CN112804242B - API security management system and method for non-perception automatic discovery - Google Patents

API security management system and method for non-perception automatic discovery

Info

Publication number: CN112804242B (application CN202110099690.0A)
Authority: CN (China)
Prior art keywords: api, authentication module, security authentication, interface, api interface
Legal status: Active (Google's legal-status annotation is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112804242A
Inventors: 蔡世泳, 吴渤忠, 邓瑛琪, 林万平, 谢小辉
Current assignee: Individual (Google notes the listed assignees may be inaccurate)
Original assignee: Individual
Events: application filed by Individual; priority to CN202110099690.0A; publication of CN112804242A; application granted; publication of CN112804242B; current legal status Active; anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/04 for providing a confidential data exchange among entities communicating through data packet networks > H04L 63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F 21/55 Detecting local intrusion or implementing counter-measures > G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 for authentication of entities
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 for detecting or protecting against malicious traffic > H04L 63/1408 by monitoring network traffic > H04L 63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention relates to an API security management method for non-perception automatic discovery, comprising the following steps: step one, registering the API interfaces that need security management with an API registration center module; step two, storing the API interface data registered by the API registration center module in an API data storage module and displaying it in an API display module; step three, the API security authentication module compares the request data of the API interface being accessed with the authentication information stored in the API data storage module, determines the access permission of the request, and passes the result to the API access control module; step four, the API access control module forwards data according to the received API interface request and the access permission determined for it. The security of data transmitted through the API interface is improved by checking the inflow traffic, the outflow traffic, the number of calls and the number of abnormal calls.

Description

API safety management system and method for non-perception automatic discovery
Technical Field
The invention relates to the field of network technology, in particular to an API (application programming interface) security management system and method for non-perception automatic discovery.
Background
An API (application programming interface) is a set of predefined interfaces, such as functions, HTTP endpoints, or conventions for connecting the different components of a software system. An API lets developers use the routines of a piece of software or hardware without access to its source code or knowledge of its internal workings. With the rise of microservices, development and integration based on a microservice architecture has become a focus. In a microservice architecture, a gateway layer placed in front of internal services lets application developers expose services externally through a high-performance hosted API, without having to handle security control, traffic control, audit logging and similar concerns themselves. In an enterprise information environment, a large number of API interfaces are called between different systems, so service subscription and call management are needed for inter-system calls in order to see the call relationships of each system clearly.
In the prior art, there is still no effective system or management method for the security management of APIs.
Disclosure of Invention
Therefore, the invention provides an API security management system and method capable of non-perception automatic discovery, in order to overcome the absence in the prior art of an API security management system and an effective management method.
In order to achieve the above object, the present invention provides an API security management system and method for unaware auto discovery, comprising:
step one, registering an API interface needing security management to an API registration center module;
step two, storing API interface data information registered by the API registration center module in an API data storage module and displaying the API interface data information in an API display module;
step three, the API security authentication module compares the request data of the API interface being accessed with the authentication information stored in the API data storage module, determines the access permission of the request, and passes the result to the API access control module;
step four, the API access control module forwards data according to the received API interface request and the access permission determined for it;
in step two, the API interface data consists of entry parameter information and exit parameter information. The entry parameter data comprises an account, a key, a timestamp and the API request parameters; the account, key, timestamp and request parameters are processed with a specific encryption algorithm to generate authentication data, and once that is done the generated data is transmitted over the network to the API interface together with the account, key, timestamp and parameters. The exit parameter information is the data corresponding to the timestamped request, returned to the requesting end after the API interface has verified that the request passes authentication;
in step three, the API security authentication module verifies the account and key received by the API. If verification passes, the request data is handed to the API interface, which processes the entry parameters; if verification fails, the API security authentication module returns the failure directly to the requesting end;
the API security authentication module also verifies the entry parameter information of the API interface, counts the abnormal entries in it, derives the number of calls and the number of abnormal calls from the inflow and outflow traffic recorded in the entry parameter information, judges the security status of the API interface from these statistics, and adjusts the entry and exit parameter information of the API interface accordingly.
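The account, key, timestamp and request-parameter authentication of steps two and three, worked through as an added example that is not part of the patent. The patent does not name its "specific encryption algorithm"; this example uses an HMAC-SHA256 over the account, the timestamp and the canonically ordered request parameters, and the verifying side (the API security authentication module) checks a timestamp window before recomputing the MAC from the key it holds. It deliberately does not put the key on the wire: the text above lists the key among the transmitted items, but a keyed MAC only needs the key at both ends, and sending it alongside the request would let anyone on the path forge requests. The account registry, the 300-second window and the sample request are constructed for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed stand-in for the API data storage module: account -> shared secret key.
REGISTRY = {"svc-orders": b"k3yForOrdersService-constructed"}

MAX_SKEW_SECONDS = 300  # assumption: how far a request timestamp may drift from server time


def canonical_string(account: str, timestamp: int, params: dict) -> bytes:
    """Deterministic byte string covering every field the signature must protect.
    Parameters are sorted so client and server agree regardless of dict order."""
    body = urlencode(sorted(params.items()))
    return f"{account}\n{timestamp}\n{body}".encode("utf-8")


def sign_request(account: str, key: bytes, timestamp: int, params: dict) -> str:
    """The 'generated data' in the patent's terms: HMAC-SHA256 over the canonical string."""
    return hmac.new(key, canonical_string(account, timestamp, params), hashlib.sha256).hexdigest()


def build_request(account: str, key: bytes, params: dict, now: Optional[int] = None) -> dict:
    """Client side: what the requesting end puts on the wire. The key itself stays local."""
    timestamp = int(time.time()) if now is None else int(now)
    return {
        "account": account,
        "timestamp": timestamp,
        "params": params,
        "signature": sign_request(account, key, timestamp, params),
    }


def verify_request(request: dict, registry: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side (step three): compare the request with the stored authentication info.
    Returns (accepted, reason); a failed check is returned to the requesting end directly."""
    key = registry.get(request.get("account"))
    if key is None:
        return False, "unknown account"
    timestamp = request.get("timestamp")
    if not isinstance(timestamp, int):
        return False, "bad timestamp"
    current = int(time.time()) if now is None else int(now)
    if abs(current - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    expected = sign_request(request["account"], key, timestamp, request.get("params", {}))
    # Constant-time comparison so a forger cannot learn the signature byte by byte.
    if not hmac.compare_digest(expected, str(request.get("signature", ""))):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    req = build_request("svc-orders", REGISTRY["svc-orders"], {"order_id": "42", "action": "get"})
    print(req)
    print(verify_request(req, REGISTRY))
```

A timestamp window alone does not stop a captured request from being replayed inside the window; a gateway built on this scheme would also keep a short-lived cache of seen (account, timestamp, signature) tuples or require a per-request nonce.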
Furthermore, the API security authentication module also measures the traffic flowing into and out of the API interface. Let the real-time inflow traffic of the API interface be Dc and the real-time outflow traffic be Qc. A first threshold Dc1 and a second threshold Dc2 for inflow traffic are preset in the API security authentication module, and when the module judges the inflow traffic of the API interface:
if Dc ≤ Dc1, the API security authentication module classifies the inflow traffic of the API interface as normal inflow traffic;
if Dc1 < Dc ≤ Dc2, the API security authentication module classifies the inflow traffic of the API interface as inflow traffic to be confirmed;
if Dc > Dc2, the API security authentication module classifies the inflow traffic of the API interface as abnormal inflow traffic.
Furthermore, a first threshold Qc1 and a second threshold Qc2 for outflow traffic are preset in the API security authentication module, and when the module judges the outflow traffic of the API interface:
if Qc ≤ Qc1, the API security authentication module classifies the outflow traffic of the API interface as normal outflow traffic;
if Qc1 < Qc ≤ Qc2, the API security authentication module classifies the outflow traffic of the API interface as outflow traffic to be confirmed;
if Qc > Qc2, the API security authentication module classifies the outflow traffic of the API interface as abnormal outflow traffic.
Furthermore, the API security authentication module also counts the number of calls and the number of abnormal calls of the API interface. Let the number of calls be Ds, with a first threshold Ds1 and a second threshold Ds2; when the module judges the number of calls of the API interface:
if Ds ≤ Ds1, the API security authentication module classifies the number of calls as normal;
if Ds1 < Ds ≤ Ds2, the API security authentication module classifies the number of calls as to be confirmed;
if Ds > Ds2, the API security authentication module classifies the number of calls as abnormal.
Furthermore, let the number of abnormal calls be Dy, with a first threshold Dy1 and a second threshold Dy2; when the API security authentication module judges the number of abnormal calls of the API interface:
if Dy ≤ Dy1, the API security authentication module classifies the number of abnormal calls as normal;
if Dy1 < Dy ≤ Dy2, the API security authentication module classifies the number of abnormal calls as to be confirmed;
if Dy > Dy2, the API security authentication module classifies the number of abnormal calls as abnormal.
Further, the API security authentication module performs secondary authentication on traffic to be confirmed and on counts to be confirmed over a preset time t, as follows.
If the traffic to be confirmed is inflow traffic, let Dz1 be the average of the normal inflow traffic samples within t and Dz2 the average of the abnormal inflow traffic samples within t, and compare Dc with (Dz1 + Dz2)/2:
if Dc ≥ (Dz1 + Dz2)/2, the API security authentication module judges the inflow traffic to be confirmed as abnormal traffic;
if Dc < (Dz1 + Dz2)/2, the API security authentication module judges the inflow traffic to be confirmed as normal traffic.
Further, for secondary authentication of traffic to be confirmed over the preset time t:
if the traffic to be confirmed is outflow traffic, let Qz1 be the average of the normal outflow traffic samples within t and Qz2 the average of the abnormal outflow traffic samples within t, and compare Qc with (Qz1 + Qz2)/2:
if Qc ≥ (Qz1 + Qz2)/2, the API security authentication module judges the outflow traffic to be confirmed as abnormal traffic;
if Qc < (Qz1 + Qz2)/2, the API security authentication module judges the outflow traffic to be confirmed as normal traffic.
Further, for secondary authentication of counts to be confirmed over the preset time t:
if the count to be confirmed is the number of calls, the API security authentication module sets w0 to the frequency of normal call counts within t and w1 to the probability that the inflow traffic within t is normal, and compares w0 with w1:
if w0 ≥ w1, the API security authentication module judges the number of calls to be confirmed as abnormal;
if w0 < w1, the API security authentication module judges the number of calls to be confirmed as normal;
if the count to be confirmed is the number of abnormal calls, the API security authentication module sets w3 to the frequency with which the abnormal-call count within t is classified as normal and w4 to the probability that the outflow traffic within t is normal, and compares w3 with w4:
if w3 ≥ w4, the API security authentication module judges the number of abnormal calls to be confirmed as abnormal;
if w3 < w4, the API security authentication module judges the number of abnormal calls to be confirmed as normal.
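The three-band thresholds and the secondary authentication rules above, worked through as an added example that is not part of the patent. classify() applies the first/second threshold rule the text uses for Dc, Qc, Ds and Dy alike; confirm_traffic() implements the (Dz1 + Dz2)/2 midpoint test over the samples that fall inside the preset time t; confirm_count() reproduces the w0 versus w1 (and w3 versus w4) comparison in exactly the direction the text states it, so a normal-count frequency at or above the traffic's normal probability yields "abnormal". The thresholds, the window length and the timestamped samples are constructed, and what happens when the window holds no normal or no abnormal sample (which the text does not define) is an assumption here: the check fails closed.

```python
from statistics import mean
from typing import List, Tuple

NORMAL, TO_CONFIRM, ABNORMAL = "normal", "to_confirm", "abnormal"

Sample = Tuple[int, float]  # (timestamp, value)


def classify(value: float, t1: float, t2: float) -> str:
    """First/second threshold rule used for Dc, Qc, Ds and Dy alike:
    value <= t1 -> normal; t1 < value <= t2 -> to be confirmed; value > t2 -> abnormal."""
    if t1 > t2:
        raise ValueError("first threshold must not exceed the second")
    if value <= t1:
        return NORMAL
    if value <= t2:
        return TO_CONFIRM
    return ABNORMAL


def samples_in_window(samples: List[Sample], now: int, t: int) -> List[float]:
    """Values of the samples that fall inside the preset time t ending at now."""
    return [v for ts, v in samples if now - t <= ts <= now]


def confirm_traffic(value: float, window: List[float], t1: float, t2: float) -> str:
    """Secondary authentication of traffic to be confirmed (Dc or Qc): compare it with
    (Dz1 + Dz2) / 2, the midpoint of the mean normal and mean abnormal samples in t."""
    normal = [v for v in window if classify(v, t1, t2) == NORMAL]
    abnormal = [v for v in window if classify(v, t1, t2) == ABNORMAL]
    if not normal or not abnormal:
        return ABNORMAL  # assumption: the text leaves this undefined, so fail closed
    midpoint = (mean(normal) + mean(abnormal)) / 2
    return ABNORMAL if value >= midpoint else NORMAL


def normal_share(values: List[float], t1: float, t2: float) -> float:
    """Fraction of values in the normal band: w0/w3 for counts, w1/w4 for traffic."""
    if not values:
        return 0.0
    return sum(classify(v, t1, t2) == NORMAL for v in values) / len(values)


def confirm_count(w_count: float, w_traffic: float) -> str:
    """Secondary authentication of a count to be confirmed, in the direction the text
    states it: w0 >= w1 (or w3 >= w4) -> abnormal, otherwise normal."""
    return ABNORMAL if w_count >= w_traffic else NORMAL


def judge_traffic(value, samples, now, t, t1, t2) -> str:
    """Full decision for one real-time traffic reading (inflow or outflow)."""
    band = classify(value, t1, t2)
    if band != TO_CONFIRM:
        return band  # normal traffic is only monitored, abnormal traffic is rejected outright
    return confirm_traffic(value, samples_in_window(samples, now, t), t1, t2)


def judge_count(count, count_samples, traffic_samples, now, t, c1, c2, tr1, tr2) -> str:
    """Full decision for a call count: Ds with Ds1/Ds2 checked against inflow traffic,
    or Dy with Dy1/Dy2 checked against outflow traffic."""
    band = classify(count, c1, c2)
    if band != TO_CONFIRM:
        return band
    w_count = normal_share(samples_in_window(count_samples, now, t), c1, c2)
    w_traffic = normal_share(samples_in_window(traffic_samples, now, t), tr1, tr2)
    return confirm_count(w_count, w_traffic)


# Constructed sample data: thresholds and (timestamp, value) readings inside a 60 s window.
DC1, DC2 = 100.0, 200.0  # inflow thresholds Dc1, Dc2
DS1, DS2 = 10, 20        # call-count thresholds Ds1, Ds2
INFLOW = [(1000, 50.0), (1010, 80.0), (1020, 90.0), (1030, 300.0), (1040, 400.0)]
CALLS = [(1000, 5), (1020, 8), (1030, 25)]

if __name__ == "__main__":
    for dc in (60.0, 150.0, 250.0):
        print("Dc =", dc, "->", judge_traffic(dc, INFLOW, now=1040, t=60, t1=DC1, t2=DC2))
    print("Ds = 15 ->", judge_count(15, CALLS, INFLOW, 1040, 60, DS1, DS2, DC1, DC2))
```

With the constructed inflow samples the midpoint is (73.3 + 350)/2 ≈ 211.7, so a reading of 150 in the to-be-confirmed band is accepted; shrinking t so that only the 400 reading remains in the window removes every normal sample and the same reading is rejected, which is why the undefined case should fail closed rather than open.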
Further, the account, key, timestamp and API request parameters in the entry parameter data are processed with a specific encryption algorithm, and the generated data is one or more groups of data.
Further, an API security management system for unaware auto-discovery, comprising:
an API registry module to provide registration of APIs;
an API data storage module used for storing data information of the registered API in the system;
an API security authentication module to control secure access of the API;
an API display module to view data information of the API;
and an API access control module for partitioning the access permissions of the API according to the authentication data from the security authentication module and determining the entry parameter data.
Compared with the prior art, the API security management method of the invention registers the API interface with the API registration center module and stores the API interface data in the API data storage module for display in the API display module; the API security authentication module processes the account, key, timestamp and API request parameters in the entry parameter information with a specific encryption algorithm to generate authentication data, which is transmitted over the network to the API interface together with the account, key, timestamp and parameters, completing authentication of the API entry parameters; after authentication passes, the API interface returns the data corresponding to the timestamped request to the requesting end, so the security of data transmitted through the API interface is improved.
In particular, by measuring the inflow and outflow traffic of the API interface, setting the real-time inflow traffic as Dc and the real-time outflow traffic as Qc, and presetting a first threshold Dc1 and a second threshold Dc2 for inflow traffic in the API security authentication module, the module can judge the inflow traffic of the API interface and thereby confirm whether the traffic flowing in is normal. Verification of normal inflow traffic is reduced and secondary verification of traffic to be confirmed is strengthened, further improving the security of data transmitted through the API interface.
Furthermore, the outflow traffic of the API interface is measured, a first and a second outflow threshold are set, and the real-time outflow value is compared with them, so that abnormal outflow traffic is detected and outflow traffic to be confirmed receives secondary verification, further improving the security of the transmitted data.
In particular, the API security authentication module counts the number of calls and the number of abnormal calls of the API interface. With the number of calls set as Ds, its first threshold as Ds1 and its second threshold as Ds2, the module judges the number of calls in relation to time: normal call counts are served directly, abnormal counts are immediately returned as abnormal calls, and counts to be confirmed receive secondary authentication in which the probability that inflow traffic is normal within the preset time is compared with the frequency of normal call counts. This secondary determination of counts to be confirmed improves the security of data authentication and makes API interaction safer and more convenient.
Furthermore, with the number of abnormal calls set as Dy, its first threshold as Dy1 and its second threshold as Dy2, the API security authentication module judges the number of abnormal calls, obtaining statistics of abnormal calls and determining whether they lie within the preset range; counts outside the range are returned directly as abnormal or submitted to secondary determination, in which the frequency w3 with which the abnormal-call count within t is normal is compared with the probability w4 that outflow traffic within t is normal. This secondary determination of abnormal-call counts improves the security of API interaction.
Drawings
FIG. 1 is a schematic flow chart of an API security management method for non-aware auto-discovery according to the present invention;
fig. 2 is a functional framework diagram of the API security management system for unaware auto-discovery according to the present invention.
Detailed Description
In order that the objects and advantages of the invention will be more clearly understood, the invention is further described below with reference to examples; it should be understood that the specific embodiments described herein are merely illustrative of the invention and do not delimit the invention.
Preferred embodiments of the present invention are described below with reference to the accompanying drawings. It should be understood by those skilled in the art that these embodiments are only for explaining the technical principles of the present invention, and do not limit the scope of the present invention.
It should be noted that in the description of the present invention, the terms of direction or positional relationship indicated by the terms "upper", "lower", "left", "right", "inner", "outer", etc. are based on the directions or positional relationships shown in the drawings, which are only for convenience of description, and do not indicate or imply that the device or element must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention.
Furthermore, it should be noted that, in the description of the present invention, unless otherwise explicitly specified or limited, the terms "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; they may be connected directly or indirectly through intervening media, or they may be interconnected between two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
Referring to fig. 1, the API security management method for unaware auto-discovery according to the invention comprises:
step one, registering the API interfaces that need security management with an API registration center module;
step two, storing the API interface data registered by the API registration center module in an API data storage module and displaying it in an API display module;
step three, the API security authentication module compares the request data of the API interface being accessed with the authentication information stored in the API data storage module, determines the access permission of the request, and passes the result to the API access control module;
step four, the API access control module forwards data according to the received API interface request and the access permission determined for it.
Specifically, in step two of the invention, the API interface data consists of entry parameter information and exit parameter information. The entry parameter data comprises an account, a key, a timestamp and the API request parameters; these are processed with a specific encryption algorithm to generate authentication data, and once that is done the generated data is transmitted over the network to the API interface together with the account, key, timestamp and parameters. The exit parameter information is the data corresponding to the timestamped request, returned to the requesting end after the API interface has verified the request.
Specifically, in step three of the invention, the API security authentication module verifies the account and key received by the API. If verification passes, the request data is handed to the API interface, which processes the entry parameters; if verification fails, the API security authentication module returns the failure directly to the requesting end.
Specifically, in the embodiment of the invention, the account, key, timestamp and API request parameters in the entry parameter data are processed with a specific encryption algorithm, and the generated data is one or more groups of data.
Specifically, in the embodiment of the invention, the API security authentication module verifies the entry parameter information of the API interface, counts the abnormal entries in it, derives the number of calls and the number of abnormal calls from the inflow and outflow traffic recorded in the entry parameter information, judges the security status of the API interface from these statistics, and adjusts the entry and exit parameter information of the API interface accordingly.
Referring to fig. 2, the API security management system for unaware auto-discovery according to the invention comprises: an API registry module providing registration of APIs; an API data storage module storing the data of the APIs registered in the system; an API security authentication module controlling secure access to the APIs; an API display module for viewing API data; and an API access control module that partitions the access permissions of the APIs according to the authentication data from the security authentication module and determines the entry parameter data.
Specifically, in the embodiment of the invention, the API security authentication module also measures the traffic flowing into and out of the API interface. Let the real-time inflow traffic be Dc and the real-time outflow traffic be Qc. A first threshold Dc1 and a second threshold Dc2 for inflow traffic are preset in the module, and when the module judges the inflow traffic of the API interface:
if Dc ≤ Dc1, the API security authentication module classifies the inflow traffic of the API interface as normal inflow traffic;
if Dc1 < Dc ≤ Dc2, the API security authentication module classifies the inflow traffic of the API interface as inflow traffic to be confirmed;
if Dc > Dc2, the API security authentication module classifies the inflow traffic of the API interface as abnormal inflow traffic.
Specifically, in the embodiment of the invention, inflow traffic judged normal is only monitored, without any intervention; traffic judged abnormal is returned directly as abnormal inflow traffic, which avoids repeated verification; and inflow traffic to be confirmed receives secondary verification, further improving the security of the API's inflow data.
Specifically, in the embodiment of the present invention, the first threshold Qc1 and the second threshold Qc2 of the outgoing flow rate of the API interface are preset in the API security authentication module, and if the API security authentication module determines the outgoing flow rate of the API interface,
if Qc is less than or equal to Qc1, the API security authentication module judges the outflow traffic of the API interface as normal outflow traffic;
if Qc1 is greater than Qc and less than or equal to Qc2, the API security authentication module judges the outflow traffic of the API interface as outflow traffic to be confirmed;
and if Qc is greater than Qc2, the API security authentication module judges the outflow traffic of the API interface as abnormal outflow traffic.
Specifically, in the embodiment of the present invention, the API security authentication module monitors only the flow when the outflow flow is determined as the normal outflow flow, does not perform any intervention, directly returns the data determined as the abnormal outflow flow, and prevents the API interface from performing an outflow operation, thereby reducing the process of repeated verification, performing secondary verification on the outflow flow to be confirmed, further improving the security of the data of the outflow flow of the API, and implementing effective security protection on the data in the API interface.
Specifically, in the embodiment of the invention, the API security authentication module also counts the number of calls and the number of abnormal calls of the API interface. Let the number of calls be Ds, with a first threshold Ds1 and a second threshold Ds2; when the module judges the number of calls of the API interface:
if Ds ≤ Ds1, the API security authentication module classifies the number of calls as normal;
if Ds1 < Ds ≤ Ds2, the API security authentication module classifies the number of calls as to be confirmed;
if Ds > Ds2, the API security authentication module classifies the number of calls as abnormal.
Specifically, in the embodiment of the invention, when the number of calls is normal the API security authentication module lets the call proceed directly, with no secondary verification; this shortens verification time at the API interface, improves API security and reduces call latency.
Specifically, in the embodiment of the invention, when the number of calls is abnormal the API security authentication module does not execute the call and returns an abnormal-call-count response, improving API security and reducing call time.
Specifically, in the embodiment of the invention, when the number of calls is to be confirmed the API security authentication module performs secondary verification, improving verification efficiency. The module judges the number of calls of the API interface in relation to time, serves normal call counts directly, returns abnormal counts immediately as abnormal calls, and for counts to be confirmed compares the probability that inflow traffic within the preset time is normal with the frequency of normal call counts. This secondary determination of counts to be confirmed improves the security of data verification and makes API interaction safer and more convenient.
Specifically, in the embodiment of the present invention, if the number of calling abnormality times in the API security authentication module is Dy, the first threshold for the number of calling abnormality times of the API interface is Dy1, the second threshold for the number of calling abnormality times of the API interface is Dy2, and the API security authentication module determines the number of calling abnormality times of the API interface,
if Dy is less than or equal to Dy1, the API security authentication module judges the calling abnormal times of the API interface as normal times;
if Dy is larger than Dy1 and not larger than Dy2, the API security authentication module judges the calling abnormal times of the API interface as the times to be confirmed;
and if Dy is greater than Dy2, the API security authentication module judges the calling abnormal times of the API interface as abnormal times.
Specifically, in the embodiment of the present invention, the API security authentication module judges the abnormal call count of the API interface, keeps statistics on the abnormal count, determines whether it lies within a preset range, and for counts outside the preset range either performs a secondary determination or directly returns an abnormal operation; the secondary determination compares w3, the frequency with which the abnormal count within t is judged normal, with w4, the probability that the outflow traffic within t is normal, thereby improving the security of API interaction.
Specifically, in the embodiment of the present invention, for the secondary authentication of the traffic to be confirmed and the count to be confirmed, the API security authentication module sets the preset time to t, and then,
if the traffic to be confirmed is inflow traffic, the average of the normal inflow traffic within t is set to Dz1, the average of the abnormal inflow traffic within t is set to Dz2, and (Dz1+Dz2)/2 is compared with Dc,
if Dc is greater than or equal to (Dz1+Dz2)/2, the API security authentication module judges the inflow traffic to be confirmed as abnormal traffic;
if Dc < (Dz1+Dz2)/2, the API security authentication module judges the inflow traffic to be confirmed as normal traffic.
Specifically, in the embodiment of the present invention, the API security authentication module performs secondary authentication on the traffic to be confirmed with the preset time set to t, and then,
if the traffic to be confirmed is outflow traffic, the average of the normal outflow traffic within t is set to Qz1, the average of the abnormal outflow traffic within t is set to Qz2, and (Qz1+Qz2)/2 is compared with Qc,
if Qc is greater than or equal to (Qz1+Qz2)/2, the API security authentication module judges the outflow traffic to be confirmed as abnormal traffic;
if Qc < (Qz1+Qz2)/2, the API security authentication module judges the outflow traffic to be confirmed as normal traffic.
Specifically, in the embodiment of the present invention, the API security authentication module performs secondary authentication on the count to be confirmed with the preset time set to t,
if the count to be confirmed is a call count, the API security authentication module sets the frequency of normal counts within t as w0, sets the probability that the inflow traffic within t is normal as w1, and compares w0 with w1,
if w0 is not less than w1, the API security authentication module judges the call count to be confirmed as an abnormal count;
if w0 is less than w1, the API security authentication module judges the call count to be confirmed as a normal count;
if the count to be confirmed is an abnormal call count, the API security authentication module sets the frequency with which the abnormal count within t is a normal count as w3, sets the probability that the outflow traffic within t is normal as w4, and compares w3 with w4, then
if w3 is not less than w4, the API security authentication module judges the abnormal call count to be confirmed as an abnormal count;
and if w3 is less than w4, the API security authentication module judges the abnormal call count to be confirmed as a normal count.
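The three-band thresholds and the two secondary verification rules set out above (the midpoint of the normal and abnormal averages for traffic, the normal-count frequency against the traffic-normal probability for counts), implemented as an added example that is not the patent's own code; the threshold values, the samples in the window t and the fail-closed handling of an empty window are constructed assumptions of this example.

```python
# Added example (not the patent's code): the three-band thresholds and the
# secondary verification rules described above, with constructed values.
from statistics import mean

NORMAL, PENDING, ABNORMAL = "normal", "to_be_confirmed", "abnormal"


def classify(value, t1, t2):
    """Band a measured value (Dc, Qc, Ds or Dy) against its two thresholds:
    value <= t1 normal; t1 < value <= t2 to be confirmed; value > t2 abnormal."""
    if t1 > t2:
        raise ValueError("first threshold must not exceed the second")
    if value <= t1:
        return NORMAL
    if value <= t2:
        return PENDING
    return ABNORMAL


def confirm_traffic(current, normal_samples, abnormal_samples):
    """Secondary verification of traffic to be confirmed: Dz1/Qz1 is the mean
    of the normal samples within t, Dz2/Qz2 the mean of the abnormal ones;
    per the text, current >= (Dz1+Dz2)/2 is abnormal, below it is normal."""
    if not normal_samples or not abnormal_samples:
        return ABNORMAL  # assumption: no baseline in the window -> fail closed
    midpoint = (mean(normal_samples) + mean(abnormal_samples)) / 2
    return ABNORMAL if current >= midpoint else NORMAL


def confirm_count(normal_count, total_count, normal_traffic_probability):
    """Secondary verification of a call count to be confirmed: w0/w3 is the
    share of calls within t that were normal, w1/w4 the probability that the
    window's traffic was normal; per the text, w0 >= w1 is abnormal."""
    if total_count == 0:
        return ABNORMAL  # assumption: empty window -> fail closed
    w0 = normal_count / total_count
    return ABNORMAL if w0 >= normal_traffic_probability else NORMAL


def decide_traffic(current, t1, t2, normal_samples, abnormal_samples):
    """Band first; only the to-be-confirmed band reaches secondary verification."""
    band = classify(current, t1, t2)
    if band != PENDING:
        return band
    return confirm_traffic(current, normal_samples, abnormal_samples)


def decide_count(count, t1, t2, normal_count, total_count, probability):
    """Same two-stage decision for the call count Ds or abnormal-call count Dy."""
    band = classify(count, t1, t2)
    if band != PENDING:
        return band
    return confirm_count(normal_count, total_count, probability)


if __name__ == "__main__":
    # Constructed figures: Dc1=100, Dc2=200; within t the module saw four
    # normal inflow samples (mean 87.5) and two abnormal ones (mean 280).
    normal_window, abnormal_window = [80, 90, 95, 85], [260, 300]
    for dc in (60, 150, 190, 250):
        print(f"Dc={dc}: {decide_traffic(dc, 100, 200, normal_window, abnormal_window)}")
```

With the constructed window the midpoint is 183.75, so a to-be-confirmed Dc of 150 is cleared as normal while 190 is rejected as abnormal; the same functions serve Qc, Ds and Dy with their own thresholds.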
Specifically, the embodiment of the invention registers the API interface with the API registration center module, stores the API interface data information in the API data storage module and displays it in the API display module; the API security authentication module encrypts the account, key, timestamp and API request parameters from the access information with a specific encryption algorithm to generate data, and compares the inflow traffic, outflow traffic, call count and abnormal call count with preset parameters, thereby improving the security of the data.
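The patent names only "a specific encryption algorithm" for the account, key, timestamp and request parameters. The following is an added example, not the patent's own scheme: it assumes an HMAC-SHA256 signature over a canonical form of account, timestamp and parameters, keyed with the account's key, which the security authentication module looks up by account in its storage rather than reading from the request; the accounts, keys and the 300-second freshness window are constructed.

```python
# Added example (not the patent's scheme): the unspecified "specific
# encryption algorithm" is assumed to be HMAC-SHA256 keyed with the account
# key, which the authentication module looks up by account rather than
# reading from the request.  Accounts, keys and the window are constructed.
import hashlib
import hmac
import json
import time

# Constructed stand-in for the API data storage module: account -> key.
STORED_KEYS = {"svc-orders": b"constructed-key-for-orders-service"}
MAX_SKEW_SECONDS = 300  # assumption: timestamp freshness window


def canonical(account, timestamp, params):
    """Deterministic byte string so client and module sign identical input."""
    body = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return f"{account}\n{timestamp}\n{body}".encode()


def sign_request(account, key, timestamp, params):
    """Client side: the 'generated data' that travels with the entry information."""
    return hmac.new(key, canonical(account, timestamp, params), hashlib.sha256).hexdigest()


def verify_request(account, timestamp, params, signature, now=None, keys=STORED_KEYS):
    """API security authentication module side: returns (ok, reason).

    Unknown account, stale timestamp and signature mismatch each fail closed,
    so the request is returned to the requesting end without reaching the
    API interface; only a verified request is passed on.
    """
    key = keys.get(account)
    if key is None:
        return False, "unknown account"
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside freshness window"
    expected = hmac.new(key, canonical(account, timestamp, params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    ts = int(time.time())
    params = {"op": "read", "id": 7}  # constructed API request parameters
    sig = sign_request("svc-orders", STORED_KEYS["svc-orders"], ts, params)
    print(verify_request("svc-orders", ts, params, sig))               # (True, 'ok')
    print(verify_request("svc-orders", ts, {**params, "id": 8}, sig))  # tampered parameter
```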
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is apparent to those skilled in the art that the scope of the present invention is not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention; various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (7)

1. An API security management method for unaware auto-discovery, comprising:
step one, registering an API interface needing security management to an API registration center module;
step two, storing the API interface data information registered by the API registration center module in an API data storage module and displaying the API interface data information in an API display module;
step three, the API security authentication module compares the request data information of the API interface requested for access with the authentication information stored in the API data storage module to determine the access permission of the request, and transmits the result to the API access control module;
step four, the API access control module transmits data according to the received determined API interface request and the access authority of the corresponding API interface request;
in the second step, the data information of the API interface includes entry information and exit information; the entry information includes an account, a key, a timestamp and API request parameters, the account, the key, the timestamp and the API request parameters are encrypted according to a specific encryption algorithm to generate data, and after encryption is completed the generated data together with the account, the key, the timestamp and the parameters are transmitted to the API interface through a network; the exit information includes the data information corresponding to the timestamped request, transmitted to the requesting terminal after the API interface has verified that the data information passes authentication;
in the third step, the API security authentication module verifies the account and the key received by the API and transmits the request data information that passes verification to the API interface, where the API interface performs the input-parameter operation; if the verification fails, the API security authentication module directly returns the request to the requesting end; for the secondary authentication of the traffic to be confirmed and the count to be confirmed, the API security authentication module sets the preset time to t, and then,
if the traffic to be confirmed is inflow traffic, the average of the normal inflow traffic within t is set to Dz1, the average of the abnormal inflow traffic within t is set to Dz2, the real-time inflow traffic of the API interface is set to Dc, and (Dz1+Dz2)/2 is compared with Dc,
if Dc is greater than or equal to (Dz1+Dz2)/2, the API security authentication module judges the inflow traffic to be confirmed as abnormal traffic;
if Dc < (Dz1+Dz2)/2, the API security authentication module judges the inflow traffic to be confirmed as normal traffic.
The API security authentication module performs secondary authentication on the traffic to be confirmed with the preset time set to t, and then,
if the traffic to be confirmed is outflow traffic, the average of the normal outflow traffic within t is set to Qz1, the average of the abnormal outflow traffic within t is set to Qz2, the real-time outflow traffic of the API interface is set to Qc, and (Qz1+Qz2)/2 is compared with Qc,
if Qc is greater than or equal to (Qz1+Qz2)/2, the API security authentication module judges the outflow traffic to be confirmed as abnormal traffic;
if Qc < (Qz1+Qz2)/2, the API security authentication module judges the outflow traffic to be confirmed as normal traffic.
The API security authentication module performs secondary authentication on the count to be confirmed with the preset time set to t,
if the count to be confirmed is a call count, the API security authentication module sets the frequency of normal counts within t as w0, sets the probability that the inflow traffic within t is normal as w1, and compares w0 with w1,
if w0 is not less than w1, the API security authentication module judges the call count to be confirmed as an abnormal count;
if w0 is less than w1, the API security authentication module judges the call count to be confirmed as a normal count;
if the count to be confirmed is an abnormal call count, the API security authentication module sets the frequency with which the abnormal count within t is a normal count as w3, sets the probability that the outflow traffic within t is normal as w4, and compares w3 with w4, then
if w3 is not less than w4, the API security authentication module judges the abnormal call count to be confirmed as an abnormal count;
and if w3 is less than w4, the API security authentication module judges the abnormal call count to be confirmed as a normal count.
The API security authentication module verifies the input-parameter information of the API interface, counts the abnormal information in the input-parameter information, counts the number of calls and the number of abnormal calls through the inflow traffic and outflow traffic in the input-parameter information, judges the security performance of the API interface according to the statistical results, and then adjusts the input-parameter information and output-parameter information of the API interface.
2. The API security management method for unaware auto-discovery according to claim 1, wherein the API security authentication module further comprises a statistical analysis module for the inflow traffic and outflow traffic of the API interface, wherein the real-time inflow traffic of the API interface is set to Dc and the real-time outflow traffic of the API interface is set to Qc, the API security authentication module is preset with a first threshold Dc1 and a second threshold Dc2 for the inflow traffic of the API interface, and the API security authentication module judges the inflow traffic of the API interface,
if Dc is less than or equal to Dc1, the API security authentication module judges the inflow traffic of the API interface as normal inflow traffic;
if Dc is greater than Dc1 and not greater than Dc2, the API security authentication module judges the inflow traffic of the API interface as inflow traffic to be confirmed;
and if Dc is greater than Dc2, the API security authentication module judges the inflow traffic of the API interface as abnormal inflow traffic.
3. The API security management method for unaware auto-discovery according to claim 2, wherein the API security authentication module is preset with a first threshold Qc1 and a second threshold Qc2 for the outflow traffic of the API interface, and the API security authentication module judges the outflow traffic of the API interface,
if Qc is less than or equal to Qc1, the API security authentication module judges the outflow traffic of the API interface as normal outflow traffic;
if Qc is greater than Qc1 and not greater than Qc2, the API security authentication module judges the outflow traffic of the API interface as outflow traffic to be confirmed;
and if Qc is greater than Qc2, the API security authentication module judges the outflow traffic of the API interface as abnormal outflow traffic.
4. The API security management method for unaware auto-discovery according to claim 3, wherein the API security authentication module further counts the number of calls and the number of abnormal calls of the API interface, sets the call count of the API interface as Ds, sets a first threshold of the call count of the API interface as Ds1, sets a second threshold of the call count of the API interface as Ds2, and the API security authentication module judges the call count of the API interface,
if Ds is less than or equal to Ds1, the API security authentication module judges the call count of the API interface as a normal count;
if Ds is larger than Ds1 and not larger than Ds2, the API security authentication module judges the call count of the API interface as a count to be confirmed;
and if Ds is larger than Ds2, the API security authentication module judges the call count of the API interface as an abnormal count.
5. The API security management method according to claim 4, wherein the abnormal call count in the API security authentication module is Dy, the first threshold of the abnormal call count of the API interface is Dy1, the second threshold of the abnormal call count of the API interface is Dy2, and the API security authentication module judges the abnormal call count of the API interface,
if Dy is less than or equal to Dy1, the API security authentication module judges the abnormal call count of the API interface as a normal count;
if Dy is larger than Dy1 and not larger than Dy2, the API security authentication module judges the abnormal call count of the API interface as a count to be confirmed;
and if Dy is greater than Dy2, the API security authentication module judges the abnormal call count of the API interface as an abnormal count.
6. The API security management method for unaware auto-discovery according to claim 1, wherein the account, the key, the timestamp and the API request parameters in the input-parameter data are encrypted according to a specific encryption algorithm, and the generated data is one or more groups of data.
7. An API security management system for unaware auto-discovery using the method of any of claims 1 to 6, comprising:
an API registry module to provide registration of APIs;
an API data storage module used for storing data information of the registered API in the system;
an API security authentication module to control secure access of the API;
an API display module to view data information of the API;
and an API access control module used for dividing the access authority of the API according to the authentication data of the security authentication module and determining the output-parameter data.
CN202110099690.0A 2021-01-25 2021-01-25 API safety management system and method for non-perception automatic discovery Active CN112804242B (en)

Publications (2)

Publication Number Publication Date
CN112804242A CN112804242A (en) 2021-05-14
CN112804242B true CN112804242B (en) 2022-09-13




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant