CN115314483A - API asset determining method and abnormal calling early warning method - Google Patents


Publication number
CN115314483A
Authority
CN
China
Legal status
Pending
Application number
CN202210926753.XA
Other languages
Chinese (zh)
Inventor
李云龙
谭学士
陈祚松
Current Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Secworld Information Technology Beijing Co Ltd
Application filed by Qianxin Technology Group Co Ltd, Secworld Information Technology Beijing Co Ltd
Priority to CN202210926753.XA
Publication of CN115314483A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Abstract

The application provides a method for determining API assets and a method for early warning of abnormal calls, comprising the following steps: acquiring a historical access log of an API (application programming interface) of a web service; splitting the access address of each access request in the historical access log to obtain the access path of each access request; merging the historical access logs that share the same access path to obtain a merged target access log; and performing feature analysis on the historical parameters of the target access log to obtain a feature threshold of the API interface corresponding to the access path, and determining the feature threshold of the API interface as the API asset. With this scheme, the feature threshold of an API interface can be determined automatically just by analyzing the historical access log, with no need to deploy an additional API gateway; the workload of manually cataloguing API interfaces is reduced, efficiency is greatly improved, omissions are avoided, cost is reduced, and security is improved.

Description

API asset determining method and abnormal calling early warning method
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method for determining an API asset, a method for early warning of API interface abnormal call, an electronic device, and a computer-readable storage medium.
Background
An API (Application Programming Interface) is a convention for linking different components of a software system. The design of programming interfaces is important because of the ever-increasing size of software in recent years, often requiring the partitioning of complex systems into small components.
The API interface referred to in this application is mainly the application program interface of a Web service (Web is short for World Wide Web, also abbreviated WWW). The API interface is an important component of a web service: through it, a user can obtain or modify data, and programs can be connected to one another. At the same time, the API interface gives an attacker an opportunity to attack the web server, and an attacker can obtain key information such as server permissions and sensitive data through carefully constructed data packets. The discovery and analysis of API interfaces is therefore crucial. In the prior art, the API interfaces of a web server are generally registered through an API gateway, or catalogued and registered manually on a management platform, and the known API interfaces are then analyzed.
However, API interfaces change as the web service is updated and iterated. Manual cataloguing alone easily misses interfaces, and it is difficult for manual cataloguing to obtain any feature of an API interface other than its uri (Uniform Resource Identifier). Deploying an API gateway also consumes resources and adds development complexity. Attacks on API interfaces are becoming more and more frequent, and if the API interfaces cannot be catalogued promptly, damage caused by attackers is difficult to discover, leaving web services exposed to danger.
Disclosure of Invention
The embodiment of the application provides a method for determining API assets, which is used to reduce the omissions and the lack of features that result from manual cataloguing, and to improve the security of web services.
The embodiment of the application provides a method for determining API assets, which comprises the following steps:
acquiring a historical access log of an API (application programming interface) of a web service;
splitting an access address of each access request in the historical access log to obtain an access path of each access request;
merging the historical access logs with the same access path to obtain a merged target access log;
and performing characteristic analysis on the historical parameters of the target access log to obtain a characteristic threshold value of the API corresponding to the access path, and determining the characteristic threshold value of the API as the API asset.
In an embodiment, the performing feature analysis on the historical parameters of the target access log to obtain a feature threshold of the API interface corresponding to the access path includes:
and counting the occurrence times of the designated parameter values in a preset time period according to the historical parameters of the target access log, and obtaining the characteristic threshold value of the popularity characteristic of the API corresponding to the access path.
In an embodiment, the performing feature analysis on the historical parameters of the target access log to obtain a feature threshold of the API interface corresponding to the access path includes:
and according to the historical parameters of the target access log, counting any one or more of the maximum value, the mean value, the variance or the median of different field characteristics to obtain the characteristic threshold value of the field characteristic of the API corresponding to the access path.
In an embodiment, the performing feature analysis on the historical parameters of the target access log to obtain a feature threshold of the API interface corresponding to the access path includes:
and extracting any one or more of the mean value, the maximum value, the minimum value, the variance and the median of the parameter characteristics and the numerical characteristics in the payload information according to the historical parameters of the target access log to obtain the characteristic threshold values of the parameter characteristics and the numerical characteristics of the API corresponding to the access path.
In an embodiment, the obtaining the historical access log of the API interface of the web service includes:
acquiring historical log data of a web service;
analyzing the historical log data to obtain target field information of each access request;
and filtering and screening the historical log data according to the target field information to obtain a historical access log for calling an API (application program interface).
In an embodiment, the splitting the access address of each access request in the history access log to obtain the access path of each access request includes:
acquiring a uniform resource identifier and a domain name from an access address of each access request;
splitting the uniform resource identifier into a path part and a parameter part according to the split identifier;
the path portion and the domain name are grouped together into the access path.
In an embodiment, the obtaining an access path of the access request according to the path portion includes:
if the path part contains a random character string, replacing the random character string with a specified character;
and composing the domain name and the replaced path part into the access path.
In an embodiment, the method further comprises: extracting API assets from the historical access log.
The embodiment of the application provides an early warning method for API interface abnormal calling, which comprises the following steps:
acquiring a real-time access log of an API (application programming interface) of a web service;
extracting a real-time access path and a real-time access parameter value from the real-time access log;
analyzing a real-time access parameter value corresponding to the real-time access path through a detection model, determining whether an API (application programming interface) interface corresponding to the real-time access path is abnormally called or not, and outputting alarm information when the API interface is abnormally called;
the detection model is obtained by training according to the characteristic threshold values of the API interfaces corresponding to different access paths; the feature threshold of the API interface corresponding to the different access paths is obtained by obtaining a historical access log of the API interface of the web service, splitting an access address of each access request in the historical access log to obtain an access path of each access request, merging the historical access logs with the same access path to obtain a merged target access log, and then performing feature analysis on historical parameters of the target access log.
An embodiment of the present application further provides an electronic device, where the electronic device includes:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to execute the API asset determination method or the early warning method for API interface abnormal calls.
The embodiment of the application also provides a computer readable storage medium, wherein a computer program is stored in the storage medium, and the computer program can be executed by a processor to complete the determination method of the API asset or the early warning method of the API interface abnormal call.
According to the technical scheme provided by the embodiment of the application, the historical access log of the API interface of the web service is obtained; the access address of each access request in the historical access log is split to obtain the access path of each access request; historical access logs with the same access path are merged to obtain the target access log corresponding to that access path; and feature analysis is performed on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path, and the feature threshold of the API interface is determined as the API asset. With this technical scheme, the feature threshold of an API interface can be determined automatically just by analyzing the historical access log, with no need to deploy an additional API gateway; the workload of manually cataloguing API interfaces is reduced, efficiency is greatly improved, omissions are avoided, cost is reduced, and security is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required to be used in the embodiments of the present application will be briefly described below.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
FIG. 2 is a schematic flowchart of a method for determining API assets according to an embodiment of the present application;
FIG. 3 is a detailed flowchart of step S210 in the corresponding embodiment of FIG. 2;
FIG. 4 is a schematic diagram showing a comparison of the contents of three parts of feature analysis provided in the embodiment of the present application;
FIG. 5 is a schematic diagram of payload information provided in an embodiment of the present application;
FIG. 6 is a schematic flowchart of an early warning method for API interface abnormal call according to an embodiment of the present disclosure;
FIG. 7 is a block diagram illustrating an apparatus for determining API assets according to an embodiment of the present application;
FIG. 8 is a block diagram of an early warning apparatus for API interface exception call according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined or explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Fig. 1 is a schematic structural diagram of an electronic device provided in an embodiment of the present application. The electronic device 100 may be configured to execute the API asset determination method and the API interface exception call early warning method provided in the embodiments of the present application. As shown in fig. 1, the electronic device 100 includes: one or more processors 102, and one or more memories 104 storing processor-executable instructions. The processor 102 is configured to execute the API asset determination method and the API interface exception call early warning method provided in the following embodiments of the present application.
The processor 102 may be a gateway, or may be an intelligent terminal, or may be a device including a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), or other form of processing unit having data processing capability and/or instruction execution capability, and may process data of other components in the electronic device 100, and may control other components in the electronic device 100 to perform desired functions.
The memory 104 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, Random Access Memory (RAM), cache memory, and/or the like. The non-volatile memory may include, for example, Read Only Memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium and executed by processor 102 to implement the API asset determination method and the API interface exception call early warning method described below. Various applications and various data, such as data used and/or generated by the applications, may also be stored in the computer-readable storage medium.
In one embodiment, the electronic device 100 shown in FIG. 1 may further include an input device 106, an output device 108, and a data acquisition device 110, which may be interconnected via a bus system 112 and/or other form of connection mechanism (not shown). It should be noted that the components and structure of the electronic device 100 shown in fig. 1 are merely exemplary and not limiting, and the electronic device 100 may have other components and structures as desired.
The input device 106 may be a device used by a user to input instructions and may include one or more of a keyboard, a mouse, a microphone, a touch screen, and the like. The output device 108 may output various information (e.g., images or sounds) to the outside (e.g., a user), and may include one or more of a display, a speaker, and the like. The data acquisition device 110 may acquire an image of a subject and store the acquired image in the memory 104 for use by other components. Illustratively, the data acquisition device 110 may be a camera.
In an embodiment, the devices in the exemplary electronic device 100 for implementing the API asset determination method and the API interface exception call early-warning method according to the embodiment of the present application may be integrally disposed, or may be disposed in a decentralized manner, such as integrally disposing the processor 102, the memory 104, the input device 106, and the output device 108, and disposing the data acquisition device 110 separately.
In an embodiment, the example electronic device 100 for implementing the API asset determination method and the API interface exception call warning method according to the embodiment of the present application may be implemented as an intelligent terminal such as a server, a desktop computer, or the like.
Fig. 2 is a schematic flowchart of a method for determining an API asset according to an embodiment of the present disclosure. As shown in fig. 2, the method includes: step S210-step S240.
Step S210: a historical access log of an API interface of a web service is obtained.
WWW is an abbreviation of World Wide Web, which is also referred to simply as the Web. A web service refers to a program residing on some type of computer on the internet that can process requests from a web client, such as a browser, and return a corresponding response.
An API interface refers to an application program interface of a web service, through which the web service may be accessed. The historical access log is the access log from before the current time, or from a past period of time. An access log records the behavior of a web client, such as a browser, requesting web page data from a web service; the access log entry of an access request may include information such as the source IP address (Internet Protocol address), the destination IP address, the accessed uri (uniform resource identifier), the accessed domain name, and the payload sent during the access.
In an embodiment, the historical access log of the API interface of the web service may be stored directly in the web server. In another embodiment, as shown in fig. 3, the step S210 may specifically include the following steps S211 to S213.
Step S211: historical log data for a web service is obtained.
The historical log data of the web service comprises both historical access logs of API interfaces and historical access logs of non-API interfaces. To distinguish it from the historical access log of the API interface, the two together are referred to as historical log data.
Step S212: and analyzing the historical log data to obtain the target field information of each access request.
A record in the historical log data may be regarded as one access request. The target field information may include information such as the source IP address, the destination IP address, the accessed uri, the accessed domain name, and the payload sent during the access.
Step S213: and filtering and screening the historical log data according to the target field information to obtain a historical access log for calling an API (application program interface).
The historical log data is filtered and screened so that only the historical access logs that belong to API interfaces and need to be analyzed are kept. For example, for the uri field, uris ending in jpg, txt, etc. are filtered out: these uris are usually static resource pages rather than API interfaces, so log entries whose uri ends in jpg or txt can be removed from the historical log data, yielding the historical access log of the API interfaces.
Step S220: and splitting the access address of each access request in the historical access log to obtain the access path of each access request.
The access address may be a url (uniform resource locator), that is, a web page address. Specifically, the uri and the domain name are obtained from the access address of each access request; the uri is split into a path part and a parameter part at the split identifier; and the path part and the domain name together form the access path.
The split identifier is the marker at which the uri is split into a path part and a parameter part: the part before the split identifier is called the path part, and the part after it is called the parameter part. For example, the uri of an access request may be "/v1/info/create?token=×" and the split identifier may be "?", so the uri can be split into "/v1/info/create" and "token=×", where "/v1/info/create" is the path part and "token=×" is the parameter part. In one embodiment, the domain name and the path part together form the access path of the access request; for example, the domain name "www.baidu.com" and the path part "/v1/info/create" together form an access path, which then serves as the unique identifier for merging historical access logs with the same access path in step S230.
In another embodiment, if the path part contains a random string, the random string is replaced with a specified character, and the domain name and the replaced path part together form the access path.
It should be noted that if the uri contains random character strings that interfere with merging, the strings can be replaced first and the logs merged afterwards. Suppose the uri of an access request is "/v1/21wq23ewqewq1/create?token=×", where the random string "21wq23ewqewq1" changes on every visit. The random string "21wq23ewqewq1" may then be replaced with a designated character "", resulting in "/v1/create?token=×", and the path part becomes "/v1/create". The domain name and the replaced path part are then combined into an access path, which is used as the unique identifier for the merging in step S230.
Step S230: and merging the historical access logs with the same access path to obtain a merged target access log.
Merging refers to grouping together the historical access logs that have the same access path. To distinguish them, the historical access logs corresponding to the same access path are called the target access log. For example, historical access logs with the domain name "www.baidu.com" and the uri path part "/v1/info/create" may be merged to obtain the target access log corresponding to "www.baidu.com/v1/info/create", which improves the accuracy of the feature threshold analysis.
Step S240: and performing characteristic analysis on the historical parameters of the target access log to obtain a characteristic threshold value of the API corresponding to the access path, and determining the characteristic threshold value of the API as the API asset.
The historical parameters may include information such as the source IP address, the destination IP address, the accessed uri, the accessed domain name, and the payload sent during the access. The API interface and the feature threshold of the API interface both belong to the API asset.
The feature analysis is to extract features of these historical parameters in the target access log, such as the number of times of accessing a uri, the number of times of occurrence of a destination ip address, the length of url (uniform resource locator), the length of payload, and so on.
The feature threshold refers to a limit value of the feature, and may include a maximum value, a minimum value, and the like. Such as the maximum length of url, the maximum length of payload.
For example, the number of times of accessing a certain uri, the number of times of occurrence of a certain destination ip address, the maximum length of the uri, the maximum length of the payload, and the like may be used as the characteristic threshold of the API interface corresponding to the access path. For example, when the length of a url in the real-time access log exceeds the maximum length of the url (i.e., exceeds the feature threshold), it may be considered that an abnormal call of the API interface occurs.
As shown in FIG. 4, the features may include three parts: popularity features, field features, and payload features. The ways of obtaining the feature thresholds of these three kinds of features are described below; in the embodiment of the present application, the feature thresholds of any one, two or all three of them can be extracted.
Wherein the popularity characteristic is used to characterize a number of occurrences of a given parameter value over a period of time. In an embodiment, the step S240 may include: and counting the occurrence times of the designated parameter values in a preset time period according to the historical parameters of the target access log, and obtaining the characteristic threshold value of the popularity characteristic of the API corresponding to the access path.
For example, the number of occurrences of the specified parameter value may be the number of occurrences of a certain source ip address and the number of occurrences of a certain uri within a preset time period. As shown in fig. 4, the popularity characteristics may include the popularity of the source ip address, the popularity of the destination ip address, the popularity of the uri called, the popularity of the source ip address corresponding to the uri, and so on. Wherein the feature threshold of the popularity feature may be a specific value of popularity. Prevalence refers to the number of occurrences over a period of time.
In an embodiment, the step S240 may include: and according to the historical parameters of the target access log, counting any one or more of the maximum value, the mean value, the variance or the median of different field characteristics to obtain the characteristic threshold value of the field characteristic of the API corresponding to the access path.
As shown in fig. 4, the field features may include the length of the url parameter, the length of the payload, the response time of the request, whether the request was made during working hours, the length of the response packet, the length of the request header, and so on. The feature threshold of a field feature may include any one or more of the maximum, mean, variance, or median of the field feature. For example, the maximum length of the url parameter in the target access log may be used as a feature threshold of the field feature of the API interface corresponding to the access path.
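Steps S213 to S240 for the popularity and field features, sketched as an added example (not code from the patent or its applicants). The log records, the host name `api.example.test`, the `looks_random` heuristic and the `{rand}` placeholder are assumptions; the patent does not say how a random string is recognised, and its designated character is not legible on this page.

```python
import statistics
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample records: (source IP, access address, payload length in bytes).
SAMPLE_LOG = [
    ("10.0.0.5", "http://api.example.test/v1/info/create?token=aaa", 120),
    ("10.0.0.5", "http://api.example.test/v1/info/create?token=bbbbbb", 140),
    ("10.0.0.9", "http://api.example.test/v1/info/create?token=cc", 100),
    ("10.0.0.5", "http://api.example.test/v1/21wq23ewqewq1/create?token=x", 80),
    ("10.0.0.7", "http://api.example.test/v1/9fk3l2m8qz7p1/create?token=yy", 90),
    ("10.0.0.7", "http://api.example.test/static/logo.jpg", 0),
    ("10.0.0.7", "http://api.example.test/readme.txt", 0),
]

STATIC_SUFFIXES = (".jpg", ".txt")  # the two suffixes named in step S213
PLACEHOLDER = "{rand}"              # assumed stand-in for the designated character


def looks_random(segment):
    """Assumed heuristic: a long alphanumeric segment mixing letters and digits."""
    return (len(segment) >= 8 and segment.isalnum()
            and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment))


def access_path(url):
    """Step S220: domain name + path part, or None for a static resource."""
    parts = urlsplit(url)  # separates the path part from the parameter part at "?"
    if parts.path.lower().endswith(STATIC_SUFFIXES):
        return None
    segments = [PLACEHOLDER if looks_random(s) else s
                for s in parts.path.split("/")]
    return (parts.hostname or "") + "/".join(segments)


def summarize(values):
    """Candidate feature thresholds for one field feature."""
    return {
        "max": max(values),
        "mean": statistics.mean(values),
        "median": statistics.median(values),
        "variance": statistics.pvariance(values),
    }


def build_assets(records):
    """Steps S230 and S240: merge by access path, then derive thresholds."""
    merged = defaultdict(list)
    for src_ip, url, payload_len in records:
        key = access_path(url)
        if key is None:  # static resource, not an API call
            continue
        merged[key].append((src_ip, len(urlsplit(url).query), payload_len))
    assets = {}
    for key, rows in merged.items():
        assets[key] = {
            "calls": len(rows),                            # popularity of the uri
            "source_ips": Counter(r[0] for r in rows),     # popularity per source IP
            "param_len": summarize([r[1] for r in rows]),  # url parameter length
            "payload_len": summarize([r[2] for r in rows]),
        }
    return assets


if __name__ == "__main__":
    for path, features in build_assets(SAMPLE_LOG).items():
        print(path, features)
```

The two requests with different random path segments end up under one access path, so their statistics are pooled instead of producing two single-sample entries.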
In an embodiment, the step S240 may further include: and extracting any one or more of the mean value, the maximum value, the minimum value, the variance and the median of the parameter characteristics and the numerical characteristics in the payload information according to the historical parameters of the target access log to obtain the characteristic threshold values of the parameter characteristics and the numerical characteristics of the API corresponding to the access path.
The parameter features and numerical features in the payload information (payload) may be collectively referred to as payload features. The parameter features comprise the parameter, the type of the parameter value, the level, and the parent parameter. FIG. 5 shows a payload format in which the first layer contains the parameters deviceID, center, org and walq. According to the types of their parameter values, these 4 parameters may be recorded as deviceID_string_0, center_json_0, org_json_0 and walq_string_0, where 0 denotes layer 0, string denotes that the parameter value is of string type, and json denotes that the parameter value is of json type. Similarly, the parameter userId of the next layer can be recorded as userId_json_1_org; apart from layer-0 parameters, a parameter needs to be distinguished by its parent parameter. In this way the parameter features of the payload can be extracted. For example, "userId_json_1_org" is one of the parameter features (called keys): "userId" is the parameter, "json" is the type of the parameter value, "1" is the level, and "org" is the parent parameter. In the embodiment of the application, the key and the parameter value can be stored as payload features.
The numerical feature refers to the feature value of a parameter feature. For example, the feature value of the parameter feature walq_string_0 is the length of the parameter value (e.g., wlaqtest). The feature value of the parameter feature org_json_0 is the number of keys contained in the parameter org, and if the parameter feature is of int type, the feature value is its parameter value. The feature threshold of the numerical feature may be one or more of the mean, maximum, minimum, variance, and median of these feature values. For example, when the payload information of a request in the real-time access log includes a parameter feature that has never appeared before, it may be considered that an abnormal call of the API occurs. Likewise, when the parameter value of a parameter in the payload information of a request in the real-time access log exceeds the maximum value of that parameter, it may be considered that an abnormal call of the API occurs.
In another embodiment, the method further includes: the API assets are extracted from the historical access log.
Based on the feature threshold of the API interface obtained in any of the above embodiments, the API interface may be discovered based on the feature threshold of the API interface, and API assets such as the feature threshold of the API interface and the API interface may be extracted from the history access log, so that the API assets may be automatically discovered and extracted.
Fig. 6 is a schematic flowchart of an early warning method for API interface exception call according to an embodiment of the present disclosure. As shown in fig. 6, the method includes:
Step S610: a real-time access log of an API interface of a web service is obtained.
The real-time access log is the counterpart of the historical access log above, and may be considered to be the access log at the current time or the access log of the most recent period of time.
Step S620: and extracting a real-time access path and a real-time access parameter value from the real-time access log.
The real-time access path may refer to the manner of obtaining the access path in step S220 above. The real-time access parameter values may include feature values of the popularity features, feature values of the field features, feature values of the parameter features, and feature values of the numeric features described above.
Step S630: analyzing the real-time access parameter value corresponding to the real-time access path through a detection model, determining whether the API interface corresponding to the real-time access path is abnormally called, and outputting alarm information when the API interface is abnormally called.
The detection model is obtained by training according to the characteristic threshold values of the API interfaces corresponding to different access paths, and these characteristic threshold values may be obtained by using the API asset determination method provided in the foregoing embodiment.
The detection model is used for judging whether API abnormal calling occurs or not, and the relation between the real-time access parameter value and the characteristic threshold value when the API abnormal calling occurs is specified in the detection model. For example, an exception call is considered to occur when the real-time access parameter value exceeds a characteristic threshold. The feature threshold may be extracted from the historical access log as described above with reference to the API asset determination method embodiment.
For example, suppose the parameter phoneNum represents the number length of a telephone number, and the length counted from the historical access log is 11 digits (i.e., the characteristic threshold). If the real-time access parameter value indicates that the number length of the telephone number is greater than 11 while the returned state is normal, it is likely that an attacker has forged the payload information. According to the judgment of the detection model, an abnormal API call can be considered to have occurred, and alarm information can be sent.
Furthermore, first-line operators can handle the alarm information; if an alarm turns out to be a false alarm, the characteristic threshold value in the detection model can be modified by manual intervention, which reduces false alarms and improves accuracy. In addition, the API interface can be provided to managers for monitoring network security, and to developers of the service line for analyzing the calling condition and characteristic thresholds of the API and guiding the service line in iteratively optimizing and developing the API interface.
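The following sketch ties the two methods together: it derives per-path feature thresholds from history and then applies the two checks described above (a parameter feature never seen before, and a value above the historical maximum). It is an added example, not code from the patent; the record layout, the `*` replacement character, the rule for spotting random path segments, and the choice of the maximum as the only threshold are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: a path segment is "random" if it is all digits or 16+ hex characters.
RANDOM_SEGMENT = re.compile(r"^(\d+|[0-9a-fA-F]{16,})$")

def access_path(url):
    """Domain name plus path part, with random segments replaced by '*'."""
    parts = urlsplit(url)  # separates the path part from the '?' parameter part
    segs = ["*" if RANDOM_SEGMENT.match(s) else s for s in parts.path.split("/")]
    return parts.netloc + "/".join(segs)

def features(payload):
    """Map each payload parameter to a (name, type) feature and its numeric value."""
    out = {}
    for name, value in payload.items():
        if isinstance(value, str):
            out[(name, "string")] = len(value)   # string: length of the value
        elif isinstance(value, dict):
            out[(name, "json")] = len(value)     # json: number of keys
        elif isinstance(value, int) and not isinstance(value, bool):
            out[(name, "int")] = value           # int: the value itself
    return out

def build_assets(history):
    """Merge records by access path and keep the maximum seen for each feature."""
    assets = {}
    for rec in history:
        thresholds = assets.setdefault(access_path(rec["url"]), {})
        for feat, v in features(rec["payload"]).items():
            thresholds[feat] = max(v, thresholds.get(feat, v))
    return assets

def detect(assets, rec):
    """Return alarm messages for one real-time record (empty list: no alarm)."""
    path = access_path(rec["url"])
    known = assets.get(path, {})
    alarms = []
    for feat, v in features(rec["payload"]).items():
        label = f"{feat[0]}_{feat[1]}"
        if feat not in known:
            alarms.append(f"{path}: parameter feature {label} never seen in history")
        elif v > known[feat]:
            alarms.append(f"{path}: {label} value {v} exceeds historical maximum {known[feat]}")
    return alarms

# Constructed sample records (not from the patent).
HISTORY = [
    {"url": "https://api.example.test/user/1001/profile?lang=en",
     "payload": {"phoneNum": "13800138000", "org": {"id": 1, "name": "a"}}},
    {"url": "https://api.example.test/user/2002/profile?lang=zh",
     "payload": {"phoneNum": "13900139000", "age": 30}},
]
SUSPECT = {"url": "https://api.example.test/user/3003/profile",
           "payload": {"phoneNum": "138001380001234", "debug": "1"}}
NORMAL = {"url": "https://api.example.test/user/4004/profile",
          "payload": {"phoneNum": "13700137000", "age": 25}}

if __name__ == "__main__":
    for alarm in detect(build_assets(HISTORY), SUSPECT):
        print(alarm)
```

Because only the maximum is kept, a manual threshold adjustment after a false alarm amounts to editing one entry in the dictionary returned by `build_assets`.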
The following are embodiments of the apparatus of the present application, which may be used to implement embodiments of the method for determining API assets described above in the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the API asset determination method of the present application.
Fig. 7 is a block diagram illustrating an apparatus for determining API assets according to an embodiment of the present application, where the apparatus, as shown in fig. 7, includes:
a log obtaining module 610, configured to obtain a historical access log of an API interface of a web service;
an address splitting module 620, configured to split an access address of each access request in the history access log, and obtain an access path of each access request;
the log merging module 630 is configured to merge the historical access logs with the same access path to obtain a merged target access log;
the characteristic analysis module 640 is configured to perform characteristic analysis on the historical parameters of the target access log, obtain a characteristic threshold of the API interface corresponding to the access path, and determine the characteristic threshold of the API interface as an API asset.
The implementation process of the function and the action of each module in the apparatus is specifically described in the implementation process of the corresponding step in the API asset determination method, and is not described herein again.
Fig. 8 is a block diagram of an early warning apparatus for API interface exception call according to an embodiment of the present application. As shown in fig. 8, the apparatus includes:
a log obtaining module 710, configured to obtain a real-time access log of an API interface of a web service;
an address splitting module 720, configured to extract a real-time access path and a real-time access parameter value from the real-time access log;
the anomaly detection module 730 is configured to analyze a real-time access parameter value corresponding to the real-time access path through a detection model, determine whether an API interface corresponding to the real-time access path is abnormally called, and output alarm information when the API interface is abnormally called;
the detection model is obtained by training according to the characteristic threshold values of the API interfaces corresponding to different access paths; the characteristic threshold values of the API interfaces corresponding to the different access paths are obtained by obtaining historical access logs of the API interfaces of the web services, splitting the access address of each access request in the historical access logs to obtain the access path of each access request, merging the historical access logs with the same access path to obtain a merged target access log, and then performing characteristic analysis on historical parameters of the target access log.
The implementation process of the function and the action of each module in the device is specifically described in detail in the implementation process of the corresponding step in the early warning method for API interface abnormal call, and is not described herein again.
In the embodiments provided in the present application, the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative and, for example, the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.

Claims (11)

1. A method for determining API assets, comprising:
acquiring a historical access log of an API (application programming interface) of a web service;
splitting an access address of each access request in the historical access log to obtain an access path of each access request;
merging the historical access logs with the same access path to obtain a merged target access log;
and performing characteristic analysis on the historical parameters of the target access log to obtain a characteristic threshold value of the API corresponding to the access path, and determining the characteristic threshold value of the API as the API asset.
2. The method according to claim 1, wherein performing feature analysis on the historical parameters of the target access log to obtain a feature threshold of an API interface corresponding to the access path includes:
and counting the occurrence times of the designated parameter values within a preset time period according to the historical parameters of the target access log, and obtaining the characteristic threshold value of the popularity characteristic of the API corresponding to the access path.
3. The method of claim 1, wherein the performing feature analysis on the historical parameters of the target access log to obtain a feature threshold of an API interface corresponding to the access path comprises:
and according to the historical parameters of the target access log, counting any one or more of the maximum value, the mean value, the variance or the median of different field characteristics to obtain the characteristic threshold value of the field characteristic of the API corresponding to the access path.
4. The method of claim 1, wherein the performing feature analysis on the historical parameters of the target access log to obtain a feature threshold of an API interface corresponding to the access path comprises:
and extracting any one or more of the mean value, the maximum value, the minimum value, the variance and the median of the parameter characteristics and the numerical characteristics in the payload information according to the historical parameters of the target access log to obtain the characteristic threshold values of the parameter characteristics and the numerical characteristics of the API corresponding to the access path.
5. The method of claim 1, wherein obtaining a historical access log of API interfaces of a web service comprises:
acquiring historical log data of the web service;
analyzing the historical log data to obtain target field information of each access request;
and filtering and screening the historical log data according to the target field information to obtain a historical access log for calling an API (application program interface).
6. The method of claim 1, wherein splitting the access address of each access request in the historical access log to obtain the access path of each access request comprises:
acquiring a uniform resource identifier and a domain name from an access address of each access request;
splitting the uniform resource identifier into a path part and a parameter part according to the split identifier;
the path portion and the domain name are grouped together into the access path.
7. The method of claim 6, wherein the composing the path segment and the domain name together into the access path comprises:
if the path part contains a random character string, replacing the random character string with a specified character;
and combining the domain name and the replaced path part into the access path.
8. The method according to any one of claims 1-7, further comprising:
extracting API assets from the historical access log.
9. An early warning method for API interface abnormal calling is characterized by comprising the following steps:
acquiring a real-time access log of an API (application program interface) of a web service;
extracting a real-time access path and a real-time access parameter value from the real-time access log;
analyzing a real-time access parameter value corresponding to the real-time access path through a detection model, determining whether an API (application programming interface) interface corresponding to the real-time access path is abnormally called or not, and outputting alarm information when the API interface is abnormally called;
the detection model is obtained by training according to the characteristic threshold values of the API interfaces corresponding to different access paths; the feature threshold of the API interface corresponding to the different access paths is obtained by obtaining a historical access log of the API interface of the web service, splitting an access address of each access request in the historical access log to obtain an access path of each access request, merging the historical access logs with the same access path to obtain a merged target access log, and then performing feature analysis on historical parameters of the target access log.
10. An electronic device, characterized in that the electronic device comprises:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to execute the API asset determination method of any one of claims 1-8 or the API interface exception-called early warning method of claim 9.
11. A computer-readable storage medium, characterized in that the storage medium stores a computer program executable by a processor to perform the API asset determination method of any one of claims 1 to 8 or the API interface exception call warning method of claim 9.
CN202210926753.XA 2022-08-03 2022-08-03 API asset determining method and abnormal calling early warning method Pending CN115314483A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210926753.XA CN115314483A (en) 2022-08-03 2022-08-03 API asset determining method and abnormal calling early warning method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210926753.XA CN115314483A (en) 2022-08-03 2022-08-03 API asset determining method and abnormal calling early warning method

Publications (1)

Publication Number Publication Date
CN115314483A (en) 2022-11-08

Family

ID=83859025

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210926753.XA Pending CN115314483A (en) 2022-08-03 2022-08-03 API asset determining method and abnormal calling early warning method

Country Status (1)

Country Link
CN (1) CN115314483A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116248550A (en) * 2022-12-29 2023-06-09 中国联合网络通信集团有限公司 Interface performance determining method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination