CN114978590A - API (application program interface) security protection method and device and readable storage medium - Google Patents


Info

Publication number: CN114978590A
Authority: CN (China)
Prior art keywords: target, service request, analysis, attack, service
Legal status: Pending
Application number: CN202210389284.2A
Other languages: Chinese (zh)
Inventors: 陈志勇, 蔡舒晗
Current assignee: Wangsu Science and Technology Co Ltd
Original assignee: Wangsu Science and Technology Co Ltd
Application filed by Wangsu Science and Technology Co Ltd
Priority to CN202210389284.2A
Publication of CN114978590A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

After a security server receives a service request initiated by a requesting end device, requesting to call a target API deployed on a service server, a target record corresponding to the target API in an analysis table is updated according to the service request, and it is judged whether the updated target record triggers an attack judgment rule. If the target record triggers the attack judgment rule, the service request is processed according to the strategy indicated by the attack judgment rule. With this scheme, the security server improves the security protection capability of the target API by analyzing service requests in real time, prevents attack requests from bypassing the protection strategy and illegally calling the target API, reduces the influence of attack traffic aimed at the target API on the service, and thereby improves service security. Moreover, because the analysis is carried out in real time, the lag inherent in the traditional protection means of analyzing service logs is avoided.

Description

API (application program interface) security protection method and device and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to an API security protection method, device, and readable storage medium.
Background
At present, as internet applications diversify and grow more complex, offering applications as services has become a marked trend, and more and more applications provide Application Programming Interfaces (APIs) to be called by demanding parties.
To make it easy for the demanding party to call the API, the API is generally simple and open by nature. However, these same properties give malicious attackers many ways to reach corporate data, and have even been used to cause extensive service outages. When an API call service is provided externally, security protection processing is therefore usually required on the API to prevent malicious attacks from affecting the service. Common API security measures include: a protection means based on token authentication, a protection means that limits the call frequency of the API, a protection means that analyzes service logs, and the like.
In practice, these protection means cannot intercept some attack requests, so that the attack requests bypass the protection strategy to illegally call the API, and service security is threatened.
Disclosure of Invention
The application provides an API safety protection method, equipment and a readable storage medium, which improve the safety protection capability of the API by analyzing the service behavior flow in real time and reduce the times of illegally calling the API, thereby achieving the purpose of improving the service safety.
In a first aspect, an embodiment of the present application provides an API security protection method, which is applied to a security server, and the method includes:
receiving a service request initiated by a request terminal device, wherein the service request is used for requesting to call a target API provided by a service server;
updating an analysis table according to the service request, so that a target record corresponding to a target domain name in the analysis table records the latest value of each analysis factor in the plurality of analysis factors of the target API, wherein the target domain name is a domain name contained in a target URL corresponding to the target API;
determining whether the target record triggers an attack judgment rule of the target domain name;
and when the target record triggers the attack judgment rule, processing the service request according to a strategy indicated by the attack judgment rule.
In a second aspect, an embodiment of the present application provides an API security protection method, which is applied to a policy server, and the method includes:
receiving indication information, wherein the indication information indicates the condition that the latest value of each of a plurality of analysis factors recorded in a target record of a target domain name satisfies when a service request requesting to call a target API is an attack request, and the target domain name is the domain name contained in the target URL corresponding to the target API;
generating an attack judgment rule according to the indication information;
and sending the attack judgment rule to a security server.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a computer program stored on the memory and executable on the processor, the processor executing the computer program to cause the electronic device to implement the method as described in the various possible implementations of the first or second aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, in which computer instructions are stored, and when executed by a processor, the computer instructions are used to implement the method according to the various possible implementation manners of the first aspect or the second aspect.
According to the API security protection method, the device and the readable storage medium provided by the embodiment of the application, after the security server receives a service request which is initiated by a request terminal device and requests to call a target API deployed on the service server, a target record corresponding to the target API in an analysis table is updated according to the service request, and whether the updated target record triggers an attack judgment rule or not is judged. And if the target record triggers the attack judgment rule, processing the service request according to the strategy indicated by the attack judgment rule. By adopting the scheme, the security server improves the security protection capability of the target API by analyzing the service request in real time, avoids the attack request from bypassing the protection strategy and illegally calling the target API, reduces the influence of the attack flow aiming at the target API on the service, and achieves the purpose of improving the service security. Moreover, because the real-time analysis is carried out, the hysteresis existing in the traditional protection means for analyzing the service log can be avoided. Meanwhile, when the service request is an attack request, only the service request is processed, and a plurality of service requests are not processed from an IP dimension, a session dimension and the like, so that the phenomenon of mistakenly blocking normal service requests cannot occur, and the influence range of safety protection is well controlled.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a schematic diagram of a network architecture of an API security protection method provided in an embodiment of the present application;
FIG. 2 is a flowchart of an API security protection method provided by an embodiment of the present application;
FIG. 3 is another flowchart of an API security protection method provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a configuration interface in an API security protection method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an API security protection device according to an embodiment of the present application;
FIG. 6 is a schematic diagram of another API security protection device provided in an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
An Application Programming Interface (API) is a predefined function that encapsulates a service capability so that it can be accessed by a requesting party. APIs are flexible to call and open by nature, and are widely used in high-tech industries such as video media and Internet of Things applications. However, while APIs provide convenience to developers, they also face security threats, and most current security safeguards target the web, with security awareness and measures for APIs lagging far behind. Attackers exploit the simple, open character of the API to access company business data maliciously, and even cause large-scale business interruption. As the volume and sensitivity of the data that APIs carry increase, attacks on APIs have become more complex and frequent, seriously affecting the security of service data.
Currently, the security measures for APIs include: a protection means based on token authentication, a protection means that limits the call frequency of the API, a protection means that analyzes service logs, and the like.
The protection means based on token verification works as follows: the validity of a service request to access the API is verified by negotiating a token. However, many enterprises expose APIs that are aimed directly at end users, such as most web APIs. Such end-user-oriented APIs are difficult to authenticate by negotiating a token with the user. Even where authentication is possible, the negotiated token is often captured and reused, thereby bypassing the verification of the security policy.
The protection means that limits the call frequency of the API restricts the number of accesses to the API on a dimension that can uniquely identify a client, such as the client's IP address or the client's session. However, since different users access at different rates, a limit threshold that is set too low is likely to block normal users by mistake, while a threshold that is set too high lets attack requests through, so that part of the attack requests bypass the verification of the security policy.
The protection means that analyzes service logs examines the historical service log, identifies an abnormal client according to a specified anomaly judgment rule, and handles that client's subsequent service requests. However, because the analysis of historical logs lags behind the traffic, some attack requests are missed and timeliness cannot be guaranteed. Moreover, by the time the abnormal client has been identified, it may issue no further attack requests at all.
From the above it can be seen that the existing API security protection means cannot intercept some attack requests, so that the attack requests bypass the protection strategy to illegally call the API, and service security is threatened.
Based on this, embodiments of the present application provide an API security protection method, device, and readable storage medium, which improve the security protection capability of the API by analyzing a service behavior stream in real time, and reduce the number of times of illegally calling the API, thereby achieving the purpose of improving service security.
Fig. 1 is a schematic network architecture diagram of an API security protection method according to an embodiment of the present application. Referring to fig. 1, the network architecture includes: a security server 11, a policy server 12, a service server 13, a requesting end device 14 and a configuring end device 15. The security server 11 establishes network connections with the policy server 12, the service server 13 and the requesting end device 14. A network connection is established between the configuring end device 15 and the policy server 12.
The security server 11 may be hardware or software. When the security server 11 is hardware, it may be a single server or a distributed server cluster composed of a plurality of servers. When the security server 11 is software, it may be a plurality of software modules or a single software module, and the embodiments of the present application are not limited. Similarly, the policy server 12 and the service server 13 may also be software or hardware, and the embodiment of the present application is not limited.
In the architecture shown in fig. 1, the security server 11, the policy server 12, and the service server 13 are physically independent 3 servers. In practical implementation, any two or all of the three servers may also be logically independent servers, i.e., may be deployed on the same physical machine. For example, the security server 11 and the policy server 12 are deployed on the same physical machine, and the service server 13 is deployed on another physical machine. For another example, the security server 11, the policy server 12, and the service server 13 are deployed on the same physical machine.
The requesting end device 14 is a device that initiates a service request, and may be a mobile phone, a tablet computer, a personal computer, an electronic book reader, a laptop computer, a desktop computer, or the like, running an Android, Microsoft, Symbian, Linux or Apple iOS operating system, or may be a server. When the requesting end device 14 is software, it may be installed on any of the hardware devices listed above; in this case the requesting end device 14 is, for example, a plurality of software modules or a single software module, and the embodiment of the present application is not limited in this respect.
The configuration end device 15 is configured to provide a configuration interface for the operation and maintenance staff, so that the operation and maintenance staff configure a protection path, a trigger condition, and the like on the configuration interface, and the configuration end device 15 generates indication information based on input of the operation and maintenance staff on the configuration interface and sends the indication information to the policy server 12. The policy server 12 generates an attack judgment rule according to the indication information and sends the attack judgment rule to the security server 11. The configuration end device 15 may also be software or hardware, and may be the same device as the requesting end device 14 or may be a separate device.
The security server 11 may be built based on a cloud platform such as a Content Delivery Network (CDN), and is configured to perform attack verification on a service request of a target API, and may be formed by one or more security servers. The service request initiated by the request end device 14 preferentially reaches the security server 11, and the security server 11 analyzes the service request in real time based on the attack judgment rule and handles the attack request.
The policy server 12 is a server for managing the attack judgment rule, sets the attack judgment rule according to the actual service, issues the attack judgment rule to the security server 11, and is executed by the security server 11. The service server 13 is deployed with one or more APIs, and is capable of providing an API call service to the outside, and is a server that actually responds to the service request.
When the request end device 14 initiates a service request requesting to call a target API on the service server 13, the security server 11 intercepts the service request, analyzes the service request and updates a target record in the analysis table, and then determines whether the target record triggers an attack judgment rule. If the attack judgment rule is triggered, the service request is an attack request, and the security server 11 processes the service request according to the strategy indicated by the judgment rule. If the service request is a legal service request, the security server 11 forwards the service request to the service server 13, so that the requesting-end device 14 calls the target API.
It should be understood that the numbers of security servers 11, policy servers 12, service servers 13, requesting end devices 14 and configuring end devices 15 in fig. 1 are merely illustrative. In practical implementation, any number of security servers 11, policy servers 12, service servers 13, requesting end devices 14 and configuring end devices 15 may be deployed according to actual requirements.
Hereinafter, the API security protection method provided in the embodiment of the present application is described in detail based on the network architecture shown in fig. 1. For example, please refer to fig. 2. Fig. 2 is a flowchart of an API security protection method provided in an embodiment of the present application. The present embodiment is explained from the perspective of a security server. The embodiment comprises the following steps:
201. Receiving a service request initiated by a requesting end device, wherein the service request is used for requesting to call a target API provided by a service server.
In the embodiment of the application, one or more APIs are deployed on one service server. A target API refers to an API that is requested to be called by a requesting device in one or more APIs.
After the request terminal equipment initiates a service request, the security server intercepts the service request initiated by the request terminal equipment, so that the service request initiated by the request terminal equipment preferentially reaches the security server.
202. Updating an analysis table according to the service request, so that a target record corresponding to a target domain name in the analysis table records the latest value of each of the plurality of analysis factors of the target API, wherein the target domain name is the domain name contained in the target URL corresponding to the target API.
In the embodiment of the application, APIs and URLs are in one-to-one correspondence, and different APIs have different URLs. Hereinafter, the URL corresponding to the target API is referred to as the target URL, and the domain name of the target URL is referred to as the target domain name. When the security server receives a service request whose URL contains the target domain name and the analysis table has no record for that domain name yet, a record is created in the analysis table and the initial value of each analysis factor in the record is initialized.
A domain name has a plurality of analysis factors, which form a set of analysis factors. The sets of analysis factors of different domain names may or may not overlap. Each record in the analysis table records the latest value of each of the analysis factors of one domain name. The analysis factors of the target domain name include at least one of the following: the target API domain name, the granularity, the number of requests for a custom uniform resource locator (URL), the number of requests for other URLs, the total number of requests, or the validity period, where the other URLs are URLs under the target API domain name that are neither the target URL nor the custom URL, and the validity period indicates how long the target record remains valid. The granularity is, for example, IP, header, cookie, session, and the like. With this scheme, the analysis factors of each domain name are defined flexibly, the analysis factors of different domain names can differ, and customized, precise security protection of the API is achieved.
The security server pre-builds an analysis table, which is initially empty. After receiving a service request each time, the security server judges whether the service request hits a record in the analysis table, if so, the security server takes the record as a target record, and updates the target record according to information carried by the service request. Updating the target record means: and updating the current value of each analysis factor in the target record to the latest value. In the updating process, the safety server analyzes the service request to obtain the variation corresponding to each analysis factor in the plurality of analysis factors. And then, updating the target record according to the variation corresponding to each analysis factor so that the target record records the latest value of each analysis factor.
If the service request cannot hit the existing record in the analysis table and the service request comprises any one of the analysis factors of the target domain name, the security server creates the target record in the analysis table and initializes each analysis factor in the analysis factors according to the service request. For example, please refer to table 1. Table 1 illustrates an analysis table in the API security protection method provided in the embodiment of the present application.
TABLE 1 (rendered as an image on the original page; its contents are described below)
Before the security server receives the current service request, the records in the analysis table are as shown in table 1: 2 records already exist, with domain names example1 and example2 respectively. Taking the record for the domain name example1 as an example, its analysis factors are the domain name, the statistical granularity, the number of requests for URLa, the number of requests for other URLs, the total number of requests, and the validity period, and their current values are respectively: example1, IP, 1, 0, 1, 60.
After the security server receives the service request, assuming that the domain name of the service request is example1, and a record corresponding to example1 is hit, the security server takes the record as a target record and updates the target record. For example, if the service request carries an IP and the URL corresponding to the service request is URLa, the target record is updated, and the analysis table is shown in table 2.
TABLE 2 (rendered as an image on the original page)
Assuming that the domain name corresponding to the service request received by the security server is example3, the record corresponding to the domain name does not exist in the analysis table. At this time, the security server creates a new record in the analysis table, and initializes the newly created record as a target record. For example, if the service request carries an IP and the URL corresponding to the service request is URLc, the target record is updated, and the analysis table is shown in table 3.
TABLE 3 (rendered as an image on the original page)
Suppose the target URL corresponding to the target API is HTTP://example.com/browsing HTTP/1.1, so that the target domain name is example.com, and the analysis table is initially empty. Assume the security server receives the following service request: 1.1.1.1 [22/Nov/2021:18:19:36 +0800] "POST HTTP://example.com/pointing HTTP/1.1". This means that the IP of the requesting device is 1.1.1.1, the time at which the security server received the request is 18:19:36 on 22 November 2021 (22/Nov/2021:18:19:36), the receiving port is 0800, the request method is POST, and the target URL is HTTP://example.com/pointing HTTP/1.1. The security server creates a target record and initializes it; the initialized target record is shown in table 4.
TABLE 4 (rendered as an image on the original page)
The statistical granularity and the validity period are taken from the attack judgment rule corresponding to the target API. When the domain name contained in the URL of a subsequently received service request is example.com, that record is taken as the target record and updated. For example, if the security server receives the service request 1.1.1.1 [22/Nov/2021:18:19:37 +0800] "POST HTTP://example.com/browsing HTTP/1.1", the number of requests for the target URL is increased by 1, the total number of requests is increased by 1, and the number of requests for other URLs is unchanged. Since the reception time points of the two requests differ by 1 second, the validity period is reduced by 1 second. The updated target record is shown in table 5.
TABLE 5 (rendered as an image on the original page)
By adopting the scheme, when the target record does not exist in the analysis table, the target record is generated and initialized, and when the target record exists in the analysis table, the existing target record in the analysis table is updated, so that only one record exists in the analysis table for each API, and the accuracy of API safety protection is ensured.
203. Determining whether the target record triggers an attack judgment rule of the target domain name, and if the target record triggers the attack judgment rule, executing step 204; if the target record does not trigger the attack determination rule of the target domain name, step 205 is executed.
In the embodiment of the application, the security server receives the attack judgment rule issued by the policy server aiming at the target domain name in advance. And after the security server receives the service request and updates the analysis table each time, judging whether the target record in the analysis table triggers an attack judgment rule or not. The attack judgment rule may be a set of one or more conditions, and if the latest value of each analysis factor in the target record conforms to the attack judgment rule, it indicates that the target record triggers the attack judgment rule, which indicates that the service request is an attack request. If the latest values of one or more analysis factors in the target record do not accord with the attack judgment rule, the target record does not trigger the attack judgment rule, and the service request is a normal request.
204. Processing the service request according to the strategy indicated by the attack judgment rule.
In the embodiment of the application, the attack judgment rule further indicates a processing strategy of the attack request. When a target record corresponding to a service request triggers an attack judgment rule, namely when one service request is an attack request, the security server handles the service request according to a strategy indicated by the attack judgment rule. For example, if the policy indicated by the attack judgment rule is blocking, the security server blocks the service request, that is, does not forward the service request to the service server. If the strategy indicated by the attack judgment rule is monitoring, the security server forwards the service request to the service server and monitors the service request in real time.
At present, in a multi-user single-egress or Network Address Translation (NAT) environment, a group of users shares the same egress IP. The user group comprises a plurality of requesting end devices. If handling is performed at IP granularity, then when one service request is an attack request the security server determines the IP of the requesting device that initiated it and blocks all service requests from that IP. Obviously, such handling also blocks some normal service requests. To prevent this, in the embodiment of the present application, when the security server determines that a service request is an attack request, only that service request is handled.
205. Forwarding the service request to the service server.
When a target record corresponding to a service request does not trigger an attack judgment rule, the service request is not an attack request, and at the moment, the security server forwards the service request to the service server, so that the service server responds to the service request. For example, the service server responds to the service request based on the internal service function of the target API. By adopting the scheme, the security server does not perform any processing on the normal service request, but directly forwards the normal service request to the service server, so that the service is ensured not to be interrupted.
According to the API safety protection method provided by the embodiment of the application, after the safety server receives a service request which is initiated by a request terminal device and requests to call a target API deployed on the service server, a target record corresponding to a target domain name in an analysis table is updated according to the service request, and whether the updated target record triggers an attack judgment rule or not is judged. And if the target record triggers the attack judgment rule, processing the service request according to the strategy indicated by the attack judgment rule. By adopting the scheme, the security server improves the security protection capability of the target API by analyzing the service request in real time, avoids the attack request from bypassing the protection strategy and illegally calling the target API, reduces the influence of the attack flow aiming at the target API on the service, and achieves the purpose of improving the service security. Moreover, because the real-time analysis is carried out, the hysteresis existing in the traditional protection means for analyzing the service log can be avoided. Meanwhile, when the service request is an attack request, only the service request is processed, and a plurality of service requests are not processed from an IP dimension, a session dimension and the like, so that the phenomenon of mistakenly blocking normal service requests cannot occur, and the influence range of safety protection is well controlled.
Fig. 3 is another flowchart of an API security protection method provided in an embodiment of the present application. The present embodiment is explained from the perspective of a policy server. The embodiment comprises the following steps:
301. Indication information is received.
The indication information is used for indicating a condition that a latest value of each analysis factor in a plurality of analysis factors recorded in a target record of a target domain name meets when a service request requesting to call a target API is an attack request, and the target domain name is a domain name included in a target URL corresponding to the target API.
Illustratively, for a target domain name, an operation and maintenance person requests a configuration interface through configuration end equipment, and then configures analysis factors through the configuration interface, conditions that the latest value of each analysis factor meets when a service request is an attack request, and the like.
Because one or more APIs are often deployed on one service server, for each API that needs to be subjected to security protection, the configuration end device may request a configuration interface corresponding to a target domain name, and generate indication information based on input of operation and maintenance personnel, so that the policy server generates an attack judgment rule for each API that needs to be subjected to security protection, and the attack judgment rules of different APIs are different, thereby implementing customization of the attack judgment rule.
302. An attack judgment rule is generated according to the indication information.
After receiving the indication information, the policy server generates, according to the indication information, an attack judgment rule that the security server can recognise.
303. The attack judgment rule is sent to a security server.
Correspondingly, the security server receives the attack judgment rule.
According to the API security protection method provided by the embodiment of the application, the strategy server generates the attack judgment rule based on the indication information of the configuration end equipment and sends the attack judgment rule to the security server, and the security server judges whether the service request requesting to call the target API is the attack request or not in real time according to the attack judgment rule. By adopting the scheme, the strategy server respectively generates the corresponding attack judgment rules for the APIs needing security protection, the flexibility is high, and the personalized security protection is realized for different APIs.
Fig. 4 is a schematic diagram of a configuration interface in an API security protection method according to an embodiment of the present disclosure. Referring to fig. 4, when the configuration end device requests to configure an attack determination rule for a target domain name, the policy server sends a data stream for displaying a configuration interface to the configuration end device, and the configuration end device renders the configuration interface based on the data stream. And then, the configuration end equipment generates indication information based on the input of the operation and maintenance personnel on the configuration interface and sends the indication information to the policy server. Since the configuration interface shown in fig. 4 is used to configure the attack decision rule for the target domain name, the target domain name and the target URL are known. Thus, the indication information carries the target domain name.
Referring to fig. 4, the configuration interface is at least used for configuring a trigger condition, where the trigger condition sets the condition that the latest value of each analysis factor meets when the target record triggers the attack determination rule. The analysis factors include custom URL request times, other URL request times, total request times, and the like. There may be one or more custom URLs, and likewise one or more other URLs. Only 3 trigger conditions are listed under the trigger condition in fig. 4; in practice more may be set as needed, or an add button may be provided so that the user can add trigger conditions, for example when there are several custom URLs the trigger conditions in fig. 4 may include conditions other than 1-3. Fig. 4 shows some input boxes and selection boxes: a rectangular box containing a small triangle is a selection box, and clicking the small triangle on the configuration interface opens a pull-down menu for the operation and maintenance personnel to select from. An input box is used for the operation and maintenance personnel to enter specific values, URLs and the like. Next, the 3 trigger conditions in fig. 4 are described in detail.
Trigger condition 1: the total number of requests, input box 3 is used to input specific values, such as 0, 1, etc.
Trigger condition 2: other URL request times, input box 4 is used to enter specific values, such as 0, 1, etc. Other URLs refer to URLs other than custom URLs.
Trigger condition 3: the number of custom URL requests, options listed in the drop down menu of selection box 3 are, for example, full URLs and regular expressions. When the operation and maintenance personnel select the complete URL, the input box 5 is used for inputting one or more complete URLs, and the input box 6 is used for inputting specific numerical values, such as 1, 2 and the like. When the regular expression is selected by the operation and maintenance personnel, the input box 5 is used for inputting the regular expression, and the input box 6 is used for inputting a specific numerical value.
Referring to fig. 4 again, optionally, a validity period and a statistical granularity may also be configured through the configuration interface, where the statistical granularity indicates the statistical basis of the target record and the validity period indicates how long the target record remains valid. In fig. 4, the input box 2 is used to enter validity periods such as 60 seconds, 90 seconds or 120 seconds; for example, 60 seconds means that, after the attack judgment rule is issued to the security server, each target record the security server creates is valid for 60 seconds. The drop-down menu of selection box 2 lists options including IP, header, cookie, session and the like, indicating whether the target record is counted per IP, per header, and so on.
By adopting the scheme, the aim of accurately generating the target record is fulfilled by setting the effective period and the statistical granularity.
Optionally, referring to fig. 4 again, the protection path and the processing action may be configured through the configuration interface. The protection path indicates a protection mode, which is either total station protection (protection of the whole site under the target domain name) or protection according to the service type. The options listed in the drop-down menu of selection box 1 include total station or service type. If total station is selected, security protection is performed according to the service domain name, namely all service requests containing the target domain name are subjected to attack judgment. In this case the operation and maintenance personnel do not need to enter anything in input box 1.
If service type is selected, security protection is performed according to the service type, namely on a certain type of service under the target domain name. In this case the operation and maintenance personnel enter some protected URLs or regular expressions in input box 1. The protected URLs may be the same as, partly the same as, or entirely different from the custom URLs or other URLs in the trigger conditions.
Referring to fig. 4, options provided by a drop-down menu of processing strategies include monitoring, blocking, and the like. When the operation and maintenance personnel configure the protection path and the processing strategy, the configuration end equipment sends the configuration to the strategy server through the indication information, and the strategy server determines the protection mode according to the protection path. And when the protection mode is protection according to the service type, determining the protected URL according to the protection path. And then, generating the attack judgment rule according to the protected URL, the condition that the latest value of each analysis factor accords with and the processing strategy, and issuing the attack judgment rule to a security server.
By adopting the scheme, when the target record updated by the security server triggers the attack judgment rule, the security server further judges, based on the protection path and the processing strategy, whether the URL corresponding to the service request is a protected URL, and intercepts the service request if its URL is one of the protected URLs, which improves the efficiency of API security protection.
Optionally, when the above protection path indicates that security protection is performed on the target domain name according to the service type, the indication information further carries at least one URL or at least one regular expression.
Illustratively, when the indication information indicates a URL or a regular expression, it indicates that the security server is required to perform security protection on the target domain name according to the service type. And the safety server determines the protected URL according to the URL or the regular expression indicated by the indication information. Wherein, the URL or the regular expression indicated by the indication information is input through the input box 1 in fig. 4.
By adopting the scheme, when the security server determines that the updated target record triggers the attack judgment rule, it further judges whether the URL corresponding to the service request is a protected URL, and intercepts the service request if its URL is one of the protected URLs, which improves the efficiency of API security protection.
Optionally, in the foregoing embodiment, the policy server generates the attack determination rule according to the indication information and issues the attack determination rule to the security server. The security server determines the plurality of analysis factors according to the attack judgment rule, and creates and initialises a target record after receiving a service request containing the target domain name for the first time. Subsequently, it analyses in real time each service request initiated by the request terminal equipment. After the target record is updated according to the service request, if the target record meets all conditions contained in the attack judgment rule, the service request is intercepted according to the attack judgment rule. By adopting the scheme, the security server accurately determines the plurality of analysis factors through the attack judgment rule, and the effectiveness of security protection of the API is improved.
The API security protection method is described in detail below with the target URL corresponding to the target API as http:// example.
The first example is as follows:
When the protection mode is protection according to the service type and the attack judgment rule indicates that the protected URL is http://example.com/booking, the difference between normal user behaviour and attack behaviour is analysed as follows: before initiating access to http://example.com/booking, a normal user will also call the other 3 APIs. For clarity, the URLs of the other 3 APIs are denoted URL1, URL2 and URL3 respectively, and the target URL of the target API is denoted URL4. URL1 is http://example.com/login, URL2 is http://example.com/searching, URL3 is http://example.com/adding, and URL4 is http://example.com/booking.
Referring to fig. 4, based on the configuration interface shown in fig. 4, the inputs of the operation and maintenance personnel are as follows: total station is selected in selection box 1, 60 is entered in input box 2, IP is selected in selection box 2, and block is selected as the processing action. The custom URLs include URL1, URL2, URL3 and URL4. Assuming that trigger condition 3 is used to set URL4, full URL is selected in selection box 3, the full URL4 is entered in input box 5, 1 is entered in input box 6, and the values of input box 3 and input box 4 are each 1. The operation and maintenance personnel set URL1, URL2 and URL3 by adding trigger conditions.
And the configuration end equipment generates indication information according to the input of the operation and maintenance personnel on the configuration interface and sends the indication information to the policy server. The policy server generates an attack judgment rule according to the indication information, wherein the attack judgment rule comprises 10 conditions:
1) API interface URL to be protected: http://example.com/booking
2) Validity period: 60 seconds
3) Statistical granularity: IP
4) URL1 request count: number of requests to http://example.com/login less than 1
5) URL2 request count: number of requests to http://example.com/searching less than 1
6) URL3 request count: number of requests to http://example.com/adding less than 1
7) URL4 request count: number of requests to http://example.com/booking greater than 1
8) Other URL request count: number of requests to other URLs less than 1
9) Total request count: total number of requests greater than 1
10) Processing action: interception
And then, the strategy server issues the attack judgment rule to the security server. And determining the plurality of analysis factors by the security server according to the attack judgment rule, and creating and updating a target record after receiving a service request containing a target domain name for the first time. And subsequently, carrying out real-time analysis on the service request initiated by the request terminal equipment. When a requesting device initiates the URL1, the URL2, the URL3 and the URL4 in sequence, that is, a requesting device accesses normally, the behavior of the requesting device is as follows:
1.1.1.1[22/Nov/2021:18:19:36+0800]"POST http://example.com/login HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:37+0800]"POST http://example.com/searching HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:38+0800]"POST http://example.com/adding HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:39+0800]"POST http://example.com/booking HTTP/1.1"
when the request terminal device initiates the first service request, the security server creates a target record in the analysis table and initializes the target record because there is no relevant record in the analysis table. The initialized target records are shown in table 6.
TABLE 6 (table image not reproduced in the text)
Referring to table 6, the target record has a statistical granularity of 1.1.1.1 and a validity period of 60 seconds. Although the URL2 request count and the URL3 request count satisfy condition 5) and condition 6) of the attack judgment rule above respectively, the URL1 request count, the URL4 request count and the total request count do not satisfy condition 4), condition 7) and condition 9) respectively. Therefore, the service request is a legal request, and the security server does not process it but forwards it directly to the service server.
When the requesting device initiates a second service request, the security server updates the target record because the target record exists in the analysis table. The updated target record is shown in table 7.
TABLE 7 (table image not reproduced in the text)
Referring to table 7, the URL3 request count satisfies condition 6) of the attack judgment rule. However, the URL1 request count, the URL2 request count, the URL4 request count and the total request count do not satisfy condition 4), condition 5), condition 7) and condition 9) above respectively. Therefore, the service request is a legal request, and the security server does not process it but forwards it directly to the service server.
When the request terminal equipment initiates a third service request, the security server updates the target record because the target record exists in the analysis table. The updated target record is shown in table 8.
TABLE 8 (table image not reproduced in the text)
Referring to table 8, the URL1 request count, the URL2 request count, the URL3 request count, the URL4 request count and the total request count do not satisfy condition 4), condition 5), condition 6), condition 7) and condition 9) above respectively. Therefore, the service request is a legal request, and the security server does not process it but forwards it directly to the service server.
When the requesting device initiates a fourth service request, the security server updates the target record because the target record exists in the analysis table. The updated target record is shown in table 9.
TABLE 9 (table image not reproduced in the text)
Referring to table 9, the URL1 request count, the URL2 request count, the URL3 request count, the URL4 request count and the total request count do not satisfy condition 4), condition 5), condition 6), condition 7) and condition 9) above respectively. Therefore, the service request is a legal request, and the security server does not process it but forwards it directly to the service server.
In addition, since protection of the target domain name is performed according to the service type, in the examples shown in tables 6 to 8 the URL corresponding to the service request is not a protected URL. Therefore, even if tables 6 to 8 triggered the attack judgment rule, the security server would not block these service requests as attack requests.
When a requesting device only accesses URL4, i.e., the requesting device is an attacking device, the behaviour of the requesting device is as follows:
2.2.2.2[22/Nov/2021:18:19:36+0800]"POST http://example.com/booking HTTP/1.1"
2.2.2.2[22/Nov/2021:18:19:37+0800]"POST http://example.com/booking HTTP/1.1"
2.2.2.2[22/Nov/2021:18:19:38+0800]"POST http://example.com/booking HTTP/1.1"
2.2.2.2[22/Nov/2021:18:19:39+0800]"POST http://example.com/booking HTTP/1.1"
when the request terminal device initiates the first service request, the security server creates a target record in the analysis table and initializes the target record because there is no relevant record in the analysis table. The initialized target records are shown in table 10.
TABLE 10 (table image not reproduced in the text)
Referring to table 10, the target record has a statistical granularity of 2.2.2.2 and a validity period of 60 seconds. Although the URL1 request count, the URL2 request count and the URL3 request count satisfy condition 4), condition 5) and condition 6) of the attack judgment rule above respectively, the URL4 request count and the total request count do not satisfy condition 7) and condition 9) respectively. Therefore, the service request is a legal request, and the security server does not process it but forwards it directly to the service server.
When the requesting device initiates a second service request, the security server updates the target record because the target record exists in the analysis table. The updated target record is shown in table 11.
TABLE 11 (table image not reproduced in the text)
Referring to table 11, the URL1 request count, the URL2 request count, the URL3 request count, the URL4 request count and the total request count satisfy condition 4), condition 5), condition 6), condition 7) and condition 9) above respectively. Therefore, the target record triggers the attack judgment rule, the service request is an attack request, and the security server intercepts the service request instead of sending it to the service server.
When the request terminal equipment initiates a third service request, the security server updates the target record because the target record exists in the analysis table. The updated target record is shown in table 12.
TABLE 12 (table image not reproduced in the text)
Referring to table 12, the URL1 request count, the URL2 request count, the URL3 request count, the URL4 request count and the total request count satisfy condition 4), condition 5), condition 6), condition 7) and condition 9) above respectively. Therefore, the target record triggers the attack judgment rule, the service request is an attack request, and the security server intercepts the service request instead of sending it to the service server.
When the request terminal equipment initiates a fourth service request, the security server updates the target record because the target record exists in the analysis table. The updated target record is shown in table 13.
TABLE 13 (table image not reproduced in the text)
Referring to table 13, the URL1 request count, the URL2 request count, the URL3 request count, the URL4 request count and the total request count satisfy condition 4), condition 5), condition 6), condition 7) and condition 9) above respectively. Therefore, the target record triggers the attack judgment rule, the service request is an attack request, and the security server intercepts the service request instead of sending it to the service server.
The second example:
When the protection mode is protection according to the service type and the attack judgment rule indicates that the protected URL is http://example.com/booking, the attack judgment rule comprises the following conditions:
1) API interface URL to be protected: http://example.com/booking
2) Validity period: 60 seconds
3) Statistical granularity: IP
4) URL1 request count: number of requests to http://example.com/login less than 1
5) URL2 request count: number of requests to http://example.com/searching greater than 1
6) URL3 request count: number of requests to http://example.com/adding less than 1
7) URL4 request count: number of requests to http://example.com/booking greater than 1
8) Other URL request count: number of requests to other URLs less than 1
9) Total request count: total number of requests greater than 1
10) Processing action: interception
The difference between this attack judgment rule and that of the first example above is that condition 5) is different.
The request terminal equipment initiates 5 service requests in total, as follows:
1.1.1.1[22/Nov/2021:18:19:37+0800]"POST http://example.com/searching HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:38+0800]"POST http://example.com/searching HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:39+0800]"POST http://example.com/booking HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:40+0800]"POST http://example.com/booking HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:41+0800]"POST http://example.com/searching HTTP/1.1"
when the request terminal device initiates the first service request, the security server creates a target record in the analysis table and initializes the target record because there is no relevant record in the analysis table. And the initialized target record does not trigger an attack judgment rule.
When the requesting device initiates a second service request, the security server updates the target record because the target record exists in the analysis table. The updated target record is shown in table 14.
TABLE 14 (table image not reproduced in the text)
In table 14, although the URL2 request count satisfies condition 5) above, the URL1 request count, the URL3 request count, the URL4 request count and the total request count do not satisfy condition 4), condition 6), condition 7) and condition 9) respectively. Therefore, the service request is a legal request, and the security server does not process it but forwards it directly to the service server.
Similarly, when the request terminal device initiates a third service request, the updated target record does not trigger the attack judgment rule.
When the requesting device initiates a fourth service request, the updated target record is shown in table 15.
TABLE 15 (table image not reproduced in the text)
The URL corresponding to the fourth service request is http://example.com/booking, which is a protected URL, and table 15 triggers the attack judgment rule, so the security server intercepts the fourth service request.
When the requesting device initiates the fifth service request, the updated target record is shown in table 16.
TABLE 16 (table image not reproduced in the text)
Although table 16 triggers the attack judgment rule, the URL corresponding to the fifth service request is http://example.com/searching, which is not a protected URL. Thus, the security server does not intercept the fifth service request but forwards it to the service server.
If the protection mode in the second example were instead total station protection, table 16 would trigger the attack judgment rule and the security server would therefore need to intercept the fifth service request.
Optionally, in the above embodiment, the security server determines whether the target record is valid according to the validity period indicated by the attack determination rule. And when the target record is invalid, deleting the target record from the analysis table.
For example, in the tables above the validity period is 60 seconds. From the moment the target record is created it counts down, the validity period decreasing by 1 second every second. The security server monitors the validity period and deletes the target record when it reaches 0.
By adopting the scheme, the target record is monitored according to the set validity period, so that the analysis factors and the like of the target API can be conveniently and flexibly adjusted in the follow-up process, and the flexibility is high.
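To make the two worked examples and the validity-period countdown concrete, the following is an added example in Python; it is not code from the patent or from the applicant. It models the security server's analysis table as an in-memory dictionary keyed by the statistical granularity (the client IP), updates the target record on every service request, judges it against an attack judgment rule made of the ten conditions above, and applies the protected-URL check for protection by service type. The names `SecurityServer`, `AttackRule`, `TargetRecord`, `parse_log_line`, `run_first_example` and `run_second_example`, the regex for the log-line format, and the use of the log timestamps as the clock for the validity period are assumptions made for this illustration; the log lines are constructed to match the ones printed in the examples, and the final request in `run_second_example` is an added one sent after the record's 60 seconds have elapsed, to show the record being deleted and re-created.

```python
# Added example, not the patent's own code: an in-memory analysis table keyed by the
# statistical granularity (client IP), updated on every request and judged against a rule built
# from the ten conditions of the worked examples. Names, the log-line regex and the use of log
# timestamps as the clock for the validity period are assumptions made for this illustration.
import operator
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# The example log lines have no spaces between fields; the regex accepts both spaced and unspaced forms.
LOG_RE = re.compile(r'^(?P<key>\S+?)\s*\[(?P<ts>[^\]]+)\]\s*"(?P<method>\S+)\s+(?P<url>\S+)')
OPS = {"<": operator.lt, ">": operator.gt}

def parse_log_line(line: str) -> Tuple[str, datetime, str]:
    """Return (granularity key, timestamp, requested URL) for one access-log line."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m["key"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S%z"), m["url"]

@dataclass
class AttackRule:
    domain: str                              # target domain name
    protected_urls: Optional[List[str]]      # None means whole-site ("total station") protection
    custom_urls: Dict[str, Tuple[str, int]]  # custom URL -> (comparison, threshold)
    other_urls: Tuple[str, int]              # condition on the count of requests to other URLs
    total: Tuple[str, int]                   # condition on the total request count
    validity_period: timedelta               # lifetime of a target record
    action: str = "intercept"                # processing action when the rule triggers

@dataclass
class TargetRecord:
    created: datetime
    counts: Dict[str, int]                   # latest request count per custom URL
    other: int = 0
    total: int = 0

class SecurityServer:
    def __init__(self, rule: AttackRule) -> None:
        self.rule = rule
        self.table: Dict[str, TargetRecord] = {}   # the analysis table

    def _expire(self, now: datetime) -> None:  # delete records whose validity period has elapsed
        for k in [k for k, r in self.table.items() if now - r.created >= self.rule.validity_period]:
            del self.table[k]

    def _triggers(self, rec: TargetRecord) -> bool:  # fires only when every condition holds at once
        checks = [(rec.counts[u], cond) for u, cond in self.rule.custom_urls.items()]
        checks += [(rec.other, self.rule.other_urls), (rec.total, self.rule.total)]
        return all(OPS[op](value, threshold) for value, (op, threshold) in checks)

    def handle(self, line: str) -> str:  # update the table for one request; 'forward' or the rule's action
        key, ts, url = parse_log_line(line)
        if urlsplit(url).hostname != self.rule.domain:
            return "forward"                 # only requests carrying the target domain name are analysed
        self._expire(ts)
        rec = self.table.get(key)
        if rec is None:                      # first request under this key: create and initialise
            rec = self.table[key] = TargetRecord(ts, {u: 0 for u in self.rule.custom_urls})
        if url in rec.counts:
            rec.counts[url] += 1
        else:
            rec.other += 1
        rec.total += 1                       # the record is updated before it is judged
        if not self._triggers(rec):
            return "forward"
        if self.rule.protected_urls is not None and url not in self.rule.protected_urls:
            return "forward"                 # protection by service type and this URL is not protected
        return self.rule.action

URL1, URL2, URL3, URL4 = (f"http://example.com/{p}" for p in ("login", "searching", "adding", "booking"))

def log_line(ip: str, second: int, url: str, minute: int = 19) -> str:  # constructed, in the example's format
    return f'{ip}[22/Nov/2021:18:{minute:02d}:{second:02d}+0800]"POST {url} HTTP/1.1"'

def first_example_rule() -> AttackRule:
    """Conditions 1) to 10) of the first example above."""
    return AttackRule("example.com", [URL4],
                      {URL1: ("<", 1), URL2: ("<", 1), URL3: ("<", 1), URL4: (">", 1)},
                      other_urls=("<", 1), total=(">", 1), validity_period=timedelta(seconds=60))

def run_first_example() -> Dict[str, List[str]]:
    """Decisions for the normal client 1.1.1.1 and the attacking client 2.2.2.2 of the first example."""
    server = SecurityServer(first_example_rule())
    normal = [log_line("1.1.1.1", 36 + i, u) for i, u in enumerate((URL1, URL2, URL3, URL4))]
    attacker = [log_line("2.2.2.2", 36 + i, URL4) for i in range(4)]
    return {"normal": [server.handle(l) for l in normal], "attacker": [server.handle(l) for l in attacker]}

def run_second_example(whole_site: bool = False) -> List[str]:
    """Second example (condition 5 changed to 'greater than 1'), plus one constructed request sent
    63 seconds after the record was created, i.e. after its 60-second validity period ran out."""
    rule = first_example_rule()
    rule.custom_urls[URL2] = (">", 1)
    if whole_site:
        rule.protected_urls = None           # total station protection: every URL is protected
    server = SecurityServer(rule)
    lines = [log_line("1.1.1.1", 37 + i, u) for i, u in enumerate((URL2, URL2, URL4, URL4, URL2))]
    lines.append(log_line("1.1.1.1", 40, URL4, minute=20))   # constructed: record has expired by now
    return [server.handle(l) for l in lines]
```

Running `run_first_example()` forwards all four requests of the normal client and intercepts the attacker's second, third and fourth requests, matching tables 6 to 13; `run_second_example()` intercepts only the fourth request and forwards the fifth because its URL is not protected, while `run_second_example(whole_site=True)` also intercepts the fifth, matching the total station variant. The added sixth request arrives after the validity period, so the old record has been deleted and the freshly created one does not trigger the rule.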
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Fig. 5 is a schematic diagram of an API security protection device according to an embodiment of the present application. The API security protection device 500 includes: a transceiver module 51, an update module 52, a determination module 53 and a processing module 54.
A transceiver module 51, configured to receive a service request initiated by a request end device, where the service request is used to request to call a target API provided by a service server;
an updating module 52, configured to update an analysis table according to the service request, so that a target record corresponding to a target domain name in the analysis table records a latest value of each analysis factor in the multiple analysis factors of the target API, where the target domain name is a domain name included in a target URL corresponding to the target API;
a determining module 53, configured to determine whether the target record triggers an attack judgment rule of the target domain name;
and the processing module 54 is configured to, when the target record triggers the attack determination rule, process the service request according to a policy indicated by the attack determination rule.
In a possible implementation manner, the updating module 52 is configured to, when the target record exists in the analysis table, analyze the service request to obtain a variation corresponding to each of the analysis factors; and updating the target record according to the variation corresponding to each analysis factor so that the target record records the latest value of each analysis factor.
In a possible implementation manner, the updating module 52 is configured to, when the target record does not exist in the analysis table and the service request includes any one analysis factor of the plurality of analysis factors, create the target record in the analysis table and initialize each analysis factor of the plurality of analysis factors according to the service request.
In a possible implementation manner, the determining module 53 is configured to determine whether a latest value of each analysis factor in the plurality of analysis factors recorded in the target record satisfies the attack judgment rule; and if the latest value of each analysis factor in the plurality of analysis factors meets the attack judgment rule, determining that the target record triggers the attack judgment rule.
In a feasible implementation manner, the transceiver module 51 is further configured to receive the attack determination rule issued by the policy server before the update module 52 updates the analysis table according to the service request, where the attack determination rule is used to indicate a condition that the latest value of each analysis factor in the multiple analysis factors meets when the service request is an attack request;
the processing module 54 is further configured to determine the plurality of analysis factors according to the attack determination rule.
In one possible implementation, the plurality of analysis factors includes at least one of the following: the target domain name, granularity, number of requests for a custom uniform resource locator URL, number of requests for other URLs, total number of requests, or validity period, where the other URLs refer to URLs that include the target domain name but not the target URL or the custom URL, and the validity period is used to indicate the validity period of the target record.
In a possible implementation manner, the transceiver module 51 is further configured to send the service request to a service server when the target record does not trigger the attack determination rule.
In a possible implementation manner, the processing module 54 is further configured to determine whether the target record is valid according to a validity period indicated by the attack determination rule; and when the target record is invalid, deleting the target record from the analysis table.
In a possible implementation manner, the processing module 54 is configured to determine a protection manner according to a protection path when the attack determination rule further indicates the protection path, where the protection manner includes performing total-station protection on the target domain name or performing protection according to a service type; when the protection mode is protection according to the service type, determining a protected URL according to the protection path; determining whether the URL corresponding to the service request is a protected URL; and when the URL corresponding to the service request is any one of the protected URLs, processing the service request according to a strategy indicated by the attack judgment rule.
The API security protection device provided in the embodiment of the present application may perform the actions of the security server in the above embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 6 is a schematic structural diagram of another API security protection device according to an embodiment of the present application. The API security protection device 600 includes: a receiving module 61, a processing module 62 and a sending module 63.
A receiving module 61, configured to receive indication information, where the indication information indicates the condition that the latest value of each analysis factor in a plurality of analysis factors recorded in a target record of a target domain name meets when a service request requesting to invoke a target API is an attack request, and the target domain name is a domain name included in a target URL corresponding to the target API;
the processing module 62 is configured to generate an attack judgment rule according to the indication information;
and a sending module 63, configured to send the attack judgment rule to a security server.
In a feasible implementation manner, the indication information further carries a statistics granularity and a validity period of the target record, where the statistics granularity indicates any one of an IP, a header, a session, and a cookie, and the validity period indicates how long the target record remains valid.
In a feasible implementation manner, the indication information further carries a protection path and a processing policy, and the processing module 62 is configured to determine a protection mode according to the protection path, where the protection mode includes performing whole-site (total-station) protection on the target domain name or performing protection according to a service type; when the protection mode is protection according to the service type, determine a protected URL according to the protection path; and generate the attack judgment rule according to the protected URL, the condition that the latest value of each analysis factor meets, and the processing policy.
In a feasible implementation manner, when the protection path indicates to perform security protection on the target domain name according to a service type, the indication information further carries at least one URL or at least one regular expression.
The API security protection device provided in the embodiment of the present application may perform the actions of the policy server in the above embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 7, the electronic device 700 is, for example, the aforementioned control center or anti-attack node, and the electronic device 700 includes:
a processor 71 and a memory 72;
the memory 72 stores computer instructions;
the processor 71 executes the computer instructions stored in the memory 72, so that the processor 71 performs the traffic-attack protection method implemented by the control center as described above, or performs the traffic-attack protection method implemented by the anti-attack node as described above.
For the specific implementation process of the processor 71, reference may be made to the above method embodiments; the implementation principle and the technical effect are similar and are not described herein again.
Optionally, the electronic device 700 further comprises a communication component 73. The processor 71, the memory 72 and the communication component 73 may be connected by a bus 74.
Embodiments of the present application further provide a computer-readable storage medium, in which computer instructions are stored, and when executed by a processor, the computer instructions are used to implement an API security protection method implemented by a security server or a policy server.
Embodiments of the present application also provide a computer program product, which contains a computer program that, when executed by a processor, implements an API security protection method implemented by, for example, a security server or a policy server.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (15)

1. An API security protection method, applied to a security server, the method comprising:
receiving a service request initiated by a request terminal device, wherein the service request is used for requesting to call a target API provided by a service server;
updating an analysis table according to the service request, so that a target record corresponding to a target domain name in the analysis table records the latest value of each analysis factor in the plurality of analysis factors of the target API, wherein the target domain name is a domain name contained in a target URL corresponding to the target API;
determining whether the target record triggers an attack judgment rule of the target domain name;
and when the target record triggers the attack judgment rule, processing the service request according to a policy indicated by the attack judgment rule.
2. The method of claim 1, wherein updating the analysis table according to the service request comprises:
when the target record exists in the analysis table, analyzing the service request to obtain the variation corresponding to each analysis factor in the plurality of analysis factors;
and updating the target record according to the variation corresponding to each analysis factor so that the target record records the latest value of each analysis factor.
3. The method of claim 1, wherein updating the analysis table according to the service request comprises:
when the target record does not exist in the analysis table and the service request comprises any analysis factor in the plurality of analysis factors, the target record is created in the analysis table and each analysis factor in the plurality of analysis factors is initialized according to the service request.
4. The method according to any one of claims 1 to 3, wherein the determining whether the target record triggers an attack decision rule for the target domain name comprises:
determining whether the latest value of each analysis factor in a plurality of analysis factors recorded in the target record meets the attack judgment rule;
and if the latest value of each analysis factor in the plurality of analysis factors meets the attack judgment rule, determining that the target record triggers the attack judgment rule.
5. The method according to any one of claims 1 to 3, further comprising, before updating the analysis table according to the service request:
receiving the attack judgment rule issued by a policy server, wherein the attack judgment rule is used for indicating a condition that the latest value of each analysis factor in the plurality of analysis factors accords with when the service request is an attack request;
and determining the plurality of analysis factors according to the attack judgment rule.
6. The method according to any one of claims 1 to 3, wherein the plurality of analysis factors includes at least one of: the target domain name, granularity, number of requests for a custom uniform resource locator (URL), number of requests for other URLs, total number of requests, or validity period, where the other URLs are URLs that include the target domain name but are neither the target URL nor the custom URL, and the validity period indicates how long the target record remains valid.
7. The method according to any one of claims 1-3, further comprising:
and when the target record does not trigger the attack judgment rule, sending the service request to a service server.
8. The method according to any one of claims 1-3, further comprising:
judging whether the target record is valid or not according to the validity period indicated by the attack judgment rule;
and when the target record is invalid, deleting the target record from the analysis table.
9. The method according to any one of claims 1 to 3, wherein processing the service request according to the policy indicated by the attack judgment rule when the target record triggers the attack judgment rule comprises:
when the attack judgment rule further indicates a protection path, determining a protection mode according to the protection path, wherein the protection mode comprises performing whole-site (total-station) protection on the target domain name or performing protection according to a service type;
when the protection mode is protection according to the service type, determining a protected URL according to the protection path;
determining whether the URL corresponding to the service request is a protected URL;
and when the URL corresponding to the service request is any one of the protected URLs, processing the service request according to the policy indicated by the attack judgment rule.
10. An API security protection method, applied to a policy server, the method comprising:
receiving indication information, wherein the indication information is used for indicating a condition that a latest value of each analysis factor in a plurality of analysis factors recorded in a target record of a target domain name meets when a service request requesting to call a target API is an attack request, and the target domain name is a domain name contained in a target URL corresponding to the target API;
generating an attack judgment rule according to the indication information;
and sending the attack judgment rule to a security server.
11. The method of claim 10, wherein the indication information further carries a statistical granularity and a validity period of the target record, wherein the statistical granularity is used to indicate any one of an IP, a header, a session, and a cookie, and the validity period is used to indicate a term for which the target record is valid.
12. The method of claim 10, wherein generating an attack judgment rule according to the indication information comprises:
when the indication information also carries a protection path and a processing policy, determining a protection mode according to the protection path, wherein the protection mode comprises performing whole-site (total-station) protection on the target domain name or performing protection according to a service type;
when the protection mode is protection according to the service type, determining a protected URL according to the protection path;
and generating the attack judgment rule according to the protected URL, the condition that the latest value of each analysis factor meets, and the processing policy.
13. The method according to claim 12, wherein when the protection path indicates that the target domain name is to be protected by service type, the indication information further carries at least one URL or at least one regular expression.
14. An electronic device comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, wherein execution of the computer program by the processor causes the electronic device to carry out the method of any one of claims 1 to 13.
15. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1 to 13.
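The two-server flow of claims 1 to 13 (the same flow the module descriptions of Figs. 5 and 6 above assign to the security server and the policy server), carried through as an added Python example; this is not code from the patent or its applicant. The names (AttackRule, AnalysisRecord, SecurityServer, generate_attack_rule), the X-Client-Id header and sid cookie used for the header and cookie granularities, and the sample traffic and thresholds (five requests in total, three of them on the custom URL) are all assumptions of the example, not values the patent specifies.

```python
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class AttackRule:
    """Attack judgment rule issued by the policy server (field names are assumptions)."""
    domain: str               # target domain name the rule belongs to
    granularity: str          # statistics granularity: "ip" | "header" | "session" | "cookie"
    custom_url: str           # path whose hits form the "custom URL" factor
    thresholds: dict          # factor name -> value the latest value must reach
    validity_period: float    # seconds a target record stays valid
    protection_path: list     # [] = whole-site protection, else regexes for protected URLs
    policy: str               # action for an attack request, e.g. "block"

def generate_attack_rule(indication: dict) -> AttackRule:
    """Policy-server side (claims 10-13): turn indication information into a rule."""
    # Protection path entries may be literal paths or regular expressions (claim 13);
    # literals are anchored so they cannot match as a substring of another path.
    patterns = [p if p.startswith("^") else "^" + re.escape(p) + "$"
                for p in indication.get("protection_path", [])]
    return AttackRule(
        domain=indication["domain"],
        granularity=indication.get("granularity", "ip"),
        custom_url=indication["custom_url"],
        thresholds=dict(indication["conditions"]),
        validity_period=float(indication.get("validity_period", 60)),
        protection_path=patterns,
        policy=indication.get("policy", "block"),
    )

@dataclass
class AnalysisRecord:
    custom_url_requests: int = 0     # latest value of each analysis factor
    other_url_requests: int = 0
    total_requests: int = 0
    created_at: float = 0.0

class SecurityServer:
    """Security-server side (claims 1-9): analysis table plus rule evaluation."""
    def __init__(self, rule: AttackRule, clock=time.monotonic):
        self.rule = rule
        self.clock = clock                       # injectable so expiry can be exercised
        self.table = {}                          # (domain, client key) -> AnalysisRecord
        self.protected = [re.compile(p) for p in rule.protection_path]

    def _client_key(self, req: dict) -> str:
        """Client attribute records are kept per; header/cookie names are assumptions."""
        return {"ip": req.get("ip", ""),
                "header": req.get("headers", {}).get("X-Client-Id", ""),
                "session": req.get("session_id", ""),
                "cookie": req.get("cookies", {}).get("sid", "")}[self.rule.granularity]

    def handle(self, req: dict) -> str:
        """Return "forward" or the rule's policy for one service request."""
        parts = urlsplit(req["url"])
        if parts.hostname != self.rule.domain:
            return "forward"                     # the rule is scoped to its target domain
        now = self.clock()
        key = (self.rule.domain, self._client_key(req))
        rec = self.table.get(key)
        if rec is not None and now - rec.created_at > self.rule.validity_period:
            del self.table[key]                  # claim 8: an expired record is dropped
            rec = None
        if rec is None:                          # claim 3: create and initialise the record
            rec = self.table[key] = AnalysisRecord(created_at=now)
        if parts.path == self.rule.custom_url:   # claim 2: apply the per-request variation
            rec.custom_url_requests += 1
        else:
            rec.other_url_requests += 1
        rec.total_requests += 1
        # Claim 4: the record triggers the rule only when every condition is met.
        if not all(getattr(rec, f) >= v for f, v in self.rule.thresholds.items()):
            return "forward"                     # claim 7: pass to the service server
        # Claim 9: whole-site protection, or only the URLs selected by the protection path.
        if not self.protected or any(p.search(parts.path) for p in self.protected):
            return self.rule.policy
        return "forward"

def demo() -> dict:
    """Constructed traffic from one IP, then one request after the validity period elapsed."""
    indication = {"domain": "api.example.com", "granularity": "ip", "custom_url": "/v1/login",
                  "conditions": {"total_requests": 5, "custom_url_requests": 3},
                  "validity_period": 60, "policy": "block",
                  "protection_path": ["/v1/login", r"^/v1/.*/reset$"]}
    paths = ["/v1/login", "/v1/items", "/v1/login", "/v1/items", "/v1/login",
             "/v1/items", "/v1/login", "/v1/users/7/reset"]
    results = {}
    for name, path_list in (("by_service_type", indication["protection_path"]), ("whole_site", [])):
        clock = [0.0]
        server = SecurityServer(generate_attack_rule({**indication, "protection_path": path_list}),
                                clock=lambda c=clock: c[0])
        actions = [server.handle({"url": "https://api.example.com" + p, "ip": "10.0.0.1"})
                   for p in paths]
        clock[0] = 61.0                          # the 60 s validity period has elapsed
        actions.append(server.handle({"url": "https://api.example.com/v1/login", "ip": "10.0.0.1"}))
        results[name] = actions
    return results
```

In the by-service-type run the fifth request trips the rule, but the sixth (to an unprotected URL) is still forwarded while later hits on the protected login and reset URLs are blocked; in the whole-site run every request after the trigger is blocked. In both runs the request sent after the validity period finds the old record deleted and starts a fresh count, which is what claim 8's expiry buys: stale counts do not keep a client blocked indefinitely.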
CN202210389284.2A 2022-04-13 2022-04-13 API (application program interface) security protection method and device and readable storage medium Pending CN114978590A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210389284.2A CN114978590A (en) 2022-04-13 2022-04-13 API (application program interface) security protection method and device and readable storage medium

Publications (1)

Publication Number Publication Date
CN114978590A true CN114978590A (en) 2022-08-30

Family

ID=82976789

Country Status (1)

Country Link
CN (1) CN114978590A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8112799B1 (en) * 2005-08-24 2012-02-07 Symantec Corporation Method, system, and computer program product for avoiding cross-site scripting attacks
US20120324094A1 (en) * 2011-06-14 2012-12-20 Lookout, Inc., A California Corporation Mobile device dns optimization
WO2020232685A1 (en) * 2019-05-22 2020-11-26 深圳市欢太科技有限公司 Malicious quickapp detection method and terminal
CN112350992A (en) * 2020-09-28 2021-02-09 广东电力信息科技有限公司 Safety protection method, device, equipment and storage medium based on web white list
CN112434304A (en) * 2020-12-02 2021-03-02 网宿科技股份有限公司 Method, server and computer readable storage medium for defending network attack
CN114244564A (en) * 2021-11-16 2022-03-25 北京网宿科技有限公司 Attack defense method, device, equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination