CN114640511B - Application interface monitoring platform - Google Patents

Info

Publication number
CN114640511B
CN114640511B (application CN202210207169.9A)
Authority
CN
China
Prior art keywords
interface
auditing
checked
interface information
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210207169.9A
Other languages
Chinese (zh)
Other versions
CN114640511A (en)
Inventor
徐静
侯晓锋
王萌萌
常浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Yili Medical Technology Co ltd
Original Assignee
Shanghai Yili Medical Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2022-03-04
Filing date: 2022-03-04
Publication date: 2022-06-17 (CN114640511A), 2024-01-19 (CN114640511B)
Application filed by Shanghai Yili Medical Technology Co ltd
Priority to CN202210207169.9A
Publication of CN114640511A
Application granted
Publication of CN114640511B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an application interface monitoring platform comprising an interface information acquisition module, an analysis module and an audit and release module. The acquisition module obtains the interface information of each application program interface of the service system; the analysis module uses that information to determine which new and old interfaces need to be audited; the audit and release module presents the interfaces to be audited to auditors and then updates the interface list in the interface access gateway according to the audit results, completing the release. In this way every interface in the interface list has passed audit, and when an external request for an interface reaches the gateway, the gateway allows or refuses it according to this list. This improves the security of application interface access and provides real protection for application interfaces; at the same time, because the approach works from the interface information of every application program interface of the service system, all interfaces can be controlled uniformly and with better timeliness.

Description

Application interface monitoring platform
Technical Field
The invention belongs to the technical field of application interface security, and in particular relates to an application interface monitoring platform.
Background
With the development of the internet, data security monitoring in software services is increasingly important. An interface, as the point where the modules of an application interact or where data flows, is where problems are most likely to occur, and a problem there can mean the loss of important data; the interfaces an application service exposes therefore need to be checked.
At present, various data security monitoring and protection products analyse the request content carried in traffic. These products generally collect traffic data logs at the interfaces for statistics, analysis and summarisation, and finally present them to the user through a view component, providing data support for the user's interface data security protection decisions; the specific implementations differ.
Disclosure of Invention
Based on the above, an application interface monitoring platform is provided to address the technical problems described.
The technical solution adopted by the invention is as follows:
an application interface monitoring platform, comprising:
an interface information acquisition module, used to acquire the interface information of each application program interface from the service system and store it in the database as unchecked interface information;
an analysis module, used to acquire the unchecked interface information and the checked interface information from the database; match the unchecked interface information against the checked interface information to determine whether each unchecked interface is an old interface or a new interface; for an old interface, further determine whether the unchecked interface information differs from the checked interface information and, if it does, take the old interface as an interface to be checked; take every new interface as an interface to be checked; generate an audit task for each interface to be checked and store the audit task in the database;
and an audit and release module, used to acquire audit tasks from the database, provide them to auditors for audit operations, determine the audit result of each interface to be checked from those operations, update the interface list in the interface access gateway according to the audit results, and update the checked interface information in the database.
The platform acquires the interface information of each application program interface of the service system through the interface information acquisition module, then determines through the analysis module which new and old interfaces need to be audited, and finally provides the interfaces to be audited to auditors through the audit and release module, updating the interface list in the interface access gateway according to the audit results to complete the release.
Drawings
The invention is described in detail below with reference to the accompanying drawing and the detailed description:
Fig. 1 is a schematic structural diagram of the invention.
Detailed Description
As shown in fig. 1, the embodiment of the present disclosure provides an application interface monitoring platform comprising an interface information acquisition module 11, an analysis module 12 and an audit and release module 13.
The interface information acquisition module 11 is configured to acquire the interface information of each application program interface from the service system 2 and store it in the database 3 as unchecked interface information.
The interface information acquisition module 11 provides the service system 2 with an interface information acquisition program that runs inside the service system 2; it may be supplied to the service system 2 as a JAR package. The acquisition program can obtain the interface information in two ways:
1. After the service system 2 starts, the acquisition program exposes all application program interfaces of the service system 2 externally, collects the interface information of all of them, and reports it to the interface information acquisition module 11.
2. After an application program of the service system starts, the acquisition program exposes the corresponding application program interface externally and sends a start-success event to the interface information acquisition module 11; when the module 11 observes the start-success event, it fetches the interface information from the corresponding application program interface.
The interface information acquisition module 11 mainly uses the first way; if the interface information of a certain application program interface cannot be obtained in the first way, it can be obtained in the second way.
The parsing module 12 is configured to perform the parsing steps:
1) The unchecked interface information and the checked interface information are acquired from the database 3.
The interface information comprises the interface name, interface version, interface signature, interface parameters and the name of the corresponding application program.
2) The unchecked interface information is matched against the checked interface information to determine whether each unchecked interface is an old interface or a new interface. For an old interface it is further determined whether the unchecked interface information differs from the checked interface information; if it does, the old interface is taken as an interface to be checked. Every new interface is taken as an interface to be checked.
Matching old and new interfaces relies on the interface name in the interface information: the interface names in the unchecked information are matched against those in the checked information. If an interface name in the unchecked information matches the same interface name in the checked information, that interface is an old interface; if it is not found in the checked information, that interface is a new interface.
For an old interface whose interface information has not changed, no audit is needed, which amounts to de-duplication; it is therefore necessary to determine whether the unchecked and checked interface information of the old interface differ:
a. Determine whether the input and output parameters of the old interface are consistent between the unchecked and the checked interface information; if not, a difference exists.
b. Determine whether the interface version of the old interface in the unchecked interface information is higher than the version in the checked interface information; if so, a difference exists.
c. Determine whether the interface signature of the old interface is consistent between the unchecked and the checked interface information; if not, a difference exists.
Checks a, b and c are not ordered.
The analysis module 12 takes the new interfaces and the old interfaces that show a difference as the interfaces to be checked, so that interfaces carrying risk are actively discovered.
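The matching and difference checks of step 2 are simple enough to show in full. The following is an added example written for this page; it is not the patent's code (the patent supplies its collector as a JAR, so the real system is presumably Java, but the logic is shown here in Python). The record layout, the dotted version format and all sample records are assumptions; the five fields are the ones the text names.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Interface information as the text defines it: name, version, signature,
# parameters (split into inputs and outputs for check a) and application name.
# The record layout, the dotted version format and the sample records below are
# assumptions made for this illustration.
@dataclass(frozen=True)
class InterfaceInfo:
    name: str
    version: str
    signature: str
    inputs: Tuple[str, ...]
    outputs: Tuple[str, ...]
    app: str


def version_key(version: str) -> Tuple[int, ...]:
    """Turn "2.10.0" into (2, 10, 0) so that 2.10.0 compares higher than 2.9.0."""
    return tuple(int(part) for part in version.split("."))


def difference_reasons(unchecked: InterfaceInfo, checked: InterfaceInfo) -> List[str]:
    """Checks a, b and c from the text for one old interface.

    The three checks are independent (the text says their order does not matter);
    any one of them firing means the interface must be re-audited.
    """
    reasons = []
    if unchecked.inputs != checked.inputs or unchecked.outputs != checked.outputs:
        reasons.append("parameters")  # a: input/output parameters changed
    if version_key(unchecked.version) > version_key(checked.version):
        reasons.append("version")  # b: version went up
    if unchecked.signature != checked.signature:
        reasons.append("signature")  # c: signature differs
    return reasons


def interfaces_to_audit(
    unchecked: List[InterfaceInfo], checked: List[InterfaceInfo]
) -> List[Tuple[InterfaceInfo, str, List[str]]]:
    """Step 2 of the analysis module.

    Matching is by interface name only, as the text specifies. Returns one entry
    (record, "new" | "old", reasons) per interface that needs an audit task;
    unchanged old interfaces are dropped, which is the de-duplication the text
    describes.
    """
    checked_by_name: Dict[str, InterfaceInfo] = {c.name: c for c in checked}
    result = []
    for record in unchecked:
        previous = checked_by_name.get(record.name)
        if previous is None:
            result.append((record, "new", ["not previously audited"]))
            continue
        reasons = difference_reasons(record, previous)
        if reasons:
            result.append((record, "old", reasons))
    return result


# Constructed sample data: the audited state of two interfaces ...
SAMPLE_CHECKED = [
    InterfaceInfo("getUser", "1.0.0", "sha256:aaa", ("id",), ("name", "phone"), "crm"),
    InterfaceInfo("listOrders", "2.9.0", "sha256:bbb", ("userId", "page"), ("orders",), "shop"),
]
# ... and what the collector reported on the latest run: getUser unchanged,
# listOrders changed in all three respects, exportUsers never seen before.
SAMPLE_UNCHECKED = [
    InterfaceInfo("getUser", "1.0.0", "sha256:aaa", ("id",), ("name", "phone"), "crm"),
    InterfaceInfo("listOrders", "2.10.0", "sha256:ccc", ("userId", "page", "status"), ("orders",), "shop"),
    InterfaceInfo("exportUsers", "1.0.0", "sha256:ddd", ("since",), ("users",), "crm"),
]

if __name__ == "__main__":
    for record, kind, reasons in interfaces_to_audit(SAMPLE_UNCHECKED, SAMPLE_CHECKED):
        print(f"{record.app}/{record.name} v{record.version}: {kind} interface, audit because {reasons}")
```

Two points worth noticing in this logic. Check b fires only when the version goes up, so an interface rolled back to an older version is caught by checks a and c (changed parameters or signature), not by b; the signature comparison is what carries that case. And because matching is by interface name alone, a renamed interface is treated as new and audited, while its old name simply stays in the checked set until that set is updated.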
3) An audit task is generated for each interface to be checked and stored in the database 3.
In practice the application program interfaces of the service system 2 are often provided by different third parties, so for ease of management the interfaces belonging to one third party should be audited by the auditors assigned to that third party. The analysis module 12 therefore also provides a grouping function that groups audit tasks by the application program name in the interface information. For example, if the three interfaces to be checked that correspond to audit task 1, audit task 2 and audit task 3 are all provided by company A, the three audit tasks are placed in the same group and assigned to the auditors for company A.
The analysis module 12 further provides a grading function: it matches the interface parameters of each interface to be checked against a preset sensitive-information configuration table, determines the level of the corresponding audit task and marks each audit task with its level. For example, the sensitive-information configuration table may list sensitive identity card numbers, bank card numbers, mobile phone numbers and the like; if the interface parameters of an interface to be checked match any of these, the corresponding audit task is marked as sensitive level, otherwise as non-sensitive level. The sensitive level may of course be subdivided further. Audit tasks of different levels correspond to different audit chains and must be audited by the auditors of the corresponding chain.
For example, for a non-sensitive level interface the audit chain comprises only information security sentry personnel, and only they need to review and approve.
For a sensitive level interface the audit chain comprises legal compliance personnel, information security sentry personnel and the CTO, who must confirm whether the transmission of sensitive data fits the business scenario, whether it exceeds what the business needs, whether the data has been desensitised, and so on, so that data security compliance is ensured.
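The grouping and grading functions, and the selection of an audit chain by level, can be demonstrated together. This is an added example for this page, not the patent's own code: the contents of the sensitive-information configuration table (which parameter names stand for identity card, bank card and mobile numbers), the application and interface names, and the membership of the two audit chains beyond what the text states are all assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sensitive-information configuration table. The text names three kinds
# of sensitive data; which parameter names stand for them is an assumption.
SENSITIVE_CONFIG: Dict[str, Tuple[str, ...]] = {
    "identity card number": ("idcard", "idnumber", "identitycard"),
    "bank card number": ("bankcard", "cardno", "accountno"),
    "mobile phone number": ("mobile", "phone", "phonenumber"),
}

# Audit chains per level, following the two examples given in the text.
AUDIT_CHAINS: Dict[str, Tuple[str, ...]] = {
    "non-sensitive": ("information security sentry",),
    "sensitive": ("legal compliance", "information security sentry", "CTO"),
}


def grade(parameters: Iterable[str]) -> Tuple[str, List[str]]:
    """Grading function: match interface parameters against the sensitive table.

    Matching is case-insensitive on the parameter name. Returns the level and the
    kinds of sensitive data that matched, so the auditor can see why a task was
    escalated.
    """
    names = {p.lower() for p in parameters}
    matched = [kind for kind, aliases in SENSITIVE_CONFIG.items() if names & set(aliases)]
    level = "sensitive" if matched else "non-sensitive"
    return level, matched


def build_audit_tasks(
    to_audit: Iterable[Tuple[str, str, Tuple[str, ...]]]
) -> Dict[str, List[dict]]:
    """Grouping function: one group per application program name.

    Input: (application name, interface name, interface parameters) for each
    interface to be checked. Each task carries its level and the audit chain
    that level selects, which is what the audit and release module later uses
    to route the task to the right auditors.
    """
    groups: Dict[str, List[dict]] = defaultdict(list)
    for app, interface, parameters in to_audit:
        level, matched = grade(parameters)
        groups[app].append({
            "interface": interface,
            "level": level,
            "matched": matched,
            "chain": AUDIT_CHAINS[level],
        })
    return dict(groups)


# Constructed input: three interfaces from company A's payment application and
# one from a CRM application supplied by a different third party.
SAMPLE_TO_AUDIT = [
    ("companyA-payment", "queryOrder", ("orderId",)),
    ("companyA-payment", "bindCard", ("userId", "bankCard")),
    ("companyA-payment", "sendOtp", ("mobile",)),
    ("companyB-crm", "getUser", ("id",)),
]

if __name__ == "__main__":
    for app, tasks in build_audit_tasks(SAMPLE_TO_AUDIT).items():
        print(app)
        for task in tasks:
            print(f"  {task['interface']}: {task['level']} -> chain {task['chain']}")
```

The grading here keys on parameter names only, which is all the text describes. A parameter named generically (say `contact`) that in fact carries a phone number would be graded non-sensitive, so the configuration table has to be maintained against what the interfaces really transmit, not just against naming conventions.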
The analysis module 12 may be scheduled periodically by the distributed scheduling module 14 to perform the analysis steps described above.
The audit and release module 13 is configured to:
1) Acquire audit tasks from the database 3 and provide them to auditors for audit operations.
Auditors perform the audit operation for each audit task through an audit interface.
2) Determine the audit result of each interface to be checked from the audit operations, and update the interface list in the interface access gateway 4 according to the audit results.
When an external request for a certain interface reaches the gateway 4, the gateway 4 allows or refuses access according to the interface list.
In this way every interface in the interface list of the interface access gateway 4 has been checked, which ensures the security of application interface access.
After the auditors perform the save operation in the audit interface, the audit result of each interface to be checked is saved to the database 3. Release personnel can then view each audit result in the release interface and perform a release operation, which generates a release task that is saved to the database 3. The audit and release module 13 may be scheduled periodically by the distributed scheduling module 14 to perform the task release operation: it acquires a release task from the database 3 and updates the interface list in the interface access gateway according to the audit results in the release task.
In this embodiment the audit result is one of: accessible interface, refused-access interface, login-free interface and ignored interface. The interface list comprises an accessible interface list (interfaces in this list can be accessed after login), a refused-access interface list, and a login-free interface list (interfaces in this list can be accessed without login).
For ignored interfaces, the interface information acquisition module 11 may first determine which interfaces are ignored when acquiring interface information, and acquire from the service system 2 only the interface information of application program interfaces other than the ignored ones.
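The release step and the gateway check it feeds are shown below as an added example (not the patent's code). The text names the four audit results and the three lists; what it does not say is how the gateway treats an interface that is on no list at all, which covers refused interfaces, ignored interfaces and interfaces the platform has never seen. Treating those as denied is an assumption made here, and it is what turns the interface list into an allow list that protects anything. Interface names in the sample release task are constructed.

```python
from typing import Dict, Set

# The three lists the text names, plus the audit result values that feed them.
ACCESSIBLE, REFUSED, LOGIN_FREE, IGNORED = "accessible", "refused", "login-free", "ignored"
LIST_NAMES = (ACCESSIBLE, REFUSED, LOGIN_FREE)


def new_interface_lists() -> Dict[str, Set[str]]:
    return {name: set() for name in LIST_NAMES}


def apply_release_task(lists: Dict[str, Set[str]], audit_results: Dict[str, str]) -> Dict[str, Set[str]]:
    """Task release operation: write one release task's audit results into the gateway lists.

    An interface is kept on at most one list, so a re-audit that changes the result
    (say accessible -> refused) moves it rather than leaving a stale allow entry.
    An "ignored" result removes any existing entry and adds none.
    """
    for interface, result in audit_results.items():
        if result not in LIST_NAMES and result != IGNORED:
            raise ValueError(f"unknown audit result {result!r} for {interface}")
        for entries in lists.values():
            entries.discard(interface)
        if result != IGNORED:
            lists[result].add(interface)
    return lists


def gateway_decision(lists: Dict[str, Set[str]], interface: str, logged_in: bool) -> str:
    """Gateway check for one incoming request.

    Refused interfaces, ignored interfaces and interfaces that were never audited
    all fall through to the final deny. Defaulting unlisted interfaces to deny is
    an assumption (the text only says the gateway allows or refuses according to
    the list); without it an un-audited interface would be reachable.
    """
    if interface in lists[LOGIN_FREE]:
        return "allow"
    if interface in lists[ACCESSIBLE]:
        return "allow" if logged_in else "deny: login required"
    return "deny"


# Constructed release task: one of each audit result the text enumerates.
SAMPLE_RELEASE_TASK = {
    "getUser": ACCESSIBLE,
    "exportUsers": REFUSED,
    "healthCheck": LOGIN_FREE,
    "debugDump": IGNORED,
}

if __name__ == "__main__":
    lists = apply_release_task(new_interface_lists(), SAMPLE_RELEASE_TASK)
    for interface, logged_in in [("healthCheck", False), ("getUser", False), ("getUser", True),
                                 ("exportUsers", True), ("debugDump", True), ("neverAudited", True)]:
        print(f"{interface:13} logged_in={logged_in!s:5} -> {gateway_decision(lists, interface, logged_in)}")
```

Because ignored interfaces are never collected and never audited, they only stay safe if the gateway's default for an unlisted interface is deny; with a default of allow, marking an interface "ignored" would silently expose it.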
Corresponding to the grouping function of the analysis module 12, when the audit and release module 13 provides audit tasks to auditors, it provides the audit tasks of one group to the auditors corresponding to that group.
Further, corresponding to the grading function of the analysis module 12, when the audit tasks of a group are provided to that group's auditors, the audit chain of each task is determined from the task's level, and the task is provided to the auditors of that audit chain.
For instance, if audit task 1, audit task 2 and audit task 3 are all in the same group, the group corresponds to company A, and company A has several audit chains of which audit chain a corresponds to the sensitive level, then if audit task 1 is sensitive level it is provided to the auditors of audit chain a.
3) The checked interface information in the database is updated so that it is always in its latest state, which helps the analysis module 12 to determine accurately which interfaces need to be checked.
Those skilled in the art will appreciate that the above embodiments are provided to illustrate the invention and not to limit it; changes and modifications to the above embodiments fall within the scope of the appended claims as long as they fall within the true spirit of the invention.

Claims (10)

1. An application interface monitoring platform, comprising:
an interface information acquisition module, used to acquire the interface information of each application program interface from the service system and store it in the database as unchecked interface information;
an analysis module, used to acquire the unchecked interface information and the checked interface information from the database; match the unchecked interface information against the checked interface information to determine whether each unchecked interface is an old interface or a new interface; for an old interface, further determine whether the unchecked interface information differs from the checked interface information and, if it does, take the old interface as an interface to be checked; take every new interface as an interface to be checked; generate an audit task for each interface to be checked and store the audit task in the database;
an audit and release module, used to acquire audit tasks from the database, provide them to auditors for audit operations, determine the audit result of each interface to be checked from those operations, update the interface list in the interface access gateway according to the audit results, and update the checked interface information in the database;
wherein the audit result is one of an accessible interface, a refused-access interface, a login-free interface and an ignored interface.
2. The application interface monitoring platform according to claim 1, wherein the interface information acquisition module provides the service system with an interface information acquisition program running in the service system, and the interface information acquisition program is configured to externally expose each application program interface of the service system after the service system is started, collect interface information of each application program interface, and report the interface information to the interface information acquisition module.
3. The application interface monitoring platform according to claim 2, wherein the interface information acquisition program is further configured to externally expose a corresponding application program interface after an application program of the service system is started, and send a start success event to the interface information acquisition module, and the interface information acquisition module captures interface information of the application program interface from the corresponding application program interface after the interface information acquisition module monitors the start success event.
4. An application interface monitoring platform according to claim 1 or 3, wherein the matching of the non-audited interface information and the audited interface information, determining whether to match to an old interface and a new interface, further comprises:
matching the interface names of the non-checked interface information and the checked interface information;
if a certain interface name of the non-checked interface information is matched with the same interface name in the checked interface information, the corresponding interface is an old interface;
and if the interface name of the non-checked interface information is not matched in the checked interface information, the corresponding interface is a new interface.
5. The application interface monitoring platform according to claim 4, wherein the further determining, for the old interface, whether there is a difference between the non-checked interface information and the checked interface information, further comprises:
judging whether the output parameters and the input parameters of the interface parameters of the old interface in the non-checked interface information and the checked interface information are consistent, if not, representing that the difference exists;
judging whether the interface version of the old interface in the non-checked interface information is higher than the interface version in the checked interface information, if so, representing that the difference exists;
and judging whether the interface signature of the old interface in the non-checked interface information and the checked interface information is consistent, if not, representing that the difference exists.
6. The application interface monitoring platform of claim 5, wherein the generating an audit task for the interface to be audited further comprises:
grouping auditing tasks according to application program names in the interface information;
the step of providing the auditing task to auditing personnel for auditing operation further comprises the steps of:
and providing the auditing task of the same group to an auditing person corresponding to the group.
7. The application interface monitoring platform according to claim 6, wherein the interface parameters of the interface to be checked are matched against a preset sensitive-information configuration table, the level of the corresponding audit task is determined, and each audit task is marked with its level;
the step of providing the auditing task of the same group to the auditing personnel corresponding to the group further comprises the following steps:
according to the level, further determining an audit chain of the audit task;
and providing the auditing task for the auditing personnel corresponding to the auditing chain.
8. The application interface monitoring platform of claim 7, wherein updating the interface list in the interface access gateway according to the auditing result further comprises:
generating a release task according to the auditing result, and storing the release task in the database;
periodically acquiring the release task from the database;
and updating an interface list in the interface access gateway according to the auditing result in the issuing task.
9. The application interface monitoring platform of claim 8, wherein the interface list comprises an accessible interface list, a denied access interface list, and a login-free interface list.
10. The application interface monitoring platform of claim 9, wherein the interface information acquisition module acquires interface information of application program interfaces other than the ignored interface from the service system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210207169.9A CN114640511B (en) 2022-03-04 2022-03-04 Application interface monitoring platform

Publications (2)

Publication Number Publication Date
CN114640511A CN114640511A (en) 2022-06-17
CN114640511B true CN114640511B (en) 2024-01-19

Family

ID=81947550

Country Status (1)

Country Link
CN (1) CN114640511B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7457870B1 (en) * 2004-02-27 2008-11-25 Packeteer, Inc. Methods, apparatuses and systems facilitating classification of web services network traffic
KR20090002587A (en) * 2007-07-02 2009-01-09 라파앤컴퍼니(주) System for integration monitoring and management method thereof
CN101976188A (en) * 2010-05-26 2011-02-16 天津大学 OpenApi data automatic loading system oriented to AJAX protocol
WO2013097392A1 (en) * 2011-12-26 2013-07-04 中兴通讯股份有限公司 Method for unified account management and third-party account management system
JP2018067829A (en) * 2016-10-20 2018-04-26 中華電信股▲分▼有限公司 Real time traffic collection/analysis system and method
CN108958711A (en) * 2017-05-22 2018-12-07 北京京东尚科信息技术有限公司 A kind of implementation method and device of interface platform
CN112333239A (en) * 2020-10-10 2021-02-05 百度(中国)有限公司 Service auditing notification method, gateway, electronic equipment and readable medium
WO2021169212A1 (en) * 2020-02-26 2021-09-02 平安科技(深圳)有限公司 Risk control model construction method and apparatus, risk control checking method and apparatus, and computer device
CN113485685A (en) * 2021-06-30 2021-10-08 平安银行股份有限公司 API interface creating method and device, electronic equipment and medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7380279B2 (en) * 2001-07-16 2008-05-27 Lenel Systems International, Inc. System for integrating security and access for facilities and information systems

Also Published As

Publication number Publication date
CN114640511A (en) 2022-06-17

Similar Documents

Publication Publication Date Title
CN112615849B (en) Micro-service access method, device, equipment and storage medium
JP2022000757A (en) Model training system, method and storage medium
US20180197145A1 (en) Multi-stage service record collection and access
US10257228B2 (en) System and method for real time detection and prevention of segregation of duties violations in business-critical applications
CN101345751B (en) Identifying application user as source of database activity
CN107122987B (en) Early warning system and method for wanted fraud
CA2457373A1 (en) System and method for coordinating the collection, analysis and storage of payroll information provided to government agencies by government contractors
CN112738040A (en) Network security threat detection method, system and device based on DNS log
CN112417492A (en) Service providing method based on data classification and classification
CN106940643A (en) Logical APP systems between the police and the people
CN105809031B (en) The method, apparatus and system of database audit
CN112749400A (en) Service-oriented data security management system and method
CN109784786A (en) A kind of staple product quality safety electronics is traced to the source data service system
CN111639021A (en) Permission testing method and device of application program and terminal equipment
CN112699088B (en) Method, system and medium for sharing fraud-related data
CN114640511B (en) Application interface monitoring platform
KR101942576B1 (en) System for integrally analyzing and auditing heterogeneous personal information protection products
CN113554538A (en) Digital information integrated system for urban and rural community management
CN111625700A (en) Anti-grabbing method, device, equipment and computer storage medium
CN115222375B (en) Government affair data monitoring, analyzing and processing method and system based on big data
CN116367102A (en) Method and device for automatically switching short message route
CN115525897A (en) System detection method and device for terminal equipment, electronic device and storage medium
CN114022114A (en) Data governance platform based on telecommunication industry
CN114358643A (en) Multimedia content wind control management device and management method
CN112632371A (en) Anti-fraud method and system for banking business

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant