CN115113982B - A security resource pool security service matching method, device and storage medium - Google Patents

Publication number: CN115113982B
Authority: CN (China)
Legal status: Active
Application number: CN202210824160.2A
Other languages: Chinese (zh)
Other versions: CN115113982A (en
Inventors: 程筱彪, 徐雷
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F9/505 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering the load
    • G06F9/5077 Logical partitioning of resources; Management or configuration of virtualized resources
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2209/5011 Pool

Abstract

The invention provides a security resource pool security service matching method, device and storage medium. The method comprises: periodically collecting the real-time performance indexes of each container corresponding to a target security module in the security resource pool; obtaining a real-time capability value for each container from its real-time performance indexes; acquiring a target security service requirement of a target platform for the target security module and, in response to that requirement, sorting the containers by real-time capability value; and selecting, from the sorted containers, the container with the largest real-time capability value to provide the target security service to the target platform. The method, device and storage medium address the poor matching of existing schemes, which generally poll all container resources and do not take into account that, in a cloud environment, resources change quickly and different requirements consume very different amounts of security resources.

Description

Secure resource pool secure service matching method, device and storage medium
Technical Field
The present invention relates to the field of network technologies, and in particular, to a method, an apparatus, and a storage medium for secure service matching in a secure resource pool.
Background
Traditional security measures are not suited to boundary protection in a cloud environment, so virtualization technology is used to run security product capabilities in a pooled virtual environment. Because the cloud environment changes frequently, however, ensuring that a new security service requirement is connected to the most suitable security resource becomes a difficult point.
The existing matching scheme usually polls all container resources so that every security resource receives approximately the same number of accesses. This scheme does not take into account that, in a cloud environment, resources change quickly and different requirements consume very different amounts of security resources: an accessed resource may soon be destroyed and no longer occupy the security resource, or some requirements may consume far more security resources than others. The actual load on the security resources therefore varies widely, and matching is poor.
Disclosure of Invention
The technical problem to be solved by the invention is to provide, in view of the above defects of the prior art, a security resource pool security service matching method, device and storage medium that at least solve the problem of poor matching caused by existing matching schemes, which generally poll all container resources and do not take into account that, in a cloud environment, resources change quickly and different requirements consume very different amounts of security resources.
In a first aspect, the present invention provides a method for matching security services of a security resource pool, the method comprising:
periodically counting real-time performance indexes of each container corresponding to the target security module in the security resource pool;
obtaining a real-time capability value of each container according to the real-time performance index of each container;
acquiring a target security service requirement of a target platform aiming at the target security module, and sequencing each container according to the real-time capability value according to the target security service requirement;
selecting the container with the largest real-time capability value from the sorted containers to provide the target security service for the target platform.
Further, the real-time performance index includes a CPU real-time index, a bandwidth real-time index and a memory real-time index, and obtaining the real-time capability value of each container according to the real-time performance index of each container specifically comprises:
calculating to obtain CPU proportion values, bandwidth proportion values and memory proportion values of all containers according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container;
Respectively carrying out normalization processing on the CPU proportion value, the bandwidth proportion value and the memory proportion value;
calculating the load score of each container according to the CPU proportion value, the bandwidth proportion value and the memory proportion value after normalization processing;
Obtaining a residual load score list of each container under the target security module according to the load scores;
and calculating the real-time capability value of each container according to the residual load score of each container in the residual load score list.
Further, the calculating according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container obtains the CPU proportion value, the bandwidth proportion value and the memory proportion value of all containers specifically includes:
Dividing the sum of CPU maximum performance indexes of all containers corresponding to the target security module by the sum of CPU real-time indexes of all containers corresponding to the target security module to obtain CPU proportion values of all containers;
dividing the sum of bandwidth maximum performance indexes of all containers corresponding to the target security module by the sum of bandwidth real-time indexes of all containers corresponding to the target security module to obtain bandwidth proportion values of all containers;
dividing the sum of the maximum performance indexes of the memories of all the containers corresponding to the target security module by the sum of the real-time indexes of the memories of all the containers corresponding to the target security module to obtain the memory proportion value of all the containers.
Further, the normalizing process is performed on the CPU ratio value, the bandwidth ratio value, and the memory ratio value, and specifically includes:
Dividing the CPU proportion value by the sum of all proportion values to obtain a normalized CPU proportion value;
Dividing the bandwidth proportion value by the sum of all proportion values to obtain a normalized bandwidth proportion value;
dividing the memory proportion value by the sum of all the proportion values to obtain a normalized memory proportion value.
Further, the calculating the load score of each container according to the CPU proportion value, the bandwidth proportion value and the memory proportion value after normalization processing specifically includes:
Calculating the load score for each container according to the following formula:
$$S_x = W_C \cdot X_C + W_B \cdot X_B + W_M \cdot X_M$$
where $S_x$ represents the load score of the xth container, $W_C$ represents the CPU ratio value after normalization, $W_B$ represents the bandwidth ratio value after normalization, $W_M$ represents the memory ratio value after normalization, $X_C$ represents the average CPU load of the xth container, $X_B$ represents the average bandwidth load of the xth container, and $X_M$ represents the average memory load of the xth container, and the values of $W_C$, $W_B$ and $W_M$ range from 0% to 100%.
Further, the obtaining the residual load score list of each container under the target security module according to the load score specifically includes:
Subtracting the load score of each container from 1 to obtain a residual load score of each container;
And constructing the residual load score list according to the residual load score of each container.
Further, the calculating the real-time capability value of each container according to the residual load score of each container in the residual load score list specifically includes:
The real-time capability value for each container is calculated according to the following formula:
Where $R(S_x)$ represents the real-time capability value of the xth container, $S_x$ represents the load score of the xth container, $1-S_x$ represents the residual load score of the xth container, Representing the sum of the remaining load scores for all containers.
In a second aspect, the present invention provides a security service matching apparatus for a security resource pool, including:
the index statistics module is used for periodically counting the real-time performance index of each container corresponding to the target security module in the security resource pool;
the capacity value acquisition module is connected with the index statistics module and is used for acquiring the real-time capacity value of each container according to the real-time performance index of each container;
the capacity value ordering module is connected with the capacity value obtaining module and is used for obtaining target safety service requirements of a target platform aiming at the target safety module, and ordering each container according to the real-time capacity values according to the target safety service requirements;
And the security service matching module is connected with the capability value ordering module and is used for selecting the container with the largest real-time capability value from the ordered containers to provide the target security service for the target platform.
In a third aspect, the present invention provides a secure resource pool secure service matching apparatus, comprising a memory and a processor, the memory storing a computer program, the processor being arranged to run the computer program to implement the secure resource pool secure service matching method of the first aspect.
In a fourth aspect, the present invention provides a computer readable storage medium, on which a computer program is stored, the computer program implementing the secure resource pool secure service matching method according to the first aspect, when executed by a processor.
According to the security resource pool security service matching method, the security resource pool security service matching device and the storage medium, provided by the invention, under the conditions that the resource change speed is high and the consumption difference of different requirements on security resources is very large in a cloud environment, firstly, the real-time performance index of each container corresponding to a target security module in the security resource pool is counted periodically, then the real-time capacity value of each container is obtained according to the real-time performance index of each container, when the target security service requirement of a target platform for the target security module is obtained, each container is ordered according to the real-time capacity value according to the target security service requirement, and the container with the largest real-time capacity value is selected from the ordered containers to provide the target security service for the target platform.
Drawings
FIG. 1 is a flow chart of a secure resource pool secure service matching method according to embodiment 1 of the present invention;
Fig. 2 is a schematic structural diagram of a secure resource pool secure service matching apparatus according to embodiment 2 of the present invention;
fig. 3 is a schematic structural diagram of a secure resource pool security service matching device according to embodiment 3 of the present invention.
Detailed Description
In order to make the technical scheme of the present invention better understood by those skilled in the art, the following detailed description of the embodiments of the present invention will be given with reference to the accompanying drawings.
It is to be understood that the specific embodiments and figures described herein are merely illustrative of the invention, and are not limiting of the invention.
It is to be understood that the various embodiments of the invention and the features of the embodiments may be combined with each other without conflict.
It is to be understood that only the portions relevant to the present invention are shown in the drawings for convenience of description, and the portions irrelevant to the present invention are not shown in the drawings.
It should be understood that each unit and module in the embodiments of the present invention may correspond to only one physical structure, may be formed by a plurality of physical structures, or may be integrated into one physical structure.
It will be appreciated that, without conflict, the functions and steps noted in the flowcharts and block diagrams of the present invention may occur out of the order noted in the figures.
It is to be understood that the flowcharts and block diagrams of the present invention illustrate the architecture, functionality, and operation of possible implementations of systems, apparatuses, devices, methods according to various embodiments of the present invention. Where each block in the flowchart or block diagrams may represent a unit, module, segment, code, or the like, which comprises executable instructions for implementing the specified functions. Moreover, each block or combination of blocks in the block diagrams and flowchart illustrations can be implemented by hardware-based systems that perform the specified functions, or by combinations of hardware and computer instructions.
It should be understood that the units and modules related in the embodiments of the present invention may be implemented by software, or may be implemented by hardware, for example, the units and modules may be located in a processor.
Example 1:
the embodiment provides a secure resource pool secure service matching method, as shown in fig. 1, which includes:
step S101: and periodically counting real-time performance indexes of each container corresponding to the target security module in the security resource pool.
In this embodiment, the security resource pool is the set of resources that provides security services within the cloud computing platform. Security resources are offered externally as services, and containers implement the functions of the original physical security devices. A security module is a collection of containers that provide the same security function. Each security module corresponds to one security capability; examples include firewall, virus detection, intrusion prevention, SSL/IPsec VPN, database audit, web protection, log audit, host disinfection, bastion host and baseline verification. The target security module may be any one of the security modules in the security resource pool.
Specifically, the management system may collect the real-time performance indexes of all containers in the security resource pool at a fixed period and classify the containers by the security capability they provide, or it may collect, at a fixed period, the real-time performance indexes of each container corresponding to a particular security module. The performance indexes characterize the performance of the container providing the corresponding security capability, and the real-time performance indexes may include a CPU real-time index, a bandwidth real-time index and a memory real-time index.
Step S102: and obtaining the real-time capability value of each container according to the real-time performance index of each container.
Optionally, the obtaining the real-time capability value of each container according to the real-time performance index of each container specifically includes:
calculating to obtain CPU proportion values, bandwidth proportion values and memory proportion values of all containers according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container;
Respectively carrying out normalization processing on the CPU proportion value, the bandwidth proportion value and the memory proportion value;
calculating the load score of each container according to the CPU proportion value, the bandwidth proportion value and the memory proportion value after normalization processing;
Obtaining a residual load score list of each container under the target security module according to the load scores;
and calculating the real-time capability value of each container according to the residual load score of each container in the residual load score list.
In this embodiment, because different performance indexes influence service performance differently, a separate proportion value is set for each of the three real-time performance indexes when calculating the load scores of different security modules. The higher the utilization of a given resource, the scarcer that resource is, so the average utilization of each of the three resources across all containers of the whole security module is taken as the proportion value of the corresponding performance index.
The calculating according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container to obtain the CPU proportion value, the bandwidth proportion value and the memory proportion value of all containers specifically includes:
Dividing the sum of CPU maximum performance indexes of all containers corresponding to the target security module by the sum of CPU real-time indexes of all containers corresponding to the target security module to obtain CPU proportion values of all containers;
dividing the sum of bandwidth maximum performance indexes of all containers corresponding to the target security module by the sum of bandwidth real-time indexes of all containers corresponding to the target security module to obtain bandwidth proportion values of all containers;
dividing the sum of the maximum performance indexes of the memories of all the containers corresponding to the target security module by the sum of the real-time indexes of the memories of all the containers corresponding to the target security module to obtain the memory proportion value of all the containers.
In this embodiment, taking a CPU as an example, the calculation formula of the CPU proportion values of all containers of the target security module is as follows:
where $w_C$ denotes the ratio value of the CPU, Representing the sum of the CPU maximum performance metrics for all containers of the target security module, And the sum of CPU real-time indexes of all containers of the target security module is represented, n is the total number of all containers of the target security module, and the maximum performance index refers to the maximum supportable performance index of the corresponding container.
Optionally, the normalizing the CPU ratio value, the bandwidth ratio value, and the memory ratio value respectively specifically includes:
Dividing the CPU proportion value by the sum of all proportion values to obtain a normalized CPU proportion value;
Dividing the bandwidth proportion value by the sum of all proportion values to obtain a normalized bandwidth proportion value;
dividing the memory proportion value by the sum of all the proportion values to obtain a normalized memory proportion value.
In this embodiment, the sum of all the ratio values is the sum of the ratio value of the CPU, the ratio value of the bandwidth and the ratio value of the memory, and taking the CPU as an example, the formula for normalizing the ratio value of the CPU is as follows:
Where $W_C$ represents the CPU ratio value after normalization, $w_C$ represents the ratio value of the CPU, $w_B$ represents the ratio value of the bandwidth, and $w_M$ represents the ratio value of the memory.
Optionally, the calculating the load score of each container according to the CPU proportion value, the bandwidth proportion value and the memory proportion value after normalization processing specifically includes:
Calculating the load score for each container according to the following formula:
$$S_x = W_C \cdot X_C + W_B \cdot X_B + W_M \cdot X_M$$
where $S_x$ represents the load score of the xth container, $W_C$ represents the CPU ratio value after normalization, $W_B$ represents the bandwidth ratio value after normalization, $W_M$ represents the memory ratio value after normalization, $X_C$ represents the average CPU load of the xth container, $X_B$ represents the average bandwidth load of the xth container, and $X_M$ represents the average memory load of the xth container, and the values of $W_C$, $W_B$ and $W_M$ range from 0% to 100%.
In this embodiment, after the normalized ratio value is obtained, the management system sequentially calculates the load scores of all the containers under the target security module, where the value range of x is 1 to n, and n is the total number of all the containers of the target security module.
Optionally, the obtaining the remaining load score list of each container under the target security module according to the load score specifically includes:
Subtracting the load score of each container from 1 to obtain a residual load score of each container;
And constructing the residual load score list according to the residual load score of each container.
In this embodiment, assuming that the target security module is the 1 st security module in the secure resource pool, and the number of containers is n, the constructed remaining load score list is as follows:
In the formula, Indicating the load score of the 1 st container under the 1 st security module,Indicating the remaining load score for the 1 st container under the 1 st security module.
Optionally, the calculating the real-time capability value of each container according to the residual load score of each container in the residual load score list specifically includes:
The real-time capability value for each container is calculated according to the following formula:
Where $R(S_x)$ represents the real-time capability value of the xth container, $S_x$ represents the load score of the xth container, $1-S_x$ represents the residual load score of the xth container, Representing the sum of the remaining load scores for all containers.
In this embodiment, the real-time capability value of each container is calculated according to the remaining load score of each container, and taking the target security module as the 1 st security module in the security resource pool as an example, the real-time capability value of the 1 st container in the 1 st security module is:
Wherein, Representing the sum of the remaining load scores of all containers of security module 1,Indicating the remaining load score for the 1 st container in the 1 st security module.
Step S103: acquiring a target security service requirement of a target platform aiming at the target security module, and sequencing each container according to the real-time capability value according to the target security service requirement;
Step S104: and selecting the container with the largest real-time capability value from the sequenced containers to provide the target security service for the target platform.
In this embodiment, when the target platform needs to use a security capability of the security resource pool, it applies to the management system for a container corresponding to that security capability to provide the security service. Specifically, when the target platform needs the security capability corresponding to the target security module, it sends a target security service requirement to the management system, and in response the management system sorts all containers under the target security module by their real-time capability values.
According to the secure resource pool secure service matching method provided by the embodiment of the invention, in consideration of the situations that the resource change speed is high and the consumption difference of different requirements on secure resources is large in a cloud environment, firstly, the real-time performance index of each container corresponding to a target secure module in the secure resource pool is counted periodically, then the real-time capability value of each container is obtained according to the real-time performance index of each container, when the target secure service requirement of a target platform for the target secure module is obtained, each container is ordered according to the real-time capability value according to the target secure service requirement, and the container with the largest real-time capability value is selected from the ordered containers to provide the target secure service for the target platform.
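Steps S102 to S104 of Example 1, worked through in Python as an added example (not code from the patent or its assignee): it computes the normalized proportion values, each container's load score and remaining load score, and the real-time capability value, then picks the highest-ranked container. Assumptions: the class and field names are hypothetical, each container's average load is taken as its real-time index divided by its maximum index, the capability value is taken as the remaining load score divided by the sum of all remaining load scores (the formula itself is not reproduced on this page), and the handling of idle and saturated pools is this example's choice. The sample figures are constructed.

```python
"""Added example: capability-value scoring for one security module's containers."""
from dataclasses import dataclass

RESOURCES = ("cpu", "bandwidth", "memory")
EPS = 1e-12  # tolerance for "no headroom left" after float rounding


@dataclass(frozen=True)
class Container:
    name: str
    realtime: dict  # real-time index per resource (hypothetical field name)
    maximum: dict   # maximum supported index per resource (hypothetical field name)


def normalized_weights(containers):
    """W_C, W_B, W_M: module-wide proportion values, normalised to sum to 1."""
    rt = {r: sum(c.realtime[r] for c in containers) for r in RESOURCES}
    mx = {r: sum(c.maximum[r] for c in containers) for r in RESOURCES}
    active = [r for r in RESOURCES if rt[r] > 0]
    if not active:
        # Nothing is loaded: every load score is 0 whatever the weights are.
        return {r: 1.0 / len(RESOURCES) for r in RESOURCES}
    # Division order as the steps on the page state it: max sum / real-time sum.
    # A resource with no measured load has no finite quotient and adds nothing
    # to any load score, so it is left out of the weighting (example's choice).
    w = {r: (mx[r] / rt[r] if r in active else 0.0) for r in RESOURCES}
    total = sum(w.values())
    return {r: w[r] / total for r in RESOURCES}


def load_score(container, weights):
    """S_x = W_C*X_C + W_B*X_B + W_M*X_M, with X assumed to be real-time/maximum."""
    score = 0.0
    for r in RESOURCES:
        if container.maximum[r] <= 0:
            raise ValueError(f"{container.name}: non-positive maximum for {r}")
        x = min(1.0, max(0.0, container.realtime[r] / container.maximum[r]))
        score += weights[r] * x
    return score


def capability_values(containers):
    """R(S_x) per container, assumed as (1 - S_x) / sum of all (1 - S_i)."""
    weights = normalized_weights(containers)
    remaining = {c.name: max(0.0, 1.0 - load_score(c, weights)) for c in containers}
    total = sum(remaining.values())
    if total <= EPS:  # every container is saturated: nothing to hand out
        return {name: 0.0 for name in remaining}
    return {name: rem / total for name, rem in remaining.items()}


def rank(containers):
    """(name, capability value) pairs, highest value first; ties broken by name."""
    values = capability_values(containers)
    return sorted(values.items(), key=lambda kv: (-kv[1], kv[0]))


def select(containers):
    """Name of the container to serve the request, or None if none has headroom."""
    ranked = rank(containers) if containers else []
    if not ranked or ranked[0][1] <= EPS:
        return None
    return ranked[0][0]


def make(name, cpu, bw, mem, cpu_max=4, bw_max=1000, mem_max=8):
    """Build a container record from constructed figures (cores, Mbit/s, GiB)."""
    return Container(name,
                     {"cpu": cpu, "bandwidth": bw, "memory": mem},
                     {"cpu": cpu_max, "bandwidth": bw_max, "memory": mem_max})


# Constructed sample: three containers of one firewall security module.
SAMPLE = [make("fw-a", 2, 800, 2), make("fw-b", 1, 200, 4), make("fw-c", 3, 500, 2)]

if __name__ == "__main__":
    for name, value in rank(SAMPLE):
        print(f"{name}: {value:.4f}")
    print("selected:", select(SAMPLE))
```

Because the capability values are shares of the module's total remaining load score, they only rank containers against each other; a caller that must refuse requests when the module is full needs the `None` result from `select`, not the shares.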
Example 2:
As shown in Fig. 2, this embodiment provides a secure resource pool secure service matching apparatus for executing the secure resource pool secure service matching method, including:
The index statistics module 11 is used for periodically collecting the real-time performance index of each container corresponding to the target security module in the security resource pool;
The capability value obtaining module 12 is connected with the index statistics module 11, and is used for obtaining the real-time capability value of each container according to the real-time performance index of each container;
The capability value sorting module 13 is connected with the capability value obtaining module 12, and is used for obtaining a target security service requirement of a target platform for the target security module, and sorting the containers by real-time capability value according to the target security service requirement;
The security service matching module 14 is connected with the capability value sorting module 13, and is used for selecting the container with the largest real-time capability value from the sorted containers to provide the target security service for the target platform.
Optionally, the real-time performance index includes a CPU real-time index, a bandwidth real-time index and a memory real-time index, and the capability value obtaining module 12 specifically includes:
The ratio value obtaining unit is used for calculating the CPU ratio value, the bandwidth ratio value and the memory ratio value of all the containers according to the CPU real-time index, the bandwidth real-time index and the memory real-time index of each container;
The normalization processing unit is used for normalizing the CPU ratio value, the bandwidth ratio value and the memory ratio value respectively;
The load scoring unit is used for calculating the load score of each container according to the normalized CPU ratio value, bandwidth ratio value and memory ratio value;
The score list unit is used for obtaining a remaining load score list of the containers under the target security module according to the load score;
The capability value calculating unit is used for calculating the real-time capability value of each container according to the remaining load score of each container in the remaining load score list.
Optionally, the ratio value obtaining unit specifically includes:
The first calculation unit is used for dividing the sum of the CPU maximum performance indexes of all containers corresponding to the target security module by the sum of the CPU real-time indexes of all containers corresponding to the target security module to obtain the CPU ratio value of all containers;
The second calculation unit is used for dividing the sum of the bandwidth maximum performance indexes of all containers corresponding to the target security module by the sum of the bandwidth real-time indexes of all containers corresponding to the target security module to obtain the bandwidth ratio value of all containers;
The third calculation unit is used for dividing the sum of the memory maximum performance indexes of all containers corresponding to the target security module by the sum of the memory real-time indexes of all containers corresponding to the target security module to obtain the memory ratio value of all containers.
Optionally, the normalization processing unit specifically includes:
A fourth calculation unit, configured to divide the CPU ratio value by the sum of all the ratio values to obtain a normalized CPU ratio value;
A fifth calculation unit, configured to divide the bandwidth ratio value by the sum of all the ratio values to obtain a normalized bandwidth ratio value;
A sixth calculation unit, configured to divide the memory ratio value by the sum of all the ratio values to obtain a normalized memory ratio value.
Optionally, the load scoring unit is specifically configured to calculate the load score of each container according to the following formula:
$S_x = W_C \cdot X_C + W_B \cdot X_B + W_M \cdot X_M$
Wherein $S_x$ represents the load score of the x-th container, $W_C$ represents the CPU ratio value after normalization, $W_B$ represents the bandwidth ratio value after normalization, $W_M$ represents the memory ratio value after normalization, $X_C$ represents the average CPU load of the x-th container, $X_B$ represents the average bandwidth load of the x-th container, and $X_M$ represents the average memory load of the x-th container, where the values of $W_C$, $W_B$ and $W_M$ range from 0% to 100%.
Optionally, the score list unit specifically includes:
A seventh calculation unit, configured to subtract the load score of each container from 1 to obtain a remaining load score of each container;
A construction unit, configured to construct the remaining load score list according to the remaining load score of each container.
Optionally, the capability value calculating unit is specifically configured to calculate the real-time capability value of each container according to the following formula:
Where $R(S_x)$ represents the real-time capability value of the x-th container, $S_x$ represents the load score of the x-th container, $1-S_x$ represents the remaining load score of the x-th container, Representing the sum of the remaining load scores for all containers.
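The pipeline that the units above describe (ratio values, normalization, load score, remaining load score, capability value, selection), as an added Python example that is not code from the patent. The capability formula itself did not survive on this page, so the form used here (remaining score divided by the sum of all remaining scores) is an assumption, as are the `Container` fields, the constructed sample values, the [0, 1] range for average loads and the equal-weight fallback for an idle pool.

```python
from dataclasses import dataclass

RESOURCES = ("cpu", "bw", "mem")


@dataclass(frozen=True)
class Container:
    name: str
    max_index: dict  # maximum performance index per resource
    rt_index: dict   # real-time index per resource, same unit as max_index
    avg_load: dict   # average load per resource, fraction in [0, 1] (assumption)


def normalized_weights(containers):
    """W_C, W_B, W_M: pool-wide ratio values, each divided by the sum of all three."""
    ratios = {}
    for res in RESOURCES:
        total_max = sum(c.max_index[res] for c in containers)
        total_rt = sum(c.rt_index[res] for c in containers)
        if total_rt <= 0:
            # The ratio is undefined for an idle pool; equal weights are an
            # assumption of this example, the page does not cover this case.
            return {r: 1 / len(RESOURCES) for r in RESOURCES}
        ratios[res] = total_max / total_rt
    total = sum(ratios.values())
    return {res: ratios[res] / total for res in RESOURCES}


def load_score(container, weights):
    """S_x = W_C*X_C + W_B*X_B + W_M*X_M."""
    for res in RESOURCES:
        if not 0.0 <= container.avg_load[res] <= 1.0:
            # An out-of-range metric would skew the whole ranking, so reject it.
            raise ValueError(f"{container.name}: {res} load outside [0, 1]")
    return sum(weights[res] * container.avg_load[res] for res in RESOURCES)


def capability_values(containers):
    """Map each container name to its real-time capability value R(S_x)."""
    weights = normalized_weights(containers)
    remaining = {c.name: 1.0 - load_score(c, weights) for c in containers}
    total = sum(remaining.values())
    if total <= 0:  # every container is fully loaded
        return {name: 0.0 for name in remaining}
    # Assumed form: remaining score divided by the sum of all remaining scores.
    return {name: score / total for name, score in remaining.items()}


def select_container(containers):
    """Sort by capability value, highest first; return (best name, ranking)."""
    if not containers:
        raise ValueError("no containers for the target security module")
    values = capability_values(containers)
    ranking = sorted(values.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranking[0][0], ranking


# Constructed sample: three containers backing one security module.
SAMPLE = [
    Container("waf-a", {"cpu": 4, "bw": 1000, "mem": 8},
              {"cpu": 2, "bw": 250, "mem": 4},
              {"cpu": 0.50, "bw": 0.25, "mem": 0.50}),
    Container("waf-b", {"cpu": 4, "bw": 1000, "mem": 8},
              {"cpu": 1, "bw": 150, "mem": 2},
              {"cpu": 0.25, "bw": 0.15, "mem": 0.25}),
    Container("waf-c", {"cpu": 4, "bw": 1000, "mem": 8},
              {"cpu": 3, "bw": 600, "mem": 6},
              {"cpu": 0.75, "bw": 0.60, "mem": 0.75}),
]

if __name__ == "__main__":
    best, ranking = select_container(SAMPLE)
    for name, value in ranking:
        print(f"{name}: {value:.4f}")
    print("selected:", best)
```

Because the ranking depends entirely on the reported metrics, the range check in `load_score` rejects a container whose load values fall outside the expected range rather than letting it distort the selection.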
Example 3:
Referring to Fig. 3, this embodiment provides a secure resource pool secure service matching apparatus comprising a memory 21 and a processor 22, the memory 21 storing a computer program and the processor 22 being arranged to run the computer program to perform the secure resource pool secure service matching method of embodiment 1.
The memory 21 is connected to the processor 22, the memory 21 may be a flash memory, a read-only memory, or other memories, and the processor 22 may be a central processing unit or a single chip microcomputer.
Example 4:
The present embodiment provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the secure resource pool secure service matching method in embodiment 1 described above.
Computer-readable storage media include volatile or nonvolatile, removable or non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, computer program modules or other data. Computer-readable storage media include, but are not limited to, RAM (Random Access Memory), ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash memory or other memory technology, CD-ROM (Compact Disc Read-Only Memory), Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
The secure resource pool secure service matching apparatus and the storage medium provided in embodiments 2 to 4 take into account that, in a cloud environment, resources change quickly and different requirements consume very different amounts of security resources. The real-time performance index of each container corresponding to the target security module in the security resource pool is first collected periodically, and the real-time capability value of each container is then obtained from its real-time performance index. When the target security service requirement of the target platform for the target security module is obtained, the containers are sorted by real-time capability value according to that requirement, and the container with the largest real-time capability value is selected from the sorted containers to provide the target security service for the target platform.
It is to be understood that the above embodiments are merely illustrative of the application of the principles of the present invention, and the invention is not limited thereto. Various modifications and improvements may be made by those skilled in the art without departing from the spirit and substance of the invention, and these are also considered to be within the scope of the invention.

Claims (8)

1. A security resource pool security service matching method, characterized by comprising:
periodically collecting statistics on the real-time performance indicators of each container corresponding to the target security module in the security resource pool, where the real-time performance indicators include: a CPU real-time indicator, a bandwidth real-time indicator, and a memory real-time indicator;
obtaining a real-time capability value of each container according to the real-time performance indicators of each container;
obtaining a target security service requirement of a target platform for the target security module, and sorting the containers by the real-time capability value according to the target security service requirement;
selecting the container with the largest real-time capability value from the sorted containers to provide a target security service for the target platform;
wherein obtaining the real-time capability value of each container according to the real-time performance indicators of each container specifically includes:
calculating the CPU ratio value, bandwidth ratio value and memory ratio value of all containers according to the CPU real-time indicator, bandwidth real-time indicator and memory real-time indicator of each container;
normalizing the CPU ratio value, bandwidth ratio value, and memory ratio value respectively;
calculating the load score of each container according to the normalized CPU ratio value, bandwidth ratio value, and memory ratio value;
obtaining a list of remaining load scores of each container under the target security module according to the load score;
calculating the real-time capability value of each container according to the remaining load score of each container in the remaining load score list;
wherein calculating the CPU ratio value, bandwidth ratio value and memory ratio value of all containers according to the CPU real-time indicator, bandwidth real-time indicator and memory real-time indicator of each container specifically includes:
dividing the sum of the CPU maximum performance indicators of all containers corresponding to the target security module by the sum of the CPU real-time indicators of all containers corresponding to the target security module to obtain the CPU ratio value of all containers;
dividing the sum of the bandwidth maximum performance indicators of all containers corresponding to the target security module by the sum of the bandwidth real-time indicators of all containers corresponding to the target security module to obtain the bandwidth ratio value of all containers;
dividing the sum of the memory maximum performance indicators of all containers corresponding to the target security module by the sum of the memory real-time indicators of all containers corresponding to the target security module to obtain the memory ratio value of all containers.

2. The security resource pool security service matching method according to claim 1, characterized in that normalizing the CPU ratio value, the bandwidth ratio value and the memory ratio value respectively specifically comprises:
dividing the CPU ratio value by the sum of all ratio values to obtain a normalized CPU ratio value;
dividing the bandwidth ratio value by the sum of all ratio values to obtain a normalized bandwidth ratio value;
dividing the memory ratio value by the sum of all ratio values to obtain a normalized memory ratio value.

3. The security resource pool security service matching method according to claim 1, characterized in that calculating the load score of each container according to the normalized CPU ratio value, bandwidth ratio value and memory ratio value specifically comprises:
calculating the load score of each container according to the following formula:
$S_x = W_C \cdot X_C + W_B \cdot X_B + W_M \cdot X_M$
wherein $S_x$ represents the load score of the x-th container, $W_C$ represents the normalized CPU ratio value, $W_B$ represents the normalized bandwidth ratio value, $W_M$ represents the normalized memory ratio value, $X_C$ represents the average CPU load of the x-th container, $X_B$ represents the average bandwidth load of the x-th container, and $X_M$ represents the average memory load of the x-th container, and the values of $W_C$, $W_B$ and $W_M$ range from 0 to 100%.

4. The security resource pool security service matching method according to claim 1, characterized in that obtaining the list of remaining load scores of each container under the target security module according to the load score specifically comprises:
subtracting the load score of each container from 1 to obtain the remaining load score of each container;
constructing the remaining load score list according to the remaining load score of each container.

5. The security resource pool security service matching method according to claim 1, characterized in that calculating the real-time capability value of each container according to the remaining load score of each container in the remaining load score list specifically comprises:
calculating the real-time capability value of each container according to the following formula:
In the formula, $R(S_x)$ represents the real-time capability value of the x-th container, $S_x$ represents the load score of the x-th container, and $1-S_x$ represents the remaining load score of the x-th container. Represents the sum of the remaining load scores of all containers.

6. A security resource pool security service matching device, characterized by comprising:
an indicator statistics module, used to periodically collect statistics on the real-time performance indicators of each container corresponding to the target security module in the security resource pool, where the real-time performance indicators include: a CPU real-time indicator, a bandwidth real-time indicator and a memory real-time indicator;
a capability value acquisition module, connected to the indicator statistics module, used to obtain a real-time capability value of each container according to the real-time performance indicators of each container;
a capability value sorting module, connected to the capability value acquisition module, used to obtain the target security service requirement of the target platform for the target security module, and to sort the containers by the real-time capability value according to the target security service requirement;
a security service matching module, connected to the capability value sorting module, used to select the container with the largest real-time capability value from the sorted containers to provide a target security service for the target platform;
wherein the capability value acquisition module specifically includes:
a ratio value acquisition unit, used to calculate the CPU ratio value, bandwidth ratio value and memory ratio value of all containers according to the CPU real-time indicator, bandwidth real-time indicator and memory real-time indicator of each container;
a normalization processing unit, used to normalize the CPU ratio value, the bandwidth ratio value and the memory ratio value respectively;
a load score unit, used to calculate the load score of each container according to the normalized CPU ratio value, bandwidth ratio value and memory ratio value;
a score list unit, used to obtain a remaining load score list of each container under the target security module according to the load score;
a capability value calculation unit, used to calculate the real-time capability value of each container according to the remaining load score of each container in the remaining load score list;
wherein the ratio value acquisition unit specifically includes:
a first calculation unit, used to divide the sum of the CPU maximum performance indicators of all containers corresponding to the target security module by the sum of the CPU real-time indicators of all containers corresponding to the target security module to obtain the CPU ratio value of all containers;
a second calculation unit, used to divide the sum of the bandwidth maximum performance indicators of all containers corresponding to the target security module by the sum of the bandwidth real-time indicators of all containers corresponding to the target security module to obtain the bandwidth ratio value of all containers;
a third calculation unit, used to divide the sum of the memory maximum performance indicators of all containers corresponding to the target security module by the sum of the memory real-time indicators of all containers corresponding to the target security module to obtain the memory ratio value of all containers.

7. A security resource pool security service matching device, characterized in that it includes a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to implement the security resource pool security service matching method according to any one of claims 1 to 5.

8. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the security resource pool security service matching method according to any one of claims 1 to 5 is implemented.
CN202210824160.2A 2022-07-14 2022-07-14 A security resource pool security service matching method, device and storage medium Active CN115113982B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210824160.2A CN115113982B (en) 2022-07-14 2022-07-14 A security resource pool security service matching method, device and storage medium

Publications (2)

Publication Number Publication Date
CN115113982A CN115113982A (en) 2022-09-27
CN115113982B true CN115113982B (en) 2024-11-22

Family

ID=83332643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210824160.2A Active CN115113982B (en) 2022-07-14 2022-07-14 A security resource pool security service matching method, device and storage medium

Country Status (1)

Country Link
CN (1) CN115113982B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116016213B (en) * 2022-12-27 2024-11-15 绿盟科技集团股份有限公司 Traffic arrangement method, device, system and equipment based on network target range

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109408230A (en) * 2018-10-10 2019-03-01 中国科学院计算技术研究所 Docker container dispositions method and system based on energy optimization

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114064226A (en) * 2020-08-06 2022-02-18 中兴通讯股份有限公司 Resource coordination method and device for container cluster and storage medium
CN112559130B (en) * 2020-12-16 2024-01-19 恒生电子股份有限公司 Container distribution method, device, electronic equipment and storage medium
CN114675937A (en) * 2022-04-01 2022-06-28 北京广通优云科技股份有限公司 Container resource expansion and contraction method based on real-time use condition of container application

Also Published As

Publication number Publication date
CN115113982A (en) 2022-09-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant