CN114650187A - Abnormal access detection method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114650187A (granted version: CN114650187B)
Application number: CN202210472963.6A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 石雨佳
Original and current assignee: Sangfor Technologies Co Ltd
Legal status: Granted (the listed status, assignee and priority date are Google's assumptions, not legal conclusions)
Prior art keywords: node, access, graph, api, behavioral

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

An embodiment of the invention belongs to the field of computer technology and provides an abnormal access detection method, an abnormal access detection apparatus, an electronic device and a storage medium. The abnormal access detection method comprises: determining at least one node corresponding to first API traffic, where a node represents a network address of the first API traffic; acquiring node information corresponding to each of the at least one node; and detecting whether each piece of node information satisfies the access relationship corresponding to a first behavior relation graph, to obtain a detection result indicating whether the first API traffic is abnormal access traffic. The at least one node is a node in the first behavior relation graph, and an edge of the first behavior relation graph represents the access relationship between the two nodes corresponding to that edge.

Description

Abnormal access detection method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer technology, and in particular to an abnormal access detection method and apparatus, an electronic device, and a storage medium.
Background
In the related art, abnormal access detection usually mines anomalies along dimensions such as parameters, request fields and content. However, logic defects in an Application Programming Interface (API) are difficult to detect effectively with such anomaly detection methods alone.
Disclosure of Invention
To solve the above problem, embodiments of the present invention provide an abnormal access detection method, an abnormal access detection apparatus, an electronic device and a storage medium, so as to at least address the difficulty of detecting API logic defects in the related art.
The technical solution of the invention is realized as follows:
In a first aspect, an embodiment of the present invention provides an abnormal access detection method, which comprises:
determining at least one node corresponding to first Application Programming Interface (API) traffic, where a node represents a network address of the first API traffic;
acquiring node information corresponding to each of the at least one node;
detecting whether each piece of node information satisfies the access relationship corresponding to a first behavior relation graph, to obtain a detection result; the detection result indicates whether the first API traffic is abnormal access traffic; the at least one node is a node in the first behavior relation graph; and an edge of the first behavior relation graph represents the access relationship between the two nodes corresponding to that edge.
In the foregoing solution, detecting whether each piece of node information satisfies the access relationship corresponding to the first behavior relation graph to obtain a detection result comprises:
matching each piece of node information against the feature information of the corresponding node in the first behavior relation graph;
if every piece of node information matches the feature information of its corresponding node in the first behavior relation graph, obtaining a detection result that the first API traffic is normal access traffic;
and if any piece of node information fails to match the feature information of its corresponding node in the first behavior relation graph, obtaining a detection result that the first API traffic is abnormal access traffic.
In a second aspect, an embodiment of the present invention provides a method for constructing a behavior relation graph, which comprises:
obtaining the network address of each of at least two second API traffic records;
constructing a first behavior relation graph based on the network address of each second API traffic record; the nodes of the first behavior relation graph represent network addresses of the second API traffic, and the edges of the first behavior relation graph represent the access relationships between the two nodes corresponding to each edge; the first behavior relation graph is used to execute the abnormal access detection method provided in the first aspect.
In the foregoing solution, constructing the first behavior relation graph based on the network address of each second API traffic record comprises:
parsing the at least two second API traffic records to obtain a set field in each; the set field represents context information of the corresponding second API traffic;
and determining, based on the set fields, the nodes in the first behavior relation graph that have a direct access relationship, and connecting those nodes to obtain the edges of the first behavior relation graph.
In the foregoing solution, when constructing the first behavior relation graph based on the network address of each second API traffic record, the method comprises:
acquiring information of the edges in the first behavior relation graph; the information of an edge represents the access probability between the nodes corresponding to that edge;
and updating the feature information of each node of the first behavior relation graph based on the information of the edges in the first behavior relation graph.
In the foregoing solution, after constructing the first behavior relation graph based on the at least two second API traffic records, the method further comprises:
acquiring the parameter values of the set access parameters of each node of the first behavior relation graph;
determining, based on those parameter values, the connected nodes in the first behavior relation graph that represent low-frequency access behavior;
and deleting the connecting lines between the connected nodes that represent low-frequency access behavior in the first behavior relation graph.
In a third aspect, an embodiment of the present invention provides an abnormal access detection apparatus, which comprises:
a first determining module, configured to determine at least one node corresponding to first API traffic, where a node represents a network address corresponding to the first API traffic;
a first obtaining module, configured to obtain node information corresponding to each of the at least one node;
and a detection module, configured to detect whether each piece of node information satisfies the access relationship corresponding to a first behavior relation graph, to obtain a detection result; the detection result indicates whether the first API traffic is abnormal access traffic; the at least one node is a node in the first behavior relation graph; and any edge of the first behavior relation graph represents the access relationship between the two nodes corresponding to that edge.
In a fourth aspect, an embodiment of the present invention provides a device for constructing a behavior relation graph, which comprises:
a second obtaining module, configured to obtain the network address of each of at least two second API traffic records;
and a construction module, configured to construct a first behavior relation graph based on the network address of each second API traffic record; the nodes of the first behavior relation graph represent network addresses of the second API traffic, and the edges represent the access relationships between the two nodes corresponding to each edge; the first behavior relation graph is used to execute the abnormal access detection method provided in the first aspect of the embodiment of the invention.
In a fifth aspect, an embodiment of the present invention provides an electronic device comprising a processor and a memory connected to each other, where the memory stores a computer program comprising program instructions, and the processor is configured to call the program instructions to perform the steps of the abnormal access detection method provided in the first aspect or of the method for constructing a behavior relation graph provided in the second aspect.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the abnormal access detection method provided in the first aspect or of the method for constructing a behavior relation graph provided in the second aspect of the embodiment of the invention.
The embodiment of the invention determines at least one node corresponding to first API traffic, obtains the node information of each node, and detects whether the node information satisfies the access relationship corresponding to the first behavior relation graph to obtain a detection result indicating whether the first API traffic is abnormal access traffic. The nodes represent network addresses of the first API traffic, the at least one node is a node in the first behavior relation graph, and any edge of the first behavior relation graph represents the access relationship between the two nodes corresponding to that edge. Through the access relationships encoded in the first behavior relation graph, the embodiment can effectively identify logic errors in API traffic and detect behavior that accesses restricted functions or sensitive information in an abnormal state; for example, attack behaviors such as replay attacks and bypass attacks can be identified, addressing the lack of API logic defect detection in the current market.
Drawings
Fig. 1 is a schematic flow chart of an implementation of a method for constructing a behavior relation graph according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of an implementation of another method for constructing a behavior relation graph according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of an implementation of a method for constructing a behavior relation graph according to another embodiment of the present invention;
Fig. 4 is a schematic flow chart of an implementation of a method for constructing a behavior relation graph according to yet another embodiment of the present invention;
Fig. 5 is a schematic flow chart of an implementation of an abnormal access detection method according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a first behavior relation graph according to an embodiment of the present invention;
Fig. 7 is a schematic diagram of an abnormality detection process according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of an abnormal access detection apparatus according to an embodiment of the present invention;
Fig. 9 is a schematic diagram of a device for constructing a behavior relation graph according to an embodiment of the present invention;
Fig. 10 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A World Wide Web (Web) API is a web application programming interface that can serve various clients (for example browsers and mobile devices) and covers a wide range of functions.
With the vigorous development of Web API business, Web API security has received more and more attention. Through a Web API an attacker can tamper with data, obtain sensitive information, perform illegal operations and so on against a website. At present most API security solutions in the industry focus on explicit input and output attacks (for example SQL injection, cross-site scripting (XSS) and file upload) and mine anomalies along the dimensions of parameters, request fields and content. However, the logic defects of an Application Programming Interface (API), and the problems they cause when an application accesses restricted functions and sensitive information in an inappropriate state (for example an attacker skipping the login interface and accessing business data directly), are very important, and existing solutions in the industry currently lack the capability to detect API logic defects.
In view of the above drawbacks of the related art, embodiments of the present invention provide an abnormal access detection method, which can effectively detect API logic defects. In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
The key point of the embodiment of the invention is to construct the access relationships between nodes, which can be represented by data structures such as graphs, trees and linked lists. Graphs, trees and linked lists are all built from connections between nodes and are interchangeable in some cases: a tree is a special kind of graph (a directed acyclic one), but a graph is not necessarily a tree. Since access relationships may contain cycles, a tree, being directed and acyclic, cannot represent them in general. A linked list reaches the next node through a pointer; compared with pointers, the edges of a graph display the connection relationships between nodes more intuitively. The embodiment of the application therefore uses a graph to construct the access relationships between nodes.
In an embodiment, abnormal access detection is performed on the basis of a first behavior relation graph, which is learned from user behavior data recorded under non-attack conditions. A graph is a common representation of a connected data network structure; through graph learning, machine learning is carried out on the graph, and a graph algorithm can learn node distances, the relationships between nodes and so on, achieving representation learning of the relational features between objects. A graph is usually defined by two sets, a node set and an edge set: nodes represent entities, and edges represent the relationships between those entities.
Referring to fig. 1, fig. 1 is a schematic diagram of the implementation flow of a method for constructing a behavior relation graph according to an embodiment of the present invention. The executing subject of the method may be an electronic device such as a desktop computer, a notebook computer or a server; the server may be a physical device or a virtualized device deployed in the cloud. The method comprises the following steps:
S101, obtaining the network address of each of at least two second API traffic records.
Here, the at least two second API traffic records are historical network traffic and all belong to the same application software; for example, they may be the API traffic generated within 30 days under one site's domain.
In an embodiment, before obtaining the network address of each of the at least two second API traffic records, the method further comprises:
filtering the historical network traffic by a set filtering method to obtain the at least two second API traffic records.
The set filtering method comprises at least one of the following:
Host clustering;
parameter filtering;
request-method filtering;
response-code filtering.
Here, the at least two second API traffic records are filtered out of historical network traffic; for example, they may be filtered from one month of the terminal's historical access traffic. The terminal's historical network traffic contains traffic of many types, and the embodiment of the invention needs only the API traffic, which can be filtered and extracted from the historical network traffic by filtering methods such as Host clustering, parameter filtering, request-method filtering and response-code filtering.
Host clustering of the historical network traffic means clustering together the API data associated with the IP addresses in the Hosts file, and taking the result as the at least two second API traffic records. Hosts is an extensionless system file that records commonly used website domain names and their corresponding IP addresses; when a user enters a website address in the browser, the system first looks for the corresponding IP address in the Hosts file and, once found, opens the corresponding page directly.
Parameter filtering of the historical network traffic means filtering out the network traffic that contains set parameters and taking it as the at least two second API traffic records. A parameter here is a parameter in the API traffic, for example a domain name or a user name.
Request-method filtering of the historical network traffic means filtering the traffic by its request method, for example on the traffic whose request method is GET, to obtain the at least two second API traffic records.
Response-code filtering of the historical network traffic means filtering the traffic by its response code, for example on the traffic whose response code begins with 5, such as 500 and 501, to obtain the at least two second API traffic records.
In an embodiment, the second API traffic is Representational State Transfer (REST) API traffic.
In an embodiment, only REST API traffic is extracted from the historical network traffic, according to a set REST API reference format and specification requirements. Because a REST API may use some level of the path as a variable parameter (the original gives baidu v1.com and baidu v2.com as two addresses that point to the same REST API), the variable-parameter portion must also be identified so that API traffic pointing to the same REST API is merged.
In an embodiment, the at least two second API traffic records are all normal API traffic.
In practical application, the extracted API traffic may be saved as an API audit log.
The at least two second API traffic records are parsed to obtain the network address in each, where the network address may be a Uniform Resource Locator (URL).
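The filtering and REST path merging described above, as an added worked example in Python that is not part of the patent: the traffic records, the host names and the rule that treats numeric, hex and UUID path segments as variable parameters are all constructed assumptions, and whether 5xx responses are kept or dropped is exposed as a flag because the patent does not say which.

```python
import re
from collections import defaultdict

# Constructed sample of historical HTTP traffic records (not the patent's data).
# Each record: host, request method, path, response status, query-parameter names.
HISTORY = [
    {"host": "shop.example", "method": "GET",  "path": "/api/v1/items/123",  "status": 200, "params": {"uid"}},
    {"host": "shop.example", "method": "GET",  "path": "/api/v1/items/456",  "status": 200, "params": {"uid"}},
    {"host": "shop.example", "method": "POST", "path": "/api/v1/orders",     "status": 201, "params": {"uid"}},
    {"host": "shop.example", "method": "GET",  "path": "/api/v1/orders/789", "status": 500, "params": {"uid"}},
    {"host": "cdn.example",  "method": "GET",  "path": "/static/app.js",     "status": 200, "params": set()},
    {"host": "shop.example", "method": "GET",  "path": "/index.html",        "status": 200, "params": set()},
]

# Assumed rule for the variable-parameter part of a REST path: decimal ids,
# long hex ids and UUIDs are treated as variable segments.
VARIABLE_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)


def normalize_rest_path(path):
    """Replace variable path segments with '{id}' so that requests for
    different instances of the same REST resource collapse onto one node."""
    segments = path.strip("/").split("/")
    return "/" + "/".join("{id}" if VARIABLE_SEGMENT.match(s) else s for s in segments)


def cluster_by_host(records):
    """Host clustering: group records by the Host they were sent to."""
    clusters = defaultdict(list)
    for r in records:
        clusters[r["host"]].append(r)
    return dict(clusters)


def filter_api_traffic(records, api_hosts, required_params, methods, drop_5xx=True):
    """Apply the four filters named in the patent (host clustering, parameter
    filtering, request-method filtering, response-code filtering) and return
    the surviving records with their REST paths normalized."""
    kept = []
    for r in records:
        if r["host"] not in api_hosts:              # host clustering
            continue
        if not required_params <= r["params"]:      # parameter filtering
            continue
        if r["method"] not in methods:              # request-method filtering
            continue
        if drop_5xx and 500 <= r["status"] < 600:   # response-code filtering
            continue
        kept.append({**r, "path": normalize_rest_path(r["path"])})
    return kept


if __name__ == "__main__":
    for r in filter_api_traffic(HISTORY, {"shop.example"}, {"uid"}, {"GET", "POST"}):
        print(r["method"], r["path"], r["status"])
```

The normalized path is what becomes the graph node; without the merge step, every item id would become its own node and the access relationships learned from the history would never recur on new traffic.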
S102, constructing a first behavior relation graph based on the network address of each second API traffic record; the nodes of the first behavior relation graph represent the network addresses of the second API traffic, and the edges represent the access relationships between the two nodes corresponding to each edge.
When the network address is a URL, each URL is taken as a graph node, the access relationships between URLs are taken as edges, and the nodes with a direct access relationship are connected to obtain the initial structure of the first behavior relation graph. The structure of the first behavior relation graph consists of a node set V and an edge set E, so the graph can be written as G = (V, E).
For example, a user jumping from a first URL page to a second URL page is an access relationship between the two URLs. The first behavior relation graph may also relate nodes with an indirect access relationship: for example, if a user jumps from a first URL page to a second URL page and then from the second to a third, the first URL node and the third URL node have an indirect access relationship.
Referring to fig. 2, in an embodiment, constructing the first behavior relation graph based on the network address of each second API traffic record comprises:
S201, parsing the at least two second API traffic records to obtain a set field in each; the set field represents the context information of the corresponding second API traffic.
The set field is obtained by parsing the request header, request body, response header and response body of the second API traffic. The set field represents context information of the traffic, that is, the access behavior immediately before or immediately after the current access behavior.
For example, the set field may be "Referer" or "Location", where the Referer field is carried in the request header and the Location field in the response header. The Referer field indicates the access behavior preceding the current one; for example, in a shopping scenario the access preceding the purchase of a commodity is browsing the commodity information, and the Referer field carries the API information of that browsing access.
S202, determining, based on the set fields, the nodes with a direct access relationship in the first behavior relation graph, and connecting those nodes to obtain the edges of the first behavior relation graph.
Different second API traffic records (URLs) can be associated through the set field, from which the nodes with a direct access relationship are known; directed lines are drawn between those nodes, giving the edges of the first behavior relation graph.
Here, the first behavior relation graph may be a directed graph: nodes are connected by lines with arrows, and the direction of the arrow represents the access relationship. For example, a line between node A and node B with the arrow pointing from A to B indicates that node B is accessed from node A.
Degree in the graph: the degree of a node is the number of edges incident on it. In a directed graph, degree is split into in-degree and out-degree. The in-degree of a node is the number of times it is the end point of an edge; the out-degree is the number of times it is the start point of an edge.
A graph can be stored in several ways: as an edge list, as an adjacency matrix, or as an adjacency list.
In an embodiment, constructing the first behavior relation graph based on the network address of each second API traffic record comprises:
determining, based on the at least two second API traffic records, the access relationships between the nodes of the first behavior relation graph;
determining the feature information of each node of the first behavior relation graph based on the access relationships between the nodes; the feature information represents the node type of the corresponding node.
Here, the feature information of a node is its node type. In other embodiments the node features may carry more information, for example the access frequency between graph nodes, the access probability between graph nodes, the number of accessing IPs, the access time and the total number of intra-domain accesses.
In the embodiment of the present invention the node types may include seven kinds: a node that can only be accessed passively, a node that can be accessed only once, a node that can be accessed multiple times, an important node, a node that a business flow must pass through, a business start node and a business end node.
The access relationships between the nodes of the first behavior relation graph are determined from each second API traffic record. The access relationships include the number of times a node is accessed, the number of times a node actively accesses other nodes, the time at which a node is accessed, the time and order in which a node actively accesses other nodes, and so on. Through the set field in the second API traffic the nodes can be linked together, yielding a complete business process.
The node type of each node of the first behavior relation graph is then determined from the access relationships between the nodes.
For example, if a node actively accesses other nodes 0 times and is accessed by other nodes 2 or more times, its node type may be determined to be passive-access-only.
If a node is accessed exactly once in each business process, its node type may be determined to be access-once-only.
If a node is accessed 2 or more times in each business process, its node type may be determined to be multiple-access.
If a node is a business node in each of the several business processes formed from the at least two API traffic records, its node type may be determined to be a must-pass node.
An important node may be designated manually by the user, or a node through which a business passes may be determined to be an important node.
If a node is accessed by other nodes 0 times, that is, it has only out-degree and no in-degree, its node type may be determined to be the business start node.
If a node actively accesses other nodes 0 times, that is, it has only in-degree and no out-degree, its node type may be determined to be the business end node.
When the first behavior relation graph is used to detect abnormal access, the feature information of the nodes can serve as the criterion for abnormal access behavior. For example, if the first node is an access-once-only node and the current access behavior accesses it repeatedly within a short time, the current access behavior may be judged abnormal. As another example, if the first node is a passive-access-only node and it actively accesses other nodes, the current access behavior may be judged abnormal. As a further example, if the first node is a must-pass node but the current access behavior does not access it, the current access behavior may be judged abnormal.
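The graph construction from the Referer field (S201 and S202), the node typing and the detection rules just described, as an added worked example in Python that is not the patent's own code: the training sessions, the URL names and the finding labels are constructed assumptions, and the "important node" type is omitted because the patent says it is set manually. The detection treats a session as normal access traffic only when every node matches its feature information and every observed Referer-to-URL step is an edge of the graph.

```python
from collections import Counter

# Constructed training sessions of normal (non-attack) API traffic for one
# site, not the patent's data. Each session is the ordered list of URL nodes
# a user visited; the Referer of each request is the previous URL.
TRAINING_SESSIONS = [
    ["/login", "/home", "/item", "/item", "/cart", "/checkout", "/pay"],
    ["/login", "/home", "/item", "/item", "/item", "/cart", "/checkout", "/pay"],
    ["/login", "/home", "/item", "/item", "/cart", "/checkout", "/pay"],
]


def records_from_path(urls):
    """Turn an ordered URL list into request records carrying the Referer
    (the set field the patent uses to link consecutive accesses)."""
    return [{"url": u, "referer": urls[i - 1] if i else None} for i, u in enumerate(urls)]


class BehaviorGraph:
    """Directed graph: nodes are URLs, edge (src, dst) counts the direct
    accesses src -> dst recovered from the Referer field."""

    def __init__(self):
        self.nodes = set()
        self.edges = Counter()
        self.flow_counts = []   # one Counter of node visits per business flow
        self.features = {}      # node -> set of node types

    def add_flow(self, records):
        self.flow_counts.append(Counter(r["url"] for r in records))
        for r in records:
            self.nodes.add(r["url"])
            if r["referer"] is not None:
                self.edges[(r["referer"], r["url"])] += 1

    def out_degree(self, n):
        return sum(c for (s, _), c in self.edges.items() if s == n)

    def in_degree(self, n):
        return sum(c for (_, d), c in self.edges.items() if d == n)

    def classify(self):
        """Assign the patent's node types from degrees and per-flow visit counts."""
        for n in self.nodes:
            per_flow = [fc[n] for fc in self.flow_counts]
            ind, outd = self.in_degree(n), self.out_degree(n)
            types = set()
            if outd == 0 and ind >= 2:
                types.add("passive_only")
            if all(c == 1 for c in per_flow):
                types.add("access_once")
            if all(c >= 2 for c in per_flow):
                types.add("access_multiple")
            if all(c >= 1 for c in per_flow):
                types.add("must_pass")
            if ind == 0:
                types.add("service_start")
            if outd == 0:
                types.add("service_end")
            self.features[n] = types
        return self.features

    def detect(self, records):
        """Detection step: match the node information of new traffic against
        the graph's feature information; each mismatch becomes a finding.
        An empty list means the traffic is normal access traffic."""
        findings = []
        visited = Counter(r["url"] for r in records)
        for r in records:
            url, ref = r["url"], r["referer"]
            if url not in self.nodes:
                findings.append(("unknown_node", url))
                continue
            if ref is not None and (ref, url) not in self.edges:
                findings.append(("no_access_relation", f"{ref}->{url}"))
            if ref is not None and "passive_only" in self.features.get(ref, ()):
                findings.append(("passive_node_accessed_actively", ref))
        for n, c in visited.items():
            if c >= 2 and "access_once" in self.features.get(n, ()):
                findings.append(("access_once_repeated", n))
        for n, types in self.features.items():
            if "must_pass" in types and visited[n] == 0:
                findings.append(("must_pass_skipped", n))
        return findings


def build_demo_graph():
    g = BehaviorGraph()
    for session in TRAINING_SESSIONS:
        g.add_flow(records_from_path(session))
    g.classify()
    return g


if __name__ == "__main__":
    g = build_demo_graph()
    print(g.detect(records_from_path(["/login", "/home", "/pay"])))   # bypass of must-pass nodes
```

A replayed final request (/pay twice) trips the access-once rule, while a session that jumps from /home straight to /pay is flagged both for the missing edge and for every must-pass node it skipped; the two attack classes the summary names (replay and bypass) map onto those rules.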
Referring to fig. 3, in an embodiment, when constructing the first behavior relation graph based on the at least two second API traffic records, the method comprises:
S301, acquiring information of the edges in the first behavior relation graph; the information of an edge represents the access probability between the nodes corresponding to that edge.
Here, the information of an edge mainly refers to the access probability between the two nodes it connects. For example, if node A directly accesses node B and node C, the access probability from A to B equals (number of times A accesses B) / (number of times A accesses B + number of times A accesses C).
S302, updating the feature information of each node of the first behavior relation graph based on the information of the edges in the first behavior relation graph.
The information of an edge is written into the feature information of the node corresponding to that edge and can serve as an aid in abnormality detection. When the edge information is the inter-node access probability, that probability can be used as the confidence of the abnormality result when an abnormality is detected on the first behavior relation graph.
For example, suppose node A - node B - node C is a complete access link, the access probability from A to B is 70% and from B to C is 80%. Here, the access probability from A to B equals the number of times A accesses B divided by the number of times A accesses all nodes, and the access probability from B to C equals the number of times B accesses C divided by the number of times B accesses all nodes. If the current access behavior goes from node A directly to node C without visiting the intermediate node B, and node B is a must-pass node, the current access behavior can be regarded as abnormal with a confidence of 70%: the lowest access probability among the nodes of the complete access link is taken as the confidence of the abnormality detection result.
Referring to fig. 4, in an embodiment, after obtaining the parameter values of the set access parameters of the nodes of the first behavioral graph, the method further includes:
S401, obtaining the parameter values of the set access parameters of each node of the first behavioral graph.
Here, the set access parameters may include one or more of: the access frequency between graph nodes, the access probability between graph nodes, the number of accessing Internet Protocol (IP) addresses, the access time, and the total number of intra-domain accesses.
By analyzing the at least two second API traffic flows, the parameter values of the set access parameters between the nodes of the first behavior relational graph can be obtained.
The access frequency between the nodes in the graph is calculated in the above embodiment, and is not described here.
The number of times each node directly accesses other nodes is counted, and these counts are accumulated to obtain the total number of intra-domain accesses of that node.
The number of times a node accesses other nodes per unit time is called the access frequency between graph nodes.
S402, determining the connected nodes that represent low-frequency access behaviors in the first behavior relation graph based on the parameter values of the set access parameters of each node.
For example, when the set access parameter is the access frequency between graph nodes, connected nodes whose access frequency is smaller than a set threshold may be determined to be connected nodes representing low-frequency access behavior.
S403, deleting the connecting lines between the connected nodes representing low-frequency access behaviors in the first behavior relation graph.
By deleting the connecting lines between the connected nodes representing low-frequency access behaviors, the low-frequency access behaviors are filtered out of the first behavior relational graph, and the anomaly detection precision of the first behavior relational graph can be improved.
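The graph construction steps S301 to S403 worked through on a constructed API audit log, as an added example that is not part of the patent: direct edges come from consecutive requests of one session, edge probability is count(A->B) / count(A->any), access frequency is accesses per minute over an assumed observation window, edges below a frequency threshold are pruned, and the confidence of an anomaly on a complete link is the lowest edge probability along it. The log entries, the 600-second window and the 0.15/min threshold are all invented for this example.

```python
from collections import defaultdict

# Constructed API audit log: (session_id, timestamp in seconds, URL path).
# These values are invented for this example and are not from the patent.
AUDIT_LOG = [
    ("s1", 0, "/login"), ("s1", 5, "/goods"), ("s1", 9, "/cart"), ("s1", 20, "/order"),
    ("s2", 100, "/login"), ("s2", 104, "/goods"), ("s2", 110, "/cart"), ("s2", 118, "/order"),
    ("s3", 200, "/login"), ("s3", 206, "/goods"), ("s3", 215, "/cart"), ("s3", 230, "/order"),
    ("s4", 300, "/login"), ("s4", 303, "/goods"), ("s4", 320, "/order"),   # one session skips /cart
    ("s5", 400, "/login"), ("s5", 402, "/help"),                           # one rare side path
]
OBSERVATION_WINDOW = 600  # seconds of traffic the constructed log is assumed to cover


def build_edge_counts(log):
    """edge_counts[a][b] = how often node a directly accessed node b.
    Consecutive requests of one session, in time order, form a direct edge."""
    edge_counts = defaultdict(lambda: defaultdict(int))
    by_session = defaultdict(list)
    for session, ts, url in log:
        by_session[session].append((ts, url))
    for requests in by_session.values():
        requests.sort()
        for (_, src), (_, dst) in zip(requests, requests[1:]):
            edge_counts[src][dst] += 1
    return edge_counts


def intra_domain_totals(edge_counts):
    """Node feature: total number of direct accesses a node makes to other nodes."""
    return {src: sum(dsts.values()) for src, dsts in edge_counts.items()}


def edge_probabilities(edge_counts):
    """S301: P(a -> b) = count(a -> b) / count(a -> any node)."""
    probs = {}
    for src, dsts in edge_counts.items():
        total = sum(dsts.values())
        for dst, n in dsts.items():
            probs[(src, dst)] = n / total
    return probs


def edge_frequencies(edge_counts, window_seconds, unit_seconds=60):
    """S401: accesses per unit time (default: per minute) for every edge."""
    units = window_seconds / unit_seconds
    return {(s, d): n / units for s, dsts in edge_counts.items() for d, n in dsts.items()}


def prune_low_frequency(edge_counts, window_seconds, threshold, unit_seconds=60):
    """S402/S403: drop edges whose access frequency is below the threshold and
    return the surviving edge set (the strongly associated graph)."""
    freq = edge_frequencies(edge_counts, window_seconds, unit_seconds)
    return {edge for edge, f in freq.items() if f >= threshold}


def chain_confidence(probs, chain):
    """Confidence of an anomaly on a complete access link: the lowest edge
    probability along the link, as the text prescribes."""
    return min(probs[(a, b)] for a, b in zip(chain, chain[1:]))


if __name__ == "__main__":
    counts = build_edge_counts(AUDIT_LOG)
    probs = edge_probabilities(counts)
    kept = prune_low_frequency(counts, OBSERVATION_WINDOW, threshold=0.15)
    print("P(/goods -> /cart) =", probs[("/goods", "/cart")])        # 0.75
    print("edges kept after pruning:", sorted(kept))
    print("confidence for a bypass on /login -> /goods -> /cart -> /order:",
          chain_confidence(probs, ["/login", "/goods", "/cart", "/order"]))  # 0.75
```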
The constructed first behavior relational graph can be used for detecting abnormal access traffic, and when the abnormal access detection is carried out on the first behavior relational graph, the first behavior relational graph is used for acquiring node information in the current access traffic and judging whether the node information meets the access relation corresponding to the first behavior relational graph or not.
Referring to fig. 5, fig. 5 is a schematic flow chart illustrating an implementation process of an abnormal access detection method according to an embodiment of the present invention, where the abnormal access detection method may be executed by the first behavior relationship diagram, a physical execution subject of the abnormal access detection method may be an electronic device such as a desktop computer and a notebook computer, and a function implemented by the first behavior relationship diagram may be implemented by a processor in the electronic device. The abnormal access detection method comprises the following steps:
S501, determining at least one node corresponding to the first API traffic; a node represents a network address corresponding to the first API traffic.
Here, the first API traffic may refer to one access flow, or to all access flows corresponding to one service access process. For example, after the user successfully logs in to the shopping application and places an order, the access flows corresponding to that service access process belong to the first API traffic.
The first API traffic may also refer to all access traffic received within a set time period, for example, access traffic received every 10 minutes is taken as the first API traffic.
Here, the node refers to a network address corresponding to the first API traffic, and the network address may be a URL. The first API traffic corresponds to at least one node, for example, in a replay attack scenario, if an attacker repeatedly accesses the same URL, the first API traffic corresponds to one node.
S502, obtaining node information corresponding to each node of the at least one node.
Here, the node information may include information such as the access frequency at which the node accesses other nodes, the access time, and the number of accessing IPs. Which information the node information specifically includes is not limited by the present application.
For example, in a replay attack scenario, the number of accesses to the same URL is counted, as well as the access time for each access. For another example, in a multi-node access scenario, the time and the number of times each node is accessed are recorded, and the access sequence of the multi-node can be known according to the node access time.
S503, detecting whether the information of each node meets the access relation corresponding to the first behavior relation graph or not to obtain a detection result; the detection result represents whether the first API flow is abnormal access flow or not; the at least one node is a node in the first behavioral relationship graph; and the edge of the first behavior relation graph represents the access relation between two nodes corresponding to the edge.
The first behavior relational graph is obtained by mining normal access behaviors of a user according to a network track of interaction between the user and an application program function from the perspective of user behaviors and abstracted into a graph representation mode. The first behavioral graph represents normal access logic and can identify API logic anomalies in the data stream.
The first behavior relationship graph corresponds to access relationships; for example, in the first behavior relationship graph node A is connected to node B, and node B is connected to node C. The arrow direction of the connecting lines is A pointing to B, and B pointing to C. This access relation indicates that node A, node B and node C have a dependency relation: node B must be accessed from node A before node C can be accessed from node B. If node A directly accesses node C, the access relation corresponding to the first behavior relation graph is not satisfied; likewise, if node A accesses node C first and then accesses node B, the access relation corresponding to the first behavior relation graph is not satisfied.
In an embodiment, the detecting whether the information of each node satisfies the access relationship corresponding to the first behavior relationship diagram to obtain a detection result includes:
under the condition that the access relation corresponding to the first behavior relation graph is met among all the node information, obtaining a detection result that the first API flow is a normal access flow;
and under the condition that the access relation corresponding to the first behavior relation graph is not satisfied among the node information, obtaining a detection result that the first API flow is abnormal access flow.
Here, if the first API traffic corresponds to only one node, it is only necessary to determine whether the node satisfies the access relationship corresponding to the first behavior relationship graph. If the first API traffic corresponds to at least two nodes, whether the access relationship corresponding to the first behavior relationship graph is met between the node information needs to be respectively judged.
In a scenario where the first API traffic corresponds to only one node, for example a replay attack scenario, the access relation corresponding to the first behavior relation graph specifies that node A may be accessed only once; if the node information of node A indicates that the first API traffic repeatedly accesses node A many times within a short time, the node information of node A does not satisfy the access relation corresponding to the first behavior relation graph, and the first API traffic is determined to be abnormal access traffic.
For another example, the access relationship corresponding to the first behavior relationship graph specifies that node A is accessed first and then node B. However, the node information of node A and node B shows that the access time of node B is before the access time of node A, which means that the first API traffic accessed node B first and then node A. Therefore, the access relationship corresponding to the first behavior relationship graph is not satisfied between the node information of node A and the node information of node B, and the first API traffic is determined to be abnormal access traffic.
For another example, the access relationship corresponding to the first behavior relationship graph specifies the access sequence: node A must access node B first, and then node B must access node C. However, the access times in the node information show that in the first API traffic node A accessed node C first and then node B. Therefore, the node information of node A, node B and node C does not satisfy the access relation corresponding to the first behavior relation graph, and the first API traffic is determined to be abnormal access traffic.
Or the node corresponding to the first API traffic is not in the first behavior relational graph, which indicates that the first API traffic exceeds the access right and belongs to the unauthorized access, and the first API traffic is determined to be the abnormal access traffic.
In an embodiment, the detecting whether the information of each node satisfies the access relationship corresponding to the first behavior relationship diagram to obtain a detection result includes:
matching the information of each node with the characteristic information of the corresponding node in the first behavior relation graph;
if the information of each node is successfully matched with the characteristic information of the corresponding node in the first behavior relation graph, obtaining a detection result that the first API traffic is normal access traffic;
if the matching of the node information with the characteristic information of the corresponding node in the first behavior relation graph fails, obtaining a detection result that the first API traffic is abnormal access traffic.
Here, each node has corresponding feature information, and the feature information may include: node type, access frequency between graph nodes, access probability between graph nodes, access sequence between graph nodes, number of accessing IPs, access time, total number of intra-domain accesses, and the like. Which information the feature information specifically includes is not limited by the present application.
The node information is matched with the characteristic information of the corresponding node. For example, the characteristic information of node A includes a node type stating that node A may be accessed only once, but the node information of node A indicates that node A was repeatedly accessed many times within a short time; the matching between the node information of node A and the characteristic information of node A therefore fails, and the first API traffic is abnormal access traffic.
As another example, the characteristic information of node A includes an access order, which specifies that node A should be accessed before node B. However, the access times in the node information of node A and node B show that node A was accessed after node B, so the matching between the node information of node A and the characteristic information of node A fails, and the first API traffic is determined to be abnormal access traffic.
If the characteristic information also includes the access probability between graph nodes, the reliability of the anomaly result is output according to the access probability between graph nodes when an anomaly is detected.
The first behavioral graph of the present application may be used for abnormal access detection in various scenarios, and may identify API logic abnormalities, for example, the following 5 scenarios:
1. Replay attacks, i.e. a large number of repeated accesses to a certain URL.
By calculating the access frequency of the URL, if it exceeds the access frequency specified by the first behavior relation graph, abnormal access is detected.
2. Bypassing, i.e. skipping a service segment in a workflow, such as bypassing the payment service in e-commerce to achieve a zero-yuan purchase.
For example, the normal shopping flow specified by the first behavioral graph is "select goods - add to shopping cart - place order and settle", which requires these 3 nodes to be accessed in sequence. If the user bypasses the payment service to achieve a zero-yuan purchase, the fact that the "place order and settle" node was not accessed can be detected, the service flow is abnormal, and abnormal access is detected.
3. The service access sequence in the workflow is out of order, for example, in an audit service the service is submitted first and then audited.
For example, for node A and node B, the service access sequence specified by the first behavior relation graph is A - B, i.e. node A is accessed before node B. By acquiring the access times of node A and node B: if the access time of node A is before the access time of node B, the service access sequence is correct; if the access time of node A is after the access time of node B, the service access sequence is wrong, and abnormal access is detected.
4. Directly accessing a certain intermediate service node, for example, directly accessing a post-login service node.
This behavior is similar to the bypass scenario: the normal service access sequence should be login first and then access the service node, so if the login node was not accessed, abnormal access is detected.
5. Access to services that have not been learned, such as unauthorized access to high-privilege services.
If the URL accessed by the user is not a node in the first behavior relation graph, the user may be accessing the URL without authorization, and abnormal access is detected.
In practical application, if abnormal access traffic is detected, an alarm can be raised to prompt the user to perform security maintenance.
The embodiment of the invention determines at least one node corresponding to the first API traffic, obtains the node information corresponding to each node, detects whether the node information satisfies the access relation corresponding to the first behavior relation graph, and obtains a detection result, where the detection result represents whether the first API traffic is abnormal access traffic. The nodes represent network addresses of the first API traffic, the at least one node is a node in the first behavior relation graph, and any edge of the first behavior relation graph represents an access relation between the two nodes corresponding to the edge. According to the embodiment of the invention, logic errors in API traffic can be effectively identified through the access relation corresponding to the first behavior relation graph, and behavior detection of access to restricted functions and sensitive information in an abnormal state is realized; for example, attack behaviors such as replay attacks and bypass attacks can be identified, and the gap in API logic defect detection in the current market is addressed.
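The detection step S503 and the five scenarios above, as an added example that is not part of the patent: a constructed first behavior relation graph (edges with their learned access probabilities, plus a once-only node type) is checked against the nodes and access times of one first API traffic flow. It goes slightly beyond the text by using a shortest-path search so that any skipped intermediate nodes are found, not just a single one, and reports the lowest edge probability on the skipped link as the confidence. The graph, the replay window and the replay count are invented for this example.

```python
from collections import deque

# Constructed first behavior relation graph: edge -> learned access probability.
# Values are invented for this example; they are not from the patent.
EDGE_PROB = {
    ("/login", "/goods"): 0.9, ("/login", "/account"): 0.1,
    ("/goods", "/cart"): 0.8, ("/goods", "/detail"): 0.2, ("/detail", "/cart"): 1.0,
    ("/cart", "/order"): 1.0, ("/order", "/pay"): 1.0,
}
ONCE_ONLY = {"/login", "/pay"}  # node type feature: may be accessed only once per flow
REPLAY_WINDOW = 10.0            # seconds; assumed meaning of "a short time"
REPLAY_COUNT = 3                # assumed number of hits that counts as repeated access


def _adjacency(edge_prob):
    adj = {}
    for src, dst in edge_prob:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, src, dst):
    """BFS along directed edges; returns the node list src..dst, or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def _confidence(edge_prob, path):
    """Lowest access probability along the link that was skipped."""
    return min(edge_prob[(a, b)] for a, b in zip(path, path[1:]))


def detect(traffic, edge_prob=EDGE_PROB, once_only=ONCE_ONLY):
    """traffic: list of (timestamp, url) making up one first API traffic flow.
    Returns findings as (kind, detail, confidence); an empty list means normal."""
    adj = _adjacency(edge_prob)
    destinations = {d for _, d in edge_prob}
    entries = {n for n in adj if n not in destinations}   # flow must start here
    findings = []
    ordered = sorted(traffic)

    # Scenario 5: node not in the graph -> access outside the learned authority.
    for url in sorted({u for _, u in ordered}):
        if url not in adj:
            findings.append(("unauthorized", url, 1.0))
    known = [(t, u) for t, u in ordered if u in adj]

    # Scenario 1: a once-only node hit REPLAY_COUNT times inside REPLAY_WINDOW.
    for node in sorted(once_only):
        times = [t for t, u in known if u == node]
        for i in range(len(times) - REPLAY_COUNT + 1):
            if times[i + REPLAY_COUNT - 1] - times[i] <= REPLAY_WINDOW:
                findings.append(("replay", node, 1.0))
                break

    # Scenario 4: the flow starts at an intermediate node (e.g. login skipped).
    if known and known[0][1] not in entries:
        for entry in sorted(entries):
            path = shortest_path(adj, entry, known[0][1])
            if path:
                findings.append(("bypass", " -> ".join(path), _confidence(edge_prob, path)))
                break

    # Scenarios 2 and 3: every consecutive pair must be a learned direct edge.
    for (_, a), (_, b) in zip(known, known[1:]):
        if a == b or (a, b) in edge_prob:
            continue
        forward = shortest_path(adj, a, b)
        if forward:                              # reachable, but nodes were skipped
            findings.append(("bypass", " -> ".join(forward), _confidence(edge_prob, forward)))
        elif shortest_path(adj, b, a):           # relation exists only the other way
            findings.append(("sequence_disorder", f"{a} before {b}", 1.0))
        else:
            findings.append(("no_relation", f"{a} -> {b}", 1.0))
    return findings


if __name__ == "__main__":
    print(detect([(0, "/login"), (1, "/goods"), (2, "/cart"), (3, "/order"), (4, "/pay")]))  # []
    print(detect([(0, "/login"), (1, "/goods"), (2, "/order")]))   # bypass of /cart, confidence 0.8
```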
Referring to fig. 6, fig. 6 is a schematic diagram of a first behavior relation diagram according to an embodiment of the present invention, where the first behavior relation diagram represents access relations among services, and the access relations in the first behavior relation diagram may be abstracted as the following adjacency list (table 1). As shown in fig. 6, there are two paths from the a node to the F node, and the path lengths are 3 and 5, respectively. Namely, a business access relation exists between the node A and the node F, but the node A cannot directly access the node F, so that the bypass abnormal behavior is inferred if the behavior that the node A directly accesses the node F exists.
[Table 1: adjacency list of the access relations shown in fig. 6; rendered as an image in the original and not reproduced here.]
Referring to fig. 7, fig. 7 is a schematic diagram of an anomaly detection process according to an embodiment of the present invention, where the anomaly detection process includes:
first, API interface identification and traffic extraction.
API traffic is filtered out of the historical traffic data by filtering methods such as Host clustering, parameter filtering, request method filtering and response code filtering, and the resulting API traffic is stored as an API audit log.
In an embodiment, the embodiment of the present invention extracts only RestAPI traffic from the historical network traffic, according to the set RestAPI reference format and specification requirements. Since a RestAPI path may contain a variable parameter at some level, e.g., baidu v1.com and baidu v2.com both point to the same RestAPI, it is also necessary to identify the variable parameter portion and merge the API traffic that points to the same RestAPI.
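The variable-parameter identification and merging step, as an added example that is not part of the patent: observed URLs are reduced to their path, and a path position is treated as a variable parameter either when the segment looks like an identifier or when at least three distinct literals occur there under the same prefix with identical sub-paths beneath them. Both heuristics, their thresholds and the sample URLs are assumptions of this example; the text does not specify how the variable portion is identified.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Heuristics assumed by this example: a segment is a variable parameter if it
# looks like an identifier (integer, long hex string, UUID) ...
ID_PATTERN = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$", re.IGNORECASE)
# ... or if at least this many distinct literals appear at one position under
# the same prefix and all of them have the same set of sub-paths beneath them.
VAR_SIBLING_THRESHOLD = 3

# Constructed sample of extracted API traffic (invented, not from the patent).
SAMPLE_URLS = [
    "http://shop.example/api/v1/users/1001/orders?page=1",
    "http://shop.example/api/v1/users/1002/orders",
    "http://shop.example/api/v1/users/1003/orders/",
    "http://shop.example/api/v1/goods/list",
    "http://shop.example/api/v1/goods/detail",
    "http://shop.example/api/v1/items/red/",
    "http://shop.example/api/v1/items/green",
    "http://shop.example/api/v1/items/blue",
]


def split_path(url):
    """Keep only the path part; drop scheme, host, query, fragment, empty segments."""
    return [seg for seg in urlsplit(url).path.split("/") if seg]


def templatize(urls):
    """Map each URL to a RestAPI template such as /api/v1/users/{var}/orders.
    Positions are decided depth by depth, so paths merged at an earlier depth
    share one sibling set at the next depth."""
    parts = [split_path(u) for u in urls]
    templates = [[] for _ in urls]
    max_depth = max((len(p) for p in parts), default=0)
    for depth in range(max_depth):
        # prefix template -> literal at this depth -> set of literal sub-paths
        siblings = defaultdict(lambda: defaultdict(set))
        for p, t in zip(parts, templates):
            if len(p) > depth:
                siblings[tuple(t)][p[depth]].add(tuple(p[depth + 1:]))
        for p, t in zip(parts, templates):
            if len(p) <= depth:
                continue
            seg, group = p[depth], siblings[tuple(t)]
            structural = (len(group) >= VAR_SIBLING_THRESHOLD
                          and len({frozenset(v) for v in group.values()}) == 1)
            variable = bool(ID_PATTERN.match(seg)) or structural
            t.append("{var}" if variable else seg)
    return ["/" + "/".join(t) for t in templates]


def merge_api_traffic(urls):
    """Count traffic per RestAPI template: the merge step described in the text."""
    return Counter(templatize(urls))


if __name__ == "__main__":
    for template, n in merge_api_traffic(SAMPLE_URLS).most_common():
        print(n, template)
```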
Secondly, constructing the access behavior relation graph.
The access behavior relation graph is the first behavior relation graph of the embodiment; the nodes and edges of the first behavior relation graph are constructed based on at least two second API traffic flows. A node of the first behavior relation graph represents the network address of the API traffic, and any edge of the first behavior relation graph represents the access relation between the two nodes corresponding to that edge.
Determining the node characteristics of each node in the first behavior relation graph based on the access relation among the nodes in the first behavior relation graph; the node characteristics characterize the node type.
Thirdly, learning and updating the feature graph.
Acquiring parameter values of set access parameters of each node of the first behavioral graph; and updating the characteristic information of each node of the first behavior relation graph based on the parameter value of the set access parameter of each node.
Determining connected nodes representing low-frequency access behaviors in the first behavior relational graph based on parameter values of set access parameters of all the nodes;
and deleting the connecting lines between the connected nodes representing low-frequency access behaviors in the first behavior relation graph.
The feature graph is learned and updated through the first behavior relation graph to obtain a strongly associated access behavior relation graph.
Fourthly, detecting whether the access behavior is abnormal.
Performing anomaly detection on the first API traffic based on the strongly-associated access behavior relation graph, and determining at least one node corresponding to the first API traffic; the node characterizes a network address corresponding to the first API flow. Acquiring node information corresponding to each node of at least one node, and detecting whether the node information meets an access relation corresponding to a strong association access behavior relation graph or not to obtain a detection result; and the detection result represents whether the first API flow is abnormal access flow.
If abnormal access traffic is detected, an alarm can be raised to prompt the user to perform security maintenance.
The embodiment of the invention focuses on API logic loopholes, and from the perspective of user behavior, normal access behaviors of users are mined according to network tracks of functional interaction between the users and application programs, the normal access behaviors of the users are abstracted into a graph representation mode, the dependency relationship between graph nodes is optimized based on an adaptive graph learning algorithm, and a strong association access behavior relational graph is generated. Any abnormal access behavior in the workflow can be identified through the strongly-associated access behavior relational graph under the non-attack behavior, and the behavior detection of access restricted functions and sensitive information under the abnormal state is realized. For example, bypass, replay, etc. attacks may be detected.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by functions and internal logic of the process, and should not limit the implementation process of the embodiments of the present invention in any way.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The technical means described in the embodiments of the present invention may be arbitrarily combined without conflict.
In addition, in the embodiments of the present invention, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
Referring to fig. 8, fig. 8 is a schematic diagram of an abnormal access detection apparatus according to an embodiment of the present invention, and as shown in fig. 8, the abnormal access detection apparatus includes: the device comprises a first determining module, a first obtaining module and a detecting module.
The first determining module is used for determining at least one node corresponding to the first API flow; the node represents a network address corresponding to the first API flow;
a first obtaining module, configured to obtain node information corresponding to each node of the at least one node;
the detection module is used for detecting whether the information of each node meets the access relation corresponding to the first behavior relation graph or not to obtain a detection result; the detection result represents whether the first API flow is abnormal access flow or not; the at least one node is a node in the first behavioral relationship graph; any edge of the first behavioral relation graph represents the access relation between two nodes corresponding to the edge.
In an embodiment, the detecting module detects whether the information of each node satisfies an access relationship corresponding to the first behavior relationship diagram, and obtains a detection result, including:
matching each node information with the characteristic information of the corresponding node in the first behavioral relation graph;
if the information of each node is successfully matched with the characteristic information of the corresponding node in the first behavior relation graph, obtaining a detection result that the first API flow is normal access flow;
and if the matching of the node information and the characteristic information of the corresponding node in the first behavior relation graph fails, obtaining a detection result that the first API flow is abnormal access flow.
Referring to fig. 9, fig. 9 is a schematic diagram of a behavior relation graph constructing apparatus according to an embodiment of the present invention, and as shown in fig. 9, the behavior relation graph constructing apparatus includes: the device comprises a second acquisition module and a construction module.
A second obtaining module, configured to obtain a network address of each of the at least two second API flows;
the construction module is used for constructing a first behavior relation graph based on the network address of each second API flow; the nodes of the first behavior relation graph represent network addresses of second API traffic, and the edges of the first behavior relation graph represent access relations between two nodes corresponding to the edges; the first behavior relation graph is used for executing the abnormal access detection method provided by the first aspect of the embodiment of the present invention.
In an embodiment, the building module builds the first behavioral graph based on the network address of each second API traffic, including:
analyzing the at least two second API flows to obtain a set field in each second API flow; the setting field represents context information of corresponding second API flow;
and determining nodes with direct access relations in the first behavioral relation graph based on the set fields, and connecting the nodes with the direct access relations to obtain edges of the first behavioral relation graph.
In an embodiment, the building module, when building the first behavioral graph based on the network address of each second API traffic, is configured to:
acquiring information of edges in the first behavioral graph; the information of the edge represents the access probability between the nodes corresponding to the edge;
and updating the characteristic information of each node of the first behavioral relationship graph based on the information of the edge in the first behavioral relationship graph.
In one embodiment, the apparatus further comprises:
a third obtaining module, configured to obtain a parameter value of a set access parameter of each node of the first behavioral graph;
the second determining module is used for determining the connected nodes which represent the low-frequency access behaviors in the first behavior relation graph based on the parameter values of the set access parameters of all the nodes;
and the deleting module is used for deleting the connecting lines among the connecting nodes which represent the low-frequency access behaviors in the first behavior relation graph.
In practical applications, the first determining module, the first obtaining module, the detecting module, the constructing module and the second obtaining module may be implemented by a processor in an electronic device, such as a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Micro Control Unit (MCU), or a Field Programmable Gate Array (FPGA).
It should be noted that: in the abnormal access detection apparatus provided in the foregoing embodiment, when performing abnormal access detection, only the division of the modules is exemplified, and in practical applications, the processing may be distributed to different modules according to needs, that is, the internal structure of the apparatus may be divided into different modules to complete all or part of the processing described above. In addition, the abnormal access detection apparatus provided in the above embodiment and the abnormal access detection method embodiment belong to the same concept, and specific implementation processes thereof are described in the method embodiment and are not described herein again.
The abnormal access detection device may be in the form of an image file, and after the image file is executed, the image file may run in the form of a container or a virtual machine, so as to implement the abnormal access detection method described in the present application. Of course, the method is not limited to the image file form, and any software form capable of implementing the data processing method described in the present application is within the protection scope of the present application.
Based on the hardware implementation of the program module, in order to implement the method of the embodiment of the present application, an embodiment of the present application further provides an electronic device. Fig. 10 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application, and as shown in fig. 10, the electronic device includes:
a communication interface, which can exchange information with other devices such as network devices;
a processor, connected to the communication interface to exchange information with other devices, and configured to execute the method provided by one or more of the technical solutions on the electronic device side when running a computer program; the computer program is stored in the memory.
Of course, in practice, the various components in an electronic device are coupled together by a bus system. It will be appreciated that a bus system is used to enable communications among the components. The bus system includes a power bus, a control bus, and a status signal bus in addition to a data bus. But for the sake of clarity the various buses are labeled as a bus system in figure 10.
The electronic device may be in a cluster form, for example, a cloud computing platform, where the cloud computing platform is a service form that organizes a plurality of independent server physical hardware resources into pooled resources by using computing virtualization, network virtualization, and storage virtualization technologies, and is a software-defined resource structure based on virtualization technology development, and may provide resource capabilities in the form of virtual machines, containers, and the like. The fixed relation between hardware and an operating system is eliminated, the communication of a network is relied on to unify resource scheduling, and then required virtual resources and services are provided.
The current cloud computing platform supports several service modes:
SaaS (Software as a Service): the cloud computing platform user does not need to purchase software, but rents the software deployed on the cloud computing platform instead, the user does not need to maintain the software, and a software service provider can manage and maintain the software in full right;
PaaS (Platform as a Service): a cloud computing platform user (usually a software developer at this time) can build a new application on a framework provided by the cloud computing platform, or expand an existing application, and does not need to purchase a development server, a quality control server or a production server;
IaaS (Infrastructure as a Service): the cloud computing platform provides data centers, infrastructure hardware and software resources through the internet, and the cloud computing platform in the IaaS mode can provide servers, operating systems, disk storage, databases and/or information resources.
The memory in the embodiments of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It will be appreciated that the memory can be volatile memory, non-volatile memory, or both. The non-volatile memory may be a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Ferromagnetic Random Access Memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory can be Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDR SDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed by the embodiment of the present application can be applied to a processor, or can be implemented by the processor. The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The processor described above may be a general purpose processor, a DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor may implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in a memory where a processor reads the programs in the memory and in combination with its hardware performs the steps of the method as previously described.
Optionally, when the processor executes the program, the corresponding process implemented by the electronic device in each method of the embodiment of the present application is implemented, and for brevity, no further description is given here.
In an exemplary embodiment, the present application further provides a storage medium, specifically a computer storage medium, for example, a first memory storing a computer program, where the computer program is executable by a processor of an electronic device to perform the steps of the foregoing method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device and method may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a logical functional division, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical or in other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps of implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer-readable storage medium, and when executed, executes the steps including the method embodiments; and the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media capable of storing program code.
Alternatively, if the integrated units described above are implemented as software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. On this understanding, the technical solutions of the embodiments of the present application, in essence or in the part that contributes to the prior art, may be embodied as a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
In addition, in the examples of the present application, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An abnormal access detection method, comprising:
determining at least one node corresponding to first application programming interface (API) traffic, the node representing a network address of the first API traffic;
acquiring node information corresponding to each node of the at least one node;
detecting whether the information of each node satisfies the access relation corresponding to a first behavioral relationship graph, to obtain a detection result; the detection result indicates whether the first API traffic is abnormal access traffic; the at least one node is a node in the first behavioral relationship graph; and an edge of the first behavioral relationship graph represents the access relation between the two nodes connected by that edge.
2. The method according to claim 1, wherein detecting whether the information of each node satisfies the access relation corresponding to the first behavioral relationship graph to obtain a detection result comprises:
matching each piece of node information with the characteristic information of the corresponding node in the first behavioral relationship graph;
if each piece of node information is successfully matched with the characteristic information of the corresponding node in the first behavioral relationship graph, obtaining a detection result that the first API traffic is normal access traffic;
and if the matching of the node information with the characteristic information of the corresponding node in the first behavioral relationship graph fails, obtaining a detection result that the first API traffic is abnormal access traffic.
3. A method for constructing a behavioral relationship graph, characterized by comprising the following steps:
obtaining the network address of each of at least two second API traffic flows;
constructing a first behavioral relationship graph based on the network address of each second API traffic flow; the nodes of the first behavioral relationship graph represent network addresses of the second API traffic, and the edges of the first behavioral relationship graph represent access relations between the two nodes connected by each edge; the first behavioral relationship graph is used to perform the abnormal access detection method according to any one of claims 1 to 2.
4. The method of claim 3, wherein constructing the first behavioral relationship graph based on the network address of each second API traffic flow comprises:
parsing the at least two second API traffic flows to obtain a set field in each second API traffic flow; the set field represents context information of the corresponding second API traffic flow;
and determining the nodes having a direct access relation in the first behavioral relationship graph based on the set fields, and connecting the nodes having a direct access relation to obtain the edges of the first behavioral relationship graph.
5. The method of claim 3, wherein, in constructing the first behavioral relationship graph based on the network address of each second API traffic flow, the method comprises:
acquiring information of the edges in the first behavioral relationship graph; the information of an edge represents the access probability between the nodes connected by that edge;
and updating the characteristic information of each node of the first behavioral relationship graph based on the information of the edges in the first behavioral relationship graph.
6. The method of claim 3, wherein, after constructing the first behavioral relationship graph based on the at least two second API traffic flows, the method further comprises:
acquiring parameter values of set access parameters for each node of the first behavioral relationship graph;
determining the connected nodes that represent low-frequency access behavior in the first behavioral relationship graph based on the parameter values of the set access parameters of all the nodes;
and deleting the edges between the connected nodes that represent low-frequency access behavior in the first behavioral relationship graph.
7. An abnormal access detection apparatus, comprising:
a first determining module, configured to determine at least one node corresponding to first API traffic; the node represents a network address corresponding to the first API traffic;
a first obtaining module, configured to obtain node information corresponding to each node of the at least one node;
a detection module, configured to detect whether the information of each node satisfies the access relation corresponding to a first behavioral relationship graph, to obtain a detection result; the detection result indicates whether the first API traffic is abnormal access traffic; the at least one node is a node in the first behavioral relationship graph; any edge of the first behavioral relationship graph represents the access relation between the two nodes connected by that edge.
8. An apparatus for constructing a behavioral relationship graph, comprising:
a second obtaining module, configured to obtain the network address of each of at least two second API traffic flows;
a construction module, configured to construct a first behavioral relationship graph based on the network address of each second API traffic flow; the nodes of the first behavioral relationship graph represent network addresses of the second API traffic, and the edges of the first behavioral relationship graph represent access relations between the two nodes connected by each edge; the first behavioral relationship graph is used to perform the abnormal access detection method according to any one of claims 1 to 2.
9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the abnormal access detection method according to any one of claims 1 to 2 or the method of constructing the behavioral graph according to claims 3 to 6 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to execute the abnormal access detection method of any one of claims 1 to 2 or the method of constructing a behavioral graph of claims 3 to 6.
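The build-then-match procedure of the claims as an added Python example (not the patent's or Sangfor's code): addresses, counts and pruning thresholds are constructed, and the extraction of the source/destination pair from each request's context field (claim 4) is assumed to have already happened.

```python
"""Behavioural relationship graph for API access detection.

Added example, not the patent's own code. It models the claimed procedure:
build a graph whose nodes are the network addresses seen in API traffic and
whose directed edges are observed access relations (claims 3-4), attach the
access probability to each edge (claim 5), delete edges that represent
low-frequency access (claim 6), and then judge new traffic by matching its
nodes against the graph (claims 1-2). All addresses, thresholds and records
below are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed "second API traffic": (source address, destination address, count).
# In practice the pair comes from a context field of each request (claim 4).
TRAINING_TRAFFIC = [
    ("10.0.1.5", "10.0.2.10", 40),   # web front end -> API gateway
    ("10.0.2.10", "10.0.3.20", 25),  # gateway -> user service
    ("10.0.2.10", "10.0.3.21", 15),  # gateway -> order service
    ("10.0.1.5", "10.0.3.21", 1),    # one-off direct call, low frequency
]


def expand(summary):
    """Turn (src, dst, count) triples into the flat flow list the builder takes."""
    return [(s, d) for s, d, n in summary for _ in range(n)]


def build_graph(flows):
    """Nodes are addresses; graph[src][dst] is the number of observed accesses."""
    graph = defaultdict(Counter)
    for src, dst in flows:
        graph[src][dst] += 1
    return graph


def edge_probabilities(graph):
    """Edge information: P(dst | src), the access probability along each edge."""
    probs = {}
    for src, dsts in graph.items():
        total = sum(dsts.values())
        for dst, n in dsts.items():
            probs[(src, dst)] = n / total
    return probs


def prune_low_frequency(graph, min_count=2, min_prob=0.05):
    """Drop edges whose access parameters (count, probability) mark them as rare."""
    probs = edge_probabilities(graph)
    pruned = defaultdict(Counter)
    for (src, dst), p in probs.items():
        n = graph[src][dst]
        if n >= min_count and p >= min_prob:
            pruned[src][dst] = n
    return pruned


def node_features(graph):
    """Characteristic information per node: the peers it accesses and is accessed by."""
    feats = defaultdict(lambda: {"out": set(), "in": set()})
    for src, dsts in graph.items():
        for dst in dsts:
            feats[src]["out"].add(dst)
            feats[dst]["in"].add(src)
    return dict(feats)


def detect(features, src, dst):
    """Claims 1-2: match the nodes of incoming traffic against the graph."""
    if src not in features or dst not in features:
        return {"abnormal": True, "reason": "unknown node"}
    if dst not in features[src]["out"]:
        return {"abnormal": True, "reason": "no access relation"}
    return {"abnormal": False, "reason": "matches graph"}


if __name__ == "__main__":
    feats = node_features(prune_low_frequency(build_graph(expand(TRAINING_TRAFFIC))))
    for src, dst in [("10.0.1.5", "10.0.2.10"), ("10.0.1.5", "10.0.3.21"),
                     ("192.168.9.9", "10.0.2.10")]:
        print(src, "->", dst, detect(feats, src, dst))
```

After pruning, the single direct front-end-to-order-service call no longer has an edge, so a repeat of it is reported as having no access relation rather than being silently accepted.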
CN202210472963.6A 2022-04-29 2022-04-29 Abnormal access detection method and device, electronic equipment and storage medium Active CN114650187B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210472963.6A CN114650187B (en) 2022-04-29 2022-04-29 Abnormal access detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114650187A true CN114650187A (en) 2022-06-21
CN114650187B CN114650187B (en) 2024-02-23

Family

ID=81997744

Country Status (1)

Country Link
CN (1) CN114650187B (en)

Citations (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140282626A1 (en) * 2013-03-12 2014-09-18 Apigee Corporation Processing of application programming interface traffic
CN107395461A (en) * 2017-08-29 2017-11-24 深信服科技股份有限公司 A kind of safe condition method for expressing and system based on access relation
US20180115578A1 (en) * 2016-10-26 2018-04-26 Elastic Beam, Inc. Methods and systems for deep learning based api traffic security
CN109245914A (en) * 2018-08-06 2019-01-18 深圳市华讯方舟太赫兹科技有限公司 Dynamic Configuration, parameter monitor end and parameter configuration end
CN109344611A (en) * 2018-09-06 2019-02-15 平安普惠企业管理有限公司 Access control method, terminal device and the medium of application
CN109450879A (en) * 2018-10-25 2019-03-08 中国移动通信集团海南有限公司 User access activity monitoring method, electronic device and computer readable storage medium
CN111221722A (en) * 2019-09-23 2020-06-02 平安科技(深圳)有限公司 Behavior detection method and device, electronic equipment and storage medium
CN111526119A (en) * 2020-03-19 2020-08-11 北京三快在线科技有限公司 Abnormal flow detection method and device, electronic equipment and computer readable medium
CN111698110A (en) * 2019-03-14 2020-09-22 深信服科技股份有限公司 Network equipment performance analysis method, system, equipment and computer medium
CN111723338A (en) * 2019-03-18 2020-09-29 京东数字科技控股有限公司 Detection method and detection equipment
CN112152778A (en) * 2020-09-22 2020-12-29 腾讯科技(深圳)有限公司 Node management method and device and electronic equipment
US20210152555A1 (en) * 2019-11-20 2021-05-20 Royal Bank Of Canada System and method for unauthorized activity detection
CN112905690A (en) * 2021-04-01 2021-06-04 北京理工大学 Financial time sequence data mining method and system based on hypergraph
CN113572721A (en) * 2020-04-29 2021-10-29 深信服科技股份有限公司 Abnormal access detection method and device, electronic equipment and storage medium
CN113572719A (en) * 2020-04-29 2021-10-29 深信服科技股份有限公司 Domain name detection method, device, equipment and readable storage medium
CN113610521A (en) * 2021-07-27 2021-11-05 胜斗士(上海)科技技术发展有限公司 Method and apparatus for detecting anomalies in behavioral data
WO2021223177A1 (en) * 2020-05-07 2021-11-11 深圳市欢太科技有限公司 Abnormal file detection method and related product
CN113703915A (en) * 2021-08-17 2021-11-26 深信服科技股份有限公司 Access relation visualization method and device, electronic equipment and storage medium
CN113904943A (en) * 2021-09-26 2022-01-07 北京百度网讯科技有限公司 Account detection method and device, electronic equipment and storage medium
CN114329452A (en) * 2021-12-31 2022-04-12 深信服科技股份有限公司 Abnormal behavior detection method and device and related equipment
CN114338190A (en) * 2021-12-30 2022-04-12 奇安信科技集团股份有限公司 Entity behavior correlation analysis method and device, electronic equipment and storage medium
CN114363212A (en) * 2021-12-27 2022-04-15 绿盟科技集团股份有限公司 Equipment detection method, device, equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李振: "A detection method for distributed denial-of-service attacks", Computer Knowledge and Technology, no. 16, pages 4140-4141 *
谢逸; 余顺争: "Statistical anomaly detection based on Web user browsing behaviour", Journal of Software, no. 04, pages 967-977 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115225385A (en) * 2022-07-20 2022-10-21 深信服科技股份有限公司 Flow monitoring method, system, equipment and computer readable storage medium
CN115225385B (en) * 2022-07-20 2024-02-23 深信服科技股份有限公司 Flow monitoring method, system, equipment and computer readable storage medium
CN116781431A (en) * 2023-08-24 2023-09-19 华南理工大学 API interface abnormal behavior monitoring method based on flow characteristics

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant