects. The slice security orchestration mechanism based on the intelligent identification network makes user authentication and slice orchestration more secure, gives slices a horizontal disaster-recovery scheme, and completes delivery of slice data and collection of network information. A slice user authentication algorithm based on user trust and a signature digest makes the interaction process auditable, improves authentication efficiency, shortens request data and system response time, and raises the request acceptance rate. A slice reconstruction algorithm based on intent translation and k-means clustering builds a slice vector model, maps user demands to available virtual network functions, horizontally replaces the virtual network functions on unavailable nodes, and improves slice availability and disaster-recovery capability. A slice orchestration algorithm based on the mapping security level keeps that level above a threshold while improving orchestration performance, making the orchestration process more secure. In addition, mapping signalling is encrypted and decrypted with SM9 keyed by the user identity, protecting the privacy of slice user data. A P4-based slice construction and in-band network telemetry algorithm customises slices of different protocol types on demand, including IPv4 slices, IPv6 slices and smart fusion identifier network slices, and collects network information such as bandwidth, queue depth and delay in real time.
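In-band network telemetry as defined in term (8) and used by the data transmission module, shown as a Python model of the three roles a telemetry packet passes through (source, transit node, sink) rather than as P4. This is an added example, not the patent's P4 code and not the INT specification's exact header layout: the 4-byte header (version, max_hops, hop_count, words per hop), the 16-byte per-hop record (switch id, ingress timestamp, egress timestamp, queue depth) and the newest-first stacking order are assumptions chosen for illustration.

```python
"""Simplified INT source / transit / sink processing (added example, not the
patent's code). Assumed layout: 4-byte header [version, max_hops, hop_count,
hop_words], then a stack of per-hop records (newest first), each hop_words
32-bit words: switch_id, ingress_ts, egress_ts, queue_depth, then the payload.
The source inserts an empty header; each transit node pushes its record and
increments hop_count, refusing once max_hops is reached so the stack is bounded;
the sink pops the stack and hands path-ordered records to the collector.
"""
import struct

INT_VERSION = 1
HDR = struct.Struct("!BBBB")    # version, max_hops, hop_count, hop_words
HOP = struct.Struct("!IIII")    # switch_id, ingress_ts, egress_ts, queue_depth
HOP_WORDS = HOP.size // 4


def int_source(payload, max_hops=8):
    """Source node: prepend an INT header with an empty stack to the slice payload."""
    return HDR.pack(INT_VERSION, max_hops, 0, HOP_WORDS) + payload


def _header(pkt):
    version, max_hops, hop_count, hop_words = HDR.unpack_from(pkt)
    if version != INT_VERSION or hop_words != HOP_WORDS:
        raise ValueError("unsupported INT header")
    return max_hops, hop_count


def int_push_hop(pkt, switch_id, ingress_ts, egress_ts, queue_depth):
    """Transit node: push this node's record on top of the stack.
    If the stack is already full the packet is forwarded unchanged."""
    max_hops, hop_count = _header(pkt)
    if hop_count >= max_hops:
        return pkt
    record = HOP.pack(switch_id, ingress_ts, egress_ts, queue_depth)
    header = HDR.pack(INT_VERSION, max_hops, hop_count + 1, HOP_WORDS)
    return header + record + pkt[HDR.size:]


def int_sink(pkt):
    """Sink node: strip the telemetry and return (hops in path order, payload)."""
    _, hop_count = _header(pkt)
    stack_len = hop_count * HOP.size
    stack = pkt[HDR.size:HDR.size + stack_len]
    if len(stack) != stack_len:
        raise ValueError("truncated INT stack")
    hops = [HOP.unpack_from(stack, i * HOP.size) for i in range(hop_count)]
    hops.reverse()                      # newest-first on the wire -> first hop first
    return hops, pkt[HDR.size + stack_len:]


def path_report(hops):
    """Collector: per-node residence time and per-link latency along the path.
    Timestamps are taken to be microseconds from one clock domain (assumption)."""
    report = []
    for i, (switch_id, ingress, egress, qdepth) in enumerate(hops):
        link = ingress - hops[i - 1][2] if i else 0   # previous node's egress to here
        report.append({"switch": switch_id, "queue_depth": qdepth,
                       "residence_us": egress - ingress, "link_us": link})
    return report
```

The sink validates the stack length against hop_count before unpacking, and a transit node never grows the stack beyond max_hops, which is what keeps a malformed or looping telemetry packet from becoming an amplification problem on the data plane.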
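The timestamped, one-time token scheme credited to Huang et al. in the background and the user authentication module's signature-based, replay-resistant access check (Fig. 4 names HMAC-SHA256) share one shape, shown here as an added Python example that is not the patent's code. The request format (canonical string over method, path, body hash, timestamp and nonce), the header names, the 60-second validity window and the in-memory nonce cache are assumptions made for illustration.

```python
"""Signed, replay-resistant API request check (added example, not the patent's code).

Assumed scheme: the client holds a public token (its identity, sent in clear) and a
private token (a shared secret never sent). Each request carries the public token,
a Unix timestamp, a random nonce and an HMAC-SHA256 digest over method, path,
body hash, timestamp and nonce. The server recomputes the digest, rejects
timestamps outside a fixed window and rejects any nonce already seen in that window.
"""
import hashlib
import hmac
import secrets
import time

WINDOW_SECONDS = 60   # assumed validity period of one request

# Constructed sample credential store: public token -> private token.
CREDENTIALS = {
    "slice-user-01": b"0f3c9a2e7b1d4c8a9e5f6a7b8c9d0e1f",
}


def canonical_string(method, path, body, timestamp, nonce):
    """Fixed field order joined by a separator that cannot occur inside the fields."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(public_token, private_token, method, path, body, now=None):
    """Client side: produce the authentication headers for one request."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    digest = hmac.new(private_token, msg, hashlib.sha256).hexdigest()
    return {"X-Token": public_token, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": digest}


class Verifier:
    """Server side. Remembers nonces accepted inside the window to stop replays."""

    def __init__(self, credentials, window=WINDOW_SECONDS):
        self.credentials = credentials
        self.window = window
        self._seen = {}   # nonce -> timestamp it was accepted with

    def _expire(self, now):
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.window}

    def verify(self, method, path, body, headers, now=None):
        """Return (accepted, reason); the reason is one of a fixed set of strings."""
        now = int(time.time() if now is None else now)
        private = self.credentials.get(headers.get("X-Token", ""))
        if private is None:
            return False, "unknown-token"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "malformed"
        if abs(now - ts) > self.window:
            return False, "stale-timestamp"
        msg = canonical_string(method, path, body, ts, nonce).encode()
        expected = hmac.new(private, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return False, "bad-signature"
        self._expire(now)
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = ts
        return True, "ok"
```

Two details carry the security argument: the timestamp bounds how long a captured request stays valid, so the nonce cache only has to remember one window's worth of nonces, and the digest covers the body hash, so a captured signature cannot be re-used with a different slice request. Checking the signature before consulting the cache keeps an attacker from probing which nonces the server has seen without holding the private token.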
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed to describe them are introduced briefly below. The drawings show only some embodiments of the invention; a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a functional schematic diagram of a security orchestration mechanism model for intelligent identification network slices according to an embodiment of the invention.
Fig. 2 is a functional schematic diagram of a slice security orchestration mechanism system according to an embodiment of the present invention.
Fig. 3 is a flowchart of a user authentication module according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating the steps of an HMAC-SHA256 algorithm according to an embodiment of the invention.
FIG. 5 is a schematic diagram of an identifier mapping and management workflow according to an embodiment of the present invention.
Fig. 6 is a block diagram of slice lifecycle management according to an embodiment of the present invention.
Fig. 7 is a functional block diagram of a signaling security encryption and decryption module according to an embodiment of the present invention.
Fig. 8 is a flow chart of header parsing of a slice packet according to an embodiment of the present invention.
FIG. 9 is a diagram of the INT header format of an in-band perceptual telemetry sub-module according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating a model of operation of an in-band sensing telemetry module according to an embodiment of the invention.
FIG. 11 is a flow chart illustrating the processing of an in-band sense telemetry module packet according to an embodiment of the invention.
Fig. 12 is a flow chart of a programmable function node in an in-band aware telemetry sub-module according to an embodiment of the present invention when receiving a data packet.
Wherein: 1-subnet gateway route; 2-access control device; 3-slice controller; 4-programmable function node; 5-orchestration controller; 6-slice forwarding device.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements throughout or elements having like or similar functionality. The embodiments described below by way of the drawings are exemplary only and should not be construed as limiting the invention.
It will be appreciated by those skilled in the art that the drawings are merely schematic representations of examples and that the elements of the drawings are not necessarily required to practice the invention.
Network slicing satisfies the communication demands of different slicing users and network service providers by creating multiple logically isolated virtual networks on a shared physical infrastructure. With NFV, cloud networking, SDN and related technologies, the slicing system maps user requirements to a set of VNFs, connects the VNF units into an NSI, and maps the NSI onto general-purpose equipment such as underlying network components to run the slice functions. Against this background, how to build security into the orchestration process at low cost in time, money and other resources has become an important challenge for the deployment of network slices.
Therefore, the slice security orchestration mechanism designed in this embodiment needs to have the following features:
(1) It exposes an externally accessible API for a highly available slicing system, responds to user requests faster and at lower cost, improves the efficiency of verifying user identity data and the system's performance under replay attack, and records user interaction behaviour.
(2) It implements similarity mapping between the users' slicing requirements and the VNFs available in the slicing system, so that the users' requirements are reflected accurately, and provides VNF disaster-recovery switching when a node becomes unavailable while a slice is in use.
(3) It accounts for the data leakage and attack risks among VNFs resident on the same underlying equipment: a security orchestration algorithm introduces a security-control constraint while still improving resource utilization, cost margin and similar metrics, so the security of the orchestration result improves. The orchestration signaling is also encrypted to protect the privacy of user data.
(4) It implements programmable forwarding at the data layer, builds the slice network on the underlying transmission equipment, and converts user data into slice data in different network protocol formats for transmission. It also probes resource information in the slice topology and records it in logs, providing in-band network telemetry.
The design of the intelligent identification network slice security arrangement mechanism model is shown in figure 1. When a slicing user accesses the intelligent identification network slicing system, a request data packet carrying access data is sent, and the data packet reaches access control equipment 2 positioned in an intelligent service layer after passing through a subnet gateway route 1. The request data packet performs user authentication at the access control device 2, and if the access request is judged to be a legal request by the slice control system after the authentication is finished, the configuration information of the user is analyzed and processed, and the configuration information of the user is transferred to the slice control cluster formed by the slice controller 3 through the slice forwarding device 6 in the control link. The slice control cluster manages the service identifier, distributes corresponding identifiers for the user, the access position, the contact terminal, the position and the follow-up service, analyzes the historical interaction behavior and the network condition of the user, calculates the user trust attribute of the current slice interaction, and records the related information into a database. The slice control cluster regularly carries out global network state sensing, analyzes the use condition and the residual resource distribution condition of the programmable function node 4 and each link, and constructs a virtual and physical network resource distribution model on the basis. After the available resource condition and the user configuration condition are obtained, user intention translation work is carried out, the optimal VNF is matched according to the function and performance requirements of the user, and arrangement configuration information is generated to provide services for the user. 
The slice control cluster also bears the management function of the slice life cycle, and provides services such as slice reconstruction, offline and the like through monitoring the use condition and the state of the slice.
The slice control cluster sends the orchestration configuration over the control link to the orchestration control cluster, which consists of orchestration controllers 5 at the resource adaptation layer. The orchestration control cluster manages the slice orchestration mapping algorithms: it selects an algorithm according to the user requirements, the VNFs and the requirements of the requested link, combines it with the user trust attribute, and issues slice mapping signaling to the network component layer while preserving orchestration benefit; the algorithm guarantees the security of the orchestration result. The mapping signaling is encrypted so that it cannot be tampered with or forged.
After the slice mapping signaling is issued to the programmable function nodes 4 at the network component layer, the programmable function nodes 4 encapsulate and forward the user data as slices. The programmable function nodes 4 run P4 data-plane programs, match encapsulation and forwarding logic to different packets through preset forwarding rules, collect network topology resources periodically and feed the topology information back to the intelligent service layer, and support multi-protocol cooperative forwarding, so that they can adapt to a network with a complex mix of protocols.
In this embodiment, the slice security arrangement mechanism system is designed as shown in fig. 2, and is divided into four modules, which are respectively: the device comprises a user authentication module, a slice control module, a slice arrangement module and a data transmission module.
The specific functions of each module are as follows:
(1) The user authentication module performs identity authentication when a slicing user accesses the intelligent fusion identification network slicing system: it identifies the operator's digital identity within the slicing system and verifies the legitimacy of the accessing party. The module establishes a trusted access channel between the slicing system and the user with a signature authentication scheme that consists of a digest algorithm and a signature algorithm, and it provides a trust-degree algorithm whose output supports slice lifecycle management and orchestration algorithm management.
(2) The slice control module implements the core control functions of the intelligent identification network slicing system. It supports the cooperative operation of multiple controllers and keeps the slicing system running normally. Its input is the user configuration information: once received, the user intent translation sub-module analyses the user's resource requirements for the slice, and the virtual/physical network resource management sub-module supplies the corresponding resource data after arranging system resources, so that the two can be matched. Throughout the service process the module uses the service identifier management and monitoring of the intelligent identification network, takes part in slice lifecycle management, and passes the slice orchestration configuration to the slice orchestration module.
(3) The slice orchestration module implements the mapping of intelligent identification network slices onto the network component layer. It comprises orchestration algorithm management, signaling security encryption and the slice orchestration control cluster. Orchestration algorithm management analyses the user requirements and network conditions, applies different slice orchestration mapping methods to meet the user's performance requirements on slice use, and uses an intelligent identification network slice orchestration algorithm designed so that orchestration benefit is preserved while the orchestration meets a given security requirement. The signaling security encryption sub-module protects the slice mapping commands in transit and strengthens the security of the mapping link. The slice orchestration control cluster maps the orchestration commands onto the network component layer to form the network slice entity, building the slice network reliably and efficiently, and monitors the slice state.
(4) The data transmission module implements the data transmission function of the network component layer. It collects and processes network topology information through INT, supplies real-time network resource information to the slice orchestration module, and uses a P4 programmable data plane to express the data-layer forwarding rules, which gives it reconfigurability, platform independence and protocol independence; it transmits user data flexibly as slices of multiple protocols and provides data support for the slice control module.
In this embodiment, the user authentication module needs to ensure the access security of the slicing user accessing the intelligent fusion identification network slicing system through the external API, and the flow chart of the module is shown in fig. 3. The access process is given identification management through the service identification management service, and relevant data are stored in a database for inquiry. After the access legitimacy of the user identity is confirmed, the use requirement of the user on the slice is acquired, and the identification management of the access process trust degree is given according to the user trust degree algorithm, so that data preparation with safety attributes is provided for slice arrangement.
In this embodiment, the design of the user signature authentication sub-module is as follows:
When a slicing user accesses the intelligent identification network slicing system and applies for slicing resources, it selects a slice type according to its bandwidth requirement, acceptable delay, security requirement and other requirements, and generates the corresponding user requirement metadata. A data digest is computed over this metadata with a digest algorithm that is public to both the slicing system and the slicing users. In this implementation the digest algorithm splices the key fields of the user request: SummaryData consists of SINET_Access_Key, TypeData, MD5Data, SignatureMethod and Timestamp, and SummaryData is the spliced data digest. SINET_Access_Key holds the identity information of the slicing user, by which the intelligent identification network slicing system verifies the user identity; TypeData holds the slicing user's service request information; MD5Data is the MD5 digest of the service request information (a hash, not an encryption), which lets the recipient detect tampering with or forgery of intercepted request information; SignatureMethod names the signature algorithm and may be set by the user to another signature algorithm; and Timestamp holds the validity period of the slicing user's request and is used to resist replay attacks. The data digest SummaryData, combined with the slicing key, produces a unique signature under the signature algorithm, which is likewise public to the intelligent fusion identification network slicing system and is usually a hash-based or encryption-based algorithm; this module uses the keyed hash HMAC-SHA256 as the signature algorithm for signature authentication.
The HMAC-SHA256 algorithm is the HMAC construction instantiated with the SHA-256 hash function; the HMAC process is shown in formula (4-1):
where k is the key, k' is the key derived from k, m is the message to be signed and authenticated, H is the cryptographic hash function, and stuff denotes bit padding.
The HMAC-SHA256 algorithm is shown in equation (4-2):
where SHA256 is the SHA-256 hash function, whose output hash value is 256 bits long.
The HMAC-SHA256 steps are shown in Fig. 4. First the key k' is derived: if the key k is shorter than the 512-bit SHA-256 block, zero bits are appended to k until it is 512 bits long, giving k'; if k is longer than 512 bits, k' is the SHA-256 hash of k (which is then likewise zero-padded to 512 bits). SHA-256 is a hash function that maps a message of any length to a 256-bit hash value: the message is first cut into sub-messages of 512 bits, the last of which is padded, the sub-messages are then processed iteratively, and the final iteration result is the 256-bit hash value. The key k' is XORed with the bit pattern 00110110 repeated to 512 bits, giving the 512-bit sequence $S_A$. $S_A$ is prepended to the message m to be signed, the concatenation is taken as the input of the SHA-256 function, and the 256-bit hash value $H_A$ is output. The key k' is then XORed with the bit pattern 01011100 repeated to 512 bits, giving the 512-bit sequence $S_B$. $H_A$ is appended to $S_B$, the concatenation is taken as the input of the SHA-256 function, and the 256-bit output is the user signature. Finally the slicing user sends the request metadata and the generated user signature to the access control device of the intelligent identification network slicing system.
After the access control device receives the data sequence sent by the slicing user, it recomputes the digest with the published digest algorithm, recomputes the user signature with the HMAC-SHA256 algorithm, and verifies the legitimacy of the slicing user's access request by checking that the recomputed signature equals the signature carried in the request; the comparison should be constant-time so that it leaks nothing about the expected value, and the Timestamp must be checked against the validity window for the replay protection to hold.
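The signing and verification procedure described above, written out as an added example (not code from the patent): the HMAC-SHA256 steps of Fig. 4 are built by hand from SHA-256 and checked against Python's hmac module, SummaryData is spliced from the five listed fields, and the access control device recomputes the digest and signature, compares them in constant time, enforces the Timestamp window and rejects a repeated signature. The field delimiter, the percent-encoding, the 300-second window, the slicing key and the request values are assumptions; the patent lists the fields but not these details.

```python
import hashlib
import hmac
import time
import urllib.parse

# Constructed values for the example. A real deployment provisions a per-user
# slicing key out of band and the access control device looks it up by SINET_Access_Key.
SLICE_KEY = b"constructed-shared-slicing-key"
REPLAY_WINDOW_S = 300   # assumed validity window for Timestamp; the patent gives no value
BLOCK_SIZE = 64         # SHA-256 block size in bytes (512 bits)


def hmac_sha256_manual(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256 step by step as in Fig. 4: derive k', XOR with the ipad/opad
    patterns, inner hash over S_A || m, outer hash over S_B || H_A."""
    if len(key) > BLOCK_SIZE:                      # keys longer than one block are hashed first
        key = hashlib.sha256(key).digest()
    k_prime = key.ljust(BLOCK_SIZE, b"\x00")       # zero-pad to 512 bits
    s_a = bytes(b ^ 0x36 for b in k_prime)         # 0x36 = 00110110 repeated (ipad)
    s_b = bytes(b ^ 0x5C for b in k_prime)         # 0x5C = 01011100 repeated (opad)
    h_a = hashlib.sha256(s_a + msg).digest()       # inner hash H_A
    return hashlib.sha256(s_b + h_a).hexdigest()   # outer hash = user signature


def manual_matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-built construction against the standard library."""
    return hmac_sha256_manual(key, msg) == hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_summary_data(access_key: str, type_data: str, timestamp, method: str = "HMAC-SHA256") -> str:
    """Splice the request's key fields into SummaryData. The patent lists the fields
    but not the delimiter: '&'-joined, percent-encoded key=value pairs are assumed so
    that field boundaries cannot be shifted by crafted values."""
    md5_data = hashlib.md5(type_data.encode()).hexdigest()   # MD5Data = MD5 digest of TypeData
    fields = [
        ("SINET_Access_Key", access_key),
        ("TypeData", type_data),
        ("MD5Data", md5_data),
        ("SignatureMethod", method),
        ("Timestamp", str(timestamp)),
    ]
    return "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in fields)


def make_request(access_key: str, type_data: str, timestamp: int, key: bytes = SLICE_KEY) -> dict:
    """Slicing-user side: request metadata plus the HMAC-SHA256 signature over SummaryData."""
    summary = build_summary_data(access_key, type_data, timestamp)
    return {
        "SINET_Access_Key": access_key,
        "TypeData": type_data,
        "SignatureMethod": "HMAC-SHA256",
        "Timestamp": timestamp,
        "Signature": hmac_sha256_manual(key, summary.encode()),
    }


def verify_request(req: dict, key: bytes, now: int, seen: set) -> tuple:
    """Access-control-device side. Recomputes SummaryData from the received fields
    (so a tampered TypeData changes MD5Data and the signature no longer matches),
    compares in constant time, enforces the Timestamp window and rejects replays."""
    if req.get("SignatureMethod") != "HMAC-SHA256":
        return False, "unsupported signature method"
    summary = build_summary_data(req["SINET_Access_Key"], req["TypeData"],
                                 req["Timestamp"], req["SignatureMethod"])
    expected = hmac_sha256_manual(key, summary.encode())
    if not hmac.compare_digest(expected, req["Signature"]):
        return False, "bad signature"
    if abs(now - int(req["Timestamp"])) > REPLAY_WINDOW_S:
        return False, "expired"
    if req["Signature"] in seen:            # identical signed request already accepted: replay
        return False, "replay"
    seen.add(req["Signature"])
    return True, "ok"


if __name__ == "__main__":
    ts = int(time.time())
    req = make_request("user-0001", "slice=eMBB;bw=100Mbps;delay=20ms", ts)
    print(verify_request(req, SLICE_KEY, ts, set()))
```

Because the whole request is bound to the shared slicing key, MD5Data adds integrity only against an attacker who lacks the key; the strength of the check rests on HMAC-SHA256 and on the verifier recomputing SummaryData from the received fields rather than trusting a digest the client supplied.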
In this embodiment, the design of the user trust submodule is as follows:
after the validity verification of the slicing user request is completed, the user authentication module evaluates the access behavior of the slicing user according to the historical interaction behavior of the user and combines an interaction evaluation mechanism to calculate the user trust degree.
Let the interaction value of the user be $V_n$, calculated as shown in formula (4-3):
where n is the number of historical accesses of the slicing user to the intelligent identification network slicing system. The system records the slicing user's historical access data in a queue Q of length l; when the number of recorded accesses exceeds l, the earliest-recorded access data at the head of the queue are discarded. $\alpha$ is a coefficient factor that adjusts how strongly the access data of each historical stage influence the trust calculation, so that more recent access data correct the trust degree more strongly. $\eta_i$ is the security evaluation of the i-th access of the slicing user to the slicing system: a normal access yields the positive value $\eta_p$, and an abnormal access yields the negative value $f_i\eta_n$, where $f_i$ is an adjustment factor calculated as in formula (4-4):
where $V_{i-1}$ is the interaction value at the slicing user's previous access.
In this embodiment the trend of the slicing user's trust degree is modelled with a Logistic curve, as shown in formula (4-5):
where D(0) is the initial trust degree, F is the upper limit of the trust degree, and a (a > 0) regulates how steeply the curve changes. Substituting the slicing user's interaction value $V_n$ into formula (4-5) with F = 1 gives the user's access trust degree D, as shown in formula (4-6):
where smaller values of D indicate lower trust.
The intelligent service layer of the intelligent identification network slicing system can adjust the access rights of slicing users according to the user trust degree combined with the access control policy. First, users are classified by trust degree. If the user's historical interaction behaviour is evaluated poorly, a relatively low trust degree results, i.e. D < L, where L is the trust-degree access threshold, and the user is refused the use of slicing resources. If the evaluation of the user's historical interaction behaviour satisfies the policy, i.e. D > L, the user is allowed to access slice resources for a short period; if the trust degree is higher still, i.e. D > H > L, where H is the trust threshold, the user is allowed to access slice resources for a long period. By introducing the concept of slicing-user trust and setting the effective duration of user access, the efficiency of access decisions is improved and the user's resource access rights change dynamically.
In addition, the user trust degree is added into the slice arrangement algorithm as one of convergence conditions, the slice arrangement strategy is adjusted by combining network available resources, the arrangement benefit is improved, and meanwhile, the arrangement safety and reliability can be enhanced.
In this embodiment, for the slice control module, the module is responsible for receiving topology information collected by the processing data transmission module, mapping the slice usage intent of the user to a set of virtual network function units VNFs to be started, and providing horizontal reconfiguration switching of the VNFs when the VNFs fail or the nodes are unavailable. This module design is divided into a user intent translation sub-module design and a slice lifecycle management sub-module design.
In this embodiment, the design of the user intention translation submodule is as follows:
The user intent translation sub-module is designed so that a user inputs service demands, which the slice control system in the intelligent service layer of the intelligent identification network converts into VNF data configuration before executing resource orchestration. The slice control module monitors the physical link topology in the network component layer in real time and from it compiles the set of available virtual resources. The underlying network topology in the network component layer is represented by $G=(N,L,B,D)$, where N is the set of programmable function nodes, L the set of network topology links between the programmable function nodes, B the bandwidth of the network topology and D its delay. Correspondingly, the slice network topology is $G_v=(N_v,L_v,B_v,D_v)$, where $N_v$ are the programmable function nodes of the slice topology, $L_v$ its links, $B_v$ its bandwidth resources and $D_v$ its delay. $C_N=\{c_{band},c_{cpu}\}$ is the set of resources in the underlying network, where $c_{band}$ and $c_{cpu}$ represent the network bandwidth resources and the memory resources of the server respectively. Assume S NSIs are to be mapped onto the network component layer; an NSI is denoted by v, the j-th NSI by $v_j$, and its topology by $G^v_j=(N^v_j,L^v_j,B^v_j,D^v_j)$; the set of resources required by $v_j$ is defined correspondingly.
In this embodiment, a cosine similarity matching method is combined to map the user intention into a VNF set in the intelligent identification network slicing system. Dividing the VNF in the intelligent identification network slicing system into vectors according to different dimensions such as bandwidth, time delay, memory, communication security level, function label and the like, dividing each dimension into a certain number level, corresponding user intention to a vector set of each dimension space, and finding an available VNF which is most matched with the resource allocation situation required by the user intention through a user intention cosine similarity algorithm to form NSI.
Cosine similarity measures the similarity of two vectors by the cosine of the angle between them in the vector space: the closer the value is to 1, the closer the angle is to 0 and the more alike the two vectors are. For two vectors with coordinates $(x_1,y_1)$ and $(x_2,y_2)$ in the two-dimensional space, the cosine similarity is given by (4-7):
$$\cos\theta=\frac{x_1x_2+y_1y_2}{\sqrt{x_1^2+y_1^2}\,\sqrt{x_2^2+y_2^2}}\qquad(4\text{-}7)$$
the slice user inputs the required function service list requirement, sets the required resource list set for each function service, after receiving the user requirement, the slice control system converts the user requirement into a VNF requirement set corresponding to the VNF resource attribute, matches the user requirement list with the available VNF list set extracted from the slice control system database through a cosine similarity algorithm, and screens according to the VNF difference degree, wherein the difference degree calculation method formula is shown in (4-8):
where Diff is the difference value (the closer it is to 0, the more similar the VNF required by the user and the VNF available in the slice control system), $\alpha$ and $\beta$ are the vector lengths of the available VNF and of the user requirement respectively, $\cos\theta$ is the cosine similarity of the two vectors, and $\lambda$ and $\mu$ are adjustment coefficients for the vector-length ratio and for the cosine similarity. The user requirement vector set is compared with the available vector set, the available vector with the smallest difference is chosen as the mapping object of each user requirement vector, and the result is the mapping vector set.
The specific algorithm process is as shown in algorithm 1:
the user intention cosine similarity algorithm performs similarity comparison by inputting a user intention vector and an available slice VNF vector set, and limits the minimum similarity size involved in the comparison process by setting a matching threshold. Step 2 initializes a number of intermediate variables, including the dimensions to which the vector relates, the size of the set of available slice VNFs, and sets an initial best matching slice vector and best variance value. And 3-9, carrying out user intention cosine similarity algorithm matching on the full-dimension attribute of each available slice, calculating a difference value, updating the VNF vector and the optimal difference value of the best matching slice, and finally returning the best matching result through the step 10.
To adapt to different network protocol types, the slicing service is labelled and managed: its version information, usage status, and the identity and position information of the slicing user are recorded, and in this embodiment the slicing service is managed with a service identifier. When a slicing user accesses the intelligent identification network slicing system service, the slice controller provides the slicing service for the user and records the service identifier. A version ID of Integer type identifies the slice version: the initial version is 1, and the version increases each time the user raises new demands or a slice network link fault requires re-orchestration. Through the data records keyed by slice version ID and slice ID, the slicing user can read the running-state parameters and slice parameters of each version and select a version ID to roll back to, and the slice control system can likewise extract the information of each slice version by version ID. To distinguish slices, a slice ID field of Integer type is designed as the main field of service identifier management and is recorded in the service identifier database as the primary key; the slicing user and the slice control system can quickly locate a slice object by its slice ID and then look up the other records about that slice. To label the resource data carried by a slice, a slice parameter field of five Integer values (20 bytes) is designed, storing the slice's bandwidth requirement, CPU requirement, security level requirement, delay requirement and a reserved field; the performance parameters carried by the slice can be read from these fields.
The states of a slice are design, instantiated but not in use, in use, reconstruction, failure and offline; the usable state of the slice is identified by a state parameter field of Integer type. In addition, a user identity and an access position identity of Integer type record the access state of the slicing user, and a target access identity and a target access position identity of Integer type record the communication terminal of the slice network, so that subsequent slice packet forwarding carries the key communication data and communication efficiency improves. The protocol type used by the slice is marked by a protocol identifier of Integer type, which makes protocol restoration and similar operations at the slice egress convenient. The content of the identifier is shown in Table 1 below.
TABLE 1
The workflow of the module is shown in fig. 5, and firstly, the slicing user and the slicing contact terminal request to access the intelligent fusion identification slicing system through the access control equipment. And after receiving the access request, the access control equipment submits the related identity information and the access information submitted by the user to the slice controller cluster. After the steps of identity verification and the like are completed, the slice controller cluster distributes the identity identification and the position identification to the access control equipment, and meanwhile, the identification information is stored and recorded in the database. When the slice user sends data, the data can carry the identification information of the user and the slice contact terminal when the data reaches the programmable node, so that the data is forwarded to participate in the slice mapping strategy, slice management service operation and the like adopted by the follow-up according to the identification.
In this embodiment, the design of the slice lifecycle management sub-module is as follows:
network slice lifecycle management mainly includes the following processes: firstly, a slice needs to be defined, and the VNF set needed by a slice user is connected to form an NSI. After the slice composition is defined, the slice needs to be instantiated. The instantiation phase requires the slice orchestration controller to reserve relevant resources for the slices, create the slices and issue relevant forwarding flow table information onto the programmable function nodes of the network component layer, while activating and making available the corresponding VNF functions on these programmable function nodes. During the active phase, the state of the network slice will be monitored. After the slicing is successfully instantiated, the monitoring program continuously feeds back the slicing operation state information and records the slicing operation state in a database according to service requirements. When the user's demand changes, the programmable function node is unusual or the link is unusual, will carry out the reconfiguration of section, will remap the VNF to carry out the instantiation operation etc. of section, feed back again to section control system and monitor etc. with reconfiguration result and link state information after accomplishing the reconfiguration. When the slice reaches the service life or the user loses the use requirement, the slice enters a offline state, at the moment, the relevant VNF function on the programmable function node is required to be closed, slice forwarding information is deleted by the arrangement controller in a mode of issuing a flow table, and meanwhile, the use state and the like of the slice in the database are updated, so that the offline work of the slice is completed.
The system divides the life cycle of the slice into five stages of slice design, slice instantiation, slice state detection, slice reconstruction and slice offline, and the module division is shown in fig. 6. And in the slice design stage, combining and designing the VNF covered by the slice according to the functional requirement proposed by the user, mapping the user requirement into a VNF set through a user intention translation module, and connecting the VNF set to form the NSI. The slice instantiation phase maps the designed NSI to the underlying physical network through the orchestration controller cluster. The slice state monitoring stage is to observe the running state of the slice, record the use log, network condition, downtime state and the like, and collect bandwidth and time delay information and the like in the network topology through in-band sensing telemetry in the network component layer. The slice reconstruction stage is to reconstruct and map slices according to slice states and user requirements. And in the slice offline stage, recovering network resources of the slice, and releasing slice connection.
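An added example (not from the patent) of the service identifier fields and the lifecycle stages described above: the 20-byte slice parameter field of five Integer values is packed and parsed with bounds checks, the version ID is incremented on reconstruction as the identifier description requires, and state changes are checked against the transitions the lifecycle description allows. The 4-byte big-endian encoding, the numeric state codes and the exact transition set (in particular which states may enter failure) are assumptions.

```python
import struct
from dataclasses import dataclass
from enum import IntEnum

# Byte layout is an assumption: the patent fixes five Integer fields in 20 bytes, so
# 4-byte signed integers in network (big-endian) order are used here.
SLICE_PARAMS = struct.Struct(">5i")   # bandwidth, cpu, security_level, delay, reserved


class SliceState(IntEnum):             # state parameter field; the numeric codes are constructed
    DESIGN = 0
    INSTANTIATED = 1                   # instantiated, not yet in use
    IN_USE = 2
    RECONSTRUCTION = 3
    FAILURE = 4
    OFFLINE = 5


# Transitions taken from the lifecycle description: design -> instantiate -> use; use ->
# reconstruct (demand change, node or link abnormal) -> use; offline at end of life.
# Which states may enter FAILURE, and that FAILURE may be reconstructed, is assumed.
ALLOWED_TRANSITIONS = {
    SliceState.DESIGN: {SliceState.INSTANTIATED},
    SliceState.INSTANTIATED: {SliceState.IN_USE, SliceState.OFFLINE},
    SliceState.IN_USE: {SliceState.RECONSTRUCTION, SliceState.FAILURE, SliceState.OFFLINE},
    SliceState.RECONSTRUCTION: {SliceState.IN_USE, SliceState.FAILURE},
    SliceState.FAILURE: {SliceState.RECONSTRUCTION, SliceState.OFFLINE},
    SliceState.OFFLINE: set(),
}


@dataclass
class SliceRecord:
    slice_id: int                      # primary key in the service identifier database
    version_id: int = 1                # starts at 1, incremented on every re-orchestration
    bandwidth: int = 0
    cpu: int = 0
    security_level: int = 0
    delay: int = 0
    reserved: int = 0
    state: SliceState = SliceState.DESIGN

    def pack_params(self) -> bytes:
        """Serialize the 20-byte slice parameter field."""
        return SLICE_PARAMS.pack(self.bandwidth, self.cpu, self.security_level, self.delay, self.reserved)

    @classmethod
    def unpack_params(cls, slice_id: int, blob: bytes, version_id: int = 1) -> "SliceRecord":
        """Parse the slice parameter field, rejecting wrong sizes and negative requirements."""
        if len(blob) != SLICE_PARAMS.size:
            raise ValueError(f"slice parameter field must be {SLICE_PARAMS.size} bytes, got {len(blob)}")
        bw, cpu, sec, delay, reserved = SLICE_PARAMS.unpack(blob)
        if min(bw, cpu, sec, delay) < 0:
            raise ValueError("negative resource requirement in slice parameters")
        return cls(slice_id, version_id, bw, cpu, sec, delay, reserved)

    def transition(self, new_state: SliceState) -> "SliceRecord":
        """Apply a lifecycle transition; entering reconstruction produces a new slice version."""
        if new_state not in ALLOWED_TRANSITIONS[self.state]:
            raise ValueError(f"illegal transition {self.state.name} -> {new_state.name}")
        if new_state is SliceState.RECONSTRUCTION:
            self.version_id += 1
        self.state = new_state
        return self


if __name__ == "__main__":
    rec = SliceRecord(7, bandwidth=100, cpu=2, security_level=3, delay=20)
    print(rec.pack_params().hex())
    print(rec.transition(SliceState.INSTANTIATED).transition(SliceState.IN_USE).transition(SliceState.RECONSTRUCTION))
```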
In the slice reconstruction stage, if a programmable function node fails and a VNF has to be rearranged and remapped, the invention provides a VNF reconstruction algorithm based on k-means clustering: all VNF sets are divided into k clusters such that objects within a cluster are similar to each other and objects in different clusters are dissimilar, so a VNF can be replaced among the nodes of its own cluster. In this embodiment a partition-based clustering algorithm is selected. Assuming the number of programmable function nodes is N, the node set is partitioned into k subsets, that is, k classes; the N function nodes are assigned to the k classes so that the distance from each function node to the centre of its class is minimal, and the clustering criterion is the sum of squared errors shown in formula (4-9):
where $a_i$ represents the ith cluster centre, $E_i$ the ith sample subset, $N_i$ the number of programmable function nodes contained in the ith cluster, x one sample in the subset, and S the total squared error. The goal is to find the $a_i$ that make S globally minimal. The VNF reconstruction algorithm flow based on k-means clustering is shown in Algorithm 2:
$N_i = N_i - 1$ (4-13)
$N_k = N_k + 1$ (4-16)
The VNF reconstruction algorithm based on k-means clustering takes the programmable function node set, the failed nodes and the cluster number as input and, after k-means clustering and replacement node selection, returns the squared error, each cluster set and the replacement nodes $x_1', \ldots, x_n'$. Step 2 is the initialisation stage: the clusters are initially divided and the related intermediate variables are initialised. Steps 3 to 18 are the sample correction stage, in which the cluster division is computed by iterative loops. Steps 19 to 25 select a replacement node for the failed node from its cluster: if the cluster size is not 1, the replacement node is another random node in the same cluster as the failed node, and both the failed node and the replacement node are removed from the selectable node set; if the cluster size is 1, i.e. the cluster contains only the failed node, the k value is too large, so k is reduced and the clusters are re-divided in the next round. Steps 26 to 29 re-divide the clusters with the reduced k for the failed nodes that have not yet obtained a replacement, and the loop continues until every failed node has a replacement. Step 30 returns the squared error, the classification result of each cluster and the set of replacement nodes. For the selection of k, the elbow method can be used: choose the value at which the total sum of squared errors stops decreasing significantly, i.e. the inflection point.
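The reconstruction procedure above, written out as an added example (not the patent's own code): nodes are clustered with partition-based k-means, a failed node is replaced by another selectable node of its own cluster, and when a failed node has no partner in its cluster k is decremented and the clustering repeated. The node feature vectors, the failed-node set and the Euclidean distance are constructed assumptions, since the page does not say which node features are clustered.

```python
"""VNF reconstruction by k-means clustering of programmable function nodes,
following the steps of Algorithm 2 as described above.

Added example, not the patent's code. The node coordinates (a constructed
2-D feature per node), the failed-node set and the Euclidean distance are
assumptions; the page does not say which node features are clustered.
"""
import random
from typing import Dict, List, Tuple

Point = Tuple[float, float]

# constructed feature vectors for eight programmable function nodes: two natural groups
NODES: Dict[str, Point] = {
    "n1": (0.0, 0.0), "n2": (1.0, 0.0), "n3": (0.0, 1.0), "n4": (1.0, 1.0),
    "n5": (10.0, 10.0), "n6": (11.0, 10.0), "n7": (10.0, 11.0), "n8": (11.0, 11.0),
}


def sq_dist(p: Point, q: Point) -> float:
    return (p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2


def squared_error(nodes: Dict[str, Point], clusters: List[List[str]],
                  centres: List[Point]) -> float:
    """S: sum over clusters of squared distances from the members to the centre a_i."""
    return sum(sq_dist(nodes[n], c) for members, c in zip(clusters, centres) for n in members)


def kmeans(nodes: Dict[str, Point], k: int, rounds: int = 50,
           seed: int = 0) -> Tuple[List[List[str]], List[Point], float]:
    """Partition-based k-means: initial division, then iterative sample correction."""
    rng = random.Random(seed)
    names = sorted(nodes)
    centres = [nodes[n] for n in rng.sample(names, k)]
    clusters: List[List[str]] = [[] for _ in range(k)]
    for _ in range(rounds):
        new_clusters: List[List[str]] = [[] for _ in range(k)]
        for n in names:                                   # assign to the nearest centre
            idx = min(range(k), key=lambda i: sq_dist(nodes[n], centres[i]))
            new_clusters[idx].append(n)
        for i, members in enumerate(new_clusters):        # recompute the centres
            if members:
                centres[i] = (sum(nodes[m][0] for m in members) / len(members),
                              sum(nodes[m][1] for m in members) / len(members))
        if new_clusters == clusters:                      # division is stable: stop
            break
        clusters = new_clusters
    return clusters, centres, squared_error(nodes, clusters, centres)


def reconstruct(nodes: Dict[str, Point], failed: List[str], k: int,
                seed: int = 0) -> Tuple[float, List[List[str]], Dict[str, str]]:
    """Choose a replacement for every failed node from its own cluster.

    Steps 19-29 of Algorithm 2: the replacement is another random selectable
    node of the same cluster, and both nodes leave the selectable set. If a
    failed node has no selectable partner in its cluster (the cluster-size-1
    case, generalised here to 'no candidate'), k was too large: decrement k
    and re-cluster for the failed nodes that are still pending.
    """
    rng = random.Random(seed)
    selectable = set(nodes) - set(failed)
    pending, replacements = list(failed), {}
    clusters, _, s = kmeans(nodes, k, seed=seed)
    while pending:
        still_pending = []
        for f in pending:
            cluster = next(c for c in clusters if f in c)
            candidates = [n for n in cluster if n in selectable]
            if candidates:
                replacements[f] = rng.choice(candidates)
                selectable.discard(replacements[f])
            else:
                still_pending.append(f)
        if still_pending:
            if k == 1:
                raise ValueError(f"no selectable replacement for {still_pending}")
            k -= 1                                        # k too large: re-divide
            clusters, _, s = kmeans(nodes, k, seed=seed)
        pending = still_pending
    return s, clusters, replacements


if __name__ == "__main__":
    print(reconstruct(NODES, ["n1"], k=2))
    print(reconstruct(NODES, ["n1", "n2", "n3", "n4"], k=2))
```

With one failed node the replacement comes from the same group; when all four nodes of a group fail, k drops to 1 and the replacements are drawn from the other group.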
In this embodiment, the slice arrangement module is responsible for arranging and mapping the VNF list generated by the slice control module onto the underlying network. It designs a slice arrangement algorithm that optimises arrangement performance and improves security during arrangement, and encrypts the arrangement information with the user identity identifier using an SM9-based encryption algorithm. The module design is divided into the arrangement algorithm sub-module design and the signaling security encryption sub-module design.
The design for the orchestration algorithm sub-module is as follows:
The node utilization level is defined, for a programmable function node onto which the NSI is mapped, as the ratio of the amount of resources used by the slicing user to the amount of resources required by the NSI. Let instance $v_j$ have k VNFs to be mapped onto the network component layer, whose number of programmable function nodes is R; the node utilization level after the ith VNF has been mapped is calculated as shown in formula (4-17):
where $\delta_1$ and $\delta_2$ are balance weights that adjust the proportion of the resources required by $v_j$, with $\delta_1 + \delta_2 = 1$; the formula uses the remaining available bandwidth resource and the remaining available CPU resource of the programmable function node, together with the bandwidth resource and the CPU resource that $v_j$ requires when mapped onto the ith programmable function node. The node utilization level corresponding to the NSI is shown in formula (4-18):
where k is the total number of nodes that need to be mapped onto the programmable function nodes of the network component layer. The node utilization level of the NSI is calculated as a weighted average of the node utilization levels of the programmable function nodes; a larger value represents a higher node utilization level and a smaller value a lower one. The mapping security level of $v_j$ is shown in formula (4-19):
where the first term is the node utilization level of $v_j$ and the second is the user trust degree, with $\varepsilon_1 + \varepsilon_2 = 1$; the weights balancing the two ratings can be adjusted according to requirements. The specific process of the security level mapping algorithm is shown in Algorithm 3:
step 2 is an initialization stage, parameter values required by an algorithm are set, and steps 3 to 10 are a second stage, aiming at circularly calculating the user trust according to the historical interaction evaluation value of the userStep 11 is a third stage, according to v j Calculating the node utilization level, step 12 and step 13 as final stages, calculating and returning the mapped security level +. >
First, a particle swarm of size R is initialised; a single particle represents one mapping of the network slice instance $v_j$. Suppose $v_j$ has A nodes in total to be mapped, and $position_i = (position_{i1}, position_{i2}, \ldots, position_{iA})$ is the mapping position of particle i, where $i \in [1, R]$ and $position_{ia}$ is the specific location in the physical network onto which particle i maps network function a. The velocity update of the particles is shown in equation (4-20) and the position update in equation (4-21):
$v_i(n+1) = \omega v_i(n) + c_1\,\mathrm{rand}()\,(pbest_i(n) - present_i(n)) + c_2\,\mathrm{rand}()\,(gbest_i(n) - present_i(n))$ (4-20)
$position_i(n+1) = position_i(n) + v_i(n+1)$ (4-21)
The optimization function of the system arrangement algorithm is shown in formula (4-22):
$\max\{p \cdot c'_{band} + (c_{band} - c'_{band}) \cdot b + d \cdot c'_{cpu}\}$ (4-22)
subject to
where $v_i(n)$ is the offset velocity of particle i, $position_i(n)$ is the position of the particle in the physical network, $\omega$ is the inertia coefficient that adjusts the search speed in the position space, $c_1$ and $c_2$ are the learning coefficients of the particles, $pbest_i(n)$ is the optimal mapping value of the particle in the current period, and $gbest_i(n)$ is the best mapping value among all particles. $c'_{band}$ is the bandwidth allocated to $v_j$, $c'_{cpu}$ is the CPU resource allocated to $v_j$, p is the unit bandwidth benefit of $v_j$, b is the unit bandwidth benefit when bandwidth is allocated to non-slice use, d is the unit CPU benefit allocated to $v_j$, and $\gamma$ is the security threshold. The flow of the intelligent identification network slice orchestration algorithm (RUSA) is shown in Algorithm 4:
Steps 2 to 6 initialise the intermediate variables of the arrangement algorithm, including the initial positions and initial velocities of the particle swarm. Steps 7 to 11 iteratively obtain the optimal mapping position according to the security performance requirement of the slice mapping, combined with the actual physical resource set, ensuring the arrangement benefit and making the mapping result satisfy the security threshold $\gamma$. Finally, step 12 returns the optimal mapping position.
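The swarm search of Algorithm 4 with the update rules (4-20), (4-21) and the objective (4-22), as an added example that is not the patent's code. The node table, VNF demands, benefit coefficients p, b, d and the weights are constructed; security_level() is a stand-in for the mapping security level of (4-19), whose formula the page does not reproduce (only its structure: a weighted node utilization level plus a weighted user trust degree, checked against the threshold gamma).

```python
"""Particle-swarm slice orchestration (RUSA) after equations (4-20) to (4-22).

Added example, not the patent's code. Constructed assumptions: the node table,
the VNF demands, the benefit coefficients, and security_level(), which stands
in for the mapping security level of (4-19) with assumed weights and a fixed
user trust value.
"""
import itertools
import random
from typing import List, Tuple

Position = List[int]  # position_i = (position_i1, ..., position_iA): VNF a -> node index

# constructed network component layer: remaining (bandwidth, cpu) per programmable node
NODES = [(100, 8), (60, 4), (20, 16), (80, 8)]
# constructed slice instance v_j: (bandwidth, cpu) demanded by each of its A VNFs
VNFS = [(30, 2), (50, 4), (10, 6)]
C_BAND = sum(bw for bw, _ in NODES)   # c_band: bandwidth of the whole pool
P, B, D = 3.0, 1.0, 2.0               # p, b, d: unit benefits of (4-22)
DELTA1, DELTA2, EPS1, EPS2 = 0.5, 0.5, 0.5, 0.5   # balance weights, each pair sums to 1
USER_TRUST = 0.8                      # constructed trust degree of the slice user


def place(position: Position):
    """Serve each VNF from its node in order; a node gives at most what it has
    left (assumption). Returns per-node used (bw, cpu) and the two totals."""
    used = [[0, 0] for _ in NODES]
    for a, node in enumerate(position):
        bw = min(VNFS[a][0], NODES[node][0] - used[node][0])
        cpu = min(VNFS[a][1], NODES[node][1] - used[node][1])
        used[node][0] += bw
        used[node][1] += cpu
    return used, sum(u[0] for u in used), sum(u[1] for u in used)


def objective(position: Position) -> float:
    """p*c'_band + (c_band - c'_band)*b + d*c'_cpu, the quantity maximised in (4-22)."""
    _, band, cpu = place(position)
    return P * band + (C_BAND - band) * B + D * cpu


def security_level(position: Position) -> float:
    """eps1 * node utilization level + eps2 * user trust (structure of (4-19)).
    The node utilization level is taken as the mean over the nodes touched of
    delta1 * bw_used/bw_avail + delta2 * cpu_used/cpu_avail (assumption)."""
    used, _, _ = place(position)
    levels = [DELTA1 * u[0] / n[0] + DELTA2 * u[1] / n[1]
              for u, n in zip(used, NODES) if u != [0, 0]]
    return EPS1 * sum(levels) / len(levels) + EPS2 * USER_TRUST


def rusa(gamma: float, swarm: int = 24, iters: int = 60, omega: float = 0.6,
         c1: float = 1.5, c2: float = 1.5, seed: int = 1) -> Position:
    """Algorithm 4: swarm search for the best-benefit mapping whose security
    level reaches gamma. Infeasible mappings get a negative, distance-scaled
    fitness so the swarm is pulled towards feasibility but never prefers them."""
    rng = random.Random(seed)
    A, R = len(VNFS), len(NODES)

    def fitness(p: Position) -> float:
        gap = gamma - security_level(p)
        return objective(p) if gap <= 0 else -1e4 * gap

    pos = [[rng.randrange(R) for _ in range(A)] for _ in range(swarm)]
    vel = [[0.0] * A for _ in range(swarm)]
    pbest = [p[:] for p in pos]
    gbest = max(pbest, key=fitness)[:]
    for _ in range(iters):
        for i in range(swarm):
            for a in range(A):
                # (4-20): inertia, pull towards own best, pull towards global best
                vel[i][a] = (omega * vel[i][a]
                             + c1 * rng.random() * (pbest[i][a] - pos[i][a])
                             + c2 * rng.random() * (gbest[a] - pos[i][a]))
                # (4-21), rounded and clamped because a position is a node index
                pos[i][a] = min(R - 1, max(0, round(pos[i][a] + vel[i][a])))
            if fitness(pos[i]) > fitness(pbest[i]):
                pbest[i] = pos[i][:]
            if fitness(pbest[i]) > fitness(gbest):
                gbest = pbest[i][:]
    return gbest


def exhaustive_best(gamma: float) -> Tuple[Position, float]:
    """Reference optimum over all R^A mappings, to check the swarm result against."""
    feasible = [list(p) for p in itertools.product(range(len(NODES)), repeat=len(VNFS))
                if security_level(list(p)) >= gamma]
    best = max(feasible, key=objective)
    return best, objective(best)


if __name__ == "__main__":
    for gamma in (0.7, 0.88):   # a stricter threshold trades benefit for security
        best = rusa(gamma)
        print(gamma, best, objective(best), round(security_level(best), 3), exhaustive_best(gamma))
```

Raising the threshold from 0.7 to 0.88 forces the whole slice onto a single heavily used node, and the attainable benefit drops from 464 to 436.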
The design of the signaling security encryption sub-module is as follows:
The signaling security encryption and decryption module of the slice arrangement module is shown in fig. 7. The module integrates the identification allocation mechanism of the intelligent fusion identification network, designs an SM9-based signaling security encryption algorithm for the intelligent fusion identification network, and applies encryption to the instructions forwarded within the arrangement module. SM9 is an identity-based encryption algorithm built on bilinear pairings; it provides encryption and decryption for the signaling sent during the arrangement process of a slicing user through that user's identifier. Because no third-party certificate store or key store is needed, the algorithm makes it easier for the slice control system to control arrangement security, and it also alleviates to some extent the long cycle and high cost of the encryption and decryption process.
Let the arrangement signaling be the bit stream S with bit length l, the length of the user's identity identifier user_ID be user_len, and the length of the destination access identifier dest_ID be dest_len; the encryption algorithm flow is shown as Algorithm 5. First, the element $Q_B$ of group $G_1$ is calculated; then a random number r is generated, and the element $C_1$ of group $G_1$ and the elements g and w of group $G_T$ are calculated. The plaintext is encrypted with a block cipher combined with a key derivation function, so the integer klen is calculated, $C_2$ and $C_3$ are computed, and the final ciphertext C is obtained.
Let mlen be the length of $C_2$, the length of the user identity identifier user_ID be user_len, and the length of the destination access identifier dest_ID be dest_len; the decryption algorithm flow is shown as Algorithm 6. The algorithm first checks whether the bit string $C_1$ in the final ciphertext C is a point on the elliptic curve group $G_1$, then computes the element w' of group $G_T$ and converts it into a bit string. Since the plaintext was encrypted with a block cipher combined with a key derivation function, the integer klen is calculated during decryption and M' is computed. Finally, u is calculated, compared with the bit string $C_3$, and the plaintext M' is output.
Through the SM9-based signaling security encryption and decryption algorithm of the intelligent fusion identification network, the signaling forwarded in the arrangement module is encrypted and protected, so that arrangement signaling cannot be stolen to reveal user privacy data, and the security of the mapping process of the intelligent fusion identification network slicing system is enhanced.
In this embodiment, the data transmission module is responsible for implementing the arrangement mapping result generated by the slice arrangement module on the programmable function nodes of the network component layer. It implements the forwarding logic of the slice with the data plane programming language P4, encapsulates user data into slices of different types for transmission, and in addition designs an INT-based in-band sensing telemetry function that senses and records the slice topology globally. The module design is divided into the programmable forwarding sub-module design and the in-band sensing telemetry sub-module design.
The design of the programmable forwarding sub-module in this embodiment is as follows:
three slice network data transmission formats are designed, and are respectively: the transmission protocols of the IPv4 slice, the IPv6 slice and the SINET slice, that is, the network layer include the above three types, wherein the mapping relationship of the protocol type EtherType in the ethernet field is shown in table 2 below, and the message format is shown in fig. 8.
Table 2 protocol type mapping relationship
The EtherType of the IPv4 slice is 0x0800, that of the IPv6 slice is 0x86dd, and that of the SINET slice is 0x8999. In the slice encapsulation phase, the programmable switch adds the encapsulation header of the respective protocol type to the slicing user's original packets. Accordingly, the protocol type in the Ethernet header is updated; when the slice data is about to leave the slice network, i.e. when it reaches the last forwarding programmable function node, the Ethernet protocol field is restored.
The field functions of the three slice transport data headers are set forth separately, with the header field functions of the IPv4 slices as shown in table 3 below.
Table 3 header field function of IPv4 slices
The module design supports cooperative transmission of the three protocol slices IPv4/IPv6/SINET, with logical isolation between slices. A user can transmit data in a single protocol slice, switch to slices of another protocol type according to their own requirements and the protocol state of the peer terminal, or transmit data over two or more slice transmission modes of different protocols. Since IPv6 is a relatively recent network protocol with a short lifetime so far, IPv4 is still the base protocol run by most Internet devices and the ports of most devices are still configured with IPv4 addresses, so this design supports IPv4-type slices to provide communication for users. In addition, an IPv6-type slice is designed to accommodate devices whose protocol has been updated and to provide them with an IPv6 communication mode. SINET slices are also designed, providing identity identifiers and access identifiers and improving the flexibility of communication. The header fields of the IPv6 slice are shown in Table 4 below:
Table 4 header field function of IPv6 slices
The header field function of the SINET slice is shown in Table 5 below:
table 5 header field function of SINET slice
Next, forwarding logic when the programmable function node receives slice data is designed, and fig. 9 is a flow chart of a header parsing process.
First, the header parsing flow after the arrival of the packet:
(1) After a packet arrives, the Ethernet header is extracted first, the protocol type is checked to determine the slice type, and the IPv4 header, IPv6 header or SINET header is extracted accordingly.
(2) For the SINET slice type, the src_id_len field of the SINET header must also be extracted to determine the length of the host node identifier carried; according to the result, the parser transfers to the corresponding parsing state to extract host node identifiers of different lengths.
(3) For the SINET slice type, the pid field must also be extracted to identify and restore the user protocol type.
After the header parsing flow of the slice data packet is completed, the related actions of processing the slice need to be designed:
(1) First, a SINET encapsulation action is needed. Its flow table entry parameters comprise the destination MAC address, the source and destination programmable function node identifiers, the host identifier and the output port. Through this action a SINET slice header is assembled for the user and identifiers are carried to indicate the forwarding path of the slice; the encapsulation action of the matching length is selected according to the number of node identifiers of different lengths indicated by the passed src_id_len.
(2) The encapsulation action for IPv6 slice packets, used to create an IPv6 slice and forward slice packets; its entry parameters are the destination MAC address, the egress port, the source IPv6 address and the destination IPv6 address.
(3) The forwarding action based on the IPv4 slice identifier; its entry parameters are the destination MAC address and the egress port, and it indicates the transmission path of the slice.
(4) The forwarding actions based on the SINET slice identifier; the entry parameters are the destination MAC address and the egress port, and a corresponding number of forwarding actions must be designed for the different host identifier lengths in use.
(5) The forwarding action based on the IPv6 slice identifier; the entry parameters are the destination MAC address and the egress port, and the slice forwarding path is set according to the identifier.
(6) The SINET slice decapsulation action: when a SINET slice packet reaches the last programmable function node and is about to be transmitted out of the slice network, the slice type is restored to the protocol type of the user's original packet; the entry parameters comprise the destination MAC address and the egress port.
(7) The action that removes the encapsulation of IPv6 slice data works on the same principle; the entry parameters needed are the destination MAC address and the egress port, the slice protocol is restored to the data protocol the user used on access, and the slice data is delivered.
(8) When the slice data matches no table, i.e. the slice forwarding logic is not satisfied, the packet is discarded.
Then, the above actions are assembled into tables corresponding to the flow table; the related function design of the tables is shown in Table 6:
table 6 programmable forwarding sub-module table related function design
When the programmable function node receives a user packet, the packet is assembled into the slice type of the corresponding protocol according to the mapping result by table matching and forwarded; when the user selects multi-protocol slicing, the protocol type to which the packet is converted is controlled through a register. The proportion of packets sent is also set by the value of the register, which controls the bandwidth occupied by the slice.
In this embodiment, the design of the in-band sensing telemetry sub-module is as follows:
The module uses INT technology to extract network topology information from the network component layer: by adding probe information to the packet header at the programmable function nodes along the slice transmission path, it can obtain network information such as the bandwidth, transmission delay, packet loss and queue depth of a slice, and it feeds the data back to the slice control module as data support for the slice control system to adjust the life cycle and mapping strategy of the slice. The INT header is designed first: based on the original IPv4 header structure, additional Probe, probe_data and probe_fwd headers are placed after the IPv4 header and the TCP/UDP header. The INT header format finally designed for the in-band sensing telemetry sub-module is shown in fig. 10, and the functions of the header fields are shown in Table 7.
TABLE 7 in-band awareness telemetry sub-module INT header field function
In this module, INT probe messages periodically traverse the whole slicing network from an INT sending source to acquire network topology information such as bandwidth, delay, packet loss and queue depth. The information is collated at the INT receiving end and fed back to the in-band sensing telemetry control plane, where it is stored for use by other modules; the packets sent by slicing users in the network are likewise recorded in real time and uploaded to the control plane. The Probe header of the probe message acts as the probe identifier and records how many programmable function nodes have been traversed on a given slice so far; every probe message carries one Probe header. The probe_fwd header indicates the path for the Probe header: the direction of the probe is controlled through the egress_spec field, and as an extension the swid field assigns a node identifier to the programmable function node and assigns a specific packet-sending proportion to the slices on different ports of the node. At the INT sending source, one probe_fwd header per programmable function node on the probe path is constructed in advance for the probe message according to the topology information. The probe_data header records, for each slice port of the programmable function node, the byte count, the number of ingress packets, the number of egress packets, the queue depth, the packet arrival time and departure time, and so on; these values are stored in the register at the bit position corresponding to the port number, are updated when a Probe message arrives, and are used to build the probe_data header, which every programmable function node constructs each time it handles the probe.
Finally, the assembled probe message reaches the INT receiving end, where the information in the probe_data headers is extracted, uploaded to the in-band sensing telemetry control plane for analysis and storage, and recorded in a log. The operation model of the in-band sensing telemetry module is shown in fig. 11.
Next, the data acquisition flow is designed, and fig. 12 is a flow chart of processing when a programmable function node in the in-band sensing telemetry sub-module receives a data packet:
(1) To periodically sense the resource information of each link in the slice network, the INT sending end periodically transmits an INT probe message. The INT sending source initialises the probe message: it constructs an Ethernet header according to the topology information, sets the EtherType to the INT probe message type, initialises the Probe header and sets hop_cnt to 0, meaning that no programmable function node has been passed yet. In addition, the INT source sets the learn field as required; if a slicing user needs to use several slices, the packet-sending rate on each slice can be initialised for the user through the learn field. It then initialises the probeFwd headers, adding as many probeFwd headers to the probe message as there are programmable function node switches on the probe path, and sets the egress_spec field of each probeFwd header according to the path to be probed, representing the output port of the packet when it arrives at the corresponding programmable function node.
(2) On receiving a probe message, the programmable function node selects the header parsing flow according to the etherType of the Ethernet header. If the type is an IPv4, IPv6 or SINET message, the packet is normal user slice data traffic: its header is parsed according to the slice forwarding logic and the subsequent forwarding flow continues. If the type is an INT probe packet, the Probe header is extracted first, and whether the probe packet contains probe_data headers is decided from the value of the hop_cnt field in the Probe header. A hop_cnt of 0 means the INT probe packet has not yet passed any programmable function node; the probe_fwd header is then parsed to obtain the output port of the probe message and, if the user requires it, the packet-sending proportions of the multiple slices the user expects to use are extracted. A hop_cnt greater than 0 means the probe packet received by the node has already passed some nodes and carries probe_data headers recording topology information; the corresponding number of probe_data headers is extracted in a loop, and after they have been extracted the probe_fwd header is extracted.
(3) After the programmable function node has parsed the headers, the packet is processed further according to the extracted header information. First, the register entry indexed by the ingress port of the packet is read to obtain the number of packets received from that port in the current probe period, and the value is incremented by one; if the packet does not carry a Probe header, the new packet count is written back to the register entry of that port, otherwise the entry is cleared, meaning that counting for one period is complete.
(4) After the packet count has been updated, if the user has enabled multi-slice data transmission, the number of packets sent from each output port corresponding to the slice on the programmable function node is read from a register, the packet counts are matched against the ports used to send them, and the configured packet-sending proportion is looked up.
(5) If the packet is a Probe probe message, the packet-sending proportion of the corresponding port is set for the programmable function node according to the value of the learn field; if it is an ordinary slice data stream, the current sending port is decided from the packet counts obtained in step (4), and the port number is passed on within the node as metadata.
(6) Once the sending port is determined, the value stored in the register is updated from the number of packets sent so far and the number sent on the corresponding port under the configured per-path packet-sending proportion, so that the next sending port can be chosen, and the packet is then sent from the corresponding port.
(7) At the sending port, the fields of probe_data are set from registers and the topology statistics are collected. First, the register entry indexed by the port number is read to obtain the number of packets sent from the port in the current probe period; if the packet is not a Probe probe message, the period has not ended, the packet is added to the existing count and the result is written back to the register entry of that port to update the data. If the period has ended, the data is cleared, meaning that a new statistical period starts. The number of bytes sent from the corresponding port is obtained in the same way; the time of the first packet sent from the port at the beginning of the period is read from the register and stored in the last_time field, the current system time is stored in the cur_time field, the number of ingress packets is stored in the pckcont field, the number of egress packets is stored in the enpckcont field, and the queue depth at the time the packet was processed is taken from the metadata and stored in the qdepth field. In addition, the bos field of probe_data is set to 1 according to whether probe.hop_cnt is 1, so as to mark it for the header parsing at the next node.
When the INT receiving end receives the INT probe packet, the bandwidth of the slice is calculated from the byte_cnt field and the difference between cur_time and last_time in the ProbeData header, the queue depth is read from qdepth, the packet loss rate is obtained from the difference between enpckcont and pckcont, the delay is obtained from the difference between the cur_time of the first ProbeData header and the cur_time of the newest ProbeData header, and the topology information is printed in log form in the in-band telemetry sensing control plane for the control plane to read.
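The receiving-end computation described above, as an added example that is not the patent's code: the stack of probe_data headers is parsed until bos is set, and per-hop bandwidth, loss rate and queue depth plus the path delay are derived from the named fields. The wire layout (field widths, microsecond timestamps, hop order) is a constructed assumption, since the page names the fields but not their sizes; a hop whose egress counter exceeds its ingress counter is flagged rather than reported as negative loss.

```python
"""INT receiver: turn the stack of probe_data headers carried by a probe
message into per-hop and per-path slice metrics, as described above.

Added example, not the patent's code. The wire layout of probe_data (field
widths, microsecond timestamps, bos terminating the stack, hop order) is a
constructed assumption: the page names the fields but not their sizes.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# assumed layout: swid, bos, byte_cnt, pckcont, enpckcont, qdepth, last_time, cur_time
PROBE_DATA = struct.Struct("!BBIIIIQQ")   # 34 bytes per hop


@dataclass
class ProbeData:
    swid: int        # node identifier assigned through probe_fwd
    bos: int         # bottom-of-stack flag, 1 on the last header
    byte_cnt: int    # bytes sent from the slice port during this probe period
    pckcont: int     # packets that entered the node on the port
    enpckcont: int   # packets that left the node on the port
    qdepth: int      # queue depth seen while processing the probe
    last_time: int   # first packet of the period, microseconds
    cur_time: int    # time the node processed the probe, microseconds


@dataclass
class HopMetrics:
    swid: int
    bandwidth_bps: Optional[float]   # None when the period has zero length
    loss_rate: float
    qdepth: int
    anomaly: Optional[str] = None    # set when the counters are inconsistent


def parse_probe_data_stack(payload: bytes) -> List[ProbeData]:
    """Walk probe_data headers until bos == 1, as a P4 parser loop would."""
    hops, offset = [], 0
    while True:
        if offset + PROBE_DATA.size > len(payload):
            raise ValueError("probe_data stack truncated before bos")
        hop = ProbeData(*PROBE_DATA.unpack_from(payload, offset))
        hops.append(hop)
        offset += PROBE_DATA.size
        if hop.bos == 1:
            return hops


def hop_metrics(h: ProbeData) -> HopMetrics:
    """Bandwidth from byte_cnt over (cur_time - last_time), loss from the
    ingress/egress packet counters, queue depth straight from qdepth."""
    elapsed_us = h.cur_time - h.last_time
    bandwidth = h.byte_cnt * 8 / (elapsed_us / 1e6) if elapsed_us > 0 else None
    if h.enpckcont > h.pckcont:   # a register that was not cleared, or a bad report
        return HopMetrics(h.swid, bandwidth, 0.0, h.qdepth, "egress count exceeds ingress count")
    loss = (h.pckcont - h.enpckcont) / h.pckcont if h.pckcont else 0.0
    return HopMetrics(h.swid, bandwidth, loss, h.qdepth)


def path_metrics(payload: bytes) -> Dict[str, object]:
    """Per-hop metrics plus the path delay (spread of cur_time across the
    stack) and the bottleneck bandwidth: what the control plane would log."""
    hops = parse_probe_data_stack(payload)
    per_hop = [hop_metrics(h) for h in hops]
    rates = [m.bandwidth_bps for m in per_hop if m.bandwidth_bps is not None]
    return {
        "hops": per_hop,
        "delay_us": max(h.cur_time for h in hops) - min(h.cur_time for h in hops),
        "bottleneck_bps": min(rates) if rates else None,
    }


# constructed probe message: three hops; the third hop reports a zero-length period
SAMPLE_PROBE = b"".join([
    PROBE_DATA.pack(1, 0, 1_250_000, 1000, 1000, 3, 1_000_000, 2_000_000),
    PROBE_DATA.pack(2, 0, 625_000, 1000, 990, 40, 1_000_500, 2_000_500),
    PROBE_DATA.pack(3, 1, 625_000, 990, 990, 0, 2_001_200, 2_001_200),
])

if __name__ == "__main__":
    for key, value in path_metrics(SAMPLE_PROBE).items():
        print(key, value)
```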
Example 2
Embodiment 2 provides a non-transitory computer readable storage medium for storing computer instructions that, when executed by a processor, implement a slice security mapping method for a smart identification network.
Example 3
This embodiment 3 provides a computer program product comprising a computer program for implementing a slice security mapping method of a smart identification network when run on one or more processors.
Example 4
Embodiment 4 provides an electronic apparatus including: a processor, a memory, and a computer program; wherein the processor is connected to the memory, and the computer program is stored in the memory, and when the electronic device is running, the processor executes the computer program stored in the memory, so that the electronic device executes the instructions for implementing the slice security mapping method of the intelligent identification network.
In summary, the slice security mapping method and system for the intelligent identification network according to the embodiments of the present invention can prevent tampering, forgery, replay and repudiation through the digest algorithm and the signature algorithm during user authentication. The user trust degree can be calculated through the user trust degree algorithm, which influences the decision to issue flow tables and enhances the security of slice arrangement. The intelligent identification network can be used to manage slice services through identifiers and to manage the underlying network resources abstractly, so that full life cycle management of slices, user intention translation and so on are realised. The performance benefit and the security of slice arrangement can be improved through the slice arrangement algorithm based on the mapping security level. The method can adapt to networks of various protocols and has strong extensibility. The switch of the data plane forwarding node is loaded with P4 and has the function of customising the packet forwarding processing logic. The switch of the data plane forwarding node is provided with INT code logic and can collect topology information such as delay, bandwidth and queue depth in the underlying network topology. The switch of the data plane forwarding node, programmed in P4, can identify network protocols through intelligent fusion and communicate among various complex protocols. The control signaling in the slice arrangement process is protected by the SM9-based identity encryption and decryption algorithm, which enhances the security of the slice arrangement process.
Slice lifecycle management in the SDN application layer has a function for connecting to a MySQL database and can write slice state data into the database at regular intervals for recording and tracing slice state information. The SDN controller can read configuration information from the configuration file. The SDN network controller can generate a corresponding flow table according to the slice orchestration requirement and issue the flow table to a programmable switching node of the data plane.
The invention designs a slice security arrangement mechanism and system based on the smart identification network architecture, which can uniformly manage information on services, switches, hosts, users and so on in slices through identifiers. Its specific advantages are as follows. The validity of the slicing user's identity is confirmed through a user signature authentication mechanism, which strengthens the security and usability of the interaction API and, to a certain extent, the security of information exchange between the slicing system and the user. Through the user trust degree model, security protection is provided for the arrangement process based on the historical interaction data between the slicing user and the slicing system, and a trust degree attribute is added to the user for slice access decisions. The mapping between the user intention and the VNFs is completed by a user intention cosine similarity algorithm, and the disaster tolerance level is improved by the clustering-based VNF reconstruction algorithm. The intelligent identification network slice arrangement algorithm is proposed to improve the security level and performance of slice arrangement, ensuring the performance benefit of slice arrangement and improving the security of slice mapping. The signaling in the designed slice arrangement process is protected with SM9 encryption, which enhances the security of issuing arrangement commands, protects the user's private data to a certain extent and strengthens the security of the communication process. The proposed data transmission mechanism realises the encapsulation and forwarding of slice data of different protocol types with the P4 programming language, provides data communication service support for networks of different protocols as required, and has high extensibility.
The INT is used for collecting network information, and data support is provided for life cycle management of the slice, so that the slice network is dynamically updated, reconstructed and the like, and the flexibility is high.
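As an added worked example (not code from the patent or its authors), the following Python sketches the user intent cosine similarity matching named above and detailed in claim 3: each user service requirement and each VNF profile is placed in a vector of the slicing system's feature dimension space, and the available VNF with the highest cosine similarity is chosen to form the NSI. The feature names, the VNF catalogue and the sufficiency filter are assumptions made here; the patent names the technique but not these details.

```python
# Added example (not the patent's code): mapping a slice requirement to the best-matching
# VNF with cosine similarity. Feature space and VNF catalogue are constructed for the demo.
import math

# Constructed feature dimension space of the slicing system; vector order follows this tuple.
FEATURES = ("bandwidth_mbps", "cpu_cores", "memory_gb", "storage_gb", "security_level")

# Constructed VNF catalogue: resources each VNF is provisioned with (not from the patent).
VNF_CATALOGUE = {
    "vfw-small": {"bandwidth_mbps": 200, "cpu_cores": 2, "memory_gb": 4, "storage_gb": 20, "security_level": 2},
    "vfw-large": {"bandwidth_mbps": 2000, "cpu_cores": 8, "memory_gb": 32, "storage_gb": 100, "security_level": 4},
    "vcache": {"bandwidth_mbps": 1000, "cpu_cores": 4, "memory_gb": 64, "storage_gb": 500, "security_level": 2},
    "vids": {"bandwidth_mbps": 500, "cpu_cores": 4, "memory_gb": 8, "storage_gb": 50, "security_level": 5},
}


def feature_scale(intent, catalogue):
    """Per-feature maximum over the intent and the catalogue, so no dimension dominates."""
    scale = {}
    for f in FEATURES:
        m = max([intent.get(f, 0.0)] + [v.get(f, 0.0) for v in catalogue.values()])
        scale[f] = m if m > 0 else 1.0
    return scale


def to_vector(profile, scale):
    """Place a requirement or VNF profile in the normalised feature space."""
    return [profile.get(f, 0.0) / scale[f] for f in FEATURES]


def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)


def is_sufficient(intent, vnf):
    """True when the VNF provides at least the requested amount in every feature."""
    return all(vnf.get(f, 0.0) >= intent.get(f, 0.0) for f in FEATURES)


def rank_vnfs(intent, catalogue=VNF_CATALOGUE, available=None, require_sufficient=True):
    """Return [(vnf_name, similarity)] sorted best first.

    available: optional set of VNF names currently usable (the claim matches against
    available VNFs). require_sufficient: drop VNFs that cannot meet the request; cosine
    similarity compares direction only, so a VNF with half the resources in the same
    proportions would otherwise score a perfect 1.0.
    """
    scale = feature_scale(intent, catalogue)
    iv = to_vector(intent, scale)
    ranked = []
    for name, profile in catalogue.items():
        if available is not None and name not in available:
            continue
        if require_sufficient and not is_sufficient(intent, profile):
            continue
        ranked.append((name, cosine_similarity(iv, to_vector(profile, scale))))
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


def build_nsi(intents, catalogue=VNF_CATALOGUE, available=None):
    """Map each service requirement of a slice request to its best VNF to form the NSI."""
    nsi = []
    for intent in intents:
        ranked = rank_vnfs(intent, catalogue, available)
        if not ranked:
            raise ValueError(f"no available VNF satisfies requirement {intent}")
        nsi.append(ranked[0][0])
    return nsi


if __name__ == "__main__":
    req = {"bandwidth_mbps": 400, "cpu_cores": 4, "memory_gb": 8, "storage_gb": 40, "security_level": 4}
    print("unfiltered:", rank_vnfs(req, require_sufficient=False)[:2])
    print("sufficient only:", rank_vnfs(req))
```

The sufficiency filter is the practical caveat: the demo requirement is exactly twice the profile of `vfw-small`, so the unfiltered ranking puts that undersized VNF first with similarity 1.0, while the filtered ranking selects `vids`, which both fits the request and is closest in shape.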
While the foregoing description of the embodiments of the present invention has been presented in conjunction with the drawings, it should be understood that it is not intended to limit the scope of the invention; rather, various changes and modifications could be made by one skilled in the art without the need for inventive effort, and these fall within the scope of the invention.

Claims (10)

1. A slice security mapping system for a smart identification network, comprising:
the user authentication module, used for performing identity authentication when a slicing user accesses the smart fusion identification network slicing system, and establishing a trusted access channel between the slicing system and the user by adopting a signature authentication algorithm;
the slice control module, used for receiving and processing the topology information collected by the data transmission module, mapping the user's slice use intent into the set of virtual network function (VNF) units to be started, and providing horizontal reconfiguration switching of a VNF when the VNF fails or its node is unavailable;
the slice orchestration module, used for orchestrating and mapping the VNF list generated by the slice control module onto the underlying network with a slice orchestration algorithm, and encrypting the orchestration information with an SM9-based encryption algorithm using the user identity;
and the data transmission module, used for realizing the orchestration mapping result generated by the slice orchestration module on the programmable function nodes of the network component layer, implementing the forwarding logic of the slice with the data plane programming language P4, encapsulating user data into slices of different types for transmission, and globally sensing and recording the slice topology through in-band network telemetry (INT).
2. The smart identification network slicing security mapping system of claim 1, wherein the user authentication module comprises a user signature authentication sub-module and a user trust degree sub-module;
the user signature authentication sub-module adopts a digest algorithm in which the key fields of a user request are spliced together to obtain a data digest; it stores the identity information of the slicing user, the sequence generated by encrypting and protecting the slicing user's service request information, and the validity period of the slicing user's service request process; the hash algorithm HMAC-SHA256 is adopted as the signature algorithm in signature authentication;
and the user trust degree sub-module is used, after validity verification of the slicing user's request is completed, for evaluating the slicing user's access behaviour from the user's historical interaction behaviour in combination with an interaction evaluation mechanism, and calculating the user trust degree of the slicing user.
3. The slice security mapping system of a smart identification network of claim 1, wherein the slice control module comprises a user intent translation sub-module and a slice lifecycle management sub-module;
the user intent translation sub-module is used for converting the service requirements input by the user into the data configuration of VNFs through the slice control system in the smart service layer of the smart identification network, and executing resource orchestration; the user service requirements are mapped into a VNF set of the smart identification network slicing system with a cosine similarity matching method; within the vector set of the feature dimension space of the slicing system corresponding to the user service requirements, the user intent cosine similarity algorithm searches for the available VNF that best matches the resource configuration of the user service requirement, forming the network slice instance (NSI);
the slice lifecycle management sub-module is used for connecting the VNF set required by the slicing user to form the NSI, instantiating the slice, continuously feeding back slice running state information, and recording the slice running state in a database according to the service requirement; when the user's requirement changes, a programmable function node is abnormal or a link is abnormal, the slice is reconstructed, the VNFs are remapped and the slice is re-instantiated, and after reconstruction is completed the reconstruction result and link state information are fed back to the slice control system again for monitoring.
4. The slice security mapping system of a smart identification network of claim 1, wherein the slice orchestration module comprises an orchestration algorithm sub-module and a signaling security encryption sub-module;
the orchestration algorithm sub-module is used for defining the node utilization level as the ratio, when the NSI is mapped to a programmable function node, of the resource quantity that the node can provide to the slicing user to the resource quantity required by the NSI; setting the parameter values required by the algorithm, cyclically calculating the user trust degree from the user's historical interaction evaluation values, calculating the node utilization level from the slice instance information, and calculating and returning the mapping security level;
the signaling security encryption sub-module is used for applying data encryption security processing to the commands forwarded within the orchestration module on the basis of the SM9-based smart identification network signaling security encryption algorithm; the security encryption algorithm is an identity-based encryption algorithm built on bilinear pairings, and provides encryption and decryption services for the signaling sent during the slicing user's orchestration process through the slicing user's user identifier.
5. The slice security mapping system of a smart identification network of claim 4, wherein the slice orchestration algorithm comprises: initializing intermediate variables, the intermediate variables comprising the initial positions and initial velocities of the particle swarm; and, according to the security performance requirement of slice mapping and in combination with the actual physical resource set, cyclically obtaining the optimal mapping position, ensuring that the mapping result meets the security threshold while preserving the orchestration benefit, and returning the optimal mapping position.
6. The smart fusion identification network slicing security mapping system of claim 4, wherein the SM9-based smart fusion identification network signaling security encryption algorithm comprises: first calculating the element Q_B of group G_1, then generating a random number r and calculating the element C_1 of group G_1 and the elements g and w of group G_T; the plaintext is encrypted with a block cipher algorithm combined with a key derivation function, so the integer klen is calculated, C_2 and C_3 are calculated, and the final ciphertext C is obtained;
the SM9-based smart fusion identification network signaling security decryption algorithm comprises the following steps: first checking whether the bit string C_1 in the final ciphertext C is a point on the elliptic curve G_1, then checking and calculating the element w' of group G_T and converting it into a bit string; since the plaintext was encrypted with a block cipher algorithm combined with a key derivation function, the integer klen is calculated during decryption and M' is calculated; finally, u is calculated and compared with the bit string C_3, and the plaintext M' is output.
7. A slice security mapping method for a smart identification network, implemented using the system of any one of claims 1 to 6, comprising:
performing identity authentication when a slicing user accesses the smart identification network slicing system, and establishing a trusted access channel between the slicing system and the user by adopting a signature authentication algorithm;
receiving and processing the topology information collected by the data transmission module, mapping the user's slice use intent into the set of virtual network function (VNF) units to be started, and providing horizontal reconfiguration switching of a VNF when the VNF fails or its node is unavailable;
orchestrating and mapping the VNF list generated by the slice control module onto the underlying network with a slice orchestration algorithm, and encrypting the orchestration information with an SM9-based encryption algorithm using the user identity;
and realizing the orchestration mapping result generated by the slice orchestration module on the programmable function nodes of the network component layer, implementing the forwarding logic of the slice with the data plane programming language P4, encapsulating user data into slices of different types for transmission, and globally sensing and recording the slice topology through in-band network telemetry (INT).
8. A computer program product comprising a computer program for implementing the slice security mapping method of the smart identification network of claim 7 when run on one or more processors.
9. A non-transitory computer readable storage medium storing computer instructions that, when executed by a processor, implement the slice security mapping method of the smart identification network of claim 7.
10. An electronic device, comprising: a processor, a memory, and a computer program; wherein the processor is connected to the memory, the computer program is stored in the memory, and the processor executes the computer program stored in the memory when the electronic device is running, causing the electronic device to execute instructions for implementing the slice security mapping method of the smart identification network as defined in claim 7.
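As an added worked example (not code from the patent or its authors), the following Python shows the request signing that claim 2 describes for the user signature authentication sub-module: the key fields of a request are spliced in a fixed order into a data digest, HMAC-SHA256 over that digest is the signature, and the request carries a validity period that the signature covers. The field names, the shared-key store, the clock-skew allowance and the nonce-based replay check are assumptions made here.

```python
# Added example (not the patent's code): signing and verifying a slicing user's API
# request. Field names, key store and replay check are assumptions for this demo.
import hashlib
import hmac
import secrets
import time

# Constructed key store: slicing-user identity -> shared secret issued at registration.
USER_KEYS = {"user-42": b"constructed-demo-secret-do-not-reuse"}

# Key fields spliced, in this fixed order, into the data digest. "expires" marks the end
# of the validity period and is covered by the signature, so it cannot be extended.
KEY_FIELDS = ("user_id", "method", "path", "timestamp", "expires", "nonce", "body_sha256")


def request_digest(request):
    """Splice the key fields into one canonical string and hash it (the data digest)."""
    canonical = "\n".join(f"{field}={request[field]}" for field in KEY_FIELDS)
    return hashlib.sha256(canonical.encode("utf-8")).digest()


def sign_request(user_id, key, method, path, body, validity_s=300, now=None, nonce=None):
    """Build the signed request a slicing user sends to the slicing system."""
    now = int(time.time()) if now is None else now
    request = {
        "user_id": user_id,
        "method": method,
        "path": path,
        "timestamp": now,
        "expires": now + validity_s,
        "nonce": nonce or secrets.token_hex(8),
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }
    request["signature"] = hmac.new(key, request_digest(request), hashlib.sha256).hexdigest()
    return request


def verify_request(request, body, now=None, seen_nonces=None, clock_skew_s=60):
    """Return "ok" when the request is authentic and inside its validity period, otherwise
    a short reason. Passing a set as seen_nonces enables replay rejection."""
    now = int(time.time()) if now is None else now
    key = USER_KEYS.get(request.get("user_id"))
    if key is None:
        return "unknown user"
    try:
        expected = hmac.new(key, request_digest(request), hashlib.sha256).hexdigest()
    except KeyError:
        return "missing field"
    # Constant-time comparison so the signature cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(expected, str(request.get("signature", ""))):
        return "bad signature"
    # Only once the signature checks out do the signed fields mean anything.
    if hashlib.sha256(body).hexdigest() != request["body_sha256"]:
        return "body mismatch"
    if now > request["expires"] or request["timestamp"] > now + clock_skew_s:
        return "expired"
    if seen_nonces is not None:
        if request["nonce"] in seen_nonces:
            return "replay"
        seen_nonces.add(request["nonce"])
    return "ok"


if __name__ == "__main__":
    body = b'{"service": "urllc", "bandwidth_mbps": 100}'
    req = sign_request("user-42", USER_KEYS["user-42"], "POST", "/api/v1/slices", body)
    print(verify_request(req, body))
```

The signature is checked before the validity period and the body hash, so an attacker who edits the expiry or the body cannot make the verifier reason about forged fields; the nonce set is what turns the validity period from a coarse window into per-request replay protection.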
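As a second added worked example (again not the patent's code), the following Python sketches the slice orchestration algorithm outlined in claims 4 and 5: a particle swarm whose positions and velocities are initialised, then iterated to find the best mapping of an NSI's VNFs onto programmable nodes, rejecting any mapping whose security level falls below the threshold. The claims name the quantities (user trust degree, node utilization level, mapping security level) but not their formulas, so the trust, security-level and benefit formulas below, and the node security rating, are assumptions made for this demonstration.

```python
# Added example (not the patent's code): particle-swarm slice mapping under a security
# threshold. Scoring formulas and the node security rating are assumptions made here.
import itertools
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    capacity: float   # resource units the programmable node can provide to the slicing user
    security: float   # hypothetical node security rating in [0, 1]


def user_trust(history):
    """Hypothetical trust degree: mean of the user's historical interaction evaluations."""
    return sum(history) / len(history) if history else 0.0


def utilization_level(node, required):
    """Node utilization level as named in claim 4: resource the node can provide divided
    by the resource the NSI requires."""
    return node.capacity / required


def is_feasible(mapping, nodes, demands):
    """A mapping (VNF index -> node index) is feasible if no node is over-subscribed."""
    load = [0.0] * len(nodes)
    for vnf, node in enumerate(mapping):
        load[node] += demands[vnf]
    return all(load[i] <= nodes[i].capacity for i in range(len(nodes)))


def mapping_security_level(mapping, nodes, trust):
    """Hypothetical mapping security level: user trust scaled by the weakest node used."""
    return trust * min(nodes[i].security for i in mapping)


def fitness(mapping, nodes, demands, trust, threshold):
    """Orchestration benefit (hypothetical): how tightly the NSI packs the nodes it uses.
    Infeasible mappings and mappings below the security threshold are rejected with -1."""
    if not is_feasible(mapping, nodes, demands):
        return -1.0
    if mapping_security_level(mapping, nodes, trust) < threshold:
        return -1.0
    return sum(demands) / sum(nodes[i].capacity for i in set(mapping))


def decode(position, n_nodes):
    """Continuous particle position -> discrete node index per VNF."""
    return [min(n_nodes - 1, max(0, int(p))) for p in position]


def pso_map(nodes, demands, trust, threshold, particles=20, iters=60, seed=7):
    """Claim 5's loop: initialise positions and velocities, then iterate to the best mapping."""
    rng = random.Random(seed)
    n, k = len(nodes), len(demands)
    pos = [[rng.uniform(0, n) for _ in range(k)] for _ in range(particles)]
    vel = [[rng.uniform(-1, 1) for _ in range(k)] for _ in range(particles)]
    pbest = [p[:] for p in pos]
    pbest_f = [fitness(decode(p, n), nodes, demands, trust, threshold) for p in pos]
    g = max(range(particles), key=lambda i: pbest_f[i])
    gbest, gbest_f = pbest[g][:], pbest_f[g]
    w, c1, c2 = 0.7, 1.5, 1.5                      # inertia and attraction weights
    for _ in range(iters):
        for i in range(particles):
            for d in range(k):
                r1, r2 = rng.random(), rng.random()
                vel[i][d] = (w * vel[i][d] + c1 * r1 * (pbest[i][d] - pos[i][d])
                             + c2 * r2 * (gbest[d] - pos[i][d]))
                vel[i][d] = max(-n / 2, min(n / 2, vel[i][d]))
                pos[i][d] = max(0.0, min(n - 1e-9, pos[i][d] + vel[i][d]))
            f = fitness(decode(pos[i], n), nodes, demands, trust, threshold)
            if f > pbest_f[i]:
                pbest[i], pbest_f[i] = pos[i][:], f
                if f > gbest_f:
                    gbest, gbest_f = pos[i][:], f
    return decode(gbest, n), gbest_f


def exhaustive_best(nodes, demands, trust, threshold):
    """Brute-force reference for small inputs, to check what the swarm converged to."""
    best = max(itertools.product(range(len(nodes)), repeat=len(demands)),
               key=lambda m: fitness(list(m), nodes, demands, trust, threshold))
    return list(best), fitness(list(best), nodes, demands, trust, threshold)


if __name__ == "__main__":
    nodes = [Node("A", 10, 0.9), Node("B", 6, 0.5), Node("C", 8, 0.95)]   # constructed
    demands = [3.0, 4.0, 2.0]                                              # constructed NSI
    trust = user_trust([0.9, 0.8, 1.0])
    print("swarm:", pso_map(nodes, demands, trust, threshold=0.8))
    print("exhaustive:", exhaustive_best(nodes, demands, trust, threshold=0.8))
```

In the constructed scenario node B has a low security rating, so every mapping that touches it falls below the threshold and is discarded regardless of how well it packs; the swarm is left to trade off only among the secure nodes, which is the property claim 5 asks for (security threshold met while orchestration benefit is preserved).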
CN202310839075.8A 2023-07-10 2023-07-10 Slice security mapping method and system for intelligent identification network Pending CN116886309A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310839075.8A CN116886309A (en) 2023-07-10 2023-07-10 Slice security mapping method and system for intelligent identification network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310839075.8A CN116886309A (en) 2023-07-10 2023-07-10 Slice security mapping method and system for intelligent identification network

Publications (1)

Publication Number Publication Date
CN116886309A true CN116886309A (en) 2023-10-13

Family

ID=88256124

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310839075.8A Pending CN116886309A (en) 2023-07-10 2023-07-10 Slice security mapping method and system for intelligent identification network

Country Status (1)

Country Link
CN (1) CN116886309A (en)

Similar Documents

Publication Publication Date Title
Wu et al. Big data analysis-based secure cluster management for optimized control plane in software-defined networks
Hwang et al. IoT service slicing and task offloading for edge computing
CN108683747A (en) Resource acquisition, distribution, method for down loading, device, equipment and storage medium
US10868743B2 (en) System and method for providing fast platform telemetry data
US20200374127A1 (en) Blockchain-powered cloud management system
EP3716107B1 (en) Technologies for accelerated orchestration and attestation with edge device trust chains
CN108243106A (en) Control method, forwarding unit, control device and the communication system of network slice
TW201728124A (en) Flexibly defined communication network controller based control, operations and management of networks
CN104054067A (en) Frameworks and interfaces for offload device-based packet processing
US11601365B2 (en) Wide area networking service using provider network backbone network
Jin et al. Parallel simulation of software defined networks
Sabir et al. Authentication and load balancing scheme based on JSON Token for Multi-Agent Systems
EP3288235B1 (en) System and apparatus for enforcing a service level agreement (sla) in a cloud environment using digital signatures
Liu et al. Bs-iot: blockchain based software defined network framework for internet of things
CN111818081B (en) Virtual encryption machine management method, device, computer equipment and storage medium
EP3462709B1 (en) A network interface device
US11595471B1 (en) Method and system for electing a master in a cloud based distributed system using a serverless framework
Ellinidou et al. A SDN solution for system-on-chip world
CN108111461B (en) Method, device, gateway and system for realizing virtual machine access management network
CN116886309A (en) Slice security mapping method and system for intelligent identification network
CN113691608B (en) Traffic distribution method, device, electronic equipment and medium
WO2022246974A1 (en) Method for constructing blockchain-based trusted software defined network
Guo et al. A novel security mechanism for software defined network based on Blockchain
Xu et al. Curb: Trusted and scalable software-defined network control plane for edge computing
CN113794596B (en) Network reconstruction method based on metropolitan area network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination