CN115208835A - API classification method, device, electronic equipment, medium and product - Google Patents
API classification method, device, electronic equipment, medium and product Download PDFInfo
- Publication number
- CN115208835A CN115208835A CN202210613369.4A CN202210613369A CN115208835A CN 115208835 A CN115208835 A CN 115208835A CN 202210613369 A CN202210613369 A CN 202210613369A CN 115208835 A CN115208835 A CN 115208835A
- Authority
- CN
- China
- Prior art keywords
- api
- data
- apis
- identification library
- application identification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Stored Programmes (AREA)
Abstract
The invention provides an API classification method, device, electronic equipment, medium and product, wherein the method comprises the following steps: decoding the flow data flowing through the API to obtain decoded data; extracting feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining application name tags corresponding to the APIs and the categories of the APIs, wherein the application identification library is constructed according to the collected application name tags corresponding to the APIs and the categories of the APIs. According to the method provided by the invention, the application name tag is marked on the determined API, so that the API is managed conveniently, the risk API is found in time, and the asset safety is improved.
Description
Technical Field
The invention relates to the technical field of API security, in particular to an API classification method, an API classification device, electronic equipment, media and products.
Background
With the continuous development of network security technology, realizing the accurate classification of the API has important significance for asset security.
In the prior art, classification of APIs is realized around network boundaries and terminal deployment defense, and this processing manner cannot perform detailed application classification management on APIs, and particularly cannot observe newly added and modified APIs for a large number of confused APIs, and the newly added and modified APIs may have risks but cannot be observed. For example: an interface which is temporarily debugged by an engineer is forgotten to be closed, so that the interface is easily a risk API, or a back door API left by a hacker cannot be found, and when a risk exists, a certain potential safety hazard exists in the asset.
Disclosure of Invention
The invention provides an API classification method, an API classification device, electronic equipment, a medium and a product, which are used for solving the technical problem that in the prior art, due to the fact that accurate API classification cannot be realized, asset safety cannot be guaranteed, and the aims of achieving API fine classification and improving asset safety in a labeling mode are achieved.
In a first aspect, the present invention provides an API classification method, including:
decoding the flow data flowing through the API to obtain decoded data;
extracting feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and the type of the API;
the application identification library is constructed according to the acquired application name labels corresponding to the APIs and the categories of the APIs.
Further, according to the API classification method provided by the present invention, the extracting the feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and a category of the API, includes:
extracting HTTP field data from the decoded data;
and comparing the HTTP field data with the characteristic information in a preset application identification library to determine an application name tag corresponding to the API and the type of the API.
Further, according to the API classification method provided by the invention, the categories of the API are safe API and unknown API,
correspondingly, the comparing the HTTP field data with the feature information in the preset application identification library to determine the application name tag corresponding to the API and the type of the API includes:
and when the feature information corresponding to the HTTP field data exists in a preset application identification library, determining an application name tag corresponding to the API, and determining that the type of the API is a safety API.
Further, according to the API classification method provided by the invention, the categories of the API are safe API and unknown API,
correspondingly, the comparing the HTTP field data with the feature information in the preset application identification library to determine the application name tag corresponding to the API and the type of the API further includes:
and when the feature information corresponding to the HTTP field data does not exist in a preset application identification library, determining the type of the API as an unknown API.
Further, according to the API classification method provided by the present invention, before the decoding of the traffic data flowing through the API, the method includes:
determining a plurality of first sample APIs of each application and common component;
acquiring a plurality of first sample flow data flowing through the plurality of first sample APIs, and extracting a plurality of characteristic information of the plurality of first sample flow data;
and updating an application identification library of the security detection system according to the characteristic information.
Further, according to the API classification method provided by the present invention, the updating the application identification library of the security detection system according to the plurality of feature information includes:
determining general characteristic information according to the characteristic information; wherein the general characteristic information is characteristic information included in the plurality of first sample flow data;
and updating the application identification library of the safety detection system according to the general characteristic information based on the operation and maintenance technology.
Further, according to the API classification method provided by the present invention, before decoding the traffic data flowing through the API, the method further includes:
determining second sample flow data flowing through a second sample API;
decoding and feature extracting are carried out on the second sample flow data to obtain second sample feature data;
marking a corresponding application name label for the second sample API according to the regular or character string matched characteristic information of the application identification library;
expanding the application identification library according to the second sample API and the corresponding application name tag;
wherein the second sample API is a different API from the first sample API and belongs to an unknown class of API.
In a second aspect, the present invention further provides an API classification apparatus, including:
the decoding module is used for decoding the flow data flowing through the API to obtain decoded data;
the extraction and determination module is used for extracting the feature data of the decoded data, comparing the feature data with feature information in a preset application identification library and determining an application name tag corresponding to the API and the category of the API;
the application identification library is constructed according to the acquired application name labels corresponding to the APIs and the categories of the APIs.
In a third aspect, the present invention also provides an electronic device, including:
a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor calling the program instructions to perform the steps of the API classification method as described in any one of the above.
In a fourth aspect, the present invention also provides a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the steps of the API classification method as described above.
In a fifth aspect, the present invention also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of the API classification method according to any one of the preceding claims.
The invention provides an API classification method, device, electronic equipment, medium and product, wherein the method comprises the following steps: decoding the flow data flowing through the API to obtain decoded data; and extracting the feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and the type of the API. According to the method provided by the invention, the application name tag is marked on the determined API, so that the API is managed conveniently, the risk API is found in time, and the asset safety is improved.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow chart of an API classification method provided by the present invention;
FIG. 2 is a schematic overall flow chart of the API classification method provided by the present invention;
FIG. 3 is a schematic structural diagram of an API classification apparatus provided in the present invention;
fig. 4 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a diagram illustrating an API classification method provided by the present invention, and as shown in fig. 1, the API classification method provided by the present invention specifically includes the following steps:
step 101: and decoding the flow data flowing through the API to obtain decoded data.
In this embodiment, it is necessary to decode the traffic data flowing through the API to obtain decoded data, and in this embodiment, it is preferable to extract HTTP data and use the HTTP data as the decoded data. In this embodiment, when decoding the traffic data, a decoding method that is relatively mature in the prior art is adopted, and is not described in detail here.
Step 102: extracting feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and the type of the API, wherein the application identification library is constructed according to the application name tags corresponding to the acquired APIs and the type of the API.
In this embodiment, it is necessary to extract decoded data obtained by decoding the flow data in step 101, then extract feature data from the decoded data, compare the feature data with feature information in a preset application identification library, and determine an application name tag corresponding to the API and a category of the API, where the application name tag is tag information used for describing an attribute of the API, specifically, it is determined by determining matching feature data in a regular or character string manner in a rule base, for example, 2007 application ERP.
It should be noted that the category of the API refers to information for determining whether the API is safe, and is divided into two categories, i.e., a safe API and an unknown API, where the unknown API is an API that may be dangerous. In other embodiments, the data may be classified into other categories, which are not specifically limited.
It should be noted that the application identification library may be constructed in advance according to the collected application name tags corresponding to the multiple APIs and the categories of the APIs, and includes the application name tags corresponding to the multiple APIs and the category information of the APIs, and the application identification library may be directly applied.
According to the API classification method provided by the invention, the flow data flowing through the API are decoded to obtain decoded data; and extracting the feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and the type of the API. According to the method provided by the invention, the application name tag is marked on the determined API, so that the API is managed conveniently, the risk API is found in time, and the asset safety is improved.
Based on any one of the above embodiments, in this embodiment, the extracting feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and a category of the API, includes:
extracting HTTP field data from the decoded data;
and comparing the HTTP field data with the characteristic information in a preset application identification library to determine an application name label corresponding to the API and the type of the API.
In this embodiment, HTTP field data is extracted from decoded data, the HTTP field data is used as feature data, and is compared with feature information in a preset application identification library, and then an application name tag corresponding to an API and a category of the API are determined according to a comparison result, if the application name tag of the API is obtained by comparing the HTTP field data with the feature information in the application identification library, that is, if the API is tagged, the API is determined to be a secure API; if the corresponding application name tag is not determined, the API is determined to be an unknown API, namely the API is a risky API, such as a temporary interface and a hacker back door API interface, which belong to unknown APIs, and at this time, an administrator only needs to focus on checking the unknown APIs. It should be noted that the tag information in the application identification library needs to be stored in advance, and the specific processing manner is described in the following embodiments, which will not be described in detail herein.
According to the API classification method provided by the embodiment of the invention, the HTTP field data is extracted from the decoded data, and then the HTTP field data is compared with the characteristic information in the preset application identification library to determine the application name tag corresponding to the API and the type of the API.
Based on any of the above embodiments, in this embodiment, the categories of the APIs are secure APIs and unknown APIs,
correspondingly, the comparing the HTTP field data with the feature information in the preset application identification library to determine the application name tag corresponding to the API and the category of the API includes:
and when the feature information corresponding to the HTTP field data exists in a preset application identification library, determining an application name tag corresponding to the API, and the type of the API is a safety API.
In this embodiment, when feature information corresponding to the HTTP field data exists in a preset application identification library, it is determined that an application name tag corresponding to the API and the type of the API is a security API, where the security API may be an unknown API found in advance, and if the application identification library is marked with the corresponding application name tag, it is determined that the API is a security API, for example, a database, an OA, a public component (e.g., docker, etcd, k8s, mysql \8230), a content management system, and the like.
It should be noted that the categories of the APIs are divided into a secure API and an unknown API, and it can be determined whether the API is specifically a secure API or an unknown API with risk according to the application name tag information. An application name tag, such as 3516 public component infiluxdb, by which it can be determined that the component flowing through the API is a public component and belongs to a secure API.
According to the API classification method provided by the invention, when the feature information corresponding to the HTTP field data exists in the preset application identification library, the application name label corresponding to the API is determined, and the type of the API is the safe API, so that the type of the API can be accurately determined, and the accuracy of automatic classification processing of the API is improved.
Based on any of the above embodiments, in this embodiment, the categories of the APIs are a secure API and an unknown API,
correspondingly, the comparing the HTTP field data with the feature information in the preset application identification library to determine the application name tag corresponding to the API and the type of the API further includes:
and when the feature information corresponding to the HTTP field data does not exist in a preset application identification library, determining the type of the API as an unknown API.
In this embodiment, when there is no feature information corresponding to HTTP field data in the preset application identification library, it is determined that the type of the API is an unknown API, that is, the API belongs to a risky API, for example, an ES component is not used in a company, an API of a stack of ES appears suddenly, and if no API is set for automatic classification, it is difficult for an administrator to know the information, and by the solution provided by the present invention, the interface can be determined as a dangerous API at a glance; for another example, a hacker intrudes into the server to leave back door APIs, which are recognized and marked with unknown labels, and the administrator can timely discover and process the APIs.
According to the API classification method provided by the invention, when the feature information corresponding to the HTTP field data does not exist in the preset application identification library, the type of the API is determined to be unknown API, so that the API with risk can be determined in time, and the property of asset safety detection is improved.
Based on any one of the above embodiments, in this embodiment, before the decoding the traffic data flowing through the API, the method includes:
determining a plurality of first sample APIs of each application and common component;
acquiring a plurality of first sample flow data flowing through the plurality of first sample APIs, and extracting a plurality of characteristic information of the plurality of first sample flow data;
and updating an application identification library of the safety detection system according to the characteristic information.
In this embodiment, before decoding the traffic data flowing through the API, a large number of applications and public components on the market need to be investigated, a plurality of first sample APIs of each application and public component are determined, the plurality of first sample APIs are analyzed, a network protocol is analyzed, and first sample traffic data is extracted. The first sample API refers to an API for which the corresponding tag information is known.
For example, flow MQTT-WebSocket is extracted, in the flow, a flow request and corresponding host information are provided with Sec-WebSocket-Protocol: MQTT, the character string is determined as a general characteristic, a rule is formed by utilizing a plurality of characteristics, and in later application, the flow meeting the rule is identified as an API of the MQTT type.
According to the API classification method provided by the invention, a plurality of first sample flow data flowing through a plurality of first sample APIs are obtained by determining a plurality of first sample APIs of each application and common component, a plurality of characteristic information of the plurality of first sample flow data is extracted, an application identification library of a safety detection system is updated according to the plurality of characteristic information, the obtained application identification library is applied to automatic classification of subsequent APIs, and the automatic classification efficiency can be improved.
Based on any one of the foregoing embodiments, in this embodiment, the updating the application identification library of the security detection system according to the multiple pieces of feature information includes:
determining general characteristic information according to the characteristic information; the general characteristic information is characteristic information contained in the plurality of first sample flow data;
and updating the application identification library of the safety detection system according to the general characteristic information based on the operation and maintenance technology.
In this embodiment, it is necessary to determine common feature information according to the obtained multiple feature information systems, and then update an application identification library of the security detection system according to the common feature information based on an operation and maintenance technology, where the common feature information is feature information included in each of multiple first sample traffic data, and for an application and a common component, rule matching manners are the same, and are both regular or character strings matching an HTTP field, but each specific rule, the regular or character string is different, and is a regular or character string created by extracting API traffic features of the application and the common component.
For example, the rule applied to the recognition base may be:
http_req_uri_path:{pcre:"/v[0-9._]+/|/v[0-9.]\w+/";nocase;};http_rsp_code:{value:"200|201|202|204|206";};
tcp:http(sport:"0-0";dport:"0-0";priority:70;ruletype:1;ruleid:60015;appid:4775;labels:[3516,2007];)。
it should be noted that, in this embodiment, the application identification library of the security detection system needs to be updated according to the obtained general feature information corresponding to the first sample API, for example, the original application name tag corresponding to the API-1 is 1, and it is determined that the application name tag of the API-1 has changed and is changed to 2 according to the general feature, so that the application name tag of the API-1 is adjusted from 1 to 2 by using the operation and maintenance technology, so that real-time update of data in the application identification library is realized, and real-time performance of automatic classification of the API is ensured.
According to the API classification method provided by the invention, the universal characteristic information is determined according to the plurality of characteristic information, and then the application identification library of the safety detection system is updated according to the universal characteristic information based on the operation and maintenance technology, so that the application identification library can be updated in real time, the accuracy of API classification processing is improved, and the efficiency of API automatic classification is improved.
Based on any one of the above embodiments, in this embodiment, before the decoding the traffic data flowing through the API, the method further includes:
determining second sample flow data flowing through a second sample API;
decoding and feature extracting are carried out on the second sample flow data to obtain second sample feature data;
marking a corresponding application name label for the second sample API according to the regular or character string matched characteristic information of the application identification library;
expanding the application identification library according to the second sample API and the corresponding application name tag;
wherein the second sample API is a different API from the first sample API and belongs to an unknown class of API.
In this embodiment, it is further required to determine second sample traffic data flowing through a second sample API, where the second sample API refers to some unknown APIs, and through analyzing the sample traffic accessing the API, decoding and extracting a field of the HTTP, that is, second sample feature data, and then binding a corresponding application name tag for the API by using a rule, which is regular or string-matched, in the application identification library, expanding the application identification library, and constructing a more comprehensive application identification library.
According to the API classification method provided by the invention, the second sample flow data flowing through the second sample API is determined, the second sample flow data is decoded and subjected to feature extraction to obtain the second sample feature data, and then the second sample API is marked with the corresponding application name label by applying the regular or character string matched feature information of the identification library, so that the purpose of expanding the application identification library is achieved, and the efficiency and the accuracy of API classification are improved.
Based on any of the above embodiments, as shown in fig. 2, in this embodiment, it is necessary to complete the construction of the application identification library in advance, investigate a large number of applications and public components on the market, analyze network protocols thereof, extract general features to form predefined rules, store the predefined rules in the application identification library, and update the application identification library in real time by the security detection system based on an operation and maintenance technical means.
It should be noted that, for an identified unknown API asset, by analyzing the traffic accessing the API, the HTTP data field is decoded and extracted, and then the corresponding application name tag is bound by applying the rule of regular or string matching of the identification library.
The rule information of the application recognition library is as follows:
http_req_uri_path:{pcre:"/v[0-9._]+/|/v[0-9.]\w+/";nocase;};http_rsp_code:{value:"200|201|202|204|206";};
tcp:http(sport:"0-0";dport:"0-0";priority:70;ruletype:1;ruleid:60015;appid:4775;labels:[3516,2007];)
after the rule identifies, binding the corresponding application name tag, specifically for example:
2007 applying ERP
3516 common component InfluxDB
According to the API classification method provided by the invention, the API assets can be conveniently managed by marking the corresponding application name tags on the APIs, the APIs with risks can be timely found, and the missing APIs are prevented from being attacked to cause company loss.
Fig. 3 is a flowchart of an API classification apparatus according to an embodiment of the present invention, as shown in fig. 3, the API classification apparatus specifically includes:
the decoding module 301 is configured to decode the flow data flowing through the API to obtain decoded data;
an extracting and determining module 302, configured to extract feature data of the decoded data, compare the feature data with feature information in a preset application identification library, and determine an application name tag corresponding to the API and a category of the API; the application identification library is constructed according to the acquired application name labels corresponding to the APIs and the categories of the APIs.
According to the API classification device provided by the invention, the flow data flowing through the API are decoded to obtain decoded data; and extracting the feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and the type of the API. The device provided by the invention can conveniently manage the API by marking the application name tag on the determined API, find the API with risks in time and improve the asset safety.
Further, the extracting and determining module 302 is further configured to:
extracting HTTP field data from the decoded data;
and comparing the HTTP field data with the characteristic information in a preset application identification library to determine an application name label corresponding to the API and the type of the API.
According to the API classification device provided by the embodiment of the invention, the HTTP field data are extracted from the decoded data, and then the HTTP field data are compared with the characteristic information in the preset application identification library to determine the application name label corresponding to the API and the type of the API.
Further, the API is classified into a security API and an unknown API, and the extracting and confirming module 302 is further configured to:
and when the feature information corresponding to the HTTP field data exists in a preset application identification library, determining an application name tag corresponding to the API, and determining that the type of the API is a safety API.
According to the API classification device provided by the invention, when the feature information corresponding to the HTTP field data exists in the preset application identification library, the application name label corresponding to the API is determined, and the type of the API is the safe API, so that the type of the API can be accurately determined, and the accuracy of automatic classification processing of the API is improved.
Further, the API is classified into a security API and an unknown API, and the extracting and confirming module 302 is further configured to:
and when the feature information corresponding to the HTTP field data does not exist in a preset application identification library, determining that the type of the API is unknown API.
According to the API classification device provided by the invention, when the feature information corresponding to the HTTP field data does not exist in the preset application identification library, the type of the API is determined to be unknown API, so that the API with risk can be determined in time, and the property of asset safety detection is improved.
Further, before the decoding the traffic data flowing through the API, the method includes:
determining a plurality of first sample APIs of each application and common component;
acquiring a plurality of first sample flow data flowing through the plurality of first sample APIs, and extracting a plurality of characteristic information of the plurality of first sample flow data;
and updating an application identification library of the safety detection system according to the characteristic information.
According to the API classification device provided by the invention, a plurality of first sample APIs of each application and common component are determined, a plurality of first sample flow data flowing through the plurality of first sample APIs are obtained, a plurality of characteristic information of the plurality of first sample flow data is extracted, an application identification library of a safety detection system is updated according to the plurality of characteristic information, the obtained application identification library is applied to automatic classification of subsequent APIs, and the automatic classification efficiency can be improved.
Further, the updating the application identification library of the security detection system according to the plurality of feature information includes:
determining general characteristic information according to the characteristic information; wherein the general characteristic information is characteristic information included in the plurality of first sample flow data;
and updating the application identification library of the safety detection system according to the general characteristic information based on the operation and maintenance technology.
According to the API classification device provided by the invention, the universal characteristic information is determined according to the plurality of characteristic information, and then the application identification library of the safety detection system is updated according to the universal characteristic information based on the operation and maintenance technology, so that the application identification library can be updated in real time, the accuracy of API classification processing is improved, and the automatic API classification efficiency is improved.
Further, before the decoding the traffic data flowing through the API, the method further includes:
determining second sample flow data flowing through a second sample API;
decoding and feature extracting are carried out on the second sample flow data to obtain second sample feature data;
marking a corresponding application name label for the second sample API according to the regular or character string matched characteristic information of the application identification library;
expanding the application identification library according to the second sample API and the corresponding application name tag;
wherein the second sample API is a different API from the first sample API and belongs to an unknown class of API.
According to the API classification device provided by the invention, the second sample flow data flowing through the second sample API is determined, the second sample flow data is decoded and subjected to feature extraction to obtain the second sample feature data, and then the corresponding application name label is marked on the second sample API by applying the regular or character string matched feature information of the identification library, so that the purpose of expanding the application identification library is achieved, and the efficiency and the accuracy of API classification are improved.
Since the principle of the apparatus according to the embodiment of the present invention is the same as that of the method according to the above embodiment, further details are not described herein for further explanation.
Fig. 4 is a schematic structural diagram of an electronic device provided in an embodiment of the present invention, and as shown in fig. 4, the present invention provides an electronic device, including: a processor (processor) 401, a memory (memory) 402, and a bus 403;
the processor 401 and the memory 402 complete communication with each other through the bus 403;
the processor 401 is configured to call the program instructions in the memory 402 to execute the methods provided in the above-mentioned embodiments of the methods, including, for example: decoding the flow data flowing through the API to obtain decoded data; extracting feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining application name tags corresponding to the APIs and the categories of the APIs, wherein the application identification library is constructed according to the collected application name tags corresponding to the APIs and the categories of the APIs.
Embodiments of the present invention provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided in the above-described method embodiments, for example, including: decoding the flow data flowing through the API to obtain decoded data; extracting feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and the type of the API, wherein the application identification library is constructed according to the application name tags corresponding to the acquired APIs and the type of the API.
The present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the embodiments described above, the method comprising: decoding the flow data flowing through the API to obtain decoded data; extracting feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining application name tags corresponding to the APIs and the categories of the APIs, wherein the application identification library is constructed according to the collected application name tags corresponding to the APIs and the categories of the APIs.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (11)
1. An API classification method, comprising:
decoding the flow data flowing through the API to obtain decoded data;
extracting feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and the type of the API;
the application identification library is constructed according to the acquired application name labels corresponding to the APIs and the categories of the APIs.
2. The API classification method according to claim 1, wherein the extracting feature data of the decoded data, comparing the feature data with feature information in a preset application identification library, and determining an application name tag corresponding to the API and a category of the API, includes:
extracting HTTP field data from the decoded data;
and comparing the HTTP field data with the characteristic information in a preset application identification library to determine an application name label corresponding to the API and the type of the API.
3. The API classification method of claim 2, wherein the classes of APIs are security APIs and unknown APIs,
correspondingly, the comparing the HTTP field data with the feature information in the preset application identification library to determine the application name tag corresponding to the API and the category of the API includes:
and when the feature information corresponding to the HTTP field data exists in a preset application identification library, determining an application name tag corresponding to the API, and the type of the API is a safety API.
4. The API classification method of claim 2, wherein the classes of APIs are security APIs and unknown APIs,
correspondingly, the comparing the HTTP field data with the feature information in the preset application identification library to determine the application name tag corresponding to the API and the category of the API further includes:
and when the feature information corresponding to the HTTP field data does not exist in a preset application identification library, determining the type of the API as an unknown API.
5. The API classification method of claim 1, prior to said decoding of traffic data flowing through the API, comprising:
determining a plurality of first sample APIs of each application and common component;
acquiring a plurality of first sample flow data flowing through the plurality of first sample APIs, and extracting a plurality of characteristic information of the plurality of first sample flow data;
and updating an application identification library of the security detection system according to the characteristic information.
6. The API classification method of claim 5, wherein the updating the application identification library of the security detection system according to the plurality of feature information comprises:
determining general characteristic information according to the characteristic information; the general characteristic information is characteristic information contained in the plurality of first sample flow data;
and updating the application identification library of the safety detection system according to the general characteristic information based on the operation and maintenance technology.
7. The API classification method of claim 5, prior to said decoding of traffic data flowing through the API, further comprising:
determining second sample flow data flowing through a second sample API;
decoding and feature extracting are carried out on the second sample flow data to obtain second sample feature data;
marking a corresponding application name label for the second sample API according to the regular or character string matched characteristic information of the application identification library;
expanding the application identification library according to the second sample API and the corresponding application name tag;
wherein the second sample API is a different API from the first sample API and belongs to an unknown class of API.
8. An API classification apparatus, comprising:
the decoding module is used for decoding the flow data flowing through the API to obtain decoded data;
the extraction and determination module is used for extracting the feature data of the decoded data, comparing the feature data with feature information in a preset application identification library and determining an application name tag corresponding to the API and the category of the API;
the application identification library is constructed according to the acquired application name labels corresponding to the APIs and the categories of the APIs.
9. An electronic device, comprising: a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the steps of the API classification method of any one of claims 1 to 7.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the steps of the API classification method of any one of claims 1 to 7.
11. A computer program product comprising computer executable instructions for performing the steps of the API classification method according to any one of claims 1 to 7 when executed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210613369.4A CN115208835A (en) | 2022-05-31 | 2022-05-31 | API classification method, device, electronic equipment, medium and product |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210613369.4A CN115208835A (en) | 2022-05-31 | 2022-05-31 | API classification method, device, electronic equipment, medium and product |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115208835A true CN115208835A (en) | 2022-10-18 |
Family
ID=83575610
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210613369.4A Pending CN115208835A (en) | 2022-05-31 | 2022-05-31 | API classification method, device, electronic equipment, medium and product |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115208835A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115208801A (en) * | 2022-05-27 | 2022-10-18 | 奇安信科技集团股份有限公司 | API (application program interface) collaborative identification method and device, electronic equipment, medium and product |
| CN117435959A (en) * | 2023-11-17 | 2024-01-23 | 广西壮族自治区信息中心 | Parameter-based API interface classification method and system |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107247902A (en) * | 2017-05-10 | 2017-10-13 | 深信服科技股份有限公司 | Malware categorizing system and method |
| CN109582841A (en) * | 2018-12-13 | 2019-04-05 | 北京锐安科技有限公司 | A kind of application and identification method, device, server and storage medium |
| CN109902073A (en) * | 2019-04-03 | 2019-06-18 | 北京奇安信科技有限公司 | Log processing method, device, computer equipment and computer readable storage medium |
| US20190213326A1 (en) * | 2018-01-11 | 2019-07-11 | ArecaBay, Inc. | Self-adaptive application programming interface level security monitoring |
| CN111027094A (en) * | 2019-12-04 | 2020-04-17 | 支付宝(杭州)信息技术有限公司 | Risk assessment method and device for private data leakage |
| CN113360800A (en) * | 2021-06-03 | 2021-09-07 | 深圳红途科技有限公司 | Method and device for processing featureless data, computer equipment and storage medium |
| CN113360916A (en) * | 2021-06-18 | 2021-09-07 | 奇安信科技集团股份有限公司 | Risk detection method, device, equipment and medium for application programming interface |
| CN113890902A (en) * | 2021-09-15 | 2022-01-04 | 奇安信科技集团股份有限公司 | Feature recognition library construction method and device and flow recognition method |
| CN114024651A (en) * | 2020-07-16 | 2022-02-08 | 深信服科技股份有限公司 | Method, device and equipment for identifying coding type and readable storage medium |
| CN114356693A (en) * | 2021-12-15 | 2022-04-15 | 绿盟科技集团股份有限公司 | Data monitoring method, device, medium and equipment |
-
2022
- 2022-05-31 CN CN202210613369.4A patent/CN115208835A/en active Pending
Patent Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107247902A (en) * | 2017-05-10 | 2017-10-13 | 深信服科技股份有限公司 | Malware categorizing system and method |
| US20190213326A1 (en) * | 2018-01-11 | 2019-07-11 | ArecaBay, Inc. | Self-adaptive application programming interface level security monitoring |
| CN109582841A (en) * | 2018-12-13 | 2019-04-05 | 北京锐安科技有限公司 | A kind of application and identification method, device, server and storage medium |
| CN109902073A (en) * | 2019-04-03 | 2019-06-18 | 北京奇安信科技有限公司 | Log processing method, device, computer equipment and computer readable storage medium |
| CN111027094A (en) * | 2019-12-04 | 2020-04-17 | 支付宝(杭州)信息技术有限公司 | Risk assessment method and device for private data leakage |
| CN114024651A (en) * | 2020-07-16 | 2022-02-08 | 深信服科技股份有限公司 | Method, device and equipment for identifying coding type and readable storage medium |
| CN113360800A (en) * | 2021-06-03 | 2021-09-07 | 深圳红途科技有限公司 | Method and device for processing featureless data, computer equipment and storage medium |
| CN113360916A (en) * | 2021-06-18 | 2021-09-07 | 奇安信科技集团股份有限公司 | Risk detection method, device, equipment and medium for application programming interface |
| CN113890902A (en) * | 2021-09-15 | 2022-01-04 | 奇安信科技集团股份有限公司 | Feature recognition library construction method and device and flow recognition method |
| CN114356693A (en) * | 2021-12-15 | 2022-04-15 | 绿盟科技集团股份有限公司 | Data monitoring method, device, medium and equipment |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115208801A (en) * | 2022-05-27 | 2022-10-18 | 奇安信科技集团股份有限公司 | API (application program interface) collaborative identification method and device, electronic equipment, medium and product |
| CN117435959A (en) * | 2023-11-17 | 2024-01-23 | 广西壮族自治区信息中心 | Parameter-based API interface classification method and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11188789B2 (en) | Detecting poisoning attacks on neural networks by activation clustering | |
| CN115208835A (en) | API classification method, device, electronic equipment, medium and product | |
| CN111401416A (en) | Abnormal website identification method and device and abnormal countermeasure identification method | |
| CN110247933B (en) | Method and device for realizing firewall policy | |
| CN111865960A (en) | Network intrusion scene analysis processing method, system, terminal and storage medium | |
| CN114205128B (en) | Network attack analysis method, device, electronic equipment and storage medium | |
| CN114244611B (en) | Abnormal attack detection method, device, equipment and storage medium | |
| CN107437088B (en) | File identification method and device | |
| CN108090364B (en) | Method and system for positioning data leakage source | |
| CN111371581A (en) | Method, device, equipment and medium for detecting business abnormity of Internet of things card | |
| CN106982147B (en) | Communication monitoring method and device for Web communication application | |
| CN116055587A (en) | Method and device for realizing hierarchical classification of API (application program interface) assets | |
| CN113037555B (en) | Risk event marking method, risk event marking device and electronic equipment | |
| CN113114679B (en) | Message identification method and device, electronic equipment and medium | |
| CN115643044A (en) | Data processing method, device, server and storage medium | |
| CN114971642A (en) | Knowledge graph-based anomaly identification method, device, equipment and storage medium | |
| CN113688240A (en) | Threat element extraction method, device, equipment and storage medium | |
| CN113055396B (en) | Cross-terminal traceability analysis method, device, system and storage medium | |
| KR20190070583A (en) | Apparatus and method for generating integrated representation specification data for cyber threat information | |
| CN113065132B (en) | Method and device for detecting confusion of macro program, electronic equipment and storage medium | |
| CN116775889B (en) | Threat information automatic extraction method, system, equipment and storage medium based on natural language processing | |
| CN113518118B (en) | Information processing method and system based on Internet of things security service | |
| CN113972994B (en) | Flow analysis method and device based on industrial control honeypot, computer equipment and readable storage medium | |
| CN117041362B (en) | Checking method and system for industrial control protocol semantic reverse result | |
| CN110768969B (en) | Test method and device based on network data monitoring and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |