WO2022001004A1 - Secure network construction method and apparatus, device, and computer storage medium - Google Patents


Info

Publication number: WO2022001004A1
Authority: WO (WIPO, PCT)
Prior art keywords: network, network element, security, secure, module
Application number: PCT/CN2020/134819
Other languages: French (fr), Chinese (zh)
Inventors: 兰天, 何明, 苏自翔, 叶雷, 郝记生
Original assignees: 中移(成都)信息通信科技有限公司, 中国移动通信集团有限公司, 中国电子科技集团公司第三十研究所, 楚天龙股份有限公司

Classifications

    • H Electricity
        • H04 Electric communication technique
            • H04W Wireless communication networks
                • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W 12/06 Authentication
            • H04L Transmission of digital information, e.g. telegraphic communication
                • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L 9/40 Network security protocols
                • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
                    • H04L 41/08 Configuration management of networks or network elements
                        • H04L 41/0803 Configuration setting
                    • H04L 41/40 Arrangements for maintenance, administration or management of data switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
                • H04L 63/00 Network architectures or network communication protocols for network security
                    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
                    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • The configuration module may be used to implement functions such as OSS.
  • The secure network may include multiple network elements, and the network elements constitute network slices.
  • Configuration information of at least one network slice required by the secure network to be generated can be acquired by the configuration module, and the configuration module sends the configuration information to the network element search module.
  • The term "standard network element" is only used to distinguish such elements from security network elements; it does not limit the standard conditions that a network element meets.
  • The network element management module may implement functions such as SMM.
  • Obtaining the secure network slice according to the third network element set includes: if the physical resource consumption required by the third network element set meets the physical resource consumption condition, obtaining the secure network slice according to the third network element set.
  • FIG. 7 is a schematic structural diagram of an apparatus for constructing a secure network provided by an embodiment of the present disclosure.
  • The apparatus for constructing a secure network may include: a configuration module 710, a network element search module 720, and a network element management module 730.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present invention provide a secure network construction method and apparatus, a device, and a computer storage medium. The secure network construction method is applied to a secure network system. The system comprises: a configuration module, a network element searching module, and a network element management module. The secure network construction method comprises: the configuration module obtains configuration information of at least one network slice, the configuration information comprising a first security level parameter of the network slice; the network element searching module obtains at least one target standard network element corresponding to the first security level parameter; the network element management module generates a routing rule according to the at least one target standard network element and at least one target security network element; and a network management module determines a secure network according to the routing rule, the target standard network element, and the target security network element.

Description

Secure network construction method, apparatus, device and computer storage medium
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to Chinese Patent Application No. 202010599875.3, filed in China on June 28, 2020, the entire contents of which are incorporated herein by reference.
TECHNICAL FIELD
The present disclosure belongs to the field of communication networks, and in particular relates to a secure network construction method, apparatus, device and computer storage medium.
BACKGROUND
With the commercialization of communication networks, the mobility, reliability and security of network access are considered when a communication network is designed; for example, secure communication capabilities are provided through identity identification, authentication and authorization, channel and bearer encryption, access control and similar means.
However, as communication technology continues to develop, each new generation of it also places high demands on security. For example, 5G networks introduce network slicing, which lets a single network support multiple different types of service scenario at the same time. A secure network is therefore needed that meets the differing security requirements of users across industries and provides flexible security guarantees, so as to secure the communication network.
SUMMARY OF THE INVENTION
Embodiments of the present disclosure provide a secure network construction method, apparatus, device and computer storage medium which, in the process of constructing a secure network, both reduce the complexity of the network and reduce the construction cost.
In a first aspect, embodiments of the present disclosure provide a secure network construction method. The method is applied to a secure network system comprising a configuration module, a network element search module, a network element management module and a network construction module. The secure network construction method comprises: the configuration module obtains configuration information of at least one network slice, the configuration information including a first security level parameter of the network slice;
the network element search module obtains at least one target standard network element corresponding to the first security level parameter;
the network element management module generates a routing rule according to the at least one target network element and at least one target security network element;
the network construction module determines the secure network according to the routing rule, the target standard network element and the target security network element.
In some implementations of the first aspect, the configuration information further includes configuration parameters of the network slice.
In some implementations of the first aspect, the secure network system further includes a network element establishment module, which includes a plurality of network elements corresponding to the first security level parameter;
the network element search module searches the network element establishment module for a first network element that satisfies the configuration information of the network slice;
if the network element establishment module includes the first network element and the running state of the first network element is normal, the network element search module determines the first network element to be the target standard network element.
In some implementations of the first aspect, the method further comprises: if the network element establishment module does not include a first network element that satisfies the configuration information of the network slice, the network element establishment module establishes, according to the configuration parameters of the network slice, a second network element corresponding to the first security level parameter;
the network element search module obtains the running state of the second network element;
if the running state of the second network element is normal, the network element search module determines the second network element to be the target standard network element.
In some implementations of the first aspect, the secure network system further includes a network element planning module, and after the secure network has been determined the method further comprises: the network element planning module obtains application requirement information for a secure network slice;
the network element planning module obtains, from the secure network and by means of a genetic algorithm, target application network elements that satisfy the application requirement information, thereby obtaining the secure network slice.
In some implementations of the first aspect, the application requirement information includes a second security level parameter required by the secure network slice;
obtaining, by means of the genetic algorithm, the target application network elements that satisfy the application requirement information from the secure network so as to obtain the secure network slice comprises:
obtaining, according to the second security level parameter, a first network element set corresponding to the second security level parameter;
performing a crossover operation and a mutation operation on the first network element set to obtain a second network element set;
obtaining, from the second network element set, a third network element set that satisfies the application requirement information;
obtaining the secure network slice according to the third network element set.
In some implementations of the first aspect, the first network element set includes at least one first application network element of at least one category, and each first application network element is linked to a security network element of the corresponding security level parameter;
performing the crossover operation and the mutation operation on the first network element set to obtain the second network element set comprises:
performing a crossover operation on the first application network elements and security network elements of each category in the first network element set to obtain a fourth network element set;
performing a mutation operation on the fourth network element set to obtain the second network element set.
In some implementations of the first aspect, performing the mutation operation on the fourth network element set to obtain the second network element set comprises: selecting from the fourth network element set, according to the application requirement information, at least one second application network element that satisfies the application requirement information and a third application network element that does not satisfy it;
obtaining the second network element set according to each second application network element and each third application network element.
In some implementations of the first aspect, obtaining the secure network slice according to the third network element set comprises:
if the physical resource consumption required by the third network element set satisfies a physical resource consumption condition, obtaining the secure network slice according to the third network element set.
In some implementations of the first aspect, the method further comprises: if the physical resource consumption required by the third network element set does not satisfy the physical resource consumption condition, continuing to iterate the crossover operation and the mutation operation on the third network element set until a network element set whose physical resource consumption satisfies the physical resource consumption condition is obtained, and obtaining the secure network slice from it.
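As an added illustration (not code from the patent or its assignees), the following Python models the first-aspect procedure summarised above: the network element search step with its fallback to the establishment module, and the genetic-algorithm planning step that iterates crossover and mutation until a candidate slice satisfies the second security level parameter, the application requirement information and the physical resource consumption condition. All element names, cpu costs, the capacity requirement and the cpu budget are constructed values, and the `establish` callback is a hypothetical stand-in for the establishment module.

```python
"""Added example, not code from the patent: a deterministic model of the slice
construction procedure in the first aspect. Element names, costs, the capacity
requirement and the cpu budget are constructed values for illustration only."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkElement:
    name: str
    category: str        # standard NE type named on the page, e.g. AMF, SMF, UPF
    security_level: str  # "low", "medium" or "high" (the three levels on the page)
    running: bool        # True when the "running state is normal"
    cpu: int             # constructed physical-resource cost
    capacity: int        # constructed figure checked against the application requirement
    security_ne: str     # the security network element this element is linked to


def find_target_standard_element(pool, category, level, establish):
    """Network element search module: return a running element of the wanted category
    and first security level parameter from the establishment module's pool (the first
    network element); otherwise ask `establish(category, level)` (hypothetical callback
    for the establishment module, None = could not build) for a second network element
    and accept it only if its running state is normal."""
    for ne in pool:
        if ne.category == category and ne.security_level == level and ne.running:
            return ne
    second = establish(category, level)
    return second if second is not None and second.running else None


def slice_cost(candidate):
    """Physical resource consumption of a candidate slice ({category: element})."""
    return sum(ne.cpu for ne in candidate.values())


def satisfies_requirement(candidate, categories, min_capacity):
    """Application requirement information: every required category is present and
    each element offers at least the required capacity."""
    return (set(candidate) == set(categories)
            and all(ne.capacity >= min_capacity for ne in candidate.values()))


def crossover(parent_a, parent_b, rng):
    """Crossover per category; the linked security NE travels with its element, since
    every application NE is already linked to a security NE of the required level."""
    return {c: parent_a[c] if rng.random() < 0.5 else parent_b[c] for c in parent_a}


def mutate(candidate, first_set, min_capacity, rng, mutation_rate=0.2):
    """Mutation: elements failing the requirement (the page's third application NEs) are
    always replaced by another element of the same category from the first network
    element set; passing ones only occasionally, so the search does not stall (this
    low background rate is an assumption of the model, not a step on the page)."""
    mutated = {}
    for category, ne in candidate.items():
        if ne.capacity < min_capacity or rng.random() < mutation_rate:
            mutated[category] = rng.choice([x for x in first_set if x.category == category])
        else:
            mutated[category] = ne
    return mutated


def plan_secure_slice(secure_network, level, categories, min_capacity, cpu_budget,
                      population=8, max_generations=200, seed=1):
    """Network element planning module: build the first network element set from the
    second security level parameter, then iterate crossover and mutation until some
    candidate meets the application requirement and the physical resource condition
    (total cpu within budget). Returns the slice as {category: element}, or None."""
    rng = random.Random(seed)
    first_set = [ne for ne in secure_network if ne.security_level == level and ne.running]
    by_category = {c: [ne for ne in first_set if ne.category == c] for c in categories}
    if any(not by_category[c] for c in categories):
        return None  # a required category has no running element at this level
    current = [{c: rng.choice(by_category[c]) for c in categories} for _ in range(population)]
    for _ in range(max_generations):
        fourth_set = [crossover(rng.choice(current), rng.choice(current), rng)
                      for _ in range(population)]
        second_set = [mutate(c, first_set, min_capacity, rng) for c in fourth_set]
        third_set = [c for c in second_set if satisfies_requirement(c, categories, min_capacity)]
        fit = [c for c in third_set if slice_cost(c) <= cpu_budget]
        if fit:
            return min(fit, key=slice_cost)  # physical resource condition satisfied
        current = third_set or second_set    # otherwise keep iterating on the third set
    return None


# Constructed sample secure network. upf-h3 is down and smf-h3 is under capacity;
# with min_capacity=60 and cpu_budget=9 the only feasible slice costs 8.
SECURE_NETWORK = [
    NetworkElement("amf-h1", "AMF", "high", True, 4, 100, "sm-high"),
    NetworkElement("amf-h2", "AMF", "high", True, 2, 80, "sm-high"),
    NetworkElement("smf-h1", "SMF", "high", True, 3, 90, "sm-high"),
    NetworkElement("smf-h2", "SMF", "high", True, 5, 120, "sm-high"),
    NetworkElement("smf-h3", "SMF", "high", True, 2, 40, "sm-high"),
    NetworkElement("upf-h1", "UPF", "high", True, 6, 150, "sm-high"),
    NetworkElement("upf-h2", "UPF", "high", True, 3, 70, "sm-high"),
    NetworkElement("upf-h3", "UPF", "high", False, 4, 65, "sm-high"),
]

if __name__ == "__main__":
    chosen = plan_secure_slice(SECURE_NETWORK, "high", ("AMF", "SMF", "UPF"), 60, 9)
    print({c: ne.name for c, ne in chosen.items()}, "cpu:", slice_cost(chosen))
```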
In a second aspect, the present disclosure provides a secure network construction apparatus comprising: a configuration module, configured to obtain configuration information of at least one network slice, the configuration information including a first security level parameter of the network slice;
a network element search module, configured to obtain at least one target standard network element and at least one target security network element corresponding to the first security level parameter;
a network element management module, configured to generate a routing rule according to the at least one target network element and the at least one target security network element;
a network construction module, configured to determine the secure network according to the routing rule, the target standard network element and the target security network element.
In a third aspect, the present disclosure provides a secure network construction device comprising a processor and a memory storing computer program instructions; when the processor executes the computer program instructions, the secure network construction method of the first aspect or of any implementation of the first aspect is carried out.
In a fourth aspect, the present disclosure provides a computer-readable storage medium storing computer program instructions which, when executed by a processor, carry out the secure network construction method of the first aspect or of any implementation of the first aspect.
In the secure network construction method of the embodiments of the present disclosure, the configuration information used to construct the secure network includes the required network slices and the required security levels. When the secure network is constructed, the target network elements are therefore linked with security network elements of the required security level, so that the secure network can support the construction and application of network slices with different security level requirements and provide flexible, customizable and differentiated security guarantees for the applications and needs of industry users, while also reducing the complexity of the network and the construction cost.
BRIEF DESCRIPTION OF THE DRAWINGS
To illustrate the technical solutions of the embodiments of the present disclosure more clearly, the drawings used in the embodiments are briefly introduced below. Those of ordinary skill in the art can derive further drawings from these without creative effort.
FIG. 1 is a schematic diagram of an NFV MANO-based framework for constructing a multi-level security network provided by an embodiment of the present disclosure;
FIG. 2 is a functional schematic diagram of NFV MANO provided by an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of an NFV MANO multi-level security network system provided by an embodiment of the present disclosure;
FIG. 4 is a schematic flowchart of a secure network construction method provided by an embodiment of the present disclosure;
FIG. 5 is a schematic flowchart of another secure network construction method provided by an embodiment of the present disclosure;
FIG. 6 is a schematic flowchart of a method for obtaining a secure network slice provided by an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of a secure network construction apparatus provided by an embodiment of the present disclosure;
FIG. 8 is a schematic structural diagram of a secure network construction device provided by an embodiment of the present disclosure.
DETAILED DESCRIPTION
Features and exemplary embodiments of the various aspects of the present disclosure are described in detail below. To make the purpose, technical solutions and advantages of the present disclosure clearer, the disclosure is further described with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described here serve only to explain the present disclosure and not to limit it. It will be apparent to those skilled in the art that the present disclosure may be practiced without some of these specific details. The following description of the embodiments is intended only to provide a better understanding of the present disclosure by illustrating examples of it.
It should be noted that relational terms such as "first" and "second" are used here only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or ordering between those entities or operations. Moreover, the terms "comprise", "include" and any other variant of them are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprises ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes it.
The term "and/or" in this document merely describes an association between related objects and indicates that three relationships are possible; for example, "A and/or B" can mean that A exists alone, that A and B both exist, or that B exists alone.
As communication technology continues to develop, each new generation of it also places high demands on security. For example, fifth-generation (5G) mobile communication networks introduce network slicing, which lets a single network support multiple different types of service scenario at the same time.
Today more and more enterprises improve the security and performance of their networks by deploying a variety of network function devices. As an enterprise grows, the number of network function devices deployed in its network increases sharply, and problems follow: deploying the devices is expensive, managing them is difficult and their failure rate is high. The European Telecommunications Standards Institute therefore proposed Network Function Virtualization (NFV), which deploys the services of the traditional communication technology (CT) industry on a cloud platform, decouples software from hardware, creates network elements dynamically and provides virtual resources. Virtualization abstracts physical resources into virtual resources available to upper-layer applications, thereby virtualizing network functions and reducing operators' investment costs and their service development and deployment cycles.
In commercializing a communication network, the mobility, reliability and security of network access are taken into account; for example, secure communication capabilities are provided through identity identification, authentication and authorization, channel and bearer encryption, access control and similar means.
At present, the construction of multi-level security networks based on 5G private networks relies mainly on network slicing, but network slicing faces security threats that include guaranteeing the secure isolation of slices, the security of terminal access to slices and the secure management of slices. In terminal access to a slice, data may be tampered with or forged while the terminal is selecting a slice, which can lead to an incorrect slice selection, so that the terminal cannot obtain service from the correct slice, or a terminal that has not subscribed to the service is admitted to the slice.
The private information a user presents during network slice selection may be intercepted or monitored. If terminal access to a slice lacks authentication and authorization, unauthorized terminals may enter the network slice and consume its resources, and if access to services lacks a suitable authorization mechanism, different types of attack become possible. If the terminal access procedure is not protected, an attacker who eavesdrops on the access link may obtain sensitive service privileges, or even obtain related information and hijack an ongoing session to inject their own data packets; the attacker may also replay the eavesdropped packets, placing unnecessary load on the system and degrading its availability and quality of service.
A secure network system is therefore needed that meets the differing security requirements of users across industries and provides flexible security guarantees, so as to secure the communication network and its quality of service.
To counter the threats to slice networks, the present application proposes a secure network system suited to the secure network construction method. The system builds a multi-level security network on the basis of Network Functions Virtualization Management and Orchestration (NFV MANO), in which NFV MANO may integrate Security Module (SM) resource management with Network Function Virtualization (NFV) resource management and enhance the management and orchestration of containers on the Virtualized Infrastructure Manager (VIM), so as to meet the needs of different security levels and the differing security requirements of users across industries, provide flexible security guarantees, secure the communication network and ensure that the resources and data of different users are kept secure in separate, independent virtual network slices.
Before the specific embodiments of the present disclosure are introduced, the NFV MANO-based framework for constructing a multi-level security network to which the embodiments apply is introduced first, as shown in FIG. 1.
The NFV MANO-based framework for constructing a multi-level security network may consist of: an NFV Orchestrator (NFVO), a Security Module Orchestrator (SMO), a VNF Manager (VNFM), a Security Module Manager (SMM) and a Virtualized Infrastructure Manager (VIM).
NFVO and SMO are mainly responsible for scheduling the system's business processes and orchestrating resources. The orchestration management layer receives application requests from the Operation Support System (OSS), and NFVO and SMO interact with their corresponding virtual managers through Application Programming Interfaces (APIs) to implement functions such as traffic steering and the instantiation of VNFs and Session Management Functions (SMF). In some embodiments, the operation support system may also be integrated as a Business Support System (BSS), or the operation support system and the business support system may be integrated together, for example as a Business and Operation Support System (BOSS).
VNFM and SMM are mainly responsible for the full life-cycle management of all virtual network elements, such as virtual routers, switches, network elements and security components, and for dynamically adjusting resource utilization.
VIM is mainly responsible for the life-cycle management of physical resources (such as servers, storage, network and security), virtual resources (such as virtual machines) and software resources (such as management and supervision), and exposes physical and virtual resources to other management systems through application programming interfaces.
In some embodiments, the instantiation and management of VNFs and SMFs may be the responsibility of NFVO and SMO. A VNF or SMF carries attributes such as descriptor type, name, interface, memory size, disk size, vendor name and security level; for a VNF or SMF without a security level attribute, NFVO and SMO may add a security attribute. For example, security levels may be divided into multiple levels according to the needs of users in different industries, such as three levels: low, medium and high.
The security levels may be set using the enhanced modules for different security levels of the Unified Data Management (UDM) function as the basis for the division; for example, virtualized network functions (VNF) and session management functions (SMF) are distinguished by security level to form network element sets of multiple security levels. For instance, with three security levels, low, medium and high, network element sets of low, medium and high security level can be formed accordingly.
SMM and VNFM are divided according to the types in the network element sets they manage: SMM is mainly responsible for managing security-related network elements (for example, primary authentication or secondary authentication), resource management and link management, while VNFM is responsible for resource management and network element management of standard network elements, the User Plane Function (UPF) and the like.
In some embodiments, the standard network elements may include, for example, the Network Slice Selection Function (NSSF), Network Exposure Function (NEF), Network Repository Function (NRF), Authentication Server Function (AUSF), Session Management Function (SMF) and Access and Mobility Management Function (AMF).
In the embodiments of the present disclosure, the term "standard network element" serves only to distinguish such elements from security network elements and does not limit the standard conditions that a network element must meet.
In practical application, the standard network elements are first prepared by the VNFM management system, then the SMM links the network element sets of different security levels, finally forming slice networks of different security levels.
Unlike network orchestration in the related art, the added SMO enables unified, collaborative orchestration of the standard network elements handled by the NFVO and the security network elements controlled by the SMO, realizing a network with multiple security levels.
The NFV MANO may be jointly deployed on a combination of Open Source MANO (OSM), the open-source cloud computing management platform OpenStack, and the like. OpenStack may be applied at the VIM layer, providing standardized interfaces for managing, monitoring and evaluating all resources in the NFV infrastructure.
OSM may act as the network service orchestrator and manager, creating network services on demand and returning the identity document (ID) of the service object; it can model and automate real carrier-grade services.
The secure network system described in the embodiments of the present disclosure may further include a network element planning module. The network element planning module may implement functions such as element management, life-cycle management, security level rules and management, and resource management.
Exemplarily, with reference to the functional schematic diagram of the NFV MANO shown in Figure 2, element management refers to managing VNF configuration information and software images, ensuring that a VNF can be parsed normally.
Life-cycle management refers to scheduling of the secure network services at the core of the system, including creating, deploying, terminating, deleting and viewing secure network services.
Security level rule and request policy management refers to the deployment policy algorithm for multiple security levels in the management system, including creating, deleting and querying policies.
Resource management refers to management of virtual and physical resources. It supports interaction with the VIM, is responsible for obtaining monitoring information on physical and virtual resources, and can display the monitoring data as charts.
Corresponding to the above functional description of the NFV MANO, and based on the multi-security-level network construction framework and the functions of the NFV MANO described in the embodiments of the present disclosure, the multi-security-level network system of the NFV MANO may be divided into five layers. As shown in the schematic diagram of Figure 3, these may include a BOSS application layer, an OSM layer, a Software Defined Network (SDN) management and VIM management layer, and a physical resource layer.
The BOSS application layer mainly implements web interface services that provide users with an operation interface for network slices of multiple security levels. For example, an operator creates and deploys network services of multiple security levels through the application layer, and the deployment elements, network parameter data and other information involved in the secure network are sent down to the OSM layer for service orchestration, resource orchestration and monitoring.
The OSM orchestration layer issues configuration commands to the SDN management and VIM resource management, deploys and implements the virtualized infrastructure and virtualized security facilities, steers user-plane data traffic forwarding, and finally controls the physical resources to realize the network slice.
The service orchestration layer in the service orchestration module instantiates each virtualized network function in the application layer request into the physical network in order, forming a service function chain with a specific order. This service function chain is formed by linking the network elements corresponding to the virtualized infrastructure and the virtualized security facilities, which may be realized by the SMO and SMM linking the standard network elements to security network elements of different security levels.
The security level rule and request policy management module provides the policy for the service function chain of multiple security levels; by controlling the routing rule module of the virtual unit, it links the virtual standard network elements with the security network elements of multiple levels and deploys them to the VIM and the SDN manager. When implementing this policy, all standard network elements and security network elements are divided by security level, forming network element sets of different security levels, which provides a basis for obtaining an optimized network with multiple security levels.
In conjunction with the secure network system of the multi-security-level network construction framework of the NFV MANO, a secure network construction method provided by the embodiments of the present disclosure is introduced below. Figure 4 is a schematic flowchart of a secure network construction method provided by an embodiment of the present disclosure, involving a configuration module, a network element search module and a network element management module. As shown in Figure 4, the method may include the following steps:
S410. The configuration module acquires configuration information of at least one network slice, the configuration information including a first security level parameter of the network slice.
The configuration module may be used to implement functions such as those of the OSS. In some embodiments, the secure network may include multiple network elements, which make up the network slices. The configuration module acquires the configuration information of at least one network slice required by the secure network to be generated and sends it to the network element search module.
The first security level parameter may include requirements for network elements of different security levels, for example a requirement for high-security-level network elements, a requirement for medium-security-level network elements, and so on.
Optionally, in some embodiments, the configuration information may further include configuration parameters of the network slice.
S420. The network element search module acquires at least one target standard network element corresponding to the first security level parameter.
The network element search module may be used to implement functions such as those of the SMO. The secure network system may further include a network element establishment module. In some embodiments, the network element establishment module includes standard network elements of different functions, such as NSSF, NEF, NRF, AUSF, SMF and AMF, each standard network element corresponding to the security level of the connection it requires. That is, in the network element establishment module, each security level corresponds to multiple network elements.
Optionally, the network element establishment module may be used to implement functions such as those of the NFVO. The network element search module acquiring at least one target standard network element and at least one target security network element corresponding to the first security level parameter may specifically be implemented as follows: the network element search module searches the network element establishment module for a first network element that satisfies the configuration information of the network slice; if the network element establishment module includes the first network element and the running state of the first network element is normal, the network element search module determines the first network element as the target standard network element.
The target standard network element is a standard network element that satisfies the configuration information of the network slice.
In the embodiments of the present disclosure, the term "standard network element" is used only to distinguish such elements from security network elements, not to limit the standard conditions that a network element satisfies.
In some embodiments, corresponding to the first security level parameter, after the network element search module finds, in the network element sets of different security levels of the network element establishment module, a standard network element that satisfies the configuration parameters, it queries the running state of that standard network element.
The network element search module receives the running state of the network element fed back by the network element establishment module; if the running state of the standard network element is normal, the standard network element (the first network element) is determined as the target standard network element.
It can be understood that, when the first security level parameter includes requirements for network elements of different security levels, the network element search module searches for the required first network elements in the standard network element sets of the respective security levels according to the required security levels.
In some embodiments, optionally, if the network element establishment module does not include a first network element that satisfies the configuration information of the network slice, the network element establishment module establishes a second network element corresponding to the first security level parameter according to the configuration parameters of the network slice, and the network element search module acquires the running state of the second network element; if the running state of the second network element is normal, the network element search module determines the second network element as the target standard network element.
In some embodiments, if the network element establishment module does not include a first network element that satisfies the configuration information of the network slice, no standard network element of the required security level has been deployed in the network element establishment module. The network element establishment module may therefore establish and deploy a standard network element of the corresponding security level according to the network slice configuration parameters sent by the network element search module, obtaining the second network element. The network slice configuration parameters sent by the network element search module may include the parameters of the specific standard network element and the security level corresponding to it.
After the standard network element of the corresponding security level is deployed, the network element establishment module may feed back to the network element search module that the standard network element was established successfully, together with the running state of the standard network element (the second network element).
In some embodiments, the information that the standard network element was established successfully may be a creation-success identifier, which is not specifically limited here.
In some embodiments, when the network element search module receives that the running state of the standard network element (the second network element) is normal, the network element search module takes the second network element as the target standard network element.
After the target standard network element is deployed, the network element search module sends the security-related network element information, distinguished by security level, to the network element management module for processing.
S430. The network element management module generates a routing rule according to the at least one target network element and at least one target security network element.
The network element management module may implement functions such as those of the SMM.
Specifically, the network element management module determines the category of each target standard network element and, according to the security level corresponding to each target standard network element, activates the target security network element corresponding to that security level, that is, instantiates a security network element of the corresponding security level.
The routing rule designates the target security network element that can be communicatively connected with a target standard network element.
S440. The network management module determines the secure network according to the routing rule, the target standard network element and the target security network element.
Specifically, the network management module determines, according to the routing rule, the network communication connection between each target standard network element and the target security network element corresponding to its security level, and finally obtains the links between all target standard network elements and the target security network elements corresponding to their security levels, that is, a secure network that can satisfy the requirements of different security levels.
In the secure network construction method of the embodiments of the present disclosure, because the configuration information for constructing the secure network includes the required network slices and the required security levels, the target network elements are linked with security network elements of the corresponding required security level when the secure network is constructed. The secure network can thus support the construction and application of network slices with different security level requirements, providing flexible and customizable differentiated security assurance for the applications and needs of industry users, while also reducing network complexity. Compared with adding a Secure Element (SE) to each terminal, it also reduces the construction cost of the secure network.
To describe the embodiments of the present disclosure more clearly, the secure network construction method described in the embodiments is further explained below with a specific example, with reference to Figure 5.
The OSS sends the SMO the configuration information of at least one network slice required for establishing the secure network, the configuration information including at least the required first security level parameter and the configuration parameters of the required network slice. After receiving the configuration information, the SMO queries the standard network element sets of different security levels in the NFVO to determine whether the standard network elements have been deployed; in some embodiments, this also includes querying whether the User Plane Function (UPF) is ready.
If standard network elements of the corresponding security level have already been deployed in the NFVO, the running state of those deployed standard network elements is determined.
If no standard network element of the corresponding security level has been deployed in the NFVO, a standard network element of the corresponding security level is instantiated in the NFVO, that is, deployed. After the deployment is complete, the NFVO feeds back to the SMO a creation-success identifier and the running state of the deployed standard network element of the corresponding security level.
After the SMO learns that deployment of the standard network elements of the corresponding security level is complete and their running state is normal, it initiates the security network element deployment procedure, that is, it sends indication information to the SMM, for example the required first security level parameter and the information of the security network elements that satisfy the configuration parameters. The SMM generates the routing rules according to the received indication information and, based on the routing rules, completes the network communication connection between each target standard network element and the target security network element corresponding to its security level, obtaining the secure network.
Because all standard network elements and security network elements are divided by security level, forming network element sets of different security levels, and because network communication connections are established between each standard network element and the security network element of its corresponding level, a basis is provided for obtaining an optimized network with multiple security levels.
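The following is an added illustration, not code from the patent or its applicants, of steps S420 to S440 and the OSS/SMO/NFVO/SMM exchange above: per-level sets of standard network elements, look-up of a first network element, on-demand deployment of a second one, activation of the security network element of the matching level, and the resulting routing rules. The class and function names, the three-level set, and the decision to reject a network element whose running state is not normal are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three example security levels named on the page.
LEVELS = ("low", "medium", "high")

@dataclass
class NetworkElement:
    name: str             # e.g. "AMF-1" (constructed sample names)
    function: str         # NSSF, NEF, NRF, AUSF, SMF, AMF, ...
    level: str            # security level attribute set by the NFVO/SMO
    running: bool = True  # True when the "running state is normal"
    secure: bool = False  # True for a security network element (SMM-managed)

@dataclass
class SliceConfig:
    """Configuration information of one network slice (step S410)."""
    slice_id: str
    required: List[Tuple[str, str]]  # (function, first security level parameter)

class NetElementRegistry:
    """Network element establishment module (NFVO role): one NE set per security level."""

    def __init__(self) -> None:
        self.sets: Dict[str, List[NetworkElement]] = {lvl: [] for lvl in LEVELS}
        self.created: List[str] = []  # names of NEs instantiated on demand

    def add(self, ne: NetworkElement) -> None:
        if ne.level not in LEVELS:
            raise ValueError(f"unknown security level {ne.level!r}")
        self.sets[ne.level].append(ne)

    def find(self, function: str, level: str) -> Optional[NetworkElement]:
        """Look up a 'first network element' in the set of the requested level."""
        for ne in self.sets[level]:
            if ne.function == function and not ne.secure:
                return ne
        return None

    def instantiate(self, function: str, level: str) -> NetworkElement:
        """Deploy a 'second network element' when no first NE exists (S420 fallback)."""
        ne = NetworkElement(f"{function}-{level}-new", function, level)
        self.add(ne)
        self.created.append(ne.name)
        return ne

def find_target_standard_nes(registry: NetElementRegistry,
                             cfg: SliceConfig) -> List[NetworkElement]:
    """Network element search module (SMO role), step S420."""
    targets = []
    for function, level in cfg.required:
        ne = registry.find(function, level) or registry.instantiate(function, level)
        # The page only describes the "normal" state; refusing an abnormal NE
        # is an assumption of this example.
        if not ne.running:
            raise RuntimeError(f"{ne.name} is not in a normal running state")
        targets.append(ne)
    return targets

def activate_security_ne(pool: Dict[str, NetworkElement], level: str) -> NetworkElement:
    """Instantiate the security NE of one level on first use (step S430)."""
    if level not in pool:
        pool[level] = NetworkElement(f"SEC-{level}", "SEC", level, secure=True)
    return pool[level]

def generate_routing_rules(targets: List[NetworkElement],
                           pool: Dict[str, NetworkElement]) -> Dict[str, str]:
    """Network element management module (SMM role), step S430: each target
    standard NE is routed to the security NE of its own security level."""
    return {ne.name: activate_security_ne(pool, ne.level).name for ne in targets}

def build_secure_network(registry: NetElementRegistry, pool: Dict[str, NetworkElement],
                         cfg: SliceConfig) -> List[Tuple[str, str]]:
    """Steps S420-S440 end to end; returns the standard-NE/security-NE links (S440)."""
    targets = find_target_standard_nes(registry, cfg)
    rules = generate_routing_rules(targets, pool)
    return sorted(rules.items())

def demo() -> Tuple[NetElementRegistry, Dict[str, NetworkElement], List[Tuple[str, str]]]:
    """Constructed sample: AMF (high) and SMF (medium) are deployed, AUSF (high) is not."""
    reg = NetElementRegistry()
    reg.add(NetworkElement("AMF-1", "AMF", "high"))
    reg.add(NetworkElement("SMF-1", "SMF", "medium"))
    cfg = SliceConfig("slice-A", [("AMF", "high"), ("SMF", "medium"), ("AUSF", "high")])
    pool: Dict[str, NetworkElement] = {}
    return reg, pool, build_secure_network(reg, pool, cfg)

if __name__ == "__main__":
    registry, security_pool, links = demo()
    print("instantiated on demand:", registry.created)
    for standard, secure in links:
        print(f"{standard} -> {secure}")
```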
For the network element planning module included in the secure network system described in the embodiments of the present disclosure: after the secure network is determined, the secure network construction method may further include the following steps:
First, the network element planning module acquires the application requirement information of a secure network slice; then, the network element planning module obtains, using a genetic algorithm, target application network elements that satisfy the application requirement information from the secure network, obtaining the secure network slice.
After the secure network is constructed, the standard network elements it includes may be selected to form a secure network slice that provides users with network service deployment. For ease of description, during the selection of standard network elements, the standard network elements included in the secure network are called application network elements; it can be understood that an application network element is linked with a security network element of the corresponding security level parameter. The application requirement information is, for example, the requirements that must be met when deploying a network service, such as link delay, quality of service and bandwidth requirements, which are not specifically limited here.
The application requirement information includes a second security level parameter required by the secure network slice.
The second security level parameter may be, for example, the security level required by an enterprise user when deploying a network service, and may include multiple security levels required by the network service.
Obtaining, using the genetic algorithm, target application network elements that satisfy the application requirement information from the secure network to obtain the secure network slice may, as shown in Figure 6, include the following steps:
S610. Acquire, according to the second security level parameter, a first network element set corresponding to the second security level parameter.
S620. Perform a crossover operation and a mutation operation on the first network element set to obtain a second network element set.
In some embodiments, the first network element set includes at least one first application network element of at least one category, each first application network element being linked with a security network element of the corresponding security level parameter.
Therefore, optionally, performing the crossover operation and the mutation operation on the first network element set to obtain the second network element set may specifically include: performing the crossover operation on the first application network elements and security network elements of each category in the first network element set to obtain a fourth network element set; and performing the mutation operation on the fourth network element set to obtain the second network element set.
In some embodiments, the categories are divided by the function of the application network element; the functions may include, for example, NSSF, NEF, NRF, AUSF, SMF and AMF.
In some embodiments, because each first network element set includes first application network elements of the same security level, the crossover operation crosses each first application network element together with its security network element as a whole, which effectively reduces the processing difficulty. During the crossover operation, the network links may also be repaired according to the actual condition of the individuals after crossover, or the application network elements and security network elements may be regenerated.
Crossing application network elements and security network elements of the same security level, and in particular crossing application network elements that satisfy the application requirement information with those that do not, allows application network elements that satisfy the application requirement information to be linked with more security network elements, producing new links between application network elements and security network elements and improving the applicability of application network elements of the same security level.
In some embodiments, optionally, performing the mutation operation on the fourth network element set to obtain the second network element set may specifically include: selecting from the fourth network element set, according to the application requirement information, at least one second application network element that satisfies the application requirements and at least one third application network element that does not; and obtaining the second network element set according to each second application network element and each third application network element.
S630. Acquire, from the second network element set, a third network element set that satisfies the application requirement information.
S640. Obtain the secure network slice according to the third network element set.
In some embodiments, obtaining the secure network slice according to the third network element set includes: if the physical resource consumption required by the third network element set satisfies a physical resource consumption condition, obtaining the secure network slice according to the third network element set.
The physical resource consumption may be the consumption of physical resources such as memory and central processing unit (CPU) by the network elements, and the physical resource consumption condition may be set as the minimum physical resource consumption of the network elements when in use.
In some embodiments, optionally, whether the physical resource consumption required by the third network element set satisfies the physical resource consumption condition is used as the criterion for deciding whether to continue the iterative computation: if it does not, the iterative computation of the crossover and mutation operations continues on the third network element set until a network element set whose physical resource consumption satisfies the condition is obtained, yielding the secure network slice.
All application network elements in the third network element set that satisfy the application requirement information are selected. In some embodiments, each application network element may be evaluated with a fitness function to obtain its fitness; the application network elements are sorted by fitness and those with poor fitness are excluded, leaving the network elements with better fitness.
In the embodiments of the present disclosure, by imitating the survival-of-the-fittest mechanism of biological evolution, the secure network slice is obtained according to the third network element set, selecting individuals with good fitness to ensure the overall quality of the application network elements. If the third network element set cannot yield the target secure slice, the individuals with poor fitness are excluded and the iterative computation continues on the application network elements of the third network element set, finally obtaining a network element set that satisfies the physical resource consumption condition and forms a secure network slice meeting the security level requirements.
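The following is an added illustration, not code from the patent or its applicants, of the genetic search in steps S610 to S640: the first set is filtered by the second security level parameter, each application network element is crossed together with its linked security network element as one unit, mutation regenerates an element of the same category, and iteration stops only when a set satisfies both the application requirements and the physical resource consumption condition. The AppNE and Requirements types, the latency/bandwidth requirement checks, the fitness function, the resource budget and the sample pool are all assumptions constructed for this example.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class AppNE:
    """An application NE already linked to a security NE of its level."""
    name: str
    function: str      # category: NSSF, NEF, NRF, AUSF, SMF, AMF, ...
    level: str         # security level of the NE and of its linked security NE
    latency_ms: float
    bandwidth_mbps: float
    cpu: float         # physical resource consumption (vCPUs)
    mem_gb: float

@dataclass
class Requirements:
    """Application requirement information, incl. the second security level parameter."""
    level: str
    functions: List[str]
    max_latency_ms: float
    min_bandwidth_mbps: float
    max_cpu: float     # physical resource consumption condition, modelled as a budget
    max_mem_gb: float

Individual = Dict[str, AppNE]  # one application NE per required category

def first_ne_set(pool: List[AppNE], req: Requirements) -> List[AppNE]:
    """S610: the NE set corresponding to the second security level parameter."""
    return [ne for ne in pool if ne.level == req.level and ne.function in req.functions]

def ne_ok(ne: AppNE, req: Requirements) -> bool:
    return ne.latency_ms <= req.max_latency_ms and ne.bandwidth_mbps >= req.min_bandwidth_mbps

def meets_requirements(ind: Individual, req: Requirements) -> bool:
    return all(ne_ok(ne, req) for ne in ind.values())

def resource_ok(ind: Individual, req: Requirements) -> bool:
    """S640 condition: total physical resource consumption within the limit."""
    return (sum(ne.cpu for ne in ind.values()) <= req.max_cpu
            and sum(ne.mem_gb for ne in ind.values()) <= req.max_mem_gb)

def fitness(ind: Individual, req: Requirements) -> float:
    """Assumed fitness: one point per NE meeting the requirements, minus a resource penalty."""
    good = sum(1 for ne in ind.values() if ne_ok(ne, req))
    penalty = (sum(ne.cpu for ne in ind.values()) / req.max_cpu
               + sum(ne.mem_gb for ne in ind.values()) / req.max_mem_gb) / 2
    return good - penalty

def crossover(a: Individual, b: Individual, rng: random.Random) -> Individual:
    """S620 crossover: per category, take the whole app-NE/security-NE pair from a or b.
    Both parents hold the same security level, so the links need no repair."""
    return {f: (a[f] if rng.random() < 0.5 else b[f]) for f in a}

def mutate(ind: Individual, candidates: Dict[str, List[AppNE]],
           rng: random.Random, rate: float) -> Individual:
    """S620 mutation: regenerate an NE from another candidate of the same category."""
    out = dict(ind)
    for f in out:
        if rng.random() < rate and len(candidates[f]) > 1:
            out[f] = rng.choice([ne for ne in candidates[f] if ne != out[f]])
    return out

def evolve_slice(pool: List[AppNE], req: Requirements, generations: int = 100,
                 pop_size: int = 8, seed: int = 0) -> Optional[Individual]:
    """S610-S640: iterate crossover/mutation/selection until an NE set meets both the
    application requirements and the physical resource consumption condition."""
    rng = random.Random(seed)
    by_func: Dict[str, List[AppNE]] = {}
    for ne in first_ne_set(pool, req):
        by_func.setdefault(ne.function, []).append(ne)
    missing = [f for f in req.functions if f not in by_func]
    if missing:
        raise LookupError(f"no NE of level {req.level!r} for {missing}")
    population = [{f: rng.choice(by_func[f]) for f in req.functions} for _ in range(pop_size)]
    for _ in range(generations):
        population.sort(key=lambda ind: fitness(ind, req), reverse=True)
        best = population[0]
        if meets_requirements(best, req) and resource_ok(best, req):
            return best  # S630/S640: third NE set found, the slice can be formed
        survivors = population[:max(2, pop_size // 2)]  # survival of the fittest
        children = []
        while len(survivors) + len(children) < pop_size:
            a, b = rng.sample(survivors, 2)
            children.append(mutate(crossover(a, b, rng), by_func, rng, 0.3))
        population = survivors + children
    return None  # no NE set met the physical resource consumption condition

# Constructed sample pool: several high-level candidates per function (some too slow,
# one too costly) plus a medium-level NE that S610 must leave out.
SAMPLE_POOL = [
    AppNE("AMF-h1", "AMF", "high", 5, 100, 4, 8),
    AppNE("AMF-h2", "AMF", "high", 30, 100, 1, 2),   # latency too high
    AppNE("AMF-h3", "AMF", "high", 8, 200, 16, 32),  # exceeds the CPU/memory budget
    AppNE("SMF-h1", "SMF", "high", 6, 80, 2, 4),
    AppNE("SMF-h2", "SMF", "high", 4, 40, 2, 4),     # bandwidth too low
    AppNE("AUSF-h1", "AUSF", "high", 3, 60, 2, 2),
    AppNE("AUSF-h2", "AUSF", "high", 50, 60, 1, 1),  # latency too high
    AppNE("AMF-m1", "AMF", "medium", 1, 500, 1, 1),
]
SAMPLE_REQ = Requirements("high", ["AMF", "SMF", "AUSF"], 10, 50, 10, 20)
```

Calling `evolve_slice(SAMPLE_POOL, SAMPLE_REQ)` returns the only set that meets every requirement within the budget; tightening `max_cpu` below that set's consumption makes the search exhaust its iterations and return `None`.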
通过本公开实施例的安全网络构建方法,5G网络切片技术可以面向不同垂直行业用户,满足不同应用的差异化安全需求,能够针对不同业务功能的虚拟网络切片的安全保护机制需要作出相应调整和改变,保障对行业用户和应用按需提供灵活、可定制性的差异化安全机制,保障信息的合法使用。Through the security network construction method of the embodiment of the present disclosure, the 5G network slicing technology can be oriented to users in different vertical industries, meet the differentiated security requirements of different applications, and can make corresponding adjustments and changes to the security protection mechanism of virtual network slicing with different business functions. , to ensure that industry users and applications are provided with flexible and customizable differentiated security mechanisms on demand to ensure the legitimate use of information.
FIG. 7 is a schematic structural diagram of a secure network construction apparatus provided by an embodiment of the present disclosure. As shown in FIG. 7, the secure network construction apparatus may include a configuration module 710, a network element search module 720 and a network element management module 730.
The configuration module 710 is configured to obtain configuration information of at least one network slice, the configuration information including a first security level parameter of the network slice.
The network element search module 720 is configured to obtain at least one target standard network element corresponding to the first security level parameter.
The network element management module 730 is configured to generate routing rules according to the at least one target standard network element and at least one target security network element.
The network management module 740 is configured to determine the secure network according to the routing rules, the target standard network element and the target security network element.
In some embodiments, the configuration information further includes configuration parameters of the network slice.
In some embodiments, the secure network system further includes a network element establishment module, and the network element establishment module includes a plurality of network elements corresponding to the first security level parameter;
the network element search module searches the network element establishment module for a first network element that satisfies the configuration information of the network slice; if the network element establishment module includes the first network element and the running state of the first network element is normal, the network element search module determines the first network element as the target standard network element.
In some embodiments, if the network element establishment module does not include a first network element that satisfies the configuration information of the network slice, the network element establishment module establishes, according to the configuration parameters of the network slice, a second network element corresponding to the first security level parameter; the network element search module obtains the running state of the second network element; if the running state of the second network element is normal, the network element search module determines the second network element as the target standard network element.
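The following Python simulation is added here as an illustration of the module flow described above; it is not code from the patent or its applicants. It walks each slice configuration through the modules: the search module looks in the establishment module's pool for a first network element that matches the slice configuration and is in a normal running state, otherwise has a second network element established from the slice's configuration parameters; the management module then links the target standard network element with the security network elements of the same security level to produce routing rules, and the network-management step assembles the result. The class names, the `NetworkElement` fields, the routing-rule format and the sample pool are assumptions made for this example, as is the handling of a first network element that exists but is not in a normal state (a second one is established), which the embodiment leaves unspecified.

```python
"""Secure-network construction flow: configuration -> NE search -> routing rules -> network.
All names, fields and sample data below are assumptions for this example (not from the patent)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NetworkElement:
    name: str
    security_level: int                                   # security level the NE supports
    running_state: str = "normal"                         # "normal" or "fault"
    params: Dict[str, str] = field(default_factory=dict)  # slice configuration it satisfies


class NEEstablishmentModule:
    """Pool of existing network elements; can establish a new one on demand."""

    def __init__(self, pool: List[NetworkElement]):
        self.pool = list(pool)   # copy so the caller's sample data is never mutated
        self._counter = 0

    def find(self, level: int, params: Dict[str, str]) -> Optional[NetworkElement]:
        # "first network element": matches the level and every configuration parameter
        for ne in self.pool:
            if ne.security_level == level and all(ne.params.get(k) == v for k, v in params.items()):
                return ne
        return None

    def establish(self, level: int, params: Dict[str, str]) -> NetworkElement:
        # "second network element": built from the slice's configuration parameters
        self._counter += 1
        ne = NetworkElement(f"ne-new-{self._counter}", level, "normal", dict(params))
        self.pool.append(ne)
        return ne


class NESearchModule:
    def __init__(self, establishment: NEEstablishmentModule):
        self.establishment = establishment

    def target_standard_ne(self, config: dict) -> NetworkElement:
        level, params = config["security_level"], config.get("params", {})
        ne = self.establishment.find(level, params)
        if ne is None or ne.running_state != "normal":
            # assumption: a missing or faulty first NE both lead to establishing a second NE
            ne = self.establishment.establish(level, params)
        if ne.running_state != "normal":
            raise RuntimeError(f"{ne.name} is not in a normal running state")
        return ne


class NEManagementModule:
    def __init__(self, security_nes: List[NetworkElement]):
        self.security_nes = security_nes

    def generate_routing_rules(self, standard: NetworkElement, level: int) -> List[dict]:
        # link the target standard NE with every healthy security NE of the required level
        targets = [s for s in self.security_nes
                   if s.security_level == level and s.running_state == "normal"]
        if not targets:
            raise RuntimeError(f"no security network element available for level {level}")
        return [{"from": standard.name, "via": s.name, "level": level} for s in targets]


def build_secure_network(configs: List[dict], pool: List[NetworkElement],
                         security_nes: List[NetworkElement]) -> dict:
    """Network-management step: determine the secure network from rules and target NEs."""
    search = NESearchModule(NEEstablishmentModule(pool))
    manage = NEManagementModule(security_nes)
    network: dict = {"slices": {}}
    for cfg in configs:
        std = search.target_standard_ne(cfg)
        rules = manage.generate_routing_rules(std, cfg["security_level"])
        network["slices"][cfg["slice_id"]] = {
            "standard_ne": std.name,
            "security_nes": sorted(r["via"] for r in rules),
            "routing_rules": rules,
        }
    return network


# Constructed sample data (not from the patent): one usable level-2 NE, one faulty level-3 NE.
SAMPLE_POOL = [
    NetworkElement("ne-std-a", 2, "normal", {"region": "east"}),
    NetworkElement("ne-std-b", 3, "fault", {"region": "east"}),
]
SAMPLE_SECURITY_NES = [NetworkElement("ne-sec-l2", 2), NetworkElement("ne-sec-l3", 3)]
SAMPLE_CONFIGS = [
    {"slice_id": "slice-iot", "security_level": 2, "params": {"region": "east"}},
    {"slice_id": "slice-finance", "security_level": 3, "params": {"region": "east"}},
]

if __name__ == "__main__":
    net = build_secure_network(SAMPLE_CONFIGS, SAMPLE_POOL, SAMPLE_SECURITY_NES)
    for slice_id, entry in net["slices"].items():
        print(slice_id, entry["standard_ne"], "->", entry["security_nes"])
```

In the sample run the IoT slice reuses the existing level-2 element, while the finance slice finds only a faulty level-3 element and therefore gets a freshly established one; in both cases the routing rule pairs the standard element with a security element of exactly the requested level, which is the property that keeps a lower-level slice from being routed through a higher-level security element by accident.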
In some embodiments, the secure network system further includes a network element planning module; after the secure network is determined, the method further includes: the network element planning module obtains application requirement information of the secure network slice; and the network element planning module obtains, according to a genetic algorithm, target application network elements that meet the application requirement information from the secure network, to obtain the secure network slice.
In some embodiments, the application requirement information includes a second security level parameter required by the secure network slice; the network element planning module obtaining, according to the genetic algorithm, the target application network elements that meet the application requirement information from the secure network to obtain the secure network slice includes:
the network element planning module obtains, according to the second security level parameter, a first network element set corresponding to the second security level parameter; performs a crossover operation and a mutation operation on the first network element set to obtain a second network element set; obtains, from the second network element set, a third network element set that meets the application requirement information; and obtains the secure network slice according to the third network element set.
In some embodiments, the first network element set includes at least one first application network element of at least one category, and each first application network element is linked to a security network element corresponding to the security level parameter; the network element planning module performing the crossover operation and the mutation operation on the first network element set to obtain the second network element set includes: performing the crossover operation on the first application network element and the security network element of each category in the first network element set to obtain a fourth network element set; and performing the mutation operation on the fourth network element set to obtain the second network element set.
In some embodiments, performing the mutation operation on the fourth network element set to obtain the second network element set includes: the network element planning module obtains and selects, according to the application requirement information, from the fourth network element set at least one second application network element that meets the application requirement and a third application network element that does not meet the application requirement information; and obtains the second network element set according to each second application network element and each third application network element.
In some embodiments, the network element planning module obtaining the secure network slice according to the third network element set includes: if the physical resource consumption required by the third network element set satisfies the physical resource consumption condition, obtaining the secure network slice according to the third network element set.
In some embodiments, if the physical resource consumption required by the third network element set does not satisfy the physical resource consumption condition, the network element planning module continues the iterative calculation of the crossover operation and the mutation operation on the third network element set until a network element set whose physical resource consumption satisfies the physical resource consumption condition is obtained, from which the secure network slice is obtained.
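The Python example below is added to make the planning-module embodiments concrete, and also serves the iteration and fitness description given earlier in this section; it is not the patent's own code. It runs the steps in order: the first network element set for the required (second) security level, a crossover that re-links each application network element with a security network element of that level, a mutation that recombines the network elements that do not meet the requirement with those that do, the third set filtered by the application requirement, the physical-resource check, and the survival-of-the-fittest pruning that drives the next iteration. The fitness function, the resource model (a CPU budget), the one-unit-per-level re-linking cost, the averaging mutation and the sample network elements are all assumptions made for this example; the patent defines none of them.

```python
"""Genetic-algorithm selection of application NEs for a secure network slice.
Fitness, resource model, mutation rule and sample data are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AppNE:
    name: str
    category: str        # e.g. "gateway", "auth", "storage"
    security_level: int  # level of the security NE this application NE is linked to
    latency_ms: int      # constructed quality attribute
    cpu: int             # constructed physical resource consumption


@dataclass(frozen=True)
class Requirement:
    security_level: int   # second security level parameter of the slice
    max_latency_ms: int   # application requirement
    cpu_budget: int       # physical resource consumption condition
    categories: frozenset  # categories the slice must contain


def meets(ne: AppNE, req: Requirement) -> bool:
    return ne.security_level >= req.security_level and ne.latency_ms <= req.max_latency_ms


def fitness(ne: AppNE, req: Requirement) -> float:
    """Higher is better: zero below the required level, otherwise latency headroom per cost unit."""
    if ne.security_level < req.security_level:
        return 0.0
    return max(0, req.max_latency_ms - ne.latency_ms) / (1 + ne.cpu)


def crossover(first_set: List[AppNE], req: Requirement) -> List[AppNE]:
    """Fourth set: re-link each application NE with a security NE of the required level
    (assumption: each level stepped up costs one CPU unit)."""
    fourth = []
    for ne in first_set:
        if ne.security_level < req.security_level:
            step = req.security_level - ne.security_level
            ne = AppNE(ne.name, ne.category, req.security_level, ne.latency_ms, ne.cpu + step)
        fourth.append(ne)
    return fourth


def mutate(fourth_set: List[AppNE], req: Requirement) -> List[AppNE]:
    """Second set: keep the NEs that meet the requirement (second application NEs) and derive
    one offspring from each NE that does not (third application NEs) by averaging it with the
    fittest conforming NE of the same category."""
    second = [ne for ne in fourth_set if meets(ne, req)]
    result = list(second)
    for bad in [ne for ne in fourth_set if not meets(ne, req)]:
        partners = [ne for ne in second if ne.category == bad.category]
        if not partners:
            result.append(bad)  # nothing to recombine with; carried over unchanged
            continue
        good = max(partners, key=lambda ne: fitness(ne, req))
        result.append(AppNE(bad.name + "'", bad.category, req.security_level,
                            (bad.latency_ms + good.latency_ms) // 2, (bad.cpu + good.cpu + 1) // 2))
    return result


def resource_ok(third_set: List[AppNE], req: Requirement) -> bool:
    """Physical resource consumption condition: every category present and CPU within budget."""
    covered = {ne.category for ne in third_set}
    return covered >= req.categories and sum(ne.cpu for ne in third_set) <= req.cpu_budget


def prune(third_set: List[AppNE], req: Requirement) -> List[AppNE]:
    """Survival of the fittest: drop the lowest-fitness NE whose category is still covered
    by another NE, so that no required category disappears."""
    counts: Dict[str, int] = {}
    for ne in third_set:
        counts[ne.category] = counts.get(ne.category, 0) + 1
    removable = [ne for ne in third_set if counts[ne.category] > 1]
    if not removable:
        raise RuntimeError("physical resource condition cannot be satisfied")
    victim = min(removable, key=lambda ne: (fitness(ne, req), ne.name))
    return [ne for ne in third_set if ne is not victim]


def plan_slice(first_set: List[AppNE], req: Requirement, max_generations: int = 20) -> Tuple[int, List[str]]:
    """Iterate crossover -> mutation -> filter -> resource check until the condition holds."""
    population = list(first_set)
    for generation in range(1, max_generations + 1):
        third = [ne for ne in mutate(crossover(population, req), req) if meets(ne, req)]
        if resource_ok(third, req):
            return generation, sorted(ne.name for ne in third)
        population = prune(third, req)
    raise RuntimeError("no slice found within the generation limit")


# Constructed sample data (not from the patent).
SAMPLE_REQUIREMENT = Requirement(3, 20, 14, frozenset({"gateway", "auth", "storage"}))
SAMPLE_FIRST_SET = [
    AppNE("g1", "gateway", 3, 10, 4), AppNE("g2", "gateway", 2, 30, 2),
    AppNE("a1", "auth", 3, 25, 3),    AppNE("a2", "auth", 1, 15, 3),
    AppNE("s1", "storage", 3, 12, 5), AppNE("s2", "storage", 3, 40, 1),
]

if __name__ == "__main__":
    print(plan_slice(SAMPLE_FIRST_SET, SAMPLE_REQUIREMENT))
```

With the sample data the first generation produces offspring that just meet the latency requirement but push the total CPU to 22, above the budget of 14; the pruning step removes the zero-fitness offspring one per generation, and the third generation returns the set g1, a2 and s1 (CPU 14), all linked to a level-3 security network element. The generation cap is the practical safeguard the text implies but does not state: without it, a requirement that no combination can satisfy would loop indefinitely.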
It can be understood that the secure network construction apparatus of the embodiment of the present disclosure may correspond to the execution body of the secure network construction method described in the embodiment of the present disclosure, and the specific details of the operations and/or functions of each module/unit of the secure network construction apparatus may be found in the description of the corresponding parts of the secure network construction method described in the above embodiments of the present disclosure, which are not repeated here for brevity.
In the secure network construction apparatus of the embodiment of the present disclosure, because the configuration information for constructing the secure network includes the required network slice and the required security level, the target network element is linked with the security network element of the corresponding required security level when the secure network is constructed, so that the secure network can support the construction and application of network slices with different security level requirements, providing flexible and customizable differentiated security protection for the needs of industry users and applications, while also reducing the complexity of the network and the cost of constructing the secure network.
FIG. 8 is a schematic diagram of the hardware structure of a secure network construction device provided by an embodiment of the present disclosure.
As shown in FIG. 8, the secure network construction device 800 in this embodiment includes an input device 801, an input interface 802, a central processing unit 803, a memory 804, an output interface 805 and an output device 806. The input interface 802, the central processing unit 803, the memory 804 and the output interface 805 are connected to one another through a bus 810, and the input device 801 and the output device 806 are connected to the bus 810 through the input interface 802 and the output interface 805 respectively, and thereby to the other components of the secure network construction device 800.
Specifically, the input device 801 receives input information from outside and transmits it to the central processing unit 803 through the input interface 802; the central processing unit 803 processes the input information based on the computer-executable instructions stored in the memory 804 to generate output information, stores the output information temporarily or permanently in the memory 804, and then transmits the output information to the output device 806 through the output interface 805; the output device 806 outputs the output information to the outside of the secure network construction device 800 for use by the user.
That is to say, the secure network construction device shown in FIG. 8 may also be implemented to include a memory storing computer-executable instructions, and a processor which, when executing the computer-executable instructions, can implement the secure network construction method described in conjunction with the embodiments of the present disclosure.
In one embodiment, the secure network construction device 800 shown in FIG. 8 includes: a memory 804 for storing a program; and a processor 803 for running the program stored in the memory to perform the secure network construction method provided by the embodiments of the present disclosure.
An embodiment of the present disclosure further provides a computer-readable storage medium on which computer program instructions are stored; when the computer program instructions are executed by a processor, the secure network construction method provided by the embodiments of the present disclosure is implemented.
It should be made clear that the present disclosure is not limited to the specific configurations and processes described above and illustrated in the figures. For brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and illustrated as examples. However, the method process of the present disclosure is not limited to the specific steps described and illustrated; those skilled in the art may make various changes, modifications and additions, or change the order of the steps, after grasping the spirit of the present disclosure.
The functional blocks shown in the structural block diagrams described above may be implemented as hardware, software, firmware or a combination thereof. When implemented in hardware, they may be, for example, an electronic circuit, an application specific integrated circuit (ASIC), suitable firmware, a plug-in, a function card, and so on. When implemented in software, the elements of the present disclosure are programs or code segments used to perform the required tasks. The programs or code segments may be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, read-only memory (ROM), flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber-optic media, radio frequency (RF) links, and so on. The code segments may be downloaded via a computer network such as the Internet or an intranet.
It should also be noted that the exemplary embodiments mentioned in the present disclosure describe some methods or systems based on a series of steps or apparatuses. However, the present disclosure is not limited to the order of the above steps; that is, the steps may be performed in the order mentioned in the embodiments, in an order different from that in the embodiments, or several steps may be performed simultaneously.
The above are only specific implementations of the present disclosure. Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated here. It should be understood that the protection scope of the present disclosure is not limited thereto; any person skilled in the art can easily conceive of various equivalent modifications or replacements within the technical scope disclosed in the present disclosure, and these modifications or replacements should all fall within the protection scope of the present disclosure.

Claims (13)

  1. A secure network construction method, applied to a secure network system, the system including a configuration module, a network element search module and a network element management module; the method including:
    the configuration module obtaining configuration information of at least one network slice, the configuration information including a first security level parameter of the network slice;
    the network element search module obtaining at least one target standard network element corresponding to the first security level parameter;
    the network element management module generating routing rules according to the at least one target standard network element and at least one target security network element;
    the network management module determining a secure network according to the routing rules, the target standard network element and the target security network element.
  2. The method according to claim 1, wherein the configuration information further includes configuration parameters of the network slice.
  3. The method according to claim 2, wherein the secure network system further includes a network element establishment module, the network element establishment module including a plurality of network elements corresponding to the first security level parameter;
    the network element search module searches the network element establishment module for a first network element that satisfies the configuration information of the network slice;
    if the network element establishment module includes the first network element and the running state of the first network element is normal, the network element search module determines the first network element as the target standard network element.
  4. The method according to claim 3, further including:
    if the network element establishment module does not include a first network element that satisfies the configuration information of the network slice, the network element establishment module establishing, according to the configuration parameters of the network slice, a second network element corresponding to the first security level parameter;
    the network element search module obtaining the running state of the second network element;
    if the running state of the second network element is normal, the network element search module determining the second network element as the target standard network element.
  5. The method according to claim 1, wherein the secure network system further includes a network element planning module; after the determining the secure network, the method further includes:
    the network element planning module obtaining application requirement information of a secure network slice;
    the network element planning module obtaining, according to a genetic algorithm, target application network elements that meet the application requirement information from the secure network, to obtain the secure network slice.
  6. The method according to claim 5, wherein the application requirement information includes a second security level parameter required by the secure network slice;
    the obtaining, according to the genetic algorithm, the target application network elements that meet the application requirement information from the secure network to obtain the secure network slice includes:
    obtaining, according to the second security level parameter, a first network element set corresponding to the second security level parameter;
    performing a crossover operation and a mutation operation on the first network element set to obtain a second network element set;
    obtaining, from the second network element set, a third network element set that meets the application requirement information;
    obtaining the secure network slice according to the third network element set.
  7. The method according to claim 6, wherein the first network element set includes at least one first application network element of at least one category, each first application network element being linked to a security network element corresponding to the security level parameter;
    the performing the crossover operation and the mutation operation on the first network element set to obtain the second network element set includes:
    performing the crossover operation on the first application network element and the security network element of each category in the first network element set to obtain the fourth network element set;
    performing the mutation operation on the fourth network element set to obtain the second network element set.
  8. The method according to claim 7, wherein the performing the mutation operation on the fourth network element set to obtain the second network element set includes:
    obtaining and selecting, according to the application requirement information, from the fourth network element set at least one second application network element that meets the application requirement and a third application network element that does not meet the application requirement information;
    obtaining the second network element set according to each second application network element and each third application network element.
  9. The method according to claim 6 or 7, wherein the obtaining the secure network slice according to the third network element set includes:
    if the physical resource consumption required by the third network element set satisfies a physical resource consumption condition, obtaining the secure network slice according to the third network element set.
  10. The method according to claim 8, further including:
    if the physical resource consumption required by the third network element set does not satisfy the physical resource consumption condition, continuing the iterative calculation of the crossover operation and the mutation operation on the third network element set until a network element set whose physical resource consumption satisfies the physical resource consumption condition is obtained, to obtain the secure network slice.
  11. A secure network construction apparatus, including:
    a configuration module, configured to obtain configuration information of at least one network slice, the configuration information including a first security level parameter of the network slice;
    a network element search module, configured to obtain at least one target standard network element corresponding to the first security level parameter;
    a network element management module, configured to generate routing rules according to the at least one target standard network element and at least one target security network element;
    a network management module, configured to determine a secure network according to the routing rules, the target standard network element and the target security network element.
  12. A secure network construction device, including a processor, and a memory storing computer program instructions;
    the processor reading and executing the computer program instructions to implement the secure network construction method according to any one of claims 1 to 10.
  13. A computer storage medium on which computer program instructions are stored, the computer program instructions, when executed by a processor, implementing the secure network construction method according to any one of claims 1 to 10.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010599875.3 2020-06-28
CN202010599875.3A CN113852479B (en) 2020-06-28 2020-06-28 Secure network construction method, device, equipment and computer storage medium

Publications (1)

Publication Number Publication Date
WO2022001004A1 true WO2022001004A1 (en) 2022-01-06

Family

ID=78972582

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/134819 WO2022001004A1 (en) 2020-06-28 2020-12-09 Secure network construction method and apparatus, device, and computer storage medium

Country Status (2)

Country Link
CN (1) CN113852479B (en)
WO (1) WO2022001004A1 (en)


Also Published As

Publication number Publication date
CN113852479A (en) 2021-12-28
CN113852479B (en) 2022-12-02

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20942826

Country of ref document: EP

Kind code of ref document: A1

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 03/07/2023)