WO2023061366A1

WO2023061366A1 - Resource access method and apparatus

Info

Publication number: WO2023061366A1
Application number: PCT/CN2022/124629
Authority: WO
Inventors: 陈学梁
Original assignee: Huawei Technologies Co Ltd
Current assignee: Huawei Technologies Co Ltd
Priority date: 2021-10-14
Filing date: 2022-10-11
Publication date: 2023-04-20
Anticipated expiration: 2024-04-14
Also published as: CN115987534A

Abstract

The present application relates to the technical field of communications, and is used for providing a mechanism for determining a security risk that may occur in a mobile edge (ME) host. Provided are a resource access method and apparatus. The resource access method comprises: a first network element receiving information of a mobile edge host from a second network element, wherein the information of the mobile edge host comprises first information of a resource, which is provided by the mobile edge host, and/or second information that indicates behavior of accessing the mobile edge host; and determining a risk state according to the information of the mobile edge host, so as to provide a mechanism for determining a security risk of the ME host. In addition, the first network element determines a resource policy according to the risk state, and uses the corresponding resource policy, such that the security risk of the ME host is reduced in a timely manner, and the security of the ME host is improved, thereby improving the security of an MEC architecture.

Description

Resource access method and device

相关申请的交叉引用Cross References to Related Applications

本申请要求在2021年10月14日提交中国专利局、申请号为202111198509.8、申请名称为“一种资源访问方法及装置”的中国专利申请的优先权，其全部内容通过引用结合在本申请中。This application claims the priority of the Chinese patent application with the application number 202111198509.8 and the application title "A resource access method and device" submitted to the China Patent Office on October 14, 2021, the entire contents of which are incorporated by reference in this application .

technical field

本申请涉及通信技术领域，尤其涉及一种资源访问方法及装置。The present application relates to the field of communication technologies, and in particular to a resource access method and device.

Background technique

多接入边缘计算(multi-access edge computing，MEC)架构为网络运营商和服务提供商提供了云计算和信息技术(information technology，IT)的服务环境。MEC架构包括移动边缘系统层(mobile edge system level)和ME主机层(mobile edge host level)。ME系统层用于全局掌控ME主机层，ME主机层包括ME主机以及用于管理ME主机的移动边缘平台管理器(mobile edge platform manager，MEPM)。第三方客户(例如，应用(application，APP)提供商)可将APP部署在MEC架构中的ME主机上，APP利用ME主机上的资源运行。其中，第三方客户可理解为使用MEC架构中的资源使用方，不属于该MEC架构。The multi-access edge computing (MEC) architecture provides a cloud computing and information technology (IT) service environment for network operators and service providers. The MEC architecture includes mobile edge system level and ME host level. The ME system layer is used to control the ME host layer globally. The ME host layer includes the ME host and a mobile edge platform manager (MEPM) for managing the ME host. A third-party client (for example, an application (application, APP) provider) may deploy the APP on the ME host in the MEC architecture, and the APP runs using resources on the ME host. Among them, third-party customers can be understood as users of resources in the MEC architecture, which do not belong to the MEC architecture.

为了保证MEC架构的安全性，目前提供了一种安全访问机制，通过该安全访问机制可对请求访问ME主机上的应用的外部用户的身份进行验证，如果身份验证通过，则允许该外部用户访问ME主机上的应用。这种安全访问机制可对外部用户的身份进行验证，能够排除身份不合法的外部用户。但这种安全访问机制仅对外部用户进行验证，但并未考虑ME主机内部可能出现的安全风险。In order to ensure the security of the MEC architecture, a security access mechanism is currently provided, through which the identity of the external user who requests to access the application on the ME host can be verified, and if the authentication passes, the external user is allowed to access Applications on the ME host. This security access mechanism can verify the identity of external users, and can exclude external users with illegal identities. However, this security access mechanism only authenticates external users, but does not consider possible security risks inside the ME host.

发明内容Contents of the invention

本申请实施例提供了一种资源访问方法及装置，用于提供一种确定ME主机可能出现的安全风险的机制。Embodiments of the present application provide a resource access method and device, which are used to provide a mechanism for determining possible security risks of an ME host.

第一方面，本申请实施例提供一种资源访问方法，该方法可以由第一网元执行，第一网元例如运营支持系统OSS或MEPM，或者第一网元为具有OSS或MEPM功能的通信装置，或者第一网元为具有OSS或MEPM功能的芯片系统等。该方法包括：第一网元从第二网元接收移动边缘主机的信息，所述移动边缘主机的信息包括第一资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息，所述第一资源为所述移动边缘主机提供的资源；所述第一网元根据所述移动边缘主机的信息确定风险状态，所述风险状态用于指示所述移动边缘主机是否存在安全风险；所述第一网元根据所述风险状态确定资源策略，所述资源策略用于指示访问所述移动边缘主机提供的资源的策略。其中，第二网元例如ME主机或MEPM，或者第二网元为具有ME主机或MEPM的通信装置，或者第二网元为具有ME主机或MEPM的芯片系统等。In the first aspect, the embodiment of the present application provides a resource access method, which can be executed by a first network element, such as an operation support system OSS or MEPM, or a communication network element with OSS or MEPM functions. The device, or the first network element is a chip system with an OSS or MEPM function. The method includes: the first network element receives information of a mobile edge host from a second network element, and the information of the mobile edge host includes first information of a first resource and/or second information indicating a behavior of accessing the mobile edge host Information, the first resource is a resource provided by the mobile edge host; the first network element determines the risk status according to the information of the mobile edge host, and the risk status is used to indicate whether the mobile edge host has security Risk: the first network element determines a resource policy according to the risk state, and the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host. Wherein, the second network element is, for example, an ME host or an MEPM, or the second network element is a communication device having the ME host or the MEPM, or the second network element is a chip system having the ME host or the MEPM, and the like.

在本申请实施例中，第一网元可根据第一信息和/或第二信息分析ME主机的风险状态，提供了一种确定ME主机的风险状态的机制，以确定ME主机可能出现的安全风险，本申请实施例由于考虑了ME主机内部可能出现的安全问题，因此可提升ME主机的安全性，也就能提升MEC架构的安全性。并且，如果ME主机存在安全风险，还可采取相应的资源策略，以及时地降低ME主机的安全风险，进一步保证了MEC架构的安全性。In the embodiment of this application, the first network element can analyze the risk status of the ME host according to the first information and/or the second information, and provide a mechanism for determining the risk status of the ME host, so as to determine the possible security risks of the ME host. Risks, because the embodiment of the present application considers the security issues that may occur inside the ME host, so the security of the ME host can be improved, and the security of the MEC architecture can also be improved. Moreover, if the ME host has a security risk, corresponding resource policies can be adopted to reduce the security risk of the ME host in a timely manner, further ensuring the security of the MEC architecture.

在一种可能的实施方式中，所述第一网元根据所述移动边缘主机的信息确定风险状态，包括：所述第一网元确定所述第一信息对应的第二资源是否异常，其中，如果所述第一信息对应的资源异常，确定所述风险状态为所述移动边缘主机存在被入侵的风险，所述第二资源属于所述第一资源；和/或，所述第一网元确定所述第二信息对应的行为是否异常，其中，如果所述第二信息对应的行为异常，确定所述风险状态为所述移动边缘主机存在被入侵的风险。In a possible implementation manner, the first network element determining the risk status according to the information of the mobile edge host includes: the first network element determining whether the second resource corresponding to the first information is abnormal, wherein , if the resource corresponding to the first information is abnormal, determining that the risk status is that the mobile edge host has a risk of being invaded, and the second resource belongs to the first resource; and/or, the first network The element determines whether the behavior corresponding to the second information is abnormal, wherein, if the behavior corresponding to the second information is abnormal, it is determined that the risk status is that the mobile edge host has a risk of being invaded.

在上述实施方式中，提供了多种确定ME主机的风险状态的方式。由于第一网元从第二网元接收第一信息和/或第二信息，这使得第一网元获取第一信息和/或第二信息的方式相对简单，且第一网元可直接对第一信息和/或第二信息进行分析，便可确定ME主机的风险状态，这样，使得第一网元确定该ME主机的风险状态的过程也简单。In the above embodiments, multiple ways of determining the risk status of the ME host are provided. Since the first network element receives the first information and/or the second information from the second network element, the way for the first network element to obtain the first information and/or the second information is relatively simple, and the first network element can directly By analyzing the first information and/or the second information, the risk status of the ME host can be determined. In this way, the process for the first network element to determine the risk status of the ME host is also simple.

在一种可能的实施方式中，所述第二资源包括第一硬件，所述第一信息包括第一标识，所述第一标识为所述第一硬件的标识；所述第一网元确定所述第一信息对应的第二资源是否异常，包括：如果所述第一标识与预存的第二标识不匹配，和/或所述第一标识与第三标识不匹配，所述第一网元确定所述第一硬件异常，所述第三标识为从第三网元接收的标识，且为第二硬件的标识，所述第二硬件为所述第一硬件变更后的硬件。In a possible implementation manner, the second resource includes first hardware, and the first information includes a first identifier, where the first identifier is an identifier of the first hardware; the first network element determines Whether the second resource corresponding to the first information is abnormal includes: if the first identifier does not match the pre-stored second identifier, and/or the first identifier does not match the third identifier, the first network The element determines that the first hardware is abnormal, the third identifier is an identifier received from a third network element, and is an identifier of second hardware, and the second hardware is hardware after the first hardware has been changed.

在上述实施方式中，第一网元可分析第一信息包括的第一硬件的第一标识与预存的第二标识是否匹配，和/或分析第一标识和从第三网元接收的第三标识是否匹配，进而确定ME主机中的第一硬件是否异常，提供了一种确定第二资源是否异常的方式。并且，匹配不同的标识，从而确定ME主机的第一硬件是否异常，这其中没有涉及复杂的数据分析过程，使得确定ME主机的风险状态的方式相对简单。并且，第三标识为第一硬件变更后的硬件的标识，将第一标识与第三标识进行匹配，这样考虑了第一硬件正常变更的情况，这样使得确定出的ME主机的风险状态的可靠性更高。In the above embodiment, the first network element may analyze whether the first identification of the first hardware included in the first information matches the pre-stored second identification, and/or analyze the first identification and the third identification received from the third network element. Whether the identifiers match, and then determine whether the first hardware in the ME host is abnormal provides a way to determine whether the second resource is abnormal. Moreover, matching different identifiers to determine whether the first hardware of the ME host is abnormal does not involve a complex data analysis process, making it relatively simple to determine the risk status of the ME host. Moreover, the third identification is the identification of the hardware after the first hardware change, and the first identification is matched with the third identification, which takes into account the normal change of the first hardware, so that the determined risk status of the ME host is reliable. Sex is higher.

在一种可能的实施方式中，所述第二资源包括所述移动边缘主机的第一类端口，所述第一类端口属于所述移动边缘主机中已开放的端口；所述第一网元确定所述第一信息对应的第二资源是否异常，包括：所述第一网元从第三网元接收第二类端口的信息，所述第二类端口为所述第三网元已向所述移动边缘主机申请开放的端口；如果所述第一类端口中的一个或多个端口不属于所述第二类端口，所述第一网元确定所述一个或多个端口异常。In a possible implementation manner, the second resource includes a first type port of the mobile edge host, and the first type port belongs to an opened port in the mobile edge host; the first network element Determining whether the second resource corresponding to the first information is abnormal includes: the first network element receiving information about a port of a second type from a third network element, where the port of the second type is the port that the third network element has sent to The mobile edge host applies for open ports; if one or more ports in the first type of ports do not belong to the second type of ports, the first network element determines that the one or more ports are abnormal.

在上述实施方式中，提供了一种确定ME主机提供的资源是否异常的方式。第一网元可分析ME主机已开放的第一类端口中是否存在未授权的端口，进而确定第二资源是否异常，无需经过复杂的数据分析处理，确定第二资源是否异常的方式相对简单。并且，该方式能够明确地确定出哪些端口是ME主机中已开放但未授权的端口，以便于后续对这些端口进行关闭等，有利于有针对性地降低ME主机存在的风险。In the foregoing implementation manners, a manner of determining whether the resource provided by the ME host is abnormal is provided. The first network element can analyze whether there are unauthorized ports in the first type of ports opened by the ME host, and then determine whether the second resource is abnormal, without complex data analysis and processing, and the method of determining whether the second resource is abnormal is relatively simple. Moreover, this method can clearly determine which ports are opened but not authorized ports in the ME host, so that these ports can be closed later, which is beneficial to reduce the risk of the ME host in a targeted manner.

在一种可能的实施方式中，所述第一网元根据所述风险状态确定资源策略，包括：如果所述风险状态为所述移动边缘主机存在被入侵的风险，所述第一网元确定所述资源策略为关闭所述一个或多个端口。In a possible implementation manner, the determining the resource policy by the first network element according to the risk status includes: if the risk status indicates that the mobile edge host has a risk of being intruded, the first network element determines The resource policy is closing the one or more ports.

在上述实施方式中，如果第一网元确定ME主机已开放的端口存在未授权的一个或多个端口，那么第一网元可以确定资源策略为关闭这一个或多个端口，后续可及时地关闭这一个或多个端口，从而降低ME主机存在的风险，提高MEC架构的安全性。In the above embodiment, if the first network element determines that there are one or more unauthorized ports on the ports that the ME host has opened, then the first network element can determine that the resource policy is to close the one or more ports, and the follow-up can be timely Close one or more ports, thereby reducing the risk of the ME host and improving the security of the MEC architecture.

在一种可能的实施方式中，所述第一网元根据所述风险状态确定资源策略，包括：如果所述风险状态为所述移动边缘主机存在被入侵的风险，所述第一网元确定所述资源策略为停用所述移动边缘主机或降低所述移动边缘主机的安全等级，其中，如果所述移动边缘主机的安全等级降低为第一安全等级，所述移动边缘主机不支持部署优先级高于第一优先级的应用，所述第一优先级是所述移动边缘主机的安全等级为所述第一安全等级的情况下可支持部署的应用的最高优先级。In a possible implementation manner, the determining the resource policy by the first network element according to the risk status includes: if the risk status indicates that the mobile edge host has a risk of being intruded, the first network element determines The resource policy is to deactivate the mobile edge host or reduce the security level of the mobile edge host, wherein, if the security level of the mobile edge host is reduced to the first security level, the mobile edge host does not support deployment priority The first priority is the highest priority of the application that can support deployment when the security level of the mobile edge host is the first security level.

在上述实施方式中，如果ME主机存在被入侵的风险，可选择停用ME主机，从而避免继续使用该ME主机引发其他更为严重的风险。或者，可选择降低ME主机的安全等级，并且安全等级越低，则ME主机支持部署的应用的最高优先级也就相对更低，这样保证高优先级的应用可部署在安全等级更高的ME主机上，以保证优先级更高的应用运行更稳定，另外，在安全等级较低的ME主机上依旧可部署优先级相对较低的应用，可以合理利用各个ME主机上的资源。In the above implementation manner, if the ME host has a risk of being invaded, the ME host may be deactivated, so as to avoid other more serious risks caused by continuing to use the ME host. Or, you can choose to lower the security level of the ME host, and the lower the security level, the lower the highest priority of the application that the ME host supports to deploy, so as to ensure that high-priority applications can be deployed on the ME with a higher security level. On the host to ensure that applications with higher priority run more stably. In addition, applications with relatively low priority can still be deployed on ME hosts with lower security levels, which can make rational use of resources on each ME host.

在一种可能的实施方式中，所述第一网元根据所述移动边缘主机的信息确定风险状态，包括：所述第一网元从第四网元接收访问请求，所述访问请求用于请求访问所述移动边缘主机的第三资源；所述第一网元根据所述移动边缘主机的信息，确定所述第三资源是否满足第一条件；如果所述第三资源不满足所述第一条件，确定所述风险状态为所述移动边缘主机存在被入侵的风险，或者，如果所述第三资源满足所述第一条件，确定所述风险状态为所述移动边缘主机不存在被入侵的风险。In a possible implementation manner, the determining the risk status by the first network element according to the information of the mobile edge host includes: the first network element receives an access request from a fourth network element, and the access request is used to Requesting access to a third resource of the mobile edge host; the first network element determines whether the third resource satisfies the first condition according to the information of the mobile edge host; if the third resource does not meet the first condition A condition, determining that the risk status is that the mobile edge host has a risk of being intruded, or, if the third resource satisfies the first condition, determining that the risk status is that the mobile edge host is not intruded risks of.

在上述实施方式中，第一网元在接收访问请求后，可根据ME主机的信息，分析该访问请求所请求的第三资源是否满足第一条件，从而确定该ME主机的风险状态，对访问请求所请求的第三资源的合法性进行分析，以排查第四网元可能存在的安全风险，从而减少了第四网元存在安全风险进而入侵ME主机的情况，提升了ME主机的安全性，进而提升了MEC架构的安全性。In the above embodiment, after receiving the access request, the first network element can analyze whether the third resource requested by the access request satisfies the first condition according to the information of the ME host, so as to determine the risk status of the ME host. Request to analyze the legitimacy of the requested third resource to check the possible security risks of the fourth network element, thereby reducing the situation that the fourth network element has security risks and then invades the ME host, and improves the security of the ME host. This improves the security of the MEC architecture.

在一种可能的实施方式中，所述第一条件包括如下一项或多项：所述第三资源所包括的资源数量未超出资源数量上限，所述资源数量上限是根据所述移动边缘主机的信息确定的；所述第三资源属于所述第一资源中可用的资源，所述第一信息包括所述第一资源的可用状态信息，所述可用状态信息用于表示所述第一资源中可用的资源；或，所述第三资源属于所述第一资源中重要程度低于预设重要程度的资源，所述第一信息包括所述第一资源的重要程度。In a possible implementation manner, the first condition includes one or more of the following: the number of resources included in the third resource does not exceed the upper limit of the number of resources, and the upper limit of the number of resources is determined according to the determined by the information; the third resource belongs to the resources available in the first resource, the first information includes availability status information of the first resource, and the availability status information is used to indicate the first resource or, the third resource belongs to a resource whose importance level is lower than a preset importance level among the first resources, and the first information includes the importance level of the first resource.

在上述实施方式中，提供了第一条件的多种可能。上述实施方式中，第一网元可根据ME主机的信息确定资源数量上限，例如，第一网元可将第一资源的数量确定为资源数量上限，进而第一网元可以确定访问请求所请求的第三资源是否超出资源数量上限，在第三资源未超出资源数量上限的情况下，确定第一网元不存在被入侵的风险，这样可以避免该访问请求耗尽ME主机的资源的情况，保证ME主机的安全性。上述实施方式中第一网元也可根据第一资源的可用状态信息，确定第三资源是否属于第一资源中可用的资源，在第三资源属于第一资源中可用的资源的情况下，确定第一网元不存在被入侵的风险，这样可避免该访问请求请求后使用ME主机中本不可用的资源的情况，提升ME主机的资源的安全性。上述实施方式中，第一网元也可以根据第一资源的重要程度，确定第三资源是否属于第一资源中重要程度低于预设重要程度的资源，在第三资源属于第一资源中重要程度低于预设重要程度的资源的情况下，确定第一网元不存在被入侵的风险，这样可避免访问请求请求过于重要的资源，以保证ME主机中重要资源的安全性。In the above embodiments, multiple possibilities of the first condition are provided. In the above embodiment, the first network element can determine the upper limit of the number of resources according to the information of the ME host. For example, the first network element can determine the number of the first resource as the upper limit of the number of resources, and then the first network element can determine the number of resources requested by the access request. Whether the third resource exceeds the upper limit of the number of resources. If the third resource does not exceed the upper limit of the number of resources, it is determined that the first network element does not have the risk of being invaded, so that the situation that the access request exhausts the resources of the ME host can be avoided. Ensure the security of the ME host. In the above embodiment, the first network element may also determine whether the third resource belongs to the resource available in the first resource according to the availability status information of the first resource, and determine whether the third resource belongs to the available resource in the first resource. The first network element does not have the risk of being invaded, which can avoid the use of unavailable resources in the ME host after the access request, and improve the security of the resources of the ME host. In the above implementation manner, the first network element may also determine whether the third resource belongs to the resources whose importance degree is lower than the preset importance degree among the first resources according to the importance degree of the first resource, and whether the third resource is important among the first resources In the case of a resource whose level is lower than the preset importance level, it is determined that the first network element does not have the risk of being invaded, so that access requests for resources that are too important can be avoided, so as to ensure the security of important resources in the ME host.

在一种可能的实施方式中，所述第一网元根据所述风险状态确定资源策略，包括：如果所述风险状态为所述移动边缘主机存在被入侵的风险，所述第一网元确定所述资源策略为拒绝访问所述第三资源；或者，如果所述风险状态所述移动边缘主机不存在被入侵的风险，所述第一网元确定所述资源策略为允许访问所述第三资源。In a possible implementation manner, the determining the resource policy by the first network element according to the risk status includes: if the risk status indicates that the mobile edge host has a risk of being intruded, the first network element determines The resource policy is denying access to the third resource; or, if the mobile edge host in the risk state is not at risk of being invaded, the first network element determines that the resource policy is allowing access to the third resource. resource.

在上述实施方式中，如果第一网元根据ME主机的风险状态，确定相应的资源策略，例如，如果ME主机存在被第四网元入侵的风险，第一网元确定资源策略为拒绝访问该第三资源，这样可以避免第四网元以访问资源为由入侵ME主机，提高了ME主机的安全性，进而提高了MEC架构的安全性。In the above embodiments, if the first network element determines the corresponding resource policy according to the risk status of the ME host, for example, if the ME host has the risk of being invaded by the fourth network element, the first network element determines that the resource policy is to deny access to the ME host. The third resource, which can prevent the fourth network element from invading the ME host on the grounds of accessing resources, which improves the security of the ME host, thereby improving the security of the MEC architecture.

在一种可能的实施方式中，所述方法还包括：所述第一网元向第五网元发送所述资源策略。In a possible implementation manner, the method further includes: the first network element sending the resource policy to a fifth network element.

在上述实施方式中，第一网元可将资源策略发送给第五网元，使得第五网元可以及时地根据资源策略，访问ME主机中的资源，有利于及时地控制ME主机可能的安全风险。In the above embodiment, the first network element can send the resource policy to the fifth network element, so that the fifth network element can access the resources in the ME host in a timely manner according to the resource policy, which is beneficial to timely control the possible security of the ME host. risk.

在一种可能的实施方式中，所述方法还包括：所述第一网元根据所述移动边缘主机的信息确定风险状态，包括：所述第一网元向第六网元发送所述移动边缘主机的信息；所述第一网元从所述第六网元接收所述风险状态的信息。In a possible implementation manner, the method further includes: the first network element determining the risk status according to the information of the mobile edge host, including: the first network element sending the mobile Information about edge hosts; the first network element receives information about the risk status from the sixth network element.

在上述实施方式中，第一网元可以将ME主机的信息发送给第六网元，然后由第六网元确定该风险状态，这样无需第一网元确定风险状态，减少第一网元的处理量。In the above embodiment, the first network element can send the information of the ME host to the sixth network element, and then the sixth network element determines the risk status, so that the first network element does not need to determine the risk status, reducing the first network element's throughput.

在一种可能的实施方式中，第一网元为OSS或MEPM。In a possible implementation manner, the first network element is an OSS or an MEPM.

在一种可能的实施方式中，第二网元为ME主机或MEPM。In a possible implementation manner, the second network element is an ME host or an MEPM.

在一种可能的实施方式中，第三网元为OSS。In a possible implementation manner, the third network element is an OSS.

在一种可能的实施方式中，第四网元为OSS、VIM或CISM。In a possible implementation manner, the fourth network element is an OSS, a VIM, or a CISM.

在一种可能的实施方式中，第五网元为MEPM、虚拟设施管理器VIM、ME主机或容器基础设施服务CISM。In a possible implementation manner, the fifth network element is a MEPM, a virtual facility manager VIM, an ME host, or a container infrastructure service CISM.

在一种可能的实施方式中，第六网元为OSS或多边缘编排器MEO。In a possible implementation manner, the sixth network element is an OSS or a multi-edge orchestrator MEO.

第二方面，本申请实施例提供了一种资源策略获取方法，该方法可以由第二网元执行，第二网元例如ME主机或MEPM，或者具有ME主机或MEPM功能的通信装置，或者具有ME主机或MEPM功能的芯片系统。该方法包括：第二网元获得移动边缘主机的信息，所述移动边缘主机的信息包括所述移动边缘主机提供的资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息；所述第二网元向第一网元发送所述移动边缘主机的信息；所述第二网元从所述第一网元接收资源策略，所述资源策略用于指示访问所述移动边缘主机的资源的策略。In the second aspect, the embodiment of the present application provides a resource policy acquisition method, which can be executed by a second network element, such as an ME host or MEPM, or a communication device with the ME host or MEPM function, or a System-on-a-chip for ME host or MEPM functions. The method includes: the second network element obtains the information of the mobile edge host, and the information of the mobile edge host includes first information of resources provided by the mobile edge host and/or second information indicating a behavior of accessing the mobile edge host information; the second network element sends the information of the mobile edge host to the first network element; the second network element receives a resource policy from the first network element, and the resource policy is used to indicate access to the mobile edge host The resource policy of the edge host.

在上述实施方式中，第二网元获得ME主机的信息之后，可以将ME主机的信息发送给第一网元，以便于第一网元确定ME主机的风险状态，并根据ME主机的风险状态确定相应的资源策略，并将该资源策略发送给第二网元，以便于第二网元及时转发该资源策略，或者及时地根据资源策略，访问ME主机提供的资源。In the above embodiment, after the second network element obtains the information of the ME host, it can send the information of the ME host to the first network element, so that the first network element can determine the risk status of the ME host, and according to the risk status of the ME host Determine the corresponding resource policy, and send the resource policy to the second network element, so that the second network element forwards the resource policy in time, or accesses the resource provided by the ME host in time according to the resource policy.

在一种可能的实施方式中，在所述第二网元向第一网元发送所述移动边缘主机的信息之前，所述方法还包括：确定根据所述移动边缘主机的信息无法判断所述移动边缘主机是否存在风险。In a possible implementation manner, before the second network element sends the information of the mobile edge host to the first network element, the method further includes: determining that the Are mobile edge hosts at risk?

在上述实施方式中，第二网元在确定无法根据ME主机的信息确定ME主机是否存在风险时，在第二网元确定无法判断ME主机的风险时，可以将ME主机的信息发送给第一网元，以便于第一网元及时确定ME主机的风险状态。In the above embodiment, when the second network element determines whether the risk of the ME host cannot be determined according to the information of the ME host, when the second network element determines that the risk of the ME host cannot be determined, the information of the ME host can be sent to the first network elements, so that the first network element can determine the risk state of the ME host in time.

上述第二方面及其实施方式的有益效果可以参考对第一方面的方法及其实施方式的有益效果的描述。For the beneficial effects of the above-mentioned second aspect and its implementation manners, reference may be made to the description of the beneficial effects of the method of the first aspect and its implementation manners.

第三方面，本申请实施例提供了一种资源访问方法，包括：第五网元从第一网元接收资源策略，所述资源策略用于指示访问移动边缘主机的资源的策略，所述资源策略是根据所述移动边缘主机的风险状态确定的，所述风险状态是根据所述移动边缘主机的信息确定的，所述移动边缘主机的信息包括第一资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息，所述风险状态用于指示所述移动边缘主机是否存在风险，所述第一资源为所述移动边缘主机提供的资源；所述第五网元根据所述资源策略访问所述移动边缘主机中的资源。In a third aspect, the embodiment of the present application provides a resource access method, including: a fifth network element receives a resource policy from the first network element, the resource policy is used to indicate a policy for accessing resources of a mobile edge host, and the resource The policy is determined based on the risk status of the mobile edge host, the risk status is determined based on the information of the mobile edge host, the information of the mobile edge host includes the first information of the first resource and/or indicates the access The second information about the behavior of the mobile edge host, the risk status is used to indicate whether the mobile edge host is at risk, the first resource is a resource provided by the mobile edge host; the fifth network element according to The resource policy accesses resources in the mobile edge host.

在一种可能的实施方式中，所述第五网元为MEPM、VIM、ME主机或CISM。In a possible implementation manner, the fifth network element is an MEPM, a VIM, an ME host, or a CISM.

第四方面，本申请实施例提供一种资源访问方法，该方法可通过通信系统实现，该通信系统包括第一网元和第二网元，其中，第一网元和第二网元的具体实现方式可参照前文。该资源访问方法中，第一网元可执行前文第一方面中的任一的方法，以及第二网元可执行前文第二方面中的任一的方法。In a fourth aspect, the embodiment of the present application provides a method for accessing resources, which can be implemented through a communication system, where the communication system includes a first network element and a second network element, where the specific details of the first network element and the second network element For the implementation method, please refer to the above. In the resource access method, the first network element may execute any method in the first aspect above, and the second network element may execute any method in the second aspect above.

可选的，该通信系统还可包括第四网元，第四网元的实现方式可参照前文。该资源访问方法中，第四网元可执行前文第三方面中任一的方法。Optionally, the communication system may further include a fourth network element, and reference may be made to the foregoing for an implementation manner of the fourth network element. In the resource access method, the fourth network element may execute any method in the third aspect above.

可选的，该通信系统还可包括第三网元，第三网元的实现方式可参照前文。该资源访问方法中，例如，第三网元将第二类端口的信息发送给第一网元。Optionally, the communication system may further include a third network element, and reference may be made to the foregoing for an implementation manner of the third network element. In this resource access method, for example, the third network element sends the information of the second type of port to the first network element.

第五方面，本申请实施例提供了一种通信系统，包括上述第一方面中的第一网元和上述第二方面中的第二网元。In a fifth aspect, the embodiment of the present application provides a communication system, including the first network element in the above first aspect and the second network element in the above second aspect.

可选的，该通信系统还包括上述第三方面的第四网元。Optionally, the communication system further includes the fourth network element in the above third aspect.

可选的，该通信系统还包括上述第三网元。第三网元的具体实现可参照前文。Optionally, the communications system further includes the foregoing third network element. For the specific implementation of the third network element, reference may be made to the foregoing.

第六方面，本申请实施例提供了一种通信装置，该通信装置可以为上述第一方面中的第一网元，或者为配置在第一网元中的电子设备(例如，芯片系统)，或者为包括该第一网元的较大设备。该第一网元包括用于执行上述第一方面或任一可选的实施方式的相应的手段(means)或模块。例如，该通信装置包括处理模块(有时也称为处理单元)和收发模块(有时也称为收发单元)。In a sixth aspect, an embodiment of the present application provides a communication device, which may be the first network element in the above first aspect, or an electronic device (for example, a chip system) configured in the first network element, Or it is a larger device including the first network element. The first network element includes corresponding means or modules for implementing the foregoing first aspect or any optional implementation manner. For example, the communication device includes a processing module (also called a processing unit sometimes) and a transceiver module (also called a transceiver unit sometimes).

例如，该收发模块用于从第二网元接收移动边缘主机的信息，所述移动边缘主机的信息包括第一资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息，所述第一资源为所述移动边缘主机提供的资源；该处理模块用于根据所述移动边缘主机的信息确定风险状态，所述风险状态用于指示所述移动边缘主机是否存在安全风险，以及根据所述风险状态确定资源策略，所述资源策略用于指示访问所述移动边缘主机提供的资源的策略。For example, the transceiver module is configured to receive information about the mobile edge host from the second network element, where the information about the mobile edge host includes first information about the first resource and/or second information indicating behavior of accessing the mobile edge host , the first resource is a resource provided by the mobile edge host; the processing module is configured to determine a risk status according to the information of the mobile edge host, and the risk status is used to indicate whether the mobile edge host has a security risk, And determining a resource policy according to the risk status, where the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.

可选的，该通信还包括其他部件，例如，天线，输入输出模块，接口等等。这些部件可以是硬件，软件，或者软件和硬件的结合。Optionally, the communication further includes other components, for example, an antenna, an input and output module, an interface and so on. These components can be hardware, software, or a combination of software and hardware.

在一种可能的实施方式中，该处理模块包括边缘风险引擎模块和边缘资源策略管理模块，例如，该边缘风险引擎模块用于根据所述移动边缘主机的信息确定风险状态；该边缘资源策略管理模块用于根据所述风险状态确定资源策略。In a possible implementation manner, the processing module includes an edge risk engine module and an edge resource policy management module, for example, the edge risk engine module is used to determine the risk status according to the information of the mobile edge host; the edge resource policy management module A module for determining a resource policy based on the risk status.

在另一种可能的实施方式中，该处理模块包括中心风险引擎模块和中心资源策略管理模块，例如，该中心风险引擎模块用于根据所述移动边缘主机的信息确定风险状态；该中心资源策略管理模块用于根据所述风险状态确定资源策略。In another possible implementation manner, the processing module includes a central risk engine module and a central resource policy management module, for example, the central risk engine module is used to determine the risk status according to the information of the mobile edge host; the central resource policy The management module is used to determine resource policies according to the risk status.

第七方面，本申请实施例提供了一种通信装置，该通信装置可以为上述第二方面中的第二网元，或者为配置在第二网元中的电子设备(例如，芯片系统)，或者为包括该第一网元的较大设备。该第二网元包括用于执行上述第二方面或任一可选的实施方式的相应的手段(means)或模块。例如，该通信装置包括处理模块(有时也称为处理单元)和收发模块(有时也称为收发单元)。In the seventh aspect, the embodiment of the present application provides a communication device, and the communication device may be the second network element in the above second aspect, or an electronic device (for example, a chip system) configured in the second network element, Or it is a larger device including the first network element. The second network element includes corresponding means or modules for implementing the foregoing second aspect or any optional implementation manner. For example, the communication device includes a processing module (also called a processing unit sometimes) and a transceiver module (also called a transceiver unit sometimes).

例如，该处理模块用于获得移动边缘主机的信息，所述移动边缘主机的信息包括所述移动边缘主机提供的资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息；该收发模块用于向第一网元发送所述移动边缘主机的信息，以及从所述第一网元接收资源策略，所述资源策略用于指示访问所述移动边缘主机的资源的策略。For example, the processing module is configured to obtain the information of the mobile edge host, and the information of the mobile edge host includes first information of resources provided by the mobile edge host and/or second information indicating the behavior of accessing the mobile edge host The transceiving module is used to send the information of the mobile edge host to the first network element, and receive a resource policy from the first network element, the resource policy is used to indicate the policy for accessing the resources of the mobile edge host.

可选的，该通信装置还包括其他部件，例如，天线，输入输出模块，接口等等。这些部件可以是硬件，软件，或者软件和硬件的结合。Optionally, the communication device further includes other components, for example, an antenna, an input and output module, an interface, and the like. These components can be hardware, software, or a combination of software and hardware.

在一种可能的实施方式中，该处理模块包括风险感知代理模块，例如，该风险感知代理模块用于获得移动边缘主机的信息。In a possible implementation manner, the processing module includes a risk awareness agent module, for example, the risk awareness agent module is configured to obtain the information of the mobile edge host.

在一种可能的实施方式中，该处理模块还包括主机策略执行模块，该主机策略执行模块用于从所述第一网元接收资源策略。In a possible implementation manner, the processing module further includes a host policy execution module, where the host policy execution module is configured to receive a resource policy from the first network element.

第八方面，本申请实施例提供了一种通信装置，该通信装置可以为上述第三方面中的第五网元，或者为配置在第五网元中的电子设备(例如，芯片系统)，或者为包括该第五网元的较大设备。该第五网元包括用于执行上述第三方面或任一可选的实施方式的相应的手段(means)或模块。例如，该通信装置包括处理模块(有时也称为处理单元)和收发模块(有时也称为收发单元)。In an eighth aspect, an embodiment of the present application provides a communication device, which may be the fifth network element in the above third aspect, or an electronic device (for example, a chip system) configured in the fifth network element, Or it is a larger device including the fifth network element. The fifth network element includes corresponding means or modules for implementing the above third aspect or any optional implementation manner. For example, the communication device includes a processing module (also called a processing unit sometimes) and a transceiver module (also called a transceiver unit sometimes).

例如，该收发模块用于从第一网元接收资源策略，所述资源策略用于指示访问移动边缘主机的资源的策略，所述资源策略是根据所述移动边缘主机的风险状态确定的，所述风险状态是根据所述移动边缘主机的信息确定的，所述移动边缘主机的信息包括第一资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息，所述风险状态用于指示所述移动边缘主机是否存在风险，所述第一资源为所述移动边缘主机提供的资源；该处理模块用于根据所述资源策略访问所述移动边缘主机中的资源。For example, the transceiving module is configured to receive a resource policy from the first network element, the resource policy is used to indicate a policy for accessing resources of the mobile edge host, the resource policy is determined according to the risk status of the mobile edge host, the The risk status is determined according to the information of the mobile edge host, the information of the mobile edge host includes first information of the first resource and/or second information indicating the behavior of accessing the mobile edge host, and the risk The status is used to indicate whether the mobile edge host is at risk, and the first resource is a resource provided by the mobile edge host; the processing module is used to access resources in the mobile edge host according to the resource policy.

在一种可能的实施方式中，该处理模块包括资源策略执行模块，例如，该资源策略执行模块用于获得移动边缘主机的信息，该主机策略执行模块用于根据所述资源策略访问所述移动边缘主机中的资源。In a possible implementation manner, the processing module includes a resource policy execution module, for example, the resource policy execution module is used to obtain information about the mobile edge host, and the host policy execution module is used to access the mobile edge host according to the resource policy. Resources in edge hosts.

第九方面，本申请实施例提供一种通信装置，该通信装置可以为上述第一方面中的第一网元，或者为配置在第一网元中的电子设备(例如，芯片系统)，或者为包括该第一网元的较大设备。该第一网元包括用于执行上述第一方面或任一可选的实施方式的相应的手段(means)或模块。In a ninth aspect, an embodiment of the present application provides a communication device, which may be the first network element in the above first aspect, or an electronic device (for example, a chip system) configured in the first network element, or is a larger device including the first network element. The first network element includes corresponding means or modules for implementing the foregoing first aspect or any optional implementation manner.

在一种可能的实施方式中，该通信装置包括边缘风险引擎模块和边缘资源策略管理模块。In a possible implementation manner, the communication device includes an edge risk engine module and an edge resource policy management module.

例如，该边缘风险引擎模块用于从第二网元接收移动边缘主机的信息，所述移动边缘主机的信息包括第一资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息，所述第一资源为所述移动边缘主机提供的资源，以及根据所述移动边缘主机的信息确定风险状态，所述风险状态用于指示所述移动边缘主机是否存在安全风险；该边缘资源策略管理模块用于根据所述风险状态确定资源策略，所述资源策略用于指示访问所述移动边缘主机提供的资源的策略。For example, the edge risk engine module is configured to receive the information of the mobile edge host from the second network element, and the information of the mobile edge host includes the first information of the first resource and/or the first information indicating the behavior of accessing the mobile edge host Two information, the first resource is a resource provided by the mobile edge host, and the risk status is determined according to the information of the mobile edge host, and the risk status is used to indicate whether there is a security risk in the mobile edge host; the edge The resource policy management module is configured to determine a resource policy according to the risk status, and the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.

在另一种可能的实施方式中，该通信装置包括中心风险引擎模块和中心资源策略管理模块。In another possible implementation manner, the communication device includes a central risk engine module and a central resource policy management module.

例如，该中心风险引擎模块用于从第二网元接收移动边缘主机的信息，所述移动边缘主机的信息包括第一资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息，所述第一资源为所述移动边缘主机提供的资源，以及根据所述移动边缘主机的信息确定风险状态，所述风险状态用于指示所述移动边缘主机是否存在安全风险；该中心资源策略管理模块用于根据所述风险状态确定资源策略，所述资源策略用于指示访问所述移动边缘主机提供的资源的策略。For example, the central risk engine module is configured to receive the information of the mobile edge host from the second network element, and the information of the mobile edge host includes the first information of the first resource and/or the first information indicating the behavior of accessing the mobile edge host Two information, the first resource is a resource provided by the mobile edge host, and the risk status is determined according to the information of the mobile edge host, and the risk status is used to indicate whether there is a security risk in the mobile edge host; the center The resource policy management module is configured to determine a resource policy according to the risk status, and the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.

第十方面，本申请实施例提供一种通信装置，该通信装置可以为上述第一方面中的第一网元，或者为配置在第二网元中的电子设备(例如，芯片系统)，或者为包括该第一网元的较大设备。该第二网元包括用于执行上述第二方面或任一可选的实施方式的相应的手段(means)或模块。例如，该通信装置包括风险感知代理模块和主机策略执行模块。In a tenth aspect, the embodiment of the present application provides a communication device, which may be the first network element in the above first aspect, or an electronic device (for example, a chip system) configured in the second network element, or is a larger device including the first network element. The second network element includes corresponding means or modules for implementing the foregoing second aspect or any optional implementation manner. For example, the communication device includes a risk-aware proxy module and a host policy enforcement module.

例如，该风险感知代理模块用于获得移动边缘主机的信息，所述移动边缘主机的信息包括所述移动边缘主机提供的资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息，以及向第一网元发送所述移动边缘主机的信息；该主机策略执行模块用于从所述第一网元接收资源策略，所述资源策略用于指示访问所述移动边缘主机的资源的策略。For example, the risk awareness agent module is used to obtain the information of the mobile edge host, and the information of the mobile edge host includes the first information of resources provided by the mobile edge host and/or the first information indicating the behavior of accessing the mobile edge host. Two information, and sending the information of the mobile edge host to the first network element; the host policy execution module is used to receive a resource policy from the first network element, and the resource policy is used to indicate access to the mobile edge host resource strategy.

第十一方面，本申请实施例提供了一种通信装置，该通信装置可以为上述第三方面中的第五网元，或者为配置在第五网元中的电子设备(例如，芯片系统)，或者为包括该第五网元的较大设备。该第五网元包括用于执行上述第三方面或任一可选的实施方式的相应的手段(means)或模块。例如，该通信装置包括资源策略执行模块。In the eleventh aspect, the embodiment of the present application provides a communication device, which may be the fifth network element in the above third aspect, or an electronic device (for example, a chip system) configured in the fifth network element , or a larger device including the fifth network element. The fifth network element includes corresponding means or modules for implementing the above third aspect or any optional implementation manner. For example, the communications device includes a resource policy enforcement module.

例如，该资源策略执行模块用于从第一网元接收资源策略，所述资源策略用于指示访问移动边缘主机的资源的策略，所述资源策略是根据所述移动边缘主机的风险状态确定的，所述风险状态是根据所述移动边缘主机的信息确定的，所述移动边缘主机的信息包括第一资源的第一信息和/或指示访问所述移动边缘主机的行为的第二信息，所述风险状态用于指示所述移动边缘主机是否存在风险，所述第一资源为所述移动边缘主机提供的资源；以及根据所述资源策略访问所述移动边缘主机中的资源。For example, the resource policy execution module is configured to receive a resource policy from the first network element, the resource policy is used to indicate a policy for accessing resources of the mobile edge host, and the resource policy is determined according to the risk status of the mobile edge host , the risk status is determined according to the information of the mobile edge host, the information of the mobile edge host includes the first information of the first resource and/or the second information indicating the behavior of accessing the mobile edge host, the The risk status is used to indicate whether the mobile edge host is at risk, the first resource is a resource provided by the mobile edge host; and resources in the mobile edge host are accessed according to the resource policy.

第十二方面，本申请实施例提供一种通信系统，该通信系统包括第六方面所述的装置以及第七方面所述的装置。In a twelfth aspect, an embodiment of the present application provides a communication system, where the communication system includes the device described in the sixth aspect and the device described in the seventh aspect.

可选的，该通信系统还包括第八方面所述的装置。Optionally, the communication system further includes the device described in the eighth aspect.

第十三方面，本申请实施例提供一种通信系统，该通信系统包括第九方面所述的装置以及第十方面所述的装置。In a thirteenth aspect, an embodiment of the present application provides a communication system, where the communication system includes the device described in the ninth aspect and the device described in the tenth aspect.

可选的，该通信系统还包括第十一方面所述的装置。Optionally, the communication system further includes the device described in the eleventh aspect.

第十四方面，本申请实施例提供一种通信装置，包括：处理器和存储器；所述存储器用于存储一个或多个计算机程序，所述一个或多个计算机程序包括计算机执行指令，当所述资源访问装置运行时，所述处理器执行所述存储器存储的所述一个或多个计算机程序，以使得所述通信装置执行如第一方面、第二方面或第三方面中任意一项所述的方法。In a fourteenth aspect, the embodiment of the present application provides a communication device, including: a processor and a memory; the memory is used to store one or more computer programs, and the one or more computer programs include computer-executable instructions, when the When the resource access device is running, the processor executes the one or more computer programs stored in the memory, so that the communication device executes any one of the first aspect, the second aspect, or the third aspect. described method.

第十五方面，本申请实施例提供一种计算机可读存储介质，所述计算机可读存储介质用于存储计算机程序，当所述计算机程序在计算机上运行时，使得所述计算机执行第一方面、第二方面或第三方面中任意一项所述的方法。In a fifteenth aspect, an embodiment of the present application provides a computer-readable storage medium, the computer-readable storage medium is used to store a computer program, and when the computer program is run on a computer, the computer executes the first aspect , the method described in any one of the second aspect or the third aspect.

第十六方面，本申请实施例提供一种计算机程序产品，所述计算机程序产品存储有计算机程序，所述计算机程序包括程序指令，所述程序指令当被计算机执行时，使所述计算机执行第一方面、第二方面或第三方面中任意一项所述的方法。In a sixteenth aspect, the embodiment of the present application provides a computer program product, the computer program product stores a computer program, the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the first The method according to any one of the first aspect, the second aspect or the third aspect.

第十七方面，本申请提供了一种芯片系统，该芯片系统包括处理器和接口，所述处理器用于从所述接口调用并运行指令，当所述处理器执行所述指令时，实现第一方面、第二方面或第三方面所述的方法。该芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。In a seventeenth aspect, the present application provides a chip system, the chip system includes a processor and an interface, the processor is used to call and run instructions from the interface, and when the processor executes the instructions, the first The method described in one aspect, the second aspect or the third aspect. The system-on-a-chip may consist of chips, or may include chips and other discrete devices.

第十八方面，本申请实施例还提供了一种计算机程序，当计算机程序在计算机上运行时，使得计算机执行上述第一方面、第二方面或第三方面中任意一项所述的方法。In the eighteenth aspect, the embodiment of the present application also provides a computer program, which when the computer program is run on the computer, causes the computer to execute the method described in any one of the first aspect, the second aspect or the third aspect.

上述第三方面至第十八方面及其实现方式的有益效果可以参考对第一方面的方法及其实施方式的有益效果的描述。For the beneficial effects of the above third aspect to the eighteenth aspect and the implementation manners thereof, reference may be made to the description of the beneficial effects of the method of the first aspect and the implementation manners thereof.

Description of drawings

图1A为本申请实施例适用的MEC架构的一种示意图；FIG. 1A is a schematic diagram of an MEC architecture applicable to an embodiment of the present application;

图1B为本申请实施例适用的MEC架构的一种示意图；FIG. 1B is a schematic diagram of an MEC architecture applicable to an embodiment of the present application;

图2为本申请实施例提供的资源访问方法的一种流程示意图一；FIG. 2 is a first schematic flow diagram of a resource access method provided by an embodiment of the present application;

图3为本申请实施例提供的资源访问方法的一种流程示意图二；FIG. 3 is a schematic flow diagram II of a resource access method provided by an embodiment of the present application;

图4为本申请实施例提供的资源访问方法的一种流程示意图三；FIG. 4 is a schematic flow diagram III of a resource access method provided by an embodiment of the present application;

图5为本申请实施例提供的资源访问方法的一种流程示意图四；FIG. 5 is a schematic flow diagram 4 of a resource access method provided by an embodiment of the present application;

图6为本申请实施例提供的资源访问方法的一种流程示意图五；FIG. 6 is a schematic flow diagram five of a resource access method provided by an embodiment of the present application;

图7为本申请实施例提供的资源访问方法的一种流程示意图六；FIG. 7 is a schematic flow diagram VI of a resource access method provided by an embodiment of the present application;

图8为本申请实施例提供的资源访问方法的一种流程示意图七；FIG. 8 is a schematic flow diagram VII of a resource access method provided by an embodiment of the present application;

图9为本申请实施例提供的资源访问方法的一种流程示意图八；FIG. 9 is a schematic flowchart eighth of a resource access method provided by an embodiment of the present application;

图10为本申请实施例提供的一种通信装置的一种结构示意图一；FIG. 10 is a first structural schematic diagram of a communication device provided by an embodiment of the present application;

图11为本申请实施例提供的一种通信装置的一种结构示意图二；FIG. 11 is a second structural schematic diagram of a communication device provided by an embodiment of the present application;

图12为本申请实施例提供的一种通信装置的一种结构示意图三；FIG. 12 is a schematic structural diagram III of a communication device provided in an embodiment of the present application;

图13A为本申请实施例提供的一种通信装置的一种结构示意图四；FIG. 13A is a fourth schematic structural diagram of a communication device provided by an embodiment of the present application;

图13B为本申请实施例提供的一种通信装置的一种结构示意图五；FIG. 13B is a schematic diagram of a fifth structure of a communication device provided by an embodiment of the present application;

图14为本申请实施例提供的一种通信装置的一种结构示意图六；FIG. 14 is a sixth structural diagram of a communication device provided in an embodiment of the present application;

图15为本申请实施例提供的一种通信装置的一种结构示意图七；FIG. 15 is a schematic structural diagram VII of a communication device provided in an embodiment of the present application;

图16为本申请实施例提供的在图1A中的MEC架构中部署图13A、图13B、图14和图15所示的装置的一种示意图；Fig. 16 is a schematic diagram of deploying the devices shown in Fig. 13A, Fig. 13B, Fig. 14 and Fig. 15 in the MEC architecture in Fig. 1A provided by the embodiment of the present application;

图17为本申请实施例提供的在图1B中的MEC架构中部署图13A、图13B、图14和图15所示的装置的另一种示意图；Fig. 17 is another schematic diagram of deploying the devices shown in Fig. 13A, Fig. 13B, Fig. 14 and Fig. 15 in the MEC architecture in Fig. 1B provided by the embodiment of the present application;

图18为本申请实施例提供的一种通信装置的一种结构示意图八；FIG. 18 is a schematic structural diagram eighth of a communication device provided in an embodiment of the present application;

图19为本申请实施例提供的一种通信装置的一种结构示意图九；FIG. 19 is a schematic structural diagram of a communication device provided in an embodiment of the present application (ninth);

图20为本申请实施例提供的一种通信装置的一种结构示意图十。FIG. 20 is a tenth schematic structural diagram of a communication device provided by an embodiment of the present application.

Detailed ways

为了使本申请的目的、技术方案和优点更加清楚，下面将结合附图对本申请作进一步地详细描述。方法实施例中的具体操作方法也可以应用于装置实施例或系统实施例中。In order to make the purpose, technical solution and advantages of the application clearer, the application will be further described in detail below in conjunction with the accompanying drawings. The specific operation methods in the method embodiments can also be applied to the device embodiments or system embodiments.

以下，对本申请实施例中的部分用语进行解释说明，以便于本领域技术人员理解。In the following, some terms used in the embodiments of the present application are explained, so as to facilitate the understanding of those skilled in the art.

1、本申请实施例中的网元，可以是单个物理设备，或者也可以是集成了多个设备的装置。本申请实施例所示的网元还可以是逻辑概念，例如为软件模块，或者为与各个网络设备提供的服务对应的网络功能，网络功能可以理解为虚拟化实现下的一个虚拟化功能，还可以理解为服务化网络下提供服务的网络功能，本申请实施例对此不作具体限定。1. The network element in the embodiment of the present application may be a single physical device, or may be a device integrating multiple devices. The network element shown in the embodiment of the present application can also be a logical concept, such as a software module, or a network function corresponding to the service provided by each network device. The network function can be understood as a virtualization function implemented under virtualization, or It can be understood as a network function that provides services under a service-based network, which is not specifically limited in this embodiment of the present application.

本申请实施例中，对于名词的数目，除非特别说明，表示“单数名词或复数名词”，即"一个或多个”。“至少一个”是指一个或者多个，“多个”是指两个或两个以上。“和/或”，描述关联对象的关联关系，表示可以存在三种关系，例如，A和/或B，可以表示：单独存在A，同时存在A和B，单独存在B的情况，其中A,B可以是单数或者复数。字符“/”一般表示前后关联对象是一种“或”的关系。例如，A/B，表示：A或B。“以下至少一项(个)”或其类似表达，是指的这些项中的任意组合，包括单项(个)或复数项(个)的任意组合。例如，a,b,或c中的至少一项(个)，表示：a,b,c,a和b,a和c,b和c,或a和b和c，其中a,b,c可以是单个，也可以是多个。In the embodiments of the present application, for the number of nouns, unless otherwise specified, it means "singular noun or plural noun", that is, "one or more". "At least one" means one or more, and "plurality" means two or more. "And/or" describes the association relationship of associated objects, indicating that there can be three types of relationships, for example, A and/or B, which can mean: A exists alone, A and B exist at the same time, and B exists alone, where A, B can be singular or plural. The character "/" generally indicates that the contextual objects are an "or" relationship. For example, A/B means: A or B. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one item (piece) of a, b, or c means: a, b, c, a and b, a and c, b and c, or a and b and c, where a, b, c Can be single or multiple.

除非有特定的说明，本申请实施例提及“第一”、“第二”等序数词用于对多个对象进行区分，不用于限定多个对象的顺序、时序、优先级或者重要程度，例如，本申请实施例中的“第一信息”和“第二信息”用于表示两种信息，并不限定两个信息的出现顺序、时序、优先级或者重要程度等。又例如，本申请实施例中的“第一网元”和“第二网元”用于表示两个网元，并不限定两个网元的优先级或重要程度等。Unless otherwise specified, ordinal numerals such as "first" and "second" mentioned in the embodiments of this application are used to distinguish multiple objects, and are not used to limit the order, timing, priority or importance of multiple objects. For example, "first information" and "second information" in the embodiments of the present application are used to represent two kinds of information, and do not limit the appearance order, time sequence, priority or importance of the two information. As another example, the "first network element" and "second network element" in the embodiment of the present application are used to represent two network elements, and do not limit the priority or importance of the two network elements.

为了提高MEC架构的安全性，本申请实施例提供了一种技术方案。在该技术方案中，第一网元从第二网元接收ME主机的信息，该ME主机的信息包括第一信息和/或指示访问该ME主机的行为的第二信息，第一网元根据ME主机的信息，确定该ME主机的风险状态，提供了一种确定ME主机的风险状态的机制。并且，该技术方案关注了ME主机内部可能存在的安全风险，可提高ME主机的安全性，也就提高了MEC架构的安全性。并且，根据ME主机的风险状态，可及时地采取相应的资源策略，以降低ME主机的安全风险，从而保证了MEC架构的安全性。In order to improve the security of the MEC architecture, an embodiment of the present application provides a technical solution. In this technical solution, the first network element receives the information of the ME host from the second network element, the information of the ME host includes the first information and/or the second information indicating the behavior of accessing the ME host, and the first network element according to The information of the ME host determines the risk status of the ME host and provides a mechanism for determining the risk status of the ME host. Moreover, this technical solution pays attention to the possible security risks inside the ME host, which can improve the security of the ME host, and also improve the security of the MEC architecture. Moreover, according to the risk status of the ME host, corresponding resource policies can be adopted in a timely manner to reduce the security risk of the ME host, thereby ensuring the security of the MEC architecture.

本申请实施例提供的技术方案可以适用于任意的MEC架构，下面对MEC架构进行示例介绍。The technical solutions provided in the embodiments of the present application may be applicable to any MEC architecture, and the following describes an example of the MEC architecture.

请参照图1A，为本申请实施例适用的MEC架构的一种示意图。该MEC架构包括ME系统层和ME主机层。ME系统层包括运营支持系统(operations support system，OSS)、多边缘编排器(mobile edge orchestrator，MEO)、面向用户服务门户(customer-facing service portal，CFS Portal)、用户终端应用(user application，UE APP)和用户应用生命周期代理(user app life cycle management proxy，UE APP LCM proxy)。ME主机层包括ME主机、MEPM、虚拟设施管理器(virtualized infrastructure manager，VIM)和其他ME主机。Please refer to FIG. 1A , which is a schematic diagram of an MEC architecture applicable to this embodiment of the present application. The MEC architecture includes the ME system layer and the ME host layer. ME system layer includes operations support system (operations support system, OSS), multi-edge orchestrator (mobile edge orchestrator, MEO), customer-facing service portal (customer-facing service portal, CFS Portal), user terminal application (user application, UE APP) and user application lifecycle management proxy (user app life cycle management proxy, UE APP LCM proxy). The ME host layer includes ME host, MEPM, virtualized infrastructure manager (virtualized infrastructure manager, VIM) and other ME hosts.

下面先对ME系统层包括的各个部分的功能进行介绍。The functions of each part included in the ME system layer are firstly introduced below.

OSS，属于MEC架构中的最高级别的管理实体。OSS可从面向用户服务门户接收业务请求，并将该业务请求发送给MEO。MEO可对业务请求进行进一步处理。业务请求例如，实例化应用请求或终止应用请求。实例化请求用于请求实例化ME APP，终止ME APP请求用于终止之前实例化后的ME APP。其中，ME APP可以理解为部署在ME主机中的APP，例如实现某种业务的APP，需要在ME主机中部署ME APP，为用户提供相应的后台支持。OSS is the highest level management entity in the MEC architecture. OSS can receive service requests from the user-oriented service portal and send the service requests to MEO. MEO can further process the service request. A business request is, for example, a request to instantiate an application or a request to terminate an application. The instantiation request is used to request the instantiation of ME APP, and the termination ME APP request is used to terminate the previously instantiated ME APP. Among them, ME APP can be understood as an APP deployed in the ME host. For example, an APP that implements a certain business needs to deploy ME APP in the ME host to provide users with corresponding background support.

MEO，属于MEC架构中的上层管理实体。MEO用于宏观管控MEC架构中的资源。例如，MEO从OSS接收业务请求，MEO衡量该业务请求的所需资源和每个ME主机的可用的资源，从而选择合适的ME主机处理该业务请求。其中，MEC架构中的资源可按照呈现形式划分为硬件或软件两大类。MEC架构中的资源又可以按照资源的用途划分多种，例如，计算资源、存储资源、网络资源和应用的镜像资源等。MEO belongs to the upper management entity in the MEC architecture. MEO is used to macro-control the resources in the MEC architecture. For example, the MEO receives a service request from the OSS, and the MEO weighs the required resources of the service request and the available resources of each ME host, so as to select a suitable ME host to process the service request. Among them, the resources in the MEC architecture can be divided into two categories: hardware or software according to the form of presentation. The resources in the MEC architecture can be divided into multiple types according to the usage of the resources, for example, computing resources, storage resources, network resources, and application image resources.

面向客户服务门户，是运营商面向第三方客户订阅并监控ME APP的门户。第三方客户(例如，APP提供商)可以通过面向客户服务门户，选择订购一套满足其需求的ME APP。或者第三方客户可以将其提供的应用接入到ME主机中，还可以配置该应用使用的时间和地点等。The customer service portal is the portal for operators to subscribe and monitor ME APP for third-party customers. Third-party customers (for example, APP providers) can choose to order a set of ME APPs that meet their needs through the customer service portal. Or third-party customers can connect the application provided by them to the ME host, and can also configure the time and place for using the application.

UE APP，可以理解为部署在用户侧的APP，UE APP通常用于根据用户的操作等，生成业务请求等。UE APP can be understood as an APP deployed on the user side. UE APP is usually used to generate service requests based on user operations.

用户应用生命周期代理，用于提供转发代理服务。例如，用户应用生命周期代理可以从UE APP接收相应的业务请求，并将该业务请求转发给OSS或MEO等。The user application lifecycle agent is used to provide forwarding agent services. For example, the user application life cycle agent can receive the corresponding service request from UE APP, and forward the service request to OSS or MEO, etc.

需要说明的是，在图1A所示的MEC架构中虽然示意了面向客户服务门户、UE APP和用户应用生命周期代理，但实际面向客户服务门户、UE APP和用户应用生命周期代理可以通常视为外部网元。这里的外部网元是指不属于MEC架构中的网元。It should be noted that in the MEC architecture shown in Figure 1A, although the customer service portal, UE APP and user application life cycle agent are illustrated, the actual customer service portal, UE APP and user application life cycle agent can be generally regarded as external network element. The external network element here refers to a network element that does not belong to the MEC architecture.

下面对ME主机层中的各个部分的功能进行介绍。The functions of each part in the ME host layer are introduced below.

ME主机，通过服务器实现。ME主机包括ME平台(mobile edge platform，MEP)、ME APP(一个ME APP可包括一个或多个服务)和虚拟化基础设施(virtualization infrastructure，VI)。MEP可以实现ME服务、服务注册、流量规则控制和DNS处理中的一项或多项功能。VI用于为ME APP提供运行载体的虚拟化管理程序，载体例如虚拟机(virtual machine，VM)实例。VI包括数据平面(Data Plane，DP)，又称为数据转发平面，该数据平面可实现数据转发和流量路由等功能。ME APP是运行在VI提供的载体上的应用。The ME host is realized through the server. ME host includes ME platform (mobile edge platform, MEP), ME APP (one ME APP can include one or more services) and virtualization infrastructure (virtualization infrastructure, VI). MEP can implement one or more functions of ME service, service registration, flow rule control and DNS processing. VI is used to provide ME APP with a virtualization management program running a carrier, such as a virtual machine (virtual machine, VM) instance. VI includes the data plane (Data Plane, DP), also known as the data forwarding plane, which can realize functions such as data forwarding and traffic routing. ME APP is an application running on the carrier provided by VI.

MEPM，属于MEC架构中的上层管理实体。MEPM用于管理MEP元素、管理ME APP生命周期、以及管理ME应用规则和需求等。管理ME APP生命周期包括创建ME APP和终止ME APP。其中，ME应用规则和需求例如，MEAPP认证、流量规则、域名系统(domain name system，DNS)配置和冲突协调等。MEPM belongs to the upper management entity in the MEC architecture. MEPM is used to manage MEP elements, manage ME APP life cycle, and manage ME application rules and requirements, etc. Managing ME APP life cycle includes creating ME APP and terminating ME APP. Among them, the ME application rules and requirements include, for example, MEAPP authentication, traffic rules, domain name system (domain name system, DNS) configuration, conflict coordination, and the like.

VIM，用于管理ME APP的虚拟化资源的分配和释放。VIM还可以管理ME APP的镜像资源。另外，VIM还可以负责收集虚拟化资源的信息，并将虚拟化资源的信息分别发送给MEO和MEPM等。VIM is used to manage the allocation and release of virtualized resources of ME APP. VIM can also manage the mirror resources of ME APP. In addition, the VIM can also be responsible for collecting the information of the virtualized resources, and sending the information of the virtualized resources to the MEO and the MEPM respectively.

下面介绍图1A中的MEC架构涉及的接口。The interfaces involved in the MEC architecture in FIG. 1A are introduced below.

MEC架构中的接口又称为参考点。接口包括三种类型的接口，具体包括MEC架构与外部网元与交互的接口(采用Mx表示)，与MEC架构中的管理实体交互的接口(采用Mm表示)，以及与MEP交互的接口(采用Mp表示)。下面对图1A所示的各个接口进行介绍。Interfaces in the MEC architecture are also called reference points. The interface includes three types of interfaces, specifically including the interface for interaction between the MEC architecture and external network elements (indicated by Mx), the interface for interaction with the management entity in the MEC architecture (indicated by Mm), and the interface for interaction with the MEP (indicated by Mp indicates). Each interface shown in FIG. 1A is introduced below.

Mx1，面向用户服务门户(视为外部网元的一种)与OSS之间的通信接口。Mx1 is for the communication interface between the user service portal (considered as a kind of external network element) and the OSS.

Mx2，用户应用生命周期代理(视为外部网元的一种)与UEAPP之间的通信接口。Mx2, the communication interface between the user application lifecycle agent (considered as a kind of external network element) and UEAPP.

Mm1，OSS与MEO之间的通信接口。Mm1, communication interface between OSS and MEO.

Mm2，OSS与MEPM之间的通信接口。Mm2, communication interface between OSS and MEPM.

Mm3，MEO与MEPM之间的通信接口，例如，MEO和MEPM之间可以通过接口Mm3提供ME APP相关的策略。Mm3, the communication interface between MEO and MEPM, for example, ME APP-related policies can be provided through the interface Mm3 between MEO and MEPM.

Mm4，MEO与VIM之间的通信接口，例如，MEO与VIM之间可以通过接口Mm4来管理虚拟化资源和ME APP的镜像，同时维持可用的资源的信息。Mm4, the communication interface between MEO and VIM. For example, the interface Mm4 can be used between MEO and VIM to manage virtualization resources and ME APP images, while maintaining information about available resources.

Mm5，MEMP与MEP之间的通信接口。Mm5, communication interface between MEMP and MEP.

Mm6，MEMP与VIM之间的通信接口。Mm6, communication interface between MEMP and VIM.

Mm7，VIM与VI之间的通信接口。Mm7, communication interface between VIM and VI.

Mm8，用户应用生命周期代理与OSS之间的通信接口。Mm8, the communication interface between the user application lifecycle agent and OSS.

Mm9，用户应用生命周期代理与MEO之间的通信接口。Mm9, communication interface between user application lifecycle agent and MEO.

Mp1，ME APP与MEP之间的通信接口。Mp1, communication interface between ME APP and MEP.

Mp2，MEP与VI之间的通信接口。Mp2, the communication interface between MEP and VI.

Mp3，MEP与其他MEP之间的通信接口。Mp3, the communication interface between MEP and other MEPs.

应理解，图1A介绍各个网元(如ME主机、VIM、MEPM、OSS、MEO等)仅为示例而非限定，在标准演进的过程中，上述各网元的名称可以发生变化，各网元执行的功能可以被进一步地拆分或组合，本申请实施例不做限制。It should be understood that the introduction of each network element (such as ME host, VIM, MEPM, OSS, MEO, etc.) in FIG. The executed functions may be further divided or combined, which is not limited in this embodiment of the present application.

请参照图1B，为本申请实施例适用的MEC架构的另一种示意图。相较于图1A所示的MEC架构，在图1B所示的MEC架构中增设了容器基础设施服务(container infrastructure service management，CISM)。Please refer to FIG. 1B , which is another schematic diagram of the MEC architecture applicable to the embodiment of the present application. Compared with the MEC architecture shown in FIG. 1A , a container infrastructure service (container infrastructure service management, CISM) is added to the MEC architecture shown in FIG. 1B .

CISM，用于管理容器资源，管理容器资源包括容器的创建、更新(updating)、查询、弹性伸缩(scaling)和终止(terminating)等。在图1B所示的架构中，ME APP除了运行在虚拟机上，还可以运行在CISM管理的容器上。另外，CISM还可以通过Mm10与MEPM通信。例如，CISM还可以负责收集容器的信息，并通过Mm10向MEPM发送容器的信息。CISM is used to manage container resources, including container creation, updating, querying, scaling, and terminating. In the architecture shown in Figure 1B, in addition to running on virtual machines, ME APP can also run on containers managed by CISM. In addition, CISM can also communicate with MEPM through Mm10. For example, CISM can also be responsible for collecting container information and sending container information to MEPM via Mm10.

可选的，图1B所示的MEC架构还可包括容器引擎(container runtime)。该容器引擎可用于管理容器的运行情况。在图1B中以虚线框示意该容器引擎为可选的部分。Optionally, the MEC architecture shown in FIG. 1B may also include a container engine (container runtime). The container engine can be used to manage the running of containers. In FIG. 1B , the container engine is indicated as an optional part by a dotted box.

另外，图1B中除了CISM之外的其他网元(例如，ME主机、VIM、MEPM、OSS、MEO等)的功能可以参照图1A论述的内容，此处不再一一列举。In addition, functions of network elements other than the CISM (eg, ME host, VIM, MEPM, OSS, MEO, etc.) in FIG. 1B can refer to the content discussed in FIG. 1A , and will not be listed here.

应理解，图1B介绍各个网元(如ME主机、VIM、MEPM、OSS、MEO、CISM等)仅为示例而非限定，在标准演进的过程中，上述各网元的名称可以发生变化，各网元执行的功能可以被进一步地拆分或组合，本申请实施例不做限制。It should be understood that the introduction of each network element (such as ME host, VIM, MEPM, OSS, MEO, CISM, etc.) in FIG. The functions performed by the network elements may be further divided or combined, which is not limited in this embodiment of the present application.

需要说明的是，上述图1A和图1B是对本申请实施例适用的MEC架构的两种示例，实际本申请实施例中的方法适用但不限于如图1A和图1B所示的MEC架构。It should be noted that the above-mentioned FIG. 1A and FIG. 1B are two examples of the MEC architecture applicable to the embodiment of the present application, and the actual method in the embodiment of the application is applicable to but not limited to the MEC architecture shown in FIG. 1A and FIG. 1B .

如图2所示，为本申请实施例提供的一种资源访问方法的流程示意图。As shown in FIG. 2 , it is a schematic flow chart of a resource access method provided by the embodiment of the present application.

S201，第二网元确定第一ME主机的信息。S201. The second network element determines information about the first ME host.

第二网元例如为图1A或图1B中所示的ME主机或者MEPM。如果第二网元为第一ME主机，那么该第一ME主机可直接采集第一ME主机的信息，相当于确定了第一ME主机的信息。如果第二网元为MEPM，MEPM可以从第一ME主机接收该第一ME主机的信息，相当于确定了第一ME主机的信息。需要说明的是，MEC架构包括一个或多个ME主机，本申请实施例中是以ME主机为第一ME主机为例进行介绍，该第一ME主机可视为一个或多个ME主机中的任意一个ME主机。The second network element is, for example, the ME host or MEPM shown in FIG. 1A or FIG. 1B . If the second network element is the first ME host, then the first ME host can directly collect the information of the first ME host, which is equivalent to determining the information of the first ME host. If the second network element is the MEPM, the MEPM may receive the information of the first ME host from the first ME host, which is equivalent to determining the information of the first ME host. It should be noted that the MEC architecture includes one or more ME hosts. In the embodiment of this application, the ME host is used as the first ME host as an example. The first ME host can be regarded as one or more ME hosts. Any ME host.

其中，第一ME主机的信息包括第一信息和/或第二信息。第一信息为第一资源的信息，第一资源为第一ME主机提供的资源，第二信息用于指示访问第一ME主机的行为。下面对第一信息和第二信息分别进行介绍。Wherein, the information of the first ME host includes the first information and/or the second information. The first information is the information of the first resource, the first resource is the resource provided by the first ME host, and the second information is used to indicate the behavior of accessing the first ME host. The first information and the second information are introduced respectively below.

1、第一信息。1. The first message.

该第一资源包括第一ME主机提供的硬件和/或软件。第一ME主机提供的硬件是指第一ME主机整机，以及第一ME主机包括的各个零部件，各个零部件例如包括第一ME主机中的网卡、第一ME主机中的中央处理器(central processing unit，CPU)、第一ME主机中的硬盘、或第一ME主机中的主板等硬件中的一项或多项。第一ME主机提供的软件例如包括第一ME主机的端口或第一ME主机部署的VM等软件中的一项或多项。需要说明的是，第一ME主机的端口是指软件上的逻辑端口，与物理上的端口相对，例如，第一ME主机安装的操作系统中可对其他网元开放的端口，又可以称为操作系统端口、协议端口或者网络端口等。这里的其他网元可理解为除了第一ME主机之外的网元。在没有特别指明的情况下，本申请实施例中涉及的端口是指软件上的逻辑端口。The first resource includes hardware and/or software provided by the first ME host. The hardware provided by the first ME host refers to the whole machine of the first ME host, and each component that the first ME host includes. Each component includes, for example, a network card in the first ME host, a central processing unit (CPU) in the first ME host. Central processing unit (CPU), the hard disk in the first ME mainframe, or one or more items of hardware such as the mainboard in the first ME mainframe. The software provided by the first ME host includes, for example, one or more items of software such as a port of the first ME host or a VM deployed by the first ME host. It should be noted that the port of the first ME host refers to the logical port on the software, as opposed to the physical port. For example, the port that can be opened to other network elements in the operating system installed on the first ME host can also be called Operating system port, protocol port or network port, etc. Other network elements here may be understood as network elements other than the first ME host. Unless otherwise specified, the ports involved in the embodiments of the present application refer to logical ports on software.

可选的，第一信息包括如下(1)至(4)中的一项或多项。Optionally, the first information includes one or more of the following (1) to (4).

(1)、第一资源的标识。(1) The identifier of the first resource.

第一资源是第一ME主机能够提供的资源的通称，但第一ME主机能够提供的资源可能包括一种或多种类型的资源，另外每种类型的资源的数量可能是一个或多个，相应的，第一资源也就包括该一种或多种类型的资源。该第一资源的标识包括该一种或多种类型中的每种类型的资源的标识。该第一资源还可包括每种类型资源中每个资源的标识。标识用于指示相应的资源。The first resource is a general term for the resources that the first ME host can provide, but the resources that the first ME host can provide may include one or more types of resources, and the number of each type of resource may be one or more, Correspondingly, the first resource also includes the one or more types of resources. The identification of the first resource includes an identification of each type of resource of the one or more types. The first resource may also include an identification of each resource of each type of resource. The ID is used to indicate the corresponding resource.

(2)、第一资源的类型信息。例如，第一资源的类型信息包括该一种或多种类型中每种类型的资源的类型信息。其中一种类型的资源的类型信息用于描述该类型的资源所对应的类型。可选的，该一种或多种类型可以是第一资源包括的资源所属的大类，一种或多种类型例如包括软件或硬件。或者，该一种或多种类型也可以是第一资源包括的资源具体所属的类型，例如包括CPU、端口、硬盘和主板等。(2) Type information of the first resource. For example, the type information of the first resource includes type information of each type of resource of the one or more types. The type information of one type of resource is used to describe the type corresponding to this type of resource. Optionally, the one or more types may be a general category to which the resources included in the first resource belong, and the one or more types include, for example, software or hardware. Alternatively, the one or more types may also be specific types of resources included in the first resource, such as CPU, port, hard disk, and motherboard.

(3)、该第一资源的数量以及第一资源的使用信息。(3) The quantity of the first resource and the usage information of the first resource.

第一资源的数量包括一种或多种类型中的每种类型的资源的数量可理解为属于该类型的资源的总数量。第一资源的使用信息包括该一种或多种类型中的每种类型的资源的使用信息。每种类型的资源的使用信息可理解为属于该类型的所有资源的使用信息。第一资源的使用信息还包括属于相应类型中的每个资源的使用信息。下面以每个资源的使用信息为例，对使用信息的含义进行介绍。至于每类资源的使用信息则包括属于该类资源中每个资源的使用信息，下文不再一一列举。The quantity of the first resource includes the quantity of each type of resource in one or more types, which may be understood as the total quantity of resources belonging to the type. The usage information of the first resource includes usage information of each type of resource of the one or more types. The use information of each type of resource can be understood as the use information of all resources belonging to that type. The usage information of the first resource also includes usage information of each resource belonging to the corresponding type. The following uses the usage information of each resource as an example to introduce the meaning of the usage information. As for the use information of each type of resource, it includes the use information of each resource belonging to this type of resource, which will not be listed one by one below.

其中一个资源的使用信息用于描述该资源的使用情况。例如一个资源的使用信息包括如下A、B、或C中的一项或多项。其中A为一个资源对应的可用状态信息或不可用状态信息，B为一个资源的使用状态信息，C为一个资源的使用进度信息。下面分别介绍这几种信息。The usage information for one of the resources is used to describe the usage of the resource. For example, the usage information of a resource includes one or more of the following A, B, or C. Wherein A is available status information or unavailable status information corresponding to a resource, B is usage status information of a resource, and C is usage progress information of a resource. These types of information are introduced below.

A，一个资源的可用状态信息或不可用状态信息。A, available status information or unavailable status information of a resource.

第一资源包括一个或多个资源，其中一个资源要么属于可用的资源，要么是属于不可用的资源。如果一个资源属于可用的资源，那么该第一信息可包括该资源的可用状态信息，一个资源的可用状态信息用于指示该资源属于可用的资源。例如，可用状态信息用“0”表示。第一资源中属于可用的资源各自的可用状态信息的集合可以称为第一资源的可用状态信息。The first resource includes one or more resources, one of which is either an available resource or an unavailable resource. If a resource is an available resource, the first information may include availability status information of the resource, and the availability status information of a resource is used to indicate that the resource is an available resource. For example, available status information is represented by "0". The set of available status information of available resources in the first resource may be referred to as the available status information of the first resource.

如果一个资源属于不可用的资源，那么第一信息可包括该资源的不可用状态信息，一个资源的不可用状态信息用于指示资源属于不可用的资源，例如，不可用状态信息用“1”表示。例如，一个资源为端口4，该端口4的可用状态信息设置为“1”，则表示该端口4属于不可用的资源。第一资源中属于不可用的资源各自的不可用状态信息的集合可以称为第一资源的不可用状态信息。If a resource is an unavailable resource, the first information may include unavailable status information of the resource, and the unavailable status information of a resource is used to indicate that the resource belongs to an unavailable resource. For example, the unavailable status information uses "1" express. For example, if a resource is port 4, and the availability status information of the port 4 is set to "1", it indicates that the port 4 is an unavailable resource. A collection of unavailable status information of unavailable resources in the first resource may be referred to as unavailable status information of the first resource.

可选的，第一信息可仅包括第一资源的可用状态信息。这种情况下，第一资源中不具有可用状态信息的资源则属于第一资源中不可用的资源。Optionally, the first information may only include availability status information of the first resource. In this case, resources that do not have availability status information among the first resources belong to unavailable resources among the first resources.

可选的，第一资源包括的资源属于可用的资源还是不可用的资源可以是预配置在第一ME主机中，或者也可以通过协议预定义，本申请实施例对此不做限定。或者，第一资源包括的资源属于可用的资源还是不可用的资源可根据实际需求设定，例如，ME主机虽然可以提供某些资源，但某些资源可用后可能会对ME主机造成风险，那么这些资源的可用状态信息可设置为属于不可用的资源，相应的，第一信息也就可包括这些资源的不可用状态信息。Optionally, whether the resource included in the first resource is an available resource or an unavailable resource may be pre-configured in the first ME host, or may also be predefined through a protocol, which is not limited in this embodiment of the present application. Alternatively, whether the resources included in the first resource are available resources or unavailable resources can be set according to actual needs. For example, although the ME host can provide some resources, some resources may cause risks to the ME host after they are available, then The availability status information of these resources may be set to belong to unavailable resources, and correspondingly, the first information may also include the unavailability status information of these resources.

B，一个资源的使用状态信息。B, the usage status information of a resource.

一个资源的使用状态信息用于指示该资源是否已被使用。一个资源的使用状态信息可能是用于指示资源未被使用的第三状态、或者用于指示资源被使用的第四状态。其中，资源被使用，可以理解为该资源所包括的全部资源或部分资源被使用。例如，第三状态用“0”表示，表示该资源未被使用，第四状态用“1”表示，表示该资源中的部分或全部已被使用。The usage state information of a resource is used to indicate whether the resource has been used. The usage status information of a resource may be a third status indicating that the resource is not used, or a fourth status indicating that the resource is used. Wherein, the resource is used may be understood as the use of all or part of the resources included in the resource. For example, the third state is represented by "0", indicating that the resource is not used, and the fourth state is represented by "1", representing that part or all of the resource has been used.

需要说明的是，资源是否可用与资源是否被使用没有必然的联系。例如，某类资源属于可用的资源，但该类资源有可能未被使用或被使用。又例如，某类资源属于不可用的资源，该类资源也有可能未被使用或被非法使用。It should be noted that whether a resource is available is not necessarily related to whether the resource is used. For example, a certain type of resource is an available resource, but this type of resource may not be used or may be used. For another example, a certain type of resource is an unavailable resource, and this type of resource may also be unused or illegally used.

C，一个资源的使用进度信息。C, the usage progress information of a resource.

一个资源的使用进度信息用于表示资源被使用的程度。例如，使用进度信息通过已经使用的该资源的部分与该资源的总量的之间的比值进行表示。例如，CPU的使用进度信息为20％，可以理解为当前已经使用该CPU的20％。The usage progress information of a resource is used to indicate the extent to which the resource is used. For example, the use progress information is represented by a ratio between the part of the resource that has been used and the total amount of the resource. For example, if the usage progress information of the CPU is 20%, it may be understood that 20% of the CPU has been used currently.

(4)、第一资源的重要程度。(4) The importance of the first resource.

第一资源的重要程度包括一种或多种类型中的每种类型的资源的重要程度，每种类型的资源的重要程度用于表征该资源的重要性。同种类型的资源的重要程度可以是相同的，不同类型的资源的重要程度可能相同，也可能不同。每种类型的资源的重要程度可以预配置在第一网元中，或者协议规定的，本申请实施例对此不做限定。重要程度的表示方式可以有多种，例如，资源的重要程度可以以数字表示，数字越大，表明该资源的重要程度越高。The importance of the first resource includes the importance of each type of resource in one or more types, and the importance of each type of resource is used to represent the importance of the resource. The importance of resources of the same type may be the same, and the importance of resources of different types may be the same or different. The importance of each type of resource may be pre-configured in the first network element, or stipulated in a protocol, which is not limited in this embodiment of the present application. There are many ways to express the importance. For example, the importance of a resource can be expressed by a number. The larger the number, the higher the importance of the resource.

2、第二信息。2. Second information.

第二信息用于描述访问第一ME主机的行为。访问第一ME主机的行为可进一步理解为访问第一ME主机所提供的资源的行为。The second information is used to describe the behavior of accessing the first ME host. The behavior of accessing the first ME host can be further understood as the behavior of accessing the resources provided by the first ME host.

可选的，第二信息包括历史访问请求所请求的第一ME主机的资源的信息和访问第一ME主机的具体事件信息。历史访问请求是指在当前时刻之前用于请求访问第一ME主机的资源的请求。历史访问请求可能有一个或多个，该第二信息对应包括一个或多个历史访问请求中每个历史访问请求所请求的第一ME主机的资源的信息和访问第一ME主机的具体事件信息。Optionally, the second information includes resource information of the first ME host requested by the historical access request and specific event information of accessing the first ME host. A historical access request refers to a request for accessing resources of the first ME host before the current time. There may be one or more historical access requests, and the second information corresponds to the resource information of the first ME host requested by each of the one or more historical access requests and the specific event information of accessing the first ME host .

示例性的，第二信息例如包括接口调用信息、容器引擎运行信息或第一ME主机的系统运行信息等信息中的一项或多项。接口调用信息例如为调用基于内核的虚拟机(kernel-based virtual machine，KVM)接口的信息。其中，KVM接口用于在第一ME主机安装的操作系统中创建虚拟机监控程序，使得第一ME主机能够运行多个隔离的虚拟环境(如VM)。容器引擎运行信息用于描述容器引擎的行为。其中，容器引擎可部署在ME主机中，容器引擎可为ME主机提供相互隔离的运行环境(如容器)。Exemplarily, the second information includes, for example, one or more items of information such as interface call information, container engine running information, or system running information of the first ME host. The interface calling information is, for example, information about calling a kernel-based virtual machine (kernel-based virtual machine, KVM) interface. Wherein, the KVM interface is used to create a virtual machine monitoring program in the operating system installed on the first ME host, so that the first ME host can run multiple isolated virtual environments (such as VM). The container engine running information is used to describe the behavior of the container engine. Wherein, the container engine can be deployed in the ME host, and the container engine can provide mutually isolated operating environments (such as containers) for the ME host.

S202，第二网元向第一网元发送第一ME主机的信息。相应的，第一网元从第二网元接收该第一ME主机的信息。S202. The second network element sends information about the first ME host to the first network element. Correspondingly, the first network element receives the information of the first ME host from the second network element.

第一ME主机的信息可参照前文。第一网元例如为图1A或图1B所示的MEPM、OSS或者MEO。如果第一网元为MEPM，第二网元可为第一ME主机。如果第一网元为OSS或MEO，那么第二网元可为MEPM。For information about the first ME host, refer to the foregoing. The first network element is, for example, the MEPM, OSS or MEO shown in FIG. 1A or FIG. 1B . If the first network element is a MEPM, the second network element may be the first ME host. If the first network element is OSS or MEO, then the second network element can be MEPM.

S203，第一网元根据第一ME主机的信息，确定风险状态。S203, the first network element determines the risk status according to the information of the first ME host.

风险状态用于指示第一ME主机是否存在安全风险。该风险状态分为两种，即第一ME主机不存在安全风险和第一ME主机存在安全风险。第一ME主机不存在安全风险可理解为第一ME主机不存在被入侵的风险。第一ME主机存在安全风险可理解为第一ME主机存在被入侵的风险。下面对两种风险状态的确定方式进行介绍。The risk status is used to indicate whether the first ME host has a security risk. The risk state is divided into two types, that is, the first ME host does not have a security risk and the first ME host has a security risk. That the first ME host does not have a security risk can be understood as that the first ME host does not have the risk of being invaded. The fact that the first ME host has a security risk can be understood as that the first ME host has a risk of being invaded. The following is an introduction to the determination methods of the two risk states.

由于第一ME主机的安全风险可能是已存在，或者可能是因第四网元访问可能造成第一ME主机的安全风险。第四网元为MEC架构中可访问第一ME主机的网元，第四网元，例如OSS、VIM或CISM等。相应的，第一ME主机的风险状态也可以分别以第一ME主机和第四网元为风险排查主体进行确定。下面分别以第一ME主机和第四网元为不同的风险排查主体的情况下，第一ME主机的风险状态的含义进行分别介绍。The security risk of the first ME host may already exist, or the security risk of the first ME host may be caused by the access of the fourth network element. The fourth network element is a network element in the MEC architecture that can access the first ME host, such as OSS, VIM or CISM. Correspondingly, the risk status of the first ME host may also be determined with the first ME host and the fourth network element as risk investigation subjects. The meanings of the risk status of the first ME host are respectively introduced below when the first ME host and the fourth network element are used as different risk investigation subjects.

第一种，以第一ME主机为风险排查主体。The first one is to take the first ME host as the subject of risk investigation.

以第一ME主机为风险排查主体，如果确定第一ME主机为风险主体的概率小于或等于第一概率，则视为该第一ME主机当前是安全的，即第一ME主机的风险状态为第一ME主机不存在被入侵的风险。第一概率可以预配置在第一网元中。第一概率的取值可以根据需求设置，本申请实施例对此不做限定。Taking the first ME host as the subject of risk investigation, if it is determined that the probability of the first ME host being the risk subject is less than or equal to the first probability, it is considered that the first ME host is currently safe, that is, the risk status of the first ME host is There is no risk of being invaded by the first ME host. The first probability may be preconfigured in the first network element. The value of the first probability may be set according to requirements, which is not limited in this embodiment of the present application.

以第一ME主机为风险排查主体，如果确定第一ME主机属于风险主体的概率大于或等于第二概率，则视为该第一ME主机当前是不安全的，即第一ME主机的风险状态为第一ME主机不存在被入侵的风险。第二概率可以预配置在第一网元中，第二概率的取值可以根据需求设置，本申请实施例对此不做限定。第二概率的取值大于或等于第一概率的取值。Taking the first ME host as the subject of risk investigation, if it is determined that the probability that the first ME host belongs to the risk subject is greater than or equal to the second probability, it is considered that the first ME host is currently unsafe, that is, the risk status of the first ME host There is no risk of intrusion for the first ME host. The second probability may be pre-configured in the first network element, and the value of the second probability may be set according to requirements, which is not limited in this embodiment of the present application. The value of the second probability is greater than or equal to the value of the first probability.

可选的，如果第二概率的取值大于第一概率的取值，那么以第一ME主机为安全风险排查主体，如果确定第一ME主机属于风险主体的概率大于第一概率且小于第二概率，确定第一ME主机的风险状态暂无法判断。Optionally, if the value of the second probability is greater than the value of the first probability, then take the first ME host as the security risk investigation subject, if it is determined that the probability that the first ME host belongs to the risk subject is greater than the first probability and less than the second Probability, determining the risk status of the first ME host cannot be judged temporarily.

第二种，以第四网元为风险排查主体。The second is to use the fourth network element as the main body of risk investigation.

以第四网元为安全风险排查主体，如果确定第四网元属于风险主体的概率小于或等于第三概率，则视为该第四网元当前是安全的，由于第四网元是安全的，确定第四网元访问ME主机属于合法的访问过程，相应的，确定ME主机不存在被入侵的风险。第三概率可以预配置在第一网元中。第三概率的取值可以根据需求设置，本申请实施例对此不做限定。第三概率的取值与第一概率的取值可以相同，例如，第三概率的取值和第一概率的取值均为0；或者，第三概率的取值与第一概率的取值也可以不同。Take the fourth network element as the subject of security risk investigation, if it is determined that the probability that the fourth network element belongs to the risk subject is less than or equal to the third probability, it is considered that the fourth network element is currently safe, because the fourth network element is safe , it is determined that the fourth network element's access to the ME host is a legal access process, and correspondingly, it is determined that there is no risk of the ME host being intruded. The third probability may be preconfigured in the first network element. The value of the third probability may be set according to requirements, which is not limited in this embodiment of the present application. The value of the third probability and the value of the first probability can be the same, for example, the value of the third probability and the value of the first probability are both 0; or, the value of the third probability and the value of the first probability It can also be different.

以第四网元为风险排查主体，如果确定第四网元属于风险主体的概率大于第四概率，则视为第四网元当前是不安全的，由于第四网元是安全的，确定第四网元访问ME主机属于不合法的访问过程，相应的，确定ME主机存在被入侵的风险。第四概率可以预配置在第一网元中，第四概率的取值可以根据需求设置，本申请实施例对此不做限定。第四概率的取值大于或等于第三概率的取值。Taking the fourth network element as the subject of risk investigation, if it is determined that the probability that the fourth network element belongs to the risk subject is greater than the fourth probability, it is considered that the fourth network element is currently unsafe. Since the fourth network element is safe, it is determined that the fourth network element Accessing the ME host by the four network elements is an illegal access process, and accordingly, it is determined that the ME host is at risk of being invaded. The fourth probability may be pre-configured in the first network element, and the value of the fourth probability may be set according to requirements, which is not limited in this embodiment of the present application. The value of the fourth probability is greater than or equal to the value of the third probability.

可选的，如果第四概率的取值大于或等于第三概率的取值，那么以第一ME主机为安全风险排查主体，如果确定第一ME主机属于风险主体的概率大于第三概率小于第四概率，确定第一ME主机的风险状态暂无法判断。Optionally, if the value of the fourth probability is greater than or equal to the value of the third probability, then take the first ME host as the security risk investigation subject, if it is determined that the probability that the first ME host belongs to the risk subject is greater than the third probability and less than the third probability Four probabilities, determining the risk status of the first ME host cannot be judged temporarily.

由于第一网元根据第一ME主机的信息确定风险状态的方式与风险排查主体相关，下面介绍风险状态的确定方式。Since the manner in which the first network element determines the risk status based on the information of the first ME host is related to the subject of risk investigation, the following describes how to determine the risk status.

方式一，以第一ME主机为风险排查主体，第一网元根据第一ME主机的信息，确定第一ME主机的风险状态。Method 1: The first ME host is used as the subject of risk investigation, and the first network element determines the risk status of the first ME host according to the information of the first ME host.

第一网元确定第一ME主机的信息，对第一ME主机进行分析，从而确定该第一ME主机的风险状态为第一ME主机存在被入侵的风险，或者不存在被入侵的风险。The first network element determines the information of the first ME host, analyzes the first ME host, and determines that the risk status of the first ME host is that the first ME host has a risk of being intruded, or that there is no risk of being intruded.

其中，第一ME主机的信息不同，第一网元的分析内容以及确定方式也会相应不同，下面分别介绍。Wherein, the information of the first ME host is different, and the analysis content and determination method of the first network element will be correspondingly different, which will be introduced respectively below.

方式一的第一种实现方式，ME主机的信息包括第一信息，第一网元根据第一信息确定第一ME主机的风险状态。In a first implementation manner of mode 1, the information of the ME host includes first information, and the first network element determines the risk status of the first ME host according to the first information.

第一信息的含义可参照前文。第一网元对第一信息进行分析，可确定第一信息对应的第二资源是否异常。第二资源为第一资源中的部分或全部资源。如果第二资源异常，确定第一ME主机的风险状态为第一ME主机存在被入侵的风险。如果第二资源正常，或者不存在异常，则确定第一ME主机的风险状态为第一ME主机不存在被入侵的风险。For the meaning of the first information, refer to the foregoing. The first network element analyzes the first information to determine whether the second resource corresponding to the first information is abnormal. The second resource is part or all of the first resource. If the second resource is abnormal, it is determined that the risk status of the first ME host is that the first ME host has a risk of being invaded. If the second resource is normal, or there is no abnormality, it is determined that the risk status of the first ME host is that the first ME host does not have a risk of being invaded.

如果第二资源包括的资源的类型不同，那么分析第二资源是否异常，也有不同分析方式，下面分别介绍。If the types of resources included in the second resource are different, then there are different analysis methods for analyzing whether the second resource is abnormal, which will be introduced separately below.

方式一的第一种实现方式下的子实现方式1，第二资源包括硬件。In the sub-implementation mode 1 of the first implementation mode of the mode 1, the second resource includes hardware.

如果第二资源包括硬件，硬件可能被植入恶意软件的硬件替换，或者该硬件可能被不法拆卸，或者第一ME主机被装载额外的非法硬件等，这些情况均可能导致第一ME主机中的数据被盗取，甚至导致第一ME主机以及第一ME主机所在的ME站点瘫痪等。由此可见，分析第一ME主机的硬件是否异常具有重要意义。因此，本申请实施例提供一种判断硬件是否异常的机制。例如，第一网元分析第一ME主机中的第一硬件的标识的变化情况，以确定第一硬件是否存在异常，第一硬件包括第一ME主机中的部分或全部硬件。如果第一硬件包括第一ME主机中的多个硬件，那么这多个硬件可以是同种类型的硬件，或者也可以是多种类型的硬件。If the second resource includes hardware, the hardware may be replaced by hardware implanted with malicious software, or the hardware may be illegally disassembled, or the first ME host may be loaded with additional illegal hardware, etc. The data is stolen, and even lead to paralysis of the first ME host and the ME site where the first ME host is located. It can be seen that it is of great significance to analyze whether the hardware of the first ME host is abnormal. Therefore, the embodiment of the present application provides a mechanism for judging whether the hardware is abnormal. For example, the first network element analyzes the change of the identification of the first hardware in the first ME host to determine whether the first hardware is abnormal, and the first hardware includes part or all of the hardware in the first ME host. If the first hardware includes multiple pieces of hardware in the first ME host, the pieces of hardware may be the same type of hardware, or may be multiple types of hardware.

在第一种可能的实施方式中，第一信息包括第一硬件的第一标识，第一标识例如是从第二网元接收的。第一网元根据第一标识与第一网元预存的第二标识之间的匹配结果，确定第一硬件是否存在异常。如果第一网元确定第一标识与第二标识匹配成功，表示第一硬件的标识未发生变化，第一网元可确定第一硬件没有出现异常，即第一硬件正常，进而确定第一ME主机不存在被入侵的风险。而如果第一标识与第二标识不匹配，或者说匹配失败，表示第一硬件的标识发生了变化，第一网元可确定第一硬件异常，从而确定第一ME主机存在被入侵的风险。In a first possible implementation manner, the first information includes a first identifier of the first hardware, for example, the first identifier is received from the second network element. The first network element determines whether the first hardware is abnormal according to a matching result between the first identifier and the second identifier prestored by the first network element. If the first network element determines that the first identifier matches the second identifier successfully, indicating that the identifier of the first hardware has not changed, the first network element can determine that the first hardware is not abnormal, that is, the first hardware is normal, and then determine the first ME There is no risk of the host being compromised. And if the first identification does not match the second identification, or if the matching fails, it means that the identification of the first hardware has changed, and the first network element can determine that the first hardware is abnormal, thereby determining that the first ME host has a risk of being invaded.

示例性的，如果第一标识与第二标识相同，或者采用预设算法，对第二标识进行处理之后的结果与第一标识相同，或者采用预设算法对第一标识进行处理后的结果与第二标识相同，确定第一标识与第二标识匹配。其中，预设算法例如哈希算法或椭圆曲线密码学(elliptic curve cryptography)，本申请实施例对此不做限定。如果第一标识与第二标识不相同，或者采用预设算法，对第二标识进行处理之后的结果与第一标识不相同，或者采用预设算法对第一标识进行处理后的结果与第二标识不相同，确定第一标识与第二标识不匹配。Exemplarily, if the first identifier is the same as the second identifier, or a preset algorithm is used, the result of processing the second identifier is the same as the first identifier, or the result of processing the first identifier using a preset algorithm is the same as The second identifier is the same, and it is determined that the first identifier matches the second identifier. Wherein, the preset algorithm is, for example, hash algorithm or elliptic curve cryptography (elliptic curve cryptography), which is not limited in this embodiment of the present application. If the first logo is not the same as the second logo, or the result of processing the second logo is different from the first logo using a preset algorithm, or the result of processing the first logo using a preset algorithm is different from the second logo. The identifiers are different, and it is determined that the first identifier does not match the second identifier.

下面以第一标识为例，对本申请实施例中的第一标识的表示形式进行介绍。The following uses the first identifier as an example to introduce the representation form of the first identifier in the embodiment of the present application.

如果第一硬件包括第一ME主机中的一个硬件，那么该第一标识可为第一硬件的硬件标识，第一硬件的硬件标识包括第一硬件的媒体存取控制(media access control，MAC)地址、序列号、通用唯一识别码(universally unique identifier，UUID)、或全局唯一标识符(globally unique identifier，GUID)等。If the first hardware includes a piece of hardware in the first ME host, the first identification may be a hardware identification of the first hardware, and the hardware identification of the first hardware includes a media access control (media access control, MAC) of the first hardware Address, serial number, universally unique identifier (UUID), or globally unique identifier (globally unique identifier, GUID), etc.

或者，第一标识也可以是根据预设算法对第一硬件的硬件标识进行处理生成的。第一算法可预配置在第一网元中。预设算法可参照前文。Alternatively, the first identification may also be generated by processing the hardware identification of the first hardware according to a preset algorithm. The first algorithm may be preconfigured in the first network element. For the preset algorithm, please refer to the above.

例如，第一硬件为网卡，该网卡的MAC地址为123，那么第一标识为123。或者，第一网元可根据哈希算法对该网卡的MAC地址进行计算，将得到的信息作为第一标识，第一标识例如为“40bd001563085fc35165329ea1ff5c5ecbdbbeef”。For example, if the first hardware is a network card, and the MAC address of the network card is 123, then the first identifier is 123. Alternatively, the first network element may calculate the MAC address of the network card according to a hash algorithm, and use the obtained information as the first identifier, for example, "40bd001563085fc35165329ea1ff5c5ecbdbbeef".

如果第一硬件包括多个硬件，该第一标识可以是根据这多个硬件的标识获得的，例如一个硬件对应一个标识。可选的，第一标识为多个硬件的多个硬件标识的组合，多个标识的组合顺序可以是预配置在第一网元中。或者，第一标识可以是根据预设算法对多个硬件标识的组合进行处理生成的。If the first hardware includes multiple pieces of hardware, the first identification may be obtained from the identifications of the multiple pieces of hardware, for example, one piece of hardware corresponds to one piece of identification. Optionally, the first identifier is a combination of multiple hardware identifiers of multiple hardware, and the combination sequence of the multiple identifiers may be pre-configured in the first network element. Alternatively, the first identifier may be generated by processing a combination of multiple hardware identifiers according to a preset algorithm.

例如，第一硬件包括多个硬件，多个硬件包括第一网卡、CPU、硬盘和主板。网卡的硬件标识为网卡的MAC地址；CPU的硬件标识为CPU的硬件型号；第一ME主机整机的硬件标识为第一ME主机的GUID；主板的硬件标识为主板的UUID。其中，网卡的MAC地址为123，CPU的硬件型号为AS，第一ME主机的GUID为234，主板的UUID为789。例如，第一标识采用多个硬件标识的组合的表示，例如第一标识为123AS234789。或者，第一标识为采用哈希算法对多个硬件标识的组合(即123AS234789)进行计算得到的信息，例如第一标识为f314669c651cc4b6f1d7014397766325b0ca5189。For example, the first hardware includes a plurality of hardware, and the plurality of hardware includes a first network card, a CPU, a hard disk, and a motherboard. The hardware identification of the network card is the MAC address of the network card; the hardware identification of the CPU is the hardware model of the CPU; the hardware identification of the first ME host machine is the GUID of the first ME host; the hardware identification of the main board is the UUID of the main board. Among them, the MAC address of the network card is 123, the hardware model of the CPU is AS, the GUID of the first ME host is 234, and the UUID of the main board is 789. For example, the first identifier is represented by a combination of multiple hardware identifiers, for example, the first identifier is 123AS234789. Alternatively, the first identifier is information obtained by calculating a combination of multiple hardware identifiers (namely 123AS234789) using a hash algorithm, for example, the first identifier is f314669c651cc4b6f1d7014397766325b0ca5189.

需要说明的是，第二标识的表现形式也可参照第一标识的表现形式，第二标识的表现形式与第一标识的表现形式可以相同，也可以不同。例如，第一标识为采用预设算法对硬件标识进行处理得到的，第二标识为硬件标识。这种情况下，如果采用预设算法对第二标识进行处理后的结果如果与第一标识相同，则第一网元确定第一标识与第二标识匹配。It should be noted that the expression form of the second logo can also refer to the expression form of the first logo, and the expression form of the second logo can be the same as or different from that of the first logo. For example, the first identification is obtained by processing the hardware identification using a preset algorithm, and the second identification is the hardware identification. In this case, if the result of processing the second identifier by using a preset algorithm is the same as the first identifier, the first network element determines that the first identifier matches the second identifier.

综上可知，该第一标识是第二网元采集的第一ME主机中的第一硬件当前的标识，该第一标识表示的是第一ME主机的第一硬件。而第一网元预存的第二标识可以是第一ME主机上报的该第一硬件的标识。或者，第二标识是第一网元主动向第一ME主机请求得到的。由于第一网元确定第一标识与第一网元确定第二标识在时间上可能存在一定的时间间隔，例如，第二标识是第一网元在接收第一标识之前从第一ME主机接收的，那么第二标识可以理解为第一硬件之前的标识。如果第一ME主机在这时间间隔内被非法入侵，那么可能出现第一标识与第二标识不匹配的情况，因此根据第一标识与第二标识的匹配情况，从而能够确定第一硬件是否异常。In summary, the first identifier is the current identifier of the first hardware in the first ME host collected by the second network element, and the first identifier indicates the first hardware of the first ME host. The second identifier pre-stored by the first network element may be the identifier of the first hardware reported by the first ME host. Alternatively, the second identifier is obtained by the first network element actively requesting from the first ME host. Since there may be a certain time interval between the first network element determining the first identification and the first network element determining the second identification, for example, the second identification is received by the first network element from the first ME host before receiving the first identification. , then the second identification can be understood as the identification before the first hardware. If the first ME host is illegally invaded within this time interval, the first identification may not match the second identification, so according to the matching of the first identification and the second identification, it can be determined whether the first hardware is abnormal .

在第二种可能的实施方式中，第一信息包括第一硬件的第一标识，第一标识的含义和表现形式可参照前文。第一网元根据第一标识与第三标识之间的匹配结果，确定第一硬件是否存在异常。第三标识例如第一网元从第三网元接收的，用于表示第一硬件变更后的第二硬件的标识，第三网元例如为图1A或图1B中的OSS等。如果第一网元确定第一标识与第三标识匹配，表示第一硬件当前的标识与第二硬件的第三标识匹配，第一网元可确定第一硬件没有出现异常，即第一硬件正常，进而确定第一ME主机不存在被入侵的风险。如果第一网元确定第一标识与第三标识不匹配，或者说匹配失败，那么表示第一硬件当前的第一标识与第二硬件的第三标识不匹配，第一网元确定第一硬件异常，从而确定第一ME主机存在被入侵的风险。其中，匹配成功和匹配不成功的含义可参照前文论述内容。In a second possible implementation manner, the first information includes a first identifier of the first hardware, and the meaning and expression form of the first identifier may refer to the foregoing. The first network element determines whether the first hardware is abnormal according to the matching result between the first identifier and the third identifier. The third identifier, for example, is received by the first network element from the third network element, and is used to represent the identifier of the second hardware after the first hardware is changed, and the third network element is, for example, the OSS in FIG. 1A or FIG. 1B . If the first network element determines that the first identifier matches the third identifier, which means that the current identifier of the first hardware matches the third identifier of the second hardware, the first network element can determine that there is no abnormality in the first hardware, that is, the first hardware is normal , so as to determine that the first ME host does not have the risk of being invaded. If the first network element determines that the first identification does not match the third identification, or that the matching fails, it means that the current first identification of the first hardware does not match the third identification of the second hardware, and the first network element determines that the first hardware abnormality, so that it is determined that the first ME host has a risk of being invaded. Wherein, the meanings of successful matching and unsuccessful matching can refer to the content discussed above.

其中，如果第一硬件正常变更为第二硬件，第三网元可以记录该第二硬件的第三标识和第一硬件的第一标识。此时，第一网元从第二网元接收的第一硬件的第一标识实际上就是该第一硬件变更后的第二硬件的标识，即第三标识。相应的，第一网元确定该第一标识与第三标识匹配。如果第一硬件被非法入侵，而第一硬件的标识被非法改变，那么第三网元中则无法记录非法改变后的标识，此时，第一网元从第二网元接收的第一标识实际则是第一硬件被非法入侵后的标识，因此第一标识则无法与第三标识匹配。Wherein, if the first hardware is normally changed to the second hardware, the third network element may record the third identifier of the second hardware and the first identifier of the first hardware. At this time, the first identifier of the first hardware received by the first network element from the second network element is actually the identifier of the second hardware after the first hardware has been changed, that is, the third identifier. Correspondingly, the first network element determines that the first identifier matches the third identifier. If the first hardware is illegally invaded and the identification of the first hardware is illegally changed, then the illegally changed identification cannot be recorded in the third network element. At this time, the first identification received by the first network element from the second network element In fact, it is the identification after the first hardware has been illegally invaded, so the first identification cannot match the third identification.

可选的，在第一硬件正常变更时，第三网元还可以记录第一硬件发生变更的时间，以及记录第一硬件的第一标识等。Optionally, when the first hardware is changed normally, the third network element may also record the time when the first hardware is changed, record the first identifier of the first hardware, and the like.

需要说明的是，第三标识的表现形式也可参照第一标识的表现形式，第三标识的表现形式与第一标识的表现形式可以相同，也可以不同。例如，第一标识为采用预设算法对硬件标识进行处理得到的，第三标识为硬件标识。这种情况下，如果采用预设算法对第三标识进行处理后的结果如果与第一标识相同，则确定第一标识与第三标识匹配。It should be noted that the expression form of the third mark may also refer to the expression form of the first mark, and the expression form of the third mark may be the same as or different from that of the first mark. For example, the first identification is obtained by processing the hardware identification by using a preset algorithm, and the third identification is the hardware identification. In this case, if the result of processing the third identifier using a preset algorithm is the same as the first identifier, it is determined that the first identifier matches the third identifier.

在第三种可能的实施方式中，第一信息包括第一硬件的第一标识。第一网元根据第一标识与第二标识的匹配结果，以及第一标识与第三标识的匹配结果，确定第一硬件是否存在异常。如果第一标识与第二标识不匹配，且第一标识与第三标识也不匹配，表示第一硬件当前的第一标识与预存的第二标识不同，且与变更后的第二硬件的第三标识也不同，那么表示第一硬件很有可能存在被非法替换等情况，第一网元确定第一硬件异常，从而确定第一ME主机存在被入侵的风险。如果第一标识与第二标识匹配，第一标识和第三标识也匹配，或者如果第一标识与第二标识匹配，第一标识与第三标识不匹配，或者如果第一标识与第二标识不匹配，第一标识与第三标识匹配，第一网元确定第一硬件正常，从而确定第一ME主机不存在被入侵的风险。In a third possible implementation manner, the first information includes a first identifier of the first hardware. The first network element determines whether the first hardware is abnormal according to the matching result of the first identification and the second identification, and the matching result of the first identification and the third identification. If the first identification does not match the second identification, and the first identification does not match the third identification, it means that the current first identification of the first hardware is different from the pre-stored second identification, and is different from the second identification of the changed second hardware. The three identifications are also different, which means that the first hardware is likely to be illegally replaced. The first network element determines that the first hardware is abnormal, thereby determining that the first ME host has a risk of being invaded. If the first identifier matches the second identifier, the first identifier and the third identifier also match, or if the first identifier matches the second identifier, the first identifier does not match the third identifier, or if the first identifier matches the second identifier No match, the first identifier matches the third identifier, and the first network element determines that the first hardware is normal, thereby determining that the first ME host does not have a risk of being invaded.

第一种实现方式下的子实现方式2，第二资源包括软件。In the sub-implementation mode 2 of the first implementation mode, the second resource includes software.

如果第二资源包括软件，那么该软件可能存在被篡改、被植入非法软件的情况，这些可能导致第一ME主机的不可用软件被启用，甚至导致第一ME主机瘫痪以及第一ME主机所在的ME站点瘫痪等，由此可见，分析第一ME主机的软件是否异常具有重要意义。为此，本申请实施例提供一种判断软件是否异常的机制。例如，第一网元可以根据第一ME主机是否已开放但未授权的端口，分析第一ME主机中的端口是否存在异常。如果第一类端口中的一个或多个端口不属于第二类端口，那么表示这一个或多个端口属于未授权的端口，第一网元确定这一个或多个端口异常，从而确定第一ME主机存在被入侵的风险。如果第一类端口中的所有端口均属于第二类端口，第一网元确定第一类端口均正常，从而确定第一ME主机不存在被入侵的风险。If the second resource includes software, the software may be tampered with or implanted with illegal software, which may cause the unavailable software of the first ME host to be enabled, or even cause the first ME host to be paralyzed and where the first ME host is located. It can be seen that it is of great significance to analyze whether the software of the first ME host is abnormal. For this reason, the embodiment of the present application provides a mechanism for judging whether the software is abnormal. For example, the first network element may analyze whether the ports in the first ME host are abnormal according to whether the ports on the first ME host are opened but not authorized. If one or more ports in the first type of ports do not belong to the second type of ports, it means that the one or more ports belong to unauthorized ports, and the first network element determines that the one or more ports are abnormal, thereby determining that the first The ME host is at risk of being hacked. If all the ports in the first type of ports belong to the second type of ports, the first network element determines that all the first type of ports are normal, thereby determining that the first ME host does not have a risk of being invaded.

其中，第一信息包括第一类端口的信息，第二资源包括ME主机中的第一类端口。第一类端口是指第一ME主机中已开放的端口，第一类端口可进一步理解为第一ME主机中已开放的端口的集合，第一类端口可包括一个或多个端口。第四网元可通过第一类端口访问第一ME主机。第四网元的含义可参照前文。第一类端口的信息例如，属于第一类端口的端口的端口号。Wherein, the first information includes the information of the first type of port, and the second resource includes the first type of port in the ME host. The first type of ports refers to the ports that have been opened in the first ME host. The first type of ports may be further understood as a collection of opened ports in the first ME host. The first type of ports may include one or more ports. The fourth network element can access the first ME host through the first type of port. For the meaning of the fourth network element, reference may be made to the foregoing. The information of the first type of port is, for example, the port number of the port belonging to the first type of port.

正常情况下，第一ME主机中的端口不是直接对外开放的，而是需要通过第三网元向第一ME主机申请开放，第三网元会记录已向第一ME主机申请开放的端口的信息，即第二类端口的信息。第二类端口的信息例如，属于第二类端口的端口的端口号。但如果第一ME主机被非法入侵，那么第一ME主机中的某些端口可能被非法开启，但这种情况下，第三网元无法获得这些端口的信息。因此本申请实施例中，第一网元可对比第一类端口是否均属于第二类端口，从而分析第一ME主机是否开放了未授权的端口，从而确定ME主机中的端口是否异常。Under normal circumstances, the ports in the first ME host are not directly open to the outside world, but need to apply for opening to the first ME host through the third network element, and the third network element will record the ports that have been applied for opening to the first ME host. Information, that is, the information of the second type of port. The information of the second type of port is, for example, the port number of the port belonging to the second type of port. However, if the first ME host is illegally invaded, some ports in the first ME host may be illegally opened, but in this case, the third network element cannot obtain the information of these ports. Therefore, in the embodiment of the present application, the first network element can compare whether the ports of the first type belong to the ports of the second type, thereby analyzing whether the first ME host has opened an unauthorized port, thereby determining whether the ports in the ME host are abnormal.

需要说明的是，第一类端口可能包括属于第一状态的端口，还可能包括属于第二状态的端口，本申请实施例对此不做限定。It should be noted that the first type of ports may include ports belonging to the first state, and may also include ports belonging to the second state, which is not limited in this embodiment of the present application.

如果第一类端口包括属于第二状态的端口，也就意味着第一ME主机开启了本不可用的端口，那么第一ME主机存在安全风险的可能性更大。可选的，第一网元可在确定第一类端口中包括属于第二状态的端口的情况下，对比第一类端口与第二类端口，确定第一ME主机的风险状态。这样确定出的第一ME主机的风险状态为第一ME主机存在安全风险的可能性更高。并且，可相对减少第一网元确定端口异常的次数，从而减少第一网元的处理量。If the ports of the first type include ports belonging to the second state, it means that the first ME host has opened an unusable port, and the first ME host is more likely to have a security risk. Optionally, the first network element may determine the risk status of the first ME host by comparing the ports of the first type with the ports of the second type when determining that the ports of the first type include ports belonging to the second state. The risk status of the first ME host determined in this way is that the possibility that the first ME host has a security risk is higher. In addition, the number of times the first network element determines that the port is abnormal can be relatively reduced, thereby reducing the processing amount of the first network element.

第一种实现方式下的子实现方式3，第二资源包括硬件和软件。In the sub-implementation mode 3 of the first implementation mode, the second resource includes hardware and software.

如果第一网元确定硬件和软件中的至少一种出现异常，那么第一网元确定第一ME主机存在被入侵的风险。如果第一网元确定硬件和软件均正常，第一网元确定第一ME主机不存在被入侵的风险。确定硬件是否异常，以及确定软件是否异常的方式可以参照前文，此处不再一一列举。If the first network element determines that at least one of hardware and software is abnormal, then the first network element determines that the first ME host has a risk of being invaded. If the first network element determines that both the hardware and the software are normal, the first network element determines that the first ME host does not have a risk of being invaded. The methods for determining whether the hardware is abnormal and whether the software is abnormal can be referred to above, and will not be listed here.

第二种实现方式，第一ME主机的信息包括第二信息，第一网元根据第二信息确定第一ME主机的风险状态。In a second implementation manner, the information of the first ME host includes the second information, and the first network element determines the risk status of the first ME host according to the second information.

具体的，第一网元确定第二信息对应的行为是否异常，进而确定第一ME主机的风险状态。如果第二信息对应的行为异常，第一网元确定风险状态为第一ME主机存在被入侵的风险。如果第二信息对应的行为正常，确定风险状态为移动边缘主机不存在被入侵的风险。Specifically, the first network element determines whether the behavior corresponding to the second information is abnormal, and then determines the risk status of the first ME host. If the behavior corresponding to the second information is abnormal, the first network element determines that the risk status is that the first ME host has a risk of being invaded. If the behavior corresponding to the second information is normal, it is determined that the risk status is that the mobile edge host does not have a risk of being invaded.

示例性的，第一网元可预配置有至少一种异常行为。如果第一网元确定第二信息对应的行为属于至少一种异常行为，那么第一网元确定第一ME主机存在被入侵的风险。如果第一网元确定第二信息对应的行为均不属于至少一种异常行为，那么第一网元确定第一ME主机不存在被入侵的风险。Exemplarily, the first network element may be preconfigured with at least one abnormal behavior. If the first network element determines that the behavior corresponding to the second information belongs to at least one abnormal behavior, then the first network element determines that the first ME host has a risk of being invaded. If the first network element determines that the behavior corresponding to the second information does not belong to at least one abnormal behavior, then the first network element determines that the first ME host does not have a risk of being invaded.

例如，第一网元预配置有至少一个异常行为包括豆荚(pod)访问不属于该pod管理的容器，则属于异常行为。如果第一网元根据第二信息，确定该pod访问了不属于该pod管理的容器，则第一网元确定该第一ME主机的行为异常，进而确定该第一ME主机的风险状态为存在被入侵的风险。For example, if the first network element is pre-configured with at least one abnormal behavior including pods (pods) accessing containers that are not managed by the pod, this is an abnormal behavior. If the first network element determines that the pod has accessed a container that is not managed by the pod according to the second information, the first network element determines that the behavior of the first ME host is abnormal, and then determines that the risk status of the first ME host is present risk of being hacked.

方式二，以第四网元为风险排查主体，第一网元根据第一ME主机的信息，确定第四网元发送的访问请求所请求的第三资源是否满足第一条件，进而确定第一ME主机的风险状态。如果第三资源满足该第一条件，表示该访问请求合法，那么表示发送该访问请求的第四网元不存在风险，或者存在风险的概率小于第三概率，相应的，确定风险状态为第一ME主机不存在被入侵的风险。如果第三资源不满足该第一条件，表示该访问请求不合法，那么表示发送该访问请求的第四网元存在风险，或者存在风险的概率大于或等于第四概率，相应的，确定风险状态为第一ME主机存在被第四网元入侵的风险。Method 2: The fourth network element is used as the subject of risk investigation, and the first network element determines whether the third resource requested by the access request sent by the fourth network element satisfies the first condition based on the information of the first ME host, and then determines whether the first The risk status of the ME host. If the third resource satisfies the first condition, it means that the access request is legal, then it means that the fourth network element sending the access request has no risk, or the probability of risk is less than the third probability, and correspondingly, determine the risk status as the first There is no risk of the ME host being invaded. If the third resource does not meet the first condition, it means that the access request is illegal, then it means that the fourth network element sending the access request has a risk, or the probability of the risk is greater than or equal to the fourth probability, and correspondingly, determine the risk status There is a risk that the first ME host is invaded by the fourth network element.

如果第四网元需要访问第一ME主机的第三资源，第四网元可以向第一网元发送访问请求。该访问请求用于请求访问ME主机的第三资源。需要说明的是，第四网元有可能并不清楚第一ME主机能够提供的资源，或者在第四网元被入侵的情况，因此第四网元虽然是想请求第一ME主机的资源，但第四网元实际所请求的第三资源中的部分或全部有可能是第一ME主机中无法提供的资源，也就是说，第三资源中的部分或全部资源可能并不属于第一资源。当然，第三资源也可能全部属于第一资源。If the fourth network element needs to access the third resource of the first ME host, the fourth network element may send an access request to the first network element. The access request is used to request access to the third resource of the ME host. It should be noted that the fourth network element may not know the resources that the first ME host can provide, or in the case of the fourth network element being invaded, so although the fourth network element wants to request the resources of the first ME host, However, some or all of the third resources actually requested by the fourth network element may be resources that cannot be provided by the first ME host, that is, some or all of the third resources may not belong to the first resource . Of course, all the third resources may also belong to the first resources.

作为一个示例，第一条件包括如下①至③中的一项或多项。As an example, the first condition includes one or more of the following ① to ③.

①第三资源属于第一ME主机中可用的资源。① The third resource belongs to the resources available in the first ME host.

示例性的，第一ME主机的信息包括第一信息，第一信息包括一种或多种类型中的每种类型的资源的使用信息，具体例如，第一信息包括第一资源中的一种或多种类型中每种类型的资源的可用状态信息。那么第一网元根据该第一信息确定第一ME主机中可用的资源。这种情况下，第一网元可根据一种或多种类型中的每种类型的资源的使用信息，确定第一ME主机中可用的资源。进而第一网元可确定第三资源是否属于第一ME主机中可用的资源。Exemplarily, the information of the first ME host includes first information, and the first information includes usage information of each type of resource among one or more types, specifically, for example, the first information includes one of the first resources or available status information for each type of resource of multiple types. Then the first network element determines available resources in the first ME host according to the first information. In this case, the first network element may determine the resources available in the first ME host according to usage information of each type of resource of one or more types. Furthermore, the first network element may determine whether the third resource belongs to the resources available in the first ME host.

②第三资源所包括的资源数量未超出资源数量上限，资源数量上限是根据第一ME主机的信息确定的。② The quantity of resources included in the third resource does not exceed the upper limit of resource quantity, which is determined according to the information of the first ME host.

示例性的，第一ME主机的信息包括第一信息，第一信息包括第一资源的使用进度信息和第一资源的标识。那么第一网元可根据该第一信息，确定第一ME主机中当前未使用的资源的信息，并将该资源数量上限确定为该第一ME主机当前未使用的资源的数量。进而第一网元可判断第三资源是否超出资源数量上限。Exemplarily, the information of the first ME host includes first information, and the first information includes usage progress information of the first resource and an identifier of the first resource. Then the first network element may determine the information of the currently unused resources in the first ME host according to the first information, and determine the upper limit of the number of resources as the number of currently unused resources of the first ME host. Furthermore, the first network element may determine whether the third resource exceeds the upper limit of the resource quantity.

或者，第一ME主机的信息包括第一信息和第二信息，第一信息包括第一资源的数量，第二信息包括一个或多个历史访问请求所请求的第一ME主机的资源的信息。第一网元根据该第一信息和第二信息，例如，第一网元从第一资源中排除历史访问请求已经请求访问过的资源，从而确定第一ME主机当前未使用的资源的信息，并将该资源数量上限确定为该第一ME主机当前未使用的资源的数量。进而第一网元可判断第三资源是否超出资源数量上限。Alternatively, the information of the first ME host includes first information and second information, the first information includes the quantity of the first resource, and the second information includes information about resources of the first ME host requested by one or more historical access requests. According to the first information and the second information, for example, the first network element excludes resources that have been requested to be accessed by historical access requests from the first resources, thereby determining information about resources that are not currently used by the first ME host, And the upper limit of the resource quantity is determined as the quantity of resources not currently used by the first ME host. Furthermore, the first network element may determine whether the third resource exceeds the upper limit of the resource quantity.

或者，第一ME主机的信息包括第一信息，第一信息包括第一资源的数量。第一网元可将该资源数量上限确定为将第一资源的数量。进而第一网元可判断第三资源是否超出资源数量上限。Alternatively, the information of the first ME host includes first information, and the first information includes the quantity of the first resource. The first network element may determine the upper limit of the resource quantity as the quantity of the first resource. Furthermore, the first network element may determine whether the third resource exceeds the upper limit of the resource quantity.

或者，第一ME主机的信息包括第二信息，第二信息包括一个或多个历史访问请求所请求的第一ME主机的资源的信息。第一网元根据该第二信息，确定一个或多个历史访问请求中，请求的资源的数量最多的第一历史访问请求，并将该资源数量上限确定为该第一历史访问请求所请求的资源的数量。进而第一网元可判断第三资源是否超出资源数量上限。Alternatively, the information of the first ME host includes second information, and the second information includes information about resources of the first ME host requested by one or more historical access requests. According to the second information, the first network element determines the first historical access request that requests the largest number of resources among the one or more historical access requests, and determines the upper limit of the number of resources as the resource requested by the first historical access request the number of resources. Furthermore, the first network element may determine whether the third resource exceeds the upper limit of the resource quantity.

需要说明的是，如果第一资源包括多种类型的资源，那么每种类型的资源也可对应存在相应的资源数量上限，每种类型的资源对应的资源数量上限的设置方式可参照前文。It should be noted that if the first resource includes multiple types of resources, each type of resource may also have a corresponding upper limit on the number of resources. For the setting method of the upper limit on the number of resources corresponding to each type of resource, refer to the foregoing.

③第三资源属于第一资源，且属于第一ME主机中重要程度低于预设重要程度的资源。③ The third resource belongs to the first resource, and belongs to resources in the first ME host whose importance is lower than the preset importance.

示例性的，第一ME主机的信息包括第一信息，第一信息包括第一资源的重要程度。第一网元可确定该第三资源是否属于第一ME主机中重要程度低于预设重要程度的资源。预设重要程度可预配置在第一网元中。Exemplarily, the information of the first ME host includes first information, and the first information includes the importance of the first resource. The first network element may determine whether the third resource belongs to resources in the first ME host whose importance is lower than a preset importance. The preset importance can be preconfigured in the first network element.

可选的，第一网元可为不同的访问请求，配置不同的第一条件，下面进行示例介绍。Optionally, the first network element may configure different first conditions for different access requests, and an example is introduced below.

示例一，访问请求为端口开放请求。该端口开放请求用于申请开放第一ME主机的端口。该端口开放请求申请开放的端口即为第三资源。Example 1, the access request is a port opening request. The port opening request is used to apply for opening the port of the first ME host. The port for which the port opening request applies for opening is the third resource.

如果第一条件包括属于第一ME主机中可用的资源，那么第一网元可判断第三资源是否属于第一ME主机中可用的资源，如果第三资源属于第一ME主机中可用的资源，则第一网元确定第三资源满足第一条件，从而确定第一ME主机的风险状态为不存在被入侵的风险。如果第三资源中的部分或全部不属于第一ME主机中可用的资源，则第一网元确定第三资源不满足第一条件，从而确定第一ME主机的风险状态为存在被入侵的风险。If the first condition includes resources available in the first ME host, the first network element may determine whether the third resource belongs to the resources available in the first ME host, and if the third resource belongs to the resources available in the first ME host, Then the first network element determines that the third resource satisfies the first condition, thereby determining that the risk status of the first ME host is no risk of intrusion. If part or all of the third resource does not belong to the resources available in the first ME host, the first network element determines that the third resource does not meet the first condition, thereby determining that the risk status of the first ME host is a risk of being invaded .

或者，如果第一条件包括属于第一ME主机中可用的资源，以及未超出资源数量上限，那么第一网元可判断第三资源是否属于第一ME主机中可用的资源，且判断第三资源是否超出资源数量上限。如果第三资源属于第一ME主机中可用的资源，且第三资源的数量超出资源数量上限，则第一网元确定第三资源满足第一条件，从而确定第一ME主机的风险状态为不存在被入侵的风险。如果第三资源不属于第一ME主机中可用的资源和/或第三资源的数量超出资源数量上限，则第一网元确定第三资源不满足第一条件，从而确定第一ME主机的风险状态为存在被入侵的风险。Alternatively, if the first condition includes resources available in the first ME host and the upper limit of the number of resources is not exceeded, then the first network element may determine whether the third resource belongs to the resources available in the first ME host, and determine whether the third resource Whether the resource limit is exceeded. If the third resource belongs to the resources available in the first ME host, and the quantity of the third resource exceeds the upper limit of the resource quantity, the first network element determines that the third resource satisfies the first condition, thereby determining that the risk status of the first ME host is not There is a risk of being hacked. If the third resource does not belong to the resources available in the first ME host and/or the quantity of the third resource exceeds the resource limit, the first network element determines that the third resource does not meet the first condition, thereby determining the risk of the first ME host The status is at risk of being compromised.

示例二，访问请求为实例化应用请求。该实例化应用请求用于请求第一ME主机中的资源，以部署相应的ME APP。该实例化应用请求所请求的资源即为第三资源。In the second example, the access request is a request for instantiating an application. The instantiated application request is used to request resources in the first ME host to deploy corresponding ME APP. The resource requested by the instantiation application request is the third resource.

如果第一条件包括未超出资源数量上限，那么第一网元可确定第三资源的数量是否超出资源数量上限。如果第三资源包括多种类型的资源，如果第三资源中多种类型的资源均未超出相应类型的资源数量上限，则确定该第三资源满足第一条件，从而确定第一ME主机的风险状态为不存在被入侵的风险。如果第一网元确定第三资源中存在至少一种类型的资源的数量超过该类型的资源数量上限，则确定该第三资源不满足第一条件，从而确定第一ME主机的风险状态为存在被入侵的风险。If the first condition includes that the upper limit of resource quantity is not exceeded, then the first network element may determine whether the quantity of the third resource exceeds the upper limit of resource quantity. If the third resource includes multiple types of resources, if none of the multiple types of resources in the third resource exceeds the upper limit of the number of resources of the corresponding type, it is determined that the third resource satisfies the first condition, thereby determining the risk of the first ME host The status is not at risk of being compromised. If the first network element determines that the quantity of at least one type of resource in the third resource exceeds the upper limit of the resource quantity of this type, then determine that the third resource does not meet the first condition, thereby determining that the risk status of the first ME host is present risk of being hacked.

如果该第一条件包括未超出资源数量上限，以及属于第一ME主机中可用的资源，那么第一网元可确定第三资源的数量是否超出资源数量上限，确定第三资源是否属于第一 ME主机中可用的资源。如果第三资源包括多种类型的资源，如果第三资源中多种类型的资源均未超出相应类型的资源数量上限，且第三资源属于第一ME主机可用的资源，则确定该第三资源满足第一条件，从而确定第一ME主机的风险状态为不存在被入侵的风险。如果第一网元确定第三资源中存在至少一种类型的资源的数量超过该类型的资源数量上限和/或第三资源不属于第一ME主机可用的资源，则确定该第三资源不满足第一条件，从而确定第一ME主机的风险状态为存在被入侵的风险。If the first condition includes not exceeding the upper limit of the number of resources and belonging to the resources available in the first ME host, then the first network element may determine whether the number of the third resource exceeds the upper limit of the number of resources, determine whether the third resource belongs to the first ME The resources available in the host. If the third resource includes multiple types of resources, if the multiple types of resources in the third resource do not exceed the upper limit of the number of resources of the corresponding type, and the third resource belongs to the resources available to the first ME host, then determine the third resource The first condition is met, so it is determined that the risk status of the first ME host is no risk of intrusion. If the first network element determines that the number of at least one type of resource in the third resource exceeds the upper limit of the number of resources of this type and/or the third resource does not belong to the resources available to the first ME host, then it is determined that the third resource does not meet the requirements. The first condition is to determine that the risk status of the first ME host is a risk of being invaded.

示例三，访问请求为资源删除请求。资源删除请求用于请求删除第一ME主机中的资源。该资源删除请求所请求删除的资源即为第三资源。Example 3, the access request is a resource deletion request. The resource deletion request is used to request to delete resources in the first ME host. The resource requested to be deleted by the resource deletion request is the third resource.

如果第一条件包括属于第一ME主机中重要程度低于预设重要程度的资源，那么第一网元确定第三资源是否属于第一ME主机中重要程度低于预设重要程度的资源。如果第三资源属于第一ME主机中重要程度低于预设重要程度的资源，则确定第三资源满足第一条件，从而确定第一ME主机的风险状态为不存在被入侵的风险。如果第三资源属于第一ME主机中重要程度高于预设重要程度的资源，则确定第三资源不满足第一条件，从而确定第一ME主机的风险状态为存在被入侵的风险。If the first condition includes resources belonging to the first ME host whose importance is lower than the preset importance, then the first network element determines whether the third resource belongs to the resources of the first ME host whose importance is lower than the preset importance. If the third resource belongs to a resource whose importance level is lower than a preset importance level in the first ME host, it is determined that the third resource satisfies the first condition, thereby determining that the risk status of the first ME host is no risk of intrusion. If the third resource belongs to a resource whose importance is higher than a preset importance in the first ME host, it is determined that the third resource does not meet the first condition, thereby determining that the risk status of the first ME host is a risk of intrusion.

示例四，访问请求为VM创建请求。该VM创建请求用于请求在第一ME主机中创建VM，该VM请求所请求创建的VM则视为第三资源。如果第一条件包括未超出资源数量上限，那么第三网元确定第三资源是否满足第一条件。确定第三资源是否满足该第一条件的方式可参照前文论述的内容。Example 4, the access request is a VM creation request. The VM creation request is used to request to create a VM in the first ME host, and the VM requested by the VM request is regarded as a third resource. If the first condition includes that the resource quantity upper limit is not exceeded, then the third network element determines whether the third resource satisfies the first condition. For a manner of determining whether the third resource satisfies the first condition, reference may be made to the content discussed above.

需要说明的是，上述是对访问请求进行示例说明，本申请实施例中的访问请求包括但不限于上述列举的几种。It should be noted that the above is an example description of the access request, and the access request in the embodiment of the present application includes but is not limited to the several types listed above.

第三种实现方式，第一ME主机的信息包括第一信息和第二信息，第一网元根据第一信息和第二信息确定第一ME主机的风险状态。In a third implementation manner, the information of the first ME host includes first information and second information, and the first network element determines the risk status of the first ME host according to the first information and the second information.

如果第二资源异常，且确定第二信息对应的行为异常，确定该风险状态为第一ME主机存在被入侵的风险。如果第一网元确定第二资源正常和/或第二信息对应的行为正常，确定该风险状态为第一ME主机不存在被入侵的风险。其中，确定第二资源是否异常的方式可参照前文，以及确定第二信息对应的行为是否异常的方式可参照前文。If the second resource is abnormal, and it is determined that the behavior corresponding to the second information is abnormal, it is determined that the risk status is that the first ME host has a risk of being invaded. If the first network element determines that the second resource is normal and/or the behavior corresponding to the second information is normal, it is determined that the risk status is that the first ME host does not have a risk of being invaded. For the manner of determining whether the second resource is abnormal, refer to the foregoing, and for the manner of determining whether the behavior corresponding to the second information is abnormal, refer to the foregoing.

在第三种实现方式中，第一网元是在确定第二资源异常，且确定第二信息对应的行为异常的情况下，才会确定第一ME主机存在被入侵的风险，这样减少将第一ME主机的风险状态误判为存在安全风险的情况，使得确定出的第一ME主机的风险状态更可靠。In the third implementation manner, the first network element determines that the first ME host has a risk of being invaded only when it is determined that the second resource is abnormal and the behavior corresponding to the second information is abnormal, which reduces the risk of the second The risk status of a ME host is misjudged as a situation where there is a security risk, so that the determined risk status of the first ME host is more reliable.

需要说明的是，上述方式一和方式二均是以第一网元直接确定第一ME主机的风险状态的为例。但实际上第一网元可从其他网元获取该第一ME主机的风险状态。在如下方式三中，以其他网元为第六网元为例进行介绍。其中，第六网元例如为图1A或图1B所示的OSS或MEO。It should be noted that, both of the first method and the second method above take an example in which the first network element directly determines the risk status of the first ME host. But in fact, the first network element can obtain the risk status of the first ME host from other network elements. In the following manner three, an introduction is made by taking the other network element as the sixth network element as an example. Wherein, the sixth network element is, for example, the OSS or MEO shown in FIG. 1A or FIG. 1B .

方式三，第六网元可以第一ME主机为风险排查主体，确定第一ME主机的风险状态。第六网元也可以第一ME主机为风险排查主体，确定第一ME主机的风险状态。Mode 3, the sixth network element may determine the risk status of the first ME host by using the first ME host as a subject of risk investigation. The sixth network element may also use the first ME host as a risk investigation subject to determine the risk status of the first ME host.

示例性的，第一网元在接收第一ME主机的信息之后，可将第一ME主机的信息发送给第六网元。第六网元根据该第一ME主机的信息，确定第一ME主机的风险状态。其中，第六网元确定风险状态的方式可参照前文第一网元确定风险状态的方式，此处不再一一列举。第六网元确定第一ME主机的风险状态之后，可将该风险状态发送给第一网元。相应的，该第一网元从第六网元接收该风险状态。Exemplarily, after receiving the information of the first ME host, the first network element may send the information of the first ME host to the sixth network element. The sixth network element determines the risk status of the first ME host according to the information of the first ME host. Wherein, the method for determining the risk state by the sixth network element may refer to the method for determining the risk state by the first network element above, and will not be listed here. After the sixth network element determines the risk status of the first ME host, it may send the risk status to the first network element. Correspondingly, the first network element receives the risk status from the sixth network element.

作为一个示例，如果第一网元为MEPM，MEPM在接收第一ME主机的信息之后，如果确定根据ME主机的信息无法确定该第一ME主机的风险状态的情况下，将第一ME主机的信息发送给第六网元。由于第六网元可获取更多的ME主机的信息，因此第六网元可结合该第一ME主机所在的ME站点中的除了该第一ME主机之外的其他ME主机的信息，确定该第一ME主机的风险状态。As an example, if the first network element is an MEPM, after the MEPM receives the information of the first ME host, if the MEPM determines that the risk status of the first ME host cannot be determined according to the information of the ME host, the The information is sent to the sixth network element. Since the sixth network element can acquire more information about ME hosts, the sixth network element can determine the Risk status of the first ME host.

S204，第一网元根据风险状态，确定资源策略。该资源策略用于指示访问第一ME主机提供的资源的策略。S204. The first network element determines a resource policy according to the risk state. The resource policy is used to indicate a policy for accessing resources provided by the first ME host.

示例性的，第一网元可预存不同风险状态，以及与每个风险状态对应的资源策略。第一网元确定该第一ME主机的风险状态之后，可确定该第一ME主机的风险状态对应的资源策略。并将该资源策略发送给第五网元，以便于第五网元根据该资源策略，访问第一ME主机中的资源。第五网元例如图1A或图1B中的ME主机、MEPM、VIM或CISM等。Exemplarily, the first network element may prestore different risk states and resource policies corresponding to each risk state. After the first network element determines the risk status of the first ME host, it may determine a resource policy corresponding to the risk status of the first ME host. And send the resource policy to the fifth network element, so that the fifth network element can access the resource in the first ME host according to the resource policy. The fifth network element is, for example, the ME host, MEPM, VIM, or CISM in FIG. 1A or FIG. 1B .

其中，第一ME主机选择的风险排查主体不同，确定风险状态的方式不同，以及确定出的风险状态不同，第一网元确定出的资源策略也有所不同，下面分情况进行介绍。Among them, the risk investigation subject selected by the first ME host is different, the method of determining the risk status is different, and the determined risk status is different, and the resource strategy determined by the first network element is also different. The following will introduce the situation.

情况一。Situation one.

如果第一网元以第一ME主机为风险排查主体，采用上述方式一的第一种实现方式下的子实现方式1，确定第一ME主机的风险状态为第一ME主机存在被入侵的风险，那么第一网元确定资源策略为停用第一ME主机，或者降低第一ME主机的安全等级。如果确定ME主机的风险状态为ME主机不存在被入侵的风险，则第一网元确定资源策略为空。资源策略为空可表示为不改变当前已使用的访问ME主机的资源的策略。If the first network element takes the first ME host as the subject of risk investigation, use the sub-implementation method 1 of the first implementation method of the above method 1 to determine the risk status of the first ME host as the risk of the first ME host being intruded , then the first network element determines that the resource policy is to deactivate the first ME host, or lower the security level of the first ME host. If it is determined that the risk state of the ME host is that there is no risk of the ME host being intruded, the first network element determines that the resource policy is empty. The resource policy being empty may mean that the currently used resource policy for accessing the ME host is not changed.

示例性的，停用第一ME主机包括关闭第一ME主机，或者将该第一ME主机从资源池中删除。资源池包括第五网元管理的多个ME主机。Exemplarily, deactivating the first ME host includes shutting down the first ME host, or deleting the first ME host from the resource pool. The resource pool includes multiple ME hosts managed by the fifth network element.

每个安全等级对应存在其能够支持部署的最高优先级的应用，例如，第一ME主机的安全等级为1，该第一ME主机能够支持部署的应用的最高优先级为3，也就是说，第一ME主机能够支持部署优先级为3以及优先级小于3的应用。或者例如，第一ME主机的安全等级为2，该第一ME主机能够支持部署的应用的最高优先级为4，也就是说，第一ME主机能够部署优先级为4以及优先级小于4的应用。其中，安全等级的数值越大，则表示第一ME主机越安全，应用的优先级的数值越大，则表示应用的优先级越高。如果第一ME主机的安全等级降低为第一安全等级，那么该第一ME主机不支持部署优先级高于第一优先级的应用，该第一优先级是第一ME主机的安全等级为该第一安全等级的情况下可支持部署的应用的最高优先级。可选的，各个应用的优先级可以是预配置在第五网元中的，以及每个安全等级所对应支持部署的应用的最高优先级也可预配置在第五网元中。Each security level corresponds to the application with the highest priority that it can support deployment. For example, the security level of the first ME host is 1, and the highest priority of the application that the first ME host can support deployment is 3, that is, The first ME host can support the deployment of applications with a priority of 3 and a priority lower than 3. Or for example, the security level of the first ME host is 2, and the highest priority of the first ME host that can support the deployment of applications is 4, that is, the first ME host can deploy applications with a priority of 4 or less than 4 application. Wherein, a larger value of the security level indicates that the first ME host is more secure, and a larger value of the application priority indicates a higher priority of the application. If the security level of the first ME host is reduced to the first security level, then the first ME host does not support the deployment of applications with a higher priority than the first priority. The first priority is that the security level of the first ME host is the The highest priority of applications that can be supported for deployment in the case of the first security level. Optionally, the priority of each application may be preconfigured in the fifth network element, and the highest priority of the application supported for deployment corresponding to each security level may also be preconfigured in the fifth network element.

情况二。Case two.

如果第一网元以第一ME主机为风险排查主体，采用上述第一种实现方式下的子实现方式2，或者采用上述第一种实现方式下的子实现方式3，确定ME主机的风险状态为ME主机存在被入侵的风险，第一网元确定该资源策略包括关闭该一个或多个端口和停用ME主机中的至少一项，或者，第一网元确定该资源策略包括关闭该一个或多个端口和降低ME主机的安全等级中的至少一项，或者，第一网元确定该资源策略为停用ME主机和降低ME主机的安全等级中的至少一项。如果确定第一ME主机的风险状态为第一ME主机不存在被入侵的风险，则第一网元确定资源策略为空。资源策略为空的含义可参照前文。其中，停用第一ME主机和降低第一ME主机的安全等级的含义或具体实现方式可参照前文。If the first network element takes the first ME host as the subject of risk investigation, use sub-implementation 2 under the first implementation above, or sub-implementation 3 under the first implementation above, to determine the risk status of the ME host There is a risk of the ME host being invaded, the first network element determines that the resource policy includes at least one of closing the one or more ports and disabling the ME host, or the first network element determines that the resource policy includes closing the one or multiple ports and lowering the security level of the ME host, or the first network element determines that the resource policy is at least one of deactivating the ME host and lowering the security level of the ME host. If it is determined that the risk state of the first ME host is that the first ME host has no risk of being invaded, the first network element determines that the resource policy is empty. The meaning of the resource policy being empty can be referred to above. For the meaning or specific implementation of deactivating the first ME host and lowering the security level of the first ME host, please refer to the above.

情况三。Case three.

如果第一网元以第一ME主机为风险排查主体，采用上述第二种实现方式，确定ME主机的风险状态为第一ME主机存在被入侵的风险，第一网元确定该资源策略包括停用ME主机，或者，降低第一ME主机的安全等级。如果确定第一ME主机的风险状态为第一ME主机不存在被入侵的风险，则确定资源策略为空。资源策略为空的含义可参照前文。其中，停用第一ME主机和降低第一ME主机的安全等级的含义或具体实现方式可参照前文。If the first network element takes the first ME host as the subject of risk investigation, and adopts the second implementation method above to determine that the risk status of the ME host is that the first ME host has a risk of being invaded, the first network element determines that the resource policy includes stopping Use the ME host, or, lower the security level of the first ME host. If it is determined that the risk status of the first ME host is that the first ME host has no risk of being invaded, it is determined that the resource policy is empty. The meaning of the resource policy being empty can be referred to above. For the meaning or specific implementation of deactivating the first ME host and lowering the security level of the first ME host, reference may be made to the foregoing.

情况四。Situation four.

如果第一网元以第四网元为风险排查主体，采用上述方式二，确定第一ME主机的风险状态为第一ME主机存在被第四网元入侵的风险，该第一网元确定该资源策略为拒绝访问第三资源。如果第一网元采用上述方式二，确定第一ME主机的风险状态为第一ME主机不存在被第四网元入侵的风险，该第一网元确定资源策略为允许访问第三资源。第三资源的含义可参照前文。If the first network element takes the fourth network element as the subject of risk investigation, adopt the above method 2 to determine that the risk status of the first ME host is that the first ME host has the risk of being invaded by the fourth network element, and the first network element determines that the The resource policy is to deny access to the third resource. If the first network element adopts the above method 2 and determines that the risk status of the first ME host is that the first ME host does not have the risk of being invaded by the fourth network element, the first network element determines that the resource policy is to allow access to the third resource. For the meaning of the third resource, please refer to the above.

情况五。Situation five.

如果第一网元采用方式三确定第一ME主机的风险状态，可能是以第一ME主机为风险排查主体，可能是以第四网元为风险排查主体，下面分别示例介绍。If the first network element uses method 3 to determine the risk status of the first ME host, the first ME host may be the main body of risk investigation, and the fourth network element may be the main body of risk investigation. Examples are introduced below.

例如，如果第一网元以第一ME主机为风险排查主体，确定第一ME主机存在被入侵的风险，第一网元确定资源策略包括停用ME主机或降低ME主机的安全等级。或者第一网元确定该资源策略还包括关闭一个或多个端口。如果确定第一ME主机不存在被入侵的风险，第一网元确定资源策略为空。For example, if the first network element takes the first ME host as the subject of risk investigation and determines that the first ME host is at risk of being invaded, the first network element determines that the resource policy includes disabling the ME host or lowering the security level of the ME host. Or the first network element determines that the resource policy also includes closing one or more ports. If it is determined that the first ME host does not have the risk of being invaded, the first network element determines that the resource policy is empty.

或者例如，如果第一网元以第四网元为风险排查主体，确定第一ME主机存在被第四网元入侵的风险，第一网元确定资源策略包括拒绝访问第三资源。如果确定第一ME主机不存在被第四网元入侵的风险，第一网元确定该资源策略为允许访问第三资源。Or for example, if the first network element takes the fourth network element as the subject of risk investigation and determines that the first ME host has a risk of being invaded by the fourth network element, the first network element determines that the resource policy includes denying access to the third resource. If it is determined that the first ME host does not have the risk of being invaded by the fourth network element, the first network element determines that the resource policy is to allow access to the third resource.

S205，第一网元将资源策略发送给第五网元。相应的，第五网元从第一网元接收该资源策略。该资源策略用于指示访问第一ME主机提供的资源的策略。S205. The first network element sends the resource policy to the fifth network element. Correspondingly, the fifth network element receives the resource policy from the first network element. The resource policy is used to indicate a policy for accessing resources provided by the first ME host.

如果第五网元为第一ME主机、VIM或CISM，那么第五网元可以根据资源策略，访问ME主机中的资源。If the fifth network element is the first ME host, VIM or CISM, then the fifth network element can access resources in the ME host according to the resource policy.

如果第五网元为MEPM，MEPM可以将该资源策略转发给第一ME主机、VIM或CISM等。If the fifth network element is the MEPM, the MEPM can forward the resource policy to the first ME host, VIM or CISM, and so on.

可选的，如果资源策略的具体内容不同，则第五网元可具体为不同的网元，下面进行示例介绍。Optionally, if the specific content of the resource policy is different, the fifth network element may be specifically a different network element, and an example is introduced below.

如果资源策略为关闭该一个或多个端口，那么第五网元可为第一ME主机。第一网元可将该资源策略发送给第一ME主机。第一ME主机根据该资源策略，关闭该第一或多个端口。If the resource policy is to close the one or more ports, then the fifth network element may be the first ME host. The first network element may send the resource policy to the first ME host. The first ME host closes the first or multiple ports according to the resource policy.

如果资源策略为停用第一ME主机，或者降低第一ME主机的安全等级，第五网元可为VIM或CISM。第一网元可将该资源策略发送给VIM或CISM。VIM或CISM根据该资源策略，停用第一ME主机，或者降低第一ME主机的安全等级。If the resource policy is to deactivate the first ME host, or lower the security level of the first ME host, the fifth network element can be a VIM or a CISM. The first network element may send the resource policy to the VIM or the CISM. According to the resource policy, the VIM or CISM deactivates the first ME host, or lowers the security level of the first ME host.

如果资源策略为拒绝访问第三资源，第五网元为第一ME主机、VIM或CISM。第一网元将资源策略发送给第一ME主机、VIM或CISM。第一ME主机、VIM或CISM拒绝访问第三资源。If the resource policy is to deny access to the third resource, the fifth network element is the first ME host, VIM or CISM. The first network element sends the resource policy to the first ME host, VIM or CISM. The first ME host, VIM or CISM denies access to the third resource.

如果资源策略为允许访问第三资源，第五网元为第一ME主机、VIM或CISM。第一网元将资源策略发送给第一ME主机、VIM或CISM。第一ME主机、VIM或CISM允许访问该第三资源。If the resource policy is to allow access to the third resource, the fifth network element is the first ME host, VIM or CISM. The first network element sends the resource policy to the first ME host, VIM or CISM. The first ME host, VIM or CISM allows access to this third resource.

作为一个示例，图2中的S205为可选的步骤。在图2中以虚线示意该可选的步骤。As an example, S205 in FIG. 2 is an optional step. This optional step is illustrated in dashed lines in FIG. 2 .

在图2所示的实施例中，第一网元可根据第一ME主机的信息，确定第一ME主机的风险状态，以提供了一种确定第一ME主机的风险状态的机制。由于该实施例考虑了第一ME主机的内部可能出现的安全风险，从而可以提高MEC架构的安全性。并且，根据ME主机的风险状态，确定ME主机的资源策略，以及时降低ME主机的安全风险，提升MEC架构的安全性。并且，图2所示的实施例中，提供了多种确定第一ME主机的风险状态的方式，以及提供了多种应对第一ME主机的风险状态的资源策略。In the embodiment shown in FIG. 2 , the first network element can determine the risk status of the first ME host according to the information of the first ME host, so as to provide a mechanism for determining the risk status of the first ME host. Since this embodiment considers possible security risks inside the first ME host, the security of the MEC architecture can be improved. Moreover, according to the risk status of the ME host, the resource policy of the ME host is determined, so as to reduce the security risk of the ME host in time and improve the security of the MEC architecture. Moreover, in the embodiment shown in FIG. 2 , multiple ways of determining the risk status of the first ME host are provided, and multiple resource strategies for dealing with the risk status of the first ME host are provided.

下面以第一网元为MEPM，第二网元为第一ME主机，第三网元为OSS，第五网元为VIM为例，以第一网元根据上述第一种实现方式下的子实现方式1，确定ME主机的风险状态为例，对各个网元之间的交互过程进行介绍。如图3所示，为本申请实施例提供的资源访问方法的一种流程示意图。In the following, the first NE is MEPM, the second NE is the first ME host, the third NE is OSS, and the fifth NE is VIM. Implementation mode 1, taking determining the risk state of the ME host as an example, introduces the interaction process between various network elements. As shown in FIG. 3 , it is a schematic flow chart of the resource access method provided by the embodiment of the present application.

S301，第一ME主机确定第一标识。S301. The first ME host determines a first identifier.

第一标识的含义可参照前文。需要说明的是，在本申请实施例中，是以MEC架构中的一个或多个ME主机中的任意一个ME主机为第一ME主机为例进行介绍。For the meaning of the first identifier, please refer to the above. It should be noted that, in the embodiment of the present application, any one of the one or more ME hosts in the MEC architecture is taken as the first ME host as an example for introduction.

S302，第一ME主机向MEPM发送第一标识。相应的，MEPM从第一ME主机接收该第一标识。S302. The first ME host sends the first identifier to the MEPM. Correspondingly, the MEPM receives the first identifier from the first ME host.

S303，MEPM确定第一标识与预存的第二标识不匹配。S303. The MEPM determines that the first identifier does not match the prestored second identifier.

第二标识的含义、以及MEPM确定第一标识与第二标识不匹配的方式可参照前文。需要说明的是，图3所示的实施例中是以第一标识与第二标识不匹配为例进行介绍，第一标识与第二标识匹配的情况可参照前文论述的内容。For the meaning of the second identifier and the manner in which the MEPM determines that the first identifier does not match the second identifier, reference may be made to the foregoing. It should be noted that, in the embodiment shown in FIG. 3 , the first identification does not match the second identification as an example for introduction, and the situation of the first identification matching the second identification can refer to the content discussed above.

S304，MEPM通过MEO向OSS发送第一请求。相应的，OSS通过MEO从MEPM接收第一请求。该第一请求用于请求获取第二硬件的第二标识。第二硬件和第三标识的含义可参照前文。S304. The MEPM sends a first request to the OSS through the MEO. Correspondingly, the OSS receives the first request from the MEPM through the MEO. The first request is used to request to acquire the second identification of the second hardware. For the meaning of the second hardware and the third identification, please refer to the above.

S304包括S304a，即MEPM向MEO发送第一请求，以及包括S304b，即MEO向OSS发送该第一请求。S304 includes S304a, that is, the MEPM sends the first request to the MEO, and includes S304b, that is, the MEO sends the first request to the OSS.

需要说明的是，本申请实施例中是以MEPM通过MEO向OSS发送第一请求为例进行介绍，但实际上MEPM也可以直接将第一请求发送给OSS。It should be noted that, in the embodiment of the present application, the MEPM sends the first request to the OSS through the MEO as an example for introduction, but in fact, the MEPM may also directly send the first request to the OSS.

S305，OSS通过MEO向MEPM发送第三标识。相应的，MEPM通过MEO从OSS接收该第三标识。S305. The OSS sends the third identifier to the MEPM through the MEO. Correspondingly, the MEPM receives the third identifier from the OSS through the MEO.

需要说明的是，本申请实施例中是以OSS通过MEO向MEPM发送第三标识为例进行介绍，但实际上OSS也可以直接将第三标识发送给MEPM。It should be noted that, in the embodiment of the present application, the OSS sends the third identifier to the MEPM through the MEO as an example for introduction, but in fact, the OSS may also directly send the third identifier to the MEPM.

S305包括S305a，即OSS向MEO发送第三标识，以及包括S305b，即MEO向MEPM发送该第三标识。S305 includes S305a, that is, the OSS sends the third identifier to the MEO, and includes S305b, that is, the MEO sends the third identifier to the MEPM.

S306，MEPM确定第三标识与第一标识不匹配。S306. The MEPM determines that the third identifier does not match the first identifier.

确定第三标识与第一标识不匹配的方式可参照前文。需要说明的是，图3所示的实施例中是以第三标识与第一标识不匹配为例进行介绍，第一标识与第三标识匹配的情况可参照前文论述的内容。For a manner of determining that the third identifier does not match the first identifier, reference may be made to the foregoing. It should be noted that, in the embodiment shown in FIG. 3 , an example in which the third identifier does not match the first identifier is used as an example. For the case where the first identifier matches the third identifier, reference may be made to the content discussed above.

需要说明的是，MEPM可以先执行S303，再执行S306。MEPM也可以同时执行S303和S306。MEPM也可以先执行S306，再执行S303，本申请实施例对此不做具体限定。It should be noted that, the MEPM may execute S303 first, and then execute S306. MEPM can also execute S303 and S306 at the same time. The MEPM may also execute S306 first, and then execute S303, which is not specifically limited in this embodiment of the present application.

S307，MEPM确定第一ME主机的风险状态为第一ME主机存在被入侵的风险。S307. The MEPM determines that the risk status of the first ME host is that the first ME host has a risk of being invaded.

风险状态、第一ME主机存在被入侵的风险的含义可参照前文。For meanings of the risk status and the risk that the first ME host is intruded, reference may be made to the foregoing.

S308，MEPM根据确定出的风险状态，确定资源策略为降低第一ME主机的安全等级。S308. According to the determined risk state, the MEPM determines that the resource policy is to lower the security level of the first ME host.

降低第一ME主机的安全等级的含义可以参照前文。需要说明的是，本申请实施例中是以资源策略为降低第一ME主机的安全等级为例进行说明。The meaning of lowering the security level of the first ME host can be referred to above. It should be noted that, in the embodiment of the present application, the resource policy is to lower the security level of the first ME host as an example for illustration.

S309，MEPM向VIM发送资源策略。相应的，VIM从MEPM接收该资源策略。S309. The MEPM sends the resource policy to the VIM. Correspondingly, the VIM receives the resource policy from the MEPM.

S310，VIM向第一ME主机发送停止指令。相应的，该第一ME主机从VIM接收该停止指令。该停止指令用于指示停止运行在第一ME主机上的优先级高于预设优先级的第一应用。第一ME主机接收该停止指令之后，可停止运行该第一应用。S310, the VIM sends a stop instruction to the first ME host. Correspondingly, the first ME host receives the stop instruction from the VIM. The stop instruction is used to instruct to stop the first application running on the first ME host whose priority is higher than the preset priority. After receiving the stop instruction, the first ME host can stop running the first application.

本申请实施例中是以在第一ME主机上的优先级高于预设优先级的应用为第一应用为例进行说明。In the embodiment of the present application, the application whose priority on the first ME host is higher than the preset priority is taken as the first application as an example for illustration.

S311，VIM确定在第二ME主机上部署第一应用。S311. The VIM determines to deploy the first application on the second ME host.

VIM将第一ME主机上运行的优先级过高的第一应用迁移部署到第二ME主机上，并在第二ME主机上运行该第一应用，以保证第一应用的数据的安全性。The VIM migrates and deploys the first application with too high priority running on the first ME host to the second ME host, and runs the first application on the second ME host, so as to ensure the security of the data of the first application.

需要说明的是，本申请实施例中是以第二ME主机为安全等级高于第一ME主机的ME主机为例进行介绍。It should be noted that, in the embodiment of the present application, the second ME host is used as an example to introduce the ME host whose security level is higher than that of the first ME host.

作为一个示例，S309-S311为可选的步骤，在图3中以虚线示意这些可选的步骤。As an example, S309-S311 are optional steps, and these optional steps are indicated by dotted lines in FIG. 3 .

在图3所示的实施例中，MEPM可以根据第一ME主机的硬件的标识的变化情况，分析第一ME主机中的硬件是否异常，从而确定第一ME主机是否存在被入侵的风险，提供了一种确定第一ME主机的风险状态的机制。并且，如果第一ME主机中的硬件存在异常，由VIM降低第一ME主机的安全等级，以保证优先级较高的应用可始终部署在安全等级较高的ME主机中，保证优先级较高的应用运行的稳定性。In the embodiment shown in FIG. 3, the MEPM can analyze whether the hardware in the first ME host is abnormal according to the change of the hardware identification of the first ME host, thereby determining whether the first ME host has a risk of being invaded, providing A mechanism for determining the risk status of a first ME host is provided. Moreover, if the hardware in the first ME host is abnormal, the VIM will lower the security level of the first ME host to ensure that applications with higher priority can always be deployed on the ME host with higher security level and ensure higher priority The stability of the application operation.

下面以第一网元为MEPM，第三网元为OSS，第二网元和第五网元均为第一ME主机为例，以第一网元根据上述第一种实现方式下的子实现方式2，确定ME主机的风险状态为例，对各个网元之间的交互过程进行介绍。如图4所示，为本申请实施例提供的资源访问方法的一种流程示意图。In the following, the first network element is MEPM, the third network element is OSS, the second network element and the fifth network element are both the first ME host as an example, and the first network element is implemented according to the first implementation mode above Method 2, taking determining the risk status of the ME host as an example, introduces the interaction process between various network elements. As shown in FIG. 4 , it is a schematic flowchart of a resource access method provided in the embodiment of the present application.

S401，OSS获取端口开放请求。S401. The OSS acquires a port opening request.

OSS可以从外部网元接收端口开放请求，相当于获取了端口开放请求。该端口开放请求和外部网元的含义可参照前文。或者，OSS可以根据用户的端口开放操作，生成端口开放请求，相当于获取了端口开放请求。The OSS can receive a port opening request from an external network element, which is equivalent to obtaining the port opening request. The port opening request and the meaning of the external network element can be referred to above. Alternatively, the OSS can generate a port opening request according to the user's port opening operation, which is equivalent to obtaining the port opening request.

S402，OSS记录端口开放请求所请求开放的端口的信息。S402. The OSS records information about the port requested to be opened by the port opening request.

OSS获取端口开放请求，并记录该端口开放请求所申请开放的端口的信息，该端口的信息例如为端口号。以此类推，OSS便可以获得第一ME主机中的第二类端口的信息。第二类端口的含义可参照前文。The OSS obtains the port opening request, and records the information of the port requested to be opened by the port opening request, where the port information is, for example, a port number. By analogy, the OSS can obtain the information of the second type of port in the first ME host. For the meaning of the second type of port, please refer to the previous section.

需要说明的是，S401-S402是对OSS获取第一ME主机中的第二类端口的信息的方式进行示例介绍，实际上OSS获取第二类端口的信息的方式还有多种，本申请实施例对此不做限定。It should be noted that S401-S402 is an example of how the OSS obtains the information of the second type of port in the first ME host. In fact, there are many ways for the OSS to obtain the information of the second type of port. This application implements Examples are not limited to this.

S403，第一ME主机确定在第一ME主机中的第一类端口的信息。S403, the first ME host determines the information of the first type of port in the first ME host.

第一ME主机检测自身当前开放的所有端口，以获得第一类端口的信息。第一类端口的含义可参照前文。The first ME host detects all the ports currently opened by itself, so as to obtain the information of the first type of ports. For the meaning of the first type of port, please refer to the previous section.

S404，第一ME主机将第一类端口的信息发送给MEPM。相应的，MEPM从第一ME主机接收该第一类端口的信息。S404, the first ME host sends the information of the first type of port to the MEPM. Correspondingly, the MEPM receives the information of the first type of port from the first ME host.

S405，MEPM向OSS发送第二请求。相应的，OSS从MEPM接收该第二请求。第二请求用于请求已向第一ME主机申请开放的端口的信息。S405. The MEPM sends a second request to the OSS. Correspondingly, the OSS receives the second request from the MEPM. The second request is used to request information about ports that have been applied to the first ME host for opening.

S406，OSS向MEPM发送第二类端口的信息。相应的，MEPM向OSS发送该第二类端口的信息。S406. The OSS sends the information of the second type of port to the MEPM. Correspondingly, the MEPM sends the information of the second type of port to the OSS.

需要说明的是，本申请实施例中是以OSS向MEPM送第二类端口的信息为例，实际OSS也可以通过MEO向MEPM发送第二类端口的信息。It should be noted that, in the embodiment of the present application, the OSS sends the information of the second-type port to the MEPM as an example, and the actual OSS may also send the information of the second-type port to the MEPM through the MEO.

S407，如果第一类端口中的一个或多个端口不属于第二类端口，MEPM确定第一ME主机的风险状态为第一ME主机存在被入侵的风险。S407. If one or more ports in the first type of ports do not belong to the second type of ports, the MEPM determines that the risk state of the first ME host is that the first ME host has a risk of being invaded.

S408，MEPM根据第一状态，确定资源策略为关闭一个或多个端口。S408. According to the first state, the MEPM determines that the resource policy is to close one or more ports.

S409，MEPM向第一ME主机发送资源策略。相应的，第一ME主机从MEPM接收该资源策略。S409, the MEPM sends the resource policy to the first ME host. Correspondingly, the first ME host receives the resource policy from the MEPM.

S410，第一ME主机关闭该第一个或多个端口。S410, the first ME host closes the first or multiple ports.

S411，第一ME主机向MEPM发送关闭成功响应。相应的，MEPM从该第一ME主机接收该关闭成功响应。该关闭成功响应用于表示第一ME主机已成功关闭该第一个或多个端口。S411. The first ME host sends a shutdown success response to the MEPM. Correspondingly, the MEPM receives the shutdown success response from the first ME host. The closing success response is used to indicate that the first ME host has successfully closed the first or multiple ports.

作为一个示例，S409-S411为可选的步骤。在图4中以虚线示意这些可选的步骤。As an example, S409-S411 are optional steps. These optional steps are illustrated in dashed lines in FIG. 4 .

在图4所示的实施例中，MEPM可判断第一类端口是否均属于第二类端口，以确定第一ME主机中是否存在未授权但已开放的端口，如果存在未授权但已开放的端口，表示第一ME主机异常，因此MEPM确定第一ME主机存在被入侵的风险，提供了一种确定第一ME主机的安全风险的机制。并且，如果第一ME主机存在未授权但已开放的端口，则由第一ME主机关闭这些端口，及时有针对性地降低第一ME主机存在的风险，提高第一ME主机的安全性。In the embodiment shown in Fig. 4, MEPM can judge whether the ports of the first type belong to the ports of the second type to determine whether there are unauthorized but opened ports in the first ME host. The port indicates that the first ME host is abnormal, so the MEPM determines that the first ME host has a risk of being invaded, and provides a mechanism for determining the security risk of the first ME host. Moreover, if there are unauthorized but opened ports on the first ME host, the first ME host closes these ports to reduce the risk of the first ME host in a timely and targeted manner and improve the security of the first ME host.

下面以第一网元为MEPM，第二网元为ME主机，第三网元为OSS，第五网元为VIM为例，以第一网元根据上述第二种实现方式，确定ME主机的风险状态为例，对各个网元之间的交互过程进行介绍。如图5所示，为本申请实施例提供的资源访问方法的一种流程示意图。In the following, the first network element is MEPM, the second network element is ME host, the third network element is OSS, and the fifth network element is VIM. The first network element determines the ME host according to the second implementation method. Taking the risk status as an example, the interaction process between each network element is introduced. As shown in FIG. 5 , it is a schematic flow chart of the resource access method provided by the embodiment of the present application.

S501，第一ME主机向MEPM发送第二信息。相应的，MEPM从第一ME主机接收该第二信息。第二信息的含义可参照前文。S501. The first ME host sends second information to the MEPM. Correspondingly, the MEPM receives the second information from the first ME host. The meaning of the second information can be referred to above.

S502，MEPM确定VIM的第二信息对应的行为异常，确定第一ME主机的风险状态为第一ME主机存在被入侵的风险。S502. The MEPM determines that the behavior corresponding to the second information of the VIM is abnormal, and determines that the risk status of the first ME host is that the first ME host has a risk of being invaded.

需要说明的是，S502是以MEPM确定第一ME主机的风险状态为例。在另一种可能的示例中，MEPM可将第二信息发送给OSS，由OSS确定该第一ME主机的风险状态。MEPM从OSS接收该第一ME主机的风险状态。这时，OSS相当于为第六网元的一种实例，而这种情况下相当于MEPM采用了上述方式三确定了第一ME主机的风险状态。It should be noted that S502 is an example where the MEPM determines the risk status of the first ME host. In another possible example, the MEPM may send the second information to the OSS, and the OSS determines the risk status of the first ME host. The MEPM receives the risk status of the first ME host from the OSS. At this time, the OSS is equivalent to an instance of the sixth network element, and in this case, it is equivalent to the MEPM adopting the third method above to determine the risk status of the first ME host.

在图5中，S502以双箭头线条表示，该双箭头示意了MEPM可以从OSS接收该第一 ME主机的风险状态的情况。In FIG. 5 , S502 is represented by a double arrow line, and the double arrow indicates that the MEPM can receive the risk status of the first ME host from the OSS.

S503，MEPM确定资源策略为停用第一ME主机。S503. The MEPM determines that the resource policy is to disable the first ME host.

S504，MEPM向VIM发送资源策略。相应的，VIM从MEPM接收该资源策略。S504. The MEPM sends the resource policy to the VIM. Correspondingly, the VIM receives the resource policy from the MEPM.

S505，VIM从资源池中剔除第一ME主机，并将部署在第一ME主机上的应用迁移到第二ME主机上。S505. The VIM removes the first ME host from the resource pool, and migrates the application deployed on the first ME host to the second ME host.

作为一个示例，S504-S505为可选的步骤。在图5中以虚线示意这些可选的步骤。As an example, S504-S505 are optional steps. These optional steps are illustrated in dashed lines in FIG. 5 .

在图5所示的实施例中，MEPM根据第二信息，确定访问第一ME主机的行为是否异常，如果访问第一ME主机的行为异常，确定第一ME主机存在被入侵的风险，提供了一种第一ME主机的风险状态的机制。且，如果访问第一ME主机的行为异常，则由VIM停用该第一ME主机，避免因第一ME主机被入侵而导致MEC架构瘫痪的情况，提高了MEC架构的安全性。In the embodiment shown in Figure 5, the MEPM determines whether the behavior of accessing the first ME host is abnormal according to the second information, and if the behavior of accessing the first ME host is abnormal, it determines that the first ME host is at risk of being invaded, providing A mechanism for the risk status of the first ME host. Moreover, if the behavior of accessing the first ME host is abnormal, the VIM will deactivate the first ME host, avoiding the paralysis of the MEC architecture due to the intrusion of the first ME host, and improving the security of the MEC architecture.

下面以第一网元为MEPM，第二网元为ME主机，第四网元为OSS，第五网元为VIM为例，以第一网元根据上述方式二，确定ME主机的风险状态为例，以访问请求为端口开放请求为例，对各个网元之间的交互过程进行介绍。如图6所示，为本申请实施例提供的资源访问方法的一种流程示意图。In the following, the first NE is MEPM, the second NE is the ME host, the fourth NE is OSS, and the fifth NE is VIM. The first NE determines the risk status of the ME host according to the above method 2. For example, taking the access request as a port opening request as an example, the interaction process between various network elements is introduced. As shown in FIG. 6 , it is a schematic flow chart of the resource access method provided by the embodiment of the present application.

S601，OSS获取端口开放请求。S601. The OSS acquires a port opening request.

OSS获取端口开放请求的方式可参照前文。For how OSS obtains the port opening request, refer to the previous section.

S602，OSS向MEPM发送端口开放请求。相应的，MEPM从OSS接收该端口开放请求。S602. The OSS sends a port opening request to the MEPM. Correspondingly, the MEPM receives the port opening request from the OSS.

S603，第一ME主机向MEPM发送第一信息。相应的，MEPM从第一ME主机接收该第一信息。该第一信息包括第一ME主机中可用的资源的信息，具体包括第一ME主机可用的端口的信息。S603. The first ME host sends first information to the MEPM. Correspondingly, the MEPM receives the first information from the first ME host. The first information includes information about resources available in the first ME host, and specifically includes information about ports available to the first ME host.

S604，MEPM如果确定端口开放请求所请求开放的端口属于第一ME主机中可用的资源，确定第一ME主机的风险状态为第一ME主机不存在被OSS入侵的风险。S604. If the MEPM determines that the port requested to be opened by the port opening request belongs to available resources in the first ME host, determine that the risk status of the first ME host is that the first ME host does not have a risk of being invaded by the OSS.

需要说明的是，本申请实施例中是以第一条件包括第一资源属于第一ME主机中可用的资源为例进行介绍。It should be noted that, in this embodiment of the present application, the introduction is made by taking the first condition including that the first resource belongs to available resources in the first ME host as an example.

在一种可能的实施例中，MEPM还可以验证该端口开放请求所请求的端口是否属于第一类端口，第一类端口的含义可参照前文。如果该端口开放请求所请求的端口属于第一类型端口，则无需执行S605-S607的步骤。如果该端口开放请求所请求的端口不属于第一类型端口，则继续执行后续步骤。In a possible embodiment, the MEPM may also verify whether the port requested by the port opening request belongs to the first type of port, and the meaning of the first type of port can be referred to above. If the port requested by the port opening request belongs to the first type of port, steps S605-S607 do not need to be performed. If the port requested by the port opening request does not belong to the first type of port, continue to perform subsequent steps.

S605，MEPM确定资源策略为允许开放该端口开放请求所请求开放的端口。S605. The MEPM determines that the resource policy is to allow opening of the port requested by the port opening request.

S606，MEPM将资源策略发送给第一ME主机。相应的，第一ME主机从MEPM接收该资源策略。S606. The MEPM sends the resource policy to the first ME host. Correspondingly, the first ME host receives the resource policy from the MEPM.

S607，第一ME主机开放该开放端口请求所请求开放的端口。S607, the first ME host opens the port requested by the open port request.

作为一个示例，S606-S607为可选的步骤。在图6中以虚线示意这些可选的步骤。As an example, S606-S607 are optional steps. These optional steps are illustrated in dashed lines in FIG. 6 .

在图6所示的实施例中，MEPM接收端口开放请求后，确定该端口开放请求所请求的端口是否属于第一ME主机可用的端口的信息，如果属于，确定第一ME主机不存在被第四网元入侵的风险，提供了一种确定ME主机可能的安全风险的机制。且，本申请实施例对端口开放请求进行验证，从而避免非法开启不可用的端口，提高了第一ME主机的安全性，从而提高了MEC架构的安全性。In the embodiment shown in Figure 6, after the MEPM receives the port opening request, it determines whether the port requested by the port opening request belongs to the information of the port available to the first ME host, and if it does, determines that the first ME host does not exist and is used by the second ME host. The risk of four network element intrusions provides a mechanism to determine the possible security risks of ME hosts. Moreover, the embodiment of the present application verifies the port opening request, thereby avoiding illegal opening of unusable ports, improving the security of the first ME host, thereby improving the security of the MEC architecture.

下面以第一网元为MEPM，第二网元为ME主机，第四网元为OSS，第五网元为VIM为例，以第一网元根据上述方式二，确定ME主机的风险状态为例，以访问请求为实例化应用请求为例，对各个网元之间的交互过程进行介绍。如图7所示，为本申请实施例提供的资源访问方法的一种流程示意图。In the following, the first NE is MEPM, the second NE is the ME host, the fourth NE is OSS, and the fifth NE is VIM. The first NE determines the risk status of the ME host according to the above method 2. As an example, taking an access request as an instantiated application request as an example, the interaction process between various network elements is introduced. As shown in FIG. 7 , it is a schematic flow chart of the resource access method provided by the embodiment of the present application.

下面结合图7所示的资源访问方法的流程图，对本申请实施例中的资源访问方法进行介绍。The following describes the resource access method in the embodiment of the present application with reference to the flow chart of the resource access method shown in FIG. 7 .

S701，OSS通过MEO向MEPM发送实例化应用请求。相应的，该MEPM通过MEO从OSS接收该实例化应用请求。该实例化应用的含义可参照前文。S701. The OSS sends an application instantiation request to the MEPM through the MEO. Correspondingly, the MEPM receives the application instantiation request from the OSS through the MEO. The meaning of the instantiated application can be referred to above.

S701包括S701a，即OSS向MEO发送实例化应用请求，以及S701b，即MEO向MEPM发送该实例化应用请求。S701 includes S701a, that is, the OSS sends an application instantiation request to the MEO, and S701b, that is, the MEO sends the application instantiation request to the MEPM.

S702，第一ME主机向MEPM发送第一主机的信息。相应的，MEPM从第一ME主机接收该第一主机的信息。S702. The first ME host sends the information of the first host to the MEPM. Correspondingly, the MEPM receives the information of the first host from the first ME host.

S703，MEPM如果确定实例化应用请求所请求的第一资源超过资源数量上限，确定第一ME主机的风险状态为第一ME主机存在被OSS入侵的风险。S703. If the MEPM determines that the first resource requested by the instantiated application exceeds the resource limit, determine that the risk state of the first ME host is that the first ME host has a risk of being invaded by the OSS.

S704，MEPM确定资源策略为拒绝访问第一资源。S704. The MEPM determines that the resource policy is denying access to the first resource.

S705，MEPM通过MEO向OSS发送第一拒绝响应。相应的，OSS通过MEO从MEPM接收该第一拒绝响应。该第一拒绝响应用于表示拒绝该OSS发起的实例化应用请求。S705. The MEPM sends a first rejection response to the OSS through the MEO. Correspondingly, the OSS receives the first rejection response from the MEPM through the MEO. The first rejection response is used to indicate rejection of the application instantiation request initiated by the OSS.

S705包括S705a，即MEPM向MEO发送第一拒绝响应，以及S705b，即MEO向OSS发送该第一拒绝响应。S705 includes S705a, that is, the MEPM sends the first rejection response to the MEO, and S705b, that is, the MEO sends the first rejection response to the OSS.

作为一个示例，S705为可选的步骤。在图7中以虚线示意该可选的步骤。As an example, S705 is an optional step. This optional step is illustrated in dashed lines in FIG. 7 .

在图7所示的实施例中，MEPM接收实例化应用请求后，确定该实例化应用请求所请求的资源是否超过资源数量上限，如果该实例化应用请求所请求的资源超过资源数量上限，确定第一ME主机存在被第四网元入侵的风险，提供了一种确定第一ME主机可能的安全风险的机制。且，该实施例中能够对实例化应用请求进行验证，从而避免非法的实例化应用请求耗尽第一ME主机的资源等情况，提高了第一ME主机的安全性，从而提高了MEC架构的安全性。In the embodiment shown in FIG. 7, after receiving the instantiation application request, the MEPM determines whether the resource requested by the instantiation application request exceeds the upper limit of the resource quantity, and if the resource requested by the instantiation application request exceeds the upper limit of the resource quantity, determine The first ME host has a risk of being invaded by the fourth network element, and a mechanism for determining the possible security risk of the first ME host is provided. Moreover, in this embodiment, the instantiation application request can be verified, thereby avoiding situations such as illegal instantiation application requests exhausting the resources of the first ME host, improving the security of the first ME host, thereby improving the reliability of the MEC architecture. safety.

下面以第一网元为MEPM，第二网元为ME主机，第四网元为CISM，第五网元为VIM为例，以第一网元根据上述方式二，确定ME主机的风险状态为例，以访问请求为资源删除请求为例，对各个网元之间的交互过程进行介绍。如图8所示，为本申请实施例提供的资源访问方法的一种流程示意图。In the following, the first network element is MEPM, the second network element is ME host, the fourth network element is CISM, and the fifth network element is VIM. The first network element determines the risk status of ME host according to the above method 2. For example, taking an access request as a resource deletion request as an example, the interaction process between various network elements is introduced. As shown in FIG. 8 , it is a schematic flowchart of a resource access method provided in the embodiment of the present application.

S801，CISM向MEPM发送资源删除请求。相应的，MEPM从CISM接收该资源删除请求。S801. The CISM sends a resource deletion request to the MEPM. Correspondingly, the MEPM receives the resource deletion request from the CISM.

S802，第一ME主机向MEPM发送第一ME主机的信息。S802. The first ME host sends information about the first ME host to the MEPM.

S803，MEPM如果确定资源删除请求所请求删除的第一资源的重要程度高于预设重要程度，确定第一ME主机的风险状态为第一ME主机存在被CISM入侵的风险。S803. If the MEPM determines that the importance of the first resource requested to be deleted by the resource deletion request is higher than the preset importance, determine that the risk status of the first ME host is that the first ME host has a risk of being invaded by the CISM.

S804，MEPM确定资源策略为拒绝删除第一资源。S804. The MEPM determines that the resource policy is to refuse to delete the first resource.

S805，MEPM向CISM发送第二拒绝响应。相应的，CISM从MEPM接收该第二拒绝响应。该第二拒绝响应用于拒绝该资源删除请求。S805. The MEPM sends a second rejection response to the CISM. Correspondingly, the CISM receives the second rejection response from the MEPM. The second rejection response is used to reject the resource deletion request.

作为一个示例，S805为可选的步骤。在图8中以虚线示意这些可选的步骤。As an example, S805 is an optional step. These optional steps are illustrated in dashed lines in FIG. 8 .

在图8所示的实施例中，MEPM接收资源删除请求后，确定该资源删除请求所请求的删除的资源的重要程度是否低于预设重要程度，如果该资源删除请求所请求的删除的资源的重要程度高于预设重要程度，确定第一ME主机存在被第四网元入侵的风险，提供了一种确定第一ME主机是否存在安全风险的机制。且，该实施例中能够对资源删除请求进行验证，从而避免非法的资源删除请求删除第一ME主机的重要资源，提高了第一ME主机的安全性，从而提高了MEC架构的安全性。In the embodiment shown in FIG. 8 , after receiving the resource deletion request, the MEPM determines whether the importance of the resource deleted requested by the resource deletion request is lower than the preset importance level, if the resource deleted requested by the resource deletion request The importance degree is higher than the preset importance degree, and it is determined that the first ME host has a risk of being invaded by the fourth network element, and a mechanism for determining whether the first ME host has a security risk is provided. Moreover, in this embodiment, the resource deletion request can be verified, thereby avoiding illegal resource deletion requests from deleting important resources of the first ME host, improving the security of the first ME host, thereby improving the security of the MEC architecture.

下面以第一网元为MEPM，第二网元为ME主机，第四网元为CISM，第五网元为VIM为例，以第一网元根据上述方式二，确定ME主机的风险状态为例，以访问请求为VM创建请求为例，对各个网元之间的交互过程进行介绍。如图9所示，为本申请实施例提供的资源访问方法的一种流程示意图。In the following, the first network element is MEPM, the second network element is ME host, the fourth network element is CISM, and the fifth network element is VIM. The first network element determines the risk status of ME host according to the above method 2. For example, taking the access request as a VM creation request as an example, the interaction process between various network elements is introduced. As shown in FIG. 9 , it is a schematic flow chart of the resource access method provided by the embodiment of the present application.

S901，CISM向MEPM发送VM创建请求。相应的，MEPM从CISM接收该VM创建请求。该VM创建请求的含义可参照前文。S901. The CISM sends a VM creation request to the MEPM. Correspondingly, the MEPM receives the VM creation request from the CISM. The meaning of the VM creation request can be referred to above.

S902，第一ME主机向MEPM发送第一ME主机的信息。相应的，MEPM从第一ME主机接收该第一ME主机的信息。S902. The first ME host sends information about the first ME host to the MEPM. Correspondingly, the MEPM receives the information of the first ME host from the first ME host.

S903，如果VM创建请求所请求的第一资源超过资源数量上限，确定第一ME主机的风险状态为第一ME主机的风险状态为第一ME主机存在被CISM入侵的风险。S903. If the first resource requested by the VM creation request exceeds the upper limit of resource quantity, determine that the risk status of the first ME host is that the risk status of the first ME host is that the first ME host has a risk of being invaded by the CISM.

可选的，该资源数量上限为历史访问请求所请求的资源的最大数量。这种情况下，本申请实施例相当于根据历史访问请求所请求的资源的数量，以发现本次VM创建请求所请求的第一资源是否异常。Optionally, the upper limit of the number of resources is the maximum number of resources requested by historical access requests. In this case, the embodiment of the present application is equivalent to finding out whether the first resource requested by this VM creation request is abnormal according to the number of resources requested by historical access requests.

S904，MEPM确定资源策略为拒绝访问第一资源。S904. The MEPM determines that the resource policy is denying access to the first resource.

S905，MEPM向CISM发送第三拒绝响应。相应的，CISM从MEPM接收该第三拒绝响应。该第三拒绝响应用于拒绝该VM创建请求。S905. The MEPM sends a third rejection response to the CISM. Correspondingly, the CISM receives the third rejection response from the MEPM. The third rejection response is used to reject the VM creation request.

作为一个示例，S905为可选的步骤。在图9中以虚线示意S905为可选的步骤。As an example, S905 is an optional step. In FIG. 9 , S905 is indicated by a dotted line as an optional step.

在图9所示的实施例中，MEPM接收VM创建请求后，确定该VM创建请求所请求的创建资源是否超过资源数量上限，如果该VM创建请求所请求的创建资源超过资源数量上限，确定第一ME主机存在被第四网元入侵的风险，提供了一种确定ME主机的风险状态的机制。且，该实施例中能够对VM创建请求进行验证，从而避免非法的VM创建请求耗尽第一ME主机的资源，或者占用第一ME主机中的大量资源的情况，提高了第一ME主机的安全性，从而提高了MEC架构的安全性。In the embodiment shown in FIG. 9 , after the MEPM receives the VM creation request, it determines whether the creation resource requested by the VM creation request exceeds the upper limit of the number of resources, and if the creation resource requested by the VM creation request exceeds the upper limit of the number of resources, determine the first An ME host has a risk of being invaded by the fourth network element, and a mechanism for determining the risk status of the ME host is provided. Moreover, in this embodiment, the VM creation request can be verified, thereby avoiding that the illegal VM creation request exhausts the resources of the first ME host, or occupies a large amount of resources in the first ME host, and improves the security of the first ME host. Security, thereby improving the security of the MEC architecture.

图10示出了一种通信装置的结构示意图。其中，该通信装置可以实现前文第一网元的功能。该通信装置可以是硬件结构、软件模块、或硬件结构加软件模块。该通信装置可以由芯片系统实现。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。该通信装置可以包括收发模块1001和处理模块1002。Fig. 10 shows a schematic structural diagram of a communication device. Wherein, the communication device can realize the function of the first network element mentioned above. The communication device may be a hardware structure, a software module, or a hardware structure plus a software module. The communication device can be implemented by a chip system. In the embodiment of the present application, the system-on-a-chip may be composed of chips, or may include chips and other discrete devices. The communication device may include a transceiver module 1001 and a processing module 1002 .

例如，该收发模块1001可以用于执行从第二网元接收第一ME主机的信息的步骤，还可以执行向第五网元发送资源策略的步骤，还可以用于支持本文所描述的技术的其它过程。收发模块1001用于通信装置和其它模块进行通信，其可以是电路、器件、接口、总线、软件模块、收发器或者其它任意可以实现通信的装置。示例性的，该收发模块1001可以用于执行图2所示的实施例中的S202，即从第二网元接收第一ME主机的信息。还可以执行图2中的S205，即向第五网元发送资源策略。例如，该处理模块1002可以用于执行图2中S203和S204。For example, the transceiver module 1001 can be used to perform the step of receiving the information of the first ME host from the second network element, and can also perform the step of sending the resource policy to the fifth network element, and can also be used to support the technology described herein other processes. The transceiver module 1001 is used for the communication device to communicate with other modules, and it may be a circuit, device, interface, bus, software module, transceiver or any other device capable of realizing communication. Exemplarily, the transceiving module 1001 may be configured to execute S202 in the embodiment shown in FIG. 2 , that is, receive the information of the first ME host from the second network element. S205 in FIG. 2 may also be executed, that is, sending the resource policy to the fifth network element. For example, the processing module 1002 may be used to execute S203 and S204 in FIG. 2 .

可选的，该处理模块1002包括边缘风险引擎模块和边缘资源策略管理模块(在图10 中未示意)，例如，该边缘风险引擎模块用于执行S203；该边缘资源策略管理模块用于执行S204。Optionally, the processing module 1002 includes an edge risk engine module and an edge resource policy management module (not shown in FIG. 10 ), for example, the edge risk engine module is used to execute S203; the edge resource policy management module is used to execute S204 .

可选的，该处理模块1002包括中心风险引擎模块和中心资源策略管理模块(在图10中未示意)，例如，该中心风险引擎模块用于执行S203；该中心资源策略管理模块用于执行S204。Optionally, the processing module 1002 includes a central risk engine module and a central resource policy management module (not shown in FIG. 10 ), for example, the central risk engine module is used to perform S203; the central resource policy management module is used to perform S204 .

其中，上述方法实施例涉及的各步骤的所有相关内容均可以援引到对应功能模块的功能描述，在此不再赘述。Wherein, all relevant content of each step involved in the above-mentioned method embodiment can be referred to the function description of the corresponding function module, and will not be repeated here.

图11示出了一种通信装置的结构示意图。其中，该通信装置可以实现前文第二网元的功能。该通信装置可以是硬件结构、软件模块、或硬件结构加软件模块。该通信装置可以由芯片系统实现。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。该通信装置可以包括收发模块1101和处理模块1102。Fig. 11 shows a schematic structural diagram of a communication device. Wherein, the communication device can realize the function of the aforementioned second network element. The communication device may be a hardware structure, a software module, or a hardware structure plus a software module. The communication device can be implemented by a chip system. In the embodiment of the present application, the system-on-a-chip may be composed of chips, or may include chips and other discrete devices. The communication device may include a transceiver module 1101 and a processing module 1102 .

例如，该处理模块1102可以用于执行图2中S201，还可以用于支持本文所描述的技术的其它过程。例如，该收发模块1101用于通信装置和其它模块进行通信，其可以是电路、器件、接口、总线、软件模块、收发器或者其它任意可以实现通信的装置。示例性的，该收发模块1101可以用于执行图2所示的实施例中的将第一ME主机的信息发送给第一网元的步骤。For example, the processing module 1102 may be used to execute S201 in FIG. 2 , and may also be used to support other processes of the technology described herein. For example, the transceiver module 1101 is used by the communication device to communicate with other modules, which may be a circuit, device, interface, bus, software module, transceiver or any other device capable of realizing communication. Exemplarily, the transceiver module 1101 may be configured to execute the step of sending the information of the first ME host to the first network element in the embodiment shown in FIG. 2 .

可选的，该处理模块1102包括风险感知代理模块(在图11中未示意)，例如，该风险感知代理模块用于执行S201。Optionally, the processing module 1102 includes a risk awareness agent module (not shown in FIG. 11 ), for example, the risk awareness agent module is used to execute S201.

可选的，如果第二网元与第五网元为同一个网元，该处理模块1102还包括主机策略执行模块(在图11中未示意)，该主机策略执行模块可用于执行S205。Optionally, if the second network element and the fifth network element are the same network element, the processing module 1102 further includes a host policy enforcement module (not shown in FIG. 11 ), and the host policy enforcement module may be used to execute S205.

图12示出了一种通信装置的结构示意图。其中，该通信装置可以实现前文第五网元的功能。该通信装置可以是硬件结构、软件模块、或硬件结构加软件模块。该通信装置可以由芯片系统实现。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。该通信装置可以包括收发模块1201和处理模块1202。Fig. 12 shows a schematic structural diagram of a communication device. Wherein, the communication device can realize the function of the fifth network element mentioned above. The communication device may be a hardware structure, a software module, or a hardware structure plus a software module. The communication device can be implemented by a chip system. In the embodiment of the present application, the system-on-a-chip may be composed of chips, or may include chips and other discrete devices. The communication device may include a transceiver module 1201 and a processing module 1202 .

例如，该收发模块1201可以用于执行图2中的从第一网元接收资源策略的步骤，还可以用于支持本文所描述的技术的其它过程。例如，该处理模块1202用于通信装置和其它模块进行通信，其可以是电路、器件、接口、总线、软件模块、收发器或者其它任意可以实现通信的装置。示例性的，该处理模块1202可以用于根据资源策略访问ME主机中的资源，例如执行如图3所示的S310和S311。For example, the transceiver module 1201 can be used to execute the step of receiving the resource policy from the first network element in FIG. 2 , and can also be used to support other processes of the technology described herein. For example, the processing module 1202 is used by a communication device to communicate with other modules, which may be a circuit, device, interface, bus, software module, transceiver or any other device capable of realizing communication. Exemplarily, the processing module 1202 may be configured to access resources in the ME host according to a resource policy, for example, execute S310 and S311 as shown in FIG. 3 .

可选的，该处理模块1202包括资源策略执行模块(在图12中未示意)，该资源策略执行模块用于根据该资源策略ME主机中的资源。Optionally, the processing module 1202 includes a resource policy execution module (not shown in FIG. 12 ), the resource policy execution module is used for resources in the ME host according to the resource policy.

本申请实施例还提供一种通信系统，该通信系统可包括如图10和图11所示的装置。可选的，该通信系统还包括如图12所示的装置。An embodiment of the present application also provides a communication system, and the communication system may include devices as shown in FIG. 10 and FIG. 11 . Optionally, the communication system further includes an apparatus as shown in FIG. 12 .

图13A示出了一种通信装置的结构示意图。其中，该通信装置可以实现前文第一网元的功能。该通信装置可以是硬件结构、软件模块、或硬件结构加软件模块。该通信装置可以由芯片系统实现。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。该通信装置可以包括边缘风险引擎模块1301和边缘资源策略管理模块1302，例如，该边缘风险引擎模块1301用于从第二网元接收第一ME主机的信息的步骤、以及S203；该边缘资源策略管理模块1302用于执行S204。FIG. 13A shows a schematic structural diagram of a communication device. Wherein, the communication device can realize the function of the first network element mentioned above. The communication device may be a hardware structure, a software module, or a hardware structure plus a software module. The communication device can be realized by a chip system. In the embodiment of the present application, the system-on-a-chip may consist of chips, or may include chips and other discrete devices. The communication device may include an edge risk engine module 1301 and an edge resource policy management module 1302. For example, the edge risk engine module 1301 is used to receive the information of the first ME host from the second network element, and S203; the edge resource policy The management module 1302 is configured to execute S204.

图13B示出了一种通信装置的结构示意图。其中，该通信装置可以实现前文第一网元的功能。该通信装置可以是硬件结构、软件模块、或硬件结构加软件模块。该通信装置可以由芯片系统实现。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。Fig. 13B shows a schematic structural diagram of a communication device. Wherein, the communication device can realize the function of the first network element mentioned above. The communication device may be a hardware structure, a software module, or a hardware structure plus a software module. The communication device can be implemented by a chip system. In the embodiment of the present application, the system-on-a-chip may be composed of chips, or may include chips and other discrete devices.

该通信装置可以包括中心风险引擎模块1303和中心资源策略管理模块1304，例如，该中心风险引擎模块1303用于从第二网元接收第一ME主机的信息的步骤、以及S203；该中心资源策略管理模块1304用于执行S204。The communication device may include a central risk engine module 1303 and a central resource policy management module 1304. For example, the central risk engine module 1303 is used to receive the first ME host information from the second network element, and S203; the central resource policy The management module 1304 is configured to execute S204.

图14示出了一种通信装置的结构示意图。其中，该通信装置可以实现前文第五网元的功能。该通信装置可以是硬件结构、软件模块、或硬件结构加软件模块。该通信装置可以由芯片系统实现。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。该通信装置可以包括风险感知代理模块1401，例如，该风险感知代理模块1401用于执行S201。Fig. 14 shows a schematic structural diagram of a communication device. Wherein, the communication device can realize the function of the fifth network element mentioned above. The communication device may be a hardware structure, a software module, or a hardware structure plus a software module. The communication device can be implemented by a chip system. In the embodiment of the present application, the system-on-a-chip may be composed of chips, or may include chips and other discrete devices. The communication device may include a risk awareness agent module 1401, for example, the risk awareness agent module 1401 is configured to perform S201.

可选的，该通信装置可以还包括主机策略执行模块1402，该主机策略执行模块1402可用于根据资源策略，访问ME主机中的资源。在图14中以虚线框示意该主机策略执行模块1402为可选的。Optionally, the communication device may further include a host policy execution module 1402, which is configured to access resources in the ME host according to resource policies. In FIG. 14 , the host policy enforcement module 1402 is indicated by a dotted line box, which is optional.

图15示出了一种通信装置的结构示意图。其中，该通信装置可以实现前文第五网元的功能。该通信装置可以是硬件结构、软件模块、或硬件结构加软件模块。该通信装置可以由芯片系统实现。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。该通信装置可以包括资源策略执行模块1501，该资源策略执行模块1501可用于根据该资源策略，访问ME主机中的资源。Fig. 15 shows a schematic structural diagram of a communication device. Wherein, the communication device can realize the function of the fifth network element mentioned above. The communication device may be a hardware structure, a software module, or a hardware structure plus a software module. The communication device can be implemented by a chip system. In the embodiment of the present application, the system-on-a-chip may be composed of chips, or may include chips and other discrete devices. The communication device may include a resource policy execution module 1501, and the resource policy execution module 1501 may be used to access resources in the ME host according to the resource policy.

图10、图11、图12、图13A、图13B、图14和图15对模块的划分是示意性的，仅仅为一种逻辑功能划分，实际实现时可以有另外的划分方式，另外，在本申请各个实施例中的各功能模块可以集成在一个处理器中，也可以是单独物理存在，也可以两个或两个以上模块集成在一个模块中。上述集成的模块既可以采用硬件的形式实现，也可以采用软件功能模块的形式实现。Fig. 10, Fig. 11, Fig. 12, Fig. 13A, Fig. 13B, Fig. 14 and Fig. 15 are schematic for the division of modules, which are only a logical function division, and there may be other division methods in actual implementation. In addition, in Each functional module in each embodiment of the present application may be integrated into one processor, or physically exist separately, or two or more modules may be integrated into one module. The above-mentioned integrated modules can be implemented in the form of hardware or in the form of software function modules.

本申请实施例提供一种通信系统，该通信系统可包括如图13A和图14所示的装置。可选的，该通信系统还包括如图15所示的装置。An embodiment of the present application provides a communication system, and the communication system may include devices as shown in FIG. 13A and FIG. 14 . Optionally, the communication system further includes an apparatus as shown in FIG. 15 .

本申请实施例提供一种通信系统，该通信系统可包括如图13B和图14所示的装置。可选的，该通信系统还包括如图15所示的装置。An embodiment of the present application provides a communication system, and the communication system may include devices as shown in FIG. 13B and FIG. 14 . Optionally, the communication system further includes an apparatus as shown in FIG. 15 .

请参照图16，为本申请实施例提供的一种在图1A所示的MEC架构中部署图13A、图13B、图14和图15所示的通信装置的一种示意图，或者可理解为本申请实施例提供的通信系统的一种结构示意图。Please refer to Figure 16, which is a schematic diagram of deploying the communication devices shown in Figure 13A, Figure 13B, Figure 14 and Figure 15 in the MEC architecture shown in Figure 1A provided by the embodiment of this application, or it can be understood as this A schematic structural diagram of a communication system provided in an embodiment of the application.

如图16所示，OSS包括中心风险引擎模块和中心策略管理模块；MEPM包括边缘风险引擎模块和边缘资源策略管理；ME主机(第二网元的一种示例)包括风险感知代理模块和主机策略执行模块；VIM(作为第五网元的一种示例)包括策略执行模块。As shown in Figure 16, OSS includes a central risk engine module and a central policy management module; MEPM includes an edge risk engine module and edge resource policy management; ME host (an example of a second network element) includes a risk-aware agent module and a host policy Execution module; the VIM (as an example of the fifth network element) includes a policy enforcement module.

可选的，第四网元可为图16中OSS和/或VIM。其中，图16中的各个模块的功能可参照前文。Optionally, the fourth network element may be the OSS and/or VIM in FIG. 16 . Wherein, the function of each module in Fig. 16 can refer to the above.

可选的，ME主机中的MEP中部署有业务策略执行模块，该业务策略执行模块用于接收MEPM发送的业务策略，执行相应的业务。Optionally, a service policy execution module is deployed in the MEP in the ME host, and the service policy execution module is used to receive the service policy sent by the MEPM and execute corresponding services.

可选的，风险感知代理模块可通过接口Mm12与MEPM通信，例如，风险感知代理模块通过Mm12向MEPM发送ME主机的信息。ME主机的信息可参照前文。Optionally, the risk awareness agent module may communicate with the MEPM through the interface Mm12, for example, the risk awareness agent module sends information about the ME host to the MEPM through Mm12. For information about the ME host, please refer to the preceding text.

可选的，VIM中的主机策略执行模块可通过接口Mm13与MEPM通信，例如，MEPM可通过Mm12向VIM中的主机策略执行模块发送资源策略。其中，资源策略的含义可参照前文。Optionally, the host policy enforcement module in the VIM can communicate with the MEPM through the interface Mm13, for example, the MEPM can send resource policies to the host policy enforcement module in the VIM through Mm12. Among them, the meaning of the resource policy can refer to the above.

在一种可能的实施方式中，MEPM中的边缘风险引擎模块根据ME主机的信息无法确定该ME主机的风险状态时，可以将ME主机的信息发送给OSS，由中心风险引擎模块根据ME主机的信息，确定ME主机的风险状态，并且由中心策略管理模块确定该ME主机的资源策略。In a possible implementation, when the edge risk engine module in MEPM cannot determine the risk status of the ME host according to the information of the ME host, it can send the information of the ME host to OSS, and the central risk engine module can information, determine the risk status of the ME host, and determine the resource policy of the ME host by the central policy management module.

需要说明的是，在图16中以虚线框示意在图1A新增的模块，图16中各个网元或接口的功能可参照图1A论述的内容。It should be noted that, in FIG. 16 , the newly added modules in FIG. 1A are shown in dotted boxes, and the functions of each network element or interface in FIG. 16 can refer to the content discussed in FIG. 1A .

请参照图17，为本申请实施例提供的一种在图1B所示的MEC架构中部署图13A、图13B、图14和图15所示的通信装置的另一种示意图，或者可理解为本申请实施例提供的通信系统的一种结构示意图。Please refer to FIG. 17, which is another schematic diagram of deploying the communication devices shown in FIG. 13A, FIG. 13B, FIG. 14 and FIG. 15 in the MEC architecture shown in FIG. 1B provided by the embodiment of this application, or it can be understood as A schematic structural diagram of a communication system provided in an embodiment of the present application.

如图17所示，OSS(作为第三网元的一种示例)包括中心风险引擎模块和中心策略管理模块；MEPM(作为第一网元的一种示例)包括边缘风险引擎模块和边缘资源策略管理；ME主机(第二网元的一种示例)包括风险感知代理模块和主机策略执行模块；VIM(作为第五网元的一种示例)包括策略执行模块；CISM(作为第五网元的一种示例)包括策略执行模块。As shown in Figure 17, OSS (as an example of the third network element) includes a central risk engine module and a central policy management module; MEPM (as an example of the first network element) includes an edge risk engine module and an edge resource policy Management; ME host (an example of the second network element) includes a risk awareness agent module and a host policy execution module; VIM (as an example of the fifth network element) includes a policy execution module; CISM (as the fifth network element One example) includes a policy enforcement module.

可选的，第四网元可为图17中的OSS、CISM或VIM中的一个或多个。Optionally, the fourth network element may be one or more of the OSS, CISM, or VIM in FIG. 17 .

可选的，ME主机中的MEP中还可部署有业务策略执行模块，业务策略执行模块的功能可参照前文。Optionally, a service policy execution module may also be deployed in the MEP in the ME host, and the function of the service policy execution module may refer to the foregoing.

可选的，CISM中的资源策略执行模块可通过Mm14与ME主机中的容器引擎通信，以管理容器的运行情况。另外，CISM中的资源策略执行模块可通过Mm15与MEPM通信，例如，MEPM可通过Mm15向CISM发送资源策略。Optionally, the resource policy execution module in the CISM can communicate with the container engine in the ME host through Mm14 to manage the running status of the container. In addition, the resource policy execution module in the CISM can communicate with the MEPM through Mm15, for example, the MEPM can send the resource policy to the CISM through Mm15.

需要说明的是，在图17中以虚线框示意在图1B新增的模块，图17中各个网元或接口的功能可参照图1B论述的内容。It should be noted that in Figure 17, the modules newly added in Figure 1B are shown in dotted boxes, and the functions of each network element or interface in Figure 17 can refer to the content discussed in Figure 1B.

如图18所示为本申请实施例提供的通信装置的结构示意图，其中，通信装置可以是第一网元，或者是能够实现第一网元的功能。其中，通信装置可以为芯片系统。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。FIG. 18 is a schematic structural diagram of a communication device provided by an embodiment of the present application, where the communication device may be a first network element, or be capable of implementing functions of the first network element. Wherein, the communication device may be a system on a chip. In the embodiment of the present application, the system-on-a-chip may be composed of chips, or may include chips and other discrete devices.

通信装置包括至少一个处理器1801，用于实现或用于支持通信装置实现图2至图9中第一网元的功能。示例性地，处理器1801可以根据ME主机的信息，确定ME主机的风险状态，以及根据ME主机的风险状态，确定资源策略，具体参见方法示例中的详细描述，此处不做赘述。The communication device includes at least one processor 1801, configured to implement or support the communication device to implement the functions of the first network element in FIG. 2 to FIG. 9 . Exemplarily, the processor 1801 can determine the risk status of the ME host according to the information of the ME host, and determine the resource policy according to the risk status of the ME host. For details, refer to the detailed description in the method example, and details are not repeated here.

通信装置还可以包括接口1802，用于通过传输介质和其它设备进行通信，从而用于通信装置和其它设备进行通信。示例性地，该其它设备可以是服务器。处理器1801可以利用接口1802收发数据。The communication device may also include an interface 1802 for communicating with other devices through a transmission medium, so that the communication device communicates with other devices. Exemplarily, the other device may be a server. The processor 1801 can use the interface 1802 to send and receive data.

通信装置还可以包括至少一个存储器1803，用于存储程序指令和/或数据。存储器1803和处理器1801耦合。本申请实施例中的耦合是装置、单元或模块之间的间接耦合或通信连接，可以是电性，机械或其它的形式，用于装置、单元或模块之间的信息交互。处理器1801可能和存储器1803协同操作。处理器1801可能执行存储器1803中存储的程序指令。所述至少一个存储器1803中的至少一个可以包括于处理器1801中。当处理器1801执行存储器1803中的程序指令时，可以实现图2至图9中所示的实施例中任一的资源访问方法。The communication device may also include at least one memory 1803 for storing program instructions and/or data. The memory 1803 is coupled to the processor 1801. The coupling in the embodiments of the present application is an indirect coupling or a communication connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules. The processor 1801 may cooperate with the memory 1803 . Processor 1801 may execute program instructions stored in memory 1803 . At least one of the at least one memory 1803 may be included in the processor 1801 . When the processor 1801 executes the program instructions in the memory 1803, any resource access method in the embodiments shown in FIG. 2 to FIG. 9 may be implemented.

作为一个示例，图18中的存储器1803为可选的部分，在图18中以虚线框示意。例如，存储器1803与处理器1801耦合设置。As an example, the memory 1803 in FIG. 18 is an optional part, which is indicated by a dashed box in FIG. 18 . For example, the memory 1803 is coupled with the processor 1801.

本申请实施例中不限定上述接口1802、处理器1801以及存储器1803之间的具体连接介质。本申请实施例在图18中以接口1802、处理器1801以及存储器1803之间通过总线连接，总线在图18中以粗线表示，其它部件之间的连接方式，仅是进行示意性说明，并不引以为限。所述总线可以分为地址总线、数据总线、控制总线等。为便于表示，图18中仅用一条粗线表示，但并不表示仅有一根总线或一种类型的总线。The embodiment of the present application does not limit the specific connection medium among the interface 1802, the processor 1801, and the memory 1803. In the embodiment of the present application, in FIG. 18, the interface 1802, the processor 1801, and the memory 1803 are connected through a bus. The bus is represented by a thick line in FIG. Do not limit yourself. The bus can be divided into address bus, data bus, control bus and so on. For ease of representation, only one thick line is used in FIG. 18 , but it does not mean that there is only one bus or one type of bus.

在本申请实施例中，处理器1801可以是通用处理器、数字信号处理器、专用集成电路、现场可编程门阵列或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件，可以实现或者执行本申请实施例中的公开的各方法、步骤及逻辑框图。通用处理器可以是微处理器或者任何常规的处理器等。结合本申请实施例所公开的方法的步骤可以体现为硬件处理器执行完成，或者用处理器中的硬件及软件模块组合执行完成。In this embodiment of the application, the processor 1801 may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement Or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the methods disclosed in connection with the embodiments of the present application may be implemented by a hardware processor, or by a combination of hardware and software modules in the processor.

在本申请实施例中，存储器1803可以是非易失性存储器，比如硬盘(hard disk drive，HDD)或固态硬盘(solid-state drive，SSD)等，还可以是易失性存储器(volatile memory)，例如随机存取存储器(random-access memory，RAM)。存储器是能够用于携带或存储具有指令或数据结构形式的期望的程序代码并能够由计算机存取的任何其他介质，但不限于此。本申请实施例中的存储器还可以是电路或者其它任意能够实现存储功能的装置，用于存储程序指令和/或数据。In the embodiment of the present application, the memory 1803 may be a non-volatile memory, such as a hard disk (hard disk drive, HDD) or a solid-state drive (solid-state drive, SSD), etc., and may also be a volatile memory (volatile memory), For example random-access memory (random-access memory, RAM). A memory is, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory in the embodiment of the present application may also be a circuit or any other device capable of implementing a storage function, and is used for storing program instructions and/or data.

如图19所示为本申请实施例提供的通信装置的结构示意图，其中，通信装置可以是第二网元，或者是能够实现第二网元的功能。其中，通信装置可以为芯片系统。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。FIG. 19 is a schematic structural diagram of a communication device provided by an embodiment of the present application, where the communication device may be a second network element, or be capable of implementing a function of the second network element. Wherein, the communication device may be a system on a chip. In the embodiment of the present application, the system-on-a-chip may be composed of chips, or may include chips and other discrete devices.

通信装置包括至少一个处理器1901，用于实现或用于支持通信装置实现本申请图2中第二网元的功能，或者实现图2至图9中的第二网元的功能。示例性地，处理器1901可以获得ME主机的信息，具体参见方法示例中的详细描述，此处不做赘述。The communication device includes at least one processor 1901, configured to implement or support the communication device to implement the functions of the second network element in FIG. 2 of this application, or implement the functions of the second network element in FIGS. 2 to 9 . Exemplarily, the processor 1901 may obtain the information of the ME host, for details, refer to the detailed description in the method example, and details are not repeated here.

另外，该通信装置还可包括接口1902。可选的，该通信装置还包括存储器1903，在图19中以虚线框示意该存储器1903为可选的部分。处理器1901、接口1902和存储器1903的具体实现方式可参照前文。In addition, the communications device may further include an interface 1902 . Optionally, the communication device further includes a memory 1903, which is indicated by a dashed box in FIG. 19 as an optional part. For specific implementation manners of the processor 1901, the interface 1902, and the memory 1903, reference may be made to the foregoing.

如图20所示为本申请实施例提供的通信装置的结构示意图，其中，通信装置可以是第二网元，或者是能够实现第二网元的功能。其中，通信装置可以为芯片系统。本申请实施例中，芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。FIG. 20 is a schematic structural diagram of a communication device provided by an embodiment of the present application, where the communication device may be a second network element, or be capable of implementing a function of the second network element. Wherein, the communication device may be a system on a chip. In the embodiment of the present application, the system-on-a-chip may be composed of chips, or may include chips and other discrete devices.

通信装置包括至少一个处理器2001，用于实现或用于支持通信装置实现本申请图2中第二网元的功能，或者实现图2至图9中的第二网元的功能。示例性地，处理器2001可以获得ME主机的信息，具体参见方法示例中的详细描述，此处不做赘述。The communication device includes at least one processor 2001, configured to implement or support the communication device to implement the functions of the second network element in FIG. 2 of the present application, or implement the functions of the second network element in FIGS. 2 to 9 . Exemplarily, the processor 2001 may obtain the information of the ME host, for details, refer to the detailed description in the method example, and details are not repeated here.

另外，该通信装置还可包括接口2002。可选的，该通信装置还包括存储器2003，在图20中以虚线框示意该存储器2003为可选的部分。处理器2001、接口2002和存储器2003的具体实现方式可参照前文。In addition, the communication device may further include an interface 2002 . Optionally, the communication device further includes a memory 2003, which is indicated by a dashed box in FIG. 20 as an optional part. For specific implementation manners of the processor 2001, the interface 2002, and the memory 2003, reference may be made to the foregoing.

本申请实施例提供了一种芯片系统，该芯片系统包括处理器，还可以包括接口，用于实现前述方法中第一网元、第二网元、第三网元、第四网元或第五网元的功能。该芯片系统可以由芯片构成，也可以包含芯片和其他分立器件。An embodiment of the present application provides a chip system. The chip system includes a processor and may also include an interface for implementing the first network element, the second network element, the third network element, the fourth network element, or the first network element in the foregoing method. The functions of the five network elements. The system-on-a-chip may consist of chips, or may include chips and other discrete devices.

本申请实施例中还提供一种计算机可读存储介质，该计算机可读存储介质用于存储计算机程序，当该计算机程序在计算机上运行时，使得该计算机执行图2至图9中所示的实施例中任一的资源访问方法。An embodiment of the present application also provides a computer-readable storage medium, which is used to store a computer program, and when the computer program is run on a computer, the computer executes the computer program shown in FIGS. 2 to 9. The resource access method in any one of the embodiments.

本申请实施例中还提供一种计算机程序产品，该计算机程序产品存储有计算机程序，该计算机程序包括程序指令，该程序指令当被计算机执行时，使得计算机执行图2至图9中所示的实施例中任一的资源访问方法。An embodiment of the present application also provides a computer program product, the computer program product stores a computer program, the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the steps shown in Fig. 2 to Fig. 9 . The resource access method in any one of the embodiments.

本申请实施例提供的方法中，可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时，可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时，全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、网络设备、用户设备或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中，或者从一个计算机可读存储介质向另一个计算机可读存储介质传输，例如，所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(digital subscriber line，简称DSL)或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机可以存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质(例如，软盘、硬盘、磁带)、光介质(例如，数字视频光盘(digital video disc，简称DVD))、或者半导体介质(例如，SSD)等。The methods provided in the embodiments of the present application may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented using software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on the computer, the processes or functions according to the embodiments of the present application will be generated in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, network equipment, user equipment or other programmable devices. The computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from a website, computer, server or data center Transmission to another website site, computer, server, or data center by wired (such as coaxial cable, optical fiber, digital subscriber line (DSL) or wireless (such as infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. integrated with one or more available media. The available medium can be a magnetic medium (for example, a floppy disk, a hard disk, a magnetic tape), optical media (for example, digital video disc (digital video disc, DVD for short)), or semiconductor media (for example, SSD).

显然，本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样，倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内，则本申请也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the application without departing from the spirit and scope of the application. In this way, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include these modifications and variations.

Claims

A resource access method, characterized by comprising:

The first network element receives the information of the mobile edge host from the second network element, the information of the mobile edge host includes first information of the first resource and/or second information indicating a behavior of accessing the mobile edge host, the said The first resource is a resource provided by the mobile edge host;

The first network element determines a risk status according to the information of the mobile edge host, and the risk status is used to indicate whether the mobile edge host has a security risk;

The first network element determines a resource policy according to the risk status, where the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.

The method according to claim 1, wherein the first network element determines the risk status according to the information of the mobile edge host, comprising:

The first network element determines whether the second resource corresponding to the first information is abnormal, wherein, if the resource corresponding to the first information is abnormal, determining that the risk status is that the mobile edge host has a risk of being invaded, said second resource belongs to said first resource; and/or,

The first network element determines whether the behavior corresponding to the second information is abnormal, wherein, if the behavior corresponding to the second information is abnormal, it is determined that the risk status is that the mobile edge host has a risk of being invaded.

The method according to claim 2, wherein the second resource includes first hardware, the first information includes a first identifier, and the first identifier is an identifier of the first hardware;

The first network element determining whether the second resource corresponding to the first information is abnormal includes:

If the first identifier does not match the prestored second identifier, and/or the first identifier does not match the third identifier, the first network element determines that the first hardware is abnormal, and the third identifier is The identifier received from the third network element is the identifier of the second hardware, and the second hardware is the modified hardware of the first hardware.

The method according to claim 2 or 3, wherein the second resource includes a first type port of the mobile edge host, and the first type port belongs to an opened port in the mobile edge host;

The first network element receives information of a second type of port from a third network element, and the second type of port is a port that the third network element has applied for opening from the mobile edge host;

If one or more ports in the first type of ports do not belong to the second type of ports, the first network element determines that the one or more ports are abnormal.

The method according to claim 4, wherein the first network element determines a resource policy according to the risk status, comprising:

If the risk state is that the mobile edge host has a risk of being invaded, the first network element determines that the resource policy is to close the one or more ports.

The method according to any one of claims 2-5, wherein the first network element determines a resource policy according to the risk status, comprising:

If the risk status is that the mobile edge host has a risk of being intruded, the first network element determines that the resource policy is to disable the mobile edge host or reduce the security level of the mobile edge host, wherein, if The security level of the mobile edge host is reduced to a first security level, and the mobile edge host does not support applications with a deployment priority higher than the first priority, and the first priority is that the security level of the mobile edge host is The case of the first security level may support the highest priority of deployed applications.

The first network element receives an access request from a fourth network element, where the access request is used to request access to a third resource of the mobile edge host;

The first network element determines whether the third resource satisfies the first condition according to the information of the mobile edge host;

If the third resource does not meet the first condition, determine that the risk status is that the mobile edge host has a risk of being intruded, or, if the third resource meets the first condition, determine the risk The status is that the mobile edge host does not have the risk of being intruded.

The method according to claim 7, wherein the first condition includes one or more of the following:

The number of resources included in the third resource does not exceed the upper limit of the number of resources, and the upper limit of the number of resources is determined according to the information of the mobile edge host;

The third resource belongs to available resources among the first resources, the first information includes available status information of the first resource, and the available status information is used to indicate available resources among the first resources; or,

The third resource belongs to resources whose importance is lower than a preset importance among the first resources, and the first information includes the importance of the first resource.

The method according to claim 7 or 8, wherein the first network element determines a resource policy according to the risk status, comprising:

If the risk state is that the mobile edge host has a risk of being invaded, the first network element determines that the resource policy is to deny access to the third resource; or,

If the risk status of the mobile edge host does not have a risk of intrusion, the first network element determines that the resource policy is to allow access to the third resource.

The method according to any one of claims 1-9, wherein the method further comprises:

The first network element sends the resource policy to a fifth network element.

The first network element sends the information of the mobile edge host to a sixth network element;

The first network element receives the risk status information from the sixth network element.

A resource access method, characterized by comprising:

The second network element obtains the information of the mobile edge host, where the information of the mobile edge host includes first information of a first resource and/or second information indicating a behavior of accessing the mobile edge host, where the first resource is the resources provided by the mobile edge host;

The second network element sends the information of the mobile edge host to the first network element;

The second network element receives a resource policy from the first network element, where the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.

The method according to claim 12, wherein before the second network element sends the information of the mobile edge host to the first network element, the method further comprises:

The second network element determines that it cannot be determined whether the mobile edge host is at risk according to the information of the mobile edge host.

A resource access method, characterized by comprising:

The first network element determines a resource policy according to the risk state, and the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host;

The first network element sends the resource policy to the second network element.

The method according to claim 14, wherein the first network element determines the risk status according to the information of the mobile edge host, comprising:

The method according to claim 15, wherein the second resource includes first hardware, the first information includes a first identifier, and the first identifier is an identifier of the first hardware;

The method according to claim 15 or 16, wherein the second resource includes a first type port of the mobile edge host, and the first type port belongs to an opened port in the mobile edge host;

The method according to claim 14, characterized in that the method further comprises:

If the first network element determines that the third resource does not meet the first condition, determine that the risk status is that the mobile edge host has a risk of being intruded, or if it determines that the third resource meets the The first condition is to determine that the risk status is that the mobile edge host does not have a risk of being invaded.

The method according to claim 18, wherein the first condition includes one or more of the following:

A communication device, characterized by comprising:

A transceiver module, configured to receive information about a mobile edge host from a second network element, where the information about the mobile edge host includes first information about a first resource and/or second information indicating a behavior of accessing the mobile edge host, so The first resource is a resource provided by the mobile edge host;

A processing module, configured to determine a risk status according to the information of the mobile edge host, where the risk status is used to indicate whether the mobile edge host has a security risk, and to determine a resource policy according to the risk status, the resource policy A policy used to indicate access to resources provided by the mobile edge host.

The device according to claim 20, wherein the processing module is specifically used for:

Determine whether the second resource corresponding to the first information is abnormal, wherein, if the resource corresponding to the first information is abnormal, determine that the risk status is that the mobile edge host has a risk of being invaded, and the second resource belongs to The first resource; and/or, determining whether the behavior corresponding to the second information is abnormal, wherein, if the behavior corresponding to the second information is abnormal, it is determined that the risk status is that the mobile edge host has an intruded risk.

The device according to claim 21, wherein the second resource includes first hardware, the first information includes a first identifier, and the first identifier is an identifier of the first hardware; the processing Modules are used specifically for:

If the first identifier does not match the prestored second identifier, and/or the first identifier does not match the third identifier, it is determined that the first hardware is abnormal, and the third identifier is received from a third network element is the identifier of the second hardware, and the second hardware is the modified hardware of the first hardware.

The device according to claim 21 or 22, wherein the second resource includes a first type port of the mobile edge host, and the first type port belongs to an opened port in the mobile edge host;

The transceiver module is further configured to receive information of a second type of port from a third network element, and the second type of port is a port that the third network element has applied to the mobile edge host for opening;

The processing module is specifically configured to, if one or more ports in the first type of ports do not belong to the second type of ports, determine that the one or more ports are abnormal.

The device according to claim 23, wherein the processing module is specifically used for:

If the risk status is that the mobile edge host has a risk of being invaded, it is determined that the resource policy is to close the one or more ports.

The device according to any one of claims 21-24, wherein the processing module is specifically used for:

If the risk state is that the mobile edge host has a risk of being intruded, determine that the resource policy is to disable the mobile edge host or reduce the security level of the mobile edge host, wherein, if the mobile edge host's The security level is reduced to the first security level, the mobile edge host does not support the deployment of applications with a higher priority than the first priority, and the first priority is that the security level of the mobile edge host is the first security level The highest priority of the application that can support deployment under the circumstances.

The device according to claim 20, characterized in that,

The transceiver module is further configured to receive an access request from a fourth network element, where the access request is used to request access to a third resource of the mobile edge host;

The processing module is specifically configured to determine whether the third resource meets the first condition according to the information of the mobile edge host, and if the third resource does not meet the first condition, determine that the risk status is The mobile edge host has a risk of intrusion, or, if the third resource satisfies the first condition, determine that the risk status is that the mobile edge host has no risk of intrusion.

The device according to claim 26, wherein the first condition includes one or more of the following:

The device according to claim 26 or 27, wherein the processing module is specifically used for:

If the risk status is that the mobile edge host has a risk of being invaded, determine that the resource policy is to deny access to the third resource; or,

If there is no risk of the mobile edge host being intruded in the risk state, determine that the resource policy is to allow access to the third resource.

The device according to any one of claims 20-28, wherein the transceiver module is also used for:

Send the resource policy to the fifth network element.

The device according to claim 20, wherein the transceiver module is further configured to send information about the mobile edge host to a sixth network element, and receive information about the risk status from the sixth network element ;

The processing module is specifically configured to acquire the risk status information from the transceiver module.

A communication device, characterized by comprising:

A processing module, configured to obtain the information of the mobile edge host, and obtain the information of the mobile edge host, where the information of the mobile edge host includes first information of the first resource and/or second information indicating the behavior of accessing the mobile edge host , the first resource is a resource provided by the mobile edge host;

A transceiver module, configured to send information about the mobile edge host to a first network element, and receive a resource policy from the first network element, where the resource policy is used to indicate a policy for accessing resources provided by the mobile edge host.

The device according to claim 31, wherein the processing module is also used for:

It is determined that whether the mobile edge host is at risk cannot be determined according to the information of the mobile edge host.

A communication system, characterized by comprising: the device according to any one of claims 20-30 and the device according to any one of claims 31-32.

A communication device, characterized in that it includes: a processor and a memory; the memory is used to store one or more computer programs, the one or more computer programs include computer-executable instructions, and when the resource access device is running , the processor executes the one or more computer programs stored in the memory, so that the communication device executes the method according to any one of claims 1-13.

A chip system, characterized in that the chip system includes:

A processor and an interface, the processor is used to call and execute instructions from the interface, and when the processor executes the instructions, the method according to any one of claims 1-19 is implemented.

A computer-readable storage medium, characterized in that, the computer-readable storage medium is used to store a computer program, and when the computer program is run on a computer, the computer executes any one of claims 1-19 the method described.