CN111800291A - Service function chain deployment method and device - Google Patents

Abstract

Embodiments of the present invention provide a method and device for deploying a service function chain. The above method includes: selecting a VNF from preset virtualized network function VNFs of each service type of the service type requested by a service request, and obtaining the number of VNFs Respectively, each number of VNF sets within the preset number range; obtain each first combination, wherein each first combination includes a VNF set corresponding to each service type; based on the adjusted security value and deployment of each second combination Consumption, select a second combination for deploying the service function chain to be deployed in each of the second combinations, the second combination is: the first combination whose security value is greater than the expected security value; The middle VNF deploys the to-be-deployed service function chain according to a preset logical sequence. When the solution provided by the embodiment of the present invention is applied to deploy the service function chain, the security of the deployed service function chain can be improved.

Description

A service function chain deployment method and device

technical field

The present invention relates to the technical field of communication security, and in particular, to a method and device for deploying a service function chain.

Background technique

The service function chain is a set of ordered VNFs (Virtual Network Functions, virtualized network functions), and the VNFs are used to provide services. Since a service request may include a series of service types to be requested, when the service requests are different, the service types included in the service requests are also different, so the VNFs in the service function chain used to respond to the service requests are also different.

In order to satisfy different service requests of users, it is necessary to deploy service function chains for different service requests, so as to respond to user service requests based on the deployed service function chains. In the prior art, when deploying a service function chain, generally based on the service type of each service requested by the business request, a VNF is randomly selected from each preset VNF of the service type of each service, and the deployment is based on the selected VNFs. Service function chain.

However, due to the random selection of VNFs, the selected VNFs may be less secure, and less secure VNFs are vulnerable to cyber attackers, resulting in less secure service function chains deployed.

SUMMARY OF THE INVENTION

The purpose of the embodiments of the present invention is to provide a service function chain deployment method and device, so as to improve the security of the deployed service function chain. The specific technical solutions are as follows:

In a first aspect, an embodiment of the present invention provides a service function chain deployment method, and the method includes:

Determine the expected security value of the service function chain to be deployed according to the business request to be responded;

For each service type of the service requested by the service request to be responded, select a VNF from each preset virtualized network function VNF of the service type, and obtain a VNF set whose number of VNFs is each within the preset number range;

Combining the obtained VNF sets to obtain each first combination, wherein each first combination includes a VNF set corresponding to each service type;

For each first combination, calculate the security value of the first combination according to the security value of each VNF in the first combination;

For each second combination, according to the security value of the second combination, adjust the total resource consumption of the VNFs in the second combination as deployment consumption, and adjust the total resource consumption of the VNFs in the second combination according to the actual total occupied resources of the second combination. Two combinations of safety values, wherein the second combination is: a first combination in which the safety value of the first combination is greater than the expected safety value;

Based on the adjusted security value and deployment consumption of each second combination, a second combination for deploying the service function chain to be deployed is selected in each second combination, and the VNF in the selected second combination is set according to the preset The to-be-deployed service function chain is deployed in a logical sequence.

In an embodiment of the present invention, the above-mentioned expected security value is a security value for the service function chain,

For each first combination, calculating the security value of the first combination according to the security value of each VNF in the first combination, including:

The safety value θ of each first combination is calculated according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type.

In an embodiment of the present invention, the above-mentioned expected security value is a security value for the VNF in the service function chain,

For each first combination, calculating the security value of the first combination according to the security value of each VNF in the first combination, including:

The safety value μ of each first combination is calculated according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type.

In an embodiment of the present invention, the above-mentioned determination of the expected security value of the service function chain to be deployed according to the service request to be responded includes:

When the service request to be responded carries the expected service security value of the requested service, the expected service security value is used as the expected security value of the service function chain to be deployed;

When the service request to be responded does not carry the expected service security value of the requested service, the preset expected security value is used as the expected security value of the service function chain to be deployed.

In an embodiment of the present invention, for each second combination, the total resource consumption of deploying VNFs in the second combination is adjusted according to the security value of the second combination as deployment consumption, and according to the VNFs in the second combination The actual total occupied resources, adjust the security value of the second combination, including:

For each second combination, calculate the sum of the total resource consumption of deploying VNFs in the second combination and the security value of the second combination, use the calculated value as the deployment consumption of the second combination, and calculate the second combination The sum of the actual total occupied resources of the inner VNF and the security value of the second combination is taken as the adjusted security value of the second combination.

In an embodiment of the present invention, the above-mentioned second combination selected for deploying the to-be-deployed service function chain from each second combination includes:

Calculate the ratio between the adjusted security value of each second combination and the deployment consumption, and use the second combination with the largest ratio as the second combination for deploying the service function chain to be deployed.

In an embodiment of the present invention, after the VNF in the selected second combination deploys the to-be-deployed service function chain according to a preset logical sequence, the method further includes:

Evaluate the performance values of the VNFs in the selected second combination;

Selecting a working VNF for work among the selected VNFs of the second combination based on the assessed work performance value of the VNF and the security value of the VNF;

The service request to be responded is responded to based on the determined working VNF.

In one embodiment of the present invention, the above-mentioned method further includes:

According to the preset period, based on the historical security value of each VNF, the security value T of the current period of each VNF is determined according to the following expression:

大于预设阈值。Among them, T ₀ is the evaluation result of the security value of the VNF in the current cycle, i is the sequence number of the cycle, I is the number of cycles from the initial cycle to the current cycle, T _i is the security value of the VNF in the ith cycle, and α is the security value of the VNF is the security weight of the value evaluation result, β _i is the security weight of the security value of the VNF in the ith cycle, and

greater than the preset threshold.

In a second aspect, an embodiment of the present invention provides an apparatus for deploying a service function chain, where the apparatus includes:

The expected security value determination module is used to determine the expected security value of the service function chain to be deployed according to the business request to be responded;

The VNF set obtaining module is configured to, for each service type of the service requested by the service request to be responded, select a VNF from each preset virtualized network function VNF of the service type, and obtain the number of VNFs in the preset number range respectively Each number of VNF sets within;

The first combination obtaining module is used to combine the obtained VNF sets to obtain each first combination, wherein each first combination includes a VNF set corresponding to each service type;

a security value calculation module, configured to calculate the security value of the first combination according to the security value of each VNF in the first combination for each first combination;

The data calculation module is configured to, for each second combination, adjust the total resource consumption of deploying VNFs in the second combination according to the security value of the second combination, as the deployment consumption, and according to the actual total resource consumption of the VNFs in the second combination. Occupy resources, and adjust the security value of the second combination, where the second combination is: the security value of the first combination is greater than the expected security value of the first combination;

The service function chain deployment module is configured to select a second combination for deploying the service function chain to be deployed in each second combination based on the adjusted security value and deployment consumption of each second combination, and assign the selected In the second combination, the VNF deploys the to-be-deployed service function chain according to a preset logical sequence.

In an embodiment of the present invention, the above-mentioned expected security value is a security value for the service function chain,

The safety value calculation module is specifically configured to calculate the safety value θ of each first combination according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type.

In an embodiment of the present invention, the above-mentioned expected security value is a security value for the VNF in the service function chain,

The safety value calculation module is specifically configured to calculate the safety value μ of each first combination according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type.

In an embodiment of the present invention, the above-mentioned desired security value determination module is specifically configured to use the desired service security value as the service function to be deployed when the service request to be responded carries the desired service security value of the requested service The expected security value of the chain; when the service request to be responded does not carry the expected service security value of the requested service, the preset expected security value is used as the expected security value of the service function chain to be deployed.

In an embodiment of the present invention, the above-mentioned data calculation module is specifically configured to, for each second combination, calculate the sum of the total resource consumption of VNFs in the deployment of the second combination and the security value of the second combination, and calculate the calculated The value is taken as the deployment consumption of the second combination, and the sum of the actual total occupied resources of VNFs in the second combination and the security value of the second combination is calculated, and the calculated value is used as the adjusted security value of the second combination.

In an embodiment of the present invention, the above-mentioned service function chain deployment module is specifically used to calculate the ratio between the adjusted security value of each second combination and the deployment consumption, and the second combination with the largest ratio is used for deploying the to-be-deployed The second combination of service function chains is deployed, and the VNFs in the selected second combination are deployed in the to-be-deployed service function chain according to a preset logical sequence.

In an embodiment of the present invention, the above-mentioned device further includes:

a work performance value evaluation module, configured to evaluate the work performance value of the VNF in the selected second combination after the service function chain deployment module;

a working VNF selection module for selecting a working VNF for working among the selected second combined VNFs based on the assessed working performance value of the VNF and the safety value of the VNF;

A service request response module, configured to respond to the service request to be responded based on the determined working VNF.

In an embodiment of the present invention, the above-mentioned device further includes: a VNF security value calculation module,

The VNF security value calculation module is specifically used to determine the security value T of each VNF in the current period according to the following expression based on the historical security value of each VNF according to a preset period:

大于预设阈值。Among them, T ₀ is the evaluation result of the security value of the VNF in the current cycle, i is the sequence number of the cycle, I is the number of cycles from the initial cycle to the current cycle, T _i is the security value of the VNF in the ith cycle, and α is the security value of the VNF is the security weight of the value evaluation result, β _i is the security weight of the security value of the VNF in the ith cycle, and

greater than the preset threshold.

In a third aspect, an embodiment of the present invention provides an electronic device, including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus;

memory for storing computer programs;

The processor is configured to implement the method steps described in the first aspect above when executing the program stored in the memory.

It can be seen from the above that when the solution provided by the embodiment of the present invention is applied to construct the service function chain, since it is based on the security value of the first combination and the expected security value of the service function chain to be deployed, the determined second combination is selected for the service function chain. Deploy the second combination of the service function chain to be deployed, and because the security value of the first combination can reflect the security of the VNF in the first combination, the above expected security value reflects the expected degree of security of the service function chain to be deployed. Therefore, , based on the selected second combination for deploying the service function chain to be deployed, each VNF deploys the service function chain, and on the basis of meeting the security requirements of the deployed service function chain, improves the deployed service function chain. safety.

In addition, since the VNFs are selected from the VNFs of each service type requested by the business request, the VNF sets of which the number of VNFs are respectively within the preset number range are obtained, and the obtained VNF sets are combined. Compared with selecting only one VNF in the prior art, selecting each number of VNFs within a preset number range can reduce the probability of being attacked by a network attacker and improve the security of the deployed service function chain.

Finally, because it is based on the adjusted security value and deployment consumption of each second combination, the second combination for deploying the service function chain to be deployed is selected, and because the adjusted security value of the second combination more accurately reflects the second combination For the security of the VNF, the deployment consumption of the second combination more accurately reflects the total resource consumption of the VNF in the deployment of the second combination. Therefore, based on the adjusted security value and deployment consumption of each second combination, the service function to be deployed is selected for deployment. On the basis of improving the security of the service function chain to be deployed, the second combination of the chain reduces the consumption of deploying the service function chain to be deployed, thereby improving resource utilization.

Description of drawings

In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only These are some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained according to these drawings without creative efforts.

1 is a schematic flowchart of a first service function chain deployment method provided by an embodiment of the present invention;

2 is a schematic flowchart of a dynamic selection method according to an embodiment of the present invention;

3a is a schematic flowchart of a second service function chain deployment method provided by an embodiment of the present invention;

3b is a block diagram of a service function chain deployment architecture provided by an embodiment of the present invention;

4 is a schematic structural diagram of an apparatus for deploying a service function chain according to an embodiment of the present invention;

FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.

Detailed ways

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, but not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present invention.

Referring to FIG. 1 , FIG. 1 is a schematic flowchart of a first method for deploying a service function chain according to an embodiment of the present invention. The foregoing method includes S101-S106.

S101: Determine the expected security value of the service function chain to be deployed according to the service request to be responded.

The above service request to be responded is used to request to obtain a service. For example, the above-mentioned services may be: a video download service, a web page download service, and the like.

The service function chain is a collection or chain composed of VNFs in a preset logical order. The service function chain can cut out multiple virtual end-to-end networks on a unified network infrastructure. The network to the bearer network and then to the core network is logically isolated, so the above service function chain can also be called network slicing. The service function chain is suitable for various types of business applications, and it will make it possible to support various requirements with the most granular granularity on the general network infrastructure.

The expected security value of the service function chain can be understood as the value that the security of the expected service function chain can achieve.

Since users usually expect that the security provided by services can be guaranteed to ensure that important data is not stolen, when users send service requests, they usually add the expected service security value of the service function chain to be deployed in the service request. The expected business security value may be a security score or the like.

Based on this, in an embodiment of the present invention, when the service request to be responded carries the expected service security value of the requested service, the expected service security value is used as the expected security value of the service function chain to be deployed.

Specifically, when the above-mentioned expected service security value is a security score, the above-mentioned expected service security value may be divided into security levels, for example, the security level may be divided into 5 levels. Among them, 5 is the highest, 4 is high, 3 is medium, 2 is normal, and 1 is low.

When the expected service security value exceeds the preset security value range, the expected service security value may be normalized, and correspond to levels 1-5 according to the preset interval.

In this way, the expected security value of the service function chain to be deployed can be made consistent with the expected service security value of the user, thereby meeting the security requirement of the user to be deployed service function chain.

In an embodiment of the present invention, when the service request to be responded does not carry the expected service security value of the requested service, the preset expected security value is used as the expected security value of the service function chain to be deployed.

The above-mentioned preset expected safety value may be set by the staff according to experience.

In this way, using the preset expected security value as the expected security value of the service function chain to be deployed can ensure the security of the service function chain to be deployed.

S102: For each service type of the service requested by the service request to be responded, select a VNF from each VNF of the service type, and obtain a VNF set of which the number of VNFs is each within a preset number range.

The above-mentioned preset quantity range can be set by the staff according to experience, for example: the above-mentioned preset quantity range can be [1, 5].

The above-mentioned preset quantity range can also be determined according to the expected safety value determined in S101. For example, the above-mentioned preset quantity range is proportional to the expected safety value. When the expected safety value is higher, the above-mentioned preset quantity range is also larger. When the expected safety value is lower, the above-mentioned preset quantity range is also smaller.

The number of VNFs is each number within the preset number range. It can be understood that each VNF in the VNF set is used to provide services of the same service type, and the number of VNFs in the VNF set is each number within the preset number range. For example: Suppose service type A includes VNF ₁ , VNF ₂ , VNF ₃ , ..., VNF _n , wherein VNF ₁ , VNF ₂ , VNF ₃ , ... , VNF _n are all used to provide services of service type A, pre- Set the number range to [1,5], then you can get the VNF set with the number of VNFs 1, the VNF set with the number of VNFs 2, the VNF set with the number of VNFs 3, the VNF set with the number of VNFs 4, and the number of VNFs 5. VNF set.

Specifically, when selecting VNFs from each VNF of each service type, a random selection method can be used to select VNFs from each functionally equivalent VNF included in the heterogeneous function execution pool, so that the number of VNFs is respectively the preset number range. Each number of VNF sets within.

The foregoing heterogeneous function execution pool includes VNFs of various service types, and each VNF of each service type may also be referred to as each VNF of equivalent function.

In an embodiment of the present invention, a dynamic selection algorithm may also be used to select VNFs from the VNFs of each service type requested by the service request to be responded to, and obtain VNF sets of which the number of VNFs is each within the preset number range. .

Referring to FIG. 2, FIG. 2 is a schematic flowchart of a dynamic selection method provided by an embodiment of the present invention. 2 includes heterogeneous function execution pool 1, heterogeneous function execution pool 2, VNF ₁₁ , VNF ₁₂ , ..., VNF _1n , VNF ₂₁ , VNF ₂₂ , ..., VNF _2n , VNF pool, service 1, service 2. VNF _1x , VNF _1y , VNF _2x , VNF _2y .

Wherein, the heterogeneous function execution pool 1 includes VNF ₁₁ , VNF ₁₂ , ..., VNF _1n . VNF ₁₁ , VNF ₁₂ , . . . , VNF _1n are all used to provide service 1 .

VNF ₂₁ , VNF ₂₂ , . . . , VNF _2n in the heterogeneous function execution pool 2 . VNF ₂₁ , VNF ₂₂ , . . . , VNF _2n are all used to provide service 2 .

The VNF pool includes VNF _1x , VNF _1y , VNF _2x , and VNF _2y , wherein VNF _1x and VNF _1y are two VNFs dynamically selected from the heterogeneous function execution pool 1, and VNF _2x and VNF _2y are from the heterogeneous function execution pool Two VNFs dynamically selected in 2.

S103: Combine each of the obtained VNF sets to obtain each of the first combinations.

Wherein, each first combination includes a VNF set corresponding to each service type. For example, it is assumed that the VNF set corresponding to service type St ₁ includes: VNF set ₁₁ and VNF set ₁₂ , and the VNF set corresponding to service type St ₂ includes: VNF set ₂₁ and VNF set ₂₂ . Then four sets of first combinations can be obtained, namely: (VNF set ₁₁ , VNF set ₂₁ ), (VNF set ₁₁ , VNF set ₂₂ ), (VNF set ₁₂ , VNF set ₂₁ ), (VNF set ₁₂ , VNF set ₂₂ ).

Specifically, a preset combination mode may be used to combine each obtained VNF set to obtain each first combination. For example, the above-mentioned preset combination modes may include: random combination, directional combination, and the like.

S104: For each first combination, calculate the security value of the first combination according to the security value of each VNF in the first combination.

The security value of each VNF in the first combination reflects the security level of each VNF. Therefore, the security value of the first combination can be calculated according to the security value of each VNF in the second combination.

Specifically, when calculating the security value of each first combination, the sum of the security values of each VNF in the first combination may be calculated, and the calculated value may be used as the security value of the first combination.

Since the security value of the first combination is used for comparison with the expected security value of the service function chain to be deployed, the security value type of the first combination is related to the type of the expected security value of the service function chain to be deployed. Based on this, in an embodiment of the present invention, when the expected security value is the security value for the service function chain, the security value θ of each first combination can be calculated according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type.

Wherein, _Δx may be the product of the xth service type including the security values of each VNF.

In this way, according to the security value of the service type, the security weight of the service type, and the number of VNFs included in the service type, the total security value of the VNFs in the first combination can be calculated more accurately.

In an embodiment of the present invention, when the expected security value is the security value for the VNF in the service function chain, the security value μ of each first combination can be calculated according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type.

In this way, according to the security value of the service type, the security weight of the service type, the number of the service type, and the number of VNFs included in the service type, the average security value of the VNFs in the first combination can be calculated more accurately.

S105: For each second combination, according to the security value of the second combination, adjust the total resource consumption of the VNFs in the deployment of the second combination as deployment consumption, and adjust the actual total occupied resources of the VNFs in the second combination according to the second combination. The safe value of this second combination.

The above-mentioned second combination is the first combination in which the safety value of the first combination is greater than the expected safety value.

Since the expected security value is a value that the security of the service function chain to be deployed is expected to reach, when the security value of the second combination is greater than the expected security value, the security of the service function chain deployed based on the VNFs in each second combination can be guaranteed The security can meet the demand for the security of the service function chain.

The above total resource consumption of the VNFs in the deployment of the second combination can be understood as: the sum of the resources consumed by the VNFs in the deployment of the second combination. The resources consumed by each VNF in the above-mentioned deployment of the second combination include computing resources, storage resources, network resources, and the like.

Since the deployment consumption of the second combination is related to the security value of the second combination, for example: when the security value of the second combination is higher, the deployment consumption of the second combination is more; when the security value of the second combination is lower, the second combination deployment consumes less. Therefore, according to the security value of the second combination, the total resource consumption of deploying the VNFs in the second combination can be adjusted as deployment consumption.

Specifically, when calculating the deployment consumption of each second combination, the deployment consumption of the second combination may be determined according to the total resource consumption of VNFs in the deployment of the second combination, the weight of the total resource consumption, and the security value of the second combination.

The actual total resources occupied by the VNFs in the second combination are: the sum of the resources actually occupied by the VNFs in the second combination. The actual occupied resources of the VNF may include the actual occupied computing resources of the VNF, the actual occupied storage resources, the actual occupied network resources, and the like.

Since the security of the second combination is related to the actual total resources occupied by the VNFs of the second combination, for example: when the actual total resources occupied by the VNFs of the second combination are more, the security of the second combination is also higher; The lower the actual total occupied resources of the VNFs, the lower the security of the second combination. Therefore, the security value of each second combination can be adjusted according to the actual total resources occupied by the VNFs in each second combination.

Specifically, when adjusting the security value of each second combination, the security value adjustment range may be determined according to the actual total occupied resources of the VNFs in the second combination and the weight of the actual total occupied resources, and the second security value adjustment range may be adjusted according to the determined security value adjustment range. Combined safe value.

S106: Based on the adjusted security value and deployment consumption of each second combination, select a second combination for deploying the service function chain to be deployed in each second combination, and set the VNF in the selected second combination according to the preset Deploy the service function chain to be deployed in logical order.

Since the adjusted security value of the second combination can more accurately reflect the security of the second combination, the deployment consumption of the second combination reflects the total resource consumption when each VNF of the second combination is deployed. The adjusted security value and deployment consumption of the second combination, and selecting the second combination for deploying the service function chain to be deployed in each second combination can ensure that the service functions deployed by each VNF in the selected second combination can be guaranteed. Based on the security of the chain, it saves the resource consumption of deploying VNF, thereby improving resource utilization.

Specifically, when selecting the second combination for deploying the service function chain to be deployed, the adjusted security value of the second combination may be within the preset security value range, and the deployment consumption of the second combination may be within the preset deployment consumption The second combination within the scope serves as the second combination for deploying the service function chain to be deployed. The above-mentioned preset safety value range and preset deployment consumption range can be set by the staff based on experience.

In an embodiment of the present invention, the ratio between the adjusted security value of each second combination and the deployment consumption can be calculated, and the second combination with the largest ratio is used as the second combination for deploying the service function chain to be deployed.

In this way, the ratio between the adjusted security value of each second combination and the deployment consumption is calculated, and the second combination with the largest ratio is used as the second combination for deploying the service function chain to be deployed. On the basis of the safety value of , the consumption of VNFs in the deployment of the second combination is reduced, and the resource utilization rate is improved.

Since the service function chain consists of a set of ordered VNFs, after the second combination for deploying the service function chain to be deployed is determined, that is, after each VNF for deploying the service function chain to be deployed is determined, the selected VNFs are connected in a preset logical order to form a service function chain.

It can be seen from the above that when the solution provided by this embodiment is applied to construct the service function chain, since it is based on the security value of the first combination and the expected security value of the service function chain to be deployed, the determined second combination is selected for deployment. The second combination of the service function chain to be deployed, and because the security value of the first combination can reflect the security of the VNF in the first combination, and the above expected security value reflects the expected degree of security of the service function chain to be deployed. Therefore, The service function chain is deployed based on each VNF in the second combination selected for deploying the service function chain to be deployed, and the security of the deployed service function chain is improved on the basis of meeting the security requirements of the deployed service function chain sex.

In addition, since the VNFs are selected from the VNFs of each service type requested by the business request, the VNF sets of which the number of VNFs are respectively within the preset number range are obtained, and the obtained VNF sets are combined. Compared with selecting only one VNF in the prior art, selecting each number of VNFs within a preset number range can reduce the probability of being attacked by a network attacker and improve the security of the deployed service function chain.

Finally, because it is based on the adjusted security value and deployment consumption of each second combination, the second combination for deploying the service function chain to be deployed is selected, and because the adjusted security value of the second combination more accurately reflects the second combination For the security of the VNF, the deployment consumption of the second combination more accurately reflects the total resource consumption of the VNF in the deployment of the second combination. Therefore, based on the adjusted security value and deployment consumption of each second combination, the service function to be deployed is selected for deployment. On the basis of improving the security of the service function chain to be deployed, the second combination of the chain reduces the consumption of deploying the service function chain to be deployed, thereby improving resource utilization.

In an embodiment of the present invention, for each second combination in the above S105 can be implemented in the following manner, according to the security value of the second combination, adjust the total resource consumption of the VNF in the deployment of the second combination, as the deployment consumption, and The security value of the second combination is adjusted according to the actual total resources occupied by the VNFs in the second combination.

For each second combination, calculate the sum of the total resource consumption of deploying VNFs in the second combination and the security value of the second combination, use the calculated value as the deployment consumption of the second combination, and calculate the second combination The sum of the actual total occupied resources of the inner VNF and the security value of the second combination is taken as the adjusted security value of the second combination.

For example: assuming that the actual total resources occupied by VNFs in the second combination is S ₁ and the security value of the second combination is N ₁ , the sum of the actual total resources occupied by VNFs in the second combination and the security value of the second combination can be calculated as : S ₁ +N ₁ . Assuming that the total resource consumption of VNFs in the deployment of the second combination is S ₂ and the security value of the second combination is N ₂ , the sum of the total resource consumption of the VNFs in the deployment of the second combination and the security value of each second combination can be calculated as: S ₂ +N ₂ .

In this way, by calculating the sum of the actual total resources occupied by VNFs in the second combination and the security value of the second combination, the adjusted security value of the second combination can be obtained more accurately. The sum of the security values of the two combinations can more accurately obtain the deployment consumption of the second combination.

In an embodiment of the present invention, on the basis of the foregoing embodiment, the following steps B1 to B3 may be further included.

Step B1: Evaluate the performance value of the VNF in the selected second combination.

The working performance value of the above VNF can be understood as: the value of the performance parameter when the VNF is working. The working performance value of the VNF above reflects the working state of the VNF.

Specifically, a statistical analysis method may be used to evaluate the work performance value of the VNF in the second combination according to the recorded historical work performance value of the VNF in the second combination.

The historical working performance value of the VNF in the second combination can be understood as: the performance value of the VNF in the second combination when it was working before.

The above statistical analysis methods include taking the maximum value, taking the average and the like.

Specifically, the simulated working performance value of the VNF in the second combination in the simulated working environment may also be recorded, and the working performance value of the VNF in the second combination may be evaluated according to the recorded simulated working performance value.

Step B2: Based on the evaluated work performance value of the VNF and the security value of the VNF, a working VNF for work is selected among the selected second combined VNFs.

Since the number of VNFs belonging to the same service in the second combination may be multiple, a working VNF for work needs to be selected, so as to respond to a service request based on the selected working VNF.

Specifically, when selecting a working VNF for working in the selected second combination of VNFs, the working performance value of the VNF may be within the preset performance value range, and the VNF security value may be within the preset VNF security value range. VNF as working VNF.

The above-mentioned preset performance range and preset VNF security value range can be set by staff according to experience.

Specifically, when selecting a working VNF for working in the selected second combination of VNFs, the working performance value of the VNF, the security value of the VNF, the weight corresponding to the working performance value of the VNF, and the corresponding security value of the VNF may also be used. The weights to select the working VNF.

Step B3: Responding to the service request to be responded based on the determined working VNF.

Specifically, the working VNF can provide services to users, thereby responding to service requests to be responded.

In this way, according to the evaluated working performance value of the VNF and the security value of the VNF, selecting a working VNF for working in the selected second combination of VNFs can make the selected working VNF on the basis of improving working efficiency, Improves the security value of the service function chain to be deployed.

In an embodiment of the present invention, on the basis of the above-mentioned embodiment, it may further include determining the security value T of each VNF in the current period according to the following expression based on the historical security value of each VNF according to a preset period:

大于预设阈值，例如：上述预设阈值可以为0.5、0.4等。Among them, T ₀ is the evaluation result of the security value of the VNF in the current cycle, i is the sequence number of the cycle, I is the number of cycles from the initial cycle to the current cycle, T _i is the security value of the VNF in the ith cycle, and α is the security value of the VNF is the security weight of the value evaluation result, β _i is the security weight of the security value of the VNF in the ith cycle, and

is greater than the preset threshold, for example, the preset threshold may be 0.5, 0.4, or the like.

Specifically, it can be evaluated according to the VNF type, the traffic demand sum of all adjacent links connected to the VNF, the number of VNFs directly connected to other VNFs, the VNF resources and security requirements, and the data integrity and confidentiality in the VNF. , grading the security level of each VNF, and using the level of the VNF as the initial trust degree of the VNF.

In this way, the security value of the VNF is updated according to the preset interval, so that the security value of each VNF is more in line with the actual working condition of the VNF.

In one embodiment of the present invention, after the service function chain to be deployed is deployed, the real-time security value of the service function chain can be evaluated according to the current working state of the deployed service function chain according to a preset interval.

The real-time safety value θ _t of the service function chain can be evaluated according to the following expression:

为服务功能链的安全值评估结果的安全权重，

为第i个周期的服务功能链的安全值的安全权重。Among them, θ ₀ is the security value evaluation result of the service function chain in the current cycle, i is the sequence number of the cycle, I is the number of cycles from the initial cycle to the current cycle, θ _i is the security value of the service function chain in the ith cycle,

The security weight of the result evaluation result for the security value of the service function chain,

is the security weight of the security value of the service function chain in the ith cycle.

The service function chain deployment solution provided by the embodiment of the present invention will be specifically described below through specific embodiments. 3a and 3b, FIG. 3a is a schematic flowchart of a second service function chain deployment method provided by an embodiment of the present invention, and FIG. 3b is a block diagram of a service function chain deployment architecture provided by an embodiment of the present invention.

In Fig. 3a, the first step is to determine the deployment request of the service function chain according to the business request to be responded.

Step 2: According to the determined deployment request of the service function chain, the dynamic selection algorithm is used to determine the functionally equivalent VNFs in the heterogeneous function execution pool, and each functionally equivalent VNF forms a VNF set.

The third step: combine the obtained VNF sets to obtain each first combination, and evaluate the security value of each first combination.

Step 4: Based on the actual total resources occupied by the VNFs of the second combination and the total resource consumption of the VNFs in the deployment of the second combination, the second combination for deploying the service function chain is selected.

Step 5: Deploy the service function chain based on the selected second combination and the network infrastructure.

In Figure 3b, it includes a service request layer, an input module, a heterogeneous function execution pool, a dynamic selector, a VNF pool, a trust evaluation layer, a decision output layer, a revenue calculation module, and a timing module. Among them, the trust evaluation layer includes VNF security level value evaluation, service function chain trust degree evaluation and network resource trust degree evaluation.

The service request layer is used to receive the service request to be responded, obtain the expected security value of the service function chain to be deployed, and generate a service function chain deployment request.

The input module is used to receive the service function chain deployment request sent by the business request layer.

The heterogeneous function execution pool includes multiple VNFs with equivalent functions.

The dynamic selector is used to select VNFs from the heterogeneous function execution pool according to the expected security value of the service function chain to be deployed.

The VNF pool includes individual VNFs selected by dynamic selectors.

The trust evaluation layer is used to evaluate the security value of each combination composed of each VNF in the VNF pool. Among them, the trust evaluation layer includes VNF security level value evaluation, service function chain trust degree evaluation and network resource trust degree evaluation.

Specifically, the VNF security level value evaluation is used to evaluate the security value of each VNF. The service function chain trust evaluation is used to evaluate the security value of the service function chain to be deployed. The network resource trust evaluation is used to evaluate the actual resources occupied by each VNF and the resource consumption of deploying each VNF.

The decision output layer is used to evaluate the work performance of each VNF to be deployed in the service function chain.

The revenue calculation module is used to calculate the security value and deployment consumption of the service function chain to be deployed, and determine the VNFs that constitute the service function chain to be deployed.

The timing module is used to re-evaluate the security value of the VNF and the security value of the service function chain according to a preset interval.

Corresponding to the above service function chain deployment method, an embodiment of the present invention further provides a service function chain deployment apparatus.

Referring to FIG. 4 , FIG. 4 is a schematic structural diagram of an apparatus for deploying a service function chain according to an embodiment of the present invention. The foregoing apparatus includes 401 to 406 .

An expected security value determination module 401, configured to determine the expected security value of the service function chain to be deployed according to the service request to be responded;

The VNF set obtaining module 402 is configured to, for each service type of the service requested by the service request to be responded, select a VNF from each preset virtualized network function VNF of the service type, and obtain the number of VNFs as a preset number respectively The various number of VNF sets within the scope;

The first combination obtaining module 403 is configured to combine the obtained VNF sets to obtain each first combination, wherein each first combination includes a VNF set corresponding to each service type;

a security value calculation module 404, configured to, for each first combination, calculate the security value of the first combination according to the security value of each VNF in the first combination;

The data calculation module 405 is configured to, for each second combination, adjust the total resource consumption of deploying VNFs in the second combination according to the security value of the second combination, as the deployment consumption, and according to the actual VNF in the second combination. total occupied resources, and adjust the security value of the second combination, where the second combination is: the security value of the first combination is greater than the expected security value of the first combination;

The service function chain deployment module 406 is configured to select a second combination for deploying the service function chain to be deployed in each second combination based on the adjusted security value and deployment consumption of each second combination, and assign the selected In the second combination of , the VNF deploys the to-be-deployed service function chain according to a preset logical sequence.

It can be seen from the above that when the solution provided by this embodiment is applied to construct the service function chain, since it is based on the security value of the first combination and the expected security value of the service function chain to be deployed, the determined second combination is selected for deployment. The second combination of the service function chain to be deployed, and because the security value of the first combination can reflect the security of the VNF in the first combination, and the above expected security value reflects the expected degree of security of the service function chain to be deployed. Therefore, The service function chain is deployed based on each VNF in the second combination selected for deploying the service function chain to be deployed, and the security of the deployed service function chain is improved on the basis of meeting the security requirements of the deployed service function chain sex.

In addition, since the VNFs are selected from the VNFs of each service type requested by the business request, the VNF sets of which the number of VNFs are respectively within the preset number range are obtained, and the obtained VNF sets are combined. Compared with selecting only one VNF in the prior art, selecting each number of VNFs within a preset number range can reduce the probability of being attacked by a network attacker and improve the security of the deployed service function chain.

Finally, because it is based on the adjusted security value and deployment consumption of each second combination, the second combination for deploying the service function chain to be deployed is selected, and because the adjusted security value of the second combination more accurately reflects the second combination For the security of the VNF, the deployment consumption of the second combination more accurately reflects the total resource consumption of the VNF in the deployment of the second combination. Therefore, based on the adjusted security value and deployment consumption of each second combination, the service function to be deployed is selected for deployment. On the basis of improving the security of the service function chain to be deployed, the second combination of the chain reduces the consumption of deploying the service function chain to be deployed, thereby improving resource utilization.

In an embodiment of the present invention, the expected security value is a security value for the service function chain,

The safety value calculation module is specifically configured to calculate the safety value θ of each first combination according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type.

In this way, according to the security value of the service type, the security weight of the service type, and the number of VNFs included in the service type, the total security value of the VNFs in the first combination can be calculated more accurately.

In an embodiment of the present invention, the expected security value is a security value for the VNF in the service function chain,

The safety value calculation module is specifically configured to calculate the safety value μ of each first combination according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type.

In this way, according to the security value of the service type, the security weight of the service type, the number of service types, and the number of VNFs included in the service type, the average security value of the VNFs in the first combination can be more accurately calculated.

In an embodiment of the present invention, the expected security value determination module is specifically configured to use the expected service security value as the service to be deployed when the service request to be responded carries the expected service security value of the requested service The expected security value of the function chain; when the service request to be responded does not carry the expected service security value of the requested service, the preset expected security value is used as the expected security value of the service function chain to be deployed.

In this way, the expected security value of the service function chain to be deployed can be made consistent with the expected business security value of the user, thereby meeting the security requirements of the user to be deployed in the service function chain; the preset expected security value is used as the expectation of the service function chain to be deployed. The security value can ensure the security of the service function chain to be deployed.

In an embodiment of the present invention, the data calculation module is specifically configured to, for each second combination, calculate the sum of the total resource consumption of VNFs in the deployment of the second combination and the security value of the second combination, and calculate the The value of the second combination is used as the deployment consumption of the second combination, and the sum of the actual total occupied resources of VNFs in the second combination and the security value of the second combination is calculated, and the calculated value is used as the adjusted security value of the second combination. .

In this way, by calculating the sum of the actual total resources occupied by VNFs in the second combination and the security value of the second combination, the adjusted security value of the second combination can be obtained more accurately. The sum of the security values of the two combinations can more accurately obtain the deployment consumption of the second combination.

In an embodiment of the present invention, the service function chain deployment module is specifically configured to calculate the ratio between the adjusted security value of each second combination and the deployment consumption, and use the second combination with the largest ratio as the one for deploying the to-be-deployed The second combination of service function chains is deployed, and the VNFs in the selected second combination are deployed in the to-be-deployed service function chain according to a preset logical sequence.

In this way, the ratio between the adjusted security value of each second combination and the deployment consumption is calculated, and the second combination with the largest ratio is used as the second combination for deploying the service function chain to be deployed. On the basis of the safety value of , the consumption of VNFs in the deployment of the second combination is reduced, and the resource utilization rate is improved.

In an embodiment of the present invention, the device further includes:

a work performance value evaluation module, configured to evaluate the work performance value of the VNF in the selected second combination after the service function chain deployment module;

a working VNF selection module for selecting a working VNF for working among the selected second combined VNFs based on the assessed working performance value of the VNF and the safety value of the VNF;

A service request response module, configured to respond to the service request to be responded based on the determined working VNF.

In this way, according to the evaluated working performance value of the VNF and the security value of the VNF, selecting a working VNF for working in the selected second combination of VNFs can make the selected working VNF on the basis of improving working efficiency, Improves the security value of the service function chain to be deployed.

In an embodiment of the present invention, the device further includes: a VNF security value calculation module,

The VNF security value calculation module is specifically used to determine the security value T of each VNF in the current period according to the following expression based on the historical security value of each VNF according to a preset period:

大于预设阈值。Among them, T ₀ is the evaluation result of the security value of the VNF in the current cycle, i is the sequence number of the cycle, I is the number of cycles from the initial cycle to the current cycle, T _i is the security value of the VNF in the ith cycle, and α is the security value of the VNF is the security weight of the value evaluation result, β _i is the security weight of the security value of the VNF in the ith cycle, and

greater than the preset threshold.

In this way, the security value of the VNF is updated according to the preset interval, so that the security value of each VNF is more in line with the actual working condition of the VNF.

Corresponding to the foregoing service function chain deployment method, an embodiment of the present invention further provides an electronic device.

Referring to FIG. 5, FIG. 5 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention, including a processor 501, a communication interface 502, a memory 503, and a communication bus 504, wherein the processor 501, the communication interface 502, and the memory 503 pass through The communication bus 504 completes the communication with each other,

a memory 503 for storing computer programs;

The processor 501 is configured to implement the service function chain deployment method provided by the embodiment of the present invention when executing the program stored in the memory 503 .

The communication bus mentioned in the above electronic device may be a peripheral component interconnect standard (Peripheral Component Interconnect, PCI) bus or an Extended Industry Standard Architecture (Extended Industry Standard Architecture, EISA) bus or the like. The communication bus can be divided into an address bus, a data bus, a control bus, and the like. For ease of presentation, only one thick line is used in the figure, but it does not mean that there is only one bus or one type of bus.

The communication interface is used for communication between the above electronic device and other devices.

The memory may include random access memory (Random Access Memory, RAM), and may also include non-volatile memory (Non-Volatile Memory, NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located away from the aforementioned processor.

The above-mentioned processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc.; may also be a digital signal processor (Digital Signal Processing, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components.

In another embodiment provided by the present invention, a computer-readable storage medium is also provided, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the computer program provided by the embodiment of the present invention is implemented. Service function chain deployment method.

In yet another embodiment provided by the present invention, a computer program product including instructions is also provided, which, when executed on a computer, enables the computer to implement the service function chain deployment method provided by the embodiment of the present invention.

It can be seen from the above that when the solution provided by this embodiment is applied to construct the service function chain, since it is based on the security value of the first combination and the expected security value of the service function chain to be deployed, the determined second combination is selected for deployment. The second combination of the service function chain to be deployed, and because the security value of the first combination can reflect the security of the VNF in the first combination, and the above expected security value reflects the expected degree of security of the service function chain to be deployed. Therefore, The service function chain is deployed based on each VNF in the second combination selected for deploying the service function chain to be deployed, and the security of the deployed service function chain is improved on the basis of meeting the security requirements of the deployed service function chain sex.

In addition, since the VNFs are selected from the VNFs of each service type requested by the business request, the VNF sets of which the number of VNFs are respectively within the preset number range are obtained, and the obtained VNF sets are combined. Compared with selecting only one VNF in the prior art, selecting each number of VNFs within a preset number range can reduce the probability of being attacked by a network attacker and improve the security of the deployed service function chain.

Finally, because it is based on the adjusted security value and deployment consumption of each second combination, the second combination for deploying the service function chain to be deployed is selected, and because the adjusted security value of the second combination more accurately reflects the second combination For the security of the VNF, the deployment consumption of the second combination more accurately reflects the total resource consumption of the VNF in the deployment of the second combination. Therefore, based on the adjusted security value and deployment consumption of each second combination, the service function to be deployed is selected for deployment. On the basis of improving the security of the service function chain to be deployed, the second combination of the chain reduces the consumption of deploying the service function chain to be deployed, thereby improving resource utilization.

In the above-mentioned embodiments, it may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, it can be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present invention are generated. The computer may be a general purpose computer, special purpose computer, computer network, or other programmable device. The computer instructions may be stored in or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be downloaded from a website site, computer, server or data center Transmission to another website site, computer, server, or data center is by wire (eg, coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (eg, infrared, wireless, microwave, etc.). The computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that includes an integration of one or more available media. The usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVD), or semiconductor media (eg, Solid State Disk (SSD)), among others.

It should be noted that, in this document, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any relationship between these entities or operations. any such actual relationship or sequence exists. Moreover, the terms "comprising", "comprising" or any other variation thereof are intended to encompass a non-exclusive inclusion such that a process, method, article or device that includes a list of elements includes not only those elements, but also includes not explicitly listed or other elements inherent to such a process, method, article or apparatus. Without further limitation, an element qualified by the phrase "comprising a..." does not preclude the presence of additional identical elements in a process, method, article or apparatus that includes the element.

Each embodiment in this specification is described in a related manner, and the same and similar parts between the various embodiments may be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the embodiments of the apparatus, electronic equipment, and computer-readable storage medium, since they are basically similar to the method embodiments, the description is relatively simple.

The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (10)

1. A service function chain deployment method, wherein the method comprises: Determine the expected security value of the service function chain to be deployed according to the business request to be responded; For each service type of the service requested by the service request to be responded, select a VNF from each preset virtualized network function VNF of the service type, and obtain a VNF set whose number of VNFs is each within the preset number range; Combining the obtained VNF sets to obtain each first combination, wherein each first combination includes a VNF set corresponding to each service type; For each first combination, calculate the security value of the first combination according to the security value of each VNF in the first combination; For each second combination, according to the security value of the second combination, adjust the total resource consumption of the VNFs in the second combination as deployment consumption, and adjust the total resource consumption of the VNFs in the second combination according to the actual total occupied resources of the second combination. Two combinations of safety values, wherein the second combination is: a first combination in which the safety value of the first combination is greater than the expected safety value; Based on the adjusted security value and deployment consumption of each second combination, a second combination for deploying the service function chain to be deployed is selected in each second combination, and the VNF in the selected second combination is set according to the preset The to-be-deployed service function chain is deployed in a logical sequence. 2. The method according to claim 1, wherein the expected security value is a security value for a service function chain, For each first combination, calculating the security value of the first combination according to the security value of each VNF in the first combination, including: The safety value θ of each first combination is calculated according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type. 3. The method according to claim 1, wherein the expected security value is a security value for the VNF in the service function chain, For each first combination, calculating the security value of the first combination according to the security value of each VNF in the first combination, including: The safety value μ of each first combination is calculated according to the following expression:

Among them, X represents the number of service types corresponding to the VNFs in the first combination, x represents the sequence number of the service types corresponding to the VNFs in the first combination, _Δx represents the security value of the xth service type, and _kx represents the xth The security weight of the service type, n _x represents the number of VNFs in the VNF set corresponding to the xth service type. 4. The method according to claim 1, wherein, determining the expected security value of the service function chain to be deployed according to the service request to be responded, comprising: When the service request to be responded carries the expected service security value of the requested service, the expected service security value is used as the expected security value of the service function chain to be deployed; When the service request to be responded does not carry the expected service security value of the requested service, the preset expected security value is used as the expected security value of the service function chain to be deployed. 5. The method according to claim 1, wherein, for each second combination, according to the security value of the second combination, the total resource consumption of deploying the VNF in the second combination is adjusted as deployment consumption, And according to the actual total occupied resources of VNFs in the second combination, adjusting the security value of the second combination includes: For each second combination, calculate the sum of the total resource consumption of deploying VNFs in the second combination and the security value of the second combination, use the calculated value as the deployment consumption of the second combination, and calculate the second combination The sum of the actual total occupied resources of the inner VNF and the security value of the second combination is taken as the adjusted security value of the second combination. 6. The method according to claim 1, wherein the selecting the second combination for deploying the to-be-deployed service function chain in each of the second combinations comprises: Calculate the ratio between the adjusted security value of each second combination and the deployment consumption, and use the second combination with the largest ratio as the second combination for deploying the service function chain to be deployed. 7. The method according to any one of claims 1-6, wherein after the VNF in the selected second combination deploys the to-be-deployed service function chain according to a preset logical sequence, the method further comprises: Evaluate the performance values of the VNFs in the selected second combination; Selecting a working VNF for work among the selected VNFs of the second combination based on the assessed work performance value of the VNF and the security value of the VNF; The service request to be responded is responded to based on the determined working VNF. 8. The method according to any one of claims 1-6, wherein the method further comprises: According to the preset period, based on the historical security value of each VNF, the security value T of the current period of each VNF is determined according to the following expression:

Among them, T ₀ is the evaluation result of the security value of the VNF in the current cycle, i is the sequence number of the cycle, I is the number of cycles from the initial cycle to the current cycle, T _i is the security value of the VNF in the ith cycle, and α is the security value of the VNF is the security weight of the value evaluation result, β _i is the security weight of the security value of the VNF in the ith cycle, and

greater than the preset threshold. 9. A service function chain deployment device, wherein the device comprises: The expected security value determination module is used to determine the expected security value of the service function chain to be deployed according to the business request to be responded; The VNF set obtaining module is configured to, for each service type of the service requested by the service request to be responded, select a VNF from each preset virtualized network function VNF of the service type, and obtain the number of VNFs in the preset number range respectively Each number of VNF sets within; The first combination obtaining module is used to combine the obtained VNF sets to obtain each first combination, wherein each first combination includes a VNF set corresponding to each service type; a security value calculation module, configured to calculate the security value of the first combination according to the security value of each VNF in the first combination for each first combination; The data calculation module is configured to, for each second combination, adjust the total resource consumption of deploying VNFs in the second combination according to the security value of the second combination, as the deployment consumption, and according to the actual total resource consumption of the VNFs in the second combination. Occupy resources, and adjust the security value of the second combination, where the second combination is: the security value of the first combination is greater than the expected security value of the first combination; The service function chain deployment module is configured to select a second combination for deploying the service function chain to be deployed in each second combination based on the adjusted security value and deployment consumption of each second combination, and assign the selected In the second combination, the VNF deploys the to-be-deployed service function chain according to a preset logical sequence. 10. An electronic device, comprising a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus; memory for storing computer programs; The processor is configured to implement the method steps described in any one of claims 1-8 when executing the program stored in the memory.

Images