1 Introduction

The term "cloud-network integration" means: the cloud is cloud computing and the network is the communication network; the network is the foundation and the cloud is the core; the network moves with the cloud, and cloud and network are integrated. Cloud-network integration is China's digital economy development strategy and an enterprise digital transformation strategy with Chinese characteristics [1]. Within it, cloud-network integration is the foundation, cloud-network security is the support, the digital platform is the hub, and scientific and technological innovation is the core.

At this stage, the main problems of the cloud-network operation support means are that the cloud-network operation support systems are too scattered, the BMO (business, management and operation) domain data of cloud-network operation is not fully connected, the gain in cloud-network operation efficiency from data enablement is not yet obvious, and the injection of AI into intelligent cloud-network operation is not widely applied [2]. The common goal is to establish an AI-enabled digital platform that fully understands customer needs, implements data-based decisions, quickly provides digital business service capability and an efficiently responding operation system, and keeps pace with the rapid development of industrial digitization.

The new-generation cloud-network operation business system should have key technologies such as digital twinning of cloud-network resources [3], decoupled atomic-capability acquisition and control, big data and AI enablement, and cloud-network integration security operation. These correspond to the resource center, the acquisition and control center, the big data and AI center and the cloud-network security operation center of the system.

  • Digital twinning of cloud-network resources [4]. The resource center is responsible for digitizing the cloud-network operation elements, depicting "cloud, network, edge and end" resource information, realizing unified and integrated management of resource and network operation data, and providing standardized end-to-end cloud-network resource data services and business services.

  • Decoupled atomic-capability acquisition and control. The acquisition and control center is an important foundation for cloud-network integrated operation [5].

  • Big data and AI enablement. The big data and AI center is responsible for making full use of big data and AI capabilities, connecting the BMO domains and enabling scenario applications, such as the security policy model of "intelligent data flow" [6].

  • Cloud-network integration security operation. The cloud-network security center is responsible for establishing a layered, domain-based and classified cloud-network security protection system and a hierarchically linked cloud-network integration security operation strategy to meet the security needs of data flow in the business deployment phase, and for establishing scenario-based risk monitoring capability for user personal information protection to meet the security needs of user personal information and other important data flows in the online service phase.

2 Intelligent Data Flow Security Strategy Model of Cloud-Network Integration

The security policy model of intelligent data flow, shown in Fig. 1, calls different data flow intelligent models according to the scenario of the application, such as the security protection inter-layer linkage strategy and control rules of "the network moves with the cloud and the cloud moves with the data", and automatically divides new specific security area boundaries and security levels according to the security linkage between the different layers.

Fig. 1. Security policy model of intelligent data flow.

  a) Intelligent data flow in simple cloud scenarios

    • Data to be moved: data volume, data classification, protection requirements, etc.

    • Data flow analysis for the simple cloud scenario: reasoning and judgement based on boundary constraints and expert rules, selection among multiple candidate data flow schemes, and cloud-network characteristics such as capacity, protection level and unit energy consumption of equipment.

    • Application scenario: when the data flow changes within a single cloud or between two clouds, the rule-based intelligent model is preferred.

  b) Intelligent data flow in complex cloud scenarios

    • Feature extraction: flow data, multi-dimensional feature parameters of each cloud, and the topological relationship between the multi-cloud entities.

    • Data flow analysis for the complex cloud scenario: intelligent judgement based on an AI model and selection of a machine learning clustering algorithm.

    • Application scenario: when the data flow changes across multiple clouds and exhibits multidimensional, complex non-linear characteristics, the intelligent model based on AI algorithms is more suitable.

  c) Database, intelligent model and self-learning

    • Database: the cloud feature database, the hierarchical security component database and the data flow case database.

    • Intelligent model: the expert rule base and the AI algorithm base. The expert rule base is divided into single-feature rules and compound-feature rules; the AI algorithm base holds clustering algorithms such as:

      a. Partitioning clustering: K-means, K-medoids

      b. Hierarchical clustering: BIRCH, CURE

      c. Density-based clustering: DBSCAN

      d. Grid-based clustering: STING, CLIQUE

      e. Mixed clustering: Gaussian mixture model, CLIQUE

    • Self-learning of the intelligent model: the "data flow scheme" output by each execution of the strategy model is saved to the data flow case base, and the latest case base is regularly used to train the AI algorithms, so that their model parameters are updated in time.

3 Hierarchical Linkage Cloud-Network Integration Security Operation System Based on the Security Policy Model of Intelligent Data Flow

Intelligent operation is a new digital operation capability and will also be a necessary capability for enterprise digital transformation [7]. At present, intelligent operation needs to be realized gradually, from single-scenario intelligent operation to global intelligent operation.

Aiming at the characteristic "the network follows the cloud and the cloud follows the data" of the cloud-network integration business system and at the layered, domain-based and classified security protection requirements of its security domain units, and drawing on the industry's research experience in network and information security strategy, this paper proposes a hierarchical linkage cloud-network integration security operation strategy to meet the security operation requirements of the cloud-network integration business system.

3.1 Cloud-Network Security Protection System with Layers, Regions and Levels

According to the Chinese national standard GB/T 22239-2019, Information security technology: Baseline for classified protection of cybersecurity, the security equipment or security components distributed in the network are classified by "network, cloud, application, data and terminal", so as to realize hierarchical decoupling, flexible orchestration and open atomic capability of cloud security resources. The hierarchical security capability components of "network, cloud, application, data, terminal" of the cloud-network integration business system are listed in Table 1.

Table 1. List of hierarchical security capability components of cloud-network system.

The security capability components of each layer are as follows:

  a) "Network" layer security capability components.

  b) "Cloud" layer security capability components.

  c) "Application" layer security capability components.

  d) "Data" layer security capability components.

  e) "Terminal" layer security capability components.

3.2 Hierarchical Linkage Cloud-Network Integration Security Operation System Based on the Security Policy Model of Intelligent Data Flow

The hierarchical linkage cloud-network integration security operation system based on the security policy model of intelligent data flow is shown in Fig. 2.

Fig. 2. Cloud-network integration security operation system with hierarchical linkage based on the security policy model of intelligent data flow.

The core modules are: the cloud-network integration security policy management point, the hierarchical and domain security policy blockchain, the "layered linkage" security policy, and hierarchical and domain security control.

  • Cloud-network integration security policy management point: the security administrator configures the security policy of a cloud-network integration security domain unit through the policy management point, including the setting of security parameters, unified security marks for subjects and objects, authorization of subjects, and configuration of trusted authentication policies.

  • Hierarchical and domain security policy blockchain: releases the configured policies in a timely manner to the security policy execution point of each layer through the blockchain.

  • "Layered linkage" security policy: the security policy execution point of each layer is responsible for querying and linkage-adjusting that layer's security policy and security control rules. The "layered linkage" security policy rule base can call the security linkage rules between layers according to the inter-layer linkage policy and control rules of "the network moves with the cloud and the cloud moves with the data", and automatically divide the new specific security area boundary and security level.

  • Hierarchical and domain security control: implements security policies and security control rules layer by layer, carries out "network, cloud, application, data, terminal" layered and domain-based classified protection according to the security level of the cloud-network integration security domain unit, and automatically controls the security equipment or security components distributed in the network.
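The page says only that the policy blockchain releases policies to the execution point of each layer. The following added example (not the paper's code, which uses a blockchain platform the page does not describe) shows the two properties an execution point needs from such a release channel: each released policy is linked to its predecessor, and a policy that was altered after release, or not issued by the management point, is rejected before it is applied. The block layout, the shared HMAC key and the policy fields (zone, level, layers, se_token) are assumptions made for the illustration.

```python
"""Hash-chained policy release with per-layer verification (added example).

Assumptions, not from the page: blocks are {index, prev_hash, policy, hash,
mac}; the management point authenticates each block with an HMAC under a
key it shares with the execution points (a deployment would use a
signature under the management point's private key); a policy carries the
layers it applies to.
"""
import hashlib
import hmac
import json

# Constructed key shared by the policy management point and the execution points.
MGMT_KEY = b"policy-management-point-demo-key"
GENESIS = "0" * 64


def _block_hash(block):
    # The hash covers the index, the link to the previous block and the policy body.
    payload = json.dumps(
        {k: block[k] for k in ("index", "prev_hash", "policy")}, sort_keys=True
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def _mac(block_hash):
    return hmac.new(MGMT_KEY, block_hash.encode(), "sha256").hexdigest()


class PolicyChain:
    """Append-only chain of released security policies (SP blocks)."""

    def __init__(self):
        self.blocks = []

    def release(self, policy):
        """Management point: append a policy and bind it to the current chain head."""
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        block = {"index": len(self.blocks), "prev_hash": prev, "policy": policy}
        block["hash"] = _block_hash(block)
        block["mac"] = _mac(block["hash"])
        self.blocks.append(block)
        return block

    def verify(self):
        """Execution point: check linkage, body hash and issuer MAC of every block."""
        prev = GENESIS
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev_hash"] != prev:
                return False          # chain order or linkage broken
            if _block_hash(b) != b["hash"]:
                return False          # policy body altered after release
            if not hmac.compare_digest(b["mac"], _mac(b["hash"])):
                return False          # block not issued by the management point
            prev = b["hash"]
        return True


def policies_for_layer(chain, layer):
    """What one layer's execution point applies: nothing unless the whole chain verifies."""
    if not chain.verify():
        raise ValueError("policy chain failed verification; refusing to apply")
    return [b["policy"] for b in chain.blocks if layer in b["policy"]["layers"]]


def demo_chain():
    """Two releases in the style of Section 3.3: level-2 baseline, then level-3 reinforcement."""
    chain = PolicyChain()
    chain.release({"zone": ["N1", "N2", "N3", "N4"], "level": 2,
                   "layers": ["network", "cloud", "application", "data", "terminal"],
                   "se_token": {"subjects": ["Subj0"], "objects": ["Obj0"]}})
    chain.release({"zone": ["N1", "N2", "N3", "N4"], "level": 3,
                   "layers": ["network", "cloud"],
                   "se_token": {"subjects": ["Subj0", "Subj"], "objects": ["Obj0", "Obj"]}})
    return chain
```

An execution point that applies a policy without calling `verify()` first trusts whatever reached it over the transport; the check is what turns the chain into a tamper-evident release channel rather than a log.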

3.3 Feasibility Verification of Cloud-Network Integration “Intelligent Data Flow” Security Strategy

Verification Flow Chart

Hierarchical linkage cloud-network integration security operation flow chart, as shown in Fig. 3.

Fig. 3. Hierarchical linkage cloud-network integration security operation flow chart.

According to Fig. 3, the following simulation verifies the cloud-network integration "intelligent data flow" security strategy. Since there are only two clouds in the application scenario, the expert rule model of the simple cloud scenario is called in the simulation.

Application Case of Hierarchical Rules

Through the security policy management point, the security administrator configures the security policy of the cloud-network integration security domain unit, including the setting of security parameters, unified security marks (Se_Token) for subjects and objects, the boundary range of the security area (Zone_defense), authorization of subjects, and configuration of the trusted authentication strategy:

$$ Security\_Policy\{ Se\_Token\left( Subjects, \, Objects \right), \, Zone\_defense \} $$

S0: Cloud-Network Characteristics and Initial Layered and Domain Security Policy Parameters

  1. S01 Existing cloud feature "layered linkage" security policy rule base

    $$ SPRB(zone0,\, zone1,\, zone2\, \ldots ) $$

    • Cloud C1: 500 GB of available storage space, corresponding network boundaries N1 and N2, initial protection level 2.

    • Cloud C2: 2000 GB of available storage space, corresponding network boundaries N3 and N4, initial protection level 2.

  2. S02 Initial security policy parameters

    $$ SP0\{ ST(Subj0, Obj0), \, Zone0\} $$

    • Cloud C1: 400 GB of storage space used, 100 GB remaining available, corresponding network boundaries N1 and N2, initial protection level 2.

    • Cloud C2: unused, 2000 GB remaining available, corresponding network boundaries N3 and N4, initial protection level 2 (see Table 2).

    Table 2. Cloud-network integration "intelligent data flow" process table (initial state).

S1: Cloud-Network Integration Security Policy Configuration

$$ SP\{ST\left(Subj, \,Obj \right), \, Zone\} $$
  • Operation 1: add 150 GB of data storage and the related application deployment, with level 3 security protection.

  • Operation 2: reduce data storage and the related application deployment by 100 GB, with level 3 security protection.

S2: Hierarchical and Domain-Based Security Policy Blockchain

Released in a timely manner to the security policy execution point of each layer through the blockchain.

S3: "Layered Linkage" Security Policy Model

  1. S31: Security policy execution points of all layers

    Receive the security policy issued through the security policy blockchain and call the S32 layered linkage security policy rules to calculate the minimum protection area (MinZone) and the security protection level (MaxST), which together form the adjusted overall requirement for cloud-network security protection. Each layer then determines its own security policy, queries the security capability components of the relevant protection level for that layer according to the layered protection security capability component system diagram, and issues the corresponding security policy adjustment instructions to all layers.

  2. S32: "Layered linkage" security policy rule base

    $$ SPRB \, (zone0, \, zone1, \, zone2 \ldots ) $$

    According to the security protection linkage strategy and control rules of "the network moves with the cloud and the cloud moves with the data", the security linkage rules between different layers are called to automatically divide the new specific security area boundary and security level, as in (1): the newly configured policy SP is merged with the initial policy SP0, the protection level is the highest level over all subjects and objects, and the protection area is the minimum area that covers them.

    $$ SP = SP + SP0, \qquad SP = \{ MaxST\left( Subj0 + Subj,\; Obj0 + Obj \right),\; MinZone \} \tag{1} $$
  a) Operation 1: Add a Protected Object

    Scheme 1: fill C1 first and then C2. Determine the minimum protection area (MinZone) from the capacity taken by the protected object:

    $$ 400\,GB + 150\,GB = 550\,GB $$

    so C1 (500 GB) is filled and the remaining 50 GB spills over to C2. Determine the security protection level (MaxST) from the highest level among the protected objects: the new object is level 3, so the security protection level of C1, C2 and their corresponding network boundaries is adjusted to level 3.

    • Cloud C1: 500 GB of storage space used, no remaining available storage space, corresponding network boundaries N1 and N2, to be reinforced to protection level 3.

    • Cloud C2: 50 GB used this time, 1950 GB remaining available, corresponding network boundaries N3 and N4, to be reinforced to protection level 3.

    Scheme 2 (C2 first and then C1) and the other schemes are handled in the same way (see Table 3).

    Table 3. Cloud-network integration "intelligent data flow" process table (operation 1).

  b) Operation 2: Reduce Protected Objects

    Handled in the same way as operation 1 (see Table 4).

    Table 4. Cloud-network integration "intelligent data flow" process table (operation 2).

S4: Hierarchical Security Control

After each security policy adjustment, the security policy adjustment instructions of each layer are received and executed immediately: the corresponding security capability components are looked up in the hierarchical security capability component list of the cloud-network integration business system (Table 1), and the security equipment or security components distributed in the cloud-network integration system, i.e. in the network, cloud, application, data and terminal layers, are automatically controlled to load and reinforce the security protection equipment and application security components of the corresponding level.

By adding and reducing protected objects and protection requirements, the protection strategies of "network, cloud, application, data and terminal" of the cloud system are adjusted automatically and implemented through the hierarchical security control points.
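The S0 to S4 procedure above is carried through in code by the following added example (not the paper's implementation). It uses the figures the page gives for the two clouds and computes, for operation 1 in both fill orders and for operation 2, the adjusted policy {MaxST, MinZone} of rule (1). Assumptions not stated on the page: a cloud's level is the highest level among its base level and the objects it holds (MaxST); a network boundary inherits the level of the cloud it fronts; MinZone is the set of boundaries of the clouds actually touched by an operation; and on removal a cloud may drop back to the level of what it still holds.

```python
"""Expert rule model of the simple cloud scenario, rule (1) on the S0-S4 case.

Added example, not the paper's code. Page figures: C1 500 GB with 400 GB used,
boundaries N1/N2; C2 2000 GB empty, boundaries N3/N4; both initially level 2.
Level inheritance, MinZone as 'boundaries of touched clouds', and level
drop-back on removal are assumptions made here.
"""
from dataclasses import dataclass, field


@dataclass
class Cloud:
    name: str
    capacity_gb: int
    boundaries: tuple                   # network boundaries fronting this cloud
    base_level: int                     # initial protection level
    objects: list = field(default_factory=list)   # (size_gb, level) per protected object

    @property
    def used_gb(self):
        return sum(size for size, _ in self.objects)

    @property
    def free_gb(self):
        return self.capacity_gb - self.used_gb

    @property
    def level(self):
        # MaxST over the base level and every object held
        return max([self.base_level] + [lvl for _, lvl in self.objects])


def initial_state():
    """SP0: the initial parameters of S02 (Table 2)."""
    return [Cloud("C1", 500, ("N1", "N2"), 2, objects=[(400, 2)]),
            Cloud("C2", 2000, ("N3", "N4"), 2)]


def _policy(clouds, touched):
    """Adjusted policy after an operation: MaxST and MinZone over the touched clouds."""
    uniq = {}
    for c in touched:
        uniq.setdefault(c.name, c)
    touched = list(uniq.values())
    return {
        "MaxST": max(c.level for c in touched),
        "MinZone": sorted(b for c in touched for b in c.boundaries),
        "levels": {c.name: c.level for c in clouds},
        "free_gb": {c.name: c.free_gb for c in clouds},
    }


def add_object(clouds, size_gb, level, order):
    """Operation 1. `order` is the fill order: ("C1", "C2") is scheme 1, ("C2", "C1") scheme 2."""
    by_name = {c.name: c for c in clouds}
    remaining, touched = size_gb, []
    for name in order:
        cloud = by_name[name]
        take = min(cloud.free_gb, remaining)
        if take > 0:
            cloud.objects.append((take, level))
            touched.append(cloud)
            remaining -= take
        if remaining == 0:
            break
    if remaining:
        raise ValueError(f"{remaining} GB cannot be placed: insufficient capacity")
    return _policy(clouds, touched)


def remove_object(clouds, size_gb, level):
    """Operation 2: release size_gb of level-`level` objects, then recompute levels."""
    remaining, touched = size_gb, []
    for cloud in clouds:
        kept = []
        for size, lvl in cloud.objects:
            if lvl == level and remaining > 0:
                drop = min(size, remaining)
                remaining -= drop
                touched.append(cloud)
                if size - drop > 0:
                    kept.append((size - drop, lvl))
            else:
                kept.append((size, lvl))
        cloud.objects = kept
    if remaining:
        raise ValueError(f"{remaining} GB of level-{level} objects not found")
    return _policy(clouds, touched)
```

Scheme 1 reproduces the page's result (C1 full, C2 at 1950 GB free, all four boundaries at level 3); scheme 2 places the whole 150 GB on C2 and leaves N1/N2 at level 2, which is why the rule base evaluates several schemes before choosing. Removing the 100 GB level-3 object from C1 afterwards lets C1 and N1/N2 fall back to level 2 while C2 keeps level 3 for the 50 GB it still holds.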

3.3.1 Application Case of Intelligent Multi-cloud Resource Scheduling

Feature Selection in the Sample Space of Resource Scheduling AI Algorithm in Multi-cloud Scenarios

General principles to be followed:

  1. Private cloud resources are scheduled and used preferentially; only when private cloud resources are insufficient is the workload dispatched to an industry cloud or public cloud.

  2. Industry clouds and public clouds are sorted by billing cost, and the low-cost industry cloud or public cloud is given priority.

  3. The security capability of the public cloud is evaluated against the security level of the business or data and converted into a resource scheduling parameter measure. Data security capability is an important indicator for evaluating a public cloud.

  4. Public cloud reliability, resource effectiveness and similar indicators are evaluated and converted into scheduling parameter measures.

The above principles serve as the basis for weighing the importance of feature parameters when the AI algorithm selects its feature space. To reflect the resource scheduling principles of a multi-cloud scenario, the operation log of every multi-cloud resource scheduling is generalized: each scheduling operation is taken as a feature sequence, the strongly correlated features are selected for vector representation, and the vector is stored in the case database as a case of the training set.

The feature variables conforming to the above scheduling principles are generalized as <c1_free_space>, <c2_free_space>, <c1_safety_level>, <c2_safety_level>, <c1_unit_price> and <c2_unit_price>, representing respectively the free space, the security level and the unit price (economic indicator) of each cloud, plus <demand_cloud_space> and <demand_safety_level>, representing the resource scheduling requirement. Since <c1_safety_level>, <c2_safety_level>, <c1_unit_price> and <c2_unit_price> are relatively stable across scheduling operations, these features are not considered for now; only the important features are taken to form the sample feature space.

Multi-cloud Resource Scheduling Method Based on KNN Algorithm

The advantage of the KNN algorithm is that it handles both classification and regression problems, is robust to noise and reasonably accurate. Its main cost, a full pass over the samples at query time, is kept in check by controlling the sample size as the case base is updated, which suits the size of the multi-cloud resource scheduling operation log.

Now only the features <c1_free_space> and <c2_free_space> of the feature space are taken, and the unknown sample is assumed to be serialized as follows, with k = 3:

$$ \left( \text{demand\_cloud\_space},\ \text{c1\_free\_space},\ \text{c2\_free\_space} \right) = (100, 350, 200) $$

Querying the training sample set in Table 5 and calculating the nearest-neighbour distances, the samples ID6, ID7 and ID8 are the k nearest neighbours. ID6 and ID7 belong to class 2 and ID8 to class 1, so the sample is classified as class 2 with the corresponding policy_scheme (50, 50), i.e. cloud1 and cloud2 each schedule 50 GB of resource space (see Table 5).

Table 5. Training sample set
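The KNN query above, together with the self-learning step of Section 2 c) (save the executed scheme to the case base and retrain from it), is carried through by the following added example, which is not the paper's code. Table 5 is not reproduced on the page, so the case base below is a constructed training set in the page's feature space (demand_cloud_space, c1_free_space, c2_free_space), built so that the page's query (100, 350, 200) with k = 3 has ID6, ID7 and ID8 as its nearest neighbours. The mapping from class to policy_scheme is an assumption chosen so that class 2 yields the page's (50, 50) split.

```python
"""KNN multi-cloud resource scheduling over a case base, with self-learning.

Added example, not the paper's code. CASE_BASE is constructed (Table 5 is not
on the page); SCHEME (class -> share of the demand on cloud1/cloud2) is an
assumption.
"""
import math
from collections import Counter

# Constructed case base: (id, demand_cloud_space, c1_free_space, c2_free_space, class)
CASE_BASE = [
    (1, 200, 900, 100, 1),
    (2, 150, 800, 50, 1),
    (3, 100, 50, 900, 3),
    (4, 200, 100, 800, 3),
    (5, 300, 700, 700, 2),
    (6, 120, 330, 220, 2),
    (7, 90, 360, 180, 2),
    (8, 100, 400, 150, 1),
    (9, 50, 100, 100, 2),
    (10, 250, 400, 400, 2),
]

# class -> share of the demand placed on (cloud1, cloud2)   [assumption]
SCHEME = {1: (1.0, 0.0), 2: (0.5, 0.5), 3: (0.0, 1.0)}


def knn_classify(case_base, query, k=3):
    """Majority vote of the k nearest cases; a tie goes to the nearest case."""
    # All three features are in GB, so an unscaled Euclidean distance is fine here.
    # Once unit price or security level join the feature space they must be
    # scaled first, or they dominate (or vanish from) the distance.
    ranked = sorted(case_base, key=lambda row: math.dist(query, row[1:4]))
    neighbours = ranked[:k]
    votes = Counter(row[4] for row in neighbours)
    top = max(votes.values())
    cls = next(row[4] for row in neighbours if votes[row[4]] == top)
    return cls, [row[0] for row in neighbours]


def schedule(case_base, query, k=3):
    """Turn the predicted class into a concrete (cloud1_gb, cloud2_gb) scheme."""
    demand, c1_free, c2_free = query
    cls, ids = knn_classify(case_base, query, k)
    share1, share2 = SCHEME[cls]
    plan = (demand * share1, demand * share2)
    # A learned scheme is only a recommendation: it must still fit the free space,
    # otherwise the caller falls back to the expert rules of the simple scenario.
    if plan[0] > c1_free or plan[1] > c2_free:
        raise ValueError(f"scheme {plan} does not fit free space ({c1_free}, {c2_free})")
    return {"class": cls, "neighbours": ids, "policy_scheme": plan}


def learn(case_base, query, cls):
    """Self-learning: store the executed scheme as a new case for the next training round."""
    new_id = max(row[0] for row in case_base) + 1
    case_base.append((new_id, *query, cls))
    return new_id
```

Calling `schedule(list(CASE_BASE), (100, 350, 200))` returns class 2 with neighbours ID7, ID6, ID8 (in distance order) and the scheme (50, 50); `learn` then appends that decision as case ID11 so the next training round sees it.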

4 Scenario-Based Risk Monitoring Capability System for Personal Privacy Data Protection Based on the Security Policy Model of Intelligent Data Flow

The effective method for monitoring the personal information protection risk of a business system is as follows:

  • First, according to the compliance requirements for user personal information protection, establish the basic model library for personal information protection risk monitoring of the business system.

  • Then, according to the specific business function processes of the business system, establish the key-node view of personal information protection monitoring for each business process.

  • Finally, in combination with the personal information protection requirements, assign the corresponding risk detection models from the basic model library to the key nodes, forming a scenario-specific business risk identification model for risk identification and analysis.

In this way, the visual display of the key nodes of user personal information protection in the business system is solved, and the risk monitoring model of each key node is matched precisely to it, improving the accuracy and efficiency of user personal information protection risk monitoring.

4.1 List of Basic Risk Models for Rule-Based Personal Privacy Protection

The basic risk models for rule-based personal privacy protection are shown in Table 6.

The basic risk models can be divided into five categories:

  a) account risk model;

  b) exposure risk model;

  c) authority risk model;

  d) transmission risk model;

  e) abnormal behaviour risk model.

Table 6. List of risk models for rule-based personal privacy protection.

4.2 Risk Identification of Personal Privacy Data Protection in Complex Scenarios

Risk Identification of Personal Privacy Data Protection in Complex Scenarios Based on Rules

Batch information export is an important and complex scenario for personal privacy data protection. Here it is simply divided into two stages, authentication and authorization, and information export, as shown in Fig. 4.

Fig. 4. Batch information export.

Batch Information Export Scenario Risk Monitoring Process

  • Step 1: establish the management requirement feature matrix of the batch information export scenario according to the management requirements.

  • Step 2: data identification and analysis, i.e. access monitoring of the business system scenario, mirroring of the business system scenario and of user access traffic data, and multi-dimensional modelling of the multiple logs related to batch export, including approval, bank mode, permission range and other data, for feature rule modelling.

  • Step 3: risk identification based on the rule model: through protocol analysis and request data analysis, extract and identify the models according to the key data requirements, including data type, regular expression, eigenvalue matching, rule matching, behaviour matching, etc.

  • Step 4: risk identification based on the AI model by scenario: comparative analysis of the features of the various scenarios based on AI and big data technology, and identification of the risk scenario by the batch export AI model feature matching algorithm. Through UEBA (user and entity behaviour analytics), judge against the behaviour baseline obtained by big data statistical analysis whether an action is abnormal behaviour derived from batch information export, and identify the corresponding risk.

  • Step 5: analyse the authentication model and the approval score of the scenario information, and judge the compliance of the scenario behaviour: compare and identify the access behaviour and risk of batch-exported user information.

  • Step 6: optimise the AI algorithm model to realise self-learning. Based on AI technologies such as machine learning and NLP, the AI algorithm model, strategy and feature base are iteratively optimised from the batch information export records.
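Steps 3 and 4 above are made concrete by the following added example (not the paper's code) run over constructed audit records of batch export requests. The page names the risk model categories of Section 4.1 and the steps of the process, not the rules themselves; the rules, thresholds, field names and log records below are assumptions. The baseline rule is the UEBA idea of step 4: each user's export volume is compared with a statistical baseline derived from that user's own history.

```python
"""Rule-based and baseline-based risk identification for batch information export.

Added example, not the paper's code. EVENTS and HISTORY are constructed;
the rules map onto the authority, exposure, transmission and abnormal
behaviour categories of Section 4.1 and their thresholds are assumptions.
"""
import ipaddress
import re
import statistics

# Constructed audit records for batch export requests (not from the page)
EVENTS = [
    {"id": 1, "user": "ops01", "rows": 180, "approval": "APR-101", "fields": ["name", "phone"],
     "src_ip": "10.20.1.15", "sample": "13800138000"},
    {"id": 2, "user": "ops01", "rows": 220, "approval": "APR-102", "fields": ["name", "phone"],
     "src_ip": "10.20.1.15", "sample": "13900139000"},
    {"id": 3, "user": "ops01", "rows": 5000, "approval": "", "fields": ["name", "phone", "id_card"],
     "src_ip": "10.20.1.15", "sample": "11010519900307123X"},
    {"id": 4, "user": "ops02", "rows": 150, "approval": "APR-103", "fields": ["name"],
     "src_ip": "203.0.113.7", "sample": "Zhang San"},
]
# Constructed per-user history of export row counts (the big-data baseline of step 4)
HISTORY = {"ops01": [150, 180, 200, 220, 170, 190], "ops02": [100, 150, 120, 140]}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_FIELDS = {"id_card", "phone", "bank_account"}
# PRC resident identity number: 17 digits plus a check digit 0-9 or X
ID_NUMBER_RE = re.compile(r"^\d{17}[\dX]$")
EXPOSURE_ROW_LIMIT = 1000


def baseline_limit(samples, sigmas=3.0):
    """Upper bound of normal behaviour: mean + sigmas * stdev of the user's history."""
    if len(samples) < 2:
        return float("inf")           # no baseline yet: the volume rule stays silent
    return statistics.mean(samples) + sigmas * statistics.pstdev(samples)


def assess(event, history):
    """Return the list of risk categories one export request triggers (rule model, step 3)."""
    risks = []
    if not event["approval"]:
        risks.append("authority")          # export outside the approval flow
    sensitive = SENSITIVE_FIELDS & set(event["fields"])
    if sensitive and (event["rows"] > EXPOSURE_ROW_LIMIT or ID_NUMBER_RE.match(event["sample"])):
        risks.append("exposure")           # bulk export, or identity numbers, of sensitive fields
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in INTERNAL_NETS):
        risks.append("transmission")       # data leaving via a non-internal address
    if event["rows"] > baseline_limit(history.get(event["user"], [])):
        risks.append("abnormal_behaviour") # volume far above this user's own baseline (step 4)
    return risks


def monitor(events=EVENTS, history=HISTORY):
    """Apply the rules to every record; returns {event id: risks} for flagged events only."""
    findings = {}
    for ev in events:
        risks = assess(ev, history)
        if risks:
            findings[ev["id"]] = risks
    return findings
```

On the constructed records, events 1 and 2 are normal, event 3 (unapproved 5000-row export including identity numbers) triggers the authority, exposure and abnormal-behaviour models, and event 4 triggers only the transmission model because its source address is outside the internal ranges. The per-user baseline is what separates event 3 from a legitimately large export by a user whose history already contains such volumes.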

5 Conclusion

The security domain unit of a cloud-network integration business system has the characteristics of "network, cloud, application, data, terminal" layered and domain-based classified protection and of "the network moves with the cloud and the cloud moves with the data". This paper proposes the intelligent data flow security strategy model of cloud-network integration, comprising an expert rule judgement system for the simple cloud scenario and an AI algorithm application model for the complex cloud scenario, which can be applied to the hierarchical linkage cloud-network integration security operation system and to the scenario-based risk monitoring capability system for personal privacy data protection. With the acceleration of enterprise digital transformation and the massive growth of cloud-network integration services, the AI algorithm application model for the complex cloud scenario is an important subject for in-depth research in the next stage of intelligent security operation of cloud-network integration.