CN111400721B - API interface detection method and device - Google Patents

Publication number
CN111400721B
Authority
CN
China
Prior art keywords
api
data
target
request
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010213139.XA
Other languages
Chinese (zh)
Other versions
CN111400721A (en)
Inventor
许祥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dt Dream Technology Co Ltd
Original Assignee
Hangzhou Dt Dream Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dt Dream Technology Co Ltd filed Critical Hangzhou Dt Dream Technology Co Ltd
Priority to CN202010213139.XA priority Critical patent/CN111400721B/en
Publication of CN111400721A publication Critical patent/CN111400721A/en
Application granted granted Critical
Publication of CN111400721B publication Critical patent/CN111400721B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention provides an API interface detection method and device. In the embodiment, traffic data of a target API interface within a preset time period is obtained, the traffic data comprising API request data and API response data; target data is extracted from the traffic data; the target data is converted according to a preset data conversion strategy to obtain formatted data; at least one first API permission request rule is generated based on the formatted data; and API requests to the target API interface are detected according to the at least one first API permission request rule. Various attacks, particularly unknown attacks, can thereby be effectively detected, improving the security of the API interface.

Description

API interface detection method and device
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an API interface detection method and apparatus.
Background
The development of the web, mobile applications, SaaS (Software-as-a-Service), microservices and the Internet of Things is supported behind the scenes by APIs (Application Programming Interfaces), so APIs are very widely used. As a result, a large number of attack techniques targeting APIs have also appeared, causing serious security incidents such as data leakage.
In the related art, a blacklist is generated from known API attack techniques, and API requests are checked against the blacklist. This approach cannot effectively identify unknown attack techniques or logic vulnerabilities, and provides little security.
Disclosure of Invention
In order to overcome the problems in the related art, the invention provides an API interface detection method and device that improve the security of the API interface.
According to a first aspect of an embodiment of the present invention, there is provided an API interface detecting method, including:
acquiring flow data of a target API interface in a preset time period, wherein the flow data comprises API request data and API response data;
extracting target data from the flow data;
according to a preset data conversion strategy, carrying out data conversion on the target data to obtain formatted data;
generating at least one first API permission request rule based on the formatted data, the first API permission request rule being a rule that legal API requests conform to;
and detecting the API request of the target API interface according to the at least one first API permission request rule.
According to a second aspect of an embodiment of the present invention, there is provided an API interface detecting apparatus, including:
the acquisition module is used for acquiring flow data of the target API interface in a preset time period, wherein the flow data comprises API request data and API response data;
the extraction module is used for extracting target data from the flow data;
the conversion module is used for carrying out data conversion on the target data according to a preset data conversion strategy to obtain formatted data;
the generation module is used for generating at least one first API permission request rule based on the formatted data, the first API permission request rule being a rule that legal API requests conform to;
and the detection module is used for detecting the API request of the target API interface according to the at least one first API permission request rule.
The technical scheme provided by the embodiment of the invention can have the following beneficial effects:
According to the embodiment of the invention, traffic data of the target API interface within the preset time period is obtained, the traffic data comprising API request data and API response data; target data is extracted from the traffic data; the target data is converted according to the preset data conversion strategy to obtain formatted data; at least one first API permission request rule is generated based on the formatted data; and API requests to the target API interface are detected according to the at least one first API permission request rule. Various attacks, particularly unknown attacks, can thereby be effectively detected, improving the security of the API interface.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is an exemplary diagram of an API application scenario provided in an embodiment of the present invention.
Fig. 2 is a flowchart illustrating an API interface detection method according to an embodiment of the present invention.
Fig. 3 is a functional block diagram of an API interface detecting apparatus according to an embodiment of the present invention.
Fig. 4 is a hardware configuration diagram of a network device according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the invention. Rather, they are merely examples of apparatus and methods consistent with aspects of embodiments of the invention as detailed in the accompanying claims.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments of the invention only and is not intended to be limiting of embodiments of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in embodiments of the present invention to describe various information, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of embodiments of the present invention. The word "if" as used herein may be interpreted as "at the time of …", "when …" or "in response to determining", depending on the context.
Fig. 1 is an exemplary diagram of an API application scenario provided in an embodiment of the present invention. Referring to fig. 1, a plurality of API interfaces are deployed on a network device, and each API interface corresponds to an application: API interface 1 corresponds to application 1, API interface 2 corresponds to application 2, …, and API interface n corresponds to application n. Through an application installed on a terminal, the user can send an API request to the API interface corresponding to that application; the API interface obtains API response data from the corresponding application server according to the API request and returns the API response data to the user terminal.
APIs are rapidly becoming a hard-hit area for modern attacks. Behind an API lies a series of rich attack targets; if attackers learn the logic of the API and how to operate it, they can find attack modes such as data leakage, account theft and denial of service. APIs are unique to each application, so it is difficult to predict where vulnerabilities may exist.
In the related art, the essence of API detection is a blacklist mode, which cannot cope with complex scenarios and cannot effectively prevent unknown attacks.
The API interface detection method provided by the invention aims to effectively detect unknown attacks against the API interface and improve the security of the API interface.
The method for detecting the API interface provided by the invention is described in detail by the following embodiments.
Fig. 2 is a flowchart illustrating an API interface detection method according to an embodiment of the present invention. As shown in fig. 2, the API interface detection method may include:
S201, acquiring traffic data of a target API interface in a preset time period, wherein the traffic data comprises API request data and API response data.
S202, extracting target data from the traffic data.
S203, performing data conversion on the target data according to a preset data conversion strategy to obtain formatted data.
S204, generating at least one first API permission request rule based on the formatted data, wherein the first API permission request rule is a rule that legal API requests conform to.
S205, detecting API requests of the target API interface according to the at least one first API permission request rule.
In practical applications, the method of the present embodiment may be used to detect each application's API interface.
In this embodiment, the preset time period may be set according to actual application requirements. For example, the preset time period may be one week, one month, 25 days, etc. before the current time.
In this embodiment, the traffic data includes not only API request data but also API response data, and by covering the response data, whether the attack is successful or not can be accurately identified.
In the implementation, steps S201 to S205 may be all executed on the same device, or steps S201 to S204 may be executed on the same device, and step S205 may be executed on another device.
In this embodiment, steps S201 to S204 may be performed periodically, for example, once per day, once per week, or once per hour, etc. In the period interval in which steps S201 to S204 are not performed, step S205 may perform detection according to the first API permission request rule generated in the previous period.
In one example, all traffic data for all API interfaces on a network device may be acquired in real-time by way of bypass traffic access (e.g., optical splitting, etc.).
In another example, all traffic data of all API interfaces on the network device may be acquired in real time through serial traffic access; for example, a DNS (Domain Name System) CNAME (mapping record) is configured on the network device where the API interfaces are deployed in order to read the traffic data of the API interfaces.
It should be noted that the manner of acquiring the API traffic data is not limited to the two listed above. In other embodiments of the present invention, the API interface traffic data may also be obtained by other means, which is not limited in this embodiment. For example, the API interface traffic data may also be obtained by reading logs from the network device.
Traffic data for different API interfaces may be distinguished by the URLs (Uniform Resource Locators) in the API request data.
The traffic data obtained in step S201 is raw traffic data.
In one exemplary implementation, in step S202, extracting target data from the traffic data may include:
parsing the traffic data to obtain a parsing result;
and extracting target data according to the parsing result, wherein the target data comprises an HTTP (HyperText Transfer Protocol) version, a request method, a request header, request content, a response header and response content.
The request method may be GET, POST, PUT, DELETE or the like.
The request header may be Cookie, Location, Referer, X-Forwarded-For, etc.
The response header may be Content-Length, Server, Set-Cookie, etc.
The target data extracted in step S202 and the raw traffic data obtained in step S201 may be stored in a database such as MongoDB.
In an exemplary implementation process, after step S202 and before step S203, data processing such as deduplication and cleaning may be performed on the target data to obtain processed target data, in which case step S203 may include: performing data conversion on the processed target data according to a preset data conversion strategy to obtain formatted data.
In an exemplary implementation process, in step S203, performing data conversion on the target data according to a preset data conversion policy to obtain formatted data may include:
identifying a target data type to which a parameter value of each first parameter in the target data belongs based on a preset data type;
replacing the parameter value of the first parameter with a target data type corresponding to the parameter value;
identifying a target data format to which a parameter value of each second parameter in the target data belongs based on a preset data format;
replacing the parameter value of the second parameter with a target data format corresponding to the parameter value;
the first parameter is a parameter in a preset first parameter set, and the second parameter is a parameter in a preset second parameter set.
In this embodiment, the first parameter set and the second parameter set are both preset. After data conversion, the parameter values of the parameters in the first parameter set (i.e. the first parameters) are data types, and the parameter values of the parameters in the second parameter set (i.e. the second parameters) are data formats. The purpose of the first parameter set and the second parameter set is to distinguish how each parameter is converted during data conversion (i.e. whether its parameter value is converted into a data type or into a data format).
The preset data types may include built-in types, standard data types, custom types, and the like.
For example, built-in types may include precise types such as IP (Internet Protocol) address, domain name, email address, cell phone number, identification number, word, etc. Standard data types may include numbers, strings, floating-point numbers, and the like.
The preset data types may also include types such as name and home address that are recognized through NLP (Natural Language Processing).
If the built-in types do not cover all types present in the traffic data, the user can freely define additional data types; that is, the uncovered data types are supplemented with custom types.
In this embodiment, the preset data format may include a common data format such as JSON, XML, KEY-VALUE (user=admin), and may also include other data formats defined by the user without built-in support.
The parameters contained in the data are fixed for one API request and its corresponding API response. The user can divide the parameters needing to be subjected to data type identification into first parameters and divide the parameters needing to be subjected to data format identification into second parameters according to the data conversion requirement.
In the present embodiment, format recognition is mainly performed on DATA (DATA) of requested content and DATA of response content.
In the data conversion process, for data of a precise type and data identified by NLP, the parameter value is directly replaced by the data type. Data that matches neither is converted into a standard data type, that is, the parameter value is replaced by the standard data type and the data length.
For example, assume that the request data in the target data before data conversion is as follows:
POST /getuserinfo?action=search HTTP/1.1
Host: 111.111.111.111:8480
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 13

uid=12401
Before data conversion, the response data in the target data is as follows:
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 11
Server: Werkzeug/0.16.0 Python/3.8.0
Date: Tue, 26 Nov 2019 12:19:59 GMT

17705663836
After data conversion, the request data in the target data is as follows:
POST /getuserinfo?action={word} HTTP/1.1
Host: {IP}:{port}
Cache-Control: {STR:8}
Upgrade-Insecure-Requests: {INT:1}
Accept-Encoding: {STR:13}
Connection: {WORD:5}
Content-Length: {INT:2}
After data conversion, the response data in the target data is as follows:
HTTP/1.0 200 OK
Content-Type: {STR:24}
Content-Length: {INT:2}
Server: Werkzeug/0.16.0 Python/3.8.0
Date: Tue, 26 Nov 2019 12:19:59 GMT

{PHONE}
In the above data, the data within "{ }" is the data after conversion.
For the parameter Connection, the parameter value is "close"; "close" is of data type WORD and its data length is 5, so "Connection: close" is formatted into "Connection: {WORD:5}" after data conversion.
For the parameter Host, the parameter value is "111.111.111.111:8480" and the corresponding data format is "{IP}:{port}", so "Host: 111.111.111.111:8480" is formatted into "Host: {IP}:{port}" after data conversion.
In the data conversion policy, conversion can be enabled for most common fields of the API request data, and the user can disable conversion for fields that, in the actual situation, are considered to pose little security threat and to be hard to tamper with.
In the data conversion policy, the Content-Type, Content-Length and response content in the API response data can be set to be converted, while response header fields such as Server and Date can be set not to be converted; after fields such as Server and Date are set as non-converted, the user can manually add them back as fields to be converted when required.
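A sketch of the data conversion step applied to the sample request and response above. This is an added example, not code from the patent: the regular expressions, function names and the set of non-converted headers are assumptions, and unlike the sample (which writes the query value as {word}) it always appends the length to WORD values.

```python
import re

IPV4 = r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)"
# Precise ("built-in") types: the value is replaced by the bare type name.
# The patterns are assumptions made for this example.
EXACT_TYPES = [
    ("IP", re.compile(IPV4)),
    ("PHONE", re.compile(r"1[3-9]\d{9}")),  # mainland-China mobile number
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
]
# Standard types: the value is replaced by type name plus data length.
STANDARD_TYPES = [
    ("INT", re.compile(r"[+-]?\d+")),
    ("FLOAT", re.compile(r"[+-]?\d+\.\d+")),
    ("WORD", re.compile(r"[A-Za-z]+")),
]
HOST_PORT = re.compile(rf"{IPV4}:\d{{1,5}}")
# Fields the policy leaves unconverted (the sample keeps Server and Date as-is).
UNCONVERTED_HEADERS = {"server", "date"}


def convert_value(value):
    """Replace one parameter value with its data format or data type."""
    v = value.strip()
    if HOST_PORT.fullmatch(v):
        return "{IP}:{port}"
    for name, pattern in EXACT_TYPES:
        if pattern.fullmatch(v):
            return "{%s}" % name
    for name, pattern in STANDARD_TYPES:
        if pattern.fullmatch(v):
            return "{%s:%d}" % (name, len(v))
    return "{STR:%d}" % len(v)


def convert_pairs(text, sep="&"):
    """KEY-VALUE format: keep the keys, convert each value."""
    out = []
    for pair in text.split(sep):
        key, eq, val = pair.partition("=")
        out.append(key + eq + convert_value(val) if eq else convert_value(pair))
    return sep.join(out)


def convert_message(raw):
    """Convert one HTTP request or response into formatted data."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start_line, *header_lines = head.split("\n")
    parts = start_line.split(" ")
    # Request line only: convert query-string values, keep method, path, version.
    if not parts[0].startswith("HTTP/") and len(parts) == 3 and "?" in parts[1]:
        path, _, query = parts[1].partition("?")
        parts[1] = path + "?" + convert_pairs(query)
    lines = [" ".join(parts)]
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() not in UNCONVERTED_HEADERS:
            value = " " + convert_value(value)
        lines.append(name + ":" + value)
    body = body.strip()
    if body:
        lines += ["", convert_pairs(body) if "=" in body else convert_value(body)]
    return "\n".join(lines)


# The sample traffic from the text, retyped here as constructed input.
SAMPLE_REQUEST = (
    "POST /getuserinfo?action=search HTTP/1.1\n"
    "Host: 111.111.111.111:8480\n"
    "Cache-Control: no-cache\n"
    "Upgrade-Insecure-Requests: 1\n"
    "Accept-Encoding: gzip, deflate\n"
    "Connection: close\n"
    "Content-Length: 13\n"
    "\n"
    "uid=12401"
)
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Length: 11\n"
    "Server: Werkzeug/0.16.0 Python/3.8.0\n"
    "Date: Tue, 26 Nov 2019 12:19:59 GMT\n"
    "\n"
    "17705663836"
)

if __name__ == "__main__":
    print(convert_message(SAMPLE_REQUEST))
    print()
    print(convert_message(SAMPLE_RESPONSE))
```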
In this embodiment, one or more first API permission request rules may be generated.
In this embodiment, the first API permission request rule is learned through analysis of a large amount of formatted data, and the rule may be used to check requests received by the API interface to determine whether an API request is an attack. The detection logic is: if an API request does not conform to the first API permission request rule, the API request is considered an attack or illegal. A legitimate API request must conform to the first API permission request rule.
For example, assuming that analysis and learning over a large amount of formatted data shows that the response to an API request should be a cell phone number, then if the actual response to a certain API request is not a cell phone number, that API request is considered illegal.
It should be noted that, for the same API interface, multiple results (i.e., multiple first API permission request rules) may be learned, and a request that conforms to any one of the results (i.e., any one of the first API permission request rules) may be considered legal. For example, if the response to an API request may be a mobile phone number or a specific type of access error, then an API request whose actual response is either a mobile phone number or that access error is considered legal.
In this embodiment, the first API permission request rule may also be generated by analysis and learning of the KEY fields in the formatted data. For example, if learning concludes that the request DATA should be JSON and contain 2 KEYs, e.g., {JSON: name, password}, then an API request that uses a non-JSON format is considered illegal, and a request that does not contain both the name and password KEYs is also considered illegal.
In an exemplary implementation, in step S204, generating, based on the formatted data, a first API permission request rule that is met by a legal API request may include:
and inputting the formatted data into a pre-trained first machine learning model for learning, and outputting a first API permission request rule conforming to a legal API request by the first machine learning model.
The first machine learning model may be trained according to a training manner in the related art, which is not described herein.
By learning and modeling the API requests comprehensively and at fine granularity, the first machine learning model may output all the details that the API interface should receive and respond with, as API permission request rules for API interface detection.
In an exemplary implementation, the method may further include:
generating a second API permission request rule based on the target data, the second API permission request rule being a rule that legal API requests conform to;
and detecting API requests of the target API interface according to the second API permission request rule.
The first API permission request rule is generated based on the formatted data obtained after the data conversion, whereas in this embodiment the second API permission request rule is obtained based on the target data before the data conversion.
In this embodiment, the original data (i.e. the target data) corresponding to the formatted data is used for auxiliary analysis, so that more optional rules can be provided for API interface detection and the user can choose among them according to different requirements.
For example, the formatted data obtained from the original data "URI: action=search" is "action={word}". Assume that all API requests from all users are "action=search". If only the formatted data is analyzed, only one result, "action={word}", is output. If the original data is analyzed at the same time, it will be found that almost all traffic to the interface is action=search, and two rules, "action={word}" and "action=search", are generated. In the internal settings, the broader "action={word}" result can be enabled by default so as to avoid false alarms, while the other, not enabled, result "action=search" is output to the user. The user can then adjust the detection strategy according to the actual situation, for example by disabling the "action={word}" rule and enabling the "action=search" rule, to obtain stronger defensive capability.
In one exemplary implementation, generating the second API permission request rule based on the target data may include:
and inputting the target data into a pre-trained second machine learning model for learning, and outputting a second API permission request rule by the second machine learning model.
The second machine learning model may be trained according to a training manner in the related art, which is not described herein.
In an exemplary implementation, the method may further include:
selecting a target API permission request rule from the at least one first API permission request rule and the second API permission request rule according to a selection operation of a user;
and detecting the API request of the target API interface according to the target API permission request rule.
In this embodiment, when there are both a first API permission request rule obtained by analyzing the formatted data and a second API permission request rule obtained by analyzing the target data, a rule for API interface detection is determined according to a selection of a user, thereby meeting an actual requirement of the user.
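The broad and strict rules from the "action=search" example, with the broad rule enabled by default and the strict one offered for user selection. This is an added example, not code from the patent; the function names, the rule record layout and the 99% dominance threshold are assumptions, and a frequency count stands in for the second machine learning model.

```python
from collections import Counter

# Assumed share of traffic one literal value needs before a strict rule is offered.
DOMINANCE = 0.99


def candidate_rules(param, observations):
    """observations: (raw_value, formatted_value) pairs seen for one parameter.

    Rules learned from formatted data are enabled by default; a rule learned
    from the raw target data is only offered to the user, disabled.
    """
    rules = []
    for template in sorted({fmt for _, fmt in observations}):
        rules.append({"rule": f"{param}={template}",
                      "source": "formatted", "enabled": True})
    value, count = Counter(raw for raw, _ in observations).most_common(1)[0]
    if count / len(observations) >= DOMINANCE:
        rules.append({"rule": f"{param}={value}",
                      "source": "raw", "enabled": False})
    return rules


def select(rules, chosen):
    """User selection: enable exactly the rules whose text is in `chosen`."""
    return [dict(r, enabled=r["rule"] in chosen) for r in rules]


def matches(rules, param, raw_value, formatted_value):
    """A request is legal if it conforms to any enabled rule."""
    for r in rules:
        observed = raw_value if r["source"] == "raw" else formatted_value
        if r["enabled"] and r["rule"] == f"{param}={observed}":
            return True
    return False


# Constructed traffic: every request carries action=search.
OBSERVED = [("search", "{word}")] * 200
DEFAULT_RULES = candidate_rules("action", OBSERVED)
STRICT_RULES = select(DEFAULT_RULES, {"action=search"})

if __name__ == "__main__":
    for r in DEFAULT_RULES:
        print(r)
    # Broad default accepts any word; the strict selection accepts only "search".
    print(matches(DEFAULT_RULES, "action", "delete", "{word}"))
    print(matches(STRICT_RULES, "action", "delete", "{word}"))
```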
In an exemplary implementation process, in step S205, detecting, according to the at least one first API permission request rule, an API request of the target API interface may include:
updating, according to the first API permission request rule, the whitelist on which detection of API requests of the target API interface is based;
and detecting the API request of the target API interface by using the updated white list.
In this embodiment, updating the whitelist on which detection of API requests of the target API interface is based may include adding the first API permission request rule to the whitelist, replacing the corresponding rule in the whitelist with the first API permission request rule, and so on.
In an exemplary implementation, the duration of the preset time period is greater than or equal to a preset duration threshold; the number of request source IPs corresponding to the traffic data is greater than or equal to a preset first number; and the number of accounts corresponding to the traffic data is greater than or equal to a preset second number.
In this embodiment, making the duration of the preset time period greater than or equal to the preset duration threshold yields data that is widely distributed in time, so that analysis and learning are not easily interfered with. This avoids the situation in which an attacker sends a large number of malicious requests in a short time and the learned result therefore treats malicious requests as legal API requests, and so improves reliability.
In this embodiment, the number of request source IPs corresponding to the traffic data is greater than or equal to the preset first number, so that the traffic data has a wide request source IP distribution, and the analysis learning result is ensured not to be affected by a large number of requests of individual IPs, thereby further improving reliability.
In this embodiment, the number of accounts corresponding to the flow data is greater than or equal to the preset second number, so that the flow data has a wide account distribution, the analysis learning result is further ensured not to be affected by a large number of requests of individual accounts, and the reliability is further improved.
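A sketch of the learning and detection loop with the three training-data preconditions above: rules are only regenerated from a window that is long enough and spread over enough source IPs and accounts, otherwise the previous whitelist stays in force. This is an added example, not code from the patent; all names and threshold values are assumptions, and a simple frequency count stands in for the first machine learning model.

```python
from collections import Counter
from datetime import datetime, timedelta

MIN_DURATION = timedelta(days=7)  # assumed "preset duration threshold"
MIN_SOURCE_IPS = 3                # assumed "preset first number"
MIN_ACCOUNTS = 3                  # assumed "preset second number"
MIN_SUPPORT = 0.05                # assumed share of samples a template needs


def window_is_trustworthy(samples):
    """Check time spread, source-IP spread and account spread."""
    times = [s["time"] for s in samples]
    return (max(times) - min(times) >= MIN_DURATION
            and len({s["src_ip"] for s in samples}) >= MIN_SOURCE_IPS
            and len({s["account"] for s in samples}) >= MIN_ACCOUNTS)


def learn_rules(samples):
    """Each (request, response) template pair seen often enough is a rule."""
    counts = Counter((s["request"], s["response"]) for s in samples)
    return {pair for pair, n in counts.items() if n / len(samples) >= MIN_SUPPORT}


def update_whitelist(whitelist, api, samples):
    """Periodic run of S201-S204: replace the API's rules, or keep the old ones."""
    if samples and window_is_trustworthy(samples):
        whitelist[api] = learn_rules(samples)
        return True
    return False


def detect(whitelist, api, request, response):
    """S205: legal only if the pair conforms to any one of the rules."""
    rules = whitelist.get(api, set())
    if (request, response) in rules:
        return "legal"
    if any(req == request for req, _ in rules):
        return "illegal: response matches no rule for this request"
    return "illegal: request matches no rule"


def make_samples(start, n, step, ips, accounts, request, responses):
    """Build constructed formatted-data samples for the demo."""
    return [{"time": start + i * step,
             "src_ip": ips[i % len(ips)],
             "account": accounts[i % len(accounts)],
             "request": request,
             "response": responses[i % len(responses)]}
            for i in range(n)]


def demo():
    api = "/getuserinfo"
    start = datetime(2019, 11, 1)
    ips = ["192.0.2.%d" % i for i in range(1, 6)]
    accounts = ["user%d" % i for i in range(1, 6)]
    # Ten days of traffic: 90% phone-number responses, 10% access errors.
    normal = make_samples(start, 60, timedelta(hours=4), ips, accounts,
                          "uid={INT:5}", ["{PHONE}"] * 9 + ["{STR:13}"])
    # A 40-minute burst from one IP and one account must not become a rule.
    burst = make_samples(start, 500, timedelta(seconds=5), ["198.51.100.7"],
                         ["user9"], "uid={STR:12}", ["{STR:412}"])
    whitelist = {}
    normal_accepted = update_whitelist(whitelist, api, normal)
    burst_accepted = update_whitelist(whitelist, api, burst)
    verdicts = [detect(whitelist, api, req, resp) for req, resp in [
        ("uid={INT:5}", "{PHONE}"),
        ("uid={INT:5}", "{STR:13}"),
        ("uid={INT:5}", "{STR:412}"),
        ("uid={STR:12}", "{STR:412}"),
    ]]
    return normal_accepted, burst_accepted, verdicts


if __name__ == "__main__":
    print(demo())
```

The third verdict shows why response data is part of the rule: the request looks normal, but the response template is one the interface never produced during learning.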
According to the API interface detection method provided by the embodiment of the invention, traffic data of the target API interface within the preset time period is obtained, the traffic data comprising API request data and API response data; target data is extracted from the traffic data; the target data is converted according to the preset data conversion strategy to obtain formatted data; at least one first API permission request rule is generated based on the formatted data; and API requests of the target API interface are detected according to the at least one first API permission request rule. Various attacks, particularly unknown attacks, can thereby be effectively detected, improving the security of the API interface.
In the API interface detection method provided by the embodiment of the invention, the process of generating the API permission request rules can be performed periodically, so that the whitelist used for API interface detection is updated automatically and periodically. Unlike blacklist detection rules, it does not require a great deal of effort to maintain, which saves human resources.
Based on the method embodiment, the embodiment of the invention also provides a corresponding device, equipment and storage medium embodiment. For detailed implementation of the apparatus, device and storage medium embodiments of the present invention, please refer to the corresponding description of the method embodiment section.
Fig. 3 is a functional block diagram of an API interface detecting apparatus according to an embodiment of the present invention. As shown in fig. 3, in this embodiment, the API interface detecting apparatus may include:
an obtaining module 310, configured to obtain flow data of a target API interface within a preset period of time, where the flow data includes API request data and API response data;
an extracting module 320, configured to extract target data from the traffic data;
the conversion module 330 is configured to perform data conversion on the target data according to a preset data conversion policy, so as to obtain formatted data;
a first generating module 340, configured to generate at least one first API permission request rule based on the formatted data, the first API permission request rule being a rule that legal API requests conform to;
the first detection module 350 is configured to detect an API request of the target API interface according to the at least one first API permission request rule.
In one exemplary implementation, the extraction module 320 may be specifically configured to:
analyzing the flow data to obtain an analysis result;
and extracting target data according to the analysis result, wherein the target data comprises an HTTP version, a request method, a request header, request contents, a response header and response contents.
In one exemplary implementation, the conversion module 330 may be specifically configured to:
identifying a target data type to which a parameter value of each first parameter in the target data belongs based on a preset data type;
replacing the parameter value of the first parameter with a target data type corresponding to the parameter value;
identifying a target data format to which a parameter value of each second parameter in the target data belongs based on a preset data format;
replacing the parameter value of the second parameter with a target data format corresponding to the parameter value;
the first parameter is a parameter in a preset first parameter set, and the second parameter is a parameter in a preset second parameter set.
In an exemplary implementation, the first generating module 340 may be specifically configured to:
and inputting the formatted data into a pre-trained first machine learning model for learning, and outputting at least one first API permission request rule by the first machine learning model.
In an exemplary implementation, the apparatus further includes:
a second generation module, configured to generate a second API permission request rule based on the target data, where the second API permission request rule is a rule that legitimate API requests satisfy;
and the second detection module is used for detecting the API request of the target API interface according to the second API permission request rule.
In an exemplary implementation, the second generating module may be specifically configured to:
and inputting the target data into a pre-trained second machine learning model for learning, and outputting a second API permission request rule by the second machine learning model.
In an exemplary implementation, the apparatus further includes:
a selection module, configured to select a target API permission request rule from the at least one first API permission request rule and the second API permission request rule according to a selection operation of a user;
and the third detection module is used for detecting the API request of the target API according to the target API permission request rule.
In an exemplary implementation, the first detection module 350 may be specifically configured to:
updating, according to the at least one first API permission request rule, the white list used to detect API requests of the target API interface;
and detecting the API request of the target API interface by using the updated white list.
In an exemplary implementation, the duration of the preset time period is greater than or equal to a preset duration threshold; the number of request source IPs corresponding to the flow data is greater than or equal to a preset first number; and the number of accounts corresponding to the flow data is greater than or equal to a preset second number.
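An added example, not code from the patent, showing the conversion, rule generation, white-list detection and learning-window conditions described above. The type and format lists, the two parameter sets, the thresholds and the sample traffic are assumptions, and a simple collection of observed labels stands in for the trained machine learning model.

```python
import re

# Assumed "preset data types" and "preset data formats"; the patent leaves both lists open.
DATA_TYPES = [("<int>", r"-?\d+"), ("<bool>", r"true|false"), ("<str>", r".*")]
DATA_FORMATS = [
    ("<email>", r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
    ("<date>", r"\d{4}-\d{2}-\d{2}"),
]
FIRST_PARAMS = {"page", "user_id"}   # assumed first parameter set: value -> data type
SECOND_PARAMS = {"email", "since"}   # assumed second parameter set: value -> data format

# Constructed sample traffic (not from the patent): ts is seconds since window start.
TRAFFIC = [
    {"ts": 0, "src_ip": "192.0.2.10", "account": "alice", "method": "GET",
     "path": "/api/orders", "params": {"page": "1", "since": "2020-03-01", "sort": "asc"}},
    {"ts": 1800, "src_ip": "192.0.2.11", "account": "bob", "method": "GET",
     "path": "/api/orders", "params": {"page": "27", "since": "2020-03-15", "sort": "desc"}},
    {"ts": 3600, "src_ip": "192.0.2.12", "account": "carol", "method": "POST",
     "path": "/api/users", "params": {"user_id": "1001", "email": "carol@example.com"}},
    {"ts": 5400, "src_ip": "192.0.2.10", "account": "alice", "method": "GET",
     "path": "/api/orders", "params": {"page": "3", "sort": "asc"}},
]


def label(value, patterns, fallback):
    """Return the first label whose pattern matches the whole value."""
    for name, pattern in patterns:
        if re.fullmatch(pattern, value, flags=re.DOTALL):
            return name
    return fallback


def convert(params):
    """Data conversion: replace listed parameter values by a type or format label."""
    out = {}
    for name, value in params.items():
        if name in FIRST_PARAMS:
            out[name] = label(value, DATA_TYPES, "<str>")
        elif name in SECOND_PARAMS:
            out[name] = label(value, DATA_FORMATS, "<unknown-format>")
        else:
            out[name] = value  # outside both sets: the literal value is kept
    return out


def traffic_is_sufficient(records, min_seconds, min_ips, min_accounts):
    """Learning-window preconditions: duration, distinct source IPs, distinct accounts."""
    times = [r["ts"] for r in records]
    return bool(records) and (
        max(times) - min(times) >= min_seconds
        and len({r["src_ip"] for r in records}) >= min_ips
        and len({r["account"] for r in records}) >= min_accounts
    )


def learn_rules(records, min_seconds=3600, min_ips=3, min_accounts=3):
    """Stand-in for the trained model: collect the labels observed per endpoint."""
    if not traffic_is_sufficient(records, min_seconds, min_ips, min_accounts):
        raise ValueError("learning window too short or too narrow to trust")
    rules = {}
    for r in records:
        endpoint = rules.setdefault((r["method"], r["path"]), {})
        for name, lab in convert(r["params"]).items():
            endpoint.setdefault(name, set()).add(lab)
    return rules


def check(request, rules):
    """Allowlist detection: a request passes only if it fits a learned rule."""
    allowed = rules.get((request["method"], request["path"]))
    if allowed is None:
        return False, "unknown endpoint"
    for name, lab in convert(request["params"]).items():
        if name not in allowed:
            return False, f"unexpected parameter {name}"
        if lab not in allowed[name]:
            return False, f"{name}: {lab} not allowed"
    return True, "ok"


if __name__ == "__main__":
    rules = learn_rules(TRAFFIC)
    for params in ({"page": "9", "sort": "desc"}, {"page": "12abc"}, {"debug": "1"}):
        print(params, check({"method": "GET", "path": "/api/orders", "params": params}, rules))
```

The window check matters because whatever appears in the learning traffic becomes allowed: a window dominated by a single source or account lets that source shape the white list.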
The embodiment of the invention also provides a network device. Fig. 4 is a hardware configuration diagram of a network device according to an embodiment of the present invention. As shown in Fig. 4, the network device includes: an internal bus 401, and a memory 402, a processor 403, and an external interface 404 connected by the internal bus.
The processor 403 is configured to read the machine readable instructions on the memory 402 and execute the instructions to implement the following operations:
acquiring flow data of a target API interface in a preset time period, wherein the flow data comprises API request data and API response data;
extracting target data from the flow data;
according to a preset data conversion strategy, carrying out data conversion on the target data to obtain formatted data;
generating at least one first API permission request rule based on the formatted data, where a first API permission request rule is a rule that legitimate API requests satisfy;
and detecting the API request of the target API interface according to the at least one first API permission request rule.
In one exemplary implementation, extracting target data from the traffic data includes:
analyzing the flow data to obtain an analysis result;
and extracting target data according to the analysis result, wherein the target data comprises an HTTP version, a request method, a request header, request contents, a response header and response contents.
In an exemplary implementation process, performing data conversion on the target data according to a preset data conversion policy to obtain formatted data, including:
identifying a target data type to which a parameter value of each first parameter in the target data belongs based on a preset data type;
replacing the parameter value of the first parameter with a target data type corresponding to the parameter value;
identifying a target data format to which a parameter value of each second parameter in the target data belongs based on a preset data format;
replacing the parameter value of the second parameter with a target data format corresponding to the parameter value;
the first parameter is a parameter in a preset first parameter set, and the second parameter is a parameter in a preset second parameter set.
In one exemplary implementation, generating at least one first API permission request rule based on the formatted data includes:
and inputting the formatted data into a pre-trained first machine learning model for learning, and outputting at least one first API permission request rule by the first machine learning model.
In an exemplary implementation, the method further includes:
generating a second API permission request rule based on the target data;
detecting an API request of the target API interface according to the second API permission request rule, where the second API permission request rule is a rule that legitimate API requests satisfy.
In one exemplary implementation, generating the second API permission request rule based on the target data includes:
and inputting the target data into a pre-trained second machine learning model for learning, and outputting a second API permission request rule by the second machine learning model.
In an exemplary implementation, the method further includes:
selecting a target API permission request rule from the at least one first API permission request rule and the second API permission request rule according to a selection operation of a user;
and detecting the API request of the target API interface according to the target API permission request rule.
In an exemplary implementation, detecting an API request of the target API interface according to the first API permission request rule includes:
updating, according to the first API permission request rule, the white list used to detect API requests of the target API interface;
and detecting the API request of the target API interface by using the updated white list.
In an exemplary implementation, the duration of the preset time period is greater than or equal to a preset duration threshold; the number of request source IPs corresponding to the flow data is greater than or equal to a preset first number; and the number of accounts corresponding to the flow data is greater than or equal to a preset second number.
The embodiment of the invention also provides a computer readable storage medium, which stores a plurality of computer instructions, and the computer instructions when executed perform the following processes:
acquiring flow data of a target API interface in a preset time period, wherein the flow data comprises API request data and API response data;
extracting target data from the flow data;
according to a preset data conversion strategy, carrying out data conversion on the target data to obtain formatted data;
generating at least one first API permission request rule based on the formatted data, where a first API permission request rule is a rule that legitimate API requests satisfy;
and detecting the API request of the target API interface according to the at least one first API permission request rule.
In one exemplary implementation, extracting target data from the traffic data includes:
analyzing the flow data to obtain an analysis result;
and extracting target data according to the analysis result, wherein the target data comprises an HTTP version, a request method, a request header, request contents, a response header and response contents.
In an exemplary implementation process, performing data conversion on the target data according to a preset data conversion policy to obtain formatted data, including:
identifying a target data type to which a parameter value of each first parameter in the target data belongs based on a preset data type;
replacing the parameter value of the first parameter with a target data type corresponding to the parameter value;
identifying a target data format to which a parameter value of each second parameter in the target data belongs based on a preset data format;
replacing the parameter value of the second parameter with a target data format corresponding to the parameter value;
the first parameter is a parameter in a preset first parameter set, and the second parameter is a parameter in a preset second parameter set.
In one exemplary implementation, generating at least one first API permission request rule based on the formatted data includes:
and inputting the formatted data into a pre-trained first machine learning model for learning, and outputting at least one first API permission request rule by the first machine learning model.
In an exemplary implementation, the method further includes:
generating a second API permission request rule based on the target data, where the second API permission request rule is a rule that legitimate API requests satisfy;
and detecting the API request of the target API interface according to the second API permission request rule.
In one exemplary implementation, generating the second API permission request rule based on the target data includes:
and inputting the target data into a pre-trained second machine learning model for learning, and outputting a second API permission request rule by the second machine learning model.
In an exemplary implementation, the method further includes:
selecting a target API permission request rule from the at least one first API permission request rule and the second API permission request rule according to a selection operation of a user;
and detecting the API request of the target API interface according to the target API permission request rule.
In an exemplary implementation, detecting an API request of the target API interface according to the at least one first API permission request rule includes:
updating, according to the at least one first API permission request rule, the white list used to detect API requests of the target API interface;
and detecting the API request of the target API interface by using the updated white list.
In an exemplary implementation, the duration of the preset time period is greater than or equal to a preset duration threshold; the number of request source IPs corresponding to the flow data is greater than or equal to a preset first number; and the number of accounts corresponding to the flow data is greater than or equal to a preset second number.
Because the apparatus and device embodiments essentially correspond to the method embodiments, refer to the description of the method embodiments for the relevant details. The apparatus embodiments described above are merely illustrative: the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, i.e., they may be located in one place or distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purposes of the present description. Those of ordinary skill in the art can understand and implement the present invention without undue burden.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It is to be understood that the present description is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The foregoing description of the preferred embodiments is provided for the purpose of illustration only, and is not intended to limit the scope of the disclosure, since any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the disclosure are intended to be included within the scope of the disclosure.

Claims (9)

1. An API interface detecting method, comprising:
acquiring flow data of a target API interface in a preset time period, wherein the flow data comprises API request data and API response data;
extracting target data from the flow data;
according to a preset data conversion strategy, carrying out data conversion on the target data to obtain formatted data;
generating at least one first API permission request rule based on the formatted data, where a first API permission request rule is a rule that legitimate API requests satisfy;
detecting an API request of the target API interface according to the at least one first API permission request rule;
the step of performing data conversion on the target data according to a preset data conversion strategy to obtain formatted data includes:
identifying a target data type to which a parameter value of each first parameter in the target data belongs based on a preset data type;
replacing the parameter value of the first parameter with a target data type corresponding to the parameter value;
identifying a target data format to which a parameter value of each second parameter in the target data belongs based on a preset data format;
replacing the parameter value of the second parameter with a target data format corresponding to the parameter value;
the first parameter is a parameter in a preset first parameter set, and the second parameter is a parameter in a preset second parameter set.
2. The method of claim 1, wherein extracting target data from the traffic data comprises:
analyzing the flow data to obtain an analysis result;
and extracting target data according to the analysis result, wherein the target data comprises an HTTP version, a request method, a request header, request contents, a response header and response contents.
3. The method of claim 1, wherein generating at least one first API permission request rule based on the formatted data comprises:
and inputting the formatted data into a pre-trained first machine learning model for learning, and outputting at least one first API permission request rule by the first machine learning model.
4. The method as recited in claim 1, further comprising:
generating a second API permission request rule based on the target data, where the second API permission request rule is a rule that legitimate API requests satisfy;
and detecting the API request of the target API interface according to the second API permission request rule.
5. The method of claim 4, wherein generating a second API permission request rule based on the target data comprises:
and inputting the target data into a pre-trained second machine learning model for learning, and outputting a second API permission request rule by the second machine learning model.
6. The method as recited in claim 4, further comprising:
selecting a target API permission request rule from the at least one first API permission request rule and the second API permission request rule according to a selection operation of a user;
and detecting the API request of the target API interface according to the target API permission request rule.
7. The method of claim 1, wherein detecting the API request of the target API interface according to the at least one first API permission request rule comprises:
updating, according to the at least one first API permission request rule, the white list used to detect API requests of the target API interface;
and detecting the API request of the target API interface by using the updated white list.
8. The method of claim 1, wherein the duration of the preset time period is greater than or equal to a preset duration threshold; the number of request source IPs corresponding to the flow data is greater than or equal to a preset first number; and the number of accounts corresponding to the flow data is greater than or equal to a preset second number.
9. An API interface detecting apparatus, comprising:
the acquisition module is used for acquiring flow data of the target API interface in a preset time period, wherein the flow data comprises API request data and API response data;
the extraction module is used for extracting target data from the flow data;
the conversion module is used for carrying out data conversion on the target data according to a preset data conversion strategy to obtain formatted data;
the generation module is used for generating at least one first API permission request rule based on the formatted data, where a first API permission request rule is a rule that legitimate API requests satisfy;
the detection module is used for detecting the API request of the target API interface according to the at least one first API permission request rule;
wherein, the conversion module is used for:
identifying a target data type to which a parameter value of each first parameter in the target data belongs based on a preset data type;
replacing the parameter value of the first parameter with a target data type corresponding to the parameter value;
identifying a target data format to which a parameter value of each second parameter in the target data belongs based on a preset data format;
replacing the parameter value of the second parameter with a target data format corresponding to the parameter value;
the first parameter is a parameter in a preset first parameter set, and the second parameter is a parameter in a preset second parameter set.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010213139.XA CN111400721B (en) 2020-03-24 2020-03-24 API interface detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010213139.XA CN111400721B (en) 2020-03-24 2020-03-24 API interface detection method and device

Publications (2)

Publication Number Publication Date
CN111400721A CN111400721A (en) 2020-07-10
CN111400721B true CN111400721B (en) 2024-04-12

Family

ID=71431149

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010213139.XA Active CN111400721B (en) 2020-03-24 2020-03-24 API interface detection method and device

Country Status (1)

Country Link
CN (1) CN111400721B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112286951A (en) * 2020-11-26 2021-01-29 杭州数梦工场科技有限公司 Data detection method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8745641B1 (en) * 2011-07-14 2014-06-03 Google Inc. Automatic verification and anomaly detection in a representational state transfer (REST) application programming interface
CN108512841A (en) * 2018-03-23 2018-09-07 四川长虹电器股份有限公司 A kind of intelligent system of defense and defence method based on machine learning
CN108881263A (en) * 2018-06-29 2018-11-23 北京奇虎科技有限公司 A kind of network attack result detection method and system
CN108900467A (en) * 2018-05-31 2018-11-27 华东师范大学 A method of perception is built and threatened to the automation honey jar based on Docker
CN109189622A (en) * 2018-08-21 2019-01-11 上海起作业信息科技有限公司 Interface test method and device, electronic equipment, storage medium
CN109714340A (en) * 2018-12-28 2019-05-03 厦门服云信息科技有限公司 The Network Abnormal of a kind of sequence to sequence requests recognition methods and device
CN109857484A (en) * 2019-01-17 2019-06-07 北京城市网邻信息技术有限公司 For the processing method and system of interface call request
CN110602029A (en) * 2019-05-15 2019-12-20 上海云盾信息技术有限公司 Method and system for identifying network attack

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9853996B2 (en) * 2015-04-13 2017-12-26 Secful, Inc. System and method for identifying and preventing malicious API attacks
US10218727B2 (en) * 2016-03-24 2019-02-26 Cisco Technology, Inc. Sanity check of potential learned anomalies

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8745641B1 (en) * 2011-07-14 2014-06-03 Google Inc. Automatic verification and anomaly detection in a representational state transfer (REST) application programming interface
CN108512841A (en) * 2018-03-23 2018-09-07 四川长虹电器股份有限公司 A kind of intelligent system of defense and defence method based on machine learning
CN108900467A (en) * 2018-05-31 2018-11-27 华东师范大学 A method of perception is built and threatened to the automation honey jar based on Docker
CN108881263A (en) * 2018-06-29 2018-11-23 北京奇虎科技有限公司 A kind of network attack result detection method and system
CN109189622A (en) * 2018-08-21 2019-01-11 上海起作业信息科技有限公司 Interface test method and device, electronic equipment, storage medium
CN109714340A (en) * 2018-12-28 2019-05-03 厦门服云信息科技有限公司 The Network Abnormal of a kind of sequence to sequence requests recognition methods and device
CN109857484A (en) * 2019-01-17 2019-06-07 北京城市网邻信息技术有限公司 For the processing method and system of interface call request
CN110602029A (en) * 2019-05-15 2019-12-20 上海云盾信息技术有限公司 Method and system for identifying network attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
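陈霖; 梁坤. Research on security early warning based on big data analysis of network traffic in the 4G era. 湖南邮电职业技术学院学报 (Journal of Hunan Post and Telecommunication College). 2016, (No. 04), full text. *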

Also Published As

Publication number Publication date
CN111400721A (en) 2020-07-10

Similar Documents

Publication Publication Date Title
US9154516B1 (en) Detecting risky network communications based on evaluation using normal and abnormal behavior profiles
CN112468520B (en) Data detection method, device and equipment and readable storage medium
CN102957664B (en) A kind of method and device identifying fishing website
CN106961419A (en) WebShell detection methods, apparatus and system
CN105376217B (en) A kind of malice jumps and the automatic judging method of malice nested class objectionable website
Gupta et al. XSS‐immune: a Google chrome extension‐based XSS defensive framework for contemporary platforms of web applications
CN109948334B (en) Vulnerability detection method and system, electronic equipment and storage medium
CN107800686B (en) Phishing website identification method and device
CN104956372A (en) Determining coverage of dynamic security scans using runtime and static code analyses
CN111756728B (en) Vulnerability attack detection method and device, computing equipment and storage medium
WO2018077035A1 (en) Malicious resource address detecting method and apparatus, and storage medium
CN113179260B (en) Botnet detection method, device, equipment and medium
Gupta et al. An infrastructure-based framework for the alleviation of JavaScript worms from OSN in mobile cloud platforms
CN111314301A (en) Website access control method and device based on DNS (Domain name Server) analysis
CN112118238B (en) Method, device, system, equipment and storage medium for authenticating login
CN113190838A (en) Web attack behavior detection method and system based on expression
CN111400721B (en) API interface detection method and device
CN112751804A (en) Method, device and equipment for identifying counterfeit domain name
Zhang et al. A survey of browser fingerprint research and application
US10686834B1 (en) Inert parameters for detection of malicious activity
CN116800518A (en) Method and device for adjusting network protection strategy
KR102258965B1 (en) Method and device for classifying range of web attack types by using information on method field of http protocol and information on content-type field of http protocol
CN115412312A (en) Malicious domain name determination method, device, equipment and medium
CN111371917B (en) Domain name detection method and system
US10091311B2 (en) Smart location determination

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant