CN118484267B - Cloud computing-based online service computing power optimization method and system - Google Patents
- Publication number: CN118484267B (application number CN202410775448.4A)
- Authority: CN (China)
- Prior art keywords: service, resource, virtual machine, data, migration
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications (CPC, all under G—PHYSICS, G06—COMPUTING; CALCULATING OR COUNTING)
- G06F9/45558—Hypervisor-specific management and integration aspects (G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines; G06F9/45533 Hypervisors; Virtual machine monitors)
- G06F9/4806—Task transfer initiation or dispatching (G06F9/46 Multiprogramming arrangements; G06F9/48 Program initiating; Program switching, e.g. by interrupt)
- G06F9/4881—Scheduling strategies for dispatcher, e.g. round robin, multi-level priority queues (G06F9/4843 Task transfer initiation or dispatching by program, e.g. task dispatcher, supervisor, operating system)
- G06F9/5072—Grid computing (G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]; G06F9/5061 Partitioning or combining of resources)
- G06F9/5077—Logical partitioning of resources; Management or configuration of virtualized resources (G06F9/5061 Partitioning or combining of resources)
- G06F9/5083—Techniques for rebalancing the load in a distributed system (G06F9/50 Allocation of resources)
- G06Q40/02—Banking, e.g. interest calculation or account maintenance (G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes)
- G06F2209/5011—Pool (G06F2209/00 Indexing scheme relating to G06F9/00; G06F2209/50 Indexing scheme relating to G06F9/50)
- G06F2209/5021—Priority (G06F2209/50 Indexing scheme relating to G06F9/50)
Abstract
The invention relates to the field of information technology, and in particular to a cloud computing-based online service computing power optimization method and system. The method comprises the following steps: setting a regression model for the core service according to resource usage and KPIs, and predicting from the regression model the expected processing time of the core service under different resource allocation schemes; performing virtual machine resource allocation by combining service division with security level, prohibiting resource migration for the virtual machines that host services with a high security level, obtaining the resource migration risk between each pair of virtual machines, and determining whether the current virtual machine is allowed to migrate resources to the target host; and monitoring the usage of the computing power resources of the banking business system in real time and, when a high-security core business cannot meet its timeliness requirement, determining from the expected processing time and the resource migration risk whether the virtual machine corresponding to that business may migrate resources and how much. The invention achieves reasonable allocation and management of the resources of a banking system.
Description
Technical Field
The invention relates to the technical field of information, in particular to a cloud computing-based online service computing power optimization method and system.
Background
In a banking system, separating front-end service from background processing and designing the business system in layers improves performance and maintainability, but also raises challenges in resource allocation and security assurance. Given the differing real-time requirements and security levels of the services, how to allocate limited virtual machine resources dynamically and raise the operating efficiency of the whole system as far as possible, while still guaranteeing the security of core services, is a technical problem that needs solving. In an actual banking scenario, services with a high security level usually also have stricter requirements on real-time performance and data consistency, so migration of the virtual machines hosting them should be reduced as much as possible to limit potential security risks. However, when the system faces a shortage of computing power, restricting virtual machine migration too far may in turn reduce overall performance. Finding the balance point between security and efficiency, and adjusting the virtual machine migration strategy dynamically, is therefore a technical difficulty. In addition, how to use memory symmetry for security detection during virtual machine migration deserves closer study: because memory state during migration is complex and variable, conventional security detection methods may be hard to apply. Designing an efficient and reliable memory security detection mechanism that monitors the migration process in real time and detects abnormal behavior is important for guaranteeing the security of the bank's core business.
Disclosure of Invention
The invention aims to provide a cloud computing-based online service computing power optimization method and system that achieve reasonable allocation and management of resources in a banking system by means of a layered design, a reasonable division of the virtualized resource pool, a resource scheduling priority mechanism and the like, so as to solve at least one of the problems of the prior art.
In a first aspect, the present invention provides a cloud computing-based online service computing power optimization method, the method comprising:
deploying a front-end service layer and a back-end processing layer of a banking system on a first computing node and a second computing node respectively, wherein the first computing node is a high-performance computing node and the second computing node is a high-throughput computing node;
dividing a virtualized resource pool into a first virtualized resource pool and a second virtualized resource pool, wherein the first virtualized resource pool hosts core services and the second virtualized resource pool hosts common services;
determining the security level of each service, and setting a security management mechanism for the virtual machines according to the security level of each service;
ranking, based on an analytic hierarchy process, the priorities of the services in the first and second virtualized resource pools to form a service priority list, and allocating resources to the services according to that list;
acquiring performance data of the virtual machines in real time, analyzing the resource usage of each virtual machine from the performance data with an anomaly detection algorithm, and performing dynamic resource scheduling when an anomaly occurs on a virtual machine;
setting a regression model for the core service according to resource usage and KPIs, and predicting from the regression model the expected processing time of the core service under different resource allocation schemes;
performing virtual machine resource allocation by combining service division with security level, prohibiting resource migration for the virtual machines that host services with a high security level, obtaining the resource migration risk between each pair of virtual machines, and determining whether the current virtual machine is allowed to migrate resources to the target host;
and monitoring the usage of the computing power resources of the banking business system in real time and, when a high-security core business cannot meet its timeliness requirement, determining from the expected processing time and the resource migration risk whether the virtual machine corresponding to that business may migrate resources and the resource migration volume.
In a second aspect, the present invention provides a cloud computing-based online service computing power optimization system, the system comprising:
a first optimization module, configured to deploy a front-end service layer and a back-end processing layer of the banking system on a first computing node and a second computing node respectively, wherein the first computing node is a high-performance computing node and the second computing node is a high-throughput computing node;
a second optimization module, configured to divide the virtualized resource pool into a first virtualized resource pool and a second virtualized resource pool, wherein the first virtualized resource pool hosts core services and the second virtualized resource pool hosts common services;
a third optimization module, configured to determine the security level of each service and set a security management mechanism for the virtual machines according to the security level of each service;
a fourth optimization module, configured to rank, based on an analytic hierarchy process, the priorities of the services in the first and second virtualized resource pools to form a service priority list, and to allocate resources to the services according to that list;
a fifth optimization module, configured to acquire performance data of the virtual machines in real time, analyze the resource usage of each virtual machine from the performance data with an anomaly detection algorithm, and perform dynamic resource scheduling when an anomaly occurs on a virtual machine;
a sixth optimization module, configured to set a regression model for the core service according to resource usage and KPIs, and predict from the regression model the expected processing time of the core service under different resource allocation schemes;
a seventh optimization module, configured to combine service division with security level to perform virtual machine resource allocation, prohibit resource migration for the virtual machines that host services with a high security level, obtain the resource migration risk between each pair of virtual machines, and determine whether the current virtual machine is allowed to migrate resources to the target host;
and an eighth optimization module, configured to monitor the usage of the computing power resources of the banking system in real time and, when a high-security core service cannot meet its timeliness requirement, determine from the expected processing time and the resource migration risk whether the virtual machine corresponding to that service may migrate resources and the resource migration volume.
In a third aspect, the present invention provides a computer device comprising a memory, a processor and a computer program stored on the memory which, when executed on the processor, implements the cloud computing-based online service computing power optimization method defined in any of the above.
In a fourth aspect, the present invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the cloud computing-based online service computing power optimization method defined in any of the above.
The invention discloses a cloud computing-based online service computing power optimization method and system. The method mainly addresses the core problems of low efficiency and high security risk in the banking system. Through the layered design of the banking system, a reasonable division of the virtualized resource pools and a resource scheduling priority mechanism, it achieves reasonable allocation and management of resources. In particular, for key service processing and the protection of high-security services, combining service division, security level evaluation and real-time monitoring reduces security risks such as data leakage and network attacks and improves the stability and security of the system. At the same time, optimizing resource utilization and processing efficiency strengthens the processing capacity and performance of the system, so that banking business runs more efficiently and securely.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a cloud computing-based online service computing power optimization method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a cloud computing online service computing power optimization system according to an embodiment of the present invention.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as the particular system architecture, techniques, etc., in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in the present description and the appended claims, the term "if" may be interpreted as "when", "once", "in response to a determination" or "in response to detection", depending on the context. Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted, depending on the context, as "upon determination", "in response to determination", "upon detection of a [described condition or event]" or "in response to detection of a [described condition or event]".
Furthermore, the terms "first," "second," "third," and the like in the description of the present specification and in the appended claims, are used for distinguishing between descriptions and not necessarily for indicating or implying a relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
Referring to fig. 1, an embodiment of the present invention provides a cloud computing-based online service computing power optimization method, which includes:
S101: a front-end service layer and a back-end processing layer of the banking system are deployed on a first computing node and a second computing node respectively, where the first computing node is a high-performance computing node and the second computing node is a high-throughput computing node.
In this embodiment the banking system is designed in layers: front-end service and background processing are separated, the front-end service is deployed on high-performance computing nodes and the background processing on high-throughput computing nodes, which improves batch-processing efficiency, and layered scheduling then allocates resources between the two layers.
Following a hierarchical design principle, the system is divided into a front-end service layer and a background processing layer according to the functions and characteristics of the banking system. Deployment planning for the front-end service layer selects high-performance computing nodes as the deployment target, giving a front-end runtime environment that meets the user-interaction requirements. High-throughput computing nodes are adopted as the deployment target of the background processing layer, and the batch processing tasks are optimized for them, giving an efficient background processing environment. If the front-end service has a high demand for computing resources, it is deployed preferentially on the high-performance computing nodes to guarantee the user experience. If a background processing task has a large data throughput, it is deployed preferentially on the high-throughput computing nodes to improve batch-processing efficiency. According to the real-time requirements of the business system, a hierarchical scheduling strategy is designed that dynamically adjusts the resource allocation between front-end service and background processing and determines the optimal resource usage scheme.
For example, a banking system needs to handle 100,000 transaction requests during its daily peak hours and also needs to complete the batch processing of that day's transactions at night, which involves settlement of 5,000,000 transaction records. For this purpose the system is divided into a front-end service layer and a background processing layer. In the deployment planning of the front-end service layer, since more than 300 transaction requests per second may have to be processed, computing nodes configured with a 32-core CPU and 64 GB of memory are selected as the deployment target so as to respond quickly to user interaction. Such a configuration lets the front-end service sustain at least 400 transactions per second during peak periods, which exceeds the average demand and leaves headroom for bursts of traffic. For the background processing layer, since a large number of data read and write operations are involved, computing nodes equipped with high-speed SSD storage and a high-bandwidth network interface are selected as the deployment target: for example, a node configured with a 16-core CPU, 128 GB of memory, a 10 Gbps network interface and a 2 TB SSD, to guarantee high data throughput during bulk processing. Such a configuration lets the system process more than 1,000,000 transactions per hour at night and complete all batch settlement tasks within 5 hours. When computing resources are limited, for example when only 5 high-performance computing nodes and 5 high-throughput computing nodes are available, dynamic adjustment policies are formulated according to the actual requirements of the front-end service and the background processing.
If the number of active users of the front-end service rises to 150,000 at some point, the computing demand increases, and a high-performance computing node may be temporarily allocated from the background processing layer to support the front-end service so that the user experience is not affected. Correspondingly, the resources of the background processing layer are replenished during off-peak hours so that the batch processing tasks keep making progress.
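The layered scheduling described in S101, as an added worked example that is not part of the patent's own text: a front-end tier of high-performance nodes borrows nodes from the background tier when its demand exceeds capacity, never drives the background tier below a floor that keeps batch settlement progressing, and returns every borrowed node during off-peak hours. The node counts, the 400 TPS per front-end node and the two-node floor are constructed figures.

```python
from dataclasses import dataclass, field
import math

# Constructed figures for the illustration (not from the patent): one front-end
# node sustains 400 TPS, and the background tier always keeps two nodes so the
# batch settlement of the day keeps making progress.
TPS_PER_FRONTEND_NODE = 400
MIN_BACKGROUND_NODES = 2


@dataclass
class TierState:
    """Node counts of the two layers plus how many background nodes are on loan."""
    frontend_nodes: int          # high-performance nodes serving user interaction
    background_nodes: int        # high-throughput nodes running batch processing
    borrowed: int = 0            # background nodes currently lent to the front-end
    log: list = field(default_factory=list)


def frontend_nodes_needed(demand_tps: float) -> int:
    """Smallest number of front-end nodes whose aggregate capacity covers demand."""
    if demand_tps <= 0:
        return 0
    return math.ceil(demand_tps / TPS_PER_FRONTEND_NODE)


def frontend_capacity_tps(state: TierState) -> int:
    """Aggregate TPS the front-end tier can currently sustain."""
    return state.frontend_nodes * TPS_PER_FRONTEND_NODE


def rebalance(state: TierState, demand_tps: float, off_peak: bool) -> TierState:
    """One scheduling round of the layered strategy.

    Peak hours: if front-end demand exceeds capacity, lend background nodes but
    never go below MIN_BACKGROUND_NODES; borrowed nodes no longer needed are returned.
    Off-peak hours: every borrowed node goes back so batch processing is replenished.
    """
    needed = frontend_nodes_needed(demand_tps)

    # Return borrowed nodes: all of them off-peak, otherwise only the surplus.
    if off_peak:
        to_return = state.borrowed
    else:
        to_return = min(state.borrowed, max(0, state.frontend_nodes - needed))
    if to_return:
        state.frontend_nodes -= to_return
        state.background_nodes += to_return
        state.borrowed -= to_return
        state.log.append(f"returned {to_return} node(s) to the background layer")

    if off_peak:
        return state

    shortfall = needed - state.frontend_nodes
    if shortfall > 0:
        spare = max(0, state.background_nodes - MIN_BACKGROUND_NODES)
        lend = min(shortfall, spare)
        if lend:
            state.background_nodes -= lend
            state.frontend_nodes += lend
            state.borrowed += lend
            state.log.append(f"borrowed {lend} node(s) for {demand_tps:.0f} TPS of front-end demand")
        if lend < shortfall:
            # The cluster cannot cover demand even after borrowing: alert operators.
            state.log.append(f"capacity shortfall: {shortfall - lend} node(s) still missing")
    return state


if __name__ == "__main__":
    s = TierState(frontend_nodes=5, background_nodes=5)
    for demand, off_peak in [(1500, False), (2500, False), (4000, False), (1000, False), (300, True)]:
        rebalance(s, demand, off_peak)
        print(f"demand={demand:5} off_peak={off_peak!s:5} front={s.frontend_nodes} back={s.background_nodes} borrowed={s.borrowed}")
    print("\n".join(s.log))
```

The floor on the background tier is the part worth keeping in a real scheduler: without it, a long enough peak drains the batch tier completely and the night settlement silently misses its window, which is the failure the off-peak replenishment in the text is meant to prevent.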
S102: the virtualized resource pool is divided into a first virtualized resource pool and a second virtualized resource pool, where the first virtualized resource pool hosts core services and the second virtualized resource pool hosts common services.
In this embodiment the virtualized resource pool is divided according to the characteristics and requirements of the banking business into a key business resource pool and a non-key business resource pool. The key business resource pool serves core business such as external quick settlement; the non-key business resource pool serves ordinary overseas and domestic transfers, whose real-time requirements are lower. At the same time, a security level evaluation is performed on each business.
The characteristics and requirements of the banking businesses are analyzed to determine the division principle of the virtualized resource pool, giving the division scheme of the key business resource pool and the non-key business resource pool. A security level assessment method is used to perform a risk assessment of the banking businesses, giving the security level of each business, which serves as a reference for the resource division. Core services such as external quick settlement, which have real-time requirements on resources, are placed in the key business resource pool so that they receive high priority and low delay. Services with lower real-time requirements, such as ordinary overseas and domestic transfers, are placed in the non-key business resource pool, where the priority and response-speed requirements on resources are relaxed. The resources of the key business resource pool are optimally configured, for example by increasing bandwidth and improving CPU and memory performance, giving a high-performance environment that meets the core business requirements. The non-key business resource pool is designed for elastic expansion: its resource allocation is adjusted dynamically with the change in business volume, deciding whether capacity must be expanded or shrunk, so that resource utilization is maximized. A virtualization management platform manages and monitors the resource pools uniformly, and by monitoring resource usage and service running state in real time it dynamically optimizes the resource allocation strategy, ensuring stable operation of both key and non-key services.
Specifically, when the banking business is analyzed, indicators such as business flow, number of concurrent users and transaction amount can be used to evaluate the resource requirements of the different businesses. For example, an external quick settlement service that must handle 100 transactions per second with an average transaction amount of 100,000 yuan needs to process an amount of funds per second that can be estimated with the formula "transactions per second × average transaction amount". From these figures the external quick settlement service is determined to be a key service and is placed in the key business resource pool. The security level is evaluated with a risk matrix method, which rates each business as high, medium or low according to the likelihood and the degree of impact of its potential security hazards. For example, for the risk of leakage of sensitive customer information, the likelihood is judged to be medium from the number of leakage events in the past year and the importance of the leaked data, and the degree of impact is judged to be high, so the security level of this risk is high. The formula "security level = likelihood × degree of impact" quantifies the security level of the different services, where the likelihood takes values 1–3, the degree of impact takes values 1–5, and the security level therefore lies in the range 1–15. The higher the security level, the greater the security risk of the service and the more security protection resources it needs. The resources of the services placed in the key business resource pool are then optimally configured.
For the external quick settlement business, which must handle 100 transactions per second, higher-performance servers can be used, for example with Intel Xeon Gold 6148 processors and 2933 MT/s DDR memory, and the average transaction response time can be held within 50 milliseconds through network bandwidth optimization, application optimization and the like. Network devices such as stacked switches can raise the server's network bandwidth to 40 Gbps to support highly concurrent transaction requests. For the non-key business resource pool, elastic expansion adjusts the resource allocation dynamically with the change in business volume. For the domestic ordinary transfer service, a reference configuration can be set, for example servers with an Intel Xeon Silver 4116 processor and 2400 MT/s DDR memory, and capacity is expanded or contracted automatically as the business volume changes. When the traffic exceeds the processing capacity of the reference configuration, capacity is expanded by adding new server nodes; when the traffic falls, capacity is contracted by shutting down idle nodes, maximizing resource utilization. For unified management and monitoring of the resource pools, a virtualization management platform such as VMware vSphere or OpenStack can be adopted. Through the platform, the usage of server, storage and network resources, such as CPU occupancy, memory usage and disk I/O, can be monitored in real time, and an alarm or automatic operation is triggered when a preset threshold is exceeded.
When the CPU occupancy rate of a certain server node exceeds 80%, automatic capacity expansion operation can be triggered, and new CPU resources are added for the node; when the traffic flow decreases, an automatic capacity reduction operation can be triggered, and idle nodes are closed to save the cost. Through real-time monitoring and automatic operation and maintenance, the stable operation of key business and non-key business can be ensured, and the availability and performance of the system are improved.
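The pool assignment, risk-matrix security level and threshold-driven elastic scaling described above, as an added Python example that is not part of the patent; the scale-in threshold, the sustain window and the sample service figures are assumptions.

```python
"""Added example (not part of the patent): key/non-key pool assignment,
risk-matrix security level, and sustained-threshold elastic scaling."""
from dataclasses import dataclass

# Page scales: likelihood 1-3, influence 1-5, security level = likelihood x influence (1-15).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
INFLUENCE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Service:
    name: str
    tps: int              # required transactions per second
    avg_amount: float     # average amount per transaction, in yuan
    real_time: bool       # does the service have a hard real-time requirement?
    likelihood: str       # likelihood of its main security hazard (low/medium/high)
    influence: str        # impact of that hazard (very low .. very high)


def funds_per_second(svc: Service) -> float:
    """Page formula: transactions per second x average transaction amount."""
    return svc.tps * svc.avg_amount


def security_level(svc: Service) -> int:
    """Page formula: security level = likelihood x influence level (range 1-15)."""
    return LIKELIHOOD[svc.likelihood] * INFLUENCE[svc.influence]


def assign_pool(svc: Service) -> str:
    """Real-time core services go to the key pool; the rest to the non-key pool."""
    return "key" if svc.real_time else "non-key"


# Elastic scaling of the non-key pool. The 80% scale-out threshold is the page's;
# the 40% scale-in threshold and the three-sample sustain window are assumptions.
SCALE_OUT_CPU = 80.0
SCALE_IN_CPU = 40.0
SUSTAIN = 3


def scaling_decisions(cpu_samples, nodes, min_nodes=1):
    """Walk periodic average-CPU samples of the pool and return a list of
    (sample_index, action, node_count) for every expand/shrink decision.
    A single spike triggers nothing: the threshold must hold for SUSTAIN
    consecutive samples, which avoids flapping on noisy readings."""
    decisions = []
    hot = cold = 0
    for i, cpu in enumerate(cpu_samples):
        hot = hot + 1 if cpu > SCALE_OUT_CPU else 0
        cold = cold + 1 if cpu < SCALE_IN_CPU else 0
        if hot >= SUSTAIN:
            nodes += 1                      # add a server node to the pool
            decisions.append((i, "expand", nodes))
            hot = 0
        elif cold >= SUSTAIN and nodes > min_nodes:
            nodes -= 1                      # close an idle node to save cost
            decisions.append((i, "shrink", nodes))
            cold = 0
    return decisions


if __name__ == "__main__":
    # Constructed sample services, not figures from a real bank.
    settlement = Service("out-of-environment quick settlement", 100, 100_000, True, "medium", "high")
    transfer = Service("internal ordinary transfer", 20, 5_000, False, "low", "medium")
    for svc in (settlement, transfer):
        print(svc.name, assign_pool(svc), funds_per_second(svc), security_level(svc))
    print(scaling_decisions([50, 85, 90, 95, 60, 30, 35, 20, 25], nodes=2))
```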
S103, determining the security level of each service, and setting a security management mechanism of the virtual machine according to the security level of each service.
In some embodiments, the determining the security level of each service, setting a security management mechanism of the virtual machine according to the security level of each service, specifically includes:
based on an information security risk assessment model, acquiring a risk value of each service through a service risk assessment factor, and determining the security level of each service according to the risk value;
According to the security level of each service, a multi-level virtualized security domain is set, and isolation and interaction between virtual machines corresponding to the services with different security levels are determined through the virtualized security domain;
determining the operation authorities of different manager roles of the virtual machine according to the RBAC model;
Performing DPI detection on the network traffic among the virtual machines that are allowed to interact to obtain traffic detection data, establishing an anomaly detection model from the traffic detection data, using the anomaly detection model to detect whether abnormal traffic exists in the interaction among the virtual machines, and blocking or limiting the abnormal traffic if it exists.
In this embodiment, the security level of each service is obtained by evaluating the security level of the services, and the security level is used as an important basis for virtual machine resource allocation. A multi-level virtualized security domain is designed according to the security level of the service, and network isolation and access control are implemented for services with different security levels, so that a low-security-level service cannot access the resources of a high-security-level service. A role-based access control (RBAC) mechanism performs fine-grained control of virtual machine management authority and determines the operations that different roles may perform on virtual machines, such as creation, deletion and migration, so as to prevent unauthorized operations. For services with a high security level, the migration function is disabled in the virtual machine configuration, so that sensitive data cannot leak during a migration and a higher level of data protection is obtained. Deep Packet Inspection (DPI) of the virtual machines' network traffic identifies abnormal communication among the virtual machines, judges whether a data leakage risk exists, and blocks illegal communication in time. On communication links between virtual machines, an encrypted transport protocol such as SSL/TLS is enabled to encrypt sensitive data, so that even if the data is intercepted it cannot be decrypted, which ensures confidentiality. With trusted computing technology, the virtual machine is integrity-verified at startup and continuously monitored at runtime, and as soon as the virtual machine is found to be tampered with or infected with a malicious program it is immediately isolated, preventing the security threat from spreading.
Specifically, when the security level of a service is evaluated, an information security risk assessment model such as OCTAVE or NIST SP 800-30 may be used to quantitatively score factors such as the asset value, threat probability and vulnerability of the service; the risk value of each service is calculated by the formula "risk value = asset value × threat probability × vulnerability" and classified into the three security levels high, medium and low according to the risk value. For example, for a customer personal information management system whose asset value is 5 (very high), threat probability is 4 (high) and vulnerability is 3 (medium), the risk value is 5×4×3=60, which belongs to the high security level. When the virtualized security domain is designed, the zero trust security model can be consulted, and micro-segmentation is used to isolate the networks of services with different security levels. An independent VLAN can be assigned to high-security-level services and strict ACL rules configured so that only necessary communication traffic is allowed in and out and access from other services is forbidden. At the same time, security policies can be configured on the virtual switch or distributed firewall to control east-west traffic between virtual machines at fine granularity. For control of virtual machine management rights, an RBAC model may be used to divide administrator roles into multiple levels, such as system administrator, security administrator and audit administrator, and assign each role the corresponding operation rights.
For example, a system administrator has full control of a virtual machine and can perform operations such as creation, deletion and migration; a security administrator can only perform security-related operations, such as configuring firewall rules and audit logs; an audit administrator can only view system logs and audit reports and has no right to modify the system configuration. Through the RBAC matrix, the operation authority of each role on each virtual machine can be precisely defined, realizing separation of duties and the principle of least privilege. When DPI detection is performed on virtual machine network traffic, a machine-learning anomaly detection algorithm such as One-Class SVM or Isolation Forest can be adopted: an anomaly detection model is built by learning the characteristics of normal traffic, and abnormal communication between virtual machines is identified in real time. Traffic features such as source/destination IP, port number, protocol type and packet size are extracted and converted, through feature engineering and preprocessing, into numerical vectors that a machine learning algorithm can process; the trained anomaly detection model then predicts whether the traffic is abnormal. When an anomaly is detected, an alarm can be triggered according to a preset threshold, and the abnormal traffic is automatically blocked or limited. When encrypted transmission is enabled between virtual machines, the TLS 1.3 protocol may be used with a key exchange algorithm providing perfect forward secrecy (PFS), such as ECDHE, so that the security of historical communication data is not affected if a session key is later compromised. At the same time, a high-strength symmetric encryption algorithm such as AES-GCM can be used to guarantee both confidentiality and integrity of the data.
For example, when virtual machine A needs to send sensitive data to virtual machine B, an ECDHE key exchange is first used to negotiate a temporary session key, the data is then encrypted with AES-GCM under that key, and the ciphertext is transmitted to virtual machine B over the network. Even if an attacker intercepts the ciphertext, the plaintext cannot be recovered because the session key is not available. For trusted computing of the virtual machine, a TPM (trusted platform module) chip can be used to measure and verify the operating system and applications of the virtual machine at startup, ensuring that the virtual machine has not been tampered with. The TPM chip may be embedded in the virtual machine template, with the hash values of the operating system and critical applications stored in it. When the virtual machine starts, the TPM chip measures the current system state, calculates a hash value and compares it with the pre-stored value; if they do not match, the system has been tampered with and the startup process must be stopped. While the virtual machine is running, VBS (virtualization-based security) technology can use a hardware-assisted memory isolation mechanism to prevent malicious programs from accessing or modifying key kernel data structures, improving the security of the system. Once the virtual machine is found to be infected with a malicious program, it can immediately be quarantined in a separate secure sandbox, preventing the threat from spreading to other virtual machines or hosts.
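The risk-value scoring, security-domain isolation and RBAC matrix of S103, as an added Python example that is not part of the patent; the high/medium/low cut-offs on the risk value and the exact permission sets are assumptions (the page only fixes 60 as "high" and describes the roles in words).

```python
"""Added example (not part of the patent): risk-value scoring, security-domain
isolation between VMs of different levels, and an RBAC check that forbids
migrating high-security VMs regardless of role."""


def risk_value(asset: int, threat: int, vulnerability: int) -> int:
    """Page formula: risk value = asset value x threat probability x vulnerability,
    each factor scored 1-5 (page example: 5 x 4 x 3 = 60)."""
    for v in (asset, threat, vulnerability):
        if not 1 <= v <= 5:
            raise ValueError("each factor must be scored 1-5")
    return asset * threat * vulnerability


def level_from_risk(rv: int) -> str:
    """Map a risk value to high/medium/low. The page only states that 60 is
    'high'; the cut-offs 48 and 16 are assumptions for this example."""
    if rv >= 48:
        return "high"
    if rv >= 16:
        return "medium"
    return "low"


RANK = {"low": 0, "medium": 1, "high": 2}


def domain_allows(src_level: str, dst_level: str, whitelisted: bool = False) -> bool:
    """Micro-segmentation rule from the page: a lower-level service never reaches
    a higher-level one, and traffic into the high-level VLAN needs an explicit
    ACL allow (whitelisted); traffic to the same or a lower level passes."""
    if RANK[src_level] < RANK[dst_level]:
        return False
    if dst_level == "high":
        return whitelisted
    return True


# RBAC matrix from the page: which operations each administrator role may perform.
ROLE_PERMISSIONS = {
    "system_admin": {"create", "delete", "migrate", "configure_firewall",
                     "view_logs", "view_audit_report"},
    "security_admin": {"configure_firewall", "view_logs"},
    "audit_admin": {"view_logs", "view_audit_report"},
}


def authorize(role: str, action: str, vm_level: str) -> bool:
    """Least-privilege check: the role must hold the permission, and migration of a
    high-security VM is disabled in its configuration no matter who asks."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False
    if action == "migrate" and vm_level == "high":
        return False
    return True


if __name__ == "__main__":
    rv = risk_value(5, 4, 3)          # page example: customer personal information system
    print(rv, level_from_risk(rv))    # 60 high
    print(domain_allows("low", "high"), domain_allows("high", "high", whitelisted=True))
    print(authorize("system_admin", "migrate", "high"), authorize("audit_admin", "delete", "low"))
```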
S104, based on an analytic hierarchy process, the priorities of the services are respectively ordered for the first virtualized resource pool and the second virtualized resource pool, a service priority list is formed, and resource allocation of the services is realized according to the service priority list.
In some embodiments, the performing, based on the analytic hierarchy process, prioritization of each service for the first virtualized resource pool and the second virtualized resource pool to form a service priority list specifically includes:
according to the multiple service evaluation dimensions, obtaining importance weights and timeliness weights of the services of the first virtualized resource pool and the second virtualized resource pool through an analytic hierarchy process;
And respectively determining the priority of each service of the first virtualized resource pool and the priority of each service of the second virtualized resource pool according to the importance weight and the timeliness weight to form a service priority list.
In this embodiment, a priority mechanism of resource scheduling is established, different priorities are set according to importance and timeliness of the service, and continuity of the key quick transfer service is ensured.
By evaluating the importance and timeliness of the service, the priority level of different services is obtained by adopting a method combining quantification and qualitative as the basis of resource scheduling. According to the priority level, a multi-level queue scheduling algorithm is designed, service requests with different priorities are distributed to corresponding queues, and scheduling sequence and resource distribution proportion are determined. And a dynamic priority adjustment mechanism is adopted to dynamically adjust the priority of the service request according to the real-time flow and the waiting time of the service request, so that the condition that the low-priority service cannot obtain resources for a long time is avoided. For critical services, such as fast transfer service, the highest priority is set, and a proprietary resource pool is reserved for the critical services, so that the continuity and low delay of the critical services are ensured. The service request is monitored in real time to obtain the resource use condition and performance index, such as CPU occupancy rate, memory use rate, response time, etc., and judge whether the priority adjustment or the resource expansion needs to be triggered. And if the resource usage amount of the service request exceeds a preset threshold, triggering a resource capacity expansion mechanism, and distributing additional resources from the idle resource pool to ensure the continuous operation of the service.
In particular, AHP (the analytic hierarchy process) may be employed to determine the priority levels of the different services when evaluating their importance and timeliness. For example, for the quick transfer service, evaluating along dimensions such as fund amount, customer experience and compliance risk and computing the judgment matrix yields an importance weight of 0.6 and a timeliness weight of 0.3, so the composite priority level is 0.6×5+0.3×4=4.2, where 5 and 4 are the highest levels of importance and timeliness respectively. When the scheduling algorithm is designed, a multi-level feedback queue algorithm can be adopted that divides the priority levels into several tiers, each with its own queue. Five priority levels may be set, corresponding to five queues Q1-Q5, with Q1 the highest priority and Q5 the lowest. When a service request arrives it is placed in the queue matching its priority level, and the scheduler processes the requests in each queue in order from the highest-priority queue to the lowest.
In some embodiments, the allocating resources to each service according to the service priority list specifically includes:
Based on the service priority list, realizing resource scheduling of each service according to a multi-stage feedback queue algorithm, a time slice rotation algorithm and an aging algorithm;
Establishing a resource cost model according to resource unit price and service income at different times;
determining the resource demand trend of the first virtualized resource pool and the second virtualized resource pool in a preset future time period according to a time-series algorithm;
and determining an optimal resource allocation scheme according to the resource cost model and the resource demand trend.
In this embodiment, for requests in the same queue a time-slice round-robin algorithm may be used to ensure fairness: after each request has run for one time slice in its current queue, if it has not finished it enters the next-stage queue to wait. To avoid a low-priority service being unable to obtain resources for a long time, an aging algorithm can be adopted that tracks the waiting time of a request and raises its priority by one level whenever the waiting time exceeds a certain threshold. For example, a request in the Q5 queue whose waiting time exceeds 10 minutes is moved to the Q4 queue, and so on until it eventually reaches the Q1 queue and is processed. For critical services such as quick transfer, a resource reservation and preemption mechanism may be employed to ensure that sufficient resources are available: 20% of CPU resources and 30% of memory resources can be reserved for the quick transfer service, and when a request arrives and the current resources are insufficient, resource preemption is triggered and resources of low-priority services are released for the high-priority service. For resource monitoring and prediction, a time-series algorithm such as ARIMA or Prophet can be adopted: a prediction model is built from the historical data of service requests, and the resource demand in a future period is estimated in advance. By analyzing the request volume and resource usage of the quick transfer service over the past month, it may be predicted that in the coming week the service will need on average 100 CPU cores and 200 GB of memory per day, and 200 CPU cores and 500 GB of memory at peak. According to the prediction result, capacity expansion and pre-warming of resources can be performed in advance, avoiding service interruption due to insufficient resources.
At the same time, a resource cost model can be established, and the optimal resource allocation scheme is calculated according to the resource unit price and service benefit in different time periods. More high-performance resources, such as SSD disks and 10 Gigabit network cards, can be added during business peaks, and part of the idle resources can be released during business troughs to save cost. By monitoring service performance indicators such as response time and throughput in real time, the resource configuration can be optimized continuously to reach the best balance between service performance and cost.
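The AHP composite priority and the five-queue multi-level feedback scheduler with time-slice round robin and aging described in S104, as an added Python example that is not part of the patent; time is counted in abstract ticks, and the slice length, the score-to-queue mapping and the sample requests are assumptions.

```python
"""Added example (not part of the patent): AHP composite priority, the page's
five-queue multi-level feedback scheduler with time-slice round robin, and the
aging rule that promotes a waiting request one queue per threshold crossed."""
import math
from collections import deque
from dataclasses import dataclass
from typing import Optional

NUM_QUEUES = 5          # Q1 (index 0, highest priority) .. Q5 (index 4, lowest)
TIME_SLICE = 2          # assumption: ticks a request runs before re-queueing
AGING_THRESHOLD = 10    # page: promote after 10 minutes of waiting (here: ticks)


def priority_score(weights: dict, scores: dict) -> float:
    """Page formula: sum(weight x score), e.g. 0.6*5 + 0.3*4 = 4.2."""
    return sum(weights[k] * scores[k] for k in weights)


def score_to_queue(score: float, max_score: float = 5.0) -> int:
    """Assumed mapping of a composite score to a queue number 1..5; scores in the
    top fifth of the range land in Q1, so 4.2 -> Q1 as the page gives quick transfer."""
    level = NUM_QUEUES - math.ceil(score / max_score * (NUM_QUEUES - 1))
    return max(1, min(NUM_QUEUES, level))


@dataclass
class Request:
    name: str
    queue: int                       # starting queue number 1..5
    remaining: int                   # ticks of work left
    waited: int = 0                  # ticks waited since last run or promotion
    finished_at: Optional[int] = None


def run_mlfq(requests):
    """Simulate until every request completes; return (finish_times, completion_order)."""
    queues = [deque() for _ in range(NUM_QUEUES)]
    for r in requests:
        queues[r.queue - 1].append(r)
    clock, order = 0, []
    while any(queues):
        qi = next(i for i, q in enumerate(queues) if q)   # highest non-empty queue
        req = queues[qi].popleft()
        run = min(TIME_SLICE, req.remaining)
        req.remaining -= run
        clock += run
        # Aging: every other request waited `run` ticks; once a request has waited
        # past the threshold it moves up one queue so low priority cannot starve.
        for i, q in enumerate(queues):
            for other in list(q):
                other.waited += run
                if other.waited >= AGING_THRESHOLD and i > 0:
                    q.remove(other)
                    other.waited = 0
                    queues[i - 1].append(other)
        if req.remaining == 0:
            req.finished_at = clock
            order.append(req.name)
        else:
            # Unfinished after its slice: drop to the next-stage queue (page rule).
            req.waited = 0
            queues[min(qi + 1, NUM_QUEUES - 1)].append(req)
    return {r.name: r.finished_at for r in requests}, order


if __name__ == "__main__":
    w = {"importance": 0.6, "timeliness": 0.3}
    s = priority_score(w, {"importance": 5, "timeliness": 4})   # 4.2 for quick transfer
    print(s, score_to_queue(s))
    # Constructed workload: two long Q1 jobs and one short Q5 job that aging rescues.
    reqs = [Request("A", 1, 8), Request("B", 5, 2), Request("C", 1, 8)]
    print(run_mlfq(reqs))
```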
S105, acquiring performance data of the virtual machine in real time, analyzing the resource use condition of the virtual machine according to the performance data by an abnormality detection algorithm, and carrying out dynamic resource scheduling when the abnormality condition occurs to the virtual machine.
In some embodiments, the analyzing the resource usage of the virtual machine according to the anomaly detection algorithm through the performance data, and performing dynamic resource scheduling when the anomaly occurs in the virtual machine specifically includes:
forming a multi-dimensional time sequence data set according to the performance data of the virtual machine;
Performing cluster analysis on the multi-dimensional time series data set based on the K-Means algorithm, and determining K performance mode clusters using the Euclidean distance between data points, taken two dimensions at a time, in the multi-dimensional time series data set;
Determining whether the virtual machine has abnormal resource use conditions according to the comparison between the value of the central point of each performance mode cluster and a preset value;
When the virtual machine has abnormal resource use conditions, a response time regression model is established according to historical response time data of corresponding services of the virtual machine under different resource use conditions, and dynamic resource scheduling is carried out for the virtual machine through the response time regression model.
In this embodiment, by deploying the virtualization management platform, real-time performance indicators of the virtual machine such as CPU utilization, memory utilization and network throughput are obtained, forming time series data of virtual machine performance. An anomaly detection algorithm such as K-Means or GMM performs cluster analysis on the virtual machine performance data, judges whether an abnormal resource usage pattern exists, and identifies potential performance bottlenecks. If the memory or CPU utilization of a single virtual machine is found to remain above a threshold (such as 90%), a resource shortage alarm is triggered, and whether dynamic resource scheduling is needed is determined according to the resource demand and priority of the service.
In the virtualization management platform, the performance monitoring function of vSphere can be used to collect performance indicators of the virtual machine, including CPU utilization, memory utilization, disk I/O rate and network bandwidth, every 5 seconds to form a multi-dimensional time series data set. The data set is then clustered with the K-Means algorithm, which places similar performance patterns in the same cluster. Taking CPU utilization and memory utilization as two dimensions, the Euclidean distance between data points is calculated, and k performance mode clusters are obtained by iteratively minimizing the sum of squared distances within the clusters. If the CPU or memory utilization of the center point of a cluster exceeds 90%, the cluster represents an abnormal resource usage pattern and requires attention. Suppose the memory utilization of a virtual machine is found to remain above 90%, the virtual machine runs an overseas quick settlement service, and the SLA of that service requires a transaction response time of no more than 500 milliseconds. A simple linear regression model can be built by analyzing the historical response time of the service at different memory utilizations: response time = a × memory utilization + b, where a and b are the parameters to be fitted. Solving by least squares gives a=2.5 and b=-50, i.e. response time = 2.5 × memory utilization - 50. From this model it can be seen that when the memory utilization exceeds 80%, the response time will exceed 500 milliseconds and fail the SLA requirement. Therefore more memory resources need to be allocated to the virtual machine, or it must be migrated to a host with lower memory utilization.
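The K-Means clustering over (CPU, memory) samples with the 90% centroid rule, and the least-squares response-time model of S105, as an added Python example that is not part of the patent; the samples are constructed, the seeding is a deterministic farthest-first choice rather than the platform's own, and the history points are built to lie on the page's fitted line.

```python
"""Added example (not part of the patent): K-Means over (CPU %, memory %)
samples with the page's 90% centroid rule for an abnormal pattern, plus a
least-squares fit of response time against memory usage that is inverted to
find the usage at which the SLA breaks. Standard library only."""
import math


def _farthest_first(points, k):
    """Deterministic seeding: start at points[0], then repeatedly take the point
    farthest from all chosen centroids (no random seed, so runs are reproducible)."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(math.dist(p, c) for c in centroids)))
    return centroids


def kmeans(points, k, iters=100):
    """Return (centroids, clusters); minimises within-cluster squared Euclidean distance."""
    centroids = _farthest_first(points, k)
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for p in points:
            idx = min(range(k), key=lambda i: math.dist(p, centroids[i]))
            clusters[idx].append(p)
        new = [tuple(sum(col) / len(cl) for col in zip(*cl)) if cl else centroids[i]
               for i, cl in enumerate(clusters)]
        if new == centroids:
            break
        centroids = new
    return centroids, clusters


def abnormal_clusters(centroids, threshold=90.0):
    """Indices of clusters whose centroid CPU or memory exceeds the threshold."""
    return [i for i, (cpu, mem) in enumerate(centroids) if cpu > threshold or mem > threshold]


def fit_line(xs, ys):
    """Ordinary least squares for response_time = a * memory_usage + b."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)
    return a, my - a * mx


def memory_usage_at_sla(a, b, sla_ms):
    """Invert the line: the memory usage at which predicted response time equals the SLA."""
    return (sla_ms - b) / a


def needs_rescheduling(a, b, memory_usage, sla_ms=500.0):
    """True when the model predicts the SLA is missed at this memory usage."""
    return a * memory_usage + b > sla_ms


# Constructed 5-second samples of (CPU %, memory %): a normal group and a saturated one.
SAMPLES = [(28, 40), (32, 42), (30, 38), (35, 45), (27, 41), (31, 39),
           (52, 95), (48, 97), (55, 93), (50, 96), (49, 94), (53, 98)]
# Constructed history of (memory %, response ms) lying on the page's fitted line.
HISTORY = [(60, 100), (70, 125), (80, 150), (90, 175)]

if __name__ == "__main__":
    cents, _ = kmeans(SAMPLES, 2)
    print(cents, abnormal_clusters(cents))
    a, b = fit_line(*zip(*HISTORY))
    print(a, b, memory_usage_at_sla(a, b, 500), needs_rescheduling(a, b, 92))
```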
S106, setting a regression model for the core service according to the resource usage amount and the KPI, and predicting the expected processing time of the core service under different resource allocation schemes according to the regression model.
In this embodiment, for key businesses such as out-of-environment quick settlement and in-environment second-to-account transfer, the Key Performance Indicators (KPIs) defined in their Service Level Agreements (SLAs), such as transaction response time and throughput, are obtained as measures of business timeliness. By analyzing the historical data of the key business, a regression model between resource usage and KPI is established, and the expected processing time of the business under different resource allocation schemes is predicted, so that the minimum resource requirement that meets the timeliness requirement is obtained.
And S107, performing virtual machine resource allocation by combining service division and security level, prohibiting resource migration for the virtual machines corresponding to the service with high security level, acquiring the resource migration risk between each virtual machine, and determining whether the current virtual machine is allowed to perform resource migration to the target host.
In some embodiments, the acquiring the resource migration risk between each virtual machine, and determining whether the current virtual machine is allowed to perform resource migration to the target host specifically includes:
Obtaining migration risk factors of each virtual machine, and setting different weights for each migration risk factor, wherein the migration risk factors comprise performance loss, interruption time and target host resource utilization rate in the migration process;
acquiring a migration process actual value corresponding to each migration risk factor of each virtual machine, and determining the migration risk value of each virtual machine according to the weight of each migration risk factor and the migration process actual value;
And determining whether the current virtual machine is allowed to carry out resource migration on the target host according to the comparison between the migration risk value and the preset migration risk value.
In the embodiment, virtual machine resource allocation is performed by combining service division and security level, service with high security level is limited, migration of virtual machines in the service is forbidden, risk of accidental leakage of data is reduced, and service information security is guaranteed.
When the migration risk is evaluated, a fuzzy comprehensive evaluation method can be used that considers several factors of the migration process, such as performance loss, interruption time and target host resource utilization. First, these factors are graded by importance and given different weights: the weight of performance loss is 0.4, the weight of interruption time is 0.3, and the weight of target host resource utilization is 0.3. Each factor is then scored according to its actual value: the performance loss during migration is scored 0.1 if it is predicted to be 10%, the interruption time is scored 0.3 if it is predicted to be 30 seconds, and the target host resource utilization is scored 0.4 if it is 60%. Finally, a migration risk value of 0.4×0.1+0.3×0.3+0.3×0.4=0.25 is calculated by weighted averaging, which indicates that the migration risk is low and the migration can proceed. When the virtual machine migration is carried out, an online migration technology such as vMotion can be used: the memory state and disk data of the virtual machine are transferred from the source host to the target host through several steps, such as pre-copy, real-time synchronization and snapshot, achieving seamless migration without service interruption. In the pre-copy stage, the memory pages of the virtual machine are silently copied to the target host in the background until a certain threshold (e.g. 95%) is reached. Then, in the real-time synchronization stage, the virtual machine on the source host is paused for a few seconds, the remaining dirty pages are copied to the target host, and the running state of the virtual machine is restored on the target host. Finally, a snapshot of the virtual machine is created on the source host to serve as a rollback point in case the migration fails and must be rolled back.
The whole migration process can be completed within tens of seconds, with very little impact on the service. After migration is completed, the resource allocation of the virtual machine must be adjusted dynamically to adapt to changes in service load. The Dynamic Resource Scheduling (DRS) function of vSphere may be used to automatically allocate and balance resources in the host cluster based on the resource utilization and priority of the virtual machines. DRS uses a market-economics-style algorithm: host resources are treated as commodities, the resource requirements of the virtual machines as purchasing power, and the optimal allocation of resources is reached through supply-demand matching and price adjustment. When the CPU demand of a virtual machine increases, its purchasing power increases as well, and DRS allocates more CPU resources to it until an equilibrium state is reached. Conversely, when the resource utilization of a virtual machine is low, DRS releases the resources it occupies and distributes them to other virtual machines that need them, improving overall resource utilization efficiency.
S108, monitoring the use condition of the computing power resources of the banking business system in real time, and determining whether the virtual machine corresponding to the high-security core business can perform resource migration and the resource migration volume according to the expected processing time and the resource migration risk when the high-security core business cannot meet the timeliness requirement.
In this embodiment, if the expected processing time of the service is longer than the SLA requirement and the migration risk is lower than the threshold, the online migration of the high-security service virtual machine is triggered, and the online migration is transferred to the host with lower resource utilization rate, and the resource allocation of the virtual machine is dynamically adjusted, so as to ensure the continuous timeliness of the service.
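The weighted migration-risk score of S107 and the S108 gate that releases a high-security virtual machine for migration only when its expected processing time breaks the SLA and the risk is below threshold, as an added Python example that is not part of the patent; the value-to-score maps, the 0.5 risk threshold and the sample virtual machines are assumptions.

```python
"""Added example (not part of the patent): the weighted migration-risk score with
the page's weights (performance loss 0.4, interruption 0.3, target utilisation 0.3)
and the S107/S108 gate for high-security virtual machines."""
from dataclasses import dataclass

WEIGHTS = {"performance_loss": 0.4, "interruption": 0.3, "target_utilization": 0.3}


def factor_scores(perf_loss_pct: float, interrupt_s: float, target_util_pct: float) -> dict:
    """Map measured values to 0-1 scores. The page scores 10% loss as 0.1, 30 s as
    0.3 and 60% target utilisation as 0.4; the linear maps below reproduce those
    three points and are otherwise an assumption of this example."""
    def clamp(v):
        return max(0.0, min(v, 1.0))
    return {
        "performance_loss": clamp(perf_loss_pct / 100),
        "interruption": clamp(interrupt_s / 100),
        "target_utilization": clamp(target_util_pct / 150),
    }


def migration_risk(scores: dict) -> float:
    """Page formula: weighted average, e.g. 0.4*0.1 + 0.3*0.3 + 0.3*0.4 = 0.25."""
    return sum(WEIGHTS[k] * scores[k] for k in WEIGHTS)


@dataclass
class VirtualMachine:
    name: str
    security_level: str       # "high" | "medium" | "low"
    expected_time_ms: float   # predicted processing time from the S106 regression
    sla_ms: float             # timeliness requirement from the SLA


def migration_decision(vm: VirtualMachine, scores: dict, risk_threshold: float = 0.5):
    """Return (allowed, reason). Threshold 0.5 is an assumption; the page only says
    'lower than the threshold'. High-security VMs are migration-disabled (S107) and
    are released only by the S108 condition: SLA breached AND risk below threshold."""
    risk = migration_risk(scores)
    if vm.security_level == "high":
        if vm.expected_time_ms <= vm.sla_ms:
            return False, "high-security VM: migration disabled while the SLA is met"
        if risk >= risk_threshold:
            return False, f"high-security VM: risk {risk:.2f} not below threshold"
        return True, (f"SLA breach predicted ({vm.expected_time_ms:.0f} ms > "
                      f"{vm.sla_ms:.0f} ms) and risk {risk:.2f} below threshold")
    if risk >= risk_threshold:
        return False, f"risk {risk:.2f} not below threshold"
    return True, f"risk {risk:.2f} below threshold"


if __name__ == "__main__":
    scores = factor_scores(10, 30, 60)          # page example -> 0.25
    print(round(migration_risk(scores), 2))
    settle = VirtualMachine("vm-settle-01", "high", 620, 500)   # constructed
    print(migration_decision(settle, scores))
    print(migration_decision(VirtualMachine("vm-settle-02", "high", 300, 500), scores))
```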
In some embodiments, the method further comprises:
Based on a memory symmetry detection algorithm, monitoring memory data of the virtual machine corresponding to the core service in real time in a resource migration process, and obtaining memory fingerprint characteristics;
Based on a machine learning algorithm, a memory abnormality detection model is established through the memory fingerprint characteristics, and whether the memory data is abnormal or not is detected according to the memory abnormality detection model;
Triggering the Swift gateway to send a security alarm to a security management platform when the memory data is abnormal;
Recording the memory data according to the Swift gateway and forming log data, and performing association analysis on the log data to form threat information;
and dynamically adjusting the strategy and parameters of the virtual machine corresponding to the core service in the resource migration process based on the threat information.
In this embodiment, when the virtual machine of a high-security, high-timeliness overseas settlement service is migrated together with its settlement data, the key information (amount, time and settlement place) is processed through the Swift gateway. Memory data changes are monitored in real time while the virtual machine is migrated; as soon as abnormal memory fluctuation is detected, a security alarm is triggered through the data system of the gateway, so that a potential network attack or data leakage is prevented in time.
By analysing the data flow of the overseas settlement business, the key information that the Swift gateway has to process (amount, time, settlement place and so on) is determined and put into a structured data format. Memory data is monitored in real time during the migration of the virtual machine with a memory symmetry detection algorithm such as a Merkle tree or a Bloom filter, yielding fingerprint characteristics of the memory state. An anomaly detection model is built from the memory fingerprint characteristics, and a machine learning algorithm such as a One-Class SVM or Isolation Forest judges whether the memory data fluctuates abnormally and produces an anomaly score. If the anomaly score exceeds the preset threshold, a security alarm is triggered, the abnormal condition is sent to the security management platform through the data system of the Swift gateway, and the contingency plan is started. Association analysis of the Swift gateway's log data traces the source and destination of the abnormal data, judges whether a potential network attack or data leakage risk exists, and forms threat information. According to the threat information, the strategy and parameters of virtual machine migration are adjusted dynamically, for example by limiting the range of target hosts for migration or increasing the memory scanning frequency, which improves the security of the migration process. Sensitive data in the migration process is protected by data desensitization and encryption, for example by encrypting fields such as amount and time with a format-preserving encryption (FPE) algorithm, so that confidentiality is maintained while the data is used and transmitted. FPE preserves the format of the field; it is not homomorphic, so the ciphertext cannot be computed on without decrypting it first.
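The memory fingerprinting step above can be made concrete: hash each page of a snapshot, fold the hashes into a Merkle root (the fingerprint), and on the next scan walk the two trees together so that only subtrees whose root changed are expanded, which localises the modified pages without rehashing the comparison pairwise. The following is an added example, not the patent's code; the memory image is constructed bytes, the page size is assumed, and the anomaly score is a simple change-rate score standing in for the One-Class SVM the text names.

```python
"""Merkle-tree memory fingerprint and changed-page localisation (added example).

Illustrative code, not the patent's implementation. A VM memory snapshot is
modelled as fixed-size pages (constructed bytes below); each page is hashed
with SHA-256, the hashes are folded into a Merkle root that serves as the
"memory fingerprint", and two snapshots are compared by walking both trees
so that only subtrees whose roots differ are expanded. The anomaly score is
a change-rate score in [0, 1] (an assumed stand-in for the One-Class SVM
the page names), so the page's threshold of 0.8 applies directly.
"""
import hashlib
from typing import Dict, List

PAGE_SIZE = 4096
ALARM_THRESHOLD = 0.8   # preset anomaly threshold from the page's example


def page_hashes(memory: bytes) -> List[bytes]:
    """SHA-256 of every PAGE_SIZE chunk; the last chunk may be shorter."""
    return [hashlib.sha256(memory[i:i + PAGE_SIZE]).digest()
            for i in range(0, len(memory), PAGE_SIZE)]


def merkle_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All tree levels bottom-up; an odd trailing node is paired with itself."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([hashlib.sha256(cur[i] + cur[i + 1]).digest()
                       for i in range(0, len(cur), 2)])
    return levels


def fingerprint(memory: bytes) -> str:
    """Hex Merkle root: the memory fingerprint recorded at each scan."""
    return merkle_levels(page_hashes(memory))[-1][0].hex()


def changed_pages(old: bytes, new: bytes) -> List[int]:
    """Indices of pages that differ between two snapshots of equal page count."""
    lo, ln = merkle_levels(page_hashes(old)), merkle_levels(page_hashes(new))
    if len(lo) != len(ln):
        raise ValueError("snapshots must cover the same number of pages")
    frontier = [0]
    for level in range(len(lo) - 1, 0, -1):
        # Expand only nodes whose hash differs; children live one level down.
        kids = []
        for idx in frontier:
            if lo[level][idx] != ln[level][idx]:
                kids.extend((2 * idx, 2 * idx + 1))
        frontier = [i for i in kids if i < len(lo[level - 1])]
    return [i for i in frontier if lo[0][i] != ln[0][i]]


def anomaly_score(changed: int, total: int, normal_rates: List[float]) -> float:
    """0 while the change rate stays inside the band seen in normal scans,
    rising linearly to 1 at twice the largest normal rate (assumed rule)."""
    rate = changed / total
    normal_max = max(normal_rates) if normal_rates else 0.0
    if rate <= normal_max:
        return 0.0
    return min((rate - normal_max) / max(normal_max, 1e-9), 1.0)


def scan(previous: bytes, current: bytes, normal_rates: List[float]) -> Dict[str, object]:
    """One monitoring round: fingerprint, changed pages, score, alarm flag."""
    pages = changed_pages(previous, current)
    total = len(page_hashes(current))
    score = anomaly_score(len(pages), total, normal_rates)
    return {"fingerprint": fingerprint(current), "changed_pages": pages,
            "score": score, "alarm": score > ALARM_THRESHOLD}


def sample_image(pages: int) -> bytes:
    """Constructed, deterministic stand-in for a memory snapshot."""
    return bytes((i * 31 + i // PAGE_SIZE) & 0xFF for i in range(pages * PAGE_SIZE))
```

Because the walk descends only into subtrees whose root differs, a single modified page in a large image costs a number of comparisons proportional to the tree depth rather than to the page count; the same tree can be kept per scan and only the root needs to be stored as the fingerprint.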
For example, when analysing the data flow of the overseas settlement business, the analysis system screens the relevant information out of millions of transaction records. For one transaction the key information might be an amount of USD 10,000, a time of 2023-04-15 14:32 GMT and a settlement place of London. This information is formatted as JSON or XML and sent through the Swift gateway. During migration of the virtual machine, a Merkle tree algorithm monitors the 64 GB of memory in real time: every 5 minutes the monitoring system generates a memory fingerprint, a string of hash values that represents the current memory state. The anomaly detection model uses the One-Class SVM algorithm and is trained on samples of normal memory fingerprint characteristics. During real-time monitoring the model returns an anomaly score between 0 and 1, for example 0.2, where values closer to 1 indicate a stronger anomaly. With the preset threshold set to 0.8, a generated memory fingerprint that scores 0.85 triggers a security alarm. Once the alarm is triggered, the abnormal information (anomaly score, timestamp and so on) is packaged into a message and sent to the security management platform through the data system of the Swift gateway. In the log data association analysis, the log records before and after the abnormal event are examined, and it may turn out that a certain IP address performed unusual network access around that time. For example, before the memory event that scored 0.85, the system log shows that an unknown IP address attempted 100 connections to the virtual machine's remote management interface in the 5 minutes preceding the anomaly.
The virtual machine migration strategy is adjusted dynamically according to the threat information. If the abnormal event turns out to be related to a surge of network traffic in a certain data center, migration of virtual machines to that data center can be temporarily forbidden, and the memory scanning interval of all virtual machines is shortened from once every 5 minutes to once every minute. Protecting sensitive data during virtual machine migration is critical. Sensitive fields are encrypted with a format-preserving encryption (FPE) algorithm: the amount 10000 is replaced by another five-digit decimal string, and the digits of the time 2023-04-15T14:32:00Z by another digit string with the same layout, the separators being left in place. FPE keeps the ciphertext in the original format, so downstream processing and analysis continue to work while the data stays confidential. Because such fields have small domains, the encryption should be bound to a per-record tweak such as the transaction identifier, so that equal plaintext amounts in different records do not produce equal ciphertexts.
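The association analysis and the policy adjustment described in the two preceding paragraphs are shown below as working detection logic. This is an added example rather than the patent's code: the gateway log lines are constructed (key=value layout, documentation-range IP addresses), and the field names, the 10-minute look-back window, the attempt threshold, the allow-list of administrative hosts and the policy fields are all assumptions.

```python
"""Gateway-log association analysis and migration policy adjustment (added example).

Illustrative code, not the patent's implementation. The log lines are
constructed (key=value format, documentation-range IP addresses); the
field names, the 10-minute look-back window, the attempt threshold and the
policy fields are assumptions. Given an alarm, the code finds sources that
hammered the VM's remote management interface shortly before the alarm and
turns that threat information into the policy changes the page describes:
ban the affected data center as a migration target and shorten the memory
scan interval from 5 minutes to 1 minute.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

KNOWN_MGMT_SOURCES = frozenset({"198.51.100.20"})   # assumed allow-list of admin hosts
WINDOW_S = 600           # look-back before the alarm (assumed)
MIN_ATTEMPTS = 20        # attempts that make an unknown source suspicious (assumed)

# Constructed gateway log: 100 failed management connections from one
# unknown source in the two minutes before the alarm, plus benign traffic.
_LINES = [
    "2023-04-15T14:10:02Z vm=vm-settle-01 src=198.51.100.20 event=mgmt_login result=ok",
    "2023-04-15T14:30:15Z vm=vm-settle-01 src=198.51.100.20 event=mgmt_login result=ok",
    "2023-04-15T14:31:40Z vm=vm-settle-01 src=203.0.113.9 event=mgmt_connect result=fail",
]
_LINES += [f"2023-04-15T14:2{m}:{s:02d}Z vm=vm-settle-01 src=203.0.113.7 "
           f"event=mgmt_connect result=fail" for m in (6, 7) for s in range(50)]
SAMPLE_LOG = "\n".join(_LINES)

DEFAULT_POLICY = {"banned_target_dcs": (), "scan_interval_s": 300, "blocked_sources": ()}

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> k=v k=v ...' into a dict; empty dict if malformed."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return {}
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    fields["ts"] = m.group("ts")
    return fields


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def correlate(log_text: str, alarm: Dict[str, object]) -> List[Dict[str, object]]:
    """Threat information: unknown sources with >= MIN_ATTEMPTS management
    connection attempts against the alarmed VM inside the look-back window."""
    alarm_ts = parse_ts(str(alarm["time"]))
    start = alarm_ts - timedelta(seconds=WINDOW_S)
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("vm") != alarm["vm"] or not f.get("event", "").startswith("mgmt_"):
            continue
        ts = parse_ts(f["ts"])
        src = f.get("src", "")
        if start <= ts <= alarm_ts and src not in KNOWN_MGMT_SOURCES:
            hits[src].append(ts)
    threats = []
    for src, times in hits.items():
        if len(times) >= MIN_ATTEMPTS:
            threats.append({"src": src, "attempts": len(times),
                            "first_seen": min(times).isoformat(),
                            "seconds_before_alarm": int((alarm_ts - max(times)).total_seconds())})
    return sorted(threats, key=lambda t: -int(t["attempts"]))


def adjust_policy(policy: Dict[str, object], threats: List[Dict[str, object]],
                  alarm: Dict[str, object]) -> Dict[str, object]:
    """Return a new migration policy; the old one is left untouched."""
    if not threats:
        return dict(policy)
    banned = set(policy["banned_target_dcs"]) | {str(alarm["target_dc"])}
    blocked = set(policy["blocked_sources"]) | {str(t["src"]) for t in threats}
    return {"banned_target_dcs": tuple(sorted(banned)),
            "scan_interval_s": min(int(policy["scan_interval_s"]), 60),
            "blocked_sources": tuple(sorted(blocked))}
```

Sources on the administrative allow-list are never counted, and a single failed attempt from another unknown address (203.0.113.9 in the sample) stays below the threshold, so the threat information names only the source that actually produced the burst.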
In some embodiments, after the Swift gateway is triggered to send the security alarm to the security management platform when the memory data is abnormal, the method further includes:
Acquiring a memory snapshot of the abnormal condition of the memory data;
Analyzing the memory snapshot based on a memory evidence obtaining tool, determining whether settlement data of the core service are consistent before and after resource migration, and triggering a data recovery flow if the settlement data are inconsistent;
performing secondary check on the settlement data after data recovery, and triggering a security event processing flow if the settlement data after data recovery still has the problem of data omission or leakage;
Judging from the memory usage curve and the alarm time point whether the abnormal condition of the memory data was caused by a sharp increase in data volume; if so, cleaning the memory data with a data cleaning technique and analysing the cleaned memory data with a malicious code detection tool.
In this embodiment, after the security alarm is triggered: if the memory holding the settlement data has shrunk sharply, the key information (amount, time and settlement place) migrated during the overseas rapid settlement is rechecked so that no important customer privacy data is lost; if the memory has grown sharply, the data is cleaned to prevent a maliciously implanted program from altering key information; and migration of the high-security service's virtual machine is suspended in time.
The type and level of the security alarm are analysed to confirm that it was caused by a memory anomaly, and the memory snapshot and related logs from the time of the anomaly are obtained as the basis for data recovery and investigation. The memory snapshot is analysed in depth with a memory forensics tool such as Volatility or Rekall: the key settlement data (amount, time, settlement place and so on) is extracted and compared with the pre-migration data to judge whether data has been lost or tampered with. If key settlement data is missing or inconsistent, the data recovery flow is triggered and the complete settlement data is re-acquired, either by rolling back to the pre-migration state or by retrieving it from the backup system. The restored settlement data is checked a second time, especially the parts that concern customer privacy such as account numbers, names and addresses, to ensure that nothing is missing or leaked; if a problem is found, the response follows the data security event processing flow. Whether the memory anomaly was caused by a sharp increase or decrease of data is judged from the memory usage curve and the alarm time point; in the case of memory growth, data cleaning techniques such as allow-list filtering and behaviour analysis are used to identify and remove suspicious processes, files and network connections. The cleaned memory data is then virus-scanned and behaviourally analysed with malicious code detection tools such as VirusTotal or Cuckoo Sandbox to determine whether a malicious program was implanted or key data tampered with; if so, it is isolated and cleaned up.
And starting an emergency plan according to the severity and the influence range of the security alarm, suspending the migration of the virtual machine of the affected service, and resuming the migration after the data recovery and the system reinforcement are completed, so as to ensure the continuity of the service and the integrity of the data.
Specifically, when the security monitoring system detects a memory anomaly of this severity level, a snapshot of system memory at the moment of the alarm is obtained first: the LiME (Linux Memory Extractor) kernel module is loaded as a device driver and exports the memory to a disk file such as mem.dump. The snapshot is then analysed with Volatility. The linux_pslist plug-in lists the processes present when the alarm occurred; if a suspicious process such as an attack tool (sqlmap, nmap and the like) is found, the alarm can be attributed to an intrusion. Next it must be checked whether the critical settlement data has been tampered with or deleted. The linux_find_file plug-in locates key files in memory, such as /usr/local/swift/bin/swift-config, and the file content is exported (linux_find_file can write the located file out; linux_dump_map exports a process's mapped memory ranges) and compared with the pre-migration file. If the file hash differs, the file has been tampered with; SHA-256 should be used for this comparison, since MD5 is no longer collision-resistant and only serves to match legacy baselines. The linux_strings plug-in can also search memory for keywords such as "amount=10000", "date=20230401" and "location=NewYork" to see whether a complete settlement record is present; if it is not, the data may have been deleted. If tampering or deletion is confirmed, the emergency plan is triggered immediately: all running virtual machine migration tasks are suspended and the connection to the external network is cut to prevent further loss of data. Settlement data is then restored from the backup system, for example by synchronising the backup server's copy into the production environment with a tool such as rsync, and the integrity check is repeated to confirm that the data is consistent.
If the memory anomaly was caused by a sharp increase in data volume, it must be considered whether a malicious program is generating large amounts of garbage data in the background. The Volatility linux_procfs plug-in can show a process's I/O statistics; a process whose written byte count is far above that of every other process, for instance 10 GB/s, is likely to be malicious. The linux_procdump plug-in exports the executable of the suspicious process, which is then submitted to an online virus scanning platform such as VirusTotal; if the report shows common malicious code traits such as packing, anti-debugging or code injection, the malicious behaviour needs further analysis. A file submitted to a public scanning service is shared with that service's other subscribers, so a sample that may embed settlement data should first be looked up by hash, or analysed in a private sandbox. A malicious code analysis environment can be built with Cuckoo Sandbox: the suspicious file is run in the sandbox, its behaviour log is collected (file reads and writes, configuration or registry modification, network communication and so on), and its main functions and purpose are worked out with a disassembler such as IDA Pro. For example, if the malicious code tries to connect to a known C&C server, such as 23.95.211.99, and downloads an encrypted payload, it can be judged to be a remote-access Trojan; if it modifies the system's login configuration, such as changing the sshd port to 8888, it may be establishing a backdoor; if it reads large numbers of sensitive files such as /etc/shadow or /var/lib/mysql, data is probably being stolen.
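Two of the checks in the preceding two paragraphs, the settlement-record search over the memory image and the per-process write-rate test, are reproduced below on constructed data. This is an added example, not the patent's code and not a Volatility plug-in: the in-memory record layout, the sample records, the process counters and the outlier factor are assumptions, and the memory image is built inline.

```python
"""Post-alarm checks on a memory snapshot (added example).

Illustrative code, not the patent's implementation and not a Volatility
plug-in. It reproduces two of the checks described above on constructed
data: (1) a linux_strings-style search of a memory image for the expected
settlement records, distinguishing a record whose amount was altered from
one that is gone entirely, plus a SHA-256 comparison of a recovered file
against its pre-migration hash; (2) a per-process write-rate outlier test
of the kind the text applies to process I/O statistics. Record layout,
field names and the sample processes are assumptions.
"""
import hashlib
import re
from typing import Dict, List

# Pre-migration settlement records (constructed; fields from the page).
PRE_MIGRATION = [
    {"amount": "10000", "date": "20230401", "location": "NewYork"},
    {"amount": "2500", "date": "20230402", "location": "London"},
    {"amount": "730", "date": "20230403", "location": "Tokyo"},
]


def record_bytes(rec: Dict[str, str]) -> bytes:
    """Assumed in-memory layout of one settlement record."""
    return f"amount={rec['amount']};date={rec['date']};location={rec['location']}".encode()


def build_image(records: List[Dict[str, str]]) -> bytes:
    """Constructed memory image: records scattered among filler bytes."""
    filler = bytes(range(256)) * 4
    return filler + filler.join(record_bytes(r) for r in records) + filler


def check_settlement_records(image: bytes, expected: List[Dict[str, str]]) -> Dict[str, object]:
    """Classify each expected record as present, tampered (same date and
    place, different amount) or deleted (no trace of the record at all)."""
    tampered, deleted = [], []
    for rec in expected:
        if record_bytes(rec) in image:
            continue
        pattern = (rb"amount=(\d+);date=" + re.escape(rec["date"].encode())
                   + rb";location=" + re.escape(rec["location"].encode()))
        m = re.search(pattern, image)
        if m:
            tampered.append({**rec, "found_amount": m.group(1).decode()})
        else:
            deleted.append(rec)
    return {"consistent": not tampered and not deleted,
            "tampered": tampered, "deleted": deleted}


def file_unchanged(recovered: bytes, pre_migration_sha256: str) -> bool:
    """Compare a file carved from memory with its pre-migration SHA-256
    (SHA-256 rather than MD5, which is no longer collision-resistant)."""
    return hashlib.sha256(recovered).hexdigest() == pre_migration_sha256


def io_outliers(samples: Dict[str, Dict[str, int]], interval_s: float,
                factor: float = 10.0) -> List[Dict[str, object]]:
    """Processes whose write rate exceeds `factor` times the median rate.

    `samples` maps "pid/comm" to write_bytes counters (as read from
    /proc/<pid>/io) taken at the start and end of `interval_s` seconds.
    """
    rates = {p: (c["end"] - c["start"]) / interval_s for p, c in samples.items()}
    ordered = sorted(rates.values())
    median = ordered[len(ordered) // 2]
    limit = factor * max(median, 1.0)
    return [{"proc": p, "write_bytes_per_s": r} for p, r in rates.items() if r > limit]
```

Comparing against the median rather than the mean keeps one runaway writer from dragging the threshold up and hiding itself; the tampered/deleted split matters operationally because a tampered record is restored from backup and investigated, whereas a missing one may simply have been paged out and should be checked against the migration target before the recovery flow is started.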
According to the analysis result of the malicious code, a corresponding clearing and repairing scheme can be formulated, such as deleting the malicious code and the file generated by the malicious code, recovering tampered configuration, resetting the leaked credentials and the like, and a cloud service provider can be contacted to isolate and reconstruct the infected virtual machine so as to prevent the malicious code from spreading. Finally, the security events need to be summarized, the processes of memory anomaly detection and malicious code analysis are perfected, the security policy of virtual machine migration is optimized, for example, the technologies of memory encryption, integrity check and the like are adopted, the overall defensive capability of the system is improved, and the occurrence of similar events is reduced as much as possible.
Referring to fig. 2, an embodiment of the present invention provides a cloud computing-based online service computing power optimization system 2, the system 2 comprising:
the first optimizing module 201 is configured to deploy a front-end service layer and a back-end processing layer of the banking system to a first computing node and a second computing node, where the first computing node is a high-performance computing node, and the second computing node is a high-throughput computing node;
A second optimizing module 202, configured to divide a virtualized resource pool into a first virtualized resource pool and a second virtualized resource pool, where the first virtualized resource pool is used for storing core services, and the second virtualized resource pool is used for storing normal services;
A third optimization module 203, configured to determine a security level of each service, and set a security management mechanism of the virtual machine according to the security level of each service;
a fourth optimizing module 204, configured to sort priorities of each service in the first virtualized resource pool and the second virtualized resource pool based on an analytic hierarchy process, form a service priority list, and implement resource allocation for each service according to the service priority list;
A fifth optimizing module 205, configured to obtain performance data of the virtual machine in real time, analyze a resource usage situation of the virtual machine according to an anomaly detection algorithm through the performance data, and perform dynamic resource scheduling when the anomaly situation occurs in the virtual machine;
a sixth optimization module 206, configured to set a regression model for the core service according to the resource usage amount and KPI, and predict expected processing time of the core service under different resource allocation schemes according to the regression model;
A seventh optimizing module 207, configured to combine the service division and the security level to perform virtual machine resource allocation, prohibit resource migration for the virtual machines corresponding to the service with a high security level, obtain a resource migration risk between each virtual machine, and determine whether the current virtual machine is allowed to perform resource migration to the target host;
And an eighth optimizing module 208, configured to monitor the use condition of the computing power resource of the banking system in real time, and determine whether the virtual machine corresponding to the high-security core service can perform resource migration and the resource migration volume according to the expected processing time and the resource migration risk when the high-security core service cannot meet the timeliness requirement.
It can be understood that the content of the cloud computing online service computing power optimization method embodiment shown in fig. 1 applies to the cloud computing online service computing power optimization system embodiment: the functions realized by the system embodiment, and the beneficial effects it achieves, are the same as those of the method embodiment shown in fig. 1.
It should be noted that, because the content of information interaction and execution process between the above systems is based on the same concept as the method embodiment of the present invention, specific functions and technical effects thereof may be referred to in the method embodiment section, and will not be described herein.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the system is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
Each of the foregoing embodiments emphasises different aspects; for any part not described or illustrated in a particular embodiment, reference is made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the disclosed embodiments of the application, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other ways. For example, the apparatus/terminal device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical function division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Claims (9)
1. A cloud computing-based online service computing power optimization method, the method comprising:
the method comprises the steps that a front-end service layer and a back-end processing layer of a banking system are respectively deployed on a first computing node and a second computing node, wherein the first computing node is a high-performance computing node, and the second computing node is a high-throughput computing node;
Dividing a virtualized resource pool into a first virtualized resource pool and a second virtualized resource pool, wherein the first virtualized resource pool is used for storing core services, and the second virtualized resource pool is used for storing common services;
determining the security level of each service, and setting a security management mechanism of the virtual machine according to the security level of each service;
Based on an analytic hierarchy process, respectively sequencing priorities of the services of the first virtualized resource pool and the second virtualized resource pool to form a service priority list, and realizing resource allocation of the services according to the service priority list;
Acquiring performance data of the virtual machine in real time, analyzing the resource use condition of the virtual machine according to an abnormality detection algorithm through the performance data, and performing dynamic resource scheduling when the abnormality condition occurs to the virtual machine;
Setting a regression model for the core service according to the resource usage amount and the KPI, and predicting the expected processing time of the core service under different resource allocation schemes according to the regression model;
Performing virtual machine resource allocation by combining service division and security level, prohibiting resource migration for the virtual machines corresponding to the service with high security level, acquiring resource migration risk between each virtual machine, and determining whether the current virtual machine is allowed to perform resource migration to the target host;
and monitoring the service condition of the computing power resources of the banking business system in real time, and determining whether the virtual machine corresponding to the high-security core business can perform resource migration and the resource migration volume according to the expected processing time and the resource migration risk when the high-security core business cannot meet the timeliness requirement.
2. The method according to claim 1, wherein determining the security level of each service and setting the security management mechanism of the virtual machine according to the security level of each service specifically includes:
based on an information security risk assessment model, acquiring a risk value of each service through a service risk assessment factor, and determining the security level of each service according to the risk value;
According to the security level of each service, a multi-level virtualized security domain is set, and isolation and interaction between virtual machines corresponding to the services with different security levels are determined through the virtualized security domain;
determining the operation authorities of different manager roles of the virtual machine according to the RBAC model;
DPI detection is carried out for network traffic among a plurality of interactable virtual machines, traffic detection data are obtained, an anomaly detection model is established according to the traffic detection data, the anomaly detection model is used for detecting whether the interaction among the plurality of virtual machines has abnormal traffic, and if the interaction exists, the abnormal traffic is blocked or limited.
3. The method according to claim 1, wherein sorting the priorities of the respective services of the first virtualized resource pool and the second virtualized resource pool based on an analytic hierarchy process to form a service priority list specifically includes:
according to the multiple service evaluation dimensions, obtaining importance weights and timeliness weights of the services of the first virtualized resource pool and the second virtualized resource pool through an analytic hierarchy process;
And respectively determining the priority of each service of the first virtualized resource pool and the priority of each service of the second virtualized resource pool according to the importance weight and the timeliness weight to form a service priority list.
4. The method according to claim 1, wherein the allocating resources to each service according to the service priority list specifically includes:
Based on the service priority list, realizing resource scheduling of each service according to a multi-stage feedback queue algorithm, a time slice rotation algorithm and an aging algorithm;
Establishing a resource cost model according to resource unit price and service income at different times;
determining the resource demand trend of the first virtualized resource pool and the second virtualized resource pool in a preset future time period according to a time sequence algorithm;
and determining an optimal resource allocation scheme according to the resource cost model and the resource demand trend.
5. The method according to claim 1, wherein the analyzing the resource usage of the virtual machine according to the anomaly detection algorithm through the performance data, and performing dynamic resource scheduling when the anomaly occurs in the virtual machine, specifically comprises:
forming a multi-dimensional time sequence data set according to the performance data of the virtual machine;
Performing cluster analysis on the multi-dimensional time series data set based on a K-Means algorithm, and determining K performance pattern clusters from the Euclidean distances between the data points of the multi-dimensional time series data set, computed over each pair of dimensions;
Determining whether the virtual machine has abnormal resource use conditions according to the comparison between the value of the central point of each performance mode cluster and a preset value;
When the virtual machine has abnormal resource use conditions, a response time regression model is established according to historical response time data of corresponding services of the virtual machine under different resource use conditions, and dynamic resource scheduling is carried out for the virtual machine through the response time regression model.
6. The method according to claim 1, wherein the obtaining the risk of resource migration between each virtual machine, and determining whether the current virtual machine is allowed to migrate resources to the target host, specifically comprises:
Obtaining migration risk factors of each virtual machine, and setting different weights for each migration risk factor, wherein the migration risk factors comprise performance loss, interruption time and target host resource utilization rate in the migration process;
acquiring a migration process actual value corresponding to each migration risk factor of each virtual machine, and determining the migration risk value of each virtual machine according to the weight of each migration risk factor and the migration process actual value;
And determining whether the current virtual machine is allowed to carry out resource migration on the target host according to the comparison between the migration risk value and the preset migration risk value.
7. The method according to any one of claims 1 to 6, further comprising:
Based on a memory symmetry detection algorithm, monitoring memory data of the virtual machine corresponding to the core service in real time in a resource migration process, and obtaining memory fingerprint characteristics;
Based on a machine learning algorithm, a memory abnormality detection model is established through the memory fingerprint characteristics, and whether the memory data is abnormal or not is detected according to the memory abnormality detection model;
Triggering a Swift gateway to send a security alarm to a security management platform when the memory data is abnormal;
Recording the memory data according to the Swift gateway and forming log data, and performing association analysis on the log data to form threat information;
and dynamically adjusting the strategy and parameters of the virtual machine corresponding to the core service in the resource migration process based on the threat information.
8. The method of claim 7, wherein, after the Swift gateway is triggered to send the security alarm to the security management platform when the abnormal condition occurs in the memory data, the method further comprises:
Acquiring a memory snapshot of the abnormal condition of the memory data;
Analyzing the memory snapshot based on a memory evidence obtaining tool, determining whether settlement data of the core service are consistent before and after resource migration, and triggering a data recovery flow if the settlement data are inconsistent;
performing secondary check on the settlement data after data recovery, and triggering a security event processing flow if the settlement data after data recovery still has the problem of data omission or leakage;
Judging whether the abnormal condition of the memory data is caused by the large data increment according to the memory usage curve and the alarm time point, if so, adopting a data cleaning technology to clean the memory data, and analyzing the memory data after the data cleaning through a malicious code detection tool.
9. A cloud computing based online service computing power optimization system, the system comprising:
the first optimization module is used for deploying the front-end service layer and the back-end processing layer of the banking system on a first computing node and a second computing node respectively, wherein the first computing node is a high-performance computing node and the second computing node is a high-throughput computing node;
the second optimization module is used for dividing the virtualized resource pool into a first virtualized resource pool and a second virtualized resource pool, wherein the first virtualized resource pool hosts core services and the second virtualized resource pool hosts common services;
the third optimization module is used for determining the security level of each service and setting the security management mechanism of the virtual machines according to the security level of each service;
the fourth optimization module is used for ranking the priorities of the services in the first virtualized resource pool and the second virtualized resource pool by the analytic hierarchy process to form a service priority list, and for allocating resources to the services according to the service priority list;
the fifth optimization module is used for acquiring performance data of the virtual machines in real time, analysing the resource usage of each virtual machine from the performance data with an anomaly detection algorithm, and performing dynamic resource scheduling when an anomalous condition occurs on a virtual machine;
the sixth optimization module is configured to build a regression model for each core service from its resource usage and KPIs, and to predict the expected processing time of the core service under different resource allocation schemes from that regression model;
the seventh optimization module is configured to perform virtual machine resource allocation by combining the service division with the security levels, to prohibit resource migration for the virtual machines of services with a high security level, to obtain the resource migration risk between the virtual machines, and to determine whether the current virtual machine is allowed to migrate resources to the target host;
and the eighth optimization module is used for monitoring the use of the banking system's computing power resources in real time and, when a high-security core service cannot meet its timeliness requirement, determining from the expected processing time and the resource migration risk whether the virtual machine of that high-security core service may migrate resources, and the resource migration volume.
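The eight modules above describe one decision pipeline: AHP ranking, anomaly detection on performance data, a regression model for expected processing time, a migration-risk check, and a default-deny rule for high-security virtual machines with a controlled exception when a core service misses its timeliness requirement. The following Python sketch is an added illustration of that pipeline and is not code from the patent; the pairwise comparison matrix, the performance samples, the `time = a + b/cores` model form, the risk formula and its weights, the `RISK_LIMIT` threshold and every VM and host value are constructed assumptions chosen only to make the policy concrete.

```python
"""Added worked example of the claimed migration policy (not patent code).

All numbers, the risk formula and the thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from math import prod, sqrt

# --- module 4: AHP priority weights via the row-geometric-mean approximation
# of the principal eigenvector of a Saaty pairwise-comparison matrix.
def ahp_weights(pairwise):
    n = len(pairwise)
    gm = [prod(row) ** (1.0 / n) for row in pairwise]
    total = sum(gm)
    return [g / total for g in gm]

def priority_list(names, pairwise):
    """Service priority list, highest weight first."""
    return sorted(zip(names, ahp_weights(pairwise)), key=lambda t: -t[1])

# --- module 5: flag a CPU sample that lies k standard deviations above the
# VM's recent baseline (simple z-score anomaly detector, an assumption).
def is_anomalous(history, latest, k=2.0):
    mean = sum(history) / len(history)
    std = sqrt(sum((h - mean) ** 2 for h in history) / len(history))
    return latest > mean + k * max(std, 1e-9)

# --- module 6: least-squares fit of processing time on 1/cores, i.e.
# time = a + b / cores, from (cores, time_ms) KPI samples.
def fit_time_model(samples):
    xs = [1.0 / c for c, _ in samples]
    ys = [t for _, t in samples]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return (my - b * mx, b)

def expected_time(model, cores):
    a, b = model
    return a + b / cores

# --- module 7: migration risk between a VM and a candidate target host.
@dataclass
class VM:
    name: str
    security: str   # "high" | "medium" | "low"
    core: bool      # True = core service pool, False = common service pool
    zone: str
    cores: int
    mem_gb: float
    sla_ms: float   # timeliness requirement

@dataclass
class Host:
    name: str
    zone: str
    load: float     # current utilisation in [0, 1]

RISK_LIMIT = 0.6    # assumed acceptance threshold

def migration_risk(vm, host):
    # Assumed weighting: target load, crossing a security zone, data volume.
    return (0.5 * host.load
            + 0.3 * (vm.zone != host.zone)
            + 0.2 * min(vm.mem_gb / 64.0, 1.0))

def migration_allowed(vm, host):
    if vm.security == "high":
        return False    # default rule: high-security VMs do not migrate
    return migration_risk(vm, host) < RISK_LIMIT

# --- module 8: exception path for a high-security core service that misses
# its SLA. Returns (decision, cores_to_migrate).
def plan_high_security_migration(vm, host, model, schemes):
    if not (vm.security == "high" and vm.core):
        return ("not-applicable", 0)
    if expected_time(model, vm.cores) <= vm.sla_ms:
        return ("meets-sla", 0)
    bigger = sorted(c for c in schemes if c > vm.cores)
    needed = next((c for c in bigger if expected_time(model, c) <= vm.sla_ms), None)
    if needed is None:
        return ("no-scheme-meets-sla", 0)
    if migration_risk(vm, host) >= RISK_LIMIT:
        return ("denied-risk", 0)
    return ("migrate", needed - vm.cores)

if __name__ == "__main__":
    names = ["core-payment", "core-ledger", "common-report"]        # constructed
    matrix = [[1, 2, 5], [0.5, 1, 3], [0.2, 1 / 3, 1]]             # constructed
    print("priority list:", priority_list(names, matrix))
    model = fit_time_model([(2, 410), (4, 210), (8, 110)])         # constructed KPIs
    pay = VM("core-payment", "high", True, "zone-a", 4, 16, 150)
    hostA = Host("h-a", "zone-a", 0.3)
    hostB = Host("h-b", "zone-b", 0.9)
    print("anomaly:", is_anomalous([20, 22, 21, 19, 23], 60))
    print("to h-a:", plan_high_security_migration(pay, hostA, model, [4, 8, 16]))
    print("to h-b:", plan_high_security_migration(pay, hostB, model, [4, 8, 16]))
```

The default-deny rule in `migration_allowed` is what the seventh module prescribes; `plan_high_security_migration` only overrides it when the regression model says no current allocation meets the SLA and the risk score for the specific target host stays under the limit, and the migration volume it returns is the core shortfall rather than the whole VM.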
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410775448.4A CN118484267B (en) | 2024-06-17 | 2024-06-17 | Cloud computing-based online service computing power optimization method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410775448.4A CN118484267B (en) | 2024-06-17 | 2024-06-17 | Cloud computing-based online service computing power optimization method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118484267A CN118484267A (en) | 2024-08-13 |
CN118484267B true CN118484267B (en) | 2024-10-29 |
Family ID=92195155
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410775448.4A Active CN118484267B (en) | 2024-06-17 | 2024-06-17 | Cloud computing-based online service computing power optimization method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118484267B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023109068A1 (en) * | 2021-12-17 | 2023-06-22 | 中电信数智科技有限公司 | Automatic virtual machine migration decision-making method based on user experience in multi-cloud environment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10942769B2 (en) * | 2018-11-28 | 2021-03-09 | International Business Machines Corporation | Elastic load balancing prioritization |
2024
- 2024-06-17 CN CN202410775448.4A patent/CN118484267B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN118484267A (en) | 2024-08-13 |
Similar Documents
Publication | Title |
---|---|
US11652852B2 (en) | Intrusion detection and mitigation in data processing |
US10057285B2 (en) | System and method for auditing governance, risk, and compliance using a pluggable correlation architecture |
US10341355B1 (en) | Confidential malicious behavior analysis for virtual computing resources |
US20130198840A1 (en) | Systems, methods and computer programs providing impact mitigation of cyber-security failures |
US20220222345A1 (en) | Automatic ransomware detection with an on-demand file system lock down and automatic repair function |
US10558810B2 (en) | Device monitoring policy |
US11693963B2 (en) | Automatic ransomware detection with an on-demand file system lock down and automatic repair function |
KR20230156129A (en) | Blockchain-based responsible distributed computing system |
CN112688914A (en) | Intelligent cloud platform dynamic sensing method |
RU2557476C2 (en) | Robust and secure hardware-computer system in cloud computing environment |
CN116244046A (en) | Mechanism for reducing exposure of sensitive telemetry data in a computing network |
CN115080291A (en) | Container abnormal behavior processing method and device |
US11755374B2 (en) | Cloud resource audit system |
CN117319212B (en) | Multi-tenant isolated password resource automatic scheduling system and method in cloud environment |
CN118484267B (en) | Cloud computing-based online service computing power optimization method and system |
US11314874B2 (en) | Big data distributed processing and secure data transferring with resource allocation and rebate |
US11363029B2 (en) | Big data distributed processing and secure data transferring with hyper fencing |
US20210209202A1 (en) | Big Data Distributed Processing and Secure Data Transferring with Obfuscation |
CN111641652A (en) | Application security service platform based on cloud computing |
CN116700901A (en) | Container construction and operation system and method based on microkernel |
CN116522355A (en) | Electric power data boundary protection method, equipment, medium and device |
CN114363079A (en) | Distributed intelligent data supervision system of cloud platform |
Li et al. | Attack models for big data platform hadoop |
Fan et al. | Research on Cloud Computing Security Problems and Protection Countermeasures |
Saadatfar et al. | A job submission manager for large-scale distributed systems based on job futurity predictor |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |