CN119814446B - A network security access method, apparatus, device, and medium for large model services - Google Patents
- Publication number
- CN119814446B (application CN202411976213.8A)
- Authority
- CN
- China
- Prior art keywords
- target
- access
- network
- network access
- group
- Legal status
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiments of the disclosure relate to a network security access method, apparatus, device and medium applied to a large model service. The method comprises: obtaining a network access request of a target container group, wherein the target container group belongs to a target work group and the target work group comprises at least one container group having the same function within a target application program; determining a target network access policy corresponding to the target work group; and, if the target access object corresponding to the network access request is determined to match the target network access policy, executing the access operation between the target container group corresponding to the network access request and the target access object, wherein the target access object comprises at least one of an external network object, an interactable object of the target container group outside the container orchestration platform, and an internal object of the container orchestration platform. With this technical scheme, network access management of different isolation degrees and finer granularity inside the application program is realized, so that the actual access requirements of different container groups can be met while the security of network access is ensured.
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a network access method, apparatus, device, and medium.
Background
In a cloud computing scenario, a cloud service provider of Model-as-a-Service (MaaS) may provide a large model as a service to users who wish to run their own model-related tasks in an isolated network environment; a task may include one container group (Pod) or multiple container groups. In the related art, uniform static network isolation outside an application program can be realized, but in this isolation mode the security of the whole application program is very low when external network access is allowed, and the actual external access requirements cannot be met when external network access is not allowed, so improvement is needed.
Disclosure of Invention
In order to solve the technical problems, the present disclosure provides a network access method, device, equipment and medium.
The embodiment of the disclosure provides a network access method, which comprises the following steps:
acquiring a network access request of a target container group, wherein the target container group belongs to a target work group, and the target work group comprises at least one container group with the same function of a target application program;
determining a target network access policy corresponding to the target work group;
and if the target access object corresponding to the network access request is determined to match the target network access policy, executing an access operation between the target container group corresponding to the network access request and the target access object, wherein the target access object comprises at least one of an external network object, an interactable object of the target container group outside the container orchestration platform, and an internal object of the container orchestration platform.
The embodiment of the disclosure also provides a network access device, which comprises:
an acquisition module, used for acquiring a network access request of a target container group, wherein the target container group belongs to a target work group, and the target work group comprises at least one container group with the same function of a target application program;
a determining module, used for determining a target network access policy corresponding to the target work group;
and an execution module, used for executing the access operation between the target container group corresponding to the network access request and the target access object if the target access object corresponding to the network access request is determined to match the target network access policy, wherein the target access object comprises at least one of an external network object, an interactable object of the target container group outside the container orchestration platform, and an internal object of the container orchestration platform.
The embodiment of the disclosure also provides an electronic device, which comprises a processor and a memory for storing instructions executable by the processor, wherein the processor is used for reading the executable instructions from the memory and executing them to realize the network access method provided by the embodiment of the disclosure.
The present disclosure also provides a computer-readable storage medium storing a computer program for executing the network access method as provided by the embodiments of the present disclosure.
Compared with the prior art, the technical scheme provided by the embodiment of the disclosure has the following advantages. The network access scheme obtains the network access request of the target container group, wherein the target container group belongs to the target work group and the target work group comprises at least one container group with the same function of the target application program; determines the target network access policy corresponding to the target work group; and, if the target access object corresponding to the network access request is determined to match the target network access policy, executes the access operation between the target container group corresponding to the network access request and the target access object, wherein the target access object comprises at least one of an external network object, an interactable object of the target container group outside the container orchestration platform, and an internal object of the container orchestration platform. In this scheme, for a network access request of a target container group in a target work group of the target application program, access is allowed when the network access policy corresponding to the target work group matches the target access object corresponding to the request. Container groups with the same function in the same application program are divided into corresponding work groups, and different network access policies are set for different work groups. Because a network access policy can control access to external network objects, interactable objects and/or internal objects, network access management of finer granularity and different isolation degrees is realized inside the application program, so that the actual access requirements of different container groups can be met while the security of network access is ensured.
Drawings
The above and other features, advantages, and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. The same or similar reference numbers will be used throughout the drawings to refer to the same or like elements. It should be understood that the figures are schematic and that elements and components are not necessarily drawn to scale.
Fig. 1 is a flow chart of a network access method provided by some embodiments of the present disclosure;
Fig. 2 is a schematic diagram of a network access process provided by some embodiments of the present disclosure;
Fig. 3 is a schematic diagram of another network access process provided by some embodiments of the present disclosure;
Fig. 4 is a schematic diagram of a network access method provided by some embodiments of the present disclosure;
Fig. 5 is a schematic diagram of a control plane architecture provided by some embodiments of the present disclosure;
Fig. 6 is a schematic structural diagram of a network access device provided by some embodiments of the present disclosure;
Fig. 7 is a schematic structural diagram of an electronic device provided by some embodiments of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure have been shown in the accompanying drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but are provided to provide a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are for illustration purposes only and are not intended to limit the scope of the present disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order and/or performed in parallel. Furthermore, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "including" and variations thereof as used herein are open-ended, i.e. "including, but not limited to". The term "based on" means "based at least in part on". The term "one embodiment" means "at least one embodiment"; "another embodiment" means "at least one additional embodiment"; and "some embodiments" means "at least some embodiments". Related definitions of other terms will be given in the description below.
It should be noted that the terms "first," "second," and the like in this disclosure are merely used to distinguish between different devices, modules, or units and are not used to define an order or interdependence of functions performed by the devices, modules, or units.
It should be noted that references to "one" or "a plurality" in this disclosure are illustrative rather than limiting, and those of ordinary skill in the art will appreciate that they are to be understood as "one or more" unless the context clearly indicates otherwise.
The names of messages or information interacted between the various devices in the embodiments of the present disclosure are for illustrative purposes only and are not intended to limit the scope of such messages or information.
In cloud computing scenarios such as a container orchestration platform, uniform static network isolation outside an application program can be realized. In this isolation mode, however, to ensure normal use of the application program, the access range of the whole application program has to be set according to the maximum access range required by any container group in the application program. For example, if one container group in the application program needs to perform external network access, the application program as a whole has to be allowed to perform external network access, and the security of the application program is very low. Alternatively, to ensure the security of the application program, the application program can be forbidden from accessing the external network, but then the container group in the application program that actually needs external network access cannot operate normally, and neither can the application program. Alternatively, external network access may be allowed for the application as a whole, with communication between the container groups within the application encrypted. However, this approach has excessive overhead, which affects the normal operation of the application.
In summary, a method for improving the security of application network access and guaranteeing the normal operation of an application program is needed.
In order to solve the above-mentioned problems, embodiments of the present disclosure provide a network access method, which is described below with reference to specific embodiments.
Fig. 1 is a flow chart of a network access method provided in some embodiments of the present disclosure, where the method may be performed by a network access device, and the method may also be performed by a system for managing network access of a target application, where the device may be implemented by using software and/or hardware, and may be generally integrated in an electronic device. As shown in fig. 1, the method includes:
step 101, obtaining a network access request of a target container group, wherein the target container group belongs to a target work group, and the target work group comprises at least one container group with the same function of a target application program.
The target application may be an application (APP) in which the target work group is located, and the target application may include one or more work groups (Workerset). The application may be a distributed application in Model-as-a-Service, or may be an application deployed based on custom resources (Custom Resource Definition, CRD). Alternatively, the application may be an application that performs related data processing based on a generative model, or an application that performs model training based on a generative model. The present embodiment does not limit the type of the generative model; for example, the generative model may include one or more of a graph-text model, a graph-inference model, a meridional graph model, a text-to-text (Wen Shengwen) model, and a large language model. The large language model may be a natural-language processing model that learns the rules, structure, etc. of natural language, understands the meaning of natural language and, based on the understood meaning, generates coherent text with correct syntax and semantics.
The target work group may be a work group in which the target container group is located, the target work group may include only the target container group, or the target work group may include the target container group and one or more container groups having the same function as the target container group. The work group may be a collection of container groups divided according to functions of the container groups, and the work group may be a minimum unit for performing network access policy management in the embodiment of the present disclosure, for example, one work group may be a work group having a function of a text-to-graphics. It will be appreciated that if an application is used to implement a task and the task includes multiple sub-tasks, then the set of containers in one workgroup in the application may be used to implement the same one sub-task. The target container set may be a container set currently performing network access, and the target container set may be an initiator of network access or a receiver of network access, which is not limited in this embodiment. The group of containers may be the smallest scheduling and management unit in the container technology. The network access request may be a request for network access by the container group and an outside of the container group. The network access request may be initiated by the target container group to the outside of the target container group, or the network access request may be initiated by the outside of the target container group to the target container group, which is not limited in this embodiment.
In some embodiments of the present disclosure, the target application includes a plurality of work groups corresponding to a plurality of functions, each work group including at least one container group of the same function. In this embodiment, if the target application corresponds to a task, the task may be implemented through the cooperation of multiple subtasks, each subtask corresponding to a function; the target application thus corresponds to multiple functions, each function corresponds to one work group, and the target application corresponds to multiple work groups, each including one or more container groups. Fig. 2 is a schematic diagram of a network access process provided by some embodiments of the present disclosure; as shown in Fig. 2, a visual language model application may correspond to a dialogue management function, a decode driver function and a fill driver function. The dialogue management function may be implemented by a dialogue management container group in a dialogue management work group, the decode driver function by a decode driver container group in a decode driver work group, and the fill driver function by a fill driver container group in a fill driver work group.
It will be appreciated that the composition of the group of containers in the same application is relatively complex. The container groups may communicate with each other, but the network access requirements of each container group are not the same. For container groups in the same application program, the one or more container groups can be divided into corresponding working groups according to the functions of the container groups, and the container groups included in one working group are container groups with the same functions. In the embodiment of the disclosure, a target container group in a target application program generates a network access requirement in a running process, the target container group can generate and send a network access request, and a network access device acquires the network access request. Or a network access request for the target set of containers may be generated in the network, which network access device obtains.
As shown in Fig. 2, the control plane of the virtual private cloud may interact with the data plane of the Region 1 virtual private cloud (Virtual Private Cloud, VPC) and the data plane of the Region 2 virtual private cloud, where a data plane may be understood as a cluster. The visual language model application defined as a custom resource can be deployed in the data plane of the Region 1 virtual private cloud and in the data plane of the Region 2 virtual private cloud respectively. In the data plane of the Region 1 virtual private cloud, the visual language model application comprises 3 different work groups, whose container groups are a dialogue processing container group, a decoding driver container group and a pre-filling driver container group respectively. The dialogue processing container group can receive requests from outside the data plane and connect to the external network to download pictures, or connect to the internal network for resource statistics. Requests from the dialogue processing container group may be received by the decoding driver container group or the pre-filling driver container group, which then perform token processing.
Step 102, determining a target network access strategy corresponding to the target working group.
The target network access policy may be a network access policy according to which the target workgroup performs network access, where the target network access policy may characterize a network access range of a container group in the target workgroup.
In the embodiment of the disclosure, for the container groups, the container groups with different functions may have corresponding network access requirements, so that different working groups may have corresponding network access policies. There are a number of ways in which the network access device may determine the target network access policy, and this embodiment is not limiting. For example, the network access device may obtain a relationship between a work group manually configured by a manager and a network access policy, and perform a query operation on the relationship according to a target work group, to determine a target network access policy corresponding to the target work group. Or in the case where the workgroup is configured with a network isolation tag, the network access device may determine the target network access policy based on the network isolation tag.
In some embodiments of the present disclosure, before determining the target network access policy, the network access device may add a corresponding network isolation tag to the work group, and in particular the network access method further includes adding corresponding network isolation tags to a plurality of work groups included in the target application based on the network isolation relation library in response to a creation operation of the target application.
The creation operation may be an operation of creating the target application, and may further include the initial creation of the network access policy. The network access policy is used to define the network access range or network isolation range of a work group; in particular, the restriction of access objects can be realized by setting the ingress access range (accesses received) and the egress access range (accesses sent). The access object may comprise at least one of an external network object, an interactable object of the target container group outside the container orchestration platform, and an internal object of the container orchestration platform. The network access policy may be understood as a network access criterion and may include the Internet Protocol (IP) address(es), port(s), etc. to which a container group may initiate network access, and/or the IP address(es), port(s), etc. from which a container group may receive network access.
Optionally, the network isolation relation library includes a plurality of network access policies with mapping relation and a plurality of network isolation labels, and each network access policy has mapping relation with one network isolation label. The network isolation tags may be used to identify network isolation levels. In this embodiment, the network isolation relation library may be a database recording network isolation relations. The network access policy recorded in the network isolation relation library may be set according to the user requirement, etc., without limitation in this embodiment. A network isolation relationship may be a mapping relationship between a network access policy and a network isolation label, which may be in one-to-one correspondence.
Optionally, the network isolation tag includes a plurality of levels, and the network isolation tags of different levels correspond to network access policies of different isolation degrees, and the higher the level is, the higher the isolation degree of the corresponding network access policy is. Wherein the level may be a level of internal partitioning of the network isolation tag. The degree of isolation may characterize the degree of isolation of the group of containers from access objects in the network environment. The number of the plurality of levels may be set according to the network environment, the user's demand, etc., and the embodiment is not limited.
For example, the plurality of levels may include a low level, a medium level, a next highest level and a highest level. The network access policy corresponding to the low level may be that no network isolation exists, that is, the container groups in the work group may access network resources arbitrarily. The network access policy corresponding to the medium level may permit access to external network objects in the external network of the control plane, interactable objects of the target container group outside the container orchestration platform, and internal objects of the container orchestration platform. The network access policy corresponding to the next highest level may permit access to interactable objects of the target container group outside the container orchestration platform and internal objects of the container orchestration platform. The network access policy corresponding to the highest level may permit access only to internal objects of the container orchestration platform, or only to container groups in the same cluster that share the namespace (namespace) of the container group and belong to the same application program. The network access policy corresponding to the highest level is the strictest network access policy and can be understood as a backplane isolation policy.
In this embodiment, the user may perform a creation operation on the target application, and the network access device creates the target application in response. In the process of dynamically creating the target application, the network access device may allocate a unique application identifier (app-id) to the target application; the specific creation method of the target application is not limited in this embodiment. The network access device may also initialize the network isolation relation library in response to the creation operation and display it to a manager; the manager may determine, from the network isolation relation library, the network access policy suited to each work group and perform a label adding operation on the work group with the network isolation label corresponding to that policy, and the network access device adds the network isolation label to the corresponding work group in response to the label adding operation. The label adding operation may be any operation of adding a network isolation label and is not limited in this embodiment.
For example, for a distributed application in Model-as-a-Service, a corresponding network access policy may be set for each of the different work groups in the distributed application, so as to effectively reduce the attack surface exposed to network attacks. Suppose the distributed application includes a work group A, a work group B and a work group C. The network access policy of work group A, as determined by the manager, may allow access to external network objects; the network access policy of work group B may allow access to interactable objects; and the network access policy of work group C may allow it to receive network accesses sent by container groups in work group A and work group B. Taking Fig. 2 as an example, in the data plane of the Region 2 virtual private cloud, the network access policy of the work group in which the dialogue processing container group is located is that external network objects, interactable objects and internal objects can be accessed, while the network access policy of the decoding driver container group and the pre-filling driver container group is that internal objects can be accessed.
In the scheme, when the target application program is created, the network isolation label of each working group in the target application program is determined, and the network access strategy corresponding to each working group is represented briefly through the label, so that the efficient configuration of the network access strategy is realized.
In some embodiments of the present disclosure, determining a target network access policy corresponding to a target workgroup includes obtaining a target network isolation label corresponding to the target workgroup, and determining the network access policy corresponding to the target network isolation label as the target network access policy.
The target network isolation label may be a network isolation label corresponding to the target working group, and the target network isolation label may be used to identify a network isolation level corresponding to the target working group.
In this embodiment, the network access device may determine the target network isolation tag configured for the target work group, and query the network isolation relation library with the target network isolation tag to determine the target network access policy corresponding to that tag. In this way the network access policy corresponding to the work group is determined accurately and efficiently based on the network isolation label, and a network access policy can be reused many times via its network isolation label, saving the manpower otherwise consumed by repeatedly setting the same network access policy.
And 103, if the target access object corresponding to the network access request is determined to be matched with the target network access policy, executing access operation between the target container group corresponding to the network access request and the target access object, wherein the target access object comprises at least one of an external network object, an interactable object of the target container group outside the container arrangement platform and an internal object of the container arrangement platform.
The target access object may be an object that performs network interactions with the target container group. In some embodiments of the present disclosure, the target access object includes an ingress access object or an egress access object, where the ingress access object may be an object that initiates a network access request and the egress access object may be an object that receives a network access request, i.e. the accessed object. The access operation may be an access operation between the target container group and the target access object, and may include an operation of the target container group accessing the target access object or an operation of the target access object accessing the target container group. An external network (Extranet) object may be an object located on an external network, i.e. a network outside the container orchestration platform on which the target container group is located, which may be understood as the Internet or an open network allowing public access.
The interactable object of the target container group outside the container orchestration platform may be an object that does not belong to the administrative scope of the container orchestration platform where the target container group is located but that can interact with the target container group in some way; for example, the interactable object may be a resource, server or database outside the container orchestration platform in the same Virtual Private Cloud (VPC) as the target container group. The interactable object may be an object pre-partitioned for the target container group outside the container orchestration platform, for example an object in a specific intranet outside the container orchestration platform. The present embodiment does not limit the functions implemented by the interactable object; for example, the interactable object may provide services such as auditing or Video On Demand (VOD). By means of the interactable object, the scope of access can be controlled while still allowing network access to objects outside the container orchestration platform.
The internal objects of the container orchestration platform may be objects located in the internal network (Intranet) of the container orchestration platform, that is, a network environment built inside the container orchestration platform. The present embodiment does not limit the internal object. For example, fig. 3 is a schematic diagram of another network access process provided in some embodiments of the present disclosure, where the internal object may be the Model Proxy in fig. 3, and the target container group may interact with the Model Proxy.
In the embodiment of the present disclosure, after determining the target network access policy, the network access device may execute the access operation between the target container group and the target access object according to the network location where the target access object corresponding to the network access request is located, if the network location matches the target network access policy. If the network location does not match the target network access policy, access operations between the target container group and the target access object are denied.
In some embodiments of the present disclosure, determining that a target access object corresponding to a network access request matches a target network access policy includes matching object information of the target access object corresponding to the network access request with ingress access information and egress access information included in the target network access policy, and determining that the target access object matches the target network access policy if the matching result is that the ingress access information or the egress access information includes the object information of the target access object.
The object information may be used to record the network location of the target access object, and may include the internet protocol address, port, and the like of that network location. The ingress access information may be used to record the range from which the target container group may receive network access, that is, the range of external access that the target container group can accept. The egress access information may be used to record the range that the target container group may access when it performs network access to the outside, that is, the range to which the target container group can initiate access.
In this embodiment, the network access device may determine the object information of the target access object from the network access request. If the network access request is received by the target container group, the object information is matched against the ingress access information: if the ingress access information includes the object information, the target access object is determined to match the target network access policy; otherwise the match fails. If the network access request is sent by the target container group, the object information is matched against the egress access information: if the egress access information includes the object information, the target access object is determined to match the target network access policy; otherwise the match fails.
In the above scheme, for both the case where the target container group initiates the network access request and the case where it receives one, whether the target access object matches the network access policy is judged against the corresponding access information, so that the network access method covers both directions of network access.
In some embodiments of the present disclosure, performing an access operation between a target container group and a target access object corresponding to a network access request includes sending the network access request to the target container group to perform the access operation of the target access object when the network access request is from the ingress access object, and sending the network access request to the egress access object to perform the access operation of the target container group when the network access request is from the target container group.
In this embodiment, after determining that the ingress access information includes the object information of the target access object, if the network access request was sent from the ingress access object to the target container group, the network access request is forwarded to the target container group, implementing the access operation of the ingress access object on the target container group. After determining that the egress access information includes the object information of the target access object, if the network access request was sent from the target container group to the egress access object, the network access request is forwarded to the egress access object, implementing the access operation of the target container group on the egress access object. The access operation is thus executed only when the network access policy allows the network access.
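The following is an added example, not code from the patent, of steps 102 and 103 as described above: a network isolation relation library mapping tag levels to policies, working groups labelled with tags, and direction-dependent matching of the target access object's object information (IP address and port) against the ingress or egress access information. The tag levels, CIDR ranges, ports and working-group names are all constructed for illustration.

```python
"""Added example (not the patent's own code): work-group network access policy
lookup and matching. Tag levels, address ranges, ports and group names are
constructed for illustration only."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Scope(Enum):
    """The three kinds of target access object named in the method."""
    INTERNAL = "internal"          # objects inside the orchestration platform
    INTERACTABLE = "interactable"  # pre-partitioned objects in the same VPC
    EXTERNAL = "external"          # the open internet


@dataclass(frozen=True)
class AccessInfo:
    """One ingress or egress rule: admitted scope, CIDR and optional ports."""
    scope: Scope
    cidr: str
    ports: frozenset = frozenset()  # empty means any port

    def contains(self, ip: str, port: int) -> bool:
        """Does this rule cover the object information (ip, port)?"""
        net = ipaddress.ip_network(self.cidr, strict=False)
        return ipaddress.ip_address(ip) in net and (not self.ports or port in self.ports)


@dataclass
class NetworkAccessPolicy:
    ingress: list  # access the container group may receive
    egress: list   # access the container group may initiate


# Constructed address ranges (assumptions, not from the patent).
PLATFORM_CIDR = "10.0.0.0/16"   # internal objects of the orchestration platform
VPC_CIDR = "10.1.0.0/16"        # interactable objects in the same VPC
ANY_V4 = "0.0.0.0/0"            # external network objects

# Network isolation relation library: one policy per tag level, and the
# higher the level, the tighter the policy.
RELATION_LIBRARY = {
    "low": NetworkAccessPolicy(
        ingress=[AccessInfo(Scope.INTERNAL, PLATFORM_CIDR)],
        egress=[AccessInfo(Scope.INTERNAL, PLATFORM_CIDR),
                AccessInfo(Scope.INTERACTABLE, VPC_CIDR),
                AccessInfo(Scope.EXTERNAL, ANY_V4, frozenset({443}))],
    ),
    "medium": NetworkAccessPolicy(
        ingress=[AccessInfo(Scope.INTERNAL, PLATFORM_CIDR)],
        egress=[AccessInfo(Scope.INTERNAL, PLATFORM_CIDR),
                AccessInfo(Scope.INTERACTABLE, VPC_CIDR, frozenset({5432}))],
    ),
    "highest": NetworkAccessPolicy(
        ingress=[AccessInfo(Scope.INTERNAL, PLATFORM_CIDR, frozenset({8080}))],
        egress=[AccessInfo(Scope.INTERNAL, PLATFORM_CIDR)],
    ),
}

# Working groups of one application, each tagged at creation time (constructed).
WORK_GROUP_TAGS = {"image-text": "medium", "inference": "highest"}


@dataclass
class NetworkAccessRequest:
    work_group: str       # working group of the target container group
    peer_ip: str          # object information of the target access object
    peer_port: int
    from_container: bool  # True: container group sends (egress); False: receives (ingress)


def policy_for(work_group: str) -> NetworkAccessPolicy:
    """Step 102: resolve the group's isolation tag through the relation library."""
    return RELATION_LIBRARY[WORK_GROUP_TAGS[work_group]]


def matches_policy(req: NetworkAccessRequest) -> bool:
    """Step 103: match object information against the egress access information
    when the container group sent the request, ingress when it received it."""
    policy = policy_for(req.work_group)
    rules = policy.egress if req.from_container else policy.ingress
    return any(rule.contains(req.peer_ip, req.peer_port) for rule in rules)


def decide(req: NetworkAccessRequest) -> str:
    """Execute the access operation on a match, otherwise deny it."""
    return "allow" if matches_policy(req) else "deny"


if __name__ == "__main__":
    # An inference container group calling the Model Proxy inside the platform.
    print(decide(NetworkAccessRequest("inference", "10.0.5.1", 443, True)))
    # The same group receiving a request straight from the internet.
    print(decide(NetworkAccessRequest("inference", "203.0.113.5", 8080, False)))
```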
As shown in fig. 3, image-text and text-image applications can be deployed through custom resources. The deployed applications, such as the image-text application and the text-image application, can receive traffic sent by the model proxy or send traffic to the model proxy, and the model proxy may be part of the control plane. The image-text application may include an image-text work group and its corresponding inference work group, the image-text work group including an image-text container group and the inference work group including a plurality of inference container groups. Likewise, the text-image application may include a text-image work group and its corresponding inference work group, the text-image work group including a text-image container group and the inference work group including a plurality of inference container groups. In addition, other custom resource applications or deployment applications may provide headless inference services, consisting of an inference work group whose inference container groups receive traffic directly from the model proxy. When there are multiple applications, the container groups of different applications do not communicate directly; for example, the container groups of the image-text application do not communicate directly with the container groups of the text-image application, that is, there is network isolation between the two.
In addition, in fig. 3, the network isolation labels of the image-text work group and the text-image work group may be medium-level, and the network isolation label of the inference work group may be highest-level. Within the same application, a dynamic isolation policy may be employed to allow traffic between its container groups. Specifically, the network access device may add an application identifier to every container group of the same application instance, the identifier being the same for all container groups of that application, and network interworking between the container groups of the same application may be achieved on the basis of that identifier.
The network access scheme provided by the embodiment of the disclosure obtains a network access request of a target container group, where the target container group belongs to a target working group and the target working group comprises at least one container group with the same function in a target application program; determines the target network access policy corresponding to the target working group; and, if the target access object corresponding to the network access request is determined to match the target network access policy, executes the access operation between the target container group and the target access object, where the target access object comprises at least one of an external network object, an interactable object of the target container group outside the container orchestration platform, and an internal object of the container orchestration platform. In this technical scheme, a network access request of a target container group in a target working group is allowed only when the network access policy of that working group matches the target access object of the request. Container groups with the same function in the same application are divided into working groups, different network access policies are set for different working groups, and since those policies can control access to external network objects, interactable objects and/or internal objects, network access management with different isolation degrees and finer granularity inside the application is realized, so that the actual access requirements of different container groups are met and the security of network access is ensured.
In addition, the granularity of the network access control is finer than that of the application program and coarser than that of the container group, so that the security in the network access process is effectively ensured while the normal network access requirement of the application program is met by proper granularity, and the network security of the target application program is improved based on smaller resource expenditure.
In the embodiment of the disclosure, corresponding network access policies are set for the different working groups of the same application program, while communication between those working groups remains necessary. For example, suppose the application has a working group A and a working group B, the network access policy of working group A allows access to external network objects, and working group B does not have that right but may communicate with working group A. In theory, working group B could then reach external network objects through working group A. From an engineering perspective, however, only the path between working group A and working group B is opened, so external network access stays controlled and the security of network access is improved compared with the related art. In addition, for this case, the network access device may constrain the access operations of working group A by means such as network access detection, further reducing the risk of network access.
In some embodiments of the present disclosure, the network access method further includes performing network access detection and/or tag anomaly detection on a to-be-detected container group of the target application, where the to-be-detected container group belongs to a to-be-detected work group, and the to-be-detected work group corresponds to a network access policy supporting access to external network objects and interactable objects.
The detection program may be used to detect whether the container group to be detected is abnormal. The working group to be detected may be a working group containing a container group to be detected. The container group to be detected may be a container group subject to network access detection and/or tag anomaly detection, and it may be a container group authorized to perform network access to external network objects and interactable objects.
The network access detection may be used to detect whether abnormal access occurs during the network access of the container group to be detected. The present embodiment does not limit what counts as abnormal access; for example, it may include one or more of access to an abnormal internet protocol address, access to an abnormal port, and access to an abnormal resource. Taking access to an abnormal resource as an example, network access detection can determine whether the type of the resource transmitted during access belongs to a target type, where the target type is the type of resource transmitted during the actual operation of the container group to be detected. Actual operation is understood to mean operation in which the container group to be detected has no security anomaly. The present embodiment does not limit the resource type; for example, it may include pictures, video, audio, and the like. Taking a visual language model container group as the container group to be detected as an example, its target type may be the picture type. Through network access detection, it can be determined whether the traffic sent and/or received by the container group to be detected is abnormal.
In this embodiment, the network access device may perform network access detection on the container group to be detected through the detection program, and issue a network access anomaly warning if the container group does not pass the detection. Specifically, taking the detection of access to abnormal resources as an example, the network access device detects whether the resource type of the transmitted resource belongs to the target type during the actual operation of the container group to be detected; if so, the container group passes the network access detection, otherwise it does not pass and a corresponding warning is issued. For example, the target type of the visual language model container group may be the picture type, and if the resource type of a resource transmitted by the visual language model container group is not the picture type, the container group is determined not to pass the network access detection.
The tag anomaly detection may be used to detect whether the access range corresponding to the network isolation tag of the working group to be detected matches a target access range, where the target access range may be the network range that the container group to be detected actually needs to access during operation. Through tag anomaly detection, closer inspection can be applied to working groups whose tags support access to external network objects and/or interactable objects.
In this embodiment, the network access device may perform tag anomaly detection on the container group to be detected through the detection program, and issue a tag anomaly warning if the container group does not pass the detection. Specifically, the network access device may detect whether the access range of the network isolation tag corresponding to the container group to be detected lies within the target access range; if so, the container group passes the tag anomaly detection, otherwise it does not pass and a corresponding warning is issued. For example, for a container group that performs pure inference, access to internal objects satisfies the access requirements of its normal operation, so its target access range may be the internal objects, and if the access range of its network isolation tag includes interactable objects or external network objects, the container group is determined not to pass the tag anomaly detection. In this way, the detection determines whether the working group to be detected was given a network isolation tag in accordance with its actual requirements.
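As an added example, not code from the patent, the following detection routine applies the two checks described above to a container group whose tag admits external or interactable access: tag anomaly detection compares the tag's access range with the target access range the group actually needs, and network access detection flags transmitted resources whose type is outside the group's target type. The tag levels, access ranges, resource-type labels and traffic records are constructed for illustration.

```python
"""Added example (not the patent's own code): tag anomaly detection and
network access detection for container groups whose isolation tag admits
external or interactable access. All levels, ranges and traffic are constructed."""
from dataclasses import dataclass

# Access range admitted by each network isolation tag level (constructed;
# higher level means a tighter range).
TAG_ACCESS_RANGE = {
    "low": {"internal", "interactable", "external"},
    "medium": {"internal", "interactable"},
    "second-high": {"internal", "external"},
    "highest": {"internal"},
}
LOOSE_SCOPES = {"interactable", "external"}


@dataclass
class ContainerGroup:
    name: str
    tag: str            # network isolation tag of its working group
    target_range: set   # scopes the group actually needs during normal operation
    target_types: set   # resource types transmitted during normal operation


@dataclass
class Transfer:
    """One observed transmission of the group (constructed traffic record)."""
    direction: str      # "sent" or "received"
    peer: str           # address of the object on the other end
    resource_type: str  # e.g. "picture", "video", "audio"


def is_to_be_detected(group: ContainerGroup) -> bool:
    """Only groups whose tag supports external or interactable access are inspected."""
    return bool(TAG_ACCESS_RANGE[group.tag] & LOOSE_SCOPES)


def tag_anomaly_detection(group: ContainerGroup) -> list:
    """Fail when the tag admits scopes beyond the group's target access range."""
    excess = TAG_ACCESS_RANGE[group.tag] - group.target_range
    if not excess:
        return []
    return [("tag", f"{group.name}: tag {group.tag!r} admits {sorted(excess)} "
                    f"beyond its target range {sorted(group.target_range)}")]


def network_access_detection(group: ContainerGroup, transfers: list) -> list:
    """Fail for each transmitted resource whose type is not a target type."""
    return [("access", f"{group.name}: {t.direction} {t.resource_type} "
                       f"{'to' if t.direction == 'sent' else 'from'} {t.peer}")
            for t in transfers if t.resource_type not in group.target_types]


def run_detection(group: ContainerGroup, transfers: list) -> list:
    """Return the warnings the detection program would issue for this group."""
    if not is_to_be_detected(group):
        return []
    return tag_anomaly_detection(group) + network_access_detection(group, transfers)


# Constructed sample: a visual language model group that should only move pictures.
VLM_GROUP = ContainerGroup("vlm-0", "medium", {"internal", "interactable"}, {"picture"})
VLM_TRAFFIC = [
    Transfer("received", "10.0.5.1", "picture"),
    Transfer("sent", "10.1.4.2", "picture"),
    Transfer("sent", "10.1.4.9", "video"),   # not a target type: abnormal
]

# Constructed sample: a pure-inference group that was tagged too loosely.
MISLABELED_GROUP = ContainerGroup("inference-5", "medium", {"internal"}, {"tensor"})

if __name__ == "__main__":
    for kind, message in run_detection(VLM_GROUP, VLM_TRAFFIC) + run_detection(MISLABELED_GROUP, []):
        print(kind, "warning:", message)
```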
Optionally, the network access device may also perform detection analysis on the traffic data sent by the to-be-detected container group through the data loss protection program.
Fig. 4 is a schematic diagram of a network access method according to some embodiments of the present disclosure. As shown in fig. 4, first, the network isolation relation library for the target application is initialized. Specifically, the network isolation relation library may be preset with network access policies and their correspondence to network isolation tags, and the tag levels may include low level, medium level, second-high level, and so on. Next, corresponding network isolation tags are added to the working groups of the target application, which configures the network for each working group. After the target application completes deployment, the network access policies of its working groups take effect. The container groups to be detected in the application are then inspected by the detection program: network access detection is performed on the container groups carrying medium-level and second-high-level network isolation tags, the working groups are checked for wrongly assigned medium-level and second-high-level tags, operations on network isolation tags are logged, and the log is inspected periodically, either automatically or manually. Finally, the application terminates, which may be understood as the destruction of the application.
In this scheme, network access detection inspects the network behaviour of container groups in working groups with a loose degree of network isolation, so that risks arising from such a container group can be dealt with in time. Tag anomaly detection dynamically checks the network isolation tags of the working groups, reducing the probability that a loosely isolating tag is misused. The changes to network isolation tags are recorded in a security log, so that every change of a tag can be traced.
The network access method in the embodiment of the present disclosure is further described below by way of a specific example. An application program using the network access method can provide its services on the basis of a control plane, and fig. 5 is a schematic diagram of the architecture of the control plane provided by some embodiments of the present disclosure. The data plane implements Model as a Service (MaaS): it mainly adapts the large models of various model suppliers and then uses those models to provide services such as inference and fine-tuning. In essence, Model as a Service is a form of Platform as a Service (PaaS).
The system depends on Infrastructure as a Service (IaaS) on the data plane, where a corresponding software stack can be provided and deployed as service container groups scheduled onto managed cloud server (Elastic Compute Service, ECS) nodes, and scheduling in response to user requests is carried out by the scheduler. In fig. 5, the cloud server virtual machine (Elastic Compute Service Virtual Machine, ECS VM) hosts a plurality of User Pods and Service Pods.
The tasks of Model as a Service can generally be classified into inference tasks and training tasks (for example, dynamic fine-tuning tasks). Three roles take part in these tasks: the cloud service provider, the model provider and the user.
In particular, the cloud service provider is the entity that provides cloud services (for example, Infrastructure as a Service or Platform as a Service) to different model providers. The model provider is the entity that owns a large model and uses the cloud service provider to build services such as its own inference tasks. The user is the entity that runs the application provided by the cloud service provider and the model provider. The user has network environment isolation requirements with respect to both the model provider and the cloud service provider. Specifically, when a user obtains Model as a Service from a cloud service provider, the user wants their own tasks to run in an isolated network environment such as a security sandbox. The security sandbox can provide security enhancements in computation, network, storage and the like, can be designed on the basis of privacy-preserving or confidential computing protection mechanisms, and can be applied to the network access method provided by the embodiment of the disclosure.
In some embodiments of the present disclosure, the network access method may first set corresponding network access policies for the different working groups of a distributed Model as a Service application, so as to effectively reduce the attack surface. For example, suppose the application includes three working groups: working group A, working group B and working group C. Working group A may access external network objects, working group B may access interactable objects, and working group C may receive network access from working group A and working group B. Specifically, a plurality of network access policies may be predefined, and when the working groups are configured before the application starts, each working group is labelled with the corresponding network isolation tag; each network isolation tag is provided with its corresponding network access policy.
Further, the container groups of working groups carrying the medium-level network isolation tag and of working groups carrying the second-high-level network isolation tag are inspected more closely. Specifically, the container groups can be checked for abnormal traffic, and their traffic can be inspected by a data loss protection program.
Further, in the container arrangement platform, whether the work group of each application program carries out network isolation label addition according to the corresponding requirement of the work group is detected. If an abnormal network isolation label is found, timely alarm processing is carried out on the network isolation label.
According to the network access scheme provided by the embodiment of the disclosure, on top of the network isolation that exists between the container groups of different applications, finer-grained network access policies are set for the working groups within one application, so that the application has higher network security while operating normally. The update and iteration requirements of Model as a Service are met while a higher level of network isolation protection is still provided, so that user data is prevented from leaking out of the security sandbox and network security is improved.
Fig. 6 is a schematic structural diagram of a network access device according to some embodiments of the present disclosure, where the device may be implemented by software and/or hardware, and may be generally integrated in an electronic device. As shown in fig. 6, the apparatus includes:
An obtaining module 601, configured to obtain a network access request of a target container group, where the target container group belongs to a target work group, and the target work group includes at least one container group with the same function of a target application program;
A determining module 602, configured to determine a target network access policy corresponding to the target working group;
An execution module 603, configured to execute an access operation between the target container group corresponding to the network access request and the target access object if it is determined that the target access object corresponding to the network access request matches the target network access policy, where the target access object includes at least one of an external network object, an interactable object of the target container group external to a container orchestration platform, and an internal object of the container orchestration platform.
In some embodiments of the present disclosure, the target application includes a plurality of work groups corresponding to a plurality of functions, each of the work groups including at least one container group of the same function, and the network access device further includes:
And the adding module is used for responding to the creation operation of the target application program and adding corresponding network isolation labels for a plurality of working groups included in the target application program based on a network isolation relation library.
In some embodiments of the present disclosure, the network isolation relation library includes a plurality of network access policies having a mapping relation and a plurality of network isolation labels, each of the network access policies having a mapping relation with one of the network isolation labels.
In some embodiments of the present disclosure, the network isolation tag includes a plurality of levels, and the network isolation tags of different levels correspond to network access policies of different isolation degrees, and the higher the level, the higher the isolation degree of the corresponding network access policy.
In some embodiments of the present disclosure, the determining module 602 specifically includes:
And acquiring a target network isolation label corresponding to the target working group, and determining a network access strategy corresponding to the target network isolation label as a target network access strategy.
In some embodiments of the present disclosure, determining that the target access object corresponding to the network access request matches the target network access policy includes:
matching object information of the target access object corresponding to the network access request with ingress access information and egress access information included in the target network access policy;
and, if the matching result is that the object information of the target access object is included in the ingress access information or the egress access information, determining that the target access object matches the target network access policy.
In some embodiments of the present disclosure, the target access object includes an ingress access object or an egress access object, and the performing an access operation between the target container group corresponding to the network access request and the target access object includes:
when the network access request comes from the ingress access object, sending the network access request to the target container group to execute the access operation of the ingress access object;
when the network access request comes from the target container group, sending the network access request to the egress access object to execute the access operation of the target container group.
In some embodiments of the present disclosure, the network access device further includes:
The detection module is used for carrying out network access detection and/or label abnormality detection on the container group to be detected of the target application program, wherein the container group to be detected belongs to a work group to be detected, and the work group to be detected corresponds to a network access strategy supporting access to external network objects and interactable objects.
The network access device provided by the embodiment of the disclosure can execute the network access method provided by any embodiment of the disclosure, and has the corresponding functional modules and beneficial effects of the execution method.
The disclosed embodiments provide a computer program product comprising a computer program/instruction which, when executed by a processor, implements the steps of the network access method described above.
Fig. 7 is a schematic structural diagram of an electronic device according to some embodiments of the present disclosure.
Referring now in particular to fig. 7, a schematic diagram of an electronic device 700 suitable for use in implementing embodiments of the present disclosure is shown. The electronic device 700 in the embodiments of the present disclosure may include, but is not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), in-vehicle terminals (e.g., in-vehicle navigation terminals), and the like, and stationary terminals such as digital TVs, desktop computers, and the like. The electronic device shown in fig. 7 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in fig. 7, the electronic device 700 may include a processing means (e.g., a central processor, a graphics processor, etc.) 701, which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 702 or a program loaded from a storage means 708 into a Random Access Memory (RAM) 703. In the RAM 703, various programs and data required for the operation of the electronic device 700 are also stored. The processing device 701, the ROM 702, and the RAM 703 are connected to each other through a bus 704. An input/output (I/O) interface 705 is also connected to bus 704.
In general, the following devices may be connected to the I/O interface 705: input devices 706 such as a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 707 such as a Liquid Crystal Display (LCD), speaker, vibrator, etc.; storage devices 708 such as magnetic tape, hard disk, etc.; and communication devices 709. The communication device 709 may allow the electronic device 700 to communicate wirelessly or by wire with other devices to exchange data. While fig. 7 shows an electronic device 700 having various devices, it is to be understood that not all of the illustrated devices are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication device 709, or installed from the storage device 708, or installed from the ROM 702. The computer program, when executed by the processing device 701, performs the above-described functions defined in the network access method of the embodiment of the present disclosure.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of a computer-readable storage medium may include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to electrical wiring, fiber optic cable, RF (radio frequency), and the like, or any suitable combination of the foregoing.
In some embodiments, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may be interconnected with any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed networks.
The computer readable medium may be included in the electronic device or may exist alone without being incorporated into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to obtain a network access request of a target container group, wherein the target container group belongs to a target work group, the target work group comprises at least one container group of the same function of a target application program, determine a target network access policy corresponding to the target work group, and if it is determined that a target access object corresponding to the network access request matches the target network access policy, perform an access operation between the target container group corresponding to the network access request and the target access object, wherein the target access object comprises at least one of an external network object, an interactable object of the target container group outside a container arrangement platform, and an internal object of the container arrangement platform.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including, but not limited to, an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present disclosure may be implemented by means of software or by means of hardware. In some cases, the names of the units do not constitute a limitation of the units themselves.
The functions described above herein may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems-on-a-Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It will be appreciated that, prior to using the technical solutions disclosed in the embodiments of the present disclosure, the user should be informed of, and should authorize, the type of information, the scope of use, the use scenario, etc. related to the present disclosure, in an appropriate manner and in accordance with relevant legal regulations.
The foregoing description is only of the preferred embodiments of the present disclosure and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the disclosure referred to in this disclosure is not limited to the specific combinations of features described above, but also covers other embodiments which may be formed by any combination of the features described above or their equivalents without departing from the spirit of the disclosure. Such other embodiments include, for example, those formed by mutually substituting the features described above with technical features having similar functions disclosed in the present disclosure (but not limited thereto).
Moreover, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of the present disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are example forms of implementing the claims.
Claims (11)
1. A network security access method applied to a large model service, comprising:
acquiring a network access request of a target container group, wherein the network access request is a request for network access between the target container group and the outside of the target container group, and the target container group belongs to a target working group which comprises at least one container group with the same function of a target application program;
determining a target network access policy corresponding to the target working group, wherein the target network access policy characterizes a network access range of the container groups in the target working group; and
if the target access object corresponding to the network access request is determined to match the target network access policy, executing an access operation between the target container group corresponding to the network access request and the target access object, wherein the target access object comprises at least one of an external network object, an interactable object of the target container group outside a container arrangement platform, and an internal object of the container arrangement platform.
2. The method of claim 1, wherein the target application comprises a plurality of work groups corresponding to a plurality of functions, each of the work groups comprising at least one container group of a same function, the method further comprising:
in response to a creation operation of the target application program, adding corresponding network isolation labels to the plurality of working groups included in the target application program based on a network isolation relation library.
3. The method of claim 2, wherein the network isolation relationship library comprises a plurality of network access policies having a mapping relationship and a plurality of network isolation labels, each of the network access policies having a mapping relationship with one of the network isolation labels.
4. The method of claim 2, wherein the network isolation label includes a plurality of levels, different levels of network isolation labels corresponding to network access policies of different isolation degrees, and the higher the level, the higher the isolation degree of the corresponding network access policy.
5. The method of claim 2, wherein determining the target network access policy corresponding to the target workgroup comprises:
acquiring a target network isolation label corresponding to the target working group, and determining the network access policy corresponding to the target network isolation label as the target network access policy.
6. The method of claim 1, wherein determining that the target access object corresponding to the network access request matches the target network access policy comprises:
matching object information of the target access object corresponding to the network access request with ingress access information and egress access information included in the target network access policy; and
if the matching result is that the object information of the target access object is included in the ingress access information or the egress access information, determining that the target access object matches the target network access policy.
7. The method of claim 1, wherein the target access object comprises an ingress access object or an egress access object, and wherein executing the access operation between the target container group corresponding to the network access request and the target access object comprises:
when the network access request comes from the ingress access object, sending the network access request to the target container group to execute the access operation of the ingress access object; and
when the network access request comes from the target container group, sending the network access request to the egress access object to execute the access operation of the target container group.
8. The method according to claim 1, wherein the method further comprises:
carrying out network access detection and/or label anomaly detection on a container group to be detected of the target application program, wherein the container group to be detected belongs to a working group to be detected, and the working group to be detected corresponds to a network access policy supporting access to external network objects and interactable objects.
9. A network security access apparatus for use with a large model service, comprising:
an acquisition module, a network access module and a storage module, wherein the acquisition module is configured to acquire a network access request of a target container group, the network access request being a request for network access between the target container group and the outside of the target container group, the target container group belonging to a target working group, and the target working group comprising at least one container group with the same function of a target application program;
a determining module, configured to determine a target network access policy corresponding to the target working group, wherein the target network access policy characterizes the network access range of the container groups in the target working group; and
an execution module, configured to execute an access operation between the target container group corresponding to the network access request and the target access object if the target access object corresponding to the network access request is determined to match the target network access policy, wherein the target access object comprises at least one of an external network object, an interactable object of the target container group outside a container arrangement platform, and an internal object of the container arrangement platform.
10. An electronic device, the electronic device comprising:
a processor;
a memory for storing the processor-executable instructions;
wherein the processor is configured to read the executable instructions from the memory and execute the instructions to implement the network security access method applied to a large model service according to any one of claims 1-8.
11. A computer readable storage medium, wherein the storage medium stores a computer program for executing the network security access method applied to a large model service according to any one of claims 1-8.
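The following is an added example, not the patent's own code and not drawn from any product of the applicant, that models the access-control flow of claims 1-8 in one place: a network isolation relation library mapping labels to leveled policies (claims 3-4), working groups of a constructed application labelled at creation time (claim 2), resolution from a container group (pod) through its working group and label to a policy (claim 5), direction-aware matching of the target access object against the policy's ingress or egress information (claims 6-7), and a label anomaly check restricted to the most exposed working groups (claim 8). The "container arrangement platform" of the claims is the orchestration platform here. Every label, group name, pod name and object identifier is constructed for illustration.

```python
"""Constructed model of per-working-group network access policies for container groups.
Not the patent's implementation; all names and sample data are made up."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# The three classes of access object distinguished in claim 1.
EXTERNAL = "external"          # object on the public network
INTERACTABLE = "interactable"  # object outside the platform the group may interact with
INTERNAL = "internal"          # object inside the orchestration platform

ObjectInfo = Tuple[str, str]   # (kind, identifier); identifier "*" matches any of that kind


@dataclass(frozen=True)
class NetworkAccessPolicy:
    """Network access range shared by every container group in a working group."""
    level: int                      # isolation level; higher means more isolated (claim 4)
    ingress: FrozenSet[ObjectInfo]  # objects allowed to reach the group
    egress: FrozenSet[ObjectInfo]   # objects the group is allowed to reach


# Network isolation relation library (claim 3): one label <-> one policy. Constructed.
ISOLATION_LIBRARY: Dict[str, NetworkAccessPolicy] = {
    "iso-level-1": NetworkAccessPolicy(
        1,
        ingress=frozenset({(EXTERNAL, "*"), (INTERNAL, "*")}),
        egress=frozenset({(EXTERNAL, "*"), (INTERACTABLE, "*"), (INTERNAL, "*")}),
    ),
    "iso-level-2": NetworkAccessPolicy(
        2,
        ingress=frozenset({(INTERNAL, "gateway")}),
        egress=frozenset({(INTERACTABLE, "object-store"), (INTERNAL, "*")}),
    ),
    "iso-level-3": NetworkAccessPolicy(
        3,
        ingress=frozenset({(INTERNAL, "inference-api")}),
        egress=frozenset({(INTERNAL, "vector-db")}),
    ),
}

# Claim 2: at application creation each working group (pods of one function) gets a label.
APPLICATION_GROUPS: Dict[str, str] = {   # working group -> network isolation label (constructed)
    "gateway": "iso-level-1",
    "inference": "iso-level-2",
    "embedding": "iso-level-3",
}
POD_TO_GROUP: Dict[str, str] = {         # container group (pod) -> working group (constructed)
    "gateway-0": "gateway",
    "inference-0": "inference",
    "inference-1": "inference",
    "embedding-0": "embedding",
}


def policy_for_pod(pod: str) -> NetworkAccessPolicy:
    """Claim 5: pod -> working group -> isolation label -> network access policy."""
    label = APPLICATION_GROUPS[POD_TO_GROUP[pod]]
    return ISOLATION_LIBRARY[label]


def _included(obj: ObjectInfo, access_info: FrozenSet[ObjectInfo]) -> bool:
    """Object info counts as included on an exact match or a kind-level wildcard."""
    kind, ident = obj
    return (kind, ident) in access_info or (kind, "*") in access_info


def is_allowed(pod: str, target: ObjectInfo, direction: str) -> bool:
    """Claims 6-7. 'ingress': the request comes from the target toward the pod, so only the
    policy's ingress information is consulted; 'egress': the pod initiates it, so only the
    egress information is consulted. Unknown directions are denied."""
    if direction not in ("ingress", "egress"):
        return False
    policy = policy_for_pod(pod)
    info = policy.ingress if direction == "ingress" else policy.egress
    return _included(target, info)


def detect_label_anomalies(expected: Dict[str, str]) -> Set[str]:
    """Claim 8 (label anomaly detection), limited to working groups whose current policy
    permits both external and interactable egress, i.e. the most exposed ones. Reports
    groups whose current label differs from the labelling recorded at creation (`expected`)."""
    anomalies: Set[str] = set()
    for group, label in APPLICATION_GROUPS.items():
        kinds = {kind for kind, _ in ISOLATION_LIBRARY[label].egress}
        if EXTERNAL in kinds and INTERACTABLE in kinds and expected.get(group) != label:
            anomalies.add(group)
    return anomalies


if __name__ == "__main__":
    print(is_allowed("gateway-0", (EXTERNAL, "203.0.113.10"), "ingress"))   # gateway accepts external
    print(is_allowed("inference-0", (EXTERNAL, "203.0.113.10"), "egress"))  # inference may not call out
    print(detect_label_anomalies({"gateway": "iso-level-2"}))               # gateway relabelled: flagged
```

The literal wording of claim 6 accepts a match when the object appears in the ingress information or the egress information; the example deliberately consults only the set that belongs to the request's direction (claim 7), since a pod allowed to be called by an object is not thereby allowed to initiate connections to it. Wildcards are kind-scoped on purpose, so an allowance for internal objects never leaks to external ones.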
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411976213.8A CN119814446B (en) | 2024-12-30 | 2024-12-30 | A network security access method, apparatus, device, and medium for large model services |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411976213.8A CN119814446B (en) | 2024-12-30 | 2024-12-30 | A network security access method, apparatus, device, and medium for large model services |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN119814446A CN119814446A (en) | 2025-04-11 |
| CN119814446B true CN119814446B (en) | 2025-12-19 |
Family
ID=95269072
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411976213.8A Active CN119814446B (en) | 2024-12-30 | 2024-12-30 | A network security access method, apparatus, device, and medium for large model services |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119814446B (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116015875A (en) * | 2022-12-26 | 2023-04-25 | 北京火山引擎科技有限公司 | Container environment safety protection method, device, equipment and storage medium |
| CN119071071A (en) * | 2024-08-29 | 2024-12-03 | 北京火山引擎科技有限公司 | A network access method, device, equipment and medium |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10396997B2 (en) * | 2016-12-14 | 2019-08-27 | International Business Machines Corporation | Container-based operating system and method |
| CN109561108B (en) * | 2019-01-07 | 2020-09-01 | 中国人民解放军国防科技大学 | Policy-based container network resource isolation control method |
| CN113572838B (en) * | 2021-07-22 | 2023-04-07 | 北京金山云网络技术有限公司 | Network access method, device, equipment and medium based on Kubernetes |
| CN115001780B (en) * | 2022-05-26 | 2024-09-06 | 深圳小雨点数字技术有限公司 | Access control method, device, equipment and readable storage medium |
| CN118041616A (en) * | 2024-02-02 | 2024-05-14 | 抖音视界有限公司 | Method, apparatus, electronic device and program product for processing access request |
- 2024-12-30 CN CN202411976213.8A patent/CN119814446B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116015875A (en) * | 2022-12-26 | 2023-04-25 | 北京火山引擎科技有限公司 | Container environment safety protection method, device, equipment and storage medium |
| CN119071071A (en) * | 2024-08-29 | 2024-12-03 | 北京火山引擎科技有限公司 | A network access method, device, equipment and medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN119814446A (en) | 2025-04-11 |
Similar Documents
| Publication | Title |
|---|---|
| US10614233B2 (en) | Managing access to documents with a file monitor |
| US20230021216A1 (en) | Systems and methods for deploying secure edge platforms |
| US11676158B2 (en) | Automatic remediation of non-compliance events |
| JP6730997B2 (en) | Method, computer program, computer system for security within an infrastructure defined by software |
| US11550567B2 (en) | User and entity behavior analytics of infrastructure as code in pre deployment of cloud infrastructure |
| US10579814B2 (en) | Monitoring and preventing unauthorized data access |
| US9799003B2 (en) | Context-dependent transactional management for separation of duties |
| US11038892B2 (en) | Dynamically generating restriction profiles for managed devices |
| US11470068B2 (en) | System and methods for securely storing data for efficient access by cloud-based computing instances |
| US20200195675A1 (en) | Detecting Unauthorized User Actions |
| CN119071071B (en) | Network access method, device, equipment and medium |
| US20220191238A1 (en) | Automated seamless recovery |
| US11556650B2 (en) | Methods and systems for preventing utilization of problematic software |
| US10831868B2 (en) | Global license spanning multiple timezones in a rate-based system |
| US10248406B2 (en) | Locale object management |
| US20240103903A1 (en) | Dynamic pod priority inference utilizing service mesh telemetry data |
| CN119814446B (en) | A network security access method, apparatus, device, and medium for large model services |
| CN118295806A (en) | A distributed task processing method and device |
| CN119883512B (en) | Model task processing method, device, equipment and medium |
| CN120342698B (en) | Network security access method, device, equipment and medium for large model task |
| CN120315812B (en) | Container safety creation method, medium, equipment and product in large model scene |
| WO2020232157A1 (en) | System and methods for generating secure ephemeral cloud-based computing resources for data operations |
| CN116149822B (en) | Task execution method, device, electronic device and storage medium |
| CN114640585B (en) | Resource updating method and device, electronic equipment and storage medium |
| US12321480B2 (en) | System and methods for dynamic tags |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |