Method for guaranteeing exclusive resource use and security isolation of elastic bare metal servers
By constructing a distributed coupled association mapping chain through elastically coupled blockchain and smart contracts, and combining it with a three-layer dynamic protection algorithm, the shortcomings of bare metal servers in terms of dynamic resource scheduling and security protection are solved, achieving real-time response and security assurance of hardware-level exclusive access and isolation.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NEWLIXON TECH CO LTD
- Filing Date
- 2025-09-11
- Publication Date
- 2026-06-16
Abstract figure: CN121037089B_ABST
Description
Technical Field
[0001] This invention belongs to the field of server security, and in particular relates to a method and system for ensuring exclusive resource access and security isolation of elastic bare metal servers.
Background Technology
[0002] Bare metal servers offer exclusive physical resources, high performance, and strong isolation. While traditional bare metal servers achieve a certain level of security through physical isolation technology and basic network protection, significant shortcomings remain in dynamic resource scheduling, fine-grained security protection, and intelligent operation and maintenance. Existing technologies often rely on static policies for resource allocation, failing to adjust in real-time according to business load, leading to low resource utilization. Security mechanisms are loosely coupled, lacking integration with advanced technologies such as zero-trust architecture and homomorphic encryption, making it difficult to cope with new types of network attacks. Furthermore, hardware-level isolation depends on fixed configurations, lacking flexible control over programmable hardware such as FPGAs, hindering fine-grained dynamic resource allocation. Although some solutions attempt to introduce automated scripts or basic monitoring tools, anomaly detection still relies on threshold alarms, unable to predict potential failures through machine learning models, and emergency response processes depend on manual intervention, leading to business continuity risks.
[0003] For example, Chinese patent CN115442316B discloses a full-stack high-performance computing bare metal management service system and method, including a user terminal that is electrically connected to the bare metal management service system via an input port, a communication connection between the bare metal management service system and a network service system, and a communication connection between the network service system and a cloud server; the method of the full-stack high-performance computing bare metal management service system includes: connecting the bare metal management service system; the communication connection between the bare metal management service system and the cloud server; the deployment of the bare metal management service system through DHCP and FTP services; the establishment of a subnet on the bare metal management service system; data processing by the cloud server; and security isolation and firewall protection for system security.
Summary of the Invention
[0004] To address the shortcomings of existing technologies, this invention proposes a method and system for ensuring exclusive and secure isolation of elastic bare metal server resources. This method utilizes a pre-set elastically coupled blockchain and on-chain smart contracts. Based on user needs and combined with a PoS+QoS consensus algorithm, resources are allocated from a server group to construct a distributed coupled and associated mapping chain. Each blockchain node configures a unique identity fingerprint and configuration parameters for the resources according to requirements. After the service chain is deployed and started, a pre-set three-layer dynamic protection algorithm is used to monitor its internal and external operating status in real time according to the progress of requirements completion. The judgment results are fed back to the resource configuration adjustment model, and in conjunction with a security adjustment strategy library, anomaly repair and resource on / off-chain adjustments are performed on the service chain. This invention ensures traceability of resource configuration and release through the immutability of the blockchain, achieving a secure closed loop of "fingerprint anchoring - on-chain configuration - dynamic protection" and ensuring exclusive access and isolation.
[0005] To achieve the above objectives, the present invention provides the following technical solution:
[0006] The method for ensuring exclusive use and security isolation of elastic bare metal server resources includes:
[0007] A pre-defined elastically coupled blockchain is used. Based on the smart contracts configured on the elastically coupled blockchain, resources are configured in response to user needs. Combined with a pre-defined resource configuration adjustment model, PoS+QoS consensus algorithm and server group, a distributed coupled association mapping chain is obtained.
[0008] The distributed coupled association mapping chain is constructed by each blockchain node on the elastically coupled blockchain, combining the unique identity fingerprint and configuration parameters of the corresponding configuration requirements and configuration resources.
[0009] Deploy and start the distributed coupled-associated mapping chain. At the same time, through the preset three-layer dynamic protection algorithm and the required completion progress, the internal and external operating status of the distributed coupled-associated mapping chain is detected and judged in real time. The judgment results are fed back to the resource configuration adjustment model and combined with the preset security adjustment strategy library to perform real-time anomaly repair and resource on / off chain adjustment of the distributed coupled-associated mapping chain.
[0010] Specifically, the distributed coupled association mapping chain is configured with a resource exchange pool; the resource exchange pool is configured with a resource interaction verification network;
[0011] The resource exchange pool is used to store the configuration, performance, identity fingerprint, historical configuration, running status and functions of the server group. The resource interaction verification network performs real-time resource uplink and downlink verification interaction through the configured parameter-resource one-to-one association mapping and the distributed coupled association mapping chain.
[0012] The construction steps of the resource interaction verification network include:
[0013] The system monitors and acquires the configuration, performance, identity fingerprint, historical configuration, running status and functions, and current idle running status data of all server groups at the current moment, and constructs a comprehensive status sequence set of real-time idle elastic bare metal servers.
[0014] Based on the performance, historical configuration operation status, and current idle operation status data in the comprehensive state sequence set, an evaluation algorithm is used to obtain the health status score corresponding to each idle elastic bare metal server. Combined with the Bayesian probability model built into the evaluation algorithm, the business operation risk value after the corresponding configuration resources are put on the blockchain is obtained.
[0015] Specifically, the construction steps of the resource interaction verification network also include:
[0016] The functional attributes, identity fingerprints, health status scores, and configuration status of the server group are stored in each parameter node of the metadata subnet within the resource interaction verification network. Based on the identity fingerprint and location information of each parameter node, a corresponding verification key-public key pair is generated.
[0017] A physical resource subnet is constructed based on the server group, and the public key of the server corresponding to each parameter node is associated and mapped to the physical resource node corresponding to the physical resource subnet, establishing a one-to-one association mapping between parameters and resources; each physical resource node represents a server.
[0018] Based on parameter-resource one-to-one association mapping, metadata subnet and physical resource subnet, a resource interaction verification network is obtained through topology space algorithm, and the initial state of the corresponding server in each parameter node is set to idle.
[0019] Specifically, the construction process of the distributed coupled association mapping chain includes:
[0020] Obtain the user resource demand sequence, trigger the demand parsing model in the smart contract of the elastically coupled blockchain, and obtain the user resource demand space;
[0021] Based on the user resource demand space and resource interaction verification network, the matching algorithm combined with the PoS+QoS consensus algorithm is used to obtain the server resources and number of servers that meet the user's needs. The initial state of the corresponding parameter node of the server obtained from the resource exchange pool is converted into the current occupied state, and the occupied state timestamp interval is marked.
[0022] Based on the number of servers, combined with blockchain and smart contracts, a distributed coupled and related mapping chain is constructed.
[0023] Specifically, the distributed coupled association mapping chain includes an isolated block sub-chain and a business processing sub-chain;
[0024] The isolated block subchain contains M isolated block sub-nodes and one extended isolated block sub-node; the business processing subchain contains M business processing sub-nodes.
[0025] The isolated block sub-nodes are used to store the key-public key, identity fingerprint, hash table of the running results, and verification and on / off chain adjustment of the security isolation interaction strategy for the corresponding business processing sub-nodes; the business processing sub-chain is used to perform load adjustment and calculation of user demand business based on real-time load data, and each business processing sub-node in the business processing sub-chain is only allowed to interact with other business processing sub-nodes in the chain.
[0026] Specifically, the construction process of the distributed coupled association mapping chain also includes:
[0027] The identity fingerprint, parameter-resource one-to-one association mapping, key-public key pair, and marked occupation status timestamp interval of each server corresponding parameter node in the server resources that meet user needs are associated and mapped from the corresponding parameter node in the metadata subnet to the corresponding isolated block sub-node in the isolated block subchain through smart contracts for resource on-chaining. After the resources are on-chained, a three-layer dynamic protection algorithm is configured on the corresponding interface of each isolated block sub-node.
[0028] Simultaneously, based on the physical resource subnet, select the physical resource node corresponding to the server, construct the business processing subchain and configure the exclusive virtual LAN identifier and VLAN identifier, and use parameter-resource one-to-one association mapping to connect the business processing sub-nodes in the business processing subchain with the corresponding isolation block sub-nodes.
[0029] The public key stored in the isolation block sub-nodes corresponding to the isolation block sub-chain is associated and mapped to the corresponding business processing sub-nodes. At the same time, the virtual LAN identifier, VLAN identifier, and storage hash of each business processing sub-node configured in the business processing sub-chain are associated and mapped to the corresponding isolation block sub-nodes.
[0030] Specifically, the construction process of the distributed coupled association mapping chain also includes:
[0031] In the business processing subchain, a load operation limit threshold is set for each node, and an extended association mapping is established between each business processing sub-node and the extended isolation block sub-node based on the set load operation limit threshold. The extended association mapping is then built into the on-chain extended contract between the isolation block subchain and the preparatory resource sub-pool configured in the resource exchange pool.
[0032] When the probability that the predicted load obtained by each business processing sub-node, configured with a predictive analysis model and combined with real-time running load data, is greater than the preset load over-limit probability threshold, the on-chain extended contract is triggered.
[0033] Based on the information stored in the over-limit corresponding business processing sub-node and the isolation block sub-node, combined with the information saved in the resource exchange pool corresponding to the idle parameter node and the distance between the physical resource node corresponding to each parameter node and the currently predicted over-limit business processing sub-node, a matching algorithm is used to select the parameter node by combining the principle of shortest delay, and the matched parameter node is stored in the reserve resource sub-pool.
[0034] Simultaneously, the public key associated with the business processing sub-node corresponding to the predicted over-limit is mapped to the corresponding parameter node obtained by matching the reserve resource sub-pool, and the extended on-chain association mapping is performed.
[0035] Specifically, the steps for real-time anomaly repair and resource on / off chain adjustment of the distributed coupled association mapping chain include:
[0036] Real-time monitoring of the operational status information within and between the distributed coupled associated mapping chain and the chain, and real-time anomaly detection through the configured anomaly detection model. When the monitoring and detection show that at least one business processing sub-node has an abnormal load, the on-chain extension contract is triggered. Based on the expected migration load corresponding to the load abnormality and the maximum load of the physical resource node corresponding to the reserve resource sub-pool, the physical resource node quantity of the business processing sub-node with the abnormal load is obtained.
[0037] Based on the physical resource node quantity of the load anomaly business processing sub-node, the corresponding number of isolated block sub-nodes and business processing sub-nodes are extended on the distributed coupled association mapping chain through the on-chain extension contract. The public-private key stored in the parameter node corresponding to the on-chain physical resource node in the prepared resource sub-pool is associated and mapped to the public key of the load anomaly business processing sub-node. On-chain verification is performed through smart contract combined with resource configuration adjustment model. When the verification is successful, the corresponding on-chain parameter node and physical resource node are associated and mapped to the corresponding isolated block sub-node and business processing sub-node.
[0038] Once the association mapping is complete, the new isolated block sub-nodes on the chain are interactively verified using the three-layer dynamic protection algorithm configured in the isolated block sub-nodes corresponding to the load anomaly business processing sub-nodes. If the verification is successful, the abnormal load is migrated to the new business processing sub-nodes that have passed the verification, and the corresponding result hash is synchronously migrated to the corresponding isolated block sub-nodes for the required business calculations.
[0039] If the parameter node corresponding to the current physical resource node fails the verification, the current physical resource node and its corresponding parameter node will be rejected from being put on the chain. The remaining parameter nodes and physical resource nodes in the reserve resource sub-pool will continue to be verified until the load migration requirements of the load anomaly business processing sub-node are met.
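The extension-contract path of [0031] to [0034] (predicted over-limit trigger, shortest-delay matching into the reserve sub-pool, public key mapping) and the migration loop of [0036] to [0039] (bring nodes on-chain until the expected migration load is covered, rejecting any that fail the three-layer verification) as one added Python example; this is not code from the patent. The predictive model, the three layers (health score, risk value, fingerprint match against an anchored hash), the thresholds and all node values are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def fingerprint_anchor(fingerprint: str) -> str:
    """Hash of a hardware fingerprint as recorded when the resource was on-chained."""
    return hashlib.sha256(fingerprint.encode()).hexdigest()


@dataclass
class ParameterNode:
    """One resource exchange pool entry; maps one-to-one to a physical server."""
    node_id: str
    fingerprint: str      # fingerprint the physical node presents now
    public_key: str
    max_load: float       # maximum load of the mapped physical resource node
    latency_ms: float     # delay to the predicted over-limit business sub-node
    health_score: float   # health status score from the evaluation algorithm, 0..1
    risk_value: float     # Bayesian business-operation risk after on-chaining, 0..1
    state: str = "idle"


@dataclass
class BusinessSubNode:
    node_id: str
    public_key: str
    load_limit: float              # load operation limit threshold
    recent_loads: List[float]      # real-time running load samples
    # reserve node id -> public key mapped by the extended association mapping
    extended_mapping: Dict[str, str] = field(default_factory=dict)


def over_limit_probability(node: BusinessSubNode) -> float:
    """Toy stand-in for the predictive analysis model (assumption): the share of
    recent samples above the limit is used as the predicted over-limit probability."""
    if not node.recent_loads:
        return 0.0
    return sum(1 for s in node.recent_loads if s > node.load_limit) / len(node.recent_loads)


def contract_triggered(node: BusinessSubNode, prob_threshold: float = 0.5) -> bool:
    """The on-chain extended contract fires when the predicted probability exceeds the threshold."""
    return over_limit_probability(node) > prob_threshold


def three_layer_verify(cand: ParameterNode, registry: Dict[str, str],
                       min_health: float = 0.7, max_risk: float = 0.2) -> Tuple[bool, str]:
    """Layer 1: health status score; layer 2: anomaly (risk) probability;
    layer 3: hardware status, checked as a fingerprint match against the anchored hash."""
    if cand.health_score < min_health:
        return False, "health"
    if cand.risk_value > max_risk:
        return False, "risk"
    if registry.get(cand.node_id) != fingerprint_anchor(cand.fingerprint):
        return False, "fingerprint"
    return True, "ok"


def migrate_load(business: BusinessSubNode, expected_load: float,
                 pool: List[ParameterNode], registry: Dict[str, str]):
    """Extend the chain for one load-anomalous business sub-node.

    Idle pool entries are tried in shortest-delay order; each must pass the three-layer
    verification before it is on-chained and its public key mapping is established.
    Nodes are added until their accumulated maximum load covers the expected migration
    load; a failed candidate is rejected and the next one is tried.
    Returns (accepted ids, rejected (id, reason) pairs)."""
    accepted, rejected, capacity = [], [], 0.0
    for cand in sorted((n for n in pool if n.state == "idle"), key=lambda n: n.latency_ms):
        if capacity >= expected_load:
            break
        ok, reason = three_layer_verify(cand, registry)
        if not ok:
            rejected.append((cand.node_id, reason))
            continue
        cand.state = "occupied"
        business.extended_mapping[cand.node_id] = business.public_key
        accepted.append(cand.node_id)
        capacity += cand.max_load
    if capacity < expected_load:
        raise RuntimeError("reserve sub-pool exhausted before the migration demand was met")
    return accepted, rejected


def sample_scenario():
    """Constructed sample: one over-limit business sub-node and four idle pool entries."""
    registry = {n: fingerprint_anchor(f"fp-{n}") for n in ("A", "B", "C", "D")}
    pool = [
        ParameterNode("A", "fp-A", "pk-A", 40.0, 2.0, 0.90, 0.10),
        ParameterNode("B", "fp-B", "pk-B", 30.0, 1.0, 0.50, 0.05),           # poor health
        ParameterNode("C", "fp-C-tampered", "pk-C", 50.0, 3.0, 0.95, 0.05),  # fingerprint mismatch
        ParameterNode("D", "fp-D", "pk-D", 60.0, 5.0, 0.85, 0.15),
    ]
    business = BusinessSubNode("biz-1", "pk-biz-1", 80.0, [90.0, 95.0, 70.0, 100.0])
    return business, pool, registry


if __name__ == "__main__":
    biz, pool, reg = sample_scenario()
    if contract_triggered(biz):
        print(migrate_load(biz, expected_load=80.0, pool=pool, registry=reg))
```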
[0040] Specifically, the steps for real-time anomaly repair and resource on / off chain adjustment of the distributed coupled association mapping chain also include:
[0041] When at least one node in the distributed coupled association mapping chain receives a cross-chain resource request, it directly rejects the corresponding request and adds it to the blacklist. When the business processing sub-node of the distributed coupled association mapping chain completes its business calculation, it directly removes the completed business processing sub-node from the chain. At the same time, it clears the business information stored in the business processing sub-node and the on-chain association mapping parameter information corresponding to the corresponding isolated block sub-node, and saves the calculation result in the corresponding isolated block sub-node.
[0042] If the corresponding cross-chain resource request still exists after the calculation is completed, then according to the cross-chain resource request, the physical resource node of the next chain and the parameter information stored in the corresponding parameter node are associated and mapped to the distributed coupled association mapping chain corresponding to the cross-chain resource request.
[0043] When the business operation risk value of at least one node in the distributed coupled association mapping chain exceeds the preset abnormal probability threshold, the on-chaining process for the abnormal physical resource node is repeated: a new physical resource node is obtained from the reserve resource sub-pool, and on-chain verification and the three-layer resource interaction verification are performed. When all verifications pass, the information of the corresponding abnormal isolation block sub-node and business processing sub-node is migrated to the newly on-chained isolation block sub-node and business processing sub-node, which continue the operation until it is completed. Once the operation is completed, the business processing sub-chain in the distributed coupled association mapping chain is directly disbanded and all business and configuration information is cleared. At the same time, the on-chain association mapping information corresponding to the business processing sub-nodes in the business processing sub-chain is cleared, and only the operation result is retained in the isolation block sub-chain.
[0044] The elastic bare metal server resource dedicated and security isolation guarantee system includes: a coupled service chain module, an isolation verification module, and a repair module;
[0045] The Coupled Service Chain module responds to user needs and configuration information based on smart contracts configured on the elastically coupled blockchain, and combines a preset resource configuration adjustment model with the PoS+QoS consensus algorithm to obtain a distributed coupled association mapping chain.
[0046] The distributed coupled association mapping chain is constructed by each block node on the elastically coupled blockchain, combining the corresponding configured resource requirements and the corresponding unique identity fingerprint.
[0047] The isolation verification module is used to deploy and start the distributed coupled association mapping chain. At the same time, it uses the preset three-layer dynamic protection algorithm and the required completion progress to detect and judge the internal and external operating status of the distributed coupled association mapping chain in real time and obtain the judgment result.
[0048] The repair module is used to feed back the judgment results to the resource configuration adjustment model and combine them with the preset security adjustment strategy library to perform real-time anomaly repair and resource uplink / downlink adjustment on the distributed coupled association mapping chain.
[0049] Compared with the prior art, the beneficial effects of the present invention are:
[0050] This invention addresses the shortcomings of existing technologies by leveraging smart contracts and PoS+QoS consensus in a flexible blockchain to achieve real-time correlation mapping between bare metal server hardware fingerprints, configuration parameters, and load status, overcoming the limitations of static resource configuration. A resource interaction verification network integrates a three-layer dynamic protection algorithm to complete end-to-end verification on-chain, including hardware fingerprint verification, VLAN binding, and storage hash synchronization, blocking side-channel attack paths. A predictive analysis model combined with extended correlation mapping based on the shortest latency principle compresses load overload response from minutes to milliseconds. Simultaneously, hardware fingerprint ZKP pre-verification ensures the physical trustworthiness of extended nodes, preventing infected nodes from being added to the chain. The three-layer protection algorithm is injected into the isolated block sub-node interface in real time, completing a comprehensive verification of health status scoring, anomaly probability, and hardware status during the resource on / off chain stages, forming a closed-loop protection of "prediction-verification-isolation." This solves the problems of resource rigidity, isolation failure, and extension latency in traditional solutions, achieving hardware-level exclusivity and real-time response for elastic bare metal servers.
Attached Figure Description
[0051] Figure 1 is a logic diagram of the method for ensuring exclusive and secure isolation of resources on a flexible bare metal server according to Embodiment 1 of the present invention.
[0052] Figure 2 is a flowchart of the method for ensuring exclusive access to and security isolation of resources on a flexible bare metal server according to Embodiment 1 of the present invention.
[0053] Figure 3 is a block diagram of the elastic bare metal server resource exclusivity and security isolation protection system according to Embodiment 2 of the present invention.
Detailed Implementation
[0054] Example 1:
[0055] Referring to Figure 1 and Figure 2, the present invention provides an embodiment of a method for ensuring dedicated and secure isolation of resources on an elastic bare metal server, comprising the following steps:
[0056] S1. A preset elastically coupled blockchain is used. Based on the smart contract configured on the elastically coupled blockchain, resources are configured in response to user needs, and, combined with the preset resource configuration adjustment model, PoS+QoS consensus algorithm and server group, a distributed coupled association mapping chain is obtained.
[0057] The distributed coupled association mapping chain is constructed by each blockchain node on the elastically coupled blockchain, combining the unique identity fingerprint and configuration parameters of the corresponding configuration requirements and configuration resources.
[0058] It should be further explained that the construction and training process of the resource allocation adjustment model in this embodiment includes:
[0059] Historical operating data of the server group is collected based on a distributed monitoring agent cluster. The historical operating data includes CPU utilization curves, memory usage waveforms, disk I / O throughput sequences, network bandwidth utilization time series, service response latency logs, and resource request rejection rate statistics. Data collection is completed through a data collection mechanism to obtain the raw dataset of the server group's historical operation.
[0060] Based on the original historical data set of the server group, the original historical data is cleaned and processed. The missing value imputation algorithm is used to repair the data breakpoints in the original historical data, and the outlier filtering mechanism is used to remove outlier data points in the original historical data, so as to obtain a regularized original historical data set of the server group.
[0061] Based on the regular historical operation dataset of server groups, a sliding time window mechanism is used to extract multi-dimensional features from the regular historical operation dataset of server groups. The extracted features include the mean resource utilization rate, the variance of resource load, the peak of resource demand, the frequency of resource conflict and the number of service level agreement breaches, and a multi-dimensional initial feature vector is obtained.
[0062] Based on the multi-dimensional initial feature vector, the influence weight of each feature dimension in the multi-dimensional initial feature vector on the resource adjustment decision is calculated by the feature importance evaluation algorithm. Then, the key feature subset is selected according to the influence weight by the recursive feature elimination method to obtain the optimized multi-dimensional feature vector.
[0063] Based on the regular historical operation dataset of the server group, the regular historical operation dataset of the server group is divided into training dataset, validation dataset and test dataset by time series segmentation method. The training dataset accounts for 70% of the total regular historical operation dataset of the server group, the validation dataset accounts for 15% of the total regular historical operation dataset of the server group, and the test dataset accounts for 15% of the total regular historical operation dataset of the server group, thus obtaining the divided training dataset, validation dataset and test dataset.
[0064] A resource allocation adjustment model is constructed based on a deep reinforcement learning framework. The main body of the resource allocation adjustment model adopts an Actor-Critic network architecture, in which the Actor network is responsible for generating resource adjustment strategies and the Critic network is responsible for evaluating the value of the resource adjustment strategies. The main body of the model is constructed through the network architecture building mechanism to obtain the initial resource allocation adjustment model.
[0065] Based on the partitioned training dataset and the optimized multi-dimensional feature vector, the initial resource allocation adjustment model is trained using the proximal policy optimization (PPO) algorithm. The optimized multi-dimensional feature vector is used as the input to the initial resource allocation adjustment model. Through model training iterations, the initial resource allocation adjustment model outputs operation instructions for resource expansion, resource contraction, resource migration, or maintaining the status quo, thus obtaining the resource allocation adjustment model under training.
[0066] Based on the resource allocation adjustment model in training, the merits of the resource adjustment strategy output by the resource allocation adjustment model in training are evaluated through a reward function design mechanism. The calculation factors of the reward function in the reward function design mechanism include the improvement of resource utilization rate, the degree of compliance with service level agreement, the resource adjustment cost coefficient and the system stability index, so as to obtain the reward function of resource adjustment strategy for model training evaluation.
[0067] Based on the resource allocation adjustment model in training and the resource adjustment strategy reward function used for model training evaluation, the training process of the resource allocation adjustment model in training is accelerated through a distributed parallel training framework. The gradient synchronization algorithm ensures the consistency of model parameters of each training node, and the adaptive learning rate adjustment strategy optimizes the training convergence speed of the resource allocation adjustment model in training, thereby obtaining the accelerated training resource allocation adjustment model.
[0068] Based on the accelerated training resource allocation adjustment model and the partitioned validation dataset, an early stopping mechanism is used to prevent the accelerated training resource allocation adjustment model from overfitting. When the reward value of the accelerated training resource allocation adjustment model on the validation dataset no longer increases for several consecutive training cycles, the model training process is automatically terminated, and a resource allocation adjustment model that has been initially trained is obtained.
[0069] Based on the pre-trained resource allocation adjustment model and the partitioned test dataset, the performance of the pre-trained resource allocation adjustment model is evaluated using the partitioned test dataset through a test evaluation mechanism. The evaluation indicators include policy accuracy, decision latency, percentage increase in resource utilization, and decrease in service level agreement default rate. Resource allocation adjustment models that meet the performance standards are selected.
[0070] Based on the performance-compliant resource allocation adjustment model, the performance-compliant resource allocation adjustment model is converted into a lightweight inference engine through model compression technology. The lightweight inference engine is then deployed to the smart contract execution environment of the elastically coupled blockchain through a deployment mechanism to obtain a resource allocation adjustment inference engine that can be deployed in smart contracts.
[0071] Based on a resource allocation adjustment inference engine that can be deployed on smart contracts, an online model optimization system is built through an online learning mechanism. The system operation data is collected through a real-time data acquisition module to continuously optimize the model parameters of the resource allocation adjustment inference engine. The historical decision records of the resource allocation adjustment inference engine are stored through an experience replay buffer. The model parameters are updated through a periodic incremental training process to obtain a resource allocation adjustment inference engine with online optimization capabilities.
[0072] Based on a resource configuration adjustment inference engine with online optimization capabilities, the effectiveness and security of the resource adjustment strategy output by the resource configuration adjustment inference engine are ensured through the PoS+QoS consensus algorithm. The resource configuration adjustment inference engine with online optimization capabilities is integrated into the smart contract of the elastically coupled blockchain through an integration mechanism, thereby obtaining a resource configuration adjustment model that can be integrated into the smart contract of the elastically coupled blockchain. This model can automatically generate the optimal resource adjustment strategy based on the real-time system status.
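The data-preparation steps of the training procedure above, [0059] to [0063] (breakpoint imputation, outlier filtering, sliding-window extraction of the five named features, chronological 70/15/15 split), as an added Python example; it is not the patent's code, and the Actor-Critic/PPO training of [0064] onward is not reproduced. The monitoring history, the SLA latency bound and the z-score outlier rule are constructed assumptions.

```python
import statistics
from typing import List, Optional

SLA_LATENCY_MS = 200.0   # assumed service-level latency bound (constructed value)
COLUMNS = ("cpu", "mem", "latency", "rejections")


def impute_missing(series: List[Optional[float]]) -> List[float]:
    """Repair data breakpoints: interior gaps are linearly interpolated between the
    nearest known neighbours, gaps at either edge copy the nearest known value."""
    vals = list(series)
    n, i = len(vals), 0
    while i < n:
        if vals[i] is not None:
            i += 1
            continue
        j = i
        while j < n and vals[j] is None:
            j += 1
        left = vals[i - 1] if i > 0 else None
        right = vals[j] if j < n else None
        if left is None and right is None:
            raise ValueError("series has no known values to impute from")
        for k in range(i, j):
            if left is None:
                vals[k] = right
            elif right is None:
                vals[k] = left
            else:
                vals[k] = left + (right - left) * (k - i + 1) / (j - i + 1)
        i = j
    return vals


def clean_dataset(rows: List[dict], z_limit: float = 3.0) -> List[dict]:
    """Regularise the raw history: impute every column, then drop rows whose CPU value
    is an outlier (|z-score| above z_limit). Only the CPU column is screened here."""
    filled = {c: impute_missing([r[c] for r in rows]) for c in COLUMNS}
    repaired = [dict(t=r["t"], **{c: filled[c][i] for c in COLUMNS}) for i, r in enumerate(rows)]
    mu = statistics.fmean(r["cpu"] for r in repaired)
    sd = statistics.pstdev(r["cpu"] for r in repaired)
    return [r for r in repaired if sd == 0 or abs(r["cpu"] - mu) / sd <= z_limit]


def window_features(rows: List[dict], window: int = 10, step: int = 5,
                    sla_ms: float = SLA_LATENCY_MS) -> List[dict]:
    """Sliding-window extraction of the five features named in [0061]: mean utilisation,
    load variance, demand peak, conflict frequency and SLA breach count."""
    feats = []
    for start in range(0, len(rows) - window + 1, step):
        w = rows[start:start + window]
        cpu = [r["cpu"] for r in w]
        feats.append({
            "t_start": w[0]["t"],
            "mean_util": statistics.fmean((r["cpu"] + r["mem"]) / 2 for r in w),
            "load_var": statistics.pvariance(cpu),
            "peak": max(cpu),
            "conflict_freq": sum(1 for r in w if r["rejections"] > 0) / window,
            "sla_breaches": sum(1 for r in w if r["latency"] > sla_ms),
        })
    return feats


def time_series_split(feats: List[dict], train: float = 0.7, val: float = 0.15):
    """Chronological 70/15/15 split: no shuffling, so validation and test windows
    always lie after the training windows."""
    n_train = round(len(feats) * train)
    n_val = round(len(feats) * val)
    return feats[:n_train], feats[n_train:n_train + n_val], feats[n_train + n_val:]


def build_sample_rows(n: int = 100) -> List[dict]:
    """Constructed monitoring history with a two-sample CPU gap and one bogus spike."""
    rows = [{"t": i, "cpu": 30 + (i % 10) * 5, "mem": 20 + (i % 5) * 10,
             "latency": 100 + (i % 7) * 30, "rejections": 1 if i % 13 == 0 else 0}
            for i in range(n)]
    rows[10]["cpu"] = None   # agent dropout
    rows[11]["cpu"] = None
    rows[50]["cpu"] = 990    # impossible reading
    return rows


if __name__ == "__main__":
    train, val, test = time_series_split(window_features(clean_dataset(build_sample_rows())))
    print(len(train), len(val), len(test), train[0])
```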
[0073] S2. Deploy and start the distributed coupled-associated mapping chain. At the same time, through the preset three-layer dynamic protection algorithm and the required completion progress, the internal and external operating status of the distributed coupled-associated mapping chain is detected and judged in real time. The judgment results are fed back to the resource configuration adjustment model and combined with the preset security adjustment strategy library to perform real-time anomaly repair and resource on / off chain adjustment of the distributed coupled-associated mapping chain.
[0074] It should be further explained that the construction process of the security adjustment policy library in this embodiment includes:
[0075] Based on historical security event data from the distributed coupled association mapping chain and historical anomaly discrimination results from the three-layer dynamic protection algorithm, security event records, anomaly repair action records, on-chain / off-chain resource adjustment records, and requirement completion progress deviation data are collected through a multi-source data acquisition interface to form an initial security adjustment strategy dataset.
[0076] It should be further noted that the security event records include network layer intrusion events, node layer abnormal behavior, and data layer leakage events.
[0077] Based on the initial security adjustment strategy dataset, data preprocessing algorithms are used to clean and organize the data. This includes removing redundant records using a duplicate data removal algorithm, classifying event types using an anomaly event classification algorithm, and converting indicators such as repair time and business impact into a unified dimension using a data standardization algorithm, thus obtaining a well-organized security strategy training dataset.
[0078] It should be further explained that the abnormal event classification algorithm divides the event types into "network layer abnormality, node layer abnormality, data layer abnormality, resource load abnormality, and demand schedule deviation".
[0079] Based on a well-structured security policy training dataset and domain expert knowledge, the core elements of the security adjustment policy are determined through a policy framework definition algorithm, including policy triggering conditions, policy execution actions, and policy execution priority rules, thereby obtaining an initial security adjustment policy framework.
[0080] It should be further explained that domain expert knowledge includes security risk level classification standards and business priority rules; policy triggering conditions include the anomaly probability threshold output by the three-layer dynamic protection algorithm and the requirement completion progress deviation threshold; policy execution actions include network connection blocking, node isolation, data encryption and repair, on-chain resource expansion, and off-chain removal of redundant resources; and policy execution priority rules include, for example, data leakage events having higher priority than minor load anomalies.
[0081] Based on the initial security adjustment strategy framework and the standardized security strategy training dataset, the association relationship between anomaly types and adjustment actions is mined through association rule mining algorithm, and the quantitative judgment rules of triggering conditions are generated through decision tree algorithm to obtain the initial security adjustment rule set.
[0082] It should be further explained that the association rule mining algorithm adopts the Apriori algorithm. Examples of the association between anomaly types and adjustment actions: when the network layer detects an anomaly through deep packet inspection, flow table blocking operations and temporary isolation of the abnormal node are executed; when the node trust value is lower than a set threshold, node offline operations and resource migration are executed. Examples of trigger condition determination: if the anomaly probability output by the three-layer dynamic protection algorithm exceeds the preset anomaly probability value, an emergency repair strategy is triggered; if the deviation of the requirement completion progress exceeds the preset deviation range and the resource load rate exceeds the high load limit, an emergency on-chain resource strategy is triggered.
[0083] Based on the business impact assessment indicators of the initial security adjustment rule set and the distributed coupled association mapping chain, the weight of each assessment indicator is determined by the analytic hierarchy process, and the priority score of each security adjustment rule is calculated by the weighted scoring algorithm. The rules are sorted from high to low to obtain an ordered security adjustment strategy set.
[0084] It should be further explained that the business impact assessment indicators include security risk level, business interruption loss, repair resource cost, and user satisfaction.
[0085] Based on the output instructions of the ordered security adjustment strategy set and the resource configuration adjustment model, the association between the security adjustment strategy execution action and the resource configuration adjustment instruction is established through the strategy-model mapping algorithm, the resource adjustment parameters that need to be called when the strategy is executed are clarified, and the security adjustment strategy set of associated resource configuration is obtained.
[0086] It should be further explained that the output instructions of the resource configuration adjustment model include resource expansion instructions, resource contraction instructions, and resource migration instructions; that the association between security adjustment strategy execution actions and resource configuration adjustment instructions includes, for example, the node-level anomaly repair strategy being associated with resource migration instructions and the resource load anomaly strategy being associated with resource expansion / contraction instructions; and that the resource adjustment parameters called when a strategy is executed include, for example, the number of resources to expand and the range of migration nodes.
[0087] Based on the security adjustment strategy set with associated resource configuration and the real-time running data of the distributed coupled association mapping chain, new data is continuously incorporated through an incremental learning algorithm to update the strategy rules, and invalid strategies are filtered out through a strategy effectiveness evaluation algorithm to obtain a dynamically updated security adjustment strategy set.
[0088] It should be further explained that the real-time operation data of the distributed coupled association mapping chain includes newly generated security events, real-time discrimination results of the three-layer dynamic protection algorithm, and real-time data on the progress of requirement completion; an example of updating policy rules through incremental learning algorithm is to generate new blocking policies for new network intrusion patterns; the policy effectiveness evaluation algorithm evaluates the policy by calculating the success rate of anomaly repair, service recovery time, and changes in resource utilization after policy execution; an invalid policy refers to a policy whose effectiveness is lower than the preset effective threshold.
[0089] Based on a dynamically updated set of security adjustment strategies and historical abnormal scenario simulation data, a strategy verification algorithm is used to conduct simulation tests, calculate the strategy verification pass rate, correct the parameters of strategies that fail verification, and obtain a set of verified security adjustment strategies.
[0090] It should be further noted that the historical anomaly scenario simulation data includes historical anomaly events, such as network DDoS attacks and node key leaks; the simulation test of the policy verification algorithm verifies the accuracy of policy triggering, the rationality of execution actions, and the linkage and coordination with the resource configuration adjustment model by replaying historical anomaly events; the policy verification pass rate is required to be ≥95%; policies that fail verification will undergo parameter correction, including adjusting the trigger threshold and optimizing the execution actions.
[0091] Based on the verified set of security adjustment strategies and the business scenario characteristics of the distributed coupled associated mapping chain, the strategy parameters are adjusted through the strategy adaptation algorithm to adapt to different scenario requirements. The adapted strategies are stored in the database that can be called by the on-chain contract through the strategy deployment algorithm. A strategy retrieval index is established to obtain a security adjustment strategy library that can be linked with the three-layer dynamic protection algorithm and the resource configuration adjustment model.
[0092] It should be further explained that the business scenario characteristics of the distributed coupled association mapping chain include financial transaction scenarios and general data processing scenarios; the strategy adaptation algorithm adjusts the strategy parameters, such as reducing the trigger threshold of the data layer security strategy in the financial transaction scenario to a%, and increasing the priority to b%; the strategy retrieval index is established according to the anomaly type and triggering conditions.
[0093] Based on the interconnected security adjustment strategy library, an interaction interface is established between the strategy call adaptation algorithm and the judgment results of the three-layer dynamic protection algorithm and the resource configuration adjustment model. This ensures that the judgment results output by the three-layer dynamic protection algorithm can be matched against the trigger conditions in the security adjustment strategy library in real time, and that the resource configuration adjustment model can directly call the associated adjustment actions in the library. The result is a security adjustment strategy library that supports real-time anomaly repair and on-chain / off-chain resource adjustment of the distributed coupled association mapping chain.
[0094] It should be further explained that the establishment of the interaction interface needs to realize bidirectional data transmission and command invocation between the three-layer dynamic protection algorithm and the security adjustment strategy library, and between the resource configuration adjustment model and the security adjustment strategy library, to ensure the real-time nature of the linkage response.
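The following Python script is an added example, not code from the patent or from NEWLIXON TECH: it implements the trigger conditions and execution actions of [0080] and [0082], the AHP-weighted priority scoring over the four business impact indicators of [0084], the mapping of each strategy to a resource configuration instruction and its parameters of [0086], and the replay verification with the 95% pass-rate requirement of [0090]. The rule names, thresholds, impact scores, the expert pairwise comparison matrix and the replayed events are all constructed assumptions; the weight vector is the principal eigenvector of the pairwise matrix, obtained here by power iteration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Business impact assessment indicators named in [0084]
INDICATORS = ("security_risk", "interruption_loss", "repair_cost", "user_satisfaction")
Judgement = Dict[str, float]  # one discrimination result of the three-layer protection algorithm


@dataclass
class Rule:
    name: str
    anomaly_type: str                     # class from the anomaly event classification step
    trigger: Callable[[Judgement], bool]  # quantitative trigger condition
    actions: List[str]                    # policy execution actions
    resource_instruction: str             # mapped resource configuration instruction
    params: Dict[str, int]                # resource adjustment parameters called on execution
    impact: Dict[str, float]              # indicator -> normalised score in [0, 1]
    priority: float = 0.0


def ahp_weights(pairwise: List[List[float]], iters: int = 200) -> List[float]:
    """Indicator weights = principal eigenvector of the pairwise matrix (power iteration)."""
    n = len(pairwise)
    w = [1.0 / n] * n
    for _ in range(iters):
        v = [sum(pairwise[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    return w


def consistency_ratio(pairwise: List[List[float]], w: List[float]) -> float:
    """Saaty consistency ratio; above 0.1 the expert comparisons should be revised."""
    n = len(pairwise)
    aw = [sum(pairwise[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    random_index = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}[n]
    return 0.0 if random_index == 0 else ((lam - n) / (n - 1)) / random_index


# Constructed expert pairwise matrix (assumption): security risk > interruption loss
# > repair cost > user satisfaction, each twice as important as the next.
PAIRWISE = [[1, 2, 4, 8], [0.5, 1, 2, 4], [0.25, 0.5, 1, 2], [0.125, 0.25, 0.5, 1]]


def _impact(*scores: float) -> Dict[str, float]:
    return dict(zip(INDICATORS, scores))


def build_library(pairwise: List[List[float]] = PAIRWISE) -> List[Rule]:
    """Weighted scoring of each rule and ordering from high to low priority ([0083])."""
    weights = dict(zip(INDICATORS, ahp_weights(pairwise)))
    rules = [
        Rule("data_leak_emergency", "data_layer", lambda j: j["data_leak_detected"] > 0,
             ["network_connection_blocking", "data_encryption_and_repair"], "none", {},
             _impact(1.0, 0.9, 0.6, 0.8)),
        Rule("node_trust_offline", "node_layer", lambda j: j["node_trust"] < 0.4,
             ["node_isolation", "node_offline"], "migration", {"migration_node_range": 3},
             _impact(0.8, 0.6, 0.5, 0.5)),
        Rule("network_emergency_repair", "network_layer", lambda j: j["anomaly_probability"] > 0.85,
             ["flow_table_blocking", "temporary_node_isolation"], "none", {},
             _impact(0.7, 0.5, 0.3, 0.4)),
        Rule("emergency_resource_expansion", "resource_load",
             lambda j: j["progress_deviation"] > 0.2 and j["load_rate"] > 0.9,
             ["resource_expansion_on_chain"], "expansion", {"expansion_count": 2},
             _impact(0.3, 0.7, 0.4, 0.6)),
        Rule("redundant_resource_removal", "resource_load",
             lambda j: j["load_rate"] < 0.2 and j["progress_deviation"] <= 0.0,
             ["redundant_resource_removal_off_chain"], "contraction", {"contraction_count": 1},
             _impact(0.1, 0.2, 0.3, 0.2)),
    ]
    for rule in rules:
        rule.priority = sum(weights[k] * rule.impact[k] for k in INDICATORS)
    return sorted(rules, key=lambda r: r.priority, reverse=True)


def match(library: List[Rule], judgement: Judgement) -> List[Rule]:
    """Rules whose trigger condition the judgement satisfies, already in priority order."""
    return [r for r in library if r.trigger(judgement)]


def replay_verify(library: List[Rule], events: List[Tuple[Judgement, List[str]]],
                  required: float = 0.95) -> Tuple[float, bool]:
    """Replay historical anomaly events; the pass rate must reach the preset 95% ([0090])."""
    passed = sum(1 for j, expected in events if [r.name for r in match(library, j)] == expected)
    rate = passed / len(events)
    return rate, rate >= required


# Constructed replay events (assumption): a quiet baseline judgement plus overrides
QUIET: Judgement = {"data_leak_detected": 0, "node_trust": 0.9, "anomaly_probability": 0.05,
                    "progress_deviation": 0.0, "load_rate": 0.5}


def _event(expected: List[str], **overrides: float) -> Tuple[Judgement, List[str]]:
    return {**QUIET, **overrides}, expected


REPLAY_EVENTS = [
    _event(["data_leak_emergency"], data_leak_detected=1),
    _event(["node_trust_offline", "network_emergency_repair"], node_trust=0.3, anomaly_probability=0.92),
    _event(["emergency_resource_expansion"], progress_deviation=0.3, load_rate=0.95),
    _event(["redundant_resource_removal"], load_rate=0.1),
    _event([]),
]

if __name__ == "__main__":
    lib = build_library()
    for r in lib:
        print(f"{r.priority:.3f} {r.name} -> {r.resource_instruction} {r.params}")
    print("replay pass rate, verified:", replay_verify(lib, REPLAY_EVENTS))
```

For a perfectly consistent pairwise matrix the consistency ratio is 0; with real expert input, check that it stays below 0.1 before trusting the ordering. Because `match` returns rules already sorted by the weighted score, a data leakage event precedes a load anomaly exactly as the priority rule in [0080] requires, and the resource instruction and parameters attached to each triggered rule are what the resource configuration adjustment model receives.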
[0095] Furthermore, one implementation process of the three-layer dynamic protection algorithm in this embodiment includes:
[0096] Based on the network layer security protection requirements of the distributed coupled-associated mapping chain, a network layer protection system is deployed through software-defined networking technology. Then, the SDN controller obtains the network flow table information of all nodes in the distributed coupled-associated mapping chain in real time to obtain the network flow table dataset of the distributed coupled-associated mapping chain nodes. It should be further noted that the network flow table information in this embodiment is the core basis for the switch to decide the data forwarding behavior under the SDN architecture, and it is also the key data for the SDN controller to grasp the network operation status of each node in the distributed coupled-associated mapping chain in real time. It mainly includes data traffic matching rules, such as source IP address, destination IP address, transport layer protocol type, source port number, destination port number, etc., as well as the corresponding processing actions, such as forwarding traffic to a specified port, discarding abnormal traffic, and guiding traffic to the monitoring module for further inspection. It may also cover the effective priority, lifespan, and traffic statistics (including but not limited to the number of data packets and bytes that flow through) of flow table entries. By collecting this network flow table information from all nodes in the distributed coupled and associated mapping chain through the SDN controller, it can be integrated to form a complete dataset reflecting the network communication status of each node, providing basic data support for subsequent identification of network anomalies, judgment of security threats, and execution of flow table blocking or isolation of abnormal nodes.
[0097] Based on the distributed coupled association mapping chain node network flow table dataset, the network data packet characteristics are analyzed by deep packet inspection algorithm, and then abnormal access patterns are identified by feature matching algorithm to obtain the network abnormal access pattern identification results.
[0098] Based on the normal network operation data of the distributed coupled association mapping chain, a baseline of normal network behavior is established through a hidden Markov model, and then the abnormal probability of real-time network sessions is calculated through the state transition probability calculation method to obtain the abnormal probability value of real-time network sessions.
[0099] Based on the network abnormal access pattern recognition results and the real-time network session abnormal probability value, an access control foundation is built by deploying distributed firewall rules, and then an access control policy is automatically generated by a smart contract. Subsequently, the access control policy is distributed to each node through a flow table distribution mechanism to block abnormal network connections in real time and obtain abnormal network connection blocking results.
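The network-layer steps in [0096] to [0099] can be exercised end to end with the following added example (Python, not the patent's code). It learns a first-order transition baseline from normal session state sequences (the observable-state simplification of the hidden Markov model in [0098]), scores live sessions by the geometric mean of their transition probabilities under that baseline, matches reassembled payloads against a small DPI signature list, and emits OpenFlow-style drop entries (an empty action list) for each session judged abnormal, which is what the flow table distribution mechanism of [0099] would push to the nodes. The state alphabet, the sessions, the signatures and the 0.85 threshold are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import exp, log
from typing import Dict, List, Tuple

# Constructed state alphabet: protocol events of a TCP session as the controller sees them
STATES = ("SYN", "SYN_ACK", "ACK", "DATA", "FIN", "RST")
Transition = Tuple[str, str]


@dataclass
class Session:
    ipv4_src: str
    ipv4_dst: str
    tcp_dst: int
    states: List[str]      # observed event sequence of the session
    payload: bytes = b""   # reassembled payload handed to deep packet inspection


# Constructed DPI signatures (assumption): byte pattern -> label
SIGNATURES = {b"' OR '1'='1": "sqli_tautology", b"\x90" * 8: "nop_sled"}


def dpi_match(session: Session) -> List[str]:
    """Feature matching of [0097]: labels of all signatures found in the payload."""
    return [label for pattern, label in SIGNATURES.items() if pattern in session.payload]


def build_baseline(normal: List[Session], alpha: float = 0.1) -> Dict[Transition, float]:
    """Normal-behaviour baseline: P(next | current) with additive smoothing so that a
    transition never seen in normal traffic keeps a small but non-zero probability."""
    counts: Dict[Transition, float] = defaultdict(float)
    for s in normal:
        for a, b in zip(s.states, s.states[1:]):
            counts[(a, b)] += 1
    baseline: Dict[Transition, float] = {}
    for a in STATES:
        total = sum(counts[(a, b)] for b in STATES) + alpha * len(STATES)
        for b in STATES:
            baseline[(a, b)] = (counts[(a, b)] + alpha) / total
    return baseline


def anomaly_probability(baseline: Dict[Transition, float], session: Session) -> float:
    """1 minus the geometric mean transition probability of the session under the baseline
    (this mapping to [0, 1] is the example's own choice)."""
    pairs = list(zip(session.states, session.states[1:]))
    if not pairs:
        return 0.0
    mean_log = sum(log(baseline.get(p, 1e-6)) for p in pairs) / len(pairs)
    return 1.0 - exp(mean_log)


def blocking_entries(baseline: Dict[Transition, float], sessions: List[Session],
                     threshold: float = 0.85, priority: int = 200, idle_timeout: int = 300) -> List[dict]:
    """Access control policy of [0099]: an OpenFlow-style drop entry (no actions) per abnormal session."""
    entries = []
    for s in sessions:
        reasons = dpi_match(s)
        p = anomaly_probability(baseline, s)
        if p > threshold:
            reasons.append(f"session_anomaly_probability={p:.2f}")
        if reasons:
            entries.append({
                "priority": priority, "idle_timeout": idle_timeout,
                "match": {"eth_type": 0x0800, "ip_proto": 6, "ipv4_src": s.ipv4_src,
                          "ipv4_dst": s.ipv4_dst, "tcp_dst": s.tcp_dst},
                "actions": [],          # empty action list = drop
                "reasons": reasons,
            })
    return entries


# Constructed traffic (assumption): three normal sessions to learn from, then three live sessions
HANDSHAKE = ["SYN", "SYN_ACK", "ACK", "DATA", "FIN", "ACK"]
NORMAL_SESSIONS = [
    Session("10.0.0.2", "10.0.0.10", 443, ["SYN", "SYN_ACK", "ACK", "DATA", "DATA", "FIN", "ACK"]),
    Session("10.0.0.3", "10.0.0.10", 443, HANDSHAKE),
    Session("10.0.0.4", "10.0.0.10", 80, ["SYN", "SYN_ACK", "ACK", "DATA", "DATA", "DATA", "FIN", "ACK"]),
]
LIVE_SESSIONS = [
    Session("10.0.0.5", "10.0.0.10", 443, HANDSHAKE, b"GET /health HTTP/1.1"),
    Session("10.0.0.9", "10.0.0.10", 443, ["SYN"] * 5),                      # SYN flood pattern
    Session("10.0.0.7", "10.0.0.10", 80, HANDSHAKE, b"id=1' OR '1'='1 --"),  # injection payload
]

if __name__ == "__main__":
    base = build_baseline(NORMAL_SESSIONS)
    for s in LIVE_SESSIONS:
        print(s.ipv4_src, round(anomaly_probability(base, s), 3), dpi_match(s))
    for e in blocking_entries(base, LIVE_SESSIONS):
        print("drop", e["match"], e["reasons"])
```

The SYN-only session scores above the threshold because the SYN-to-SYN transition never occurs in the baseline, while the injection session has a perfectly normal transition profile and is caught only by the DPI signature; both end up as drop entries, which is why [0099] combines the two detection results before generating the policy. The `idle_timeout` keeps a block from living forever after the offending session is gone.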
[0100] Based on the communication data between nodes of the distributed coupled association mapping chain, the communication status within the chain is monitored in real time through network traffic visualization technology, and the network structure graph is dynamically updated through topology discovery algorithm to obtain the real-time monitoring results of the communication status within the chain and the dynamic network structure graph.
[0101] Based on the node-level security authentication requirements of the distributed coupled association mapping chain, a node identity authentication system is built through public key infrastructure, and then the authenticity of the node identity is verified through a digital certificate verification mechanism to obtain the node identity authenticity verification result.
[0102] Based on the node identity authenticity verification result, node access control is strengthened through a multi-factor authentication protocol, and dynamic verification credentials are generated through a time-synchronized one-time password algorithm to obtain node access dynamic verification credentials.
[0103] Based on the node operation data of the distributed coupled association mapping chain, a node credibility assessment foundation is built by deploying a trust assessment model, then node operation indicators are collected through behavior monitoring algorithms, and finally the node trust value is calculated by combining Bayesian inference algorithms to obtain the node credibility assessment result.
[0104] Based on the node trustworthiness assessment results, a node isolation mechanism is implemented to build the foundation for handling abnormal nodes. When abnormal node behavior is detected, the node isolation process is triggered through a consensus algorithm to obtain the abnormal node isolation result.
[0105] Based on the security requirements of node keys in the distributed coupled association mapping chain, the node keys are stored and protected by a hardware security module, and the integrity of the node startup program is verified by a secure boot mechanism to ensure the trustworthiness of the node operating environment, thereby obtaining the node key security protection result and the node trustworthy operating environment.
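Added example for the node layer of [0101] to [0104] (Python, not the patent's code): an RFC 6238 time-synchronized one-time password serving as the dynamic verification credential, a Beta-Bernoulli trust value updated from behavior observations as a simple form of the Bayesian trust assessment, and a two-thirds quorum vote of monitoring nodes standing in for the consensus step that triggers node isolation. The secret is the RFC 6238 test secret; the observations, the 0.4 trust threshold and the quorum rule are assumptions.

```python
import hashlib
import hmac
import struct
from typing import List


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the time-synchronized one-time password of [0102]."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` neighbours (clock skew); constant-time compare."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
               for k in range(-window, window + 1))


class NodeTrust:
    """Bayesian trust of [0103]: Beta(a, b) posterior over the node's compliance rate;
    each monitored behaviour is a Bernoulli observation, weighted by its severity."""

    def __init__(self, a: float = 1.0, b: float = 1.0) -> None:
        self.a, self.b = a, b                                  # Beta(1, 1): uninformative prior

    def observe(self, compliant: bool, weight: float = 1.0) -> "NodeTrust":
        if compliant:
            self.a += weight
        else:
            self.b += weight
        return self

    @property
    def value(self) -> float:
        return self.a / (self.a + self.b)                      # posterior mean


def trust_after(observations: List[bool]) -> float:
    trust = NodeTrust()
    for compliant in observations:
        trust.observe(compliant)
    return trust.value


def isolation_decision(trust_votes: List[float], threshold: float = 0.4) -> bool:
    """Consensus step of [0104] simplified to a 2/3 quorum: isolate the node when at least
    two thirds of the monitoring nodes report a trust value below the threshold."""
    below = sum(1 for v in trust_votes if v < threshold)
    return 3 * below >= 2 * len(trust_votes)


# Constructed inputs (assumption): RFC 6238 test secret and ten behaviour observations
RFC_SECRET = b"12345678901234567890"
OBSERVATIONS = [True] * 8 + [False] * 2

if __name__ == "__main__":
    print("TOTP at T=59:", totp(RFC_SECRET, 59))              # RFC 6238 vector 94287082 -> 287082
    value = trust_after(OBSERVATIONS)
    print("trust:", round(value, 3), "isolate:", isolation_decision([value, 0.3, 0.2]))
```

The TOTP window of one step is the usual trade-off between tolerating drift in the time synchronization of [0102] and widening the guessing space; keep the node clocks disciplined rather than widening the window. The Beta posterior starts at 0.5 with no history, so a freshly joined node needs a run of compliant observations before it clears a 0.4 threshold with margin, and one severe violation can be given a larger weight to pull the value down faster.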
[0106] Based on the data layer encryption protection requirements of the distributed coupled association mapping chain, the data encryption foundation is built on the national cryptographic algorithm system (the SM series of Chinese commercial cryptographic algorithms). Business data is then encrypted with a symmetric encryption algorithm, and the encryption key is distributed through an asymmetric encryption algorithm to obtain the encrypted business data and the key secure distribution result.
[0107] Based on encrypted business data, a data integrity assurance foundation is built by deploying a data integrity verification mechanism. Then, a data digest is generated using a secure hash algorithm, and digital signature technology is used to verify the consistency of the data digest to confirm data integrity and obtain the data integrity verification result.
[0108] Based on sensitive data in the distributed coupled association mapping chain, a data leakage prevention system is deployed to build a foundation for sensitive data protection. Then, a content recognition algorithm is used to detect sensitive data, and data desensitization technology is used to process privacy information to obtain the sensitive data detection results and the desensitized privacy information.
[0109] Based on the data access behavior of the distributed coupled association mapping chain, the data access log is recorded by blockchain technology, and the immutability of blockchain is used to ensure the credibility of the audit record, so as to obtain a credible data audit trace record.
[0110] Based on the data availability requirements of the distributed coupled association mapping chain, a data security foundation is built by deploying a data backup and recovery mechanism, and then the data is redundantly processed by a redundancy coding algorithm to ensure data availability, thereby obtaining data backup results and data recovery security capabilities.
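The tamper-evident data access log of [0109], carrying the per-record data digest of [0107], as an added Python example (not the patent's code): each record stores the SHA-256 digest of the accessed payload and the hash of the previous record, so editing a stored record, even with its own hash recomputed, breaks the chain at the following record. Actors, actions and timestamps are constructed.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class AuditRecord:
    index: int
    timestamp: int
    actor: str
    action: str
    resource: str
    payload_digest: str   # digest of the accessed data, the integrity digest of [0107]
    prev_hash: str        # hash of the preceding record; links the chain
    record_hash: str      # hash over every other field of this record


def compute_hash(rec: AuditRecord) -> str:
    """Canonical JSON of all fields except record_hash, then SHA-256."""
    body = asdict(rec)
    body.pop("record_hash")
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


class AuditChain:
    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def append(self, timestamp: int, actor: str, action: str, resource: str, payload: bytes) -> AuditRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS_HASH
        rec = AuditRecord(len(self.records), timestamp, actor, action, resource,
                          sha256_hex(payload), prev, "")
        rec = replace(rec, record_hash=compute_hash(rec))
        self.records.append(rec)
        return rec

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if intact, else (False, index of the first record that fails)."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if rec.index != i or rec.prev_hash != prev or rec.record_hash != compute_hash(rec):
                return False, i
            prev = rec.record_hash
        return True, None


def tamper(chain: AuditChain, index: int, **fields) -> None:
    """Edit a stored record without touching its hash (attacker with plain DB write access)."""
    chain.records[index] = replace(chain.records[index], **fields)


def forge(chain: AuditChain, index: int, **fields) -> None:
    """Edit a record and recompute its own hash; the next record's prev_hash still exposes it."""
    edited = replace(chain.records[index], **fields)
    chain.records[index] = replace(edited, record_hash=compute_hash(edited))


def build_demo_chain() -> AuditChain:
    """Constructed data access events (assumption)."""
    chain = AuditChain()
    chain.append(1_700_000_000, "svc-billing", "read", "ledger/2024-q1", b"balance=1200")
    chain.append(1_700_000_030, "ops-alice", "export", "ledger/2024-q1", b"balance=1200")
    chain.append(1_700_000_090, "svc-billing", "update", "ledger/2024-q1", b"balance=1150")
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:", chain.verify())
    tamper(chain, 1, action="read")
    print("after silent edit:", chain.verify())
    chain = build_demo_chain()
    forge(chain, 1, actor="ops-bob")
    print("after edit with recomputed hash:", chain.verify())
```

On its own the chain only proves that the copy of the log you hold is internally consistent; the immutability claim of [0109] additionally requires that the latest record hash is replicated to the other chain nodes or committed on-chain, otherwise an attacker who can rewrite the whole local log from the genesis record onwards leaves nothing for `verify` to catch.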
[0111] Based on the three-layer protection linkage requirement of the distributed coupled association mapping chain, the security event data of the network layer, node layer and data layer are integrated through a security information and event management (SIEM) system, and a correlation analysis algorithm is then used to mine the correlations between security events of each layer to obtain the integrated security event association dataset.
[0112] Based on the integrated security event association dataset, the foundation for automated security incident handling is built through security orchestration, automation and response (SOAR) technology. Security incidents are then handled automatically through predefined security handling scripts to obtain the automated security incident handling results.
[0113] Based on the results of automated security incident handling, a security management foundation is built by deploying a unified security management platform. The security situation is then displayed through a visual interface. At the same time, machine learning algorithms are used to analyze historical security data to predict security risks, resulting in visualized security situation results and predicted security risks.
[0114] Based on the security risk prediction results, a security adjustment strategy library is established to store protection rules. Then, the rule engine dynamically adjusts the protection strategy according to the real-time security situation. At the same time, the protection rules are updated in combination with threat intelligence to obtain a dynamically adjusted security protection strategy.
[0115] Based on the dynamically adjusted security protection strategy, real-time security data is collected through the implementation of a continuous security monitoring mechanism, and security events are notified to the management end through a real-time alarm mechanism. At the same time, an emergency response process is adopted to handle security threats, and real-time alarm results and security threat handling results are obtained.
[0116] Based on the results of abnormal network connection blocking, abnormal node isolation, data integrity verification, automatic security incident handling, and security threat handling, the protection coverage and linkage effect are confirmed through the protection system effectiveness verification mechanism. This results in a comprehensive dynamic protection system covering the network layer, node layer, and data layer. This system can detect and block various security threats in real time, providing dynamic and proactive security protection capabilities for the distributed coupled and associated mapping chain.
[0117] Furthermore, in this embodiment, the distributed coupled association mapping chain is deployed and implemented based on the corresponding functions and configuration information of the Suanniao Cloud Platform.
[0118] Furthermore, the distributed coupled association mapping chain in this embodiment is configured with a resource exchange pool; the resource exchange pool is configured with a resource interaction verification network;
[0119] The resource exchange pool is used to store the configuration, performance, identity fingerprint, historical configuration, running status and functions of the server group. The resource interaction verification network performs real-time on-chain / off-chain resource verification interaction through the configured parameter-resource one-to-one association mapping and the distributed coupled association mapping chain.
[0120] Furthermore, the construction steps of the resource interaction verification network in this embodiment include:
[0121] The system monitors and acquires the configuration, performance, identity fingerprint, historical configuration, running status and functions, and current idle running status data of all server groups at the current moment, and constructs a comprehensive status sequence set of real-time idle elastic bare metal servers.
[0122] Furthermore, in this embodiment, the aforementioned monitoring data is collected from three aspects: the hardware layer, the business layer, and the spatial layer.
[0123] Specifically, the data collected at the hardware layer includes, but is not limited to: server configuration, TPM fingerprint, CPU utilization collected by BMC, hard disk SMART, and IPMI sensor temperature.
[0124] The data collected at the business layer includes, but is not limited to: historical configuration records and current idle status;
[0125] The data collected at the spatial layer includes, but is not limited to: geographical location, obtained by acquiring the latitude and longitude of the out-of-band management IP via IPMI sensors, and rack location by reading rack tags via SNMP;
[0126] Based on the performance, historical configuration operation status, and current idle operation status data in the comprehensive state sequence set, an evaluation algorithm is used to obtain the health status score corresponding to each idle elastic bare metal server. Combined with the Bayesian probability model built into the evaluation algorithm, the business operation risk value after the corresponding configuration resources are put on the blockchain is obtained.
[0127] It should be further explained that the construction process of the Bayesian probability model built into the evaluation algorithm in this embodiment includes:
[0128] Based on historical business operation data, server performance monitoring indicators, resource configuration parameter records, business load fluctuation data and fault event logs are obtained through data acquisition interfaces to obtain the initial training dataset.
[0129] Based on the initial training dataset, the initial training dataset is cleaned and transformed through a data preprocessing process, which includes handling data null values through a missing value imputation algorithm, removing erroneous records through an outlier detection algorithm, and converting various indicators into a unified dimension through a data standardization method to obtain the preprocessed training dataset.
[0130] Based on the preprocessed training dataset, key feature vectors are extracted using feature engineering methods, including trend and periodic features of performance indicators, feature of historical configuration status change patterns, feature of duration of idle running status and resource idle rate, to obtain a set of key feature vectors.
[0131] Based on key feature vector sets and domain expert knowledge, the node variables and their dependencies of the Bayesian network are determined through network structure definition methods. The parent nodes include performance index nodes, historical configuration nodes, and idle state nodes, and the child nodes are business operation risk level nodes, thus obtaining the initial Bayesian network structure.
[0132] Based on the initial Bayesian network structure and the preprocessed training dataset, model parameters are learned using the Expectation-Maximization (EM) algorithm: the E-step calculates the posterior probabilities of the latent variables, the M-step updates the estimated model parameters, and the two steps are iterated to compute the conditional probability distribution table of each node in the network, thus obtaining a parameterized Bayesian network model. It should be further noted that in this embodiment the core of the E-step (expectation step) is to calculate, from the current model parameter estimates and the preprocessed training data, the posterior probability distribution of all latent variables (i.e., variables not directly observed) given the observed data, thereby quantifying the possible states of the latent variables and their probabilities. The M-step (maximization step) then constructs an objective function over the model parameters from the posterior probabilities obtained in the E-step; this objective function is the expectation of the complete-data log-likelihood, i.e., the Q-function. The model parameters are updated by maximizing this objective function so that they better match the current data distribution. The two steps are performed iteratively, gradually optimizing the model parameters until convergence.
[0133] Based on the parameterized Bayesian network model and the missing values in the preprocessed training dataset, the missing values are processed by the Gibbs sampling algorithm, which uses the Markov chain Monte Carlo method to extract samples from the conditional probability distribution and gradually approximate the true joint probability distribution to obtain the Bayesian network model after missing value processing.
[0134] Based on the Bayesian network model after missing value processing, the model performance is evaluated by cross-validation. The preprocessed training dataset is divided into training set and test set. The model's discriminative ability is evaluated by calculating the model's prediction accuracy, recall and F1 score, and the Bayesian network model after performance evaluation is obtained.
[0135] Based on the Bayesian network model after performance evaluation, model regularization techniques are used to prevent overfitting. Specifically, the Bayesian information criterion is used to optimize the network structure complexity, and the weight decay method is used to constrain the magnitude of the parameter estimates to obtain a regularized Bayesian probability model.
[0136] Based on the regularized Bayesian probabilistic model, the model is continuously optimized by establishing an online model update mechanism. This mechanism continuously incorporates new monitoring data through incremental learning algorithms and adopts a sliding time window mechanism to maintain the model's adaptability to changes in system state, thereby obtaining a Bayesian probabilistic model with online update capabilities.
[0137] Based on a Bayesian probability model with online update capabilities and a production environment, the model is deployed to the production environment through model deployment technology. The current server performance data, configuration status and idle status are received through a real-time monitoring interface and input into the model for inference calculation to obtain real-time inference results.
[0138] Based on the real-time inference results, the posterior probability in the real-time inference results is converted into a business operation risk value through a risk level classification algorithm. The risk value range is calibrated according to historical fault data to obtain the business operation risk value.
[0139] Based on the risk values of business operations and the requirements of the resource scheduling system, the Bayesian probability model with online update capability is integrated into the resource scheduling system through system integration technology. This enables the model to provide risk prediction support for resource allocation decisions, resulting in a Bayesian probability model that can accurately assess the business operation risks after the elastic bare metal server is connected to the blockchain.
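A minimal version of the Bayesian network of [0131] to [0138], as an added Python example (not the patent's model): three binary parent nodes (performance index, historical configuration, idle state) and a binary business operation risk child. Parameters are learned with EM, where the E-step enumerates the completions of rows with missing values and weights them by their posterior probability, and the M-step recomputes the marginals and the conditional probability table from the fractional counts; the observed-data log-likelihood is returned per iteration so that the monotone increase EM guarantees can be checked. Inference is a lookup in the learned table, and the posterior is mapped to a risk level with assumed calibration thresholds. The training rows and the missing-value pattern are constructed; the Gibbs sampling, cross-validation and BIC steps of [0133] to [0135] are not included.

```python
from itertools import product
from math import log
from typing import Dict, List, Optional

PARENTS = ("perf", "cfg", "idle")   # parent nodes of [0131]; "risk" is the child
NODES = PARENTS + ("risk",)         # every variable is binary: 0 = benign, 1 = adverse
Row = Dict[str, Optional[int]]      # None marks a missing value


class RiskBayesNet:
    """P(perf) P(cfg) P(idle) P(risk | perf, cfg, idle); parameters fitted by EM."""

    def __init__(self) -> None:
        self.marg = {v: 0.5 for v in PARENTS}                    # P(v = 1)
        self.cpt = {k: 0.5 for k in product((0, 1), repeat=3)}  # P(risk = 1 | parents)

    def joint(self, row: Dict[str, int]) -> float:
        p = 1.0
        for v in PARENTS:
            p *= self.marg[v] if row[v] == 1 else 1.0 - self.marg[v]
        key = tuple(row[v] for v in PARENTS)
        return p * (self.cpt[key] if row["risk"] == 1 else 1.0 - self.cpt[key])

    @staticmethod
    def completions(row: Row) -> List[Dict[str, int]]:
        """All fully observed rows consistent with the missing entries of `row`."""
        missing = [v for v in NODES if row[v] is None]
        return [{**row, **dict(zip(missing, vals))} for vals in product((0, 1), repeat=len(missing))]

    def fit(self, rows: List[Row], iters: int = 30) -> List[float]:
        """EM: E-step = posterior over completions, M-step = closed-form parameter update.
        Returns the observed-data log-likelihood after each E-step (never decreases)."""
        history = []
        for _ in range(iters):
            marg_n = {v: 0.0 for v in PARENTS}
            num = {k: 0.0 for k in self.cpt}
            den = {k: 0.0 for k in self.cpt}
            loglik = 0.0
            for row in rows:                                  # E-step
                comps = self.completions(row)
                ws = [self.joint(c) for c in comps]
                z = sum(ws)
                loglik += log(z)
                for c, w in zip(comps, ws):
                    w /= z                                    # posterior responsibility
                    key = tuple(c[v] for v in PARENTS)
                    den[key] += w
                    num[key] += w * c["risk"]
                    for v in PARENTS:
                        marg_n[v] += w * c[v]
            history.append(loglik)
            for v in PARENTS:                                 # M-step
                self.marg[v] = marg_n[v] / len(rows)
            for k in self.cpt:
                if den[k] > 0:                                # unseen combination keeps its value
                    self.cpt[k] = num[k] / den[k]
        return history

    def risk_probability(self, perf: int, cfg: int, idle: int) -> float:
        return self.cpt[(perf, cfg, idle)]


def risk_level(p: float) -> str:
    """Posterior -> business operation risk value of [0138]; thresholds are an assumed calibration."""
    return "low" if p < 0.3 else "medium" if p < 0.7 else "high"


def constructed_dataset() -> List[Row]:
    """Constructed training rows (assumption): risk is high when performance is degraded and
    either the configuration is volatile or the idle period is long; four rows have gaps."""
    rows: List[Row] = []
    for perf, cfg, idle in product((0, 1), repeat=3):
        risk = 1 if perf == 1 and (cfg == 1 or idle == 1) else 0
        rows += [{"perf": perf, "cfg": cfg, "idle": idle, "risk": risk}] * 2
    rows += [{"perf": None, "cfg": 1, "idle": 1, "risk": 1},
             {"perf": 1, "cfg": None, "idle": 0, "risk": 1},
             {"perf": 0, "cfg": 0, "idle": None, "risk": None},
             {"perf": 1, "cfg": 1, "idle": 1, "risk": None}]
    return rows


if __name__ == "__main__":
    net = RiskBayesNet()
    hist = net.fit(constructed_dataset())
    print("log-likelihood per iteration:", [round(h, 3) for h in hist[:5]], "...")
    p = net.risk_probability(1, 1, 1)
    print("P(risk | degraded, volatile, long) =", round(p, 3), risk_level(p))
```

On real data some parent combinations are unseen and some rows contradict each other; add Dirichlet pseudo-counts in the M-step (the regularization step of [0135]) so that no conditional probability collapses to exactly 0 or 1, and keep the latent-variable count small, since the E-step here enumerates every completion of a row and grows exponentially in the number of missing fields.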
[0140] The functional attributes, identity fingerprints, health status scores, and configuration status of the server group are stored in the parameter nodes of the metadata subnet within the resource interaction verification network. Based on the identity fingerprint and location information of each parameter node, a corresponding verification key pair (a private verification key and its public key) is generated.
[0141] A physical resource subnet is constructed based on the server group, and the public key of the server corresponding to each parameter node is associated and mapped to the physical resource node corresponding to the physical resource subnet, establishing a one-to-one association mapping between parameters and resources; each physical resource node represents a server.
[0142] Based on parameter-resource one-to-one association mapping, metadata subnet and physical resource subnet, a resource interaction verification network is obtained through topology space algorithm, and the initial state of the corresponding server in each parameter node is set to "idle".
[0143] Furthermore, the process of associating and mapping metadata subnets with physical resource nodes in this embodiment includes:
[0144] By collecting server functional attributes, health status scores, identity fingerprints and geographical locations, a multi-dimensional description vector of physical resource nodes is constructed to provide basic metadata for key generation and association mapping.
[0145] Based on server fingerprints and geographic location, an asymmetric key pair is generated using an elliptic curve algorithm. The private key is encrypted and stored in a hardware security module, while the public key serves as the node's identity identifier, ensuring that communication link authentication is tamper-proof. If the fingerprint and location are used as seed material, they must be mixed with secret entropy generated inside the hardware security module: both values are observable, and a key derived from them alone could be reproduced by an attacker who learns them.
[0146] Idle parameter nodes are selected based on health status scores, and a one-to-one binding is established with physical resource nodes in the same data center through public keys to prioritize low latency and high reliability, while isolating potential risks of cross-data center communication.
[0147] Multiple parameter nodes and multiple physical machines are bound together to form metadata subnets and physical resource subnets, respectively. Public key association is used to achieve encrypted communication and resource scheduling access control across subnets.
[0148] Furthermore, in this embodiment, the geolocation-sensitive association mapping, combined with hardware fingerprint anti-tampering, achieves dual isolation of "location + identity," greatly improving the network attack interception rate.
[0149] Obtain the user resource demand sequence, trigger the demand parsing model in the smart contract of the elastically coupled blockchain, and obtain the user resource demand space;
[0150] Furthermore, the construction and training process of the demand analysis model in this embodiment includes:
[0151] Based on historical user resource demand data, the original training corpus is obtained by acquiring resource specification description text, performance index requirements, service level agreement terms, business type tags and resource usage pattern records through multi-source data acquisition interfaces.
[0152] The original training corpus is preprocessed using natural language processing techniques. This includes removing irrelevant characters and stop words using text cleaning algorithms, standardizing vocabulary through stemming and lemmatization techniques, and extracting resource-related entities using named entity recognition algorithms to obtain the preprocessed training corpus.
[0153] Based on the preprocessed training corpus, a multimodal feature vector is constructed through feature engineering methods. This involves combining word embedding technology to convert text descriptions into numerical vectors, processing categorical features through one-hot encoding, and processing numerical features through a normalization algorithm to obtain a multimodal feature vector with a unified dimension.
[0154] Based on multimodal feature vectors, a deep demand analysis model is constructed through the Transformer architecture. The model uses a multi-head self-attention mechanism to capture long-distance dependencies in the demand text, positional encoding to maintain sequence order information, and a feedforward neural network to achieve nonlinear transformation of features, thus obtaining the initial deep demand analysis model structure.
[0155] Based on the initial deep demand analysis model structure and large-scale unlabeled resource demand text, the model parameters are initialized through the masked language model pre-training strategy, the model is trained through self-supervised learning, and the semantic understanding ability of the model is enhanced through the next sentence prediction task, thus obtaining the pre-trained demand analysis basic model.
[0156] Based on the pre-trained demand parsing basic model and the labeled resource demand-configuration mapping data, the pre-trained demand parsing basic model is fine-tuned through domain adaptation technology, and the model is optimized through supervised training. The loss value is calculated using the cross-entropy loss function, and the model weights are iteratively updated through the gradient descent algorithm to obtain the fine-tuned demand parsing model.
[0157] Based on the fine-tuned demand parsing model, the robustness of the model is improved by deploying an adversarial training mechanism. This mechanism involves generating adversarial examples through a generative adversarial network, enhancing the model's anti-interference ability through a gradient penalty method, and improving the model's calibration performance through label smoothing technology, thereby obtaining a robust demand parsing model.
[0158] Based on a robust demand parsing model and a domain knowledge graph, the model's reasoning ability is enhanced by integrating the knowledge graph. Specifically, the relationship between domain knowledge entities is fused through a graph neural network, and important knowledge nodes are dynamically weighted through an attention mechanism to enhance the model's ability to infer implicit demands, thus obtaining a demand parsing model with enhanced reasoning ability.
[0159] Based on the demand parsing model with enhanced reasoning ability, the model performance is optimized through a multi-task learning framework, including joint training of demand classification tasks and resource allocation generation tasks, maintaining the independence of each task through a task-specific adapter network, and coordinating the multi-task learning process through a gradient equalization algorithm, to obtain a demand parsing model with optimized performance.
[0160] Based on the performance-optimized demand parsing model, hyperparameters are tuned using the Bayesian optimization algorithm. The relationship between hyperparameters and model performance is modeled using a Gaussian process, and the optimal combination of hyperparameters is selected by the expected improvement acquisition function to obtain the demand parsing model with the best hyperparameter configuration.
[0161] Based on the demand parsing model with optimal hyperparameter configuration, we improve inference efficiency through model compression technology, train a lightweight student model using knowledge distillation, remove redundant parameters through model pruning algorithm, and reduce model storage requirements through quantization technology, thus obtaining a lightweight and efficient demand parsing model.
[0162] Based on the lightweight and efficient demand parsing model and the smart contract environment, the model service is deployed to the smart contract environment through model deployment technology. The ONNX format is used to achieve cross-platform deployment of the model, hardware acceleration technology is used to improve inference speed, and online hot updates are supported through model version management, so as to obtain the demand parsing model service deployed in the smart contract environment.
[0163] Based on the demand parsing model service deployed in the smart contract environment, the model adaptability is optimized by establishing a continuous learning mechanism. This includes adapting to new demand patterns through online learning algorithms, maintaining old knowledge through catastrophic forgetting prevention technology, and selecting valuable samples for labeling through active learning strategies, thereby obtaining a demand parsing model with continuous learning capabilities.
[0164] Based on a demand parsing model with continuous learning capabilities, a functional verification mechanism is used to confirm the accuracy of the model's understanding of user resource requirements and the reliability of the output structured demand space. This results in a high-performance demand parsing model that can output a structured description of user resource demand space, providing reliable input for subsequent resource scheduling and allocation.
[0165] Furthermore, the demand parsing model in the smart contract in this embodiment is constructed using LSTM to identify business types and extract key parameters. For example, the financial sector requires "exclusive VLAN + hardware encryption".
[0166] Based on the user resource demand space and resource interaction verification network, the matching algorithm combined with the PoS+QoS consensus algorithm is used to obtain the server resources and number of servers that meet the user's needs. The initial state of the corresponding parameter node of the server obtained from the resource exchange pool is converted into the "current occupancy state" and the occupancy state timestamp interval is marked.
[0167] It should be further explained that the state transition implementation process in this embodiment includes:
[0168] Based on the task status of the business processing subchain, the task completion event of the business processing subchain is monitored through smart contracts. When a signal of business completion or lease expiration is detected, the resource state transition process is automatically triggered. At the same time, an event-driven architecture is adopted to ensure the timeliness of the state transition and obtain the resource state transition trigger instruction.
[0169] Based on the resource state transition trigger instruction, a resource cleanup task is created through a resource release instruction generation algorithm. The resource release instruction generation algorithm generates differentiated cleanup strategies based on the characteristics of resource types. Specifically, memory zeroing is performed on computing resources, data erasure is performed on storage resources, and rule reclamation is performed on network resources to obtain a set of resource cleanup tasks.
[0170] Based on the storage resource cleanup task set, the storage resources are cleaned up multiple times through a secure data erasure algorithm, while the data is ensured to be unrecoverable through erasure specifications, so as to obtain the storage resource cleanup results.
[0171] Based on the computational resource cleanup tasks in the resource cleanup task set, memory resources are initialized through physical memory zeroing instructions, and the integrity of the cleanup is ensured through hardware-assisted memory protection mechanisms to obtain the memory resource initialization results.
[0172] Based on the security key processing task in the resource cleanup task set, the security key material is processed through the key destruction protocol. The key derivation tree management mechanism is used to trace all derived keys, and the original key storage area is covered by a cryptographically secure random number generator to ensure that the key information is completely eliminated and obtain the key information clearing result.
[0173] Based on the storage resource cleanup results, memory resource initialization results, and key information clearing results, a resource cleanup verification mechanism is deployed to verify the cleanup effect. This mechanism involves obtaining a resource status snapshot using a digital fingerprinting algorithm, generating a resource status digest value using hash operations, and comparing the resource status digest value with the initial status baseline value to obtain the resource cleanup effect verification result.
[0174] Based on the verification results of resource cleanup effect, the cleanup proof is verified by executing a smart contract. The correctness of the resource cleanup process is verified by zero-knowledge proof technology without revealing the specific cleanup details. Merkle tree structure is used to construct the cleanup operation proof to ensure the efficiency of the verification process and obtain the verification result of the correctness of the cleanup process.
[0175] Based on the entire process of resource state transition, the complete resource release process is recorded through audit logs. Blockchain technology is used to ensure the immutability of the logs, timestamp service is used to record the time node of each operation, and digital signatures are used to ensure the traceability of responsibility for the operation, thus obtaining an immutable resource release audit log.
[0176] Based on the integrity and quality of the resource release process, a health status score update mechanism is implemented to dynamically adjust the node score. The weighted scoring algorithm is adopted to comprehensively consider multiple factors such as cleanup time, resource consumption and verification results to obtain the updated node health status score.
[0177] Based on fault monitoring during resource release, an abnormal handling process is established to deal with release failures. When a failure is detected in the resource release process, a backup cleanup plan is automatically triggered. At the same time, a redundant cleanup mechanism is used to ensure that the resource release task can be completed under various abnormal conditions and to obtain the resource release completion result under abnormal conditions.
[0178] Based on the resource release completion result, the node state in the resource interaction verification network is updated through the state synchronization protocol. A consensus algorithm is used to ensure the consistency of all nodes' understanding of the resource state, and distributed transactions are used to ensure the atomicity of the state update, thereby obtaining a consistent update result of the node state in the resource interaction verification network.
[0179] Based on the consistent update results of node states, a state transition confirmation mechanism is used to complete the safe transition of resources from occupied to idle states, ensuring that resources are thoroughly cleaned up and can be reassigned to new user tasks, while maintaining the security and reliability of the system and obtaining safe and available resources that can be reassigned.
[0180] For example, to better illustrate the process of obtaining server resources and the number of servers that meet user needs through a matching algorithm combined with a PoS+QoS consensus algorithm, this embodiment provides the following exemplary steps, taking a financial transaction scenario as an example:
[0181] A user submits a JSON request containing their own requirements, including user information, business type, hardware specifications, number of servers required, network requirements, usage time window, and service level agreement.
[0182] In this embodiment, the smart contract will parse this request and perform the following operations:
[0183] The business type is identified as financial, which triggers financial-specific rules. These rules typically require the servers to be located in the same data center, have hardware encryption capabilities, and have TPM (Trusted Platform Module) verification capabilities.
[0184] In the resource interaction verification network, query the timestamp range of each server's occupancy status and exclude servers that have already been pre-occupied within the user-specified time window.
[0185] The hardware specifications required by users are associated and mapped to hardware fingerprint prefixes, which facilitates matching based on the "configuration fingerprint" field in the resource interaction verification network, and ultimately transforms user requests into structured requirement objects.
[0186] Relevant data is extracted from the metadata subnet and physical resource subnet of the resource interaction verification network. This data includes server configuration fingerprints, health status scores, geographical locations, financial tags, recent usage time, staking status, and QoS scores. The data is then filtered based on some basic criteria.
[0187] Servers with health status scores below the preset value are excluded because servers with low health status scores may have hardware failure risks, which could affect the stable operation of the business.
[0188] Only select servers with financial labels to ensure that the servers meet the specific requirements of financial business.
[0189] Filter out servers that are available within the user-specified time window to avoid time conflicts.
[0190] Furthermore, in this embodiment, the PoS (Proof-of-Stake) consensus mechanism is used to filter nodes that provide server resources. The specific steps are as follows:
[0191] By traversing the resource interaction verification network through smart contracts, it checks whether the amount of resources in the staking pool of the provider node meets the requirements, and filters nodes with sufficient staking and no excess locked resources, thus providing a reliable resource pool for subsequent priority ranking.
[0192] In this embodiment, the percentage of staked resources affects the priority of nodes. The higher the staked amount, the greater the weight. Nodes that stake 100% of their resources will have their weight doubled. This incentivizes providers to offer more resources and ensure their availability. Ultimately, provider nodes with sufficient staked resources are selected.
[0193] Nodes are sorted in descending order based on the proportion of staked amount and QoS score. If the scores are the same, they are sorted in order of stake weight. If the stake weights are also the same, they are sorted in ascending order of geographical location. This incentivizes high-stake nodes and ensures the service quality baseline.
[0194] A three-level filtering process is used to screen servers, ensuring low latency, high security, and balanced resource allocation, and then selecting available candidates for the atomic locking process. Furthermore, in this embodiment, the three-level filtering includes criteria such as financial tags from the same data center, hardware encryption support, and priority given to servers that have not been used recently.
[0195] Furthermore, the implementation process of the PoS+QoS consensus algorithm in this embodiment includes:
[0196] Based on the node participation foundation of the distributed coupled associated mapping chain, a node staking system is established through the proof-of-stake mechanism. Then, the server resource provider is required to stake digital assets of corresponding value through the digital asset staking algorithm. Subsequently, the staking quantity and timestamp are automatically recorded through smart contracts. At the same time, the on-chain ledger is used to ensure the transparency and immutability of the staking records, thereby obtaining a node staking record dataset.
[0197] Based on the server nodes in the node staking record dataset, server performance data is collected in real time through a service quality measurement system. This system uses network probe technology to measure node response latency, uses bandwidth monitoring tools to obtain node throughput data, and collects node CPU utilization and memory utilization metrics through a resource monitoring agent to obtain a real-time service quality dataset for the nodes.
[0198] Based on the node real-time service quality dataset, the real-time QoS score of each node is calculated through a multi-dimensional scoring algorithm. The weighted moving average method is used to process the node's historical performance data to smooth fluctuations. The coefficient of variation method is used to dynamically adjust the weights of each indicator, such as CPU utilization, memory utilization, response latency, and throughput. The normalization process converts the indicator values of different dimensions into a unified range of scores to obtain the node's real-time QoS standardized score.
[0199] It should be further explained that the process of dynamically adjusting the weights of CPU utilization, memory utilization, response latency, and throughput using the coefficient of variation method in this embodiment includes:
[0200] First, a sliding time window is set, containing the most recent N fixed data collection periods, where N is a preset positive integer. Historical performance data for four categories (CPU utilization, memory utilization, response latency, and throughput) is extracted from this window and used as the basis for weight calculation. Next, for each category of historical performance data, its arithmetic mean is calculated, and the sample standard deviation is calculated using Bessel's correction to ensure that the standard deviation more accurately reflects data fluctuations. Based on this, the coefficient of variation (CV) for each indicator is calculated using the formula CV = σ / μ, where σ is the sample standard deviation of the indicator and μ is its mean. If the mean μ of an indicator is 0, a preset maximum value is assigned to the coefficient of variation of that indicator to avoid a division-by-zero error. Then, the coefficients of variation of the four indicators are normalized by dividing the coefficient of variation of each indicator by the sum of the coefficients of variation of the four indicators to obtain the weight ω for each indicator, ensuring that the sum of the weights of the four categories of indicators is always 1. Meanwhile, the regular update cycle for the weights is set to P collection cycles, where P is a preset positive integer and P ≤ N. After every P collection cycles, the entire process from extracting window data to calculating weights is repeated to achieve periodic dynamic updates of the weights. In addition, when the absolute value of the change in the coefficient of variation of a certain indicator between two consecutive update cycles exceeds a preset threshold, the regular update cycle is interrupted and the weight update process is triggered immediately: data extraction, coefficient of variation calculation, and normalization are re-executed to quickly adapt to abnormal changes in indicator fluctuations.
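The coefficient-of-variation weighting described in paragraph [0200], implemented as an added example (not code from the patent): a sliding window of the most recent N periods, CV = σ / μ with Bessel's (n-1) correction and a preset maximum when μ = 0, normalization to weights summing to 1, a periodic update every P cycles, and an immediate update when any indicator's CV moves by more than a threshold since the last committed update. The choices to compare CVs against the last committed update, to keep equal initial weights until the window is full, and to fall back to equal weights when all CVs are 0 are assumptions; the indicator names and sample values are constructed.

```python
"""Coefficient-of-variation (CV) weighting for the four QoS indicators."""
from statistics import mean, stdev
from typing import Dict, List, Tuple

# The four indicator categories named in the embodiment (names are constructed).
METRICS = ("cpu_util", "mem_util", "latency_ms", "throughput_mbps")


def cv_weights(window: Dict[str, List[float]], cv_max: float) -> Tuple[Dict[str, float], Dict[str, float]]:
    """CV = sigma / mu per indicator over the window, normalised so the weights sum to 1."""
    cvs: Dict[str, float] = {}
    for m in METRICS:
        values = window[m]
        mu = mean(values)
        if mu == 0:
            cvs[m] = cv_max          # preset maximum avoids division by zero
            continue
        sigma = stdev(values)        # sample standard deviation, Bessel's (n-1) correction
        cvs[m] = sigma / mu
    total = sum(cvs.values())
    if total == 0:                   # every indicator perfectly flat: equal weights (assumption)
        weights = {m: 1.0 / len(METRICS) for m in METRICS}
    else:
        weights = {m: cvs[m] / total for m in METRICS}
    return cvs, weights


class CVWeightUpdater:
    """Sliding window of N collection periods, periodic update every P periods, forced
    update when |CV change| since the last committed update exceeds jump_threshold."""

    def __init__(self, window_n: int, update_p: int, cv_max: float, jump_threshold: float):
        if window_n < 2 or not (1 <= update_p <= window_n):
            raise ValueError("need window_n >= 2 and 1 <= update_p <= window_n")
        self.n, self.p, self.cv_max, self.jump = window_n, update_p, cv_max, jump_threshold
        self.window: Dict[str, List[float]] = {m: [] for m in METRICS}
        self.weights: Dict[str, float] = {m: 1.0 / len(METRICS) for m in METRICS}
        self.last_cvs: Dict[str, float] = {}     # CVs at the last committed update
        self.cycles_since_update = 0

    def observe(self, sample: Dict[str, float]) -> bool:
        """Ingest one collection period; return True if the weights were recomputed."""
        for m in METRICS:
            self.window[m].append(sample[m])
            del self.window[m][:-self.n]          # keep only the most recent N periods
        self.cycles_since_update += 1
        if len(self.window[METRICS[0]]) < self.n:
            return False                          # window not yet full (assumption: wait)
        cvs, weights = cv_weights(self.window, self.cv_max)
        periodic = self.cycles_since_update >= self.p
        forced = bool(self.last_cvs) and any(
            abs(cvs[m] - self.last_cvs[m]) > self.jump for m in METRICS
        )
        if not (periodic or forced):
            return False
        self.weights, self.last_cvs, self.cycles_since_update = weights, cvs, 0
        return True


def demo() -> Dict[str, float]:
    """Constructed trace: a stable pattern, then a latency spike that forces an early update."""
    upd = CVWeightUpdater(window_n=4, update_p=2, cv_max=10.0, jump_threshold=0.5)
    quiet = {"cpu_util": 50, "mem_util": 40, "latency_ms": 10, "throughput_mbps": 100}
    busy = {"cpu_util": 50, "mem_util": 60, "latency_ms": 20, "throughput_mbps": 100}
    for s in (quiet, busy, quiet, busy, quiet, busy):
        upd.observe(s)
    upd.observe({**quiet, "latency_ms": 200})     # spike: CV of latency jumps
    return upd.weights
```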
[0201] Based on the node staking record dataset and node reputation history data, the Proof-of-Stake (PoS) weight factor is determined through a stake weight calculation algorithm. A logarithmic function is used to smooth the differences in staking amounts among different nodes to avoid excessive concentration of stake. A time decay factor is used to quantify the impact of staking duration on stake (the longer the staking time, the smaller the decay coefficient). The final Proof-of-Stake score is calculated by combining the node's historical record of no violations.
[0202] Based on the node's Proof-of-Stake score and the node's real-time QoS standardized score, the two scores are combined through a linear weighted fusion algorithm. A dynamic weight adjustment mechanism is used to balance the importance of Proof-of-Stake and QoS. A fuzzy logic control algorithm is used to automatically adjust the weight allocation ratio according to the business type. For example, in the financial transaction scenario, the QoS indicator weight is increased by 30%-50% to obtain the node's comprehensive consensus score.
[0203] Based on the comprehensive consensus score of nodes, a candidate node pool for resource allocation schemes is created through a consensus proposal generation mechanism. A round-robin selection algorithm is used to initially screen candidate nodes from all nodes that meet the comprehensive consensus score. A cryptographically secure random number generator is used to introduce selection uncertainty. A verifiable random function is used to ensure the fairness and unpredictability of the candidate node selection process, and a consensus candidate node list is obtained.
[0204] Based on the consensus candidate node list and resource scheduling requirements (cost, performance, and risk constraints), the optimal resource allocation scheme is solved through a multi-objective optimization algorithm. The non-dominated sorting genetic algorithm is used to handle the multiple constraints of "cost minimization, performance maximization, and risk minimization". The Pareto optimal solution selection mechanism is used to select the optimal solution that takes into account all objectives from multiple feasible solutions, thus obtaining the optimal resource allocation scheme for nodes.
[0205] Based on the optimal node resource allocation scheme, the final consensus verification is executed through smart contracts. The multi-signature mechanism requires at least two-thirds of the verification nodes (the verification nodes are selected from the top 30% of the nodes in the comprehensive consensus score) to collectively confirm the allocation scheme. The Byzantine fault tolerance algorithm is used to resist malicious behavior of no more than one-third of the nodes to ensure consensus security. The threshold signature technology is used to merge the signatures of multiple nodes into a single signature to improve verification efficiency and obtain the consensus verification result of the resource allocation scheme.
[0206] Based on the consensus verification results of the resource allocation scheme, the consensus execution effect is tracked through a real-time monitoring system. The feedback control algorithm is used to dynamically adjust the consensus parameters, such as QoS indicator weights and candidate node screening thresholds, according to the actual service quality deviations. The weight allocation strategy is optimized through a reinforcement learning mechanism with the reward goal of improving consensus efficiency and service quality compliance rate. New network environment data, such as node failure rate and business load changes, are incorporated in real time using an online learning algorithm to adapt to changes in demand and obtain dynamically optimized consensus parameter configurations.
[0207] Based on the consensus process data, including candidate node selection records, voting data, and verification results, an auditable system is built through a consensus result traceability mechanism. This system uses blockchain technology to record the complete consensus process on the chain ledger, uses a Merkle tree structure to store the voting data of each node to achieve fast hash verification, and uses zero-knowledge proof technology to verify the correctness of the consensus process without revealing specific voting details, thus obtaining a complete record of the traceable and auditable consensus process.
[0208] Based on the consensus verification results of the resource allocation scheme, the dynamically optimized consensus parameter configuration, and the complete record of the traceable and auditable consensus process, the consensus algorithm is confirmed through an algorithm integrity verification mechanism to simultaneously meet the requirements of "PoS" and "Quality of Service (QoS)" and can adapt to the security and reliability scheduling requirements of high-requirement scenarios such as financial transactions, thus obtaining a complete PoS+QoS consensus algorithm. This algorithm can provide consensus support for resource scheduling of distributed coupled and associated mapping chains.
[0209] Furthermore, the three-level filtering server in this embodiment specifically includes:
[0210] The first-level filtering specifically involves filtering servers located in the same data center as the user, with a financial tag, and a health status score greater than 90, based on the user's IP location. Servers in the same data center can reduce network latency and meet the low latency requirements of financial services.
[0211] The second-level filtering specifically involves querying the SecureBoot status of the server's BMC (Baseboard Management Controller) via IPMI (Intelligent Platform Management Interface) to confirm whether the server supports hardware encryption. Servers that do not support hardware encryption are excluded to ensure the security of financial business data.
[0212] The third-level filtering involves sorting the remaining servers in ascending order of "last usage time," prioritizing servers that have not been used recently. Then, it extracts the top few servers from the sorted list and verifies their availability within the user-specified time window.
[0213] The smart contract is invoked to lock the state of the selected server. The CAS mechanism handles concurrent conflicts, and failed requests are put into the retry queue to ensure the uniqueness of resource configuration. At the same time, the amount of staking pool is deducted, triggering a state change.
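The candidate selection of paragraphs [0184] to [0194] and [0210] to [0213] for the financial scenario, as an added example that is not the patent's own code: level-1 filtering (same data center, financial tag, health score above 90), level-2 filtering (hardware encryption confirmed), a PoS stake check with doubled weight for 100% staking, exclusion of servers whose occupancy timestamp interval overlaps the requested window, ranking by stake weight and QoS descending then location ascending then least-recently-used, and a compare-and-set lock with a retry queue. The BMC SecureBoot query is assumed already performed and stored as a boolean, the staking threshold of 0.5 and the server records are constructed, and stake-pool deduction and on-chain recording are left out.

```python
"""Three-level filtering, PoS ranking and atomic locking for a financial request."""
from dataclasses import dataclass, field
from threading import Lock
from typing import List, Tuple

Interval = Tuple[int, int]   # occupancy timestamp interval [start, end)


@dataclass
class Server:
    fingerprint: str
    data_center: str
    tags: set
    health: float             # health status score, 0..100
    hw_encryption: bool       # result of the BMC SecureBoot/TPM query (assumed already done)
    last_used: int            # last usage time, epoch seconds
    staked_fraction: float    # share of the provider's resources in the staking pool, 0..1
    qos: float                # real-time QoS standardised score, 0..1
    state: str = "idle"
    occupancy: List[Interval] = field(default_factory=list)


def overlaps(a: Interval, b: Interval) -> bool:
    return a[0] < b[1] and b[0] < a[1]


def stake_weight(s: Server) -> float:
    """Staked share as weight; a node staking 100% of its resources has its weight doubled."""
    return 2.0 * s.staked_fraction if s.staked_fraction >= 1.0 else s.staked_fraction


def match_servers(servers: List[Server], user_dc: str, window: Interval, count: int,
                  min_health: float = 90.0, min_stake: float = 0.5) -> List[Server]:
    # Level 1: same data center as the user, financial tag, health score above the preset value.
    pool = [s for s in servers
            if s.data_center == user_dc and "financial" in s.tags and s.health > min_health]
    # Level 2: hardware encryption confirmed by the BMC query.
    pool = [s for s in pool if s.hw_encryption]
    # PoS: provider node must have sufficient stake (threshold is an assumption).
    pool = [s for s in pool if s.staked_fraction >= min_stake]
    # Exclude servers already pre-occupied within the user-specified time window.
    pool = [s for s in pool if not any(overlaps(window, iv) for iv in s.occupancy)]
    # Rank: stake weight and QoS descending, location ascending, least recently used first.
    pool.sort(key=lambda s: (-stake_weight(s), -s.qos, s.data_center, s.last_used))
    return pool[:count]


class AtomicLocker:
    """Compare-and-set style lock: the window must still be free at commit time."""

    def __init__(self) -> None:
        self._lock = Lock()
        self.retry_queue: List[str] = []

    def try_lock(self, server: Server, window: Interval) -> bool:
        with self._lock:                              # one writer at a time
            if any(overlaps(window, iv) for iv in server.occupancy):
                self.retry_queue.append(server.fingerprint)   # lost the race: retry later
                return False
            server.occupancy.append(window)               # mark occupancy timestamp interval
            server.state = "occupied"
            return True


def sample_servers() -> List[Server]:
    """Constructed inventory covering each exclusion path."""
    fin = {"financial"}
    return [
        Server("A", "dc1", fin, 95, True, 100, 1.0, 0.90),
        Server("B", "dc1", fin, 92, True, 50, 0.8, 0.95),
        Server("C", "dc1", fin, 85, True, 10, 0.9, 0.99),           # health too low
        Server("D", "dc2", fin, 99, True, 10, 1.0, 0.99),           # other data center
        Server("E", "dc1", fin, 99, False, 10, 1.0, 0.99),          # no hardware encryption
        Server("F", "dc1", fin, 97, True, 10, 0.9, 0.99, occupancy=[(1000, 2000)]),
        Server("G", "dc1", fin, 93, True, 200, 0.8, 0.95),          # ties with B, used later
    ]
```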
[0214] Based on user IP and SDN path detection, latency is calculated, and nodes in the same data center with latency < SLA requirements are forcibly selected, excluding cross-region servers. If resources are insufficient, the latency is relaxed to 15ms and IPsec tunnel encryption is enabled to balance performance and security.
[0215] The server's real-time health status score is obtained through the HealthOracle oracle. Abnormal nodes are automatically released and replaced with alternatives to prevent business interruption caused by sudden changes in status after the server is locked.
[0216] The Paxos algorithm is used to synchronously update the metadata subnet and the physical resource subnet, deduct resources from the staking pool and record the timestamp. If no confirmation is made after the timeout, the rollback is performed to ensure distributed consistency.
[0217] When resources in the same data center are insufficient, latency restrictions are dynamically relaxed, the staking weight of cross-regional nodes is increased and encryption is enforced, and the configuration audit trail is recorded on the chain to ensure compliance while maximizing resource utilization.
[0218] Server details are returned in JSON format and the user is notified. Simultaneously, the SDN controller is pre-bound to VLANs, reducing user-end configuration latency and improving end-to-end readiness speed. The server has optimized IP, VLAN, and fingerprint selection.
[0219] The entire process is recorded on the blockchain, including configuration ID, user ID, server fingerprint, and algorithm parameters, generating quarterly compliance reports, supporting regulatory retrospectives and audits, and forming a closed-loop trusted proof.
[0220] Based on the number of servers, combined with blockchain and smart contracts, a distributed coupled and related mapping chain is constructed.
[0221] Furthermore, the distributed coupled association mapping chain in this embodiment includes an isolated block sub-chain and a business processing sub-chain;
[0222] The isolated block subchain contains M isolated block sub-nodes and one extended isolated block sub-node; the business processing subchain contains M business processing sub-nodes.
[0223] The isolated block sub-nodes are used to store the key-public key, identity fingerprint, hash table of the running results, and verification and on / off chain adjustment of the security isolation interaction strategy for the corresponding business processing sub-nodes; the business processing sub-chain is used to perform load adjustment and calculation of user demand business based on real-time load data, and each business processing sub-node in the business processing sub-chain is only allowed to interact with other business processing sub-nodes in the chain.
[0224] The identity fingerprint, parameter-resource one-to-one association mapping, key-public key pair, and marked occupation status timestamp interval of each server corresponding parameter node in the server resources that meet user needs are associated and mapped from the corresponding parameter node in the metadata subnet to the corresponding isolated block sub-node in the isolated block subchain through smart contracts for resource on-chaining. After the resources are on-chained, a three-layer dynamic protection algorithm is configured on the corresponding interface of each isolated block sub-node.
[0225] Simultaneously, based on the physical resource subnet, select the physical resource node corresponding to the server, construct the business processing subchain and configure the exclusive virtual LAN identifier and VLAN identifier, and use parameter-resource one-to-one association mapping to connect the business processing sub-nodes in the business processing subchain with the corresponding isolation block sub-nodes.
[0226] Furthermore, in this embodiment, VLAN is a technology that logically divides devices within a local area network into different network segments. Through VLAN, a physical local area network can be divided into multiple logically isolated networks. Devices in different VLANs cannot communicate directly by default, thereby improving the security, flexibility, and manageability of the network.
[0227] The public key stored in the isolation block sub-nodes corresponding to the isolation block sub-chain is associated and mapped to the corresponding business processing sub-nodes. At the same time, the virtual LAN identifier, VLAN identifier, and storage hash of each business processing sub-node configured in the business processing sub-chain are associated and mapped to the corresponding isolation block sub-nodes.
[0228] In the business processing subchain, a load operation limit threshold is set for each node, and an extended association mapping is established between each business processing sub-node and the extended isolation block sub-node based on the set load operation limit threshold. The extended association mapping is then built into the on-chain extended contract between the isolation block subchain and the preparatory resource sub-pool configured in the resource exchange pool.
[0229] When, for any business processing sub-node, the probability that the load predicted by its configured predictive analysis model from the real-time running load data will exceed the limit is greater than the preset load over-limit probability threshold, the on-chain extended contract is triggered.
[0230] Based on the information stored in the over-limit business processing sub-node and its isolation block sub-node, together with the information on idle parameter nodes saved in the resource exchange pool and the distance between each parameter node's physical resource node and the currently predicted over-limit business processing sub-node, a matching algorithm selects the parameter node under the shortest-delay principle, and the matched parameter node is stored in the reserve resource sub-pool.
[0231] At the same time, the public key associated with the predicted over-limit business processing sub-node is mapped to the matched parameter node in the reserve resource sub-pool, and the extended on-chain association mapping is performed.
[0232] This process achieves full lifecycle security management of elastic bare-metal servers through a chain-based trusted architecture. Specifically, the hardware layer achieves precise status awareness through multi-dimensional data collection and health status scoring assessment; the resource scheduling layer ensures node optimization and exclusive configuration based on dynamic consensus algorithms and smart contract locking; the security protection layer establishes a three-tiered defense-in-depth based on network isolation, hardware trusted verification, and business compliance verification; and the elastic scaling layer achieves dynamic resource optimization through load prediction analysis models and hot migration technology. This architecture, through hardware fingerprint anchoring and business scenario decoupling, ensures the immutability of physical devices while supporting efficient elastic scaling of highly sensitive businesses, providing full-stack trusted infrastructure support for financial-grade applications.
[0233] Furthermore, the steps for real-time anomaly repair and resource on / off chain adjustment of the distributed coupled association mapping chain in this embodiment include:
[0234] The running status information within the distributed coupled association mapping chain and between chains is monitored in real time, and real-time anomaly detection is performed through the configured anomaly detection model. When monitoring and detection show that at least one business processing sub-node has an abnormal load, the on-chain extension contract is triggered. Based on the expected migration load corresponding to the load anomaly and the maximum load of the physical resource nodes in the reserve resource sub-pool, the number of physical resource nodes required by the business processing sub-node with the abnormal load is obtained.
[0235] It should be further explained that the construction and training process of the anomaly detection model in this embodiment includes:
[0236] Based on the business processing sub-node, by deploying a data collection agent on the business processing sub-node, the running status indicator data of the business processing sub-node is collected in real time. The running status indicator data includes CPU utilization time series data, memory usage change curve, disk I/O throughput statistics, network bandwidth utilization waveform, and service response latency log, so as to obtain the raw data of the real-time running status of the business processing sub-node.
[0237] Based on the raw data of the real-time running status of the business processing sub-nodes, the raw data of the real-time running status is received through a distributed message queue. Then, the raw data of the real-time running status is preprocessed to perform missing value filling and outlier filtering operations. Subsequently, the preprocessed continuous data stream is converted into a fixed-length time-series data segment through a sliding time window mechanism to obtain the time-series data segment of the business processing sub-nodes.
[0238] Based on the time-series data segments of the business processing sub-nodes, feature engineering techniques are used to extract multi-dimensional features from the time-series data segments. The extracted feature types include statistical features, time-domain features, and frequency-domain features. Among them, statistical features include mean, variance, and extreme values; time-domain features include autocorrelation function values and partial autocorrelation function values; and frequency-domain features include fast Fourier transform coefficients and wavelet transform coefficients, thereby obtaining multi-dimensional feature vectors of the business processing sub-nodes.
[0239] Based on historical anomaly event annotation data and time-series data fragments of business processing sub-nodes, the time-series data associated with the historical anomaly event annotation data are initially annotated using an expert rule system. Then, the time-series data that are not associated with historical annotations are supplemented with annotations using a clustering analysis algorithm. Samples labeled as anomaly states are set as positive samples, and samples labeled as normal states are set as negative samples, thus obtaining an anomaly detection training sample set after annotation.
[0240] Based on the labeled anomaly detection training sample set and the multi-dimensional feature vectors of business processing sub-nodes, an initial anomaly detection model is constructed using the isolation forest algorithm. The isolation forest algorithm constructs multiple isolation trees by randomly selecting features from the multi-dimensional feature vectors and randomly selecting the split points corresponding to the features. Then, the anomaly score of the sample is determined by calculating the path length of the sample in the multiple isolation trees, thus obtaining the baseline anomaly discrimination model.
[0241] Based on the labeled anomaly detection training sample set and the multi-dimensional feature vectors of business processing sub-nodes, a temporal anomaly detection neural network is constructed using deep learning methods. The temporal anomaly detection neural network adopts an encoder-decoder architecture, where the encoder part uses a one-dimensional convolutional neural network to extract local features from the multi-dimensional feature vectors, and the decoder part uses a long short-term memory network to capture long-term dependencies in the multi-dimensional feature vectors, thus obtaining the initial temporal anomaly detection neural network model.
[0242] Based on the initial temporal anomaly detection neural network model and the labeled anomaly detection training sample set, the initial temporal anomaly detection neural network model is trained through a contrastive learning mechanism. The contrastive learning mechanism adopts a triplet loss function, which narrows the feature distance between normal samples and widens the feature distance between normal samples and abnormal samples, thereby enhancing the model's ability to distinguish abnormal patterns and obtaining the trained temporal anomaly detection neural network model.
[0243] Based on the baseline anomaly discrimination model, the trained temporal anomaly detection neural network model, and the validation set in the labeled anomaly detection training sample set, the output results of the two models are fused through an ensemble learning framework. The ensemble learning framework uses a weighted voting mechanism to calculate the final anomaly probability value, wherein the voting weight is dynamically adjusted according to the accuracy of the two models on the validation set, to obtain the fused anomaly discrimination model.
[0244] Based on the fused anomaly detection model and the newly generated monitoring data from the business processing sub-nodes, the parameters of the fused anomaly detection model are continuously optimized through an online learning mechanism. The online learning mechanism uses an incremental learning algorithm to process the newly generated monitoring data to update the model parameters, while using model distillation technology to keep the model lightweight to adapt to real-time inference requirements, thereby obtaining an anomaly detection model with online optimization capabilities.
[0245] Based on an anomaly detection model with online optimization capabilities and edge computing nodes, the anomaly detection model with online optimization capabilities is deployed to the edge computing nodes to form a model service through model deployment technology. Hardware acceleration technology is used to improve the inference speed of the model service, and a model version management mechanism is used to support hot update and rollback operations of the model service to ensure service continuity, thereby obtaining an anomaly detection model service deployed on the edge computing nodes.
[0246] Based on the anomaly detection model service deployed on edge computing nodes, the performance of the model service is evaluated and monitored through a model performance monitoring system. The model performance monitoring system evaluates the discrimination effect of the model service through accuracy, recall, F1 score and response latency indicators. Adversarial examples are used regularly to test the robustness of the model service and to discover and fix model defects in a timely manner, so as to obtain an anomaly detection model service with controllable performance.
[0247] Based on the stable operation requirements of the performance-controllable anomaly detection model service and the distributed coupled association mapping chain, the functional verification mechanism confirms that the performance-controllable anomaly detection model service can accurately identify various load anomaly patterns of business processing sub-nodes, and can promptly trigger on-chain extension contracts when anomalies are detected, thereby obtaining an anomaly detection model that can identify load anomalies of business processing sub-nodes in real time.
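The anomaly detection pipeline of paragraphs [0236] to [0243], as an added illustration that is not part of the patent: sliding-window segmentation, multi-dimensional feature extraction, an isolation forest baseline, and validation-weighted fusion, written in Python with the standard library only. The CPU series, window size and tree count are constructed, and the CNN-LSTM detector of [0241]-[0242] is replaced by a simple deviation scorer so that the fusion step can be shown.

```python
"""Added example, not code from the patent: the business-node load anomaly
detector of [0236]-[0243] reduced to its core steps, standard library only.
The CPU series, window size and tree count are constructed, and
deviation_scorer is a simple stand-in for the CNN-LSTM detector of [0241]."""
import math
import random
from typing import Callable, List, Sequence, Tuple

Scorer = Callable[[List[float]], float]

def sliding_windows(series: Sequence[float], size: int, step: int) -> List[List[float]]:
    """Fixed-length segments cut from the continuous indicator stream ([0237])."""
    return [list(series[i:i + size]) for i in range(0, len(series) - size + 1, step)]

def extract_features(seg: Sequence[float]) -> List[float]:
    """Statistical, time-domain (autocorrelation) and frequency-domain (DFT) features ([0238])."""
    n = len(seg)
    mean = sum(seg) / n
    var = sum((x - mean) ** 2 for x in seg) / n
    def acf(lag: int) -> float:  # autocorrelation at the given lag
        if var == 0:
            return 0.0
        return sum((seg[i] - mean) * (seg[i + lag] - mean) for i in range(n - lag)) / (n * var)
    def dft_mag(k: int) -> float:  # magnitude of the k-th DFT coefficient
        re = sum(x * math.cos(2 * math.pi * k * t / n) for t, x in enumerate(seg))
        im = sum(x * math.sin(2 * math.pi * k * t / n) for t, x in enumerate(seg))
        return math.hypot(re, im) / n
    return [mean, var, min(seg), max(seg), acf(1), acf(2), dft_mag(1), dft_mag(2)]

class IsolationForest:
    """Baseline discriminator ([0240]): random feature and split per node, scored by path length."""
    def __init__(self, n_trees: int = 60, sample_size: int = 32, seed: int = 7):
        self.n_trees, self.sample_size, self.size = n_trees, sample_size, 0
        self.rng, self.trees = random.Random(seed), []

    @staticmethod
    def _c(n: int) -> float:  # expected depth of an unsuccessful BST search on n points
        return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

    def _build(self, rows: List[List[float]], depth: int, limit: int) -> tuple:
        if depth >= limit or len(rows) <= 1:
            return ("leaf", len(rows))
        f = self.rng.randrange(len(rows[0]))
        lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
        if lo == hi:
            return ("leaf", len(rows))
        split = self.rng.uniform(lo, hi)
        return ("node", f, split, self._build([r for r in rows if r[f] < split], depth + 1, limit),
                self._build([r for r in rows if r[f] >= split], depth + 1, limit))

    def fit(self, rows: List[List[float]]) -> "IsolationForest":
        self.size = min(self.sample_size, len(rows))  # at least two rows are assumed
        limit = max(1, math.ceil(math.log2(self.size)))
        self.trees = [self._build(self.rng.sample(rows, self.size), 0, limit)
                      for _ in range(self.n_trees)]
        return self

    def _path(self, tree: tuple, x: List[float], depth: int = 0) -> float:
        if tree[0] == "leaf":
            return depth + self._c(tree[1])
        _, f, split, left, right = tree
        return self._path(left if x[f] < split else right, x, depth + 1)

    def score(self, x: List[float]) -> float:
        """Anomaly score in (0, 1): segments that isolate in few splits score high."""
        avg = sum(self._path(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / self._c(self.size))

def deviation_scorer(train: List[List[float]]) -> Scorer:
    """Stand-in for the temporal neural detector: distance of a segment's mean from training, in (0, 1)."""
    means = [f[0] for f in train]
    mu = sum(means) / len(means)
    sigma = math.sqrt(sum((m - mu) ** 2 for m in means) / len(means)) or 1.0
    return lambda x: 1.0 - math.exp(-0.5 * ((x[0] - mu) / sigma) ** 2)

def fuse(scorers: Sequence[Scorer], validation: Sequence[Tuple[List[float], int]],
         threshold: float = 0.5) -> Scorer:
    """Weighted voting ([0243]): each model's vote weight is its validation accuracy."""
    weights = [sum((s(x) >= threshold) == bool(y) for x, y in validation) / len(validation)
               for s in scorers]
    total = sum(weights) or 1.0
    return lambda x: sum(w * s(x) for w, s in zip(weights, scorers)) / total

# Constructed CPU-utilisation series: noisy baseline with one saturation burst at
# samples 200-231, standing in for the agent-collected raw data of [0236].
_rng = random.Random(1)
CPU_SERIES = [35 + 5 * math.sin(t / 20) + _rng.uniform(-2, 2) for t in range(400)]
for t in range(200, 232):
    CPU_SERIES[t] = 95 + _rng.uniform(-3, 3)
WINDOW, STEP, BURST = 16, 4, range(200, 232)

def build_detector() -> Tuple[Scorer, List[Tuple[List[float], int]]]:
    """Run the pipeline end to end; return the fused scorer and the rule-labelled set
    ([0239]): 1 for windows inside the burst, 0 for windows clear of it, partial ones unlabelled."""
    starts = range(0, len(CPU_SERIES) - WINDOW + 1, STEP)
    feats = [extract_features(w) for w in sliding_windows(CPU_SERIES, WINDOW, STEP)]
    overlap = [sum(t in BURST for t in range(s, s + WINDOW)) for s in starts]
    labelled = [(f, int(k == WINDOW)) for f, k in zip(feats, overlap) if k in (0, WINDOW)]
    forest = IsolationForest().fit(feats)  # unlabelled segments still train the forest
    return fuse([forest.score, deviation_scorer(feats)], labelled), labelled
```

Calling `build_detector()` yields a fused scorer whose probability is high on the burst windows and low on the baseline windows; the online-learning, edge-deployment and monitoring steps of [0244] to [0246] sit outside this block.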
[0248] Based on the number of physical resource nodes required by the load anomaly business processing sub-node, the corresponding number of isolated block sub-nodes and business processing sub-nodes are extended on the distributed coupled association mapping chain through the on-chain extension contract. The public-private key stored in the parameter node corresponding to the on-chain physical resource node in the reserve resource sub-pool is associated and mapped to the public key of the load anomaly business processing sub-node. On-chain verification is performed through the smart contract combined with the resource configuration adjustment model. When the verification succeeds, the corresponding on-chain parameter node and physical resource node are associated and mapped to the corresponding isolated block sub-node and business processing sub-node.
[0249] Once the association mapping is complete, the new isolated block sub-nodes on the chain are interactively verified using the three-layer dynamic protection algorithm configured in the isolated block sub-nodes corresponding to the load anomaly business processing sub-nodes. If the verification is successful, the abnormal load is migrated to the new business processing sub-nodes that have passed the verification, and the corresponding result hash is synchronously migrated to the corresponding isolated block sub-nodes for the required business calculations.
[0250] If the parameter node corresponding to the current physical resource node fails the verification, the current physical resource node and its corresponding parameter node will be rejected from being put on the chain. The remaining parameter nodes and physical resource nodes in the reserve resource sub-pool will continue to be verified until the load migration requirements of the load anomaly business processing sub-node are met.
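The extension-contract flow of paragraphs [0229] to [0231] and the verified migration of [0248] to [0250], as an added simulation that is not part of the patent: the node records, a Euclidean-distance stand-in for delay, and three constructed checks in place of the three-layer dynamic protection algorithm are all assumptions of this example, not the patent's own components.

```python
"""Added example, not code from the patent: a simulation of the on-chain
extension contract of [0229]-[0231] and the verified load migration of
[0248]-[0250]. Node records, the delay model and the checks are constructed."""
import hashlib
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

def fingerprint(attrs: Dict[str, str]) -> str:
    """Identity fingerprint of a server: SHA-256 over its sorted hardware attributes."""
    return hashlib.sha256("|".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()).hexdigest()

@dataclass
class ParameterNode:  # metadata-subnet entry mirroring one physical resource node
    node_id: str
    public_key: str
    location: Tuple[float, float]
    vlan_id: int
    risk_value: float
    recorded_fingerprint: str
    reported_attrs: Dict[str, str]  # hardware attributes reported at verification time
    idle: bool = True

@dataclass
class BusinessNode:
    node_id: str
    public_key: str
    location: Tuple[float, float]
    vlan_id: int
    over_limit_probability: float

@dataclass
class ReservePool:
    nodes: List[ParameterNode] = field(default_factory=list)  # kept in delay order
    key_map: Dict[str, str] = field(default_factory=dict)  # business key -> matched parameter node

def trigger_extension(biz: BusinessNode, exchange_pool: List[ParameterNode],
                      reserve: ReservePool, threshold: float, reserve_size: int = 1) -> bool:
    """[0229]-[0231]: above the over-limit probability threshold, move the idle parameter
    nodes with the shortest delay into the reserve sub-pool and map the business key to the best."""
    if biz.over_limit_probability <= threshold or not any(p.idle for p in exchange_pool):
        return False
    idle = sorted((p for p in exchange_pool if p.idle),
                  key=lambda p: math.dist(p.location, biz.location))[:reserve_size]
    for p in idle:
        p.idle = False
        reserve.nodes.append(p)
    reserve.key_map[biz.public_key] = idle[0].node_id
    return True

def required_nodes(expected_migration_load: float, max_node_load: float) -> int:
    """[0234]: physical resource nodes needed to absorb the expected migration load."""
    return max(1, math.ceil(expected_migration_load / max_node_load))

def three_layer_verify(p: ParameterNode, biz: BusinessNode, risk_threshold: float) -> List[str]:
    """Constructed stand-in for the three layers of [0254]: network (exclusive VLAN),
    hardware (fingerprint re-check), business (risk value). Returns the failed layers."""
    failed = []
    if p.vlan_id != biz.vlan_id:
        failed.append("network")
    if fingerprint(p.reported_attrs) != p.recorded_fingerprint:
        failed.append("hardware")
    if p.risk_value > risk_threshold:
        failed.append("business")
    return failed

def extend_and_migrate(biz: BusinessNode, reserve: ReservePool, needed: int,
                       risk_threshold: float, result: bytes) -> Dict[str, object]:
    """[0248]-[0250]: verify reserve nodes in delay order, reject failures, keep going
    until enough pass, then migrate the load together with the result hash."""
    accepted, rejected, key_map = [], {}, {}
    while reserve.nodes and len(accepted) < needed:
        p = reserve.nodes.pop(0)
        failures = three_layer_verify(p, biz, risk_threshold)
        if failures:
            rejected[p.node_id] = failures  # refused on-chain; the next reserve node is tried
            continue
        accepted.append(p.node_id)
        key_map[p.public_key] = biz.public_key  # parameter-node key mapped to the business key
    migrated = len(accepted) == needed
    return {"accepted": accepted, "rejected": rejected, "key_map": key_map, "migrated": migrated,
            "result_hash": hashlib.sha256(result).hexdigest() if migrated else None}

def demo() -> Dict[str, object]:
    """Constructed scenario: four idle servers, one with a tampered hardware report and
    one with an excessive risk value; two nodes are needed for the migration."""
    biz = BusinessNode("biz-1", "pk-biz-1", (0.0, 0.0), 110, over_limit_probability=0.87)
    def server(nid, loc, attrs, risk=0.05, tamper=None):
        return ParameterNode(nid, f"pk-{nid}", loc, 110, risk, fingerprint(attrs), dict(attrs, **(tamper or {})))
    pool = [server("srv-a", (1.0, 1.0), {"cpu": "x-1", "nic": "mac-1"}, tamper={"nic": "mac-9"}),
            server("srv-b", (4.0, 0.0), {"cpu": "x-2", "nic": "mac-2"}),
            server("srv-c", (2.0, 2.0), {"cpu": "x-3", "nic": "mac-3"}, risk=0.4),
            server("srv-d", (9.0, 9.0), {"cpu": "x-4", "nic": "mac-4"})]
    reserve = ReservePool()
    triggered = trigger_extension(biz, pool, reserve, threshold=0.8, reserve_size=4)
    needed = required_nodes(expected_migration_load=12.0, max_node_load=8.0)
    outcome = extend_and_migrate(biz, reserve, needed, risk_threshold=0.3, result=b"constructed-result")
    outcome.update(triggered=triggered, needed=needed, reserve_key_map=dict(reserve.key_map))
    return outcome
```

In the constructed scenario the nearest server fails the hardware re-check and the next nearest exceeds the risk threshold, so the contract keeps consuming the reserve sub-pool until two nodes pass, exactly the fall-through behaviour of [0250].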
[0251] When at least one node in the distributed coupled association mapping chain receives a cross-chain resource request, it directly rejects the corresponding request and adds it to the blacklist. When the business processing sub-node of the distributed coupled association mapping chain completes its business calculation, it directly removes the completed business processing sub-node from the chain. At the same time, it clears the business information stored in the business processing sub-node and the on-chain association mapping parameter information corresponding to the corresponding isolated block sub-node, and saves the calculation result in the corresponding isolated block sub-node.
[0252] If the corresponding cross-chain resource request still exists after the calculation is completed, then according to the cross-chain resource request, the physical resource node of the next chain and the parameter information stored in the corresponding parameter node are associated and mapped to the distributed coupled association mapping chain corresponding to the cross-chain resource request.
[0253] When the business operation risk value of at least one node in the distributed coupled association mapping chain exceeds the preset abnormal probability threshold, the on-chain loading process is repeated for the abnormal physical resource node: a new physical resource node is obtained from the reserve resource sub-pool, and on-chain verification and the three-layer resource interaction verification are performed. When all verifications pass, the information of the corresponding abnormal isolation block sub-node and business processing sub-node is migrated to the newly on-chained isolation block sub-node and business processing sub-node, which continue the operation until it is completed. After completion, the business processing sub-chain in the distributed coupled association mapping chain is directly disbanded and all business and configuration information is cleared. At the same time, the on-chain association mapping information corresponding to the business processing sub-nodes in the business processing sub-chain is cleared, and only the operation result is retained in the isolation block sub-chain.
[0254] The self-closed-loop control system of the elastic bare-metal service chain constructed in this embodiment dynamically triggers resource expansion decisions by fusing analysis of real-time hardware health characteristics and business load, combined with predictive analysis models. During node migration, a three-layer protection mechanism is adopted, including network layer flow table comparison, hardware layer TPM verification, and business layer encryption processing, to block forgery attacks and ensure data integrity. In cross-chain scenarios, abnormal requests are intercepted and attack fingerprints are recorded based on a zero-trust mechanism, and security cleanup and compliant storage are performed after the business ends. To address the issue of excessive node anomaly probability, the system automatically schedules node replacement from the reserve resource sub-pool, synchronously migrates business status, and isolates old nodes, forming a closed-loop security system covering the entire process of perception, decision-making, migration, and protection.
[0255] Example 2:
[0256] Please see Figure 3. Another embodiment of the present invention provides an elastic bare metal server resource exclusive-use and security isolation protection system, including a coupled service chain module, an isolation verification module and a repair module.
[0257] The coupled service chain module responds to user demand and configuration information based on the smart contracts configured on the elastically coupled blockchain, and combines a preset resource configuration adjustment model with the PoS+QoS consensus algorithm to obtain a distributed coupled association mapping chain.
[0258] The distributed coupled association mapping chain is constructed by each block node on the elastically coupled blockchain, combining the corresponding configured resource requirements and the corresponding unique identity fingerprint.
[0259] The isolation verification module is used to deploy and start the distributed coupled association mapping chain. At the same time, it uses the preset three-layer dynamic protection algorithm and the required completion progress to detect and judge the internal and external operating status of the distributed coupled association mapping chain in real time and obtain the judgment result.
[0260] The repair module is used to feed back the judgment results to the resource configuration adjustment model and combine them with the preset security adjustment strategy library to perform real-time anomaly repair and resource on / off chain adjustment on the distributed coupled association mapping chain.
[0261] The embodiments of the present invention have been described above with reference to the accompanying drawings. However, the present invention is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make changes, modifications, substitutions and variations to the above embodiments under the guidance of the present invention without departing from the spirit and scope of the claims. All of these variations are within the protection scope of the present invention.
Claims
1. A method for ensuring dedicated and secure isolation of resources on an elastic bare-metal server, characterized in that it includes: A pre-defined elastically coupled blockchain is used. Based on the smart contracts configured on the elastically coupled blockchain, resources are configured in response to user needs. Combined with a pre-defined resource configuration adjustment model, PoS+QoS consensus algorithm and server group, a distributed coupled association mapping chain is obtained. The distributed coupled association mapping chain includes an isolation block sub-chain and a business processing sub-chain. The isolation block sub-chain contains M isolation block child nodes and one extended isolation block child node. The business processing sub-chain contains M business processing child nodes. The isolation block child nodes are used to store the key-public key, identity fingerprint, hash table of the running results, and verification and on / off chain adjustment of the security isolation interaction strategy for the corresponding business processing child node. The business processing sub-chain is used to perform load adjustment and calculation of user demand services based on real-time load data, and each business processing child node in the business processing sub-chain is only allowed to interact with other business processing child nodes within the chain. The distributed coupled association mapping chain is constructed by each blockchain node on the elastic coupled blockchain, combining the unique identity fingerprint and configuration parameters of the corresponding configuration requirements and configuration resources.
The construction process of the distributed coupled association mapping chain includes: In the business processing sub-chain, a load operation limit threshold is set for each node, and an extended association mapping between each business processing sub-node and the extended isolation block sub-node is established based on the set load operation limit threshold. The extended association mapping is then embedded into the on-chain extended contract between the isolation block sub-chain and the preparatory resource sub-pool configured by the resource exchange pool. When the probability that the predicted load obtained by each business processing sub-node, configured with a predictive analysis model and combined with real-time running load data, is greater than the preset load over-limit probability threshold, the on-chain extended contract is triggered. Based on the information stored in the over-limit corresponding business processing sub-node and the isolation block sub-node, combined with the information saved in the resource exchange pool corresponding to the idle parameter node and the distance between the physical resource node corresponding to each parameter node and the currently predicted over-limit business processing sub-node, a matching algorithm is used to select the parameter node by combining the principle of shortest delay, and the matched parameter node is stored in the reserve resource sub-pool. At the same time, the public key associated with the business processing sub-node corresponding to the predicted over-limit is mapped to the corresponding parameter node obtained by matching the reserve resource sub-pool, and the extended on-chain association mapping is performed. Deploy and start the distributed coupled-association mapping chain. 
Simultaneously, using a preset three-layer dynamic protection algorithm and meeting required progress, perform real-time detection and judgment of the internal and external operating status of the distributed coupled-association mapping chain. Feed back the judgment results to a resource configuration adjustment model, combined with a preset security adjustment strategy library, to perform real-time anomaly repair and resource on / off chain adjustment for the distributed coupled-association mapping chain. The steps of performing real-time anomaly repair and resource on / off chain adjustment for the distributed coupled-association mapping chain include: The system monitors the running status information of the distributed coupled association mapping chain within and between the chains in real time, and performs real-time anomaly detection through the configured anomaly detection model. When it is detected that there is at least one business processing sub-node with abnormal load, the system triggers the on-chain extension contract. Based on the expected migration load corresponding to the load abnormality and the maximum load of the physical resource node corresponding to the prepared resource sub-pool, the system obtains the physical resource node quantity of the business processing sub-node with abnormal load. Based on the physical resource node quantity of the load anomaly business processing sub-node, the corresponding number of isolated block sub-nodes and business processing sub-nodes are extended in the distributed coupled association mapping chain through the on-chain extension contract. The public-private key stored in the parameter node corresponding to the on-chain physical resource node in the prepared resource sub-pool is associated and mapped to the public key of the load anomaly business processing sub-node. On-chain verification is performed through smart contract combined with resource configuration adjustment model.
When the verification is successful, the corresponding on-chain parameter node and physical resource node are associated and mapped to the corresponding isolated block sub-node and business processing sub-node. Once the association mapping is complete, the new isolated block sub-nodes on the chain are interactively verified using the three-layer dynamic protection algorithm configured in the isolated block sub-nodes corresponding to the load anomaly business processing sub-nodes. If the verification is successful, the abnormal load is migrated to the new business processing sub-nodes that have passed the verification, and the corresponding result hash is synchronously migrated to the corresponding isolated block sub-nodes for the required business calculations. If the parameter node corresponding to the current physical resource node fails the verification, the current physical resource node and its corresponding parameter node will be rejected from being put on the chain. The remaining parameter nodes and physical resource nodes in the reserve resource sub-pool will continue to be verified until the load migration requirements of the load anomaly business processing sub-node are met.
2. The method for ensuring exclusive resource access and security isolation of elastic bare metal servers as described in claim 1, characterized in that the distributed coupled association mapping chain is configured with a resource exchange pool; the resource exchange pool is configured with a resource interaction verification network; the resource exchange pool is used to store the configuration, performance, identity fingerprint, historical configuration running status and functions of the server group, and the resource interaction verification network performs real-time resource on / off chain verification interaction through the configured parameter-resource one-to-one association mapping and the distributed coupled association mapping chain. The construction steps of the resource interaction verification network include: The system monitors and acquires the configuration, performance, identity fingerprint, historical configuration running status and functions, and current idle running status data of all server groups at the current moment, and constructs a comprehensive status sequence set of real-time idle elastic bare metal servers. Based on the performance, historical configuration operation status, and current idle operation status data in the comprehensive state sequence set, an evaluation algorithm is used to obtain the health status score corresponding to each idle elastic bare metal server. Combined with the Bayesian probability model built into the evaluation algorithm, the business operation risk value after the corresponding configuration resources are put on the blockchain is obtained.
3. The method for ensuring exclusive resource access and security isolation of elastic bare metal servers as described in claim 2, characterized in that the construction steps of the resource interaction verification network also include: The functional attributes, identity fingerprints, health status scores, and configuration status of the server group are stored in each parameter node of the metadata subnet within the resource interaction verification network, and a corresponding verification key-public key pair is generated based on the identity fingerprint and location information of each parameter node. A physical resource subnet is constructed based on the server group, and the public key of the server corresponding to each parameter node is associated and mapped to the physical resource node corresponding to the physical resource subnet, establishing a parameter-resource one-to-one association mapping; each physical resource node represents a server. Based on parameter-resource one-to-one association mapping, metadata subnet and physical resource subnet, a resource interaction verification network is obtained through topology space algorithm, and the initial state of the corresponding server in each parameter node is set to idle.
4. The method for ensuring exclusive resource access and security isolation of elastic bare metal servers as described in claim 3, characterized in that the construction process of the distributed coupled association mapping chain also includes: Obtain the user resource demand sequence, trigger the demand parsing model in the smart contract of the elastically coupled blockchain, and obtain the user resource demand space; Based on the user resource demand space and resource interaction verification network, the matching algorithm combined with the PoS+QoS consensus algorithm is used to obtain the server resources and number of servers that meet the user's needs. The initial state of the corresponding parameter node of the server obtained from the resource exchange pool is converted into the current occupied state, and the occupied state timestamp interval is marked. Based on the number of servers, combined with blockchain and smart contracts, a distributed coupled and related mapping chain is constructed.
5. The method for ensuring exclusive resource access and security isolation of elastic bare metal servers as described in claim 4, characterized in that the construction process of the distributed coupled association mapping chain also includes: The identity fingerprint, parameter-resource one-to-one association mapping, key-public key pair, and marked occupation status timestamp interval of each server corresponding parameter node in the server resources that meet user needs are associated and mapped from the parameter node in the metadata subnet to the corresponding isolated block sub-node in the isolated block sub-chain through smart contracts for resource on-chaining, and a three-layer dynamic protection algorithm is configured on the interface corresponding to each isolated block sub-node after the resources are on-chain. Simultaneously, based on the physical resource subnet, select the physical resource node corresponding to the server, construct the service processing subchain and configure the exclusive virtual LAN identifier and VLAN identifier, and use parameter-resource one-to-one association mapping to connect the service processing sub-nodes in the service processing subchain with the corresponding isolation block sub-nodes. The public key stored in the isolation block sub-nodes corresponding to the isolation block sub-chain is associated and mapped to the corresponding service processing sub-nodes. At the same time, the virtual LAN identifier, VLAN identifier, and storage hash corresponding to each service processing sub-node configured in the service processing sub-chain are associated and mapped to the corresponding isolation block sub-nodes.
6. The method for ensuring exclusive resource access and security isolation of elastic bare metal servers as described in claim 5, characterized in that the steps of real-time anomaly repair and resource on / off chain adjustment of the distributed coupled association mapping chain also include: When at least one node in the distributed coupled association mapping chain receives a cross-chain resource request, it directly rejects the corresponding request and adds it to the blacklist. When the business processing sub-node of the distributed coupled association mapping chain completes its business operation, it directly removes the completed business processing sub-node from the chain, clears the business information stored in the business processing sub-node and the on-chain association mapping parameter information corresponding to the corresponding isolated block sub-node, and saves the operation result in the corresponding isolated block sub-node. If the corresponding cross-chain resource request still exists after the calculation is completed, then according to the cross-chain resource request, the physical resource node of the next chain and the parameter information stored in the corresponding parameter node are associated and mapped to the distributed coupled association mapping chain corresponding to the cross-chain resource request. When the risk value of the business operation of at least one node in the distributed coupled association mapping chain exceeds the preset abnormal probability threshold, the process of loading the abnormal physical resource node onto the chain is repeated. A new physical resource node is obtained from the reserve resource sub-pool, and on-chain verification and resource interaction three-layer verification are performed.
When all verifications pass, the information of the corresponding abnormal isolation block sub-node and business processing sub-node is migrated to the new on-chain isolation block sub-node and business processing sub-node to continue the operation until the operation ends. The business processing sub-chain in the distributed coupled association mapping chain is directly disbanded and all business and configuration information is cleared. At the same time, the on-chain association mapping information corresponding to the business processing sub-node in the business processing sub-chain is cleared, and only the operation result is retained in the isolation block sub-chain.
7. A system for ensuring exclusive resource access and security isolation of elastic bare metal servers, used to implement the method for ensuring exclusive resource access and security isolation of elastic bare metal servers as described in any one of claims 1-6, characterized in that it comprises a coupled service chain module, an isolation verification module, and a repair module. The coupled service chain module, based on the smart contract configuration on the elastically coupled blockchain, responds to user demand configuration information and combines a preset resource configuration adjustment model with the PoS+QoS consensus algorithm to obtain a distributed coupled association mapping chain. The distributed coupled association mapping chain includes an isolated block sub-chain and a business processing sub-chain. The isolated block sub-chain contains M isolated block sub-nodes and one extended isolated block sub-node. The business processing sub-chain contains M business processing sub-nodes. The isolated block sub-nodes are used to store the corresponding business processing sub-node's public-private key pair, identity fingerprint, and hash table of execution results, and to perform verification and on/off-chain adjustment of the security isolation interaction strategy. The business processing sub-chain is used to perform load adjustment and user demand business calculations based on real-time load data, and each business processing sub-node in the business processing sub-chain is only allowed to interact with other business processing sub-nodes within the chain. The distributed coupled association mapping chain is constructed by each block node on the elastically coupled blockchain, combining the corresponding configured resource requirements and the corresponding unique identity fingerprint.
The construction process of the distributed coupled association mapping chain includes: in the business processing sub-chain, a load operation limit threshold is set for each node, and an extended association mapping between each business processing sub-node and the extended isolation block sub-node is established based on the set load operation limit threshold. The extended association mapping is then embedded into the on-chain extended contract between the isolation block sub-chain and the reserve resource sub-pool configured by the resource exchange pool. When the probability of the predicted load, obtained by each business processing sub-node from its configured predictive analysis model combined with real-time running load data, is greater than the preset load over-limit probability threshold, the on-chain extended contract is triggered. Based on the information stored in the over-limit business processing sub-node and its isolation block sub-node, combined with the information saved in the resource exchange pool for each idle parameter node and the distance between the physical resource node corresponding to each parameter node and the currently predicted over-limit business processing sub-node, a matching algorithm selects the parameter node according to the principle of shortest delay, and the matched parameter node is stored in the reserve resource sub-pool. At the same time, the public key associated with the predicted over-limit business processing sub-node is mapped to the corresponding parameter node obtained by matching from the reserve resource sub-pool, and the extended on-chain association mapping is performed. The isolation verification module is used to deploy and start the distributed coupled association mapping chain.
At the same time, it uses a preset three-layer dynamic protection algorithm and the required completion progress to detect and judge the internal and external operating status of the distributed coupled association mapping chain in real time and obtain the judgment result. The repair module is used to feed back the judgment result to the resource configuration adjustment model and, in conjunction with a preset security adjustment strategy library, perform real-time anomaly repair and resource on/off-chain adjustment on the distributed coupled association mapping chain, specifically including: the system monitors the running status information of the distributed coupled association mapping chain within and between chains in real time, and performs real-time anomaly detection through the configured anomaly detection model. When at least one business processing sub-node with abnormal load is detected, the system triggers the on-chain extension contract. Based on the expected migration load corresponding to the load anomaly and the maximum load of a physical resource node in the reserve resource sub-pool, the system obtains the number of physical resource nodes required by the load-anomaly business processing sub-node. Based on that number, the corresponding number of isolated block sub-nodes and business processing sub-nodes are extended in the distributed coupled association mapping chain through the on-chain extension contract. The public-private key stored in the parameter node corresponding to the on-chain physical resource node in the reserve resource sub-pool is associated and mapped to the public key of the load-anomaly business processing sub-node. On-chain verification is performed through the smart contract combined with the resource configuration adjustment model.
When the verification is successful, the corresponding on-chain parameter node and physical resource node are associated and mapped to the corresponding isolated block sub-node and business processing sub-node. Once the association mapping is complete, the new isolated block sub-nodes on the chain are interactively verified using the three-layer dynamic protection algorithm configured in the isolated block sub-nodes corresponding to the load anomaly business processing sub-nodes. If the verification is successful, the abnormal load is migrated to the new business processing sub-nodes that have passed the verification, and the corresponding result hash is synchronously migrated to the corresponding isolated block sub-nodes for the required business calculations. If the parameter node corresponding to the current physical resource node fails the verification, the current physical resource node and its corresponding parameter node will be rejected from being put on the chain. The remaining parameter nodes and physical resource nodes in the reserve resource sub-pool will continue to be verified until the load migration requirements of the load anomaly business processing sub-node are met.
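The repair module's extension procedure above, as an added illustration (not code from the patent or its assignee): sizing the extension from the expected migration load, walking the reserve resource sub-pool in shortest-delay order, mapping each verified parameter node's key to the anomalous sub-node, and rejecting nodes that fail verification while continuing until the migration load is covered. The fingerprint derivation, the three checks inside `three_layer_verify`, and the sample pool are all assumptions made for the example.

```python
import hashlib
import math
from dataclasses import dataclass

@dataclass
class ParamNode:
    """Parameter node in the reserve resource sub-pool (constructed sample data)."""
    node_id: str
    pubkey: str
    fingerprint: str
    max_load: float   # maximum load of the mapped physical resource node
    delay_ms: float   # delay to the load-anomaly business processing sub-node

def identity_fingerprint(pubkey: str) -> str:
    """Hypothetical fingerprint derivation: SHA-256 of the node's public key."""
    return hashlib.sha256(pubkey.encode()).hexdigest()[:16]

def required_node_count(expected_migration_load: float, node_max_load: float) -> int:
    """Number of physical resource nodes to extend: migration load over per-node max load."""
    return math.ceil(expected_migration_load / node_max_load)

def three_layer_verify(node: ParamNode, chain_keys: set) -> bool:
    """Stand-in for the three-layer check (assumed): key registered on chain,
    identity fingerprint consistent with the key, and usable capacity."""
    return (node.pubkey in chain_keys
            and node.fingerprint == identity_fingerprint(node.pubkey)
            and node.max_load > 0)

def plan_extension(expected_migration_load, pool, anomaly_pubkey, chain_keys):
    """Select nodes by shortest delay; verified nodes are key-mapped to the anomalous
    sub-node, failed nodes are rejected from the chain, until the load is covered."""
    accepted, rejected, key_map = [], [], {}
    remaining = expected_migration_load
    for node in sorted(pool, key=lambda n: n.delay_ms):
        if remaining <= 0:
            break
        if three_layer_verify(node, chain_keys):
            accepted.append(node.node_id)
            key_map[node.pubkey] = anomaly_pubkey   # parameter-node key -> anomalous sub-node key
            remaining -= node.max_load
        else:
            rejected.append(node.node_id)           # refused on-chain admission
    return {"accepted": accepted, "rejected": rejected,
            "key_map": key_map, "unmet_load": max(remaining, 0.0)}

# Constructed sample pool: "B" carries a forged fingerprint, "pk_D" is not registered on chain.
SAMPLE_POOL = [ParamNode("A", "pk_A", identity_fingerprint("pk_A"), 4.0, 5.0),
               ParamNode("B", "pk_B", "deadbeef", 3.0, 2.0),
               ParamNode("C", "pk_C", identity_fingerprint("pk_C"), 4.0, 8.0),
               ParamNode("D", "pk_D", identity_fingerprint("pk_D"), 4.0, 1.0)]
CHAIN_KEYS = {"pk_A", "pk_B", "pk_C"}
```

With a 6.0 migration load the lowest-delay candidates D and B are rejected and A and C are admitted, leaving no unmet load.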