Computer Science ›› 2025, Vol. 52 ›› Issue (5): 375-383. doi: 10.11896/jsjkx.240500033

• Information Security •

Intrusion Tolerance Scheduling Algorithm for Microservice Workflow Based on Deep Reinforcement Learning

LI Yuanbo1,2, HU Hongchao1, YANG Xiaohan1, GUO Wei1, LIU Wenyan1,3

  1. 1 Institute of Information Technology, Information Engineering University, Zhengzhou 450000, China
    2 School of Computer Science, Luoyang Institute of Science and Technology, Luoyang, Henan 471000, China
    3 Key Laboratory of Cyberspace Security, Ministry of Education, Zhengzhou 450000, China
  • Received: 2024-05-09 Revised: 2024-09-14 Online: 2025-05-15 Published: 2025-05-12
  • Corresponding author: HU Hongchao (hhcndsc@163.com)
  • About author: (200900501775@lit.edu.cn)
    LI Yuanbo, born in 1988, doctoral candidate. His main research interests include cloud computing, endogenous security and active defense.
    HU Hongchao, born in 1982, professor, Ph.D. supervisor. His main research interests include cloud computing and network security.
  • Supported by:
    National Natural Science Foundation of China (62072467), National Key Research and Development Program of China (2021YFB1006201), Science and Technology Research Project of Henan Province (242102210127) and Major Science and Technology Special Projects of Henan Province (221100211200-02).

Abstract: With the rapid development of microservices and container technology, applications executed in the cloud can be completed by multiple microservices with dependencies. However, microservices in container clouds face many security threats because they share resources. Attackers in the cloud can compromise them directly or indirectly through side channels or container escape, producing incorrect output results, which brings huge losses to cloud users. Therefore, an intrusion tolerance scheduling algorithm for microservice workflow (ITSAMW) based on deep reinforcement learning is proposed to improve system security in the container cloud environment. Firstly, ITSAMW builds three replicas of each microservice and uses a voting mechanism to guarantee security. It studies how to schedule these microservice replicas and proves the location constraints that intrusion-tolerant microservice scheduling must satisfy. Secondly, it constructs a microservice scheduling and completion delay model, gives a new formal definition of the microservice security scheduling problem, and solves the problem with deep reinforcement learning. Finally, to verify the effectiveness of ITSAMW, experiments are conducted on a container cloud simulation platform built with Kubernetes and evaluated in terms of intrusion tolerance, completion delay and load balancing. Experimental results show that, compared with existing methods, with the completion delay increased by 17.6%, ITSAMW increases the intrusion tolerance by 28.1% and reduces the load-balancing degree by 13.7%.

Key words: Microservices, Container cloud, Workflow, Intrusion tolerance, Deep reinforcement learning

CLC number: TP393.08