CN115859282A - Security protection method, device and computer readable storage medium - Google Patents


Info

Publication number
CN115859282A
Authority
CN
China
Prior art keywords
api
call
call request
detection
normal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211519947.4A
Other languages
Chinese (zh)
Inventor
闫保奇
呼博文
徐浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202211519947.4A
Publication of CN115859282A
Legal status: Pending

Abstract

The present disclosure provides a security protection method, device and computer-readable storage medium, relating to the technical field of network security. The method comprises: monitoring a function call chain consisting of a plurality of functions called during the calling process of a first API, wherein the functions are arranged in the function call chain in the order in which they are called; and inputting the function call chain into a machine learning model to determine whether the call request of the first API is normal.

Description

Security protection method, device and computer readable storage medium
Technical Field
The present disclosure relates to the field of network security technologies, and in particular, to a security protection method, apparatus, and computer-readable storage medium.
Background
Currently, when providing an Application Programming Interface (API) call service, an API provider needs to apply security protection to the API in order to prevent its network traffic from being affected by malicious attacks delivered through API calls.
In the related art, the API provider generally limits the frequency of API calls, i.e., limits the number of times a user may call the API within a specified time. If a user's call frequency to the API exceeds the limit, the API provider directly rejects that user's API call request and adds the user to a blacklist, which reduces the risk of malicious attacks on the API.
Disclosure of Invention
The inventors have noted that the accuracy of determining whether an API call request is normal in the manner of the related art is low.
The inventors' analysis finds that some normal call requests may be mistaken for abnormal call requests. For example, a user may also send normal API call requests at a high frequency, but such call requests would be erroneously determined to be abnormal in the manner of the related art.
In order to solve the above problem, the embodiments of the present disclosure propose the following solutions.
According to an aspect of the embodiments of the present disclosure, there is provided a security protection method, including: monitoring a function call chain consisting of a plurality of functions called during the calling process of a first API, wherein the functions are arranged in the function call chain in the order in which they are called; and inputting the function call chain into a machine learning model to determine whether the call request of the first API is normal.
In some embodiments, the method further comprises monitoring at least one preset function called during the calling of the first API, the plurality of functions including the at least one preset function; and determining other functions except the at least one preset function in the plurality of functions according to the context of the code corresponding to each preset function.
In some embodiments, the method further comprises performing a first detection on the call request of the first API to determine whether the call request of the first API is normal, and allowing the first API to be called if the result of the first detection is normal; wherein the first detection comprises at least one of the following detections, and the result of the first detection is normal if the result of each detection in the at least one detection is yes: detecting whether the value type of the call request of the first API belongs to a preset value type; detecting whether the length of the call request of the first API falls within a preset length range; detecting whether the size of the call request of the first API falls within a preset size range; detecting whether the call request of the first API does not contain a Structured Query Language (SQL) statement; and detecting whether the call request of the first API does not contain characters that do not match the value type of the call request of the first API.
In some embodiments, the method further comprises clustering the call request of the first API with call requests of other abnormal APIs if a preset condition is met, the preset condition comprising the machine learning model determining that the call request of the first API is abnormal; and determining the commonality characteristic of abnormal API call requests according to the clustering result.
In some embodiments, the method further comprises, in the event that the machine learning model determines that the call request of the first API is abnormal, performing a second detection in a simulation environment to determine whether an attack behavior occurs during the call of the first API; in the case that an attack behavior occurs, determining the correspondence between the commonality characteristic of abnormal API call requests and the category of the attack behavior according to the clustering result; and the preset condition further comprises that the result of the second detection is that an attack behavior occurs.
In some embodiments, the method further comprises performing the first detection with a second API as the first API; the plurality of detections further includes detecting whether the call request of the second API has the commonality characteristic.
In some embodiments, the method further comprises determining that the call request of the first API is normal in the absence of an attack.
In some embodiments, the attack behavior includes at least one of tampering with a system file and obtaining root rights.
In some embodiments, the call request of the first API is copied into the simulation environment by way of traffic mirroring to perform the second detection.
In some embodiments, in the case that the result of the first detection is normal, allowing the first API to be called includes: executing third detection to detect whether a token carried by the call request of the first API is valid or not under the condition that the result of the first detection is normal; allowing the first API to be called if the token is valid; in the event that the token is invalid, the first API is not allowed to be called.
According to another aspect of the embodiments of the present disclosure, there is provided a security protection apparatus, including: a monitoring module configured to monitor a function call chain consisting of a plurality of functions called during the calling process of a first application programming interface (API), wherein the functions are arranged in the function call chain in the order in which they are called; and a determination module configured to input the function call chain into a machine learning model to determine whether the call request of the first API is normal.
According to still another aspect of the embodiments of the present disclosure, there is provided a security protection apparatus, including: a memory; and a processor coupled to the memory, the processor configured to perform the method of any of the above embodiments based on instructions stored in the memory.
According to a further aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium comprising computer program instructions, wherein the computer program instructions, when executed by a processor, implement the method of any one of the above embodiments.
According to a further aspect of the embodiments of the present disclosure, there is provided a computer program product comprising a computer program, wherein the computer program, when executed by a processor, implements the method of any one of the above embodiments.
In the embodiment of the disclosure, a function call chain is formed by sequentially arranging a plurality of functions called in the calling process of the API according to the calling sequence, and the function call chain is input into the machine learning model to determine whether the calling request of the API is normal. In such a mode, the sequence in the calling process of the API is considered, so that the normal API calling request and the abnormal API calling request can be accurately distinguished.
The technical solution of the present disclosure is further described in detail by the accompanying drawings and examples.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings used in the embodiments or the prior art descriptions will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic flow diagram of a security method according to some embodiments of the present disclosure;
FIG. 2 is a schematic flow diagram of a security method according to further embodiments of the present disclosure;
FIG. 3 is a schematic structural diagram of a security protection apparatus according to some embodiments of the present disclosure;
FIG. 4 is a schematic structural diagram of a security protection apparatus according to further embodiments of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
In addition, in the description of the present disclosure, the terms "first," "second," "third," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or order. Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous.
Fig. 1 is a flow diagram of a security method according to some embodiments of the present disclosure.
In step 102, a function call chain composed of a plurality of functions called during the calling process of the first API is monitored. Here, in the function call chain, the plurality of functions are arranged in the order in which they are called. In some embodiments, the plurality of functions may be monitored using dynamic instrumentation, for example with an agent probe.
In some embodiments, the plurality of functions may be arranged in order of the calls in combination with the time stamp to form a function call chain.
At step 104, the chain of function calls is input to a machine learning model to determine whether the call request of the first API is normal.
In some embodiments, in the case of training a machine learning model, the machine learning model may be trained with the chain of sample function calls of the first API as input and the type of corresponding attack as output. For example, a machine learning model may be trained using a function call chain of requests of an API that initiates a Structured Query Language (SQL) attack as a sample input and an attack type "SQL attack" as an output.
As some embodiments, in the case of training the machine learning model, the sample function call chain of the first API and the type of the first API may be simultaneously used as inputs, and the machine learning model may be trained using the corresponding attack type as an output so that the machine learning model may determine whether the call request of the first API is normal according to the type of the API.
As some implementations, the machine learning model may be a Recurrent Neural Network (RNN) model.
Therefore, the function call chain formed by sequentially arranging the functions called in the calling process of the API according to the calling sequence is monitored, and the function call chain is input into the machine learning model to determine whether the calling request of the API is normal. In such a way, the sequence in the calling process of the API is considered, so that the normal API calling request and the abnormal API calling request can be accurately distinguished.
In some embodiments, at least one preset function called in the calling process of the first API may be monitored, and other functions than the at least one preset function in the plurality of functions may be determined according to the context of the code corresponding to each preset function. Here, the plurality of functions in the function call chain includes the at least one preset function.
For example, a key function (i.e., a preset function) in the API call may be instrumented to obtain its code and the context of that code; the other functions called before and/or after the key function can then be obtained from that context, and, in combination with the timestamps, a function call chain arranged in calling order can be assembled. Here, a key function is a function with a critical role, for example a function that operates on the main configuration, or a function that plays the main role in the entire calling process.
For some embodiments, the key function may be selected according to the type of API.
Therefore, the preset function called in the calling process of the first API is monitored, other functions except the preset function in the multiple functions are determined according to the context of the code corresponding to the preset function, and then the function calling chain can be obtained without monitoring more functions, so that system resources required under the monitoring condition are saved, and the monitoring efficiency is improved.
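As an added example (not code from the patent or from China Telecom), the following Python shows steps 102 and 104 end to end: preset functions are registered, one API call is traced with sys.setprofile as a stand-in for the agent probe, the recorded calls are arranged by timestamp into a function call chain, and a bigram transition model (assumed here in place of the RNN the text mentions) is trained on sample chains of normal requests and then flags a chain that bypasses validation. All handler names and request contents are constructed.

```python
import sys
import time

# Registry of preset (key) functions to monitor: code object -> function name.
# Assumption: in-process instrumentation via sys.setprofile stands in for the
# agent probe / dynamic instrumentation described in the text.
MONITORED_CODE = {}


def monitored(fn):
    """Register fn as a preset function without wrapping it, so the profiler
    recognises its frames by code object."""
    MONITORED_CODE[fn.__code__] = fn.__name__
    return fn


def monitor_call_chain(handler, request):
    """Run one API call through handler and return its function call chain:
    the monitored functions that ran, arranged by call timestamp."""
    events = []  # (timestamp_ns, function name)

    def profiler(frame, event, arg):
        if event == "call" and frame.f_code in MONITORED_CODE:
            events.append((time.perf_counter_ns(), MONITORED_CODE[frame.f_code]))

    sys.setprofile(profiler)
    try:
        handler(request)
    finally:
        sys.setprofile(None)
    events.sort(key=lambda e: e[0])  # arrange in calling order via the timestamps
    return [name for _, name in events]


class CallChainModel:
    """Stand-in for the RNN of the text: a bigram model over call sequences.
    It learns which (function -> next function) transitions occur in the sample
    chains of normal requests and flags any chain with an unseen transition."""

    START, END = "<start>", "<end>"

    def __init__(self):
        self.transitions = set()

    def fit(self, sample_chains):
        for chain in sample_chains:
            seq = [self.START, *chain, self.END]
            self.transitions.update(zip(seq, seq[1:]))
        return self

    def unseen_transitions(self, chain):
        seq = [self.START, *chain, self.END]
        return [t for t in zip(seq, seq[1:]) if t not in self.transitions]

    def is_normal(self, chain):
        return not self.unseen_transitions(chain)


# Constructed toy API implementation (not from the patent) -------------------
@monitored
def authenticate(req):
    return req.get("token") == "valid-token"


@monitored
def validate(req):
    return isinstance(req.get("q"), str) and 0 < len(req["q"]) <= 16


@monitored
def query_db(q):
    return [row for row in ("alpha", "beta") if q in row]  # constructed rows


@monitored
def render(rows):
    return {"rows": rows}


def handle_request(req):
    """Normal code path: authenticate, validate, query, render."""
    if not authenticate(req) or not validate(req):
        return render([])
    return render(query_db(req["q"]))


def handle_request_unvalidated(req):
    """A code path that skips validate(); its chain differs from every normal
    chain, so the model flags requests that took this path."""
    if not authenticate(req):
        return render([])
    return render(query_db(req["q"]))


def train_model():
    """Train on sample chains captured from requests known to be normal."""
    samples = [
        monitor_call_chain(handle_request, {"token": "valid-token", "q": "alp"}),
        monitor_call_chain(handle_request, {"token": "bad", "q": "alp"}),
        monitor_call_chain(handle_request, {"token": "valid-token", "q": ""}),
    ]
    return CallChainModel().fit(samples)
```

A real deployment would feed the chains to the sequence model described in the text rather than this bigram stand-in, but the capture and ordering step is the same.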
In some embodiments, a first detection may be performed on the call request of the first API to determine whether the call request of the first API is normal, and if the result of the first detection is normal, the first API is allowed to be called.
The plurality of detections that the first detection may comprise are described below in connection with various embodiments. For each detection mentioned below, if the detection result is "yes", the result of the first detection is normal; if the detection result is "no", the result of the first detection is abnormal.
As some embodiments, the first detecting may include detecting whether a value type of a call request of the first API belongs to a preset value type. For example, if the preset value type is "int" type, the call request of the API with the value type of "int" can pass the first detection, and the call requests of other value types cannot pass the first detection. Here, the preset numerical value type may include one or more data types.
As another embodiment, the first detecting may include detecting whether a length range of the call request of the first API belongs to a preset length range. For example, if the preset length range is 1 to 16 characters, then the call requests of the API with the length range between 1 to 16 characters (including 1 character and 16 characters) can pass the first detection, and the call requests of other length ranges cannot pass the first detection. Here, the preset length range may include one or more length ranges.
As still further embodiments, the first detection may include detecting whether the size of the call request of the first API falls within a preset size range. For example, if the preset size range is 1 to 10 kilobytes (KB), call requests of the API with a size between 1 KB and 10 KB (inclusive) pass the first detection, and call requests of other sizes do not. Here, the preset size range may include one or more size ranges.
As still further embodiments, the first detecting may include detecting whether a call request of the first API does not include an SQL statement. For example, in the case where the call request of the API does not include the SQL statement, the call request passes the first detection, and in the case where the call request of the API includes the SQL statement, the call request cannot pass the first detection.
As still further embodiments, the first detection may include detecting whether the call request of the first API does not contain characters that do not match the value type of the call request. For example, if a Chinese character and/or punctuation occurs in a call request of an API whose value type is "int", the call request does not pass the first detection; if no character that does not match the value type occurs, the call request passes the first detection.
It is to be understood that the result of the first detection is normal only if every detection it includes yields "yes"; otherwise the result of the first detection is abnormal.
Therefore, the first detection is carried out on the call request of the first API to determine whether the call request of the first API is normal or not, the first API is allowed to be called under the condition that the first detection result is normal, and then the first detection can be firstly utilized to eliminate part of abnormal call requests of the API, so that the efficiency of distinguishing the normal call request of the API from the abnormal call request of the API is improved.
In some embodiments, the first detection includes two or more of the above-mentioned detections, that is, the first detection may include two or more of: detecting whether the value type of the call request of the first API belongs to a preset value type, detecting whether the length of the call request of the first API falls within a preset length range, detecting whether the size of the call request of the first API falls within a preset size range, detecting whether the call request of the first API does not include an SQL statement, and detecting whether the call request of the first API does not include characters that do not match its value type.
In this way, the first detection including the plurality of detections can more accurately exclude a part of call requests of the abnormal API, thereby further improving the efficiency of distinguishing the call requests of the normal API from the call requests of the abnormal API.
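As an added example (not code from the patent), the following Python implements the five detections of the first detection over a call request represented as a dict, plus the third detection (token validity) that later embodiments place after it. The policy values, the request layout, the SQL-statement heuristic and the HMAC token scheme are all constructed assumptions.

```python
import hashlib
import hmac
import json
import re

# Constructed policy for one API (not from the patent): preset value types,
# length range in characters, and size range in bytes of the serialised request.
POLICY = {
    "value_types": {"int", "float", "str"},
    "length_range": (1, 16),
    "size_range": (1, 10 * 1024),
}

# Characters permitted for each numeric value type (a str value is unrestricted).
TYPE_PATTERNS = {
    "int": re.compile(r"^[+-]?[0-9]+$"),
    "float": re.compile(r"^[+-]?[0-9]+(\.[0-9]+)?$"),
}

# Minimal heuristic for "contains an SQL statement": a statement keyword
# followed by a further token. A deployment would use a fuller grammar.
SQL_STATEMENT = re.compile(
    r"\b(select|insert|update|delete|drop|union|alter|create)\b\s+\S", re.I
)


def first_detection(request, policy=POLICY):
    """Run the detections of the text over one call request.

    request is a dict like {"type": "int", "value": "42", "token": "..."}.
    Returns (result, failed): result is "normal" only if every detection
    answers "yes"; failed lists the detections that answered "no"."""
    failed = []
    vtype, value = request.get("type"), str(request.get("value", ""))

    if vtype not in policy["value_types"]:
        failed.append("value_type")
    lo, hi = policy["length_range"]
    if not lo <= len(value) <= hi:
        failed.append("length_range")
    lo, hi = policy["size_range"]
    size = len(json.dumps(request, sort_keys=True).encode("utf-8"))
    if not lo <= size <= hi:
        failed.append("size_range")
    if SQL_STATEMENT.search(value):
        failed.append("sql_statement")
    pattern = TYPE_PATTERNS.get(vtype)
    if pattern is not None and not pattern.match(value):
        failed.append("char_type_mismatch")

    return ("normal" if not failed else "abnormal"), failed


# Third detection: token validity. Assumption (constructed scheme): a token is
# "<subject>.<hex mac>" where the mac is HMAC-SHA256 over the subject under a
# server-side key. Any real token format with a verifiable signature works.
SERVER_KEY = b"constructed-demo-key"


def issue_token(subject, key=SERVER_KEY):
    mac = hmac.new(key, subject.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{subject}.{mac}"


def third_detection(token, key=SERVER_KEY):
    """True only if the token's MAC verifies; the comparison is constant-time."""
    if not isinstance(token, str) or "." not in token:
        return False
    subject, mac = token.rsplit(".", 1)
    expected = hmac.new(key, subject.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def gate(request, policy=POLICY):
    """Steps 204 and 206 of FIG. 2: an abnormal first detection rejects the
    request outright; an invalid token routes it to the second detection
    (attack replay in a simulation environment); otherwise the call proceeds."""
    result, failed = first_detection(request, policy)
    if result != "normal":
        return "reject", failed
    if not third_detection(request.get("token")):
        return "to_second_detection", ["invalid_token"]
    return "allow", []
```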
In some embodiments, in the case that a preset condition is met, the call request of the first API is clustered with the call requests of other abnormal APIs, and according to the clustering result, the common characteristic of the call requests of the abnormal APIs is determined. Here, the preset condition includes that the machine learning model determines that the call request of the first API is not normal.
For example, in the case where the machine learning model determines that the call request of the first API is abnormal, the call request of the first API may be clustered with call requests of other abnormal APIs, for example according to one or more parameters of the API call requests such as value type, length range and size range; the commonality characteristic of abnormal API call requests is then obtained from the clustering result.
In some embodiments, the commonality characteristic may be a feature shared by more than a preset number of the abnormal API call requests in the clustering process, e.g., a feature common to a majority (e.g., 80%) of the abnormal API call requests in the clustering process; as another example, it may be a feature common to all abnormal API call requests in the clustering process.
Therefore, under the condition that the preset condition is met, the calling request of the first API and the calling requests of other abnormal APIs are clustered, and the characteristics of the calling requests of the abnormal APIs are determined according to the clustering result, so that reference is provided for analyzing the calling requests of the abnormal APIs.
In some embodiments, the first detection may also be performed on the call request of a second API to determine whether the call request of the second API is normal. In this case, the plurality of detections in the first detection further includes detecting whether the call request has the determined commonality characteristic of abnormal API call requests. Here, the second API may be the same as or different from the first API.
In this way, in the first detection of the subsequent call requests, the call requests of the APIs with the same or similar characteristics can be rejected in advance, so that the efficiency of distinguishing the normal call requests of the APIs from the abnormal call requests of the APIs is improved.
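As an added example (not code from the patent) covering both the commonality characteristic above and its reuse in the first detection of later requests: abnormal call requests are reduced to the clustering parameters named in the text (value type, length range, size range), feature values shared by at least a preset share of them (80% by default, 100% for "all") become the commonality characteristic, and a later request that carries every common feature is flagged in advance. Bucket widths and the sample requests are constructed assumptions.

```python
from collections import Counter

# Assumption (not from the patent): a raw length or size is mapped to a
# "range" feature by bucketing, 16 characters wide for length, 1 KB for size.
LENGTH_BUCKET = 16
SIZE_BUCKET = 1024


def bucket(n, width):
    """Return the (low, high) range containing n for the given bucket width."""
    lo = (n // width) * width
    return (lo, lo + width - 1)


def request_features(req):
    """The parameters the text clusters on: value type, length range, size range."""
    value = str(req.get("value", ""))
    return {
        "value_type": req.get("type"),
        "length_range": bucket(len(value), LENGTH_BUCKET),
        "size_range": bucket(req.get("size_bytes", len(value)), SIZE_BUCKET),
    }


def commonality_features(abnormal_requests, min_share=0.8):
    """Feature values shared by at least min_share of the abnormal requests.
    min_share=0.8 matches the text's majority example; 1.0 requires all."""
    if not abnormal_requests:
        return {}
    counts = {}
    for req in abnormal_requests:
        for name, val in request_features(req).items():
            counts.setdefault(name, Counter())[val] += 1
    total = len(abnormal_requests)
    common = {}
    for name, counter in counts.items():
        val, c = counter.most_common(1)[0]
        if c / total >= min_share:
            common[name] = val
    return common


def has_commonality(req, common):
    """Extra detection for later (second-API) requests: True when the request
    carries every common feature, so the first detection can reject it early."""
    if not common:
        return False
    feats = request_features(req)
    return all(feats[name] == val for name, val in common.items())


# Constructed abnormal requests (sizes in bytes are made up for the example).
ABNORMAL_SAMPLES = [
    {"type": "int", "value": "9" * 20, "size_bytes": 300},
    {"type": "int", "value": "8" * 18, "size_bytes": 280},
    {"type": "int", "value": "7" * 25, "size_bytes": 310},
    {"type": "int", "value": "6" * 17, "size_bytes": 290},
    {"type": "str", "value": "a" * 30, "size_bytes": 2048},
]
```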
In some embodiments, in the event that the machine learning model determines that the call request of the first API is abnormal, a second detection is performed in the simulation environment to determine whether an attack behavior occurs during the call of the first API; and if an attack behavior occurs, the correspondence between the commonality characteristic of abnormal API call requests and the category of the attack behavior is determined according to the clustering result. Here, the preset condition further includes that the result of the second detection is that an attack behavior occurs. In other words, the call request of the first API is determined to be abnormal when the machine learning model determines that it is abnormal and an attack behavior occurs.
The second detection may also be referred to as attack replay detection.
In some embodiments, the call request of the first API may be copied into the simulation environment by way of traffic mirroring to perform the second detection. The simulated environment may be, for example, a sandbox.
In some embodiments, the attack behavior may include at least one of tampering with a system file and obtaining root privileges.
Therefore, the corresponding relation between the abnormal API call request characteristics and the attack behavior categories is determined through the clustering result, and the corresponding attack behavior categories can be shown on the basis of rejecting the API call requests with the same or similar characteristics under the condition of receiving the API call requests again, so that the efficiency of distinguishing the normal API call requests from the abnormal API call requests is improved.
In some embodiments, in the absence of an attack, it is determined that the call request of the first API is normal.
As some embodiments, after determining that the call request of the first API is normal without an attack behavior, the call request of the first API may be normally executed to call the corresponding API.
Therefore, the calling request of the first API is determined to be normal under the condition that the attack behavior does not occur, the condition that the normal calling request of the API is rejected due to the misjudgment of the machine learning model and the condition that the calling request of the API is actually normal although the function calling chain is not standard can be avoided, and the accuracy of distinguishing the normal calling request of the API from the abnormal calling request of the API is further improved.
In some embodiments, a third detection is performed to detect whether a token carried by a call request of the first API is valid or not when a result of the first detection is normal, and the first API is allowed to be called when the token is valid; in the event that the token is invalid, the first API is not allowed to be called.
Therefore, the accuracy of distinguishing normal API call requests from abnormal API call requests can be further improved by combining the mode of detecting whether the token is effective or not on the basis of the first detection.
In some embodiments, in the event that the token is invalid, the call request of the corresponding first API may be clustered with call requests of other abnormal APIs, e.g., by one or more parameters of the API call requests such as value type, length range and size range; the commonality characteristic of abnormal API call requests is then obtained from the clustering result.
In this way, under the condition that the token is invalid, the calling request of the first API is clustered with the calling requests of other abnormal APIs, and the characteristics of the calling requests of the abnormal APIs are determined according to the clustering result, so that reference is provided for analyzing the calling requests of the abnormal APIs.
In some embodiments, in the event that the token is invalid, a second detection is performed in the simulation environment to determine whether an attack behavior occurs during the call of the corresponding first API; and if an attack behavior occurs, clustering is performed again, and the correspondence between the commonality characteristic of abnormal API call requests and the category of the attack behavior is determined according to the clustering result.
In this way, the corresponding relation between the abnormal API call request characteristics and the attack behavior categories is determined through the clustering result, so that the corresponding attack behavior categories can be shown on the basis of rejecting the API call requests with the same or similar characteristics in advance (namely before the third detection is executed) under the condition that the API call requests are received again, and the efficiency of distinguishing the normal API call requests from the abnormal API call requests is improved.
FIG. 2 is a flow diagram of a security protection method according to other embodiments of the present disclosure.
At step 202, a call request for a first API is received.
At step 204, a first detection is performed on the call request of the first API to determine whether the call request of the first API is normal. Here, the first detection includes at least one of the aforementioned plurality of detections. If the result of the first detection is normal, step 206 is executed; if the result of the first detection is abnormal, step 216 is executed to reject the call request of the first API.
In step 206, a third detection is performed to detect whether the token carried by the call request of the first API is valid. If the token is valid, step 208 is performed, i.e. the first API is allowed to be called; if the token is invalid, step 218 is performed.
At step 210, a function call chain composed of a plurality of functions called during the calling process of the first API is monitored and the function call chain is input into a machine learning model. Here, in the function call chain, the plurality of functions are arranged in the order in which they are called.
In step 212, the machine learning model determines whether the call request of the first API is normal. If it is normal, step 214 is executed, i.e. the call of the first API continues; if it is abnormal, step 218 is performed.
At step 218, a second detection is performed in the simulation environment to determine whether an attack behavior occurs during the call of the first API. If no attack behavior occurs, step 214 is executed; if an attack behavior occurs, step 220 is performed.
In step 220, the call request of the first API is clustered with the call requests of other abnormal APIs, and the corresponding relationship between the characteristics of the abnormal API call request and the category of the attack behavior is determined according to the clustering result.
In the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same or similar parts in the embodiments are referred to each other. For the device embodiment, since it basically corresponds to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
FIG. 3 is a schematic structural diagram of a security protection apparatus according to some embodiments of the present disclosure.
As shown in FIG. 3, the security protection apparatus includes a monitoring module 301 and a determination module 302.
The monitoring module 301 is configured to monitor a function call chain composed of a plurality of functions called in the call process of the first API, where the functions are sequentially arranged according to the calling order in the function call chain.
The determination module 302 is configured to input a chain of function calls into a machine learning model to determine whether a call request of the first API is normal.
In some embodiments, the safety device may further include other modules to perform the safety method of any of the above embodiments.
Figure 4 is a schematic structural view of a safety shield apparatus according to still further embodiments of the present disclosure.
As shown in fig. 4, the safety device 400 includes a memory 401 and a processor 402 coupled to the memory 401, the processor 402 being configured to perform the method of any of the above embodiments based on instructions stored in the memory 401.
The memory 401 may include, for example, a system memory, a fixed non-volatile storage medium, and the like. The system memory may store, for example, an operating system, application programs, a Boot Loader (Boot Loader), and other programs.
The safety shield apparatus 400 may also include an input output interface 403, a network interface 404, a storage interface 405, and the like. The interfaces 403, 404, 405, and the memory 401 and the processor 402 may be connected by a bus 406, for example. The input/output interface 403 provides a connection interface for input/output devices such as a display, a mouse, a keyboard, and a touch screen. The network interface 404 provides a connection interface for various networking devices. The storage interface 405 provides a connection interface for external storage devices such as an SD card and a usb disk.
The disclosed embodiments also provide a computer-readable storage medium comprising computer program instructions, which when executed by a processor, implement the method of any of the above embodiments.
The disclosed embodiments also provide a computer program product comprising a computer program that, when executed by a processor, implements the method of any of the above embodiments.
Thus, various embodiments of the present disclosure have been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. Those skilled in the art can now fully appreciate how to implement the teachings disclosed herein, in view of the foregoing description.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that the functions specified in one or more of the flows in the flowcharts and/or one or more of the blocks in the block diagrams can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be understood by those skilled in the art that various changes may be made in the above embodiments or equivalents may be substituted for elements thereof without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (14)

1. A security protection method, comprising:
monitoring a function call chain consisting of a plurality of functions called in the calling process of a first application programming interface (API), wherein in the function call chain the functions are arranged in order of calling; and
inputting the function call chain into a machine learning model to determine whether a call request of the first API is normal.
2. The method of claim 1, further comprising:
monitoring at least one preset function called in the calling process of the first API, wherein the plurality of functions comprise the at least one preset function; and
determining the other functions, apart from the at least one preset function, among the plurality of functions according to the context of the code corresponding to each preset function.
3. The method of claim 1, further comprising:
performing a first detection on the call request of the first API to determine whether the call request of the first API is normal; and
allowing the first API to be called if the result of the first detection is normal;
wherein the first detection comprises at least one of the following detections, and the result of the first detection is normal if the result of each of the at least one detection is yes:
detecting whether the value type of the call request of the first API belongs to a preset value type;
detecting whether the length range of the call request of the first API belongs to a preset length range;
detecting whether the size range of the call request of the first API belongs to a preset size range;
detecting whether the call request of the first API does not contain a Structured Query Language (SQL) statement; and
detecting whether the call request of the first API does not contain characters that do not match the value type of the call request of the first API.
4. The method of claim 3, further comprising:
clustering the call request of the first API with call requests of other abnormal APIs under the condition that a preset condition is met, wherein the preset condition comprises that the machine learning model determines that the call request of the first API is abnormal;
and determining the common characteristics of the abnormal API call requests according to the clustering result.
5. The method of claim 4, further comprising:
in the case that the machine learning model determines that the call request of the first API is abnormal, performing a second detection in a simulation environment to judge whether an attack behavior occurs in the call process of the first API;
under the condition that an attack behavior occurs, determining the corresponding relation between the common characteristic of an abnormal API call request and the category of the attack behavior according to the clustering result;
wherein the preset condition further comprises that the result of the second detection is the occurrence of an attack behavior.
6. The method of claim 4 or 5, further comprising:
performing the first detection with a second API as the first API;
wherein the at least one detection further comprises detecting whether the call request of the second API has the common characteristic.
7. The method of claim 5, further comprising:
determining that the call request of the first API is normal in the case that no attack behavior occurs.
8. The method of claim 5, wherein the attack behavior comprises at least one of tampering with a system file and obtaining root rights.
9. The method of claim 5, wherein call requests of the first API are replicated into the simulation environment by way of traffic mirroring to perform the second detection.
10. The method of claim 3, wherein, in the event that the result of the first detection is normal, allowing the first API to be called comprises:
executing third detection to detect whether a token carried by the call request of the first API is valid or not under the condition that the result of the first detection is normal;
allowing the first API to be called if the token is valid;
in the event that the token is invalid, not allowing the first API to be called.
11. A security protection apparatus, comprising:
the monitoring module is configured to monitor a function call chain consisting of a plurality of functions called in the calling process of the first application programming interface API, and the functions are sequentially arranged in the function call chain according to the calling sequence;
a determination module configured to input the chain of function calls into a machine learning model to determine whether a call request of the first API is normal.
12. A security protection apparatus, comprising:
a memory; and
a processor coupled to the memory and configured to perform the method of any of claims 1-10 based on instructions stored in the memory.
13. A computer readable storage medium comprising computer program instructions, wherein the computer program instructions, when executed by a processor, implement the method of any of claims 1-10.
14. A computer program product comprising a computer program, wherein the computer program when executed by a processor implements the method of any one of claims 1-10.
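Claims 3 to 10 describe the pipeline around the model: a rule-based first detection on the request, a third detection of the token it carries, and a feedback loop in which requests that the simulation environment confirmed as attacks are clustered so that their common characteristic becomes an additional check for a second API. The following Python example is added here by the editor and is not the patent's own code. The per-API specifications, the HMAC key, the feature tags, the Jaccard threshold, the single-pass clustering and the attack labels are all constructed for the example; the second detection itself (replaying mirrored traffic in a sandbox and watching for system-file tampering or root acquisition) is represented only by its outcome label.

```python
import hashlib
import hmac
import json
import re
from collections import Counter
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed for this example: per-API value type, length range and request size range.
API_SPECS = {"get_user": {"type": int, "length": (1, 16), "size": (1, 96)},
             "get_file": {"type": str, "length": (1, 64), "size": (1, 160)}}
SECRET = b"example-only-hmac-key"   # constructed key for the third detection's tokens
SQL_KEYWORD = re.compile(r"\b(select|union|insert|update|delete|drop|or|and)\b", re.I)
FEATURE_RULES = {   # characteristics of a call request used for clustering (claims 4 to 6)
    "quote": lambda p: "'" in p or '"' in p,
    "sql_keyword": lambda p: bool(SQL_KEYWORD.search(p)),
    "comment": lambda p: "--" in p or "/*" in p,
    "dotdot": lambda p: ".." in p,
    "slash": lambda p: "/" in p or "\\" in p,
}
Signatures = Dict[FrozenSet[str], str]   # common characteristic -> attack category

def request_features(param: str) -> FrozenSet[str]:
    return frozenset(tag for tag, rule in FEATURE_RULES.items() if rule(param))

def first_detection(api: str, param: str, signatures: Optional[Signatures] = None) -> List[str]:
    """Claim 3's checks plus claim 6's learned check; returns the failed checks (empty = normal)."""
    spec = API_SPECS[api]
    body = json.dumps({"api": api, "param": param}).encode()   # the whole call request
    failed = []
    if spec["type"] is int:
        try:
            int(param)
        except ValueError:
            failed.append("value_type")
        if any(c not in "0123456789-" for c in param):
            failed.append("type_mismatched_chars")
    if not spec["length"][0] <= len(param) <= spec["length"][1]:
        failed.append("length_range")
    if not spec["size"][0] <= len(body) <= spec["size"][1]:
        failed.append("size_range")
    if SQL_KEYWORD.search(param) and any(d in param for d in ("'", ";", "--")):
        failed.append("sql_statement")
    for common, category in (signatures or {}).items():
        if common <= request_features(param):
            failed.append("learned:" + category)
    return failed

def cluster_attacks(records, min_jaccard=0.5) -> Signatures:
    """Claims 4 and 5: single-pass clustering of feature sets of confirmed attacks; each
    cluster's common characteristic (intersection of members) maps to its majority label."""
    clusters: List[Tuple[set, List[str]]] = []
    for features, category in records:
        if category is None:   # preset condition not met: the second detection saw no attack
            continue
        for common, labels in clusters:
            union = common | features
            if union and len(common & features) / len(union) >= min_jaccard:
                common &= features
                labels.append(category)
                break
        else:
            clusters.append((set(features), [category]))
    return {frozenset(c): Counter(lbl).most_common(1)[0][0] for c, lbl in clusters if c}

def issue_token(subject: str, expires_at: int) -> str:
    msg = f"{subject}:{expires_at}"
    return msg + ":" + hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def token_valid(token: str, now: int) -> bool:
    """Claim 10's third detection: the MAC must verify and the token must not have expired."""
    try:
        subject, expires_at, mac = token.rsplit(":", 2)
        expected = hmac.new(SECRET, f"{subject}:{expires_at}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, expected) and int(expires_at) > now
    except ValueError:
        return False

def admit(api: str, param: str, token: str, signatures: Optional[Signatures], now: int):
    """Claims 3 and 10 in order: first detection, then the token check, then allow."""
    failed = first_detection(api, param, signatures)
    if not failed and not token_valid(token, now):
        failed = ["token_invalid"]
    return not failed, failed

def demo() -> Dict[str, object]:
    # Constructed abnormal requests paired with the (simulated) second detection's outcome.
    confirmed = [("1' OR '1'='1", "obtain_root"), ("1' UNION SELECT 1--", "obtain_root"),
                 ("../../etc/passwd", "tamper_system_file"),
                 ("..\\..\\windows\\win.ini", "tamper_system_file"),
                 ("abc", None)]   # anomalous for the model, but no attack observed
    signatures = cluster_attacks([(request_features(p), label) for p, label in confirmed])
    token = issue_token("alice", expires_at=2000)
    return {"signatures": signatures,
            "normal": admit("get_user", "42", token, signatures, now=1000),
            "injection": admit("get_user", "1' OR '1'='1", token, signatures, now=1000),
            "second_api": admit("get_file", "../../var/log/syslog", token, signatures, now=1000)}
```

In demo() the two injection-style requests collapse into one cluster whose common characteristic is {quote, sql_keyword} and the two traversal-style requests into another with {dotdot, slash}; the record whose second detection observed no attack is left out, which is the preset condition of claim 5. The learned characteristic of the traversal cluster then rejects a request to get_file, an API that was never part of the clustering, which is the point of claim 6. The order in admit matters: the cheap first detection runs before the MAC verification, so a request that fails validation never reaches the cryptographic check, and an invalid or expired token is rejected only after the request itself has passed.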
CN202211519947.4A 2022-11-30 2022-11-30 Security protection method, device and computer readable storage medium Pending CN115859282A (en)

Publications (1)

Publication Number Publication Date
CN115859282A true CN115859282A (en) 2023-03-28

Family

ID=85668307

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211519947.4A Pending CN115859282A (en) 2022-11-30 2022-11-30 Security protection method, device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN115859282A (en)

Similar Documents

Publication Publication Date Title
CN106055980B (en) A kind of rule-based JavaScript safety detecting method
CN106570399B (en) A kind of detection method of across App inter-module privacy leakage
CN109325193B (en) WAF normal flow modeling method and device based on machine learning
CN104462962B (en) A kind of method for detecting unknown malicious code and binary vulnerability
CN109101815B (en) Malicious software detection method and related equipment
CN109255240B (en) Vulnerability processing method and device
CN107016298B (en) Webpage tampering monitoring method and device
CN106599688A (en) Application category-based Android malicious software detection method
CN109711163A (en) Android malware detection method based on API Calls sequence
CN109543408A (en) A kind of Malware recognition methods and system
CN110719278A (en) Method, device, equipment and medium for detecting network intrusion data
CN112817877B (en) Abnormal script detection method and device, computer equipment and storage medium
CN111291377A (en) Application vulnerability detection method and system
EP4137976A1 (en) Learning device, detection device, learning method, detection method, learning program, and detection program
CN115859282A (en) Security protection method, device and computer readable storage medium
CN108509796B (en) Method for detecting risk and server
CN107402883B (en) A kind of data test treating method and apparatus
CN105787369A (en) Android software security analysis method based on slice measurement
CN104252595B (en) Application program analysis method and device and client
CN115373984A (en) Code coverage rate determining method and device
CN109271781B (en) Method and system for detecting super authority obtaining behavior of application program based on kernel
CN111190813B (en) Android application network behavior information extraction system and method based on automatic testing
CN114547610A (en) File detection method, device and equipment
CN111934949A (en) Safety test system based on database injection test
CN114745722B (en) Short message platform security audit verification method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination