CN118449747B - Method, apparatus, electronic device, storage medium and computer program for application migration - Google Patents

Method, apparatus, electronic device, storage medium and computer program for application migration

Info

Publication number
CN118449747B
CN118449747B CN202410557526.3A CN202410557526A CN118449747B CN 118449747 B CN118449747 B CN 118449747B CN 202410557526 A CN202410557526 A CN 202410557526A CN 118449747 B CN118449747 B CN 118449747B
Authority
CN
China
Prior art keywords
target
node
migration
execution environment
trusted execution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410557526.3A
Other languages
Chinese (zh)
Other versions
CN118449747A (en
Inventor
孙善宝
韩涛
孙宗臣
罗清彩
李远飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Inspur Science Research Institute Co Ltd
Original Assignee
Shandong Inspur Science Research Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Inspur Science Research Institute Co Ltd filed Critical Shandong Inspur Science Research Institute Co Ltd
Priority to CN202410557526.3A priority Critical patent/CN118449747B/en
Publication of CN118449747A publication Critical patent/CN118449747A/en
Application granted granted Critical
Publication of CN118449747B publication Critical patent/CN118449747B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/107License processing; Key processing
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/108Transfer of content, software, digital rights or licenses
    • G06F21/1085Content sharing, e.g. peer-to-peer [P2P]
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0827Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving distinctive intermediate devices or communication paths
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/50Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Storage Device Security (AREA)

Abstract

本公开公开了应用迁移的方法、装置、电子设备、存储介质和计算机程序,涉及数据处理技术领域,通过引入随机共生可信执行环境机制,实现了可信执行环境的双重隔离,从而保护了应用程序实例的安全性,增加了外部攻击的难度。同时,引入了P2P共识网络作为管理节点的一部分,用于管理和维护整个系统的状态和一致性。通过采用随机选择和冗余机制选择多个备选迁移节点,并基于注意力机制的神经网络生成最佳迁移方案,可以有效提升迁移效率和安全性,同时混淆攻击者的攻击目标,增加了系统的整体安全性。最后,通过将整个迁移过程上链,确保数据处理过程中的数据不能被持久化存储,保证了数据的安全性、隐私性以及迁移过程的可追溯性。

This disclosure presents a method, apparatus, electronic device, storage medium, and computer program for application migration, relating to the field of data processing technology. By introducing a random coexistence trusted execution environment mechanism, it achieves dual isolation of the trusted execution environment, thereby protecting the security of application instances and increasing the difficulty of external attacks. Simultaneously, a P2P consensus network is introduced as part of the management nodes to manage and maintain the state and consistency of the entire system. By employing random selection and redundancy mechanisms to select multiple candidate migration nodes and generating the optimal migration scheme based on an attention-based neural network, migration efficiency and security can be effectively improved, while also obfuscating attackers' targets and increasing the overall security of the system. Finally, by putting the entire migration process on the blockchain, it is ensured that data during data processing cannot be persistently stored, guaranteeing data security, privacy, and the traceability of the migration process.

Description

Method, apparatus, electronic device, storage medium and computer program for application migration
Technical Field
The present disclosure relates to the field of data processing technologies, and in particular, to a method, an apparatus, an electronic device, a storage medium, and a computer program for application migration.
Background
In the field of computing today, particularly in the context of cloud computing and big data applications, data isolation and security have become critical considerations. In key business scenarios such as financial services, biological information processing, and intellectual property intensive, extremely high requirements are placed on security and privacy protection of data processing. These business scenarios typically involve the processing of sensitive data, such as personal identification information, medical records, financial transaction data, and the like. To ensure the security and compliance of these data, processing in a trusted execution environment (Trusted Execution Environment, TEE) is required to ensure that the data is not compromised or tampered with during processing and transmission.
The TEE trusted execution environment provides a safe area isolated from the outside, so that the computation and processing of sensitive data are isolated from the untrusted environment, and the risks of data leakage and security threat are reduced. TEE technology has unique advantages in protecting data security and privacy and is therefore widely used in various computing environments.
However, as business requirements and computing environments continue to change, in some business processes it may be desirable to dynamically migrate an application to another host during execution, such as for load balancing or system maintenance, etc. In addition, under some special business requirements, applications need to migrate to another node in an intermediate state of execution in order to utilize the resources of a particular host for computation. In this process, it must be ensured that the computation is only performed in a controlled TEE environment, while preventing potential security threats such as man-in-the-middle attacks and side channel attacks during migration. Under such a situation, how to design an effective dynamic trusted application migration method, and realize the trusted efficient migration of the application program while guaranteeing data isolation becomes a problem to be solved.
Disclosure of Invention
The disclosure provides an application migration method, an application migration device, electronic equipment, a storage medium and a computer program, and the main purpose is to realize trusted and efficient migration of an application program.
According to a first aspect of the present disclosure, there is provided a method of application migration, including:
Determining a target symbiotic trusted execution environment node where a target application program to be migrated is located, wherein the target symbiotic trusted execution environment node comprises a target management node and a target execution node, the target execution node is used for executing the target application program, and the target management node is used for managing migration of the target application program;
Determining a target migration node based on the target management node, wherein the target migration node is connected with the target symbiotic trusted execution environment node based on a consensus network, the consensus network is a network constructed based on a blockchain, the target migration node is a symbiotic trusted execution environment node, and the target management node is used for receiving the target application program;
performing key negotiation on the target migration node and the target symbiotic trusted execution environment node, and creating a secure channel between the target migration node and the target symbiotic trusted execution environment node;
loading an encrypted ciphertext corresponding to the target application program to the target migration node based on the secure channel;
decrypting the encrypted ciphertext based on the management node in the target migration node to obtain a decryption result, and performing integrity check on the decryption result;
Under the condition that the decryption result is complete and correct, creating an execution node which is the same as the target execution node in the target migration node according to the trusted execution environment information included in the decryption result, wherein the trusted execution environment information is the environment information of the target program running in the target execution node;
And running the target application program at the execution node according to the execution state information of the target application program at the target execution node, which is included in the decryption result.
Optionally, the determining the target symbiotic trusted execution environment node where the target application program to be migrated is located includes:
Determining resources and configuration information of a trusted execution environment required for running an application, wherein the resources and configuration information comprise a platform, hardware and dependent items, and the application and data running in the trusted execution environment;
Creating a symbiotic trusted execution environment node according to the resources and the configuration information, wherein the symbiotic trusted execution environment node runs the application program;
and under the condition that the application program is determined to be migrated, determining the application program as the target application program and determining the symbiotic trusted execution environment node as the target symbiotic trusted execution environment node.
Optionally, the determining, based on the target management node, the target migration node includes:
Collecting state information of all migration nodes on the consensus network based on the target management node, wherein the state information comprises states and resource conditions, and all the migration nodes are symbiotic trusted execution environment nodes;
The neural network model based on the attention mechanism determines the target migration node according to the state information, wherein the target migration node is a first preset number of symbiotic trusted execution environment nodes, the first preset number of symbiotic trusted execution environment nodes are used for receiving the target application program, and in addition, a second preset number of symbiotic trusted execution environment nodes connected with the consensus network are used for camouflage receiving the target application program.
Optionally, before the neural network model based on the attention mechanism determines the target migration node according to the state information, the method includes:
creating a migration task according to the state information and the migration requirement based on the target management node;
the information of the migration task is uplink and broadcast to all the migration nodes on the consensus network, so that each migration node executes corresponding operation according to the information of the migration task;
collecting the execution state information and the trusted execution environment information of the target application program at the target execution node based on the target management node;
And encrypting the execution state information and the trusted execution environment information to obtain the encrypted ciphertext.
Optionally, after the neural network model based on the attention mechanism determines the target migration node according to the state information, the method includes:
Receiving the target application program based on the first preset number of symbiotic trusted execution environment nodes corresponding to the target migration node respectively;
Executing the target application program based on the first preset number of symbiotic trusted execution environment nodes respectively to obtain respective execution results of the first preset number of symbiotic trusted execution environment nodes;
Detecting whether the second preset number of symbiotic trusted execution environment nodes are abnormal in the process of camouflage receiving the target application program or not, and obtaining a detection result;
And determining the accuracy and the credibility of the execution result according to the execution result and the detection result.
Optionally, the method includes:
Monitoring target state information of the target application program migration process based on a preset monitoring program;
and training and updating the neural network model according to the target state information. According to a second aspect of the present disclosure, there is provided an apparatus for application migration, comprising:
The first determining unit is used for determining a target symbiotic trusted execution environment node where a target application program to be migrated is located, wherein the target symbiotic trusted execution environment node comprises a target management node and a target execution node, the target execution node is used for executing the target application program, and the target management node is used for managing migration of the target application program;
The second determining unit is used for determining a target migration node based on the target management node, wherein the target migration node is connected with the target symbiotic trusted execution environment node based on a consensus network, the consensus network is a network constructed based on a blockchain, the target migration node is a symbiotic trusted execution environment node, and the target management node is used for receiving the target application program;
the first creating unit is used for carrying out key negotiation on the target migration node and the target symbiotic trusted execution environment node and creating a secure channel between the target migration node and the target symbiotic trusted execution environment node;
The loading unit is used for loading the encrypted ciphertext corresponding to the target application program to the target migration node based on the secure channel;
the decryption unit is used for decrypting the encrypted ciphertext based on the management node in the target migration node to obtain a decryption result, and carrying out integrity check on the decryption result;
The second creating unit is used for creating the same execution node as the target execution node in the target migration node according to the trusted execution environment information included in the decryption result under the condition that the decryption result is complete and correct, wherein the trusted execution environment information is the environment information of the target program running in the target execution node;
and the running unit is used for running the target application program at the execution node according to the execution state information of the target application program at the target execution node, which is included in the decryption result.
Optionally, the first determining unit includes:
a first determining module for determining resources and configuration information of a trusted execution environment required for running an application, the resources and configuration information including platforms, hardware and dependent items, and the application and data running in the trusted execution environment;
the creation module is used for creating a symbiotic trusted execution environment node according to the resources and the configuration information, and the symbiotic trusted execution environment node runs the application program;
And the second determining module is used for determining the application program as the target application program and determining the symbiotic trusted execution environment node as the target symbiotic trusted execution environment node under the condition that the application program is determined to be migrated.
Optionally, the second determining unit includes:
the acquisition module is used for acquiring state information of all migration nodes on the consensus network based on the target management node, wherein the state information comprises states and resource conditions, and all the migration nodes are symbiotic trusted execution environment nodes;
The determining module is used for determining the target migration node according to the state information based on a neural network model of an attention mechanism, wherein the target migration node is a first preset number of symbiotic trusted execution environment nodes, the first preset number of symbiotic trusted execution environment nodes are used for receiving the target application program, and in addition, a second preset number of symbiotic trusted execution environment nodes connected with the consensus network are used for masquerading and receiving the target application program.
Optionally, the device is further configured to:
creating a migration task according to the state information and the migration requirement based on the target management node;
the information of the migration task is uplink and broadcast to all the migration nodes on the consensus network, so that each migration node executes corresponding operation according to the information of the migration task;
collecting the execution state information and the trusted execution environment information of the target application program at the target execution node based on the target management node;
And encrypting the execution state information and the trusted execution environment information to obtain the encrypted ciphertext.
Optionally, the device is further configured to:
Receiving the target application program based on the first preset number of symbiotic trusted execution environment nodes corresponding to the target migration node respectively;
Executing the target application program based on the first preset number of symbiotic trusted execution environment nodes respectively to obtain respective execution results of the first preset number of symbiotic trusted execution environment nodes;
Detecting whether the second preset number of symbiotic trusted execution environment nodes are abnormal in the process of camouflage receiving the target application program or not, and obtaining a detection result;
And determining the accuracy and the credibility of the execution result according to the execution result and the detection result.
Optionally, the device is further configured to:
Monitoring target state information of the target application program migration process based on a preset monitoring program;
and training and updating the neural network model according to the target state information.
According to a third aspect of the present disclosure, there is provided an electronic device comprising:
at least one processor, and
A memory communicatively coupled to the at least one processor, wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of the first aspect.
According to a fourth aspect of the present disclosure, there is provided a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of the preceding first aspect.
According to a fifth aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the method of the first aspect described above.
The application migration method, the device, the electronic equipment, the storage medium and the computer program provided by the disclosure determine a target symbiotic trusted execution environment node where a target application program to be migrated is located, wherein the target symbiotic trusted execution environment node comprises a target management node and a target execution node, the target execution node is used for executing the target application program, and the target management node is used for managing the migration of the target application program; determining a target migration node based on a consensus network and the target symbiotic trusted execution environment node, wherein the target migration node is connected with the target symbiotic trusted execution environment node based on a consensus network, the consensus network is a network constructed based on a blockchain, the target migration node is a symbiotic trusted execution environment node, the target management node is used for receiving the target application program, performing key negotiation on the target migration node and the target symbiotic trusted execution environment node and creating a secure channel between the target migration node and the target symbiotic trusted execution environment node, loading an encrypted ciphertext corresponding to the target application program to the target migration node based on the secure channel, decrypting the encrypted ciphertext based on the management node in the target migration node to obtain a decryption result, performing integrity check on the decryption result, creating the same execution node as the target execution node in the target migration node according to the trusted execution environment information included in the decryption result under the condition that the decryption result is determined to be complete, the trusted execution environment information is environment information of the target program running on the target execution node, and the target application program is run on the execution node according to the execution state information of the target application program on the target execution node, which is included in the decryption result. Compared with the related art, the method has the advantages that the dual isolation of the trusted execution environment is realized by designing the random symbiotic trusted execution environment, the safety of the application program is protected, the P2P consensus network management node is introduced, single-point faults are avoided, node mutual trust is increased, the application program is migrated through the consensus network, the data in the migration process can not be stored in a lasting mode, the safety, the privacy and the traceability of the migration process of the data are guaranteed, and therefore the trusted efficient migration of the application program is realized.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention. In the drawings:
fig. 1 is a flowchart of a method for application migration according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram of a trusted application migration node network architecture according to the present embodiment;
Fig. 3 is a schematic structural diagram of an apparatus for application migration according to an embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of another device for application migration according to an embodiment of the present disclosure;
Fig. 5 is a schematic block diagram of an example electronic device 300 provided by an embodiment of the present disclosure.
Detailed Description
The invention will be described in detail below with reference to the drawings in connection with embodiments. It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other.
The following detailed description is exemplary and is intended to provide further details of the invention. Unless defined otherwise, all technical terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments in accordance with the invention.
Furthermore, the terms first, second and the like in the description and in the claims of the present disclosure and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein.
Methods of application migration methods, apparatuses, electronic devices, storage media, and computer programs of embodiments of the present disclosure are described below with reference to the accompanying drawings.
To at least enable trusted and efficient migration of applications. The embodiment provides a method for application migration.
Fig. 1 is a flowchart of a method for application migration according to an embodiment of the present disclosure. As shown in fig. 1, the method comprises the steps of:
step 101, determining a target symbiotic trusted execution environment node where a target application program to be migrated is located, wherein the target symbiotic trusted execution environment node comprises a target management node and a target execution node, the target execution node is used for executing the target application program, and the target management node is used for managing migration of the target application program;
102, determining a target migration node based on the target management node, wherein the target migration node is connected with the target symbiotic trusted execution environment node based on a consensus network, the consensus network is a network constructed based on a blockchain, the target migration node is a symbiotic trusted execution environment node, and the target management node is used for receiving the target application program;
Step 103, performing key negotiation on the target migration node and the target symbiotic trusted execution environment node, and creating a secure channel between the target migration node and the target symbiotic trusted execution environment node;
Step 104, loading the encrypted ciphertext corresponding to the target application program to the target migration node based on the secure channel;
Step 105, decrypting the encrypted ciphertext based on the management node in the target migration node to obtain a decryption result, and performing integrity check on the decryption result;
step 106, under the condition that the decryption result is complete and correct, creating an execution node which is the same as the target execution node in the target migration node according to the trusted execution environment information included in the decryption result, wherein the trusted execution environment information is the environment information of the target program running in the target execution node;
And step 107, running the target application program at the execution node according to the execution state information of the target application program at the target execution node, which is included in the decryption result.
The application migration method includes the steps of determining a target symbiotic trusted execution environment node where a target application program to be migrated is located, wherein the target symbiotic trusted execution environment node comprises a target management node and a target execution node, the target execution node is used for executing the target application program, the target management node is used for managing migration of the target application program, determining a target migration node based on the target management node, the target migration node is connected with the target symbiotic trusted execution environment node based on a consensus network, the consensus network is a network constructed based on a block chain, the target migration node is a symbiotic trusted execution environment node, the target management node is used for receiving the target application program, conducting key negotiation on the target migration node and the target symbiotic trusted execution environment node, creating a secure channel between the target migration node and the target symbiotic trusted execution environment node, loading encrypted ciphertext corresponding to the target application program to the target migration node based on the secure channel, decrypting the encrypted ciphertext based on the management node in the target migration node, decrypting the encrypted ciphertext, and decoding the decrypted ciphertext, and creating a complete decryption result under the condition that the decryption result is identical to the target migration environment node is established under the condition that the complete decryption result is not verified by the target execution environment node, the trusted execution environment information is environment information of the target program running on the target execution node, and the target application program is run on the execution node according to the execution state information of the target application program on the target execution node, which is included in the decryption result. Compared with the related art, the method has the advantages that the dual isolation of the trusted execution environment is realized by designing the random symbiotic trusted execution environment, the safety of the application program is protected, the P2P consensus network management node is introduced, single-point faults are avoided, node mutual trust is increased, the application program is migrated through the consensus network, the data in the migration process can not be stored in a lasting mode, the safety, the privacy and the traceability of the migration process of the data are guaranteed, and therefore the trusted efficient migration of the application program is realized.
As a refinement of the embodiment of the present disclosure, when the determining the target symbiotic trusted execution environment node where the target application needs to be migrated in step 101 is performed, for example, but not limited to, determining resources and configuration information of a trusted execution environment required for running the application, where the resources and configuration information include platforms, hardware, and dependencies, and the application and data running in the trusted execution environment, creating a symbiotic trusted execution environment node according to the resources and configuration information, where the symbiotic trusted execution environment node runs the application, and determining that the application is the target application and determining that the symbiotic trusted execution environment node is the target symbiotic trusted execution environment node when the application needs to be migrated.
As a refinement of the foregoing embodiment, when the determining the target migration node based on the target management node in step 102 is performed, an implementation manner may be adopted, but is not limited to, for example, that the state information of all migration nodes on the consensus network is collected based on the target management node, where the state information includes a state and a resource condition, and all migration nodes are symbiotic trusted execution environment nodes, the target migration node is determined based on the state information by a neural network model of an attention mechanism, and is a first preset number of symbiotic trusted execution environment nodes, where the first preset number of symbiotic trusted execution environment nodes are used for receiving the target application program, and in addition, a second preset number of symbiotic trusted execution environment nodes connected with the consensus network are used for disguising to receive the target application program.
In some embodiments, the determination of the target migration node may also be selected based on a random selection mechanism.
As a refinement of the above embodiment, before the neural network model based on the attention mechanism determines the target migration node according to the state information, the method may also adopt, but is not limited to, implementation manners, such as creating a migration task based on the target management node according to the state information and migration requirements, linking and broadcasting information of the migration task to all migration nodes on the consensus network, so that each migration node performs a corresponding operation according to the information of the migration task, collecting the execution state information and the trusted execution environment information of the target application program at the target execution node based on the target management node, and encrypting the execution state information and the trusted execution environment information to obtain the encrypted ciphertext.
As a refinement of the above embodiment, after the neural network model based on the attention mechanism determines the target migration node according to the state information, the method may also adopt, but is not limited to, implementation manners, for example, receiving the target application program respectively based on the first preset number of symbiotic trusted execution environment nodes corresponding to the target migration node, executing the target application program respectively based on the first preset number of symbiotic trusted execution environment nodes to obtain respective execution results of the first preset number of symbiotic trusted execution environment nodes, detecting whether the second preset number of symbiotic trusted execution environment nodes have an abnormality in the process of camouflage receiving the target application program, obtaining a detection result, and determining accuracy and reliability of the execution result according to the execution result and the detection result.
In some embodiments, the target state information of the migration process of the target application program can be monitored based on a preset monitoring program, and training and updating are performed on the neural network model according to the target state information.
Fig. 2 is a schematic diagram of a trusted application migration node network architecture provided in this embodiment, for facilitating understanding of the above process, this embodiment provides an exemplary illustration in combination with fig. 2, and includes introducing a random symbiotic trusted execution environment mechanism according to an actual requirement of dynamic trusted application, i.e. application program migration, creating symbiotic trusted execution environment nodes, forming a P2P consensus network based on a blockchain infrastructure, for overall migration of the trusted application environment, designing a deep learning model with an attention mechanism neural network as a core, integrating multiple factors affecting migration efficiency, combining migration strategies such as randomly selecting migration nodes and node redundancy, forming an optimal migration scheme, using a dynamic key to establish a point-to-point encryption channel in the P2P consensus network, implementing remote authentication, and completing secure migration under a secret state. In addition, the whole migration process is uplink, and execution conditions are collected in real time through resident programs, so that a supervision and evaluation mechanism is formed, process traceability is supported, and migration safety is improved. Wherein, the
The P2P consensus network is a decentralised network structure, is used as a part of a blockchain infrastructure and is used for managing and maintaining the state and consistency of the whole system, the symbiotic trusted execution environment can communicate and cooperate through the P2P consensus network, and a blockchain related service support migration scheme provided by the blockchain infrastructure is utilized, wherein the services comprise uplink, post trace and the like in the migration process. The symbiotic trusted execution environment node is called symbiotic TEE node for short. The symbiotic TEE node is formed by combining a plurality of TEE trusted execution environments and comprises an execution node and a management node, wherein the creation of the symbiotic TEE node generates a plurality of random trusted execution environments, one management node is specially used for managing and interacting with the outside, and the other execution nodes are used for executing service application programs, so that double isolation of the trusted execution environments is realized. The execution node is a TEE trusted execution environment for running trusted applications, and is used for executing specific business applications, including data sensitive computing business or trusted computing business, providing a trusted channel for connection with a management node, and providing support functions related to node migration. The management node is a TEE trusted execution environment for running management functions and is used for providing safe computing environments and management functions, and mainly comprises a P2P consensus module, an execution node management module, a migration strategy module, an execution node environment migration module, a secret key and authority management module, a safety authentication module and the like, wherein the P2P consensus module is responsible for node consensus and blockchain related services and comprises functions of participation consensus, distributed management, decentralization decision and the like, the execution node management module is responsible for managing service and execution condition monitoring of the execution node, the migration node management module is responsible for locally managing other effective migration nodes in a P2P network, the migration strategy module core is a neural network based on an attention mechanism, factors such as a node owner, a network condition, a calculation condition, a data condition, a unique resource condition, a trust condition, a resource utilization ratio and the like are comprehensively considered, an optimal migration scheme is formulated according to a current node task and a system running state, the execution node environment migration module is responsible for migrating the execution node to a target execution node according to the migration scheme, the migration scheme is responsible for managing the migration node to the safety authentication process, the secret key and the authority authentication module is used in the process and the safety authentication process is established in the safety authentication process of the safety authentication process and the secret key channel authentication module. The migration scheme adopts a random selection and redundancy mechanism, a plurality of alternative migration nodes are selected, one part of nodes, namely the target migration nodes, are used for migration of real execution nodes, the other part of nodes, namely the second preset number of symbiotic trusted execution environment nodes, adopt application tasks formed by disguise calculation, and are mainly used for confusing attack targets of attackers, identifying maliciousness of the target migration nodes and evaluating node safety.
To more intuitively illustrate the migration process of the target application program, the present embodiment provides another exemplary illustration, including determining, according to actual service requirements, resource requirements and configurations of a trusted execution environment required by the application program, including required platforms, hardware, and dependent items, and programs and data running in the trusted execution environment. According to resource requirements and configuration, creating symbiotic TEE nodes, wherein the executing nodes are used for checking the integrity of programs and data and verifying the digital signature of the programs to ensure the credibility of the programs, uploading the data and the programs in the credible execution environment of the executing nodes and executing the programs, constructing a consensus network by the managing nodes by using a blockchain infrastructure, and collecting information of all the migrating nodes, including states and resource conditions, by the managing nodes so as to facilitate subsequent task allocation and management. And the management node creates a migration task according to the resource information and the migration requirement, and utilizes the blockchain infrastructure to uplink to inform all nodes of the consensus network. The management node takes over the execution node, sets up a check point, stores the current execution state, creates a secret key, encrypts the execution node environment to form a trusted execution environment ciphertext of the execution node, builds an optimal migration strategy based on a neural network model of an attention mechanism by combining the current task state and the resource state and the trust state of a collection node, determines a target migration node, wherein one part of nodes are used for migration of a real execution node, the other part of nodes adopt application tasks formed by disguise calculation, all the target migration nodes carry out secret key negotiation to create a safety channel, a monitoring program is started at the management node of the target migration node, the encrypted ciphertext of the source execution node is loaded into a memory, the management node decrypts the ciphertext of the source execution node and carries out complete verification, creates the same execution environment as the source node according to the requirements of the migration task, loads the check point, after migration is completed, the execution node is awakened, resumes the state and data of the application program, continues to execute the application program, monitors the execution process state in real time, collects the program behavior and links the program, ensures tracking and safety of the migration process, returns an execution result to an owner through the trusted channel after the program operation is finished, a plurality of groups of real execution nodes are output, the verification of tasks is carried out, the validity of the task verification is carried out, and the reliability of the migration process is ensured, and the reliability of the abnormal performance is updated, and the reliability of the network model is ensured, and the reliability is updated, and the reliability is ensured.
In summary, the embodiments of the present disclosure can achieve the following effects:
1. By designing a random symbiotic trusted execution environment, double isolation of the trusted execution environment is realized, the safety of an application program is protected, a P2P consensus network management node is introduced, single-point faults are avoided, node mutual trust is increased, the application program is migrated through the consensus network, the data in the migration process can not be stored in a lasting manner, the safety, the privacy and the traceability of the migration process are ensured, and therefore the trusted and efficient migration of the application program is realized, and the migration efficiency and the data privacy safety are improved.
2. By generating a plurality of random trusted execution environments, one of the trusted execution environments is specially used for managing and interacting with the outside, and the other trusted execution environments are used for executing business application programs, so that double isolation of the trusted execution environments is realized, the safety of application program instances is protected, and the difficulty of external attack is increased to a certain extent through a random creation mechanism.
3. The P2P consensus network is adopted to manage the nodes of the trusted application environment, so that single-point faults and security risks possibly existing in the traditional centralized management mode are avoided. By using a hierarchical management and attention mechanism neural network dynamic model, the deep connection affecting migration task factors is better discovered, the optimal migration scheme is selected, and the efficiency and safety of environment migration are improved.
4. The management node takes over the execution node and encrypts and encapsulates the execution node, a random selection mechanism and a redundancy mechanism are adopted to select a plurality of alternative migration nodes, a safety pipeline and a dynamic key are respectively created, one part is used for real calculation execution, the other part is used for disguise calculation, the difficulty of an attacker on the migration process is increased, the malicious performance of the node is also facilitated to be identified, and the security of the node is evaluated.
5. After the migration is completed, the target instance can be quickly awakened and connected with the service, so that the continuity of the service in the migration process is ensured.
6. The whole migration process is pushed to a task initiator, the uplink of the migration process is realized, and traceability is ensured. Meanwhile, the disk is not dropped in the execution process, and the data in the data processing process cannot be stored in a lasting mode, so that the safety and privacy of the data are ensured.
7. And an evaluation mechanism is introduced, the execution condition is collected through resident programs, and the service quality of the migration process is evaluated for further improving the migration efficiency and the security, so that the system is ensured to keep high security and stability in a continuously evolving network environment.
Corresponding to the application migration method, the invention further provides an application migration device. Since the device embodiment of the present invention corresponds to the above-mentioned method embodiment, details not disclosed in the device embodiment may refer to the above-mentioned method embodiment, and details are not described in detail in the present invention.
Fig. 3 is a schematic structural diagram of an apparatus for application migration according to an embodiment of the present disclosure, where, as shown in fig. 3, the apparatus includes:
A first determining unit 21, configured to determine a target symbiotic trusted execution environment node where a target application program to be migrated is located, where the target symbiotic trusted execution environment node includes a target management node and a target execution node, where the target execution node is configured to execute the target application program, and the target management node is configured to manage migration of the target application program;
A second determining unit 22, configured to determine, based on the target management node, a target migration node, where the target migration node is connected to the target symbiotic trusted execution environment node based on a consensus network, the consensus network is a network constructed based on a blockchain, the target migration node is a symbiotic trusted execution environment node, and the target management node is configured to receive the target application program;
A first creating unit 23, configured to perform key negotiation on the target migration node and the target symbiotic trusted execution environment node, and create a secure channel between the target migration node and the target symbiotic trusted execution environment node;
A loading unit 24, configured to load an encrypted ciphertext corresponding to the target application program to the target migration node based on the secure channel;
A decryption unit 25, configured to decrypt the encrypted ciphertext based on a management node in the target migration node, obtain a decryption result, and perform integrity check on the decryption result;
a second creating unit 26, configured to create, in the target migration node, an execution node identical to the target execution node according to trusted execution environment information included in the decryption result, where the trusted execution environment information is environment information of the target program running in the target execution node, where the decryption result is determined to be complete and correct;
And an operation unit 27, configured to operate the target application program at the execution node according to the execution state information of the target application program at the execution node included in the decryption result.
The application migration device provided by the disclosure determines a target symbiotic trusted execution environment node where a target application program to be migrated is located, wherein the target symbiotic trusted execution environment node comprises a target management node and a target execution node, the target execution node is used for executing the target application program, the target management node is used for managing migration of the target application program, the target migration node is determined based on the target management node, the target migration node is connected with the target symbiotic trusted execution environment node based on a consensus network, the consensus network is a network constructed based on a block chain, the target migration node is a symbiotic trusted execution environment node, the target management node is used for receiving the target application program, the target migration node and the target symbiotic trusted execution environment node are subjected to key negotiation, a secure channel between the target migration node and the target symbiotic trusted execution environment node is created, an encrypted ciphertext corresponding to the target application program is loaded to the target migration node based on the secure channel, the target migration node is decrypted based on the management node in the target migration node, the decryption result is obtained, the decryption result is not included under the condition that the decryption result is not included, and the decryption result is not included under the condition that the decryption result is completely verified by the target execution environment is completely, the trusted execution environment information is environment information of the target program running on the target execution node, and the target application program is run on the execution node according to the execution state information of the target application program on the target execution node, which is included in the decryption result. Compared with the related art, the method has the advantages that the dual isolation of the trusted execution environment is realized by designing the random symbiotic trusted execution environment, the safety of the application program is protected, the P2P consensus network management node is introduced, single-point faults are avoided, node mutual trust is increased, the application program is migrated through the consensus network, the data in the migration process can not be stored in a lasting mode, the safety, the privacy and the traceability of the migration process of the data are guaranteed, and therefore the trusted efficient migration of the application program is realized.
Fig. 4 is a schematic structural diagram of another apparatus for application migration according to an embodiment of the present disclosure, as shown in fig. 4, where the first determining unit 21 includes:
A first determining module 211, configured to determine resources and configuration information of a trusted execution environment required for running an application, where the resources and configuration information include a platform, hardware, and dependencies, and the application and data running in the trusted execution environment;
A creation module 212, configured to create a symbiotic trusted execution environment node according to the resource and the configuration information, where the symbiotic trusted execution environment node runs the application program;
and the second determining module 213 is configured to determine that the application is the target application and determine that the symbiotic trusted execution environment node is the target symbiotic trusted execution environment node if it is determined that the application needs to be migrated.
Further, in a possible implementation manner of the embodiment of the present disclosure, as shown in fig. 4, the second determining unit 22 includes:
The collecting module 221 is configured to collect, based on the target management node, status information of all migration nodes on the consensus network, where the status information includes status and resource conditions, and all migration nodes are symbiotic trusted execution environment nodes;
The determining module 222 is configured to determine, according to the state information, the target migration node based on a neural network model of an attention mechanism, where the target migration node is a first preset number of symbiotic trusted execution environment nodes, and the first preset number of symbiotic trusted execution environment nodes is used to receive the target application program, and in addition, a second preset number of symbiotic trusted execution environment nodes connected to the consensus network is used to disguise to receive the target application program.
Further, in a possible implementation manner of the embodiment of the disclosure, as shown in fig. 4, the apparatus is further configured to:
creating a migration task according to the state information and the migration requirement based on the target management node;
the information of the migration task is uplink and broadcast to all the migration nodes on the consensus network, so that each migration node executes corresponding operation according to the information of the migration task;
collecting the execution state information and the trusted execution environment information of the target application program at the target execution node based on the target management node;
And encrypting the execution state information and the trusted execution environment information to obtain the encrypted ciphertext.
Further, in a possible implementation manner of the embodiment of the disclosure, as shown in fig. 4, the apparatus is further configured to:
Receiving the target application program based on the first preset number of symbiotic trusted execution environment nodes corresponding to the target migration node respectively;
Executing the target application program based on the first preset number of symbiotic trusted execution environment nodes respectively to obtain respective execution results of the first preset number of symbiotic trusted execution environment nodes;
Detecting whether the second preset number of symbiotic trusted execution environment nodes are abnormal in the process of camouflage receiving the target application program or not, and obtaining a detection result;
And determining the accuracy and the credibility of the execution result according to the execution result and the detection result.
Further, in a possible implementation manner of the embodiment of the disclosure, as shown in fig. 4, the apparatus is further configured to:
Monitoring target state information of the target application program migration process based on a preset monitoring program;
and training and updating the neural network model according to the target state information.
The foregoing explanation of the method embodiment is also applicable to the apparatus of this embodiment, and the principle is the same, and this embodiment is not limited thereto.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 5 shows a schematic block diagram of an example electronic device 300 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 5, the apparatus 300 includes a computing unit 301 that can perform various appropriate actions and processes according to a computer program stored in a ROM (Read-Only Memory) 302 or a computer program loaded from a storage unit 308 into a RAM (Random Access Memory ) 303. In the RAM 303, various programs and data required for the operation of the device 300 may also be stored. The computing unit 301, the ROM 302, and the RAM 303 are connected to each other by a bus 304. An I/O (Input/Output) interface 305 is also connected to bus 304.
Various components in the device 300 are connected to the I/O interface 305, including an input unit 306, such as a keyboard, mouse, etc., an output unit 307, such as various types of displays, speakers, etc., a storage unit 308, such as a magnetic disk, optical disk, etc., and a communication unit 309, such as a network card, modem, wireless communication transceiver, etc. The communication unit 309 allows the device 300 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 301 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 301 include, but are not limited to, a CPU (Central Processing Unit ), a GPU (Graphic Processing Units, graphics processing unit), various specialized AI (ARTIFICIAL INTELLIGENCE ) computing chips, various computing units running machine learning model algorithms, DSPs (DIGITAL SIGNAL Processor ), and any suitable Processor, controller, microcontroller, etc. The computing unit 301 performs the various methods and processes described above, such as the method of application migration. For example, in some embodiments, the method of application migration may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 308. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 300 via the ROM 302 and/or the communication unit 309. When the computer program is loaded into RAM 303 and executed by computing unit 301, one or more steps of the method described above may be performed. Alternatively, in other embodiments, the computing unit 301 may be configured to perform the aforementioned method of application migration in any other suitable way (e.g., by means of firmware).
Various implementations of the systems and techniques described here above can be implemented in digital electronic circuitry, integrated Circuit System, FPGA (Field Programmable GATE ARRAY ), ASIC (Application-SPECIFIC INTEGRATED Circuit, application-specific integrated Circuit), ASSP (Application SPECIFIC STANDARD Product, application-specific standard Product), SOC (System On Chip ), CPLD (Complex Programmable Logic Device, complex programmable logic device), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include being implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special or general purpose programmable processor, operable to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, RAM, ROM, EPROM (ELECTRICALLY PROGRAMMABLE READ-Only-Memory, erasable programmable read-Only Memory) or flash Memory, an optical fiber, a CD-ROM (Compact Disc Read-Only Memory), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (Cathode-Ray Tube) or LCD (Liquid CRYSTAL DISPLAY) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user, for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include LAN (Local Area Network ), WAN (Wide Area Network, wide area network), the Internet, and blockchain networks.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service ("Virtual PRIVATE SERVER" or simply "VPS") are overcome. The server may also be a server of a distributed system or a server that incorporates a blockchain.
It should be noted that, artificial intelligence is a subject of studying a certain thought process and intelligent behavior (such as learning, reasoning, thinking, planning, etc.) of a computer to simulate a person, and has a technology at both hardware and software level. The artificial intelligence hardware technology generally comprises technologies such as a sensor, a special artificial intelligence chip, cloud computing, distributed storage, big data processing and the like, and the artificial intelligence software technology mainly comprises a computer vision technology, a voice recognition technology, a natural language processing technology, a machine learning/deep learning technology, a big data processing technology, a knowledge graph technology and the like.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.

Claims (10)

1. A method of application migration, comprising:
Determining a target symbiotic trusted execution environment node where a target application program to be migrated is located, wherein the target symbiotic trusted execution environment node comprises a target management node and a target execution node, the target execution node is used for executing the target application program, and the target management node is used for managing migration of the target application program;
Determining a target migration node based on the target management node, wherein the target migration node is connected with the target symbiotic trusted execution environment node based on a consensus network, the consensus network is a network constructed based on a blockchain, the target migration node is a symbiotic trusted execution environment node, and the target management node is used for receiving the target application program;
performing key negotiation on the target migration node and the target symbiotic trusted execution environment node, and creating a secure channel between the target migration node and the target symbiotic trusted execution environment node;
loading an encrypted ciphertext corresponding to the target application program to the target migration node based on the secure channel;
decrypting the encrypted ciphertext based on the management node in the target migration node to obtain a decryption result, and performing integrity check on the decryption result;
Under the condition that the decryption result is complete and correct, creating an execution node which is the same as the target execution node in the target migration node according to the trusted execution environment information included in the decryption result, wherein the trusted execution environment information is the environment information of the target program running in the target execution node;
And running the target application program at the execution node according to the execution state information of the target application program at the target execution node, which is included in the decryption result.
2. The method of claim 1, wherein the determining a target symbiotic trusted execution environment node in which the target application to be migrated is located comprises:
Determining resources and configuration information of a trusted execution environment required for running an application, wherein the resources and configuration information comprise a platform, hardware and dependent items, and the application and data running in the trusted execution environment;
Creating a symbiotic trusted execution environment node according to the resources and the configuration information, wherein the symbiotic trusted execution environment node runs the application program;
and under the condition that the application program is determined to be migrated, determining the application program as the target application program and determining the symbiotic trusted execution environment node as the target symbiotic trusted execution environment node.
3. The method of claim 2, wherein the determining a target migration node based on the target management node comprises:
Collecting state information of all migration nodes on the consensus network based on the target management node, wherein the state information comprises states and resource conditions, and all the migration nodes are symbiotic trusted execution environment nodes;
The neural network model based on the attention mechanism determines the target migration node according to the state information, wherein the target migration node is a first preset number of symbiotic trusted execution environment nodes, the first preset number of symbiotic trusted execution environment nodes are used for receiving the target application program, and in addition, a second preset number of symbiotic trusted execution environment nodes connected with the consensus network are used for camouflage receiving the target application program.
4. A method according to claim 3, characterized in that before the neural network model based on an attention mechanism determines the target migration node from the state information, the method comprises:
creating a migration task according to the state information and the migration requirement based on the target management node;
the information of the migration task is uplink and broadcast to all the migration nodes on the consensus network, so that each migration node executes corresponding operation according to the information of the migration task;
collecting the execution state information and the trusted execution environment information of the target application program at the target execution node based on the target management node;
And encrypting the execution state information and the trusted execution environment information to obtain the encrypted ciphertext.
5. The method of claim 4, wherein after determining the target migration node from the state information based on a neural network model of an attention mechanism, the method comprises:
Receiving the target application program based on the first preset number of symbiotic trusted execution environment nodes corresponding to the target migration node respectively;
Executing the target application program based on the first preset number of symbiotic trusted execution environment nodes respectively to obtain respective execution results of the first preset number of symbiotic trusted execution environment nodes;
Detecting whether the second preset number of symbiotic trusted execution environment nodes are abnormal in the process of camouflage receiving the target application program or not, and obtaining a detection result;
And determining the accuracy and the credibility of the execution result according to the execution result and the detection result.
6. The method according to claim 1, characterized in that the method comprises:
Monitoring target state information of the target application program migration process based on a preset monitoring program;
and training and updating the neural network model according to the target state information.
7. An apparatus for application migration, comprising:
The first determining unit is used for determining a target symbiotic trusted execution environment node where a target application program to be migrated is located, wherein the target symbiotic trusted execution environment node comprises a target management node and a target execution node, the target execution node is used for executing the target application program, and the target management node is used for managing migration of the target application program;
The second determining unit is used for determining a target migration node based on the target management node, wherein the target migration node is connected with the target symbiotic trusted execution environment node based on a consensus network, the consensus network is a network constructed based on a blockchain, the target migration node is a symbiotic trusted execution environment node, and the target management node is used for receiving the target application program;
the first creating unit is used for carrying out key negotiation on the target migration node and the target symbiotic trusted execution environment node and creating a secure channel between the target migration node and the target symbiotic trusted execution environment node;
The loading unit is used for loading the encrypted ciphertext corresponding to the target application program to the target migration node based on the secure channel;
the decryption unit is used for decrypting the encrypted ciphertext based on the management node in the target migration node to obtain a decryption result, and carrying out integrity check on the decryption result;
The second creating unit is used for creating the same execution node as the target execution node in the target migration node according to the trusted execution environment information included in the decryption result under the condition that the decryption result is complete and correct, wherein the trusted execution environment information is the environment information of the target program running in the target execution node;
and the running unit is used for running the target application program at the execution node according to the execution state information of the target application program at the target execution node, which is included in the decryption result.
8. An electronic device, comprising:
at least one processor, and
A memory communicatively coupled to the at least one processor, wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
9. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-6.
10. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any of claims 1-6.
CN202410557526.3A 2024-05-08 2024-05-08 Method, apparatus, electronic device, storage medium and computer program for application migration Active CN118449747B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410557526.3A CN118449747B (en) 2024-05-08 2024-05-08 Method, apparatus, electronic device, storage medium and computer program for application migration

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410557526.3A CN118449747B (en) 2024-05-08 2024-05-08 Method, apparatus, electronic device, storage medium and computer program for application migration

Publications (2)

Publication Number Publication Date
CN118449747A CN118449747A (en) 2024-08-06
CN118449747B true CN118449747B (en) 2026-01-13

Family

ID=92319071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410557526.3A Active CN118449747B (en) 2024-05-08 2024-05-08 Method, apparatus, electronic device, storage medium and computer program for application migration

Country Status (1)

Country Link
CN (1) CN118449747B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118869359B (en) * 2024-09-24 2025-05-06 济南浪潮数据技术有限公司 Application migration method, device, electronic device, storage medium and program product

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111082934A (en) * 2019-12-31 2020-04-28 支付宝(杭州)信息技术有限公司 Method and device for cross-domain secure multi-party computation based on trusted execution environment
CN113297133A (en) * 2021-06-01 2021-08-24 中国地质大学(北京) Service migration quality guarantee method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114185641B (en) * 2021-11-11 2024-02-27 北京百度网讯科技有限公司 Virtual machine cold migration method, device, electronic equipment and storage medium
CN115314489B (en) * 2022-08-10 2026-01-23 阿里巴巴(中国)有限公司 Data migration method, device and storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111082934A (en) * 2019-12-31 2020-04-28 支付宝(杭州)信息技术有限公司 Method and device for cross-domain secure multi-party computation based on trusted execution environment
CN113297133A (en) * 2021-06-01 2021-08-24 中国地质大学(北京) Service migration quality guarantee method and system

Also Published As

Publication number Publication date
CN118449747A (en) 2024-08-06

Similar Documents

Publication Publication Date Title
US11483318B2 (en) Providing network security through autonomous simulated environments
Mohammad et al. Machine learning with big data analytics for cloud security
RU2584506C1 (en) System and method of protecting operations with electronic money
EP3793157A1 (en) Method and device for blockchain node
US12500870B2 (en) Network action classification and analysis using widely distributed and selectively attributed sensor nodes and cloud-based processing
Tian et al. Honeypot game‐theoretical model for defending against APT attacks with limited resources in cyber‐physical systems
CN112351031A (en) Generation method and device of attack behavior portrait, electronic equipment and storage medium
Gunawan et al. On the review and setup of security audit using Kali Linux
CN118449747B (en) Method, apparatus, electronic device, storage medium and computer program for application migration
Pacheco et al. Enabling risk management for smart infrastructures with an anomaly behavior analysis intrusion detection system
Meziane et al. A Study of Modelling IoT Security Systems with Unified Modelling Language (UML)
Alozie Threat Modeling in Health Care Sector
Buttar et al. Conversational AI: Security Features, Applications, and Future Scope at Cloud Platform
Yzzogh et al. A comprehensive overview of AI-driven behavioral analysis for security in Internet of Things
Ahmed et al. CCF based system framework in federated learning against data poisoning attacks
US8750520B2 (en) Appraising systems with zero knowledge proofs
KR102690034B1 (en) Method of determining trust level of user device accessing resource on server and system of diagnosis the same
Yadav et al. Vulnerability management in IIoT-based systems: What, why and how
Shahriar et al. iddaf: An intelligent deceptive data acquisition framework for secure cyber-physical systems
US20240098102A1 (en) Social graph enabled lateral movement detection
Pacheco et al. Security framework for IoT cloud services
Albakri et al. Traditional security risk assessment methods in cloud computing environment: usability analysis
Wagner et al. Quantifying Trustworthiness in Decentralized Trusted Applications
Sama et al. Security of cloud-assisted bans using digital twin
CN113420303A (en) Port scanning-based substation host security vulnerability detection method and system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant