CN115659377B - Interface abnormal access identification method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN115659377B
Authority: CN (China)
Prior art keywords: time period, fixed time, historical, access, date
Legal status: Active
Application number: CN202211592384.1A
Other languages: Chinese (zh)
Other versions: CN115659377A (en)
Inventors: 张黎, 陈广辉, 钱伟杰, 程树华
Current Assignee: Flash It Co ltd
Original Assignee: Flash It Co ltd

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides an interface abnormal access identification method and device, electronic equipment and a storage medium. The method comprises the following steps: acquiring a historical access count sequence of an API interface in any fixed time period; predicting a first access count predicted value for that fixed time period on the current date based on a statistical value of the historical access counts of the API interface in that fixed time period on each historical date; predicting, using a time series prediction model, a second access count predicted value for that fixed time period on the current date based on the historical access count sequence; fusing the first access count predicted value and the second access count predicted value for that fixed time period on the current date to obtain a final predicted value for that fixed time period on the current date; and determining the actual access count of that fixed time period on the current date, and, if the actual access count is greater than the final predicted value, determining that the interface has abnormal high-frequency access in that fixed time period on the current date. The invention improves the precision and flexibility of identifying abnormal interface access.

Description

Interface abnormal access identification method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method and an apparatus for identifying an interface abnormal access, an electronic device, and a storage medium.
Background
An API interface (Application Program Interface) enables communication between computer software and provides data sharing for various platforms. A user can access the data behind an API interface by calling it. However, the types of data transmitted through API interfaces are complex and varied, and some API interfaces involve sensitive business data and personal privacy data. Once such data is leaked or stolen, enterprises face huge compliance risks and the risk of leaking confidential data.
In general, an attacker can use a bot to call an API interface automatically and acquire the sensitive information it exposes. To identify such attack behavior, the number of accesses to the API interface can be monitored and abnormal high-frequency access identified, so that the attack is discovered and access to the API interface is controlled, thereby avoiding leakage of sensitive data. However, currently adopted access control policies usually set a fixed access threshold and apply access control when the number of accesses exceeds it. A fixed access threshold is difficult to adapt to the access patterns of different periods, so this way of identifying abnormal access behavior has poor flexibility and accuracy.
Disclosure of Invention
The invention provides an interface abnormal access identification method, an interface abnormal access identification device, electronic equipment and a storage medium, which are used for overcoming the defects of poor flexibility and accuracy in the prior art.
The invention provides an interface abnormal access identification method, which comprises the following steps:
acquiring a historical access count sequence of an API interface in any fixed time period; the historical access count sequence comprises the historical access counts of the API interface in that fixed time period on each historical date;
predicting a first access count predicted value for that fixed time period on the current date based on a statistical value of the historical access counts of the API interface in that fixed time period on each historical date;
predicting, using a time series prediction model, a second access count predicted value for that fixed time period on the current date based on the historical access count sequence;
fusing the first access count predicted value and the second access count predicted value for that fixed time period on the current date to obtain a final predicted value for that fixed time period on the current date;
and determining the actual access count of that fixed time period on the current date, and, if the actual access count is greater than the final predicted value, determining that the API interface has abnormal high-frequency access in that fixed time period on the current date.
According to the interface abnormal access identification method provided by the present invention, fusing the first access count predicted value and the second access count predicted value for the fixed time period on the current date to obtain the final predicted value for that fixed time period on the current date specifically includes:
predicting a first historical count predicted value for the fixed time period on the previous date based on a statistical value of the historical access counts of the API interface in that fixed time period on the historical dates before the previous date;
predicting, using a time series prediction model, a second historical count predicted value for the fixed time period on the previous date based on the historical access counts of the API interface in that fixed time period on the historical dates before the previous date;
updating the first weight and the second weight corresponding to the fixed time period on the previous date based on the historical access count, the first historical count predicted value and the second historical count predicted value of that fixed time period on the previous date, to obtain the first weight and the second weight corresponding to the fixed time period on the current date;
fusing the first access count predicted value and the second access count predicted value for the fixed time period on the current date based on the first weight and the second weight corresponding to that fixed time period on the current date, to obtain the final predicted value for that fixed time period on the current date; the first weight corresponding to the fixed time period on the current date adjusts the importance of the first access count predicted value, and the second weight corresponding to the fixed time period on the current date adjusts the importance of the second access count predicted value.
According to the interface abnormal access identification method provided by the present invention, updating the first weight and the second weight corresponding to the fixed time period on the previous date based on the historical access count, the first historical count predicted value and the second historical count predicted value of that fixed time period on the previous date, to obtain the first weight and the second weight corresponding to the fixed time period on the current date, specifically includes:
determining a first difference between the historical access count of the fixed time period on the previous date and the first historical count predicted value, and a second difference between the historical access count of the fixed time period on the previous date and the second historical count predicted value;
numerically adjusting the first weight and the second weight corresponding to the fixed time period on the previous date based on the first difference and the second difference;
if the first difference is greater than the second difference, decreasing the first weight corresponding to the fixed time period on the previous date and increasing the second weight corresponding to the fixed time period on the previous date, to obtain the first weight and the second weight corresponding to the fixed time period on the current date;
if the first difference is smaller than the second difference, increasing the first weight corresponding to the fixed time period on the previous date and decreasing the second weight corresponding to the fixed time period on the previous date, to obtain the first weight and the second weight corresponding to the fixed time period on the current date.
According to the interface abnormal access identification method provided by the present invention, numerically adjusting the first weight and the second weight corresponding to the fixed time period on the previous date based on the first difference and the second difference specifically includes:
determining the ratio of the first difference to the second difference as the current fluctuation coefficient;
if the current fluctuation coefficient is greater than 1, multiplying the second weight corresponding to the fixed time period on the previous date by the current fluctuation coefficient to obtain the second weight corresponding to the fixed time period on the current date, and determining the first weight corresponding to the fixed time period on the current date based on the second weight corresponding to the fixed time period on the current date;
if the current fluctuation coefficient is smaller than 1, multiplying the first weight corresponding to the fixed time period on the previous date by the current fluctuation coefficient to obtain the first weight corresponding to the fixed time period on the current date, and determining the second weight corresponding to the fixed time period on the current date based on the first weight corresponding to the fixed time period on the current date.
According to the interface abnormal access identification method provided by the present invention, fusing the first access count predicted value and the second access count predicted value for the fixed time period on the current date based on the first weight and the second weight corresponding to that fixed time period on the current date, to obtain the final predicted value for that fixed time period on the current date, specifically includes:
fitting a first regression coefficient, a second regression coefficient and an error term of a multiple linear regression model based on the historical access count, the first historical count predicted value and the second historical count predicted value of the API interface in the fixed time period on each historical date; the dependent variable of the multiple linear regression model is the final predicted value for the fixed time period on the current date, and the independent variables are the first access count predicted value and the second access count predicted value for the fixed time period on the current date;
updating the first regression coefficient and the second regression coefficient of the multiple linear regression model based on the first weight and the second weight corresponding to the fixed time period on the current date, respectively, to obtain a first updated regression coefficient and a second updated regression coefficient of the multiple linear regression model;
and fusing the first access count predicted value and the second access count predicted value for the fixed time period on the current date based on the first updated regression coefficient, the second updated regression coefficient and the error term of the multiple linear regression model, to obtain the final predicted value for the fixed time period on the current date.
According to the interface abnormal access identification method provided by the present invention, predicting the first access count predicted value for the fixed time period on the current date based on the statistical value of the historical access counts of the API interface in that fixed time period on each historical date specifically includes:
averaging the historical access counts of the API interface in the fixed time period on each historical date to obtain the access average value corresponding to that fixed time period;
dividing the historical access count of the API interface in the fixed time period on each historical date by the access average value to obtain the historical access ratio of that fixed time period on each historical date;
and predicting the first access count predicted value for the fixed time period on the current date based on the historical access counts of the API interface in that fixed time period on each day of the latest preset time span and the historical access ratios of that fixed time period on each historical date.
According to the interface abnormal access identification method provided by the present invention, predicting the first access count predicted value for the fixed time period on the current date based on the historical access counts of the API interface in that fixed time period on each day of the latest preset time span and the historical access ratios of that fixed time period on each historical date specifically includes:
determining the average value and the standard deviation of the historical access counts of the API interface in the fixed time period on each day of the latest preset time span, and determining an access reference value based on the average value and the standard deviation;
determining a cycle factor based on the median of the historical access ratios of the fixed time period on each historical date;
and predicting the first access count predicted value for the fixed time period on the current date based on the access reference value and the cycle factor.
The invention also provides an interface abnormal access identification device, which comprises:
a historical data acquisition unit, used for acquiring a historical access count sequence of an API interface in any fixed time period; the historical access count sequence comprises the historical access counts of the API interface in that fixed time period on each historical date;
a first prediction unit, used for predicting a first access count predicted value for the fixed time period on the current date based on a statistical value of the historical access counts of the API interface in that fixed time period on each historical date;
a second prediction unit, used for predicting, using a time series prediction model, a second access count predicted value for the fixed time period on the current date based on the historical access count sequence;
a fusion prediction unit, used for fusing the first access count predicted value and the second access count predicted value for the fixed time period on the current date to obtain a final predicted value for that fixed time period on the current date;
and an abnormal high-frequency access identification unit, used for determining the actual access count of the fixed time period on the current date, and, if the actual access count is greater than the final predicted value, determining that the API interface has abnormal high-frequency access in that fixed time period on the current date.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein when the processor executes the program, the interface abnormal access identification method is realized.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the interface abnormal access identification method as described in any one of the above.
The present invention also provides a computer program product comprising a computer program, which when executed by a processor implements the interface abnormal access identification method as described in any one of the above.
The interface abnormal access identification method and device, electronic equipment and storage medium provided by the invention take any fixed time period as the granularity of prediction and identification. A first access count predicted value for the fixed time period on the current date is predicted based on a statistical value of the historical access counts of the API (application program interface) in that fixed time period on each historical date, and a second access count predicted value for the fixed time period on the current date is predicted, using a time series prediction model, based on the historical access counts of the API interface in that fixed time period on each historical date. Predicting several times in different dimensions extracts the user's access pattern more accurately, so that the final predicted value for the fixed time period on the current date is predicted more accurately and serves as the basis for judging whether abnormal high-frequency access exists in that fixed time period on the current date. If the actual access count of the fixed time period on the current date is greater than the final predicted value, it is determined that the API interface has abnormal high-frequency access in that fixed time period on the current date, which improves the flexibility and accuracy of abnormal access identification.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a flow chart of an interface abnormal access identification method provided by the present invention;
FIG. 2 is a flow chart of a fusion prediction method provided by the present invention;
FIG. 3 is a schematic flow chart of a statistical rule-based prediction method provided by the present invention;
FIG. 4 is a schematic structural diagram of an interface abnormal access recognition apparatus provided in the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
FIG. 1 is a schematic flowchart of an interface abnormal access identification method provided by the present invention. As shown in FIG. 1, the method includes:
step 110, acquiring a historical access count sequence of an API interface in any fixed time period; the historical access count sequence comprises the historical access counts of the API interface in that fixed time period on each historical date;
step 120, predicting a first access count predicted value for the fixed time period on the current date based on a statistical value of the historical access counts of the API interface in that fixed time period on each historical date;
step 130, predicting, using a time series prediction model, a second access count predicted value for the fixed time period on the current date based on the historical access count sequence;
step 140, fusing the first access count predicted value and the second access count predicted value for the fixed time period on the current date to obtain a final predicted value for that fixed time period on the current date;
step 150, determining the actual access count of the fixed time period on the current date, and, if the actual access count is greater than the final predicted value, determining that the API interface has abnormal high-frequency access in that fixed time period on the current date.
Specifically, the historical access count sequence of any API interface in any fixed time period (for example, 8 pm to 9 pm) is obtained from the access data of each API interface recorded on the server side. The historical access count sequence comprises the historical access counts of the API interface in that fixed time period on each historical date; the historical access count for the fixed time period on any historical date is a count recorded under normal access conditions, and the historical access counts for the fixed time period on the historical dates are arranged in chronological order. For example, if the subsequent prediction is performed weekly, taking Monday 8 pm to 9 pm as an example, the historical access count sequence may consist of the access count from 8 pm to 9 pm on Monday of the first week, the access count from 8 pm to 9 pm on Monday of the second week, and so on up to the access count from 8 pm to 9 pm on Monday of the previous week. If the subsequent prediction is performed daily, taking 8 pm to 9 pm today as an example, the historical access count sequence may consist of the access count from 8 pm to 9 pm on the first day, the access count from 8 pm to 9 pm on the second day, and so on up to the access count from 8 pm to 9 pm on the previous day. A historical date is a date before the current date, and the interval or period between historical dates (for example, one day, one week, or one month) may be set according to actual circumstances. The historical access count of the API interface in the fixed time period on any historical date is the total number of times users called the API interface during that time period on that date. For example, the historical access count sequence corresponding to any fixed time period of the interface may be obtained from the access counts of each time period of each day in the previous N weeks (N is user-defined and may default to 3).
The historical access count sequence of the API interface in any fixed time period contains the pattern of user access to the API interface. If this access pattern can be identified accurately, the regular access count of each time period of each day can be predicted; if the access count in a certain time period is higher than the regular access count, the time period can be considered to have abnormal high-frequency access, and certain access control measures (such as access limitation) need to be taken. To extract the access pattern accurately, a statistical rule may be used to determine a statistical value of the historical access counts of the API interface in the fixed time period on each historical date, and the access pattern is fitted with this statistical value, so as to predict the access count of the API interface in the fixed time period on the current date, that is, the first access count predicted value. The statistical value of the historical access counts of the API interface in the fixed time period on each historical date may be any statistic that reflects the pattern of discrete values, such as the average value and the variance of the historical access counts, and the first access count predicted value for the fixed time period on the current date can be predicted by applying a certain floating coefficient to the statistical value.
However, the statistical value of the historical access counts of the API interface in the fixed time period on each historical date only reflects the statistical pattern of discrete values and ignores the temporal order among the historical access counts in the historical access count sequence, while users' access behavior may be strongly associated with access time. Therefore, in addition to the first access count predicted value obtained in the statistical manner, the time series characteristics of the historical access count sequence are also considered, so that a prediction is made in another dimension to improve the accuracy of access pattern extraction. A time series prediction model, such as an ARIMA model, can be used to perform time series analysis on the historical access count sequence and thereby predict the second access count predicted value for the fixed time period on the current date.
Then, the first access count predicted value for the fixed time period on the current date, obtained from the statistical rule, and the second access count predicted value for the fixed time period on the current date, obtained from the time series of the data, are fused. The advantages of the two prediction modes in different dimensions complement each other, so that the fused final predicted value for the fixed time period on the current date is closer to the true value and better reflects the user's real access pattern in a normal state.
When the fixed time period on the current date arrives, the actual access count of the API interface in that fixed time period is counted. For example, when the fixed time period is 8 pm to 9 pm, counting of the actual accesses to the API interface can start at 8 pm and continue until 9 pm. The actual access count of the fixed time period on the current date is then compared with the predicted final predicted value for the fixed time period on the current date to identify whether the API interface has abnormal high-frequency access in that fixed time period on the current date. If the actual access count of the fixed time period on the current date is greater than the corresponding final predicted value, it is determined that the API interface has abnormal high-frequency access in that fixed time period on the current date. It can be seen that the embodiment of the present invention performs the above access count prediction (including the prediction based on statistical rules and the prediction based on time series characteristics) separately for each fixed time period, so the judgment threshold (that is, the final predicted value) used to decide whether abnormal high-frequency access exists in a given fixed time period also varies with the fixed time period, which makes abnormal access identification more flexible and accurate. In addition, as time goes on, the historical access count sequence acquired each time contains more data, and the predictions based on statistical rules and time series characteristics come closer to the actual situation, so the accuracy of the judgment threshold used to decide whether abnormal high-frequency access exists in a given fixed time period gradually improves, and the accuracy of abnormal access identification becomes higher.
The method provided by the embodiment of the invention takes any fixed time period as the granularity of prediction and identification. A first access count predicted value for the fixed time period on the current date is predicted based on a statistical value of the historical access counts of the API interface in that fixed time period on each historical date, and a second access count predicted value for the fixed time period on the current date is predicted, using a time series prediction model, based on the historical access counts of the API interface in that fixed time period on each historical date. Predicting several times in different dimensions extracts the user's access pattern more accurately, so that the final predicted value for the fixed time period on the current date is predicted more accurately and serves as the basis for judging whether abnormal high-frequency access exists in that fixed time period on the current date. If the actual access count of the fixed time period on the current date is greater than the final predicted value, it is determined that the API interface has abnormal high-frequency access in that fixed time period on the current date, which improves the flexibility and accuracy of abnormal access identification.
Based on the foregoing embodiment, as shown in FIG. 2, fusing the first access count predicted value and the second access count predicted value for the fixed time period on the current date to obtain the final predicted value for that fixed time period on the current date specifically includes:
step 141, predicting a first historical count predicted value for the fixed time period on the previous date based on a statistical value of the historical access counts of the API interface in that fixed time period on the historical dates before the previous date;
step 142, predicting, using a time series prediction model, a second historical count predicted value for the fixed time period on the previous date based on the historical access counts of the API interface in that fixed time period on the historical dates before the previous date;
step 143, updating the first weight and the second weight corresponding to the fixed time period on the previous date based on the historical access count, the first historical count predicted value and the second historical count predicted value of that fixed time period on the previous date, to obtain the first weight and the second weight corresponding to the fixed time period on the current date;
step 144, fusing the first access count predicted value and the second access count predicted value for the fixed time period on the current date based on the first weight and the second weight corresponding to that fixed time period on the current date, to obtain the final predicted value for that fixed time period on the current date; the first weight corresponding to the fixed time period on the current date adjusts the importance of the first access count predicted value, and the second weight corresponding to the fixed time period on the current date adjusts the importance of the second access count predicted value.
Specifically, in order to better fuse the first access time prediction value and the second access time prediction value to obtain a final prediction value closer to the real condition, corresponding fusion weights may be respectively set for the first access time prediction value and the second access time prediction value in the fixed time period of the current date, so as to regulate the importance degree of the first access time prediction value and the second access time prediction value during fusion. In order to improve the accuracy of the final predicted value and thus the accuracy of interface abnormal access identification, the fusion weight corresponding to the first access time predicted value and the second access time predicted value of the fixed time period on the current date can be updated adaptively based on the access time prediction accuracy of the fixed time period on the historical date, so that the fusion prediction mechanism can adapt to the current new access rule rapidly when the access rule changes, and the final predicted value which is closer to the true value is obtained through prediction.
Specifically, the first historical times predicted value of the fixed time period of the previous date may be predicted based on a statistical value of the historical access times of the fixed time period of the historical dates before the previous date. The previous date is, for example, the day before the current date or the same day of the previous week (if the current date is a Monday, the previous date may be the Monday of the previous week). In addition, a second historical times predicted value of the fixed time period of the previous date is predicted by a time series prediction model based on the historical access times of the API interface in the fixed time period of the historical dates before the previous date. Both predictions for the fixed time period of the previous date, the one based on the statistical rule of the historical access times and the one based on the time series characteristic of the historical access times, are made in the same way as the predictions for the fixed time period of the current date described above, and the details are not repeated here. Then, based on the historical access times of the fixed time period on the previous date, the first historical times predicted value and the second historical times predicted value, the first weight and the second weight corresponding to the fixed time period on the previous date are adaptively updated to obtain the first weight and the second weight corresponding to the fixed time period on the current date.
When the first and second historical times predicted values (or the first and second access times predicted values) are fused, their importance degrees are adjusted by the first weight and the second weight respectively, yielding the judgment threshold (namely the final predicted value of the fixed time period of the previous date or the current date) used to judge whether abnormal high-frequency access exists in the fixed time period of the previous date or the current date. To adaptively update the first weight and the second weight corresponding to the fixed time period of the previous date so that they follow the current access rule, the gap in prediction accuracy between the prediction based on the statistical rule and the prediction based on the time series characteristic can be determined from the differences between the historical access times of the fixed time period of the previous date and the first and second historical times predicted values. The first weight and the second weight corresponding to the fixed time period of the previous date are then updated according to that gap, which adjusts the importance degree of the statistics-based predicted value and the time-series-based predicted value and gives the first weight and the second weight corresponding to the fixed time period of the current date.
After the first weight and the second weight corresponding to the fixed time period of the current date are determined, the first access time number prediction value and the second access time number prediction value of the fixed time period of the current date may be fused based on the first weight and the second weight corresponding to the fixed time period of the current date to obtain a final prediction value of the fixed time period of the current date.
Based on any one of the above embodiments, the updating, based on the historical access times, the first historical time predicted value, and the second historical time predicted value of any one of the fixed time periods on the previous date, the first weight and the second weight corresponding to any one of the fixed time periods on the previous date to obtain the first weight and the second weight corresponding to any one of the fixed time periods on the current date specifically includes:
determining a first difference between the historical visit times of any fixed time period on the previous date and the first historical time prediction value, and a second difference between the historical visit times of any fixed time period on the previous date and the second historical time prediction value;
numerically adjusting a first weight and a second weight corresponding to the any fixed period of the previous date based on the first difference and the second difference;
if the first difference is greater than the second difference, decreasing a first weight corresponding to any fixed time period of the previous date and increasing a second weight corresponding to any fixed time period of the previous date to obtain a first weight and a second weight corresponding to any fixed time period of the current date;
if the first difference is smaller than the second difference, increasing a first weight corresponding to any fixed time period of the previous date, and decreasing a second weight corresponding to any fixed time period of the previous date to obtain a first weight and a second weight corresponding to any fixed time period of the current date.
Specifically, when the first weight and the second weight corresponding to the fixed period of the previous date are adaptively updated based on the difference between the historical access count of the fixed period of the previous date and the first historical count predicted value and the second historical count predicted value, the first difference between the historical access count of the fixed period of the previous date and the first historical count predicted value and the second difference between the historical access count of the fixed period of the previous date and the second historical count predicted value may be respectively determined. For example, if the historical access count of the fixed period on the previous date is Li, and the first and second historical count predicted values are pi and qi, respectively, then the first difference is f1 = |Li - pi| and the second difference is f2 = |Li - qi|.
The values of the first weight and the second weight corresponding to the fixed time period of the previous date are then adjusted based on the first difference and the second difference. If the first difference is greater than the second difference, the prediction based on the statistical rule is less accurate than the prediction based on the time series characteristic, so the first weight corresponding to the fixed time period of the previous date can be reduced and the second weight corresponding to the fixed time period of the previous date can be increased, raising the importance degree of the prediction result based on the time series characteristic and giving the first weight and the second weight corresponding to the fixed time period of the current date. If the first difference is smaller than the second difference, the prediction based on the statistical rule is more accurate than the prediction based on the time series characteristic, so the first weight corresponding to the fixed time period of the previous date can be increased and the second weight corresponding to the fixed time period of the previous date can be decreased, raising the importance degree of the prediction result based on the statistical rule and giving the first weight and the second weight corresponding to the fixed time period of the current date. If the first difference is equal to the second difference, the first weight and the second weight corresponding to the fixed time period of the previous date do not need to be changed. The sum of the first weight and the second weight corresponding to the fixed time period of the current date is 1.
Based on any of the above embodiments, the numerically adjusting the first weight and the second weight corresponding to any of the fixed time periods of the previous date based on the first difference and the second difference specifically includes:
determining a ratio between the first difference and the second difference as a current fluctuation coefficient;
if the current fluctuation coefficient is greater than 1, multiplying a second weight corresponding to any fixed time period of the previous date by the current fluctuation coefficient to obtain a second weight corresponding to any fixed time period of the current date, and determining a first weight corresponding to any fixed time period of the current date based on the second weight corresponding to any fixed time period of the current date;
if the current fluctuation coefficient is smaller than 1, multiplying a first weight corresponding to any fixed time period of the previous date by the current fluctuation coefficient to obtain a first weight corresponding to any fixed time period of the current date, and determining a second weight corresponding to any fixed time period of the current date based on the first weight corresponding to any fixed time period of the current date.
Specifically, the ratio f1/f2 between the first difference and the second difference is calculated as the current fluctuation coefficient v. If the current fluctuation coefficient v is greater than 1, the second weight a2_old corresponding to the fixed time period of the previous date is multiplied by the current fluctuation coefficient v to obtain the second weight a2_old × v corresponding to the fixed time period of the current date, and the first weight 1 - a2_old × v corresponding to the fixed time period of the current date is determined based on the second weight corresponding to the fixed time period of the current date. If the current fluctuation coefficient v is less than 1, the first weight a1_old corresponding to the fixed time period of the previous date is multiplied by the current fluctuation coefficient v to obtain the first weight a1_old × v corresponding to the fixed time period of the current date, and the second weight 1 - a1_old × v corresponding to the fixed time period of the current date is determined based on the first weight corresponding to the fixed time period of the current date. If the current fluctuation coefficient v is equal to 1, the first weight and the second weight corresponding to the fixed time period of the current date are the same as the first weight and the second weight corresponding to the fixed time period of the previous date.
Based on any of the above embodiments, the fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date based on the first weight and the second weight corresponding to any fixed time period of the current date to obtain the final predicted value of any fixed time period of the current date specifically includes:
fitting to obtain a first regression coefficient, a second regression coefficient and an error term of the multiple linear regression model based on the historical access times, the first historical time predicted value and the second historical time predicted value of the API in any fixed time period of each historical date; the dependent variable of the multiple linear regression model is a final predicted value of any fixed time period of the current date, and the independent variable is a first access frequency predicted value and a second access frequency predicted value of any fixed time period of the current date;
respectively updating a first regression coefficient and a second regression coefficient of the multiple linear regression model based on a first weight and a second weight corresponding to any fixed time period of the current date to obtain a first updated regression coefficient and a second updated regression coefficient of the multiple linear regression model;
and fusing the first visit time number predicted value and the second visit time number predicted value of any fixed time period of the current date based on the first updated regression coefficient, the second updated regression coefficient and the error term of the multiple linear regression model to obtain the final predicted value of any fixed time period of the current date.
Specifically, in order to further improve the accuracy of fusing the first visit number predicted value and the second visit number predicted value, a multiple linear regression model may be adopted to fuse them. A first regression coefficient, a second regression coefficient and an error term of the multiple linear regression model are obtained by fitting, based on the historical access times, the first historical time predicted value and the second historical time predicted value of the API interface in the fixed time period of each historical date. The first historical time number predicted value and the second historical time number predicted value of the fixed time period on any historical date are obtained in the same way as the first access time number predicted value and the second access time number predicted value of the fixed time period on the current date, and the details are not repeated here. The multiple linear regression model may be K = (w1 × x1 + w2 × x2 + b)/2, where w1 and w2 are the first regression coefficient and the second regression coefficient, respectively, and b is the error term. The dependent variable of the multiple linear regression model is the final predicted value K of the fixed period of the current date, and the independent variables are the first visit number predicted value x1 and the second visit number predicted value x2 of the fixed period of the current date. The first regression coefficient, the second regression coefficient and the error term can be determined by multiple linear fitting.
Then, based on the first weight (denoted as a1) and the second weight (denoted as a2) corresponding to the fixed time period of the current date, the first regression coefficient w1 and the second regression coefficient w2 of the multiple linear regression model are respectively updated, and the first updated regression coefficient (i.e., a1 × w1) and the second updated regression coefficient (i.e., a2 × w2) of the multiple linear regression model are obtained. The updated multiple linear regression model is therefore K = (a1 × w1 × x1 + a2 × w2 × x2 + b)/2. The first visit number predicted value and the second visit number predicted value of the fixed time period on the current date are input into this model and fused based on the first updated regression coefficient, the second updated regression coefficient and the error term of the multiple linear regression model to obtain the final predicted value of the fixed time period on the current date.
Based on any of the above embodiments, as shown in Fig. 3, predicting a first predicted value of the number of accesses in any fixed time period on the current date based on the statistical value of the number of historical accesses of the API interface in any fixed time period on each historical date specifically includes:
Step 121, averaging the historical access times of the API interface in any fixed time period of each historical date to obtain an access average value corresponding to any fixed time period;
Step 122, dividing the historical access times of the API interface in any fixed time period of each historical date by the access average value to obtain a historical access proportion in any fixed time period of each historical date;
Step 123, predicting a first access frequency predicted value of any fixed time period on the current date based on the historical access frequency of the API interface in any fixed time period of each day in the latest preset time period and the historical access proportion in any fixed time period on each historical date.
Specifically, the historical access times of the API interface in the fixed period of each historical date are averaged to obtain an access average corresponding to the fixed period. The access average represents an average level of user access to the API interface over the fixed period of time for each historical date. The historical access times of the API interface in the fixed period of each historical date are respectively divided by the access average value to obtain the historical access proportion in the fixed period of each historical date. And predicting a first access time prediction value of the fixed period on the current date based on the historical access times of the API interface in the fixed period every day in the last preset time period (such as the last week) and the historical access proportion of each historical date in the fixed period.
Based on any one of the above embodiments, the predicting a first access frequency predicted value of any one fixed period on the current date based on the historical access frequency of the API interface in any one fixed period of each day within the latest preset time period and the historical access proportion of each historical date in any one fixed period specifically includes:
determining the average value and the standard deviation of the historical access times of the API interface in any fixed time period of each day in the latest preset time period, and determining an access reference value based on the average value and the standard deviation;
determining a cycle factor based on a median of historical access proportions at any of the fixed periods of each historical date;
and predicting a first access time prediction value of any fixed time period of the current date based on the access reference value and the cycle factor.
Specifically, the average value (denoted as a) and the standard deviation (denoted as d) of the historical access times of the API interface in the fixed time period of each day in the last preset time period (for example, the last week) are determined, and the access reference value is determined based on the average value and the standard deviation. The access reference value reflects the average access level of recent users. The access reference value base may be calculated by the following formula: base = a + 3 × d. In addition, the cycle factor t is determined based on the median of the historical access proportions in the fixed period of each historical date. Then, based on the access reference value base and the cycle factor t, a first access number prediction value of the fixed period of the current date is predicted. The first access number prediction value p can be calculated by the following formula: p = base × t.
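The following Python sketch, added here as an illustration and not taken from the patent, chains the steps described above for one fixed time period: the statistical prediction p = base × t, the weight update by the fluctuation coefficient v = f1/f2, and the fusion K = (a1 × w1 × x1 + a2 × w2 × x2 + b)/2 used as the detection threshold. Its assumptions: simple exponential smoothing stands in for the time series prediction model, the population standard deviation is used for d, w1, w2 and b are passed in as already fitted values, weights are clamped to [0.05, 0.95], and all function names and sample counts are constructed.

```python
from statistics import mean, median, pstdev


def statistical_prediction(history, recent_days=7):
    """First predicted value p = base * t for one fixed time period.

    history: access counts of that period on each historical date, oldest first.
    """
    avg = mean(history)
    if avg == 0:                      # period never accessed: nothing to scale
        return 0.0
    ratios = [count / avg for count in history]   # historical access proportions
    t = median(ratios)                            # cycle factor
    recent = history[-recent_days:]               # latest preset time period
    # base = a + 3 * d; using the population standard deviation is an assumption
    base = mean(recent) + 3 * pstdev(recent)
    return base * t


def smoothed_prediction(history, alpha=0.5):
    """Assumed stand-in for the time series prediction model:
    simple exponential smoothing over the same per-date counts."""
    level = float(history[0])
    for count in history[1:]:
        level = alpha * count + (1 - alpha) * level
    return level


def update_weights(a1_old, a2_old, actual, p_prev, q_prev, lo=0.05, hi=0.95):
    """Derive the current date's weights from the previous date's errors."""
    f1 = abs(actual - p_prev)          # first difference
    f2 = abs(actual - q_prev)          # second difference
    if f1 == f2:                       # v == 1 (or both exact): keep the weights
        return a1_old, a2_old
    if f2 == 0:                        # v undefined; second predictor was exact
        return 1 - hi, hi              # assumption: give it the maximum weight
    v = f1 / f2                        # current fluctuation coefficient
    if v > 1:
        # clamp is an assumption: a2_old * v can exceed 1 and make a1 negative
        a2 = max(lo, min(hi, a2_old * v))
        return 1 - a2, a2
    # v < 1: the text multiplies a1_old by v. Note that this lowers a1 even
    # though f1 < f2 means the first predictor was the more accurate one;
    # the rule is implemented here exactly as worded.
    a1 = max(lo, min(hi, a1_old * v))
    return a1, 1 - a1


def fuse(x1, x2, a1, a2, w1, w2, b):
    """Final predicted value K = (a1*w1*x1 + a2*w2*x2 + b) / 2."""
    return (a1 * w1 * x1 + a2 * w2 * x2 + b) / 2


def detect(history, actual_today, a1_old, a2_old, w1, w2, b):
    """Return (K, is_abnormal, a1, a2) for one fixed time period of today.

    history[-1] is the previous date; w1, w2, b are already fitted coefficients.
    """
    if len(history) < 2:
        raise ValueError("need the previous date plus at least one earlier date")
    earlier, actual_prev = history[:-1], history[-1]
    # Steps 141-143: re-predict the previous date, then update the weights.
    a1, a2 = update_weights(a1_old, a2_old, actual_prev,
                            statistical_prediction(earlier),
                            smoothed_prediction(earlier))
    # Step 144: fuse today's two predictions into the decision threshold.
    k = fuse(statistical_prediction(history), smoothed_prediction(history),
             a1, a2, w1, w2, b)
    return k, actual_today > k, a1, a2


if __name__ == "__main__":
    # Constructed counts for one hourly period over five dates, oldest first.
    counts = [80, 120, 80, 120, 100]
    k, abnormal, a1, a2 = detect(counts, 130, 0.5, 0.5, 2.0, 2.0, 0.0)
    print(f"threshold={k:.2f} abnormal={abnormal} a1={a1:.2f} a2={a2:.2f}")
```

Because the rule multiplies a weight by v directly, a single large miss by one predictor can drive the weights to the clamp in one step, after which the threshold follows the other predictor almost entirely.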
The interface abnormal access identification device provided by the present invention is described below, and the interface abnormal access identification device described below and the interface abnormal access identification method described above may be referred to in correspondence with each other.
Based on any of the above embodiments, Fig. 4 is a schematic structural diagram of an interface abnormal access identification apparatus provided by the present invention. As shown in Fig. 4, the apparatus includes: a history data acquisition unit 410, a first prediction unit 420, a second prediction unit 430, a fusion prediction unit 440, and an abnormal high frequency access identification unit 450.
The historical data acquiring unit 410 is configured to acquire a historical access time sequence of the API interface in any fixed time period; the historical access times sequence comprises the historical access times of the API interface in any fixed time period of each historical date;
the first prediction unit 420 is configured to predict a first access time prediction value of any fixed time period on a current date based on a statistical value of historical access times of the API interface in any fixed time period on each historical date;
the second prediction unit 430 is configured to predict, by using a time series prediction model, a second access time prediction value of any fixed time period of the current date based on the historical access time series;
the fusion prediction unit 440 is configured to fuse the first access frequency prediction value and the second access frequency prediction value of any fixed time period of the current date to obtain a final prediction value of any fixed time period of the current date;
the abnormal high-frequency access identifying unit 450 is configured to determine an actual access frequency of the any fixed time period on the current date, and if the actual access frequency is greater than the final predicted value, determine that the API interface has an abnormal high-frequency access in the any fixed time period on the current date.
The device provided by the embodiment of the invention takes any fixed time period as the granularity of prediction and identification. A first access frequency predicted value of the fixed time period of the current date is predicted based on a statistical value of the historical access frequencies of the API interface in that fixed time period of each historical date, and a second access frequency predicted value of the fixed time period of the current date is predicted by a time series prediction model based on the same historical access frequencies. Predicting several times along different dimensions extracts the users' access pattern more accurately, so the final predicted value of the fixed time period of the current date is more accurate and serves as the basis for judging whether abnormal high-frequency access exists in that period. If the actual access frequency of the fixed time period of the current date is greater than the final predicted value, it is determined that the API interface has abnormal high-frequency access in the fixed time period of the current date, which improves the flexibility and accuracy of abnormal access identification.
Based on any of the above embodiments, the fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date to obtain the final predicted value of any fixed time period of the current date specifically includes:
predicting to obtain a first historical time prediction value of any fixed time period of the previous date based on the statistical value of the historical access times of the API interface in any fixed time period of the historical date before the previous date;
predicting a second historical frequency predicted value of any fixed time period of the previous date based on the historical access frequency of the API in any fixed time period of the historical date before the previous date by using a time series prediction model;
updating a first weight and a second weight corresponding to any fixed time period of the previous date based on the historical access times, the first historical time predicted value and the second historical time predicted value of any fixed time period of the previous date to obtain the first weight and the second weight corresponding to any fixed time period of the current date;
fusing the first visit time number predicted value and the second visit time number predicted value of any fixed time period of the current date based on the first weight and the second weight corresponding to any fixed time period of the current date to obtain a final predicted value of any fixed time period of the current date; the first weight corresponding to any fixed time period of the current date is used for adjusting the importance degree of the first access time number predicted value, and the second weight corresponding to any fixed time period of the current date is used for adjusting the importance degree of the second access time number predicted value.
Based on any one of the above embodiments, the updating, based on the historical access times, the first historical time predicted value, and the second historical time predicted value of any one of the fixed time periods on the previous date, the first weight and the second weight corresponding to any one of the fixed time periods on the previous date to obtain the first weight and the second weight corresponding to any one of the fixed time periods on the current date specifically includes:
determining a first difference between the historical access times of the any fixed period on the previous date and the first historical time prediction value, and a second difference between the historical access times of the any fixed period on the previous date and the second historical time prediction value;
numerically adjusting a first weight and a second weight corresponding to the any fixed period of the previous date based on the first difference and the second difference;
if the first difference is greater than the second difference, decreasing a first weight corresponding to any fixed time period of the previous date and increasing a second weight corresponding to any fixed time period of the previous date to obtain a first weight and a second weight corresponding to any fixed time period of the current date;
if the first difference is smaller than the second difference, increasing a first weight corresponding to any fixed time period of the previous date, and decreasing a second weight corresponding to any fixed time period of the previous date to obtain a first weight and a second weight corresponding to any fixed time period of the current date.
Based on any of the above embodiments, the numerically adjusting the first weight and the second weight corresponding to any fixed time period of the previous date based on the first difference and the second difference specifically includes:
determining a ratio between the first difference and the second difference as a current fluctuation coefficient;
if the current fluctuation coefficient is greater than 1, multiplying a second weight corresponding to any fixed time period of the previous date by the current fluctuation coefficient to obtain a second weight corresponding to any fixed time period of the current date, and determining a first weight corresponding to any fixed time period of the current date based on the second weight corresponding to any fixed time period of the current date;
if the current fluctuation coefficient is smaller than 1, multiplying a first weight corresponding to any fixed time period of the previous date by the current fluctuation coefficient to obtain a first weight corresponding to any fixed time period of the current date, and determining a second weight corresponding to any fixed time period of the current date based on the first weight corresponding to any fixed time period of the current date.
Based on any of the above embodiments, the fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date based on the first weight and the second weight corresponding to any fixed time period of the current date to obtain the final predicted value of any fixed time period of the current date specifically includes:
fitting to obtain a first regression coefficient, a second regression coefficient and an error term of the multiple linear regression model based on the historical access times, the first historical time predicted value and the second historical time predicted value of the API in any fixed time period of each historical date; the dependent variable of the multiple linear regression model is a final predicted value of any fixed time period of the current date, and the independent variable is a first access frequency predicted value and a second access frequency predicted value of any fixed time period of the current date;
respectively updating a first regression coefficient and a second regression coefficient of the multiple linear regression model based on a first weight and a second weight corresponding to any fixed time period of the current date to obtain a first updated regression coefficient and a second updated regression coefficient of the multiple linear regression model;
and fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date based on the first updated regression coefficient, the second updated regression coefficient and the error term of the multiple linear regression model to obtain the final predicted value of any fixed time period of the current date.
Based on any one of the above embodiments, the predicting of a first access frequency predicted value of any fixed time period of the current date, based on the statistical value of the historical access times of the API interface in any fixed time period of each historical date, specifically includes:
averaging the historical access times of the API interface in any fixed time period of each historical date to obtain an access average value corresponding to any fixed time period;
respectively dividing the historical access times of the API interface in any fixed time period of each historical date by the access average value to obtain the historical access proportion in any fixed time period of each historical date;
and predicting a first access frequency predicted value of any fixed time period of the current date based on the historical access times of the API interface in any fixed time period of each day in the most recent preset time period and the historical access proportion of each historical date in any fixed time period.
Based on any one of the above embodiments, the predicting of a first access frequency predicted value of any fixed time period of the current date, based on the historical access times of the API interface in any fixed time period of each day in the most recent preset time period and the historical access proportion of each historical date in any fixed time period, specifically includes:
determining the average value and the standard deviation of the historical access times of the API interface in any fixed time period of each day in the most recent preset time period, and determining an access reference value based on the average value and the standard deviation;
determining a cycle factor based on the median of the historical access proportions in any fixed time period of each historical date;
and predicting a first access frequency predicted value of any fixed time period of the current date based on the access reference value and the cycle factor.
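The two-predictor scheme described in this section can be sketched as follows; this is an added example, not code from the patent. It implements the cycle-factor predictor and the fluctuation-coefficient weight update, and uses a plain weighted sum in place of the regression-based fusion. Assumptions not stated on the page: the reference value is mean + k × standard deviation, the prediction is reference × cycle factor, simple exponential smoothing stands in for the time series prediction model, the differences are taken as absolute values, and the two weights sum to 1 with clamping; the sample counts are constructed.

```python
from statistics import mean, median, pstdev

# Constructed sample: request counts for one API in the same fixed time period
# (say 09:00-10:00) on eight consecutive historical dates, oldest first.
HISTORY = [90, 110, 90, 110, 90, 110, 100, 105]


def first_prediction(history, recent_days=7, k=1.0):
    """Cycle-factor predictor for one fixed time period.

    Assumed forms: reference = mean + k * std over the recent window,
    prediction = reference * cycle factor.
    """
    overall = mean(history)
    if overall == 0:
        return 0.0
    ratios = [h / overall for h in history]        # historical access proportions
    cycle_factor = median(ratios)
    recent = history[-recent_days:]
    reference = mean(recent) + k * pstdev(recent)  # access reference value
    return reference * cycle_factor


def second_prediction(history, alpha=0.5):
    """Stand-in time series model: simple exponential smoothing (assumption)."""
    level = float(history[0])
    for h in history[1:]:
        level = alpha * h + (1 - alpha) * level
    return level


def update_weights(history, w1_prev=0.5, w2_prev=0.5):
    """Fluctuation-coefficient weight update.

    history[-1] is the previous date. Both predictors are re-run on the dates
    before it and compared with the count that was actually observed.
    Returns (first weight, second weight, fluctuation coefficient).
    """
    past, actual_prev = history[:-1], history[-1]
    d1 = abs(actual_prev - first_prediction(past))   # first difference
    d2 = abs(actual_prev - second_prediction(past))  # second difference
    if d1 == d2:             # includes 0/0: coefficient is 1, weights unchanged
        return w1_prev, w2_prev, 1.0
    coeff = float("inf") if d2 == 0 else d1 / d2
    if coeff > 1:
        # Multiplicative update saturates quickly, so clamp at 1 (assumption).
        w2 = min(1.0, w2_prev * coeff)
        return 1.0 - w2, w2, coeff
    w1 = w1_prev * coeff
    return w1, 1.0 - w1, coeff


def detect(history, actual_today, w1_prev=0.5, w2_prev=0.5):
    """Flag the fixed time period of the current date if the actual count
    exceeds the fused prediction."""
    w1, w2, coeff = update_weights(history, w1_prev, w2_prev)
    p1 = first_prediction(history)
    p2 = second_prediction(history)
    threshold = w1 * p1 + w2 * p2   # weighted sum standing in for the regression
    return {"p1": p1, "p2": p2, "w1": w1, "w2": w2, "coeff": coeff,
            "threshold": threshold, "anomalous": actual_today > threshold}


if __name__ == "__main__":
    for count in (104, 400):
        result = detect(HISTORY, count)
        print(count, round(result["threshold"], 2), result["anomalous"])
```

Because the fused value is used directly as the alert threshold, any count even slightly above it is flagged; the headroom comes only from the standard-deviation term in the reference value.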
Fig. 5 is a schematic structural diagram of an electronic device provided by the present invention. As shown in Fig. 5, the electronic device may include a processor 510, a memory 520, a communications interface 530 and a communication bus 540, wherein the processor 510, the memory 520 and the communications interface 530 communicate with each other via the communication bus 540. The processor 510 may call logic instructions in the memory 520 to perform an interface abnormal access identification method comprising: acquiring a historical access times sequence of the API interface in any fixed time period, the historical access times sequence comprising the historical access times of the API interface in any fixed time period of each historical date; predicting a first access frequency predicted value of any fixed time period of the current date based on the statistical value of the historical access times of the API interface in any fixed time period of each historical date; predicting, by using a time series prediction model, a second access frequency predicted value of any fixed time period of the current date based on the historical access times sequence; fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date to obtain a final predicted value of any fixed time period of the current date; and determining the actual access times of any fixed time period on the current date and, if the actual access times are greater than the final predicted value, determining that the API interface has abnormal high-frequency access in any fixed time period on the current date.
In addition, when the logic instructions in the memory 520 are implemented in the form of software functional units and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
In another aspect, the present invention also provides a computer program product, which includes a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to execute the interface abnormal access identification method provided above, the method including: acquiring a historical access times sequence of the API interface in any fixed time period, the historical access times sequence comprising the historical access times of the API interface in any fixed time period of each historical date; predicting a first access frequency predicted value of any fixed time period of the current date based on the statistical value of the historical access times of the API interface in any fixed time period of each historical date; predicting, by using a time series prediction model, a second access frequency predicted value of any fixed time period of the current date based on the historical access times sequence; fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date to obtain a final predicted value of any fixed time period of the current date; and determining the actual access times of any fixed time period on the current date and, if the actual access times are greater than the final predicted value, determining that the API interface has abnormal high-frequency access in any fixed time period on the current date.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the interface abnormal access identification method provided above, the method including: acquiring a historical access times sequence of the API interface in any fixed time period, the historical access times sequence comprising the historical access times of the API interface in any fixed time period of each historical date; predicting a first access frequency predicted value of any fixed time period of the current date based on the statistical value of the historical access times of the API interface in any fixed time period of each historical date; predicting, by using a time series prediction model, a second access frequency predicted value of any fixed time period of the current date based on the historical access times sequence; fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date to obtain a final predicted value of any fixed time period of the current date; and determining the actual access times of any fixed time period on the current date and, if the actual access times are greater than the final predicted value, determining that the API interface has abnormal high-frequency access in any fixed time period on the current date.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (6)

1. An interface abnormal access identification method is characterized by comprising the following steps:
acquiring a historical access times sequence of the API interface in any fixed time period; the historical access times sequence comprises the historical access times of the API interface in any fixed time period of each historical date;
predicting to obtain a first access frequency predicted value of any fixed time period of the current date based on the statistical value of the historical access times of the API interface in any fixed time period of each historical date;
predicting to obtain a second access frequency predicted value of any fixed time period of the current date based on the historical access times sequence by using a time series prediction model;
fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date to obtain a final predicted value of any fixed time period of the current date;
determining the actual access times of any fixed time period on the current date, and if the actual access times are greater than the final predicted value, determining that the API interface has abnormal high-frequency access in any fixed time period on the current date;
the fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date to obtain a final predicted value of any fixed time period of the current date specifically includes:
predicting to obtain a first historical time prediction value of any fixed time period of the previous date based on the statistical value of the historical access times of the API interface in any fixed time period of the historical date before the previous date;
predicting a second historical time prediction value of any fixed time period of the previous date based on the historical access times of the API interface in any fixed time period of the historical date before the previous date by using a time series prediction model;
determining a first difference between the historical access times of the any fixed period on the previous date and the first historical time prediction value, and a second difference between the historical access times of the any fixed period on the previous date and the second historical time prediction value;
determining a ratio between the first difference and the second difference as a current fluctuation coefficient;
if the current fluctuation coefficient is greater than 1, multiplying a second weight corresponding to any fixed time period of the previous date by the current fluctuation coefficient to obtain a second weight corresponding to any fixed time period of the current date, and determining a first weight corresponding to any fixed time period of the current date based on the second weight corresponding to any fixed time period of the current date;
if the current fluctuation coefficient is less than 1, multiplying a first weight corresponding to any fixed time period of the previous date by the current fluctuation coefficient to obtain a first weight corresponding to any fixed time period of the current date, and determining a second weight corresponding to any fixed time period of the current date based on the first weight corresponding to any fixed time period of the current date;
fitting to obtain a first regression coefficient, a second regression coefficient and an error term of the multiple linear regression model based on the historical access times, the first historical time predicted value and the second historical time predicted value of the API in any fixed time period of each historical date; the dependent variable of the multiple linear regression model is a final predicted value of any fixed time period of the current date, and the independent variable is a first access frequency predicted value and a second access frequency predicted value of any fixed time period of the current date;
respectively updating a first regression coefficient and a second regression coefficient of the multiple linear regression model based on a first weight and a second weight corresponding to any fixed time period of the current date to obtain a first updated regression coefficient and a second updated regression coefficient of the multiple linear regression model;
and fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date based on the first updated regression coefficient, the second updated regression coefficient and the error term of the multiple linear regression model to obtain the final predicted value of any fixed time period of the current date.
2. The method according to claim 1, wherein the predicting a first predicted value of access times in any fixed time period on a current date based on the statistical value of the historical access times of the API interface in any fixed time period on each historical date specifically includes:
averaging the historical access times of the API interface in any fixed time period of each historical date to obtain an access average value corresponding to any fixed time period;
respectively dividing the historical access times of the API interface in any fixed time period of each historical date by the access average value to obtain the historical access proportion in any fixed time period of each historical date;
and predicting a first access frequency predicted value of any fixed time period of the current date based on the historical access times of the API interface in any fixed time period of each day in the most recent preset time period and the historical access proportion of each historical date in any fixed time period.
3. The interface abnormal access identification method according to claim 2, wherein the predicting a first access frequency predicted value of any fixed time period of the current date based on the historical access times of the API interface in any fixed time period of each day in the most recent preset time period and the historical access proportion of each historical date in any fixed time period specifically comprises:
determining the average value and the standard deviation of the historical access times of the API interface in any fixed time period of each day in the most recent preset time period, and determining an access reference value based on the average value and the standard deviation;
determining a cycle factor based on the median of the historical access proportions in any fixed time period of each historical date;
and predicting a first access frequency predicted value of any fixed time period of the current date based on the access reference value and the cycle factor.
4. An interface abnormal access recognition apparatus, comprising:
the historical data acquisition unit is used for acquiring a historical access times sequence of the API interface in any fixed time period; the historical access times sequence comprises the historical access times of the API interface in any fixed time period of each historical date;
the first prediction unit is used for predicting a first access frequency predicted value of any fixed time period of the current date based on the statistical value of the historical access times of the API interface in any fixed time period of each historical date;
the second prediction unit is used for predicting a second access frequency predicted value of any fixed time period of the current date based on the historical access times sequence by using a time series prediction model;
the fusion prediction unit is used for fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date to obtain a final predicted value of any fixed time period of the current date;
an abnormal high-frequency access identification unit, configured to determine the actual access times of any fixed time period on the current date, and if the actual access times are greater than the final predicted value, determine that the API interface has abnormal high-frequency access in any fixed time period on the current date;
the fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date to obtain a final predicted value of any fixed time period of the current date specifically includes:
predicting to obtain a first historical time prediction value of any fixed time period of the previous date based on the statistical value of the historical access times of the API interface in any fixed time period of the historical date before the previous date;
predicting a second historical time prediction value of any fixed time period of the previous date based on the historical access times of the API interface in any fixed time period of the historical date before the previous date by using a time series prediction model;
determining a first difference between the historical access times of the any fixed period on the previous date and the first historical time prediction value, and a second difference between the historical access times of the any fixed period on the previous date and the second historical time prediction value;
determining a ratio between the first difference and the second difference as a current fluctuation coefficient;
if the current fluctuation coefficient is greater than 1, multiplying a second weight corresponding to any fixed time period of the previous date by the current fluctuation coefficient to obtain a second weight corresponding to any fixed time period of the current date, and determining a first weight corresponding to any fixed time period of the current date based on the second weight corresponding to any fixed time period of the current date;
if the current fluctuation coefficient is less than 1, multiplying a first weight corresponding to any fixed time period of the previous date by the current fluctuation coefficient to obtain a first weight corresponding to any fixed time period of the current date, and determining a second weight corresponding to any fixed time period of the current date based on the first weight corresponding to any fixed time period of the current date;
fitting to obtain a first regression coefficient, a second regression coefficient and an error term of the multiple linear regression model based on the historical access times, the first historical time predicted value and the second historical time predicted value of the API in any fixed time period of each historical date; the dependent variable of the multiple linear regression model is a final predicted value of any fixed time period of the current date, and the independent variable is a first access frequency predicted value and a second access frequency predicted value of any fixed time period of the current date;
respectively updating a first regression coefficient and a second regression coefficient of the multiple linear regression model based on a first weight and a second weight corresponding to any fixed time period of the current date to obtain a first updated regression coefficient and a second updated regression coefficient of the multiple linear regression model;
and fusing the first access frequency predicted value and the second access frequency predicted value of any fixed time period of the current date based on the first updated regression coefficient, the second updated regression coefficient and the error term of the multiple linear regression model to obtain the final predicted value of any fixed time period of the current date.
5. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the interface abnormal access identification method according to any one of claims 1 to 3 when executing the program.
6. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the interface abnormal access identification method according to any one of claims 1 to 3.
CN202211592384.1A 2022-12-13 2022-12-13 Interface abnormal access identification method and device, electronic equipment and storage medium Active CN115659377B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211592384.1A CN115659377B (en) 2022-12-13 2022-12-13 Interface abnormal access identification method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN115659377A CN115659377A (en) 2023-01-31
CN115659377B true CN115659377B (en) 2023-03-31

Family

ID=85017284

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211592384.1A Active CN115659377B (en) 2022-12-13 2022-12-13 Interface abnormal access identification method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115659377B (en)

Also Published As

Publication number Publication date
CN115659377A (en) 2023-01-31

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant