CN116055587A - Method and device for realizing hierarchical classification of API (application program interface) assets

Info

Publication number
CN116055587A
Authority
CN (China)
Prior art keywords
api, api interface, interface, determining, asset
Legal status
Pending
Application number
CN202211499604.6A
Other languages
Chinese (zh)
Inventor
何文娟
Current Assignee
Unihub China Information Technology Co Ltd
Original Assignee
Unihub China Information Technology Co Ltd
Application filed by Unihub China Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a method and a device for realizing hierarchical classification of API assets. The method comprises the following steps: parsing the captured request message and response message of an API interface to obtain the basic information and the metadata of the API interface; determining the service type of the API interface from its basic information, and determining the data type of the API interface by further combining its metadata; and determining the asset classification of the API interface from its service type and its data type. The method and the device improve the efficiency and accuracy of API interface asset management.

Description

Method and device for realizing hierarchical classification of API (application program interface) assets
Technical Field
The invention relates to the technical field of communication, in particular to a method and a device for realizing hierarchical classification of API assets.
Background
With internet applications becoming more diverse, more complex and more service-oriented, application architectures in more and more scenarios use Application Programming Interfaces (APIs) for data transmission and control flow between applications; with the growth of big data applications, the volume and sensitivity of the data that API interfaces carry also keep increasing.
An API interface serves as a channel for data transmission and is involved in many stages of the data life cycle. In recent years, security incidents have occurred worldwide because API interfaces were not managed in a standardized way. Accordingly, the data security standards system of the telecommunications and internet industry establishes standards for data classification and grading.
Disclosure of Invention
In view of this situation, the invention provides a method and a device for realizing classification and grading of API assets. By deeply analyzing the request message and the response message of an API interface and combining them with the service scenario, multi-dimensional asset classification of API assets is realized, which improves the management efficiency and accuracy of API assets.
To achieve the above purpose, the present invention adopts the following technical scheme:
In an embodiment of the present invention, a method for implementing hierarchical classification of API assets is provided, the method comprising:
parsing the captured request message and response message of an API interface to obtain the basic information of the API interface and the metadata of the API interface;
determining the service type of the API interface from its basic information, and determining the data type of the API interface by combining its metadata;
and determining the asset classification of the API interface from its service type and its data type.
Further, the relation between the request path of the API interface and the domain name of the site it belongs to is determined;
the request paths of the API interfaces are processed hierarchically, with URL request paths decomposed and merged according to a tree structure;
and the overall service hierarchy of the API interface is determined from the hierarchy of the domain name of the site it belongs to together with the hierarchy of the associated request paths.
Further, the domain name of the site to which the API interface belongs and the request path of the API interface are analyzed to determine the service type of the API interface.
Further, the different layers of the request path of the API interface are labeled, and the labels can be associated with service types of the API interface; the request path of each API interface may carry multiple labels, each in a different dimension.
Further, the data type of the API interface is determined from the request parameters of the API interface combined with the analysis of its metadata.
Further, the metadata of the API interface is labeled according to the result of the metadata analysis; the labels can be associated with data types of the API interface, each label identifying a different data type; the data information associated with the asset of the API interface is determined from its data type, and the hierarchical classification of the API interface is determined by combining its service type.
Further, the service type of an API interface has multiple dimensions, each type of service has multiple levels, and the data type of an API interface has multiple levels; the asset classification hierarchy of the API interface is determined in any chosen dimension by combining its service type with its data type.
Further, the asset priority of the API interface is determined from the priority of its service type and the priority of its data type; the asset classification of the API interface is determined from the hierarchy of its service type and the class of its data type, and when the two priorities differ, the higher one governs; one API interface asset may be partitioned in multiple dimensions.
Further, different protection strategies are applied according to the asset classification of the API interface, and the asset protection strategy of the API interface is adjusted in real time as the labels of the API interface change.
In an embodiment of the present invention, an apparatus for implementing hierarchical classification of API assets is further provided, where the apparatus includes:
a message parsing module, for parsing the captured request message and response message of an API interface and obtaining the basic information and the metadata of the API interface;
a label management module, for managing labels, where a label comprises a label name, type, security level, paranoid level, enabled flag, detection mode, detection object, rule content, sample data and test result;
a service and data type determining module, for determining the service type of the API interface from its basic information and the data type of the API interface by combining its metadata;
and an asset classification determining module, for determining the asset classification of the API interface from its service type and its data type.
Further, the relation between the request path of the API interface and the domain name of the site it belongs to is determined;
the request paths of the API interfaces are processed hierarchically, with URL request paths decomposed and merged according to a tree structure;
and the overall service hierarchy of the API interface is determined from the hierarchy of the domain name of the site it belongs to together with the hierarchy of the associated request paths.
Further, the domain name of the site to which the API interface belongs and the request path of the API interface are analyzed to determine the service type of the API interface.
Further, the different layers of the request path of the API interface are labeled, and the labels can be associated with service types of the API interface; the request path of each API interface may carry multiple labels, each in a different dimension.
Further, the data type of the API interface is determined from the request parameters of the API interface combined with the analysis of its metadata.
Further, the metadata of the API interface is labeled according to the result of the metadata analysis; the labels can be associated with data types of the API interface, each label identifying a different data type; the data information associated with the asset of the API interface is determined from its data type, and the hierarchical classification of the API interface is determined by combining its service type.
Further, the service type of an API interface has multiple dimensions, each type of service has multiple levels, and the data type of an API interface has multiple levels; the asset classification hierarchy of the API interface is determined in any chosen dimension by combining its service type with its data type.
Further, the asset priority of the API interface is determined from the priority of its service type and the priority of its data type; the asset classification of the API interface is determined from the hierarchy of its service type and the class of its data type, and when the two priorities differ, the higher one governs; one API interface asset may be partitioned in multiple dimensions.
Further, different protection strategies are applied according to the asset classification of the API interface, and the asset protection strategy of the API interface is adjusted in real time as the labels of the API interface change.
In an embodiment of the present invention, a computer device is also provided, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the above method for hierarchical classification of API assets when executing the computer program.
In an embodiment of the invention, a computer-readable storage medium is also provided, storing a computer program that, when executed, performs the above method for hierarchical classification of API assets.
The beneficial effects are that:
the invention improves the management efficiency and accuracy of API assets through deep analysis of the request message and the response message of the API interface and through multiple data identification and data classification methods.
Drawings
FIG. 1 is a flow diagram of a method for implementing hierarchical classification of API assets in accordance with the present invention;
FIG. 2 is a system interaction diagram of an embodiment of the present invention;
FIG. 3 is a diagram of the overall hierarchical relationship of the services corresponding to the API interface according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an implementation of hierarchical classification of API assets in accordance with the present invention;
FIG. 5 is a schematic diagram of a computer device according to the present invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, with the understanding that these embodiments are merely provided to enable those skilled in the art to better understand and practice the invention and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
It will be appreciated by those skilled in the art that embodiments of the present invention may be implemented as a system, an apparatus, a device, a method or a computer program product. Accordingly, the present disclosure may be embodied in the following forms: entirely hardware, entirely software (including firmware, resident software, microcode, etc.), or a combination of hardware and software.
According to the embodiments of the invention, a method and a device for realizing hierarchical classification of API assets are provided, which improve the efficiency and accuracy of API asset management.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments thereof.
FIG. 1 is a flow chart of a method for implementing hierarchical classification of API assets according to the present invention. As shown in FIG. 1, the method includes:
S1, acquiring the traffic of the API interface;
here, traffic is the collective term for the request messages and response messages of the API interface.
Specifically, the traffic of the API interface is captured by port mirroring, a probe, or similar means.
S2, parsing the request message and the response message of the API interface;
the request message and the response message of the API interface are parsed according to the network layering model and the protocol type, the metadata in the request message and the response message is analyzed, and the basic information and the metadata of the API interface are obtained.
The network layering model here mainly refers to the OSI model, and the protocol types include TCP, UDP, HTTP, HTTPS, WebSocket and so on.
Specifically, according to the OSI model, layered parsing of the network layer, the transport layer and the application layer is performed. Taking HTTP as an example, the request header, request body (entity), response header and response body of the HTTP exchange are parsed according to the HTTP message format, and at the same time the metadata in the request body and response body is analyzed, including fields in XML, JSON and similar formats.
The basic information here includes the protocol type, protocol version, request path, request method (action), Host header, X-Forwarded-For (XFF) header, User-Agent (UA), Cookie, source address, destination address, port number and so on. The metadata mainly refers to the fields and contents of the body parts of the request message and the response message, including the fields and contents obtained by parsing XML or JSON.
S3, determining the service type of the API interface and determining the data type of the API interface;
the service type of the API interface is determined from its basic information, and the data type of the API interface is determined by combining its metadata.
The service type here includes a service name, the dimension the service belongs to, a parent node and a priority, and a service type may be associated with labels. The parent node identifies the hierarchical relationship between service types.
The data type here includes a data type name and a priority.
First, the relation between the request PATH of the API interface and its site is determined; then the request PATHs of the API interfaces are processed hierarchically, with the URL request PATHs decomposed and merged according to a tree structure.
The overall service hierarchy of the API interface is determined from the hierarchy of the domain name of the site it belongs to together with the hierarchy of the associated request PATHs.
The domain name of the site to which the API interface belongs and the request PATH of the API interface are analyzed by a short text analysis method to determine the service type of the API interface.
In implementation, the site corresponding to an API asset can be determined from the Host information in the HTTP message, and the API assets under a tenant are determined from the relation between the tenant and the site;
in implementation, the different layers of the request PATH of the API interface can be labeled, and the labels are associated with service types. The request PATH of each API interface may carry multiple labels, each in a different dimension.
Specifically, service types may have multiple dimensions: they may be classified by content into personal information, banking service, operation service and so on, or by organization, or by service system, or by the region the service belongs to.
Each type of service may have multiple levels; banking, for example, is subdivided into loan, deposit and so on.
From the request parameters in the request message of the API interface and the metadata in the request message and the response message (taking HTTP as an example, the fields and data of the HTTP headers and the body content can be analyzed), the data type of the API interface is determined using regular expressions, dictionaries, short text analysis and clustering algorithms;
in implementation, the metadata of the API interface can be labeled according to the result of the metadata analysis, each label identifying a different data type and being associated with that data type, and the data information associated with the asset of the API interface is determined from its data type.
In implementation, the service type of the API interface has multiple levels and multiple dimensions, and the data type of the API interface has multiple levels; the asset classification hierarchy of the API interface is determined in any chosen dimension by combining its service type with its data type.
S4, determining the classification and grading of the API interface asset by combining the service type and the data type.
Combining the service type and the data type of the API interface, the asset priority of the API interface is determined from the priority of its service type and the priority of its data type, and the asset classification of the API interface is determined from the hierarchy of its service type and the class of its data type; when the two priorities differ, the higher one governs. One API interface asset may be partitioned in multiple dimensions.
In implementation, the metadata of the API interface can be labeled according to the result of the metadata analysis, each label identifying a different data type and being associated with that data type; the data information associated with the asset of the API interface is determined from its data type, and the asset classification of the API interface is determined by combining its service type.
The request PATH of the API interface is divided hierarchically and the service type is determined from the information in the request PATH; further, the request message and the response message of the API interface are combined with regular expressions, dictionaries, short text analysis and clustering algorithms to identify and score the API interface and its messages, and security staff verify the request message and the response message.
The asset classification of the API interface provides a foundation for its risk management and security protection, and different protection measures can be applied according to the asset classification, for example different protection strategies for registration, login, red-packet grabbing and similar interfaces.
In implementation, changes in the labels of the API interface can be compared so that asset changes of the API interface are discovered in time, and the asset protection strategy of the API interface is adjusted in time according to those changes.
It should be noted that although the operations of the method of the present invention are described in a particular order in the above embodiments and the accompanying drawings, this does not require or imply that the operations must be performed in the particular order or that all of the illustrated operations be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
In order to explain the implementation of hierarchical classification of API assets more clearly, a specific embodiment is described below; it should be noted that this embodiment only serves to illustrate the present invention better and is not meant to limit it unduly.
Examples:
S1, acquiring the traffic of the API interface;
specifically, the traffic of the API interface is captured by port mirroring, a probe, or similar means and sent to the API analysis system.
Here, traffic is the collective term for the request messages and response messages of the API interface.
The node in FIG. 2 may be an API gateway or NGINX (open source software); different technologies have different collection modes. Traffic may also be collected by eBPF (extended BPF) or an agent (probe), or at multiple collection points.
The traffic collection mode does not affect the embodiment of the invention.
S2, parsing the request message and the response message of the API interface;
the request message and the response message of the API interface are parsed according to the network layering model and the protocol type, and the metadata in the request message and the response message is analyzed to obtain the basic information and the metadata of the API interface.
The network layering model here mainly refers to the OSI model, and the protocol types include TCP, UDP, HTTP, HTTPS, WebSocket and so on.
This embodiment takes HTTP as an example; the invention is equally applicable to other protocols, such as WebSocket (an application-layer protocol).
Specifically, according to the OSI model, layered parsing of the network layer, the transport layer and the application layer is performed. Taking HTTP as an example, the request header, request body (entity), response header and response body are parsed according to the HTTP message format, and at the same time the metadata in the request body and response body is analyzed, including fields in XML, JSON and similar formats.
Specifically, for HTTPS, SSL/TLS offloading (decryption) is performed first.
Taking HTTP as an example, the request PATH, request parameters, protocol version, request method (action), User-Agent (UA), Cookie, Host and so on of the API interface are obtained by parsing.
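Both descriptions of step S2 (the one in the method above and this one in the embodiment) stop at listing what is extracted. The following Python is an added example, not code from the patent or from Unihub: it parses one constructed request/response pair (already TLS-offloaded, as the embodiment requires) into the basic information and the flattened body metadata that steps S3 and S4 consume. The sample messages, addresses, header values and body fields are constructed; XML bodies are left out.

```python
import json
from typing import Any
from urllib.parse import parse_qsl

# Constructed sample capture: one HTTP request/response pair as mirrored to the
# analysis system after TLS offloading. Hosts, paths, header values and body
# fields are made up for this example.
SAMPLE_FLOW = {"src": "10.0.0.5", "dst": "10.0.1.20", "dport": 443}
SAMPLE_REQUEST = (
    "POST /api/product/ecs/login?lang=zh HTTP/1.1\r\n"
    "Host: product.ctyun.com\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 12) ExampleApp/3.1\r\n"
    "Cookie: session=abc123; role=user\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"username": "alice", "phone": "13812345678", "device": {"os": "android"}}'
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"code": 0, "data": {"token": "eyJhbGciOi...", "id_card": "110101199001011234"}}'
)


def split_message(raw: str) -> tuple[str, dict[str, str], str]:
    """Split one HTTP message into its start line, a lower-cased header map and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested JSON into dotted field paths: {"a": {"b": 1}} -> {"a.b": 1}."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def parse_body(headers: dict[str, str], body: str) -> dict[str, Any]:
    """Metadata of one message: JSON bodies are flattened; malformed or non-JSON bodies give {}."""
    if "json" in headers.get("content-type", "") and body:
        try:
            return flatten(json.loads(body))
        except json.JSONDecodeError:
            return {}
    return {}


def parse_api_call(raw_request: str, raw_response: str, flow: dict) -> tuple[dict, dict]:
    """Return (basic information, metadata) for one captured request/response pair."""
    request_line, req_headers, req_body = split_message(raw_request)
    method, target, version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    status_line, resp_headers, resp_body = split_message(raw_response)
    cookie = req_headers.get("cookie", "")
    basic = {
        "protocol": "HTTP",
        "version": version.split("/", 1)[1],
        "method": method,
        "path": path,
        "query": dict(parse_qsl(query)),
        "host": req_headers.get("host", ""),
        "xff": req_headers.get("x-forwarded-for", ""),
        "ua": req_headers.get("user-agent", ""),
        "cookie": dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p),
        "status": int(status_line.split(" ")[1]),
        "src": flow["src"],      # transport-layer facts come from the mirrored packet
        "dst": flow["dst"],
        "dport": flow["dport"],
    }
    metadata = {
        "request": parse_body(req_headers, req_body),
        "response": parse_body(resp_headers, resp_body),
    }
    return basic, metadata


if __name__ == "__main__":
    info, meta = parse_api_call(SAMPLE_REQUEST, SAMPLE_RESPONSE, SAMPLE_FLOW)
    print(json.dumps(info, indent=2))
    print(json.dumps(meta, indent=2))
```

The flattened field paths (for example `data.id_card`) are what the label rules of step (5) inspect, so every nested JSON key ends up as a single addressable detection object.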
S3, determining the service type of the API interface and determining the data type of the API interface;
the service type of the API interface is determined from its basic information, and the data type of the API interface is determined by combining its metadata.
The service type here includes a service name, the dimension the service belongs to, a parent node and a priority, and a service type may be associated with labels. The parent node identifies the hierarchical relationship between service types.
The first step: determining the service hierarchy of the API interface;
(1) First, the relation between the request PATH of the API interface and the domain name is constructed, and the site corresponding to the API interface is determined from the Host information in the HTTP message;
in this embodiment, a site and a domain name are treated as equivalent.
In a multi-tenant scenario, the site corresponding to an API interface is determined from the Host information in the HTTP message, and the API interfaces under a tenant are determined from the relation between the tenant and the site. The analysis of the request PATHs of all API interfaces is always relative to a particular site.
If the domain name in Host has a multi-level structure, a hierarchy diagram of the domain names is constructed first.
For example, mark.ctyun.com and product.ctyun.com (example domain names) both belong to the sub-level of ctyun.com (example root domain name).
(2) The hierarchy of the request PATHs of the API interfaces is established, and the URL request PATHs are decomposed and merged according to a tree structure;
specifically, a request PATH generally has a format such as /api/product/ecs/ or /api/product/vms/ (example request PATHs of API interfaces).
Specifically, taking a prefix tree as an example, the request PATHs of the API interfaces are inserted into the prefix tree, different branches are split apart and identical layers are merged. Taking the example request PATHs above, vms and ecs are different branch points, while /api/product belongs to the same branch and is the common parent node of vms and ecs.
(3) The hierarchy of the request PATHs of the associated API interfaces is determined according to the hierarchy of the domain name of the site the API interface belongs to;
as shown in FIG. 3: specifically, /api/product/ecs/ (the ecs product) belongs to the site product.ctyun.com.
(4) The domain name and the request PATH of the API interface are analyzed by a short text analysis method to determine the service type of the API interface.
In a specific implementation, the request PATH corresponding to the API interface is split on "/", each resulting token is analyzed and combined, and the service type of the API interface is determined; for example, ecs is a virtual machine service and login is a login interface.
In implementation, the different layers of the request PATH of the API interface are labeled according to the short text analysis result, and the labels are associated with the service types of the API interface. The request PATH of each API interface may be made up of multiple labels, each in a different dimension.
For example: the label of api/product is "product", and the label of ecs is "cloud host".
Specifically, the service types of API interfaces may have multiple dimensions: they may be classified by content into personal information, banking service, operation service and so on, or by organization, or by service system, or by the region the service belongs to.
Each type of service may have multiple levels; banking, for example, is subdivided into loan, deposit and so on.
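Steps (1) to (4) above, as an added Python example that is not part of the patent: a domain hierarchy is derived from the Host header, one prefix tree per site merges and branches the request PATHs, and the layers of a PATH are labeled. The hosts, paths and the segment label dictionary are constructed; the dictionary lookup stands in for the short text analysis that the patent leaves unspecified.

```python
from collections import defaultdict

# Constructed capture: (Host header, request PATH) pairs as obtained from step S2.
# Domain names and paths follow the patent's examples but are otherwise made up.
ROOT_DOMAIN = "ctyun.com"
SAMPLE_APIS = [
    ("product.ctyun.com", "/api/product/ecs/"),
    ("product.ctyun.com", "/api/product/ecs/login"),
    ("product.ctyun.com", "/api/product/vms/"),
    ("mark.ctyun.com", "/api/mark/campaign"),
]
# Constructed label dictionary for PATH layers; a stand-in for the short text
# analysis, which the patent does not specify. Keys may span several layers.
SEGMENT_LABELS = {
    "api/product": "product",
    "ecs": "cloud host",
    "vms": "virtual machine",
    "login": "login interface",
    "api/mark": "marketing",
}


class PathTrie:
    """Prefix tree over PATH segments: shared prefixes merge, differing ones branch."""

    def __init__(self) -> None:
        self.children: dict[str, "PathTrie"] = {}

    def insert(self, segments: list[str]) -> None:
        node = self
        for seg in segments:
            node = node.children.setdefault(seg, PathTrie())

    def children_of(self, segments: list[str]) -> set[str]:
        """Names of the branches directly below the given prefix (empty if absent)."""
        node = self
        for seg in segments:
            node = node.children.get(seg)
            if node is None:
                return set()
        return set(node.children)


def path_segments(path: str) -> list[str]:
    return [seg for seg in path.split("/") if seg]


def domain_chain(host: str, root: str) -> list[str]:
    """Hierarchy from the root domain down to the host, e.g. [ctyun.com, product.ctyun.com]."""
    labels = host.split(".")
    root_len = len(root.split("."))
    return [".".join(labels[i:]) for i in range(len(labels) - root_len, -1, -1)]


def build_site_tries(apis) -> dict[str, PathTrie]:
    """One prefix tree per site (the patent treats site and domain name as equivalent)."""
    tries: dict[str, PathTrie] = defaultdict(PathTrie)
    for host, path in apis:
        tries[host].insert(path_segments(path))
    return tries


def overall_hierarchy(host: str, path: str, root: str = ROOT_DOMAIN) -> list[str]:
    """Domain hierarchy followed by PATH hierarchy, as in FIG. 3 of the patent."""
    return domain_chain(host, root) + path_segments(path)


def label_layers(path: str, labels=SEGMENT_LABELS) -> list[tuple[str, str]]:
    """Label PATH layers, preferring the longest multi-segment key at each position."""
    segs = path_segments(path)
    tags: list[tuple[str, str]] = []
    i = 0
    while i < len(segs):
        for j in range(len(segs), i, -1):
            key = "/".join(segs[i:j])
            if key in labels:
                tags.append((key, labels[key]))
                i = j
                break
        else:
            i += 1  # unlabeled layer; left for clustering or manual review
    return tags


if __name__ == "__main__":
    tries = build_site_tries(SAMPLE_APIS)
    print("branches under /api/product:", tries["product.ctyun.com"].children_of(["api", "product"]))
    print(overall_hierarchy("product.ctyun.com", "/api/product/ecs/"))
    print(label_layers("/api/product/ecs/login"))
```

Keeping one trie per site matters for the multi-tenant case: the same PATH under two Host values is two assets, and merging them would attach one tenant's labels to the other's interface.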
A label is composed of a label name, the type it belongs to, a security level, a paranoid level, an enabled flag, a detection mode, a detection object, rule content, sample data, a test result and so on. The label name is unique. The type is either a service type or a data type, and the hierarchy of service types and data types is established as a tree structure. The paranoid level refers to how strictly or loosely the label is enforced, and each site or tenant may select a different paranoid level. The detection modes comprise regular expression, dictionary and short text. The detection object specifies what is to be inspected, namely the request header, request path, request parameters, Host, UA, Cookie, request body, response body and so on; the detection object may be a field in the message or the value corresponding to a field, and a label may specify that one or more elements are matched. The API analysis system assembles the parsed message and supplies the detection object to the label. The rule content specifies the rule for the corresponding matching mode, including the text of regular expressions and dictionary matches, logical operations, calculation functions and so on. The API analysis system analyzes and evaluates the content of the API request and response according to the specified rule content. The sample data is a sample of detection data corresponding to the label, and the test result is the result of executing the label against that sample.
In particular, different tenants or sites may select different labels.
(5) The metadata of the API interface is analysed with regular-expression, dictionary and short-text analysis and with clustering algorithms to determine the data type of the API interface.
In implementation, the metadata of the API interface is analysed with regular-expression, dictionary and short-text analysis and with clustering algorithms; according to the analysis result, the metadata is marked with the associated tags. Each tag identifies a data type, so the tags associate the API interface with its data type, and the data information associated with the API interface is determined from that data type.
Elements such as regular expressions and dictionaries are associated with tags: when the request content or response content of the API interface matches the rule, the corresponding tag is applied. Short-text analysis works the same way: its analysis result is associated with a tag, and when the corresponding content of the API interface matches that result, the tag is applied to the API interface.
Taking HTTP as an example, the request parameters of the API interface and the metadata in its request and response messages, including the HTTP headers and the entity body, are analysed field by field, and the data type of the API interface is determined with regular-expression, dictionary, short-text analysis and clustering algorithms.
In implementation, the service type of the API interface has multiple layers and multiple dimensions, and the data type of the API interface has multiple layers; the asset classification hierarchy of the API interface is determined in any chosen dimension by combining the service type to which the interface belongs with its data type.
In implementation, the URL request parameters and the User-Agent of the request message can be used to determine the user's device type, and the composition of the Cookie to determine the user type.
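The tag structure and the detection step above can be illustrated with a small rule engine. The following Python is an added example, not code from the patent or its applicant: it parses a constructed HTTP request and response into detection objects (path, parameters, Host, User-Agent, Cookie, headers, body), applies regular-expression and dictionary tags to them, honours the enabled flag, checks that tag names are unique, and runs each tag's rule over its own sample data to produce the test result. The tag library, the patterns, the "loose"/"strict" reading of the strictness level and the JSON decoding of bodies are assumptions; short-text analysis and clustering are not modelled.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed sample exchange for illustration (not captured traffic): a login call.
RAW_REQUEST = (
    b"POST /api/v1/user/login?from=app&ver=2 HTTP/1.1\r\nHost: shop.example.com\r\n"
    b"User-Agent: ShopApp/2.3 (Android 13)\r\nCookie: sid=abc123; role=vip\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"mobile":"13812345678","password":"Pa55w0rd!"}'
)
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    b'{"code":0,"id_card":"110101199003071234","token":"eyJhbGciOi..."}'
)

def _body(raw: bytes):
    """JSON bodies become field/value dicts so a tag can match a field or its value (assumption)."""
    text = raw.decode("utf-8", "replace")
    try:
        return json.loads(text)
    except ValueError:
        return text

def parse_message(raw: bytes) -> dict:
    """Split one HTTP message into the detection objects a tag may inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    objs = {"headers": headers, "body": _body(body)}
    if not lines[0].startswith("HTTP/"):          # request line rather than status line
        method, target, _ = lines[0].split(" ", 2)
        url = urlsplit(target)
        objs.update(method=method, path=url.path, params=dict(parse_qsl(url.query)),
                    host=headers.get("host", ""), ua=headers.get("user-agent", ""),
                    cookie=headers.get("cookie", ""))
    return objs

@dataclass(frozen=True)
class Tag:
    name: str            # unique
    belongs_to: str      # "data" or "service" (the patent's "belonging type")
    security_level: int  # higher = more sensitive
    mode: str            # "regex" or "dictionary"
    objects: tuple       # detection objects, e.g. "request.body", "response.body"
    rule: object         # compiled regex, or a frozenset of dictionary words
    sample: str          # sample data the rule is expected to hit
    enabled: bool = True

def _texts(value):
    """Flatten a detection object into strings: each field name and each value."""
    if isinstance(value, dict):
        for key, val in value.items():
            yield key
            yield from _texts(val)
    else:
        yield str(value)

def _hit(tag: Tag, text: str, paranoid: str) -> bool:
    """Assumed strictness semantics: 'strict' needs the whole value to match, 'loose' a substring."""
    if tag.mode == "regex":
        return bool(tag.rule.fullmatch(text) if paranoid == "strict" else tag.rule.search(text))
    low = text.lower()                            # dictionary mode
    return low in tag.rule if paranoid == "strict" else any(w in low for w in tag.rule)

def self_test(tag: Tag) -> bool:
    """The tag's 'test result': does its rule hit its own sample data?"""
    return _hit(tag, tag.sample, "loose")

def detect(tags: list, request: bytes, response: bytes, paranoid: str = "loose") -> dict:
    """Return {tag name: [detection objects that matched]} for one API exchange."""
    if len({t.name for t in tags}) != len(tags):
        raise ValueError("tag names must be unique")
    msgs = {"request": parse_message(request), "response": parse_message(response)}
    hits = {}
    for tag in tags:
        if not tag.enabled:
            continue
        for obj in tag.objects:
            side, _, key = obj.partition(".")
            if any(_hit(tag, t, paranoid) for t in _texts(msgs[side].get(key, ""))):
                hits.setdefault(tag.name, []).append(obj)
    return hits

# Hypothetical tag library; the patterns are illustrative, not production-grade.
TAGS = [
    Tag("cn_mobile", "data", 3, "regex", ("request.params", "request.body", "response.body"),
        re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"), "13900000000"),
    Tag("cn_id_card", "data", 4, "regex", ("request.body", "response.body"),
        re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"), "110101199001011234"),
    Tag("credential", "data", 4, "dictionary", ("request.body",),
        frozenset({"password", "passwd", "pwd"}), "password"),
    Tag("mobile_client", "service", 1, "dictionary", ("request.ua",),
        frozenset({"android", "iphone"}), "ShopApp/1.0 (Android)"),
    Tag("login_api", "service", 2, "regex", ("request.path",),
        re.compile(r"/login$"), "/api/v1/user/login"),
]
```

Calling `detect(TAGS, RAW_REQUEST, RAW_RESPONSE)` tags the exchange with all five tags; with `paranoid="strict"` only the three data tags survive, because the User-Agent and path tags rely on substring matches. Note that the detector evaluates every tag against every listed object, so a tag whose regex is expensive can make the analysis system a denial-of-service target of its own; keeping rules anchored and bounded, as the identity-number pattern is, matters in production.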
S4, determining the classification and grading of the assets of the API by combining the service type and the data type.
The service type and the data type of the API interface are combined: the asset priority of the interface is determined from the priority of its service type and the priority of its data type, and its asset classification from the hierarchical relationship of its service type and the class of its data type. If the two priorities differ, the higher one is taken as the reference. One API interface asset may be partitioned along multiple dimensions.
In implementation, the metadata of the API interface can be tagged according to the result of analysing it; each tag identifies a data type, the tags associate the interface with its data type, the data information associated with the interface's assets is determined from that data type, and the asset classification of the interface is then determined in combination with its service type.
The request path of the API interface is divided into layers and the service function of the path is determined from the information in it; the request and response messages of the interface are then combined with regular-expression, dictionary, short-text and clustering algorithms to identify and score the interface and its messages, and security staff verify the request and response messages.
The asset classification of an API interface provides the foundation for API risk management and security protection: different protection measures can be implemented according to the asset classification, for example different protection policies for registration, login and flash-sale purchase interfaces.
In implementation, the tags of an API interface can be compared over time to find asset changes promptly, and the asset protection policy of the interface adjusted accordingly.
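To make S4 concrete, the following Python is an added example, not the patent's code: it decomposes a request URL into domain layers and path layers, labels the path layers with hypothetical service tags, combines them with data tags of the kind message analysis produces, takes the higher of the two priorities, and compares two classifications of the same asset to flag tag changes as the paragraph above describes. The tag tables, the 1 (low) to 4 (high) priority scale, the policy table and the collapsing of identifier segments to `{id}` are assumptions.

```python
import re
from urllib.parse import urlsplit

# Illustrative tables only; the patent fixes no priority scale, tag library or policy table.
SERVICE_TAGS = {                      # path layer -> (service type hierarchy, priority 1..4)
    "user": ("account", 3),
    "login": ("account/auth", 4),
    "register": ("account/auth", 4),
    "order": ("trade", 3),
    "flashsale": ("trade/flash-sale", 4),
    "goods": ("catalog", 1),
}
DATA_TAGS = {                         # data tag from message analysis -> (data type hierarchy, priority)
    "cn_mobile": ("personal", 3),
    "cn_id_card": ("personal/identity", 4),
    "credential": ("secret", 4),
    "price": ("business", 1),
}
PRIORITY_POLICY = {1: "monitor", 2: "monitor+rate-limit",
                   3: "auth+rate-limit", 4: "auth+rate-limit+mask-response"}

# Identifier-like segments (numbers, hex, UUIDs) collapse to {id} so that one API
# is one asset regardless of the record it addresses.
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8,}|[0-9a-f-]{36})$")

def decompose(url: str):
    """Domain layers (root first) plus request-path layers form one tree-shaped hierarchy."""
    u = urlsplit(url)
    site = ".".join(reversed(u.hostname.split("."))) if u.hostname else ""
    layers = ["{id}" if _ID_SEGMENT.match(seg) else seg for seg in u.path.split("/") if seg]
    return site, layers

def service_of(layers):
    """Label every path layer that has a service tag; the deepest label names the service."""
    labelled = [(layer, SERVICE_TAGS[layer]) for layer in layers if layer in SERVICE_TAGS]
    if not labelled:
        return "unclassified", 1, []
    stype = labelled[-1][1][0]
    prio = max(p for _, (_, p) in labelled)
    return stype, prio, [layer for layer, _ in labelled]

def data_of(tag_names):
    """The highest-priority data tag sets the data type; every hit is kept for auditing."""
    hits = [(name, DATA_TAGS[name]) for name in tag_names if name in DATA_TAGS]
    if not hits:
        return "none", 1, []
    _, (dtype, prio) = max(hits, key=lambda h: h[1][1])
    return dtype, prio, sorted(name for name, _ in hits)

def classify(url: str, data_tag_names) -> dict:
    """Asset record combining the service and data dimensions; the higher priority wins."""
    site, layers = decompose(url)
    stype, sprio, slabels = service_of(layers)
    dtype, dprio, dtags = data_of(data_tag_names)
    prio = max(sprio, dprio)
    return {
        "asset": site + "/" + "/".join(layers),
        "service": {"type": stype, "hierarchy": stype.split("/"), "labels": slabels, "priority": sprio},
        "data": {"type": dtype, "hierarchy": dtype.split("/"), "tags": dtags, "priority": dprio},
        "priority": prio,
        "policy": PRIORITY_POLICY[prio],
    }

def tag_change(previous: dict, current: dict) -> dict:
    """Compare two classifications of one asset: tag drift, and whether the policy must change."""
    before, after = set(previous["data"]["tags"]), set(current["data"]["tags"])
    return {"added": sorted(after - before), "removed": sorted(before - after),
            "policy_changed": previous["policy"] != current["policy"]}

if __name__ == "__main__":
    old = classify("https://shop.example.com/api/v1/goods/12345", ["price"])
    new = classify("https://shop.example.com/api/v1/goods/67890", ["price", "cn_mobile"])
    print(old["asset"], old["priority"], old["policy"])
    print(tag_change(old, new))
```

The catalogue endpoint starts at priority 1 because both its service tag and its data tag are low; once a phone-number tag appears in its responses the data dimension lifts it to priority 3 and `tag_change` reports the added tag and the policy change. This is the "take the higher priority" rule from the paragraph above: a low-value service that starts leaking personal data is reclassified by the data it carries, not by where it sits in the path tree.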
Based on the same inventive concept, the invention also provides a device for realising the hierarchical classification of API assets. Its implementation follows the method described above and is not repeated here. The term "module" below may denote software, hardware or a combination of the two that implements the intended function. The means described in the following embodiments are preferably implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 4 is a schematic diagram of an implementation of hierarchical classification of API assets in accordance with the present invention. As shown in fig. 4, the apparatus includes:
the message parsing module 101 is configured to parse the acquired request message and response message of the API interface and to obtain the basic information and the metadata of the API interface;
the tag management module 102 is configured to manage tags, where a tag consists of a tag name, a type, a security level, a strictness ("paranoid") level, an enabled flag, a detection mode, a detection object, rule content, sample data, a test result and the like;
the service and data type determining module 103 is configured to determine, from the basic information of the API interface, the service type to which the interface belongs, and to determine the data type of the interface in combination with its metadata; specifically, it:
determines the relationship between the request path of the API interface and the domain name of the site to which the interface belongs;
layers the request paths of API interfaces, decomposing and combining URL request paths according to a tree structure;
determines the overall business hierarchy of the API interface from the hierarchy of the domain name of its site and the hierarchy of the associated request path;
parses the domain name of the site to which the API interface belongs and the request path of the interface to determine the service type to which the interface belongs;
labels the different layers of the request path, the labels being associable with the service type of the API interface, where the request path of each interface may carry multiple labels, each in a different dimension; and
determines the data type of the API interface from its request parameters in combination with the analysis of its metadata.
The asset classification determining module 104 is configured to determine an asset classification of the API according to a service type to which the API belongs and a data type of the API;
the service type of the API interface has multiple dimensions and each type of service has multiple layers; the data type of the API interface has multiple layers; and the asset classification hierarchy of the interface is determined in any chosen dimension by combining the service type to which it belongs with its data type.
The asset priority of the API interface is determined from the priority of its service type and the priority of its data type; its asset classification is determined from the hierarchical relationship of its service type and the class of its data type, and if the two priorities differ the higher one is taken as the reference; one API interface asset may be partitioned along multiple dimensions.
Different protection policies are implemented according to the asset classification of the API interface, and the asset protection policy of the interface is adjusted in real time according to changes in its tags.
It should be noted that while several modules of an implementation of hierarchical classification of API assets are mentioned in the detailed description above, such a division is merely exemplary and not mandatory. Indeed, the features and functions of two or more modules described above may be embodied in one module in accordance with embodiments of the present invention. Conversely, the features and functions of one module described above may be further divided into a plurality of modules to be embodied.
Based on the foregoing inventive concept, as shown in fig. 5, the present invention further proposes a computer device 200, including a memory 210, a processor 220, and a computer program 230 stored on the memory 210 and executable on the processor 220, where the processor 220 implements the implementation of the hierarchical classification of the API assets when executing the computer program 230.
Based on the foregoing inventive concept, the present invention also proposes a computer-readable storage medium storing a computer program that performs the implementation of the hierarchical classification of the aforementioned API assets.
The method and device for realising the hierarchical classification of API assets improve the efficiency and accuracy of API interface asset management.
While the spirit and principles of the present invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, and that the division into aspects is for convenience of description only and does not imply that features of the various aspects cannot be used in combination. The invention is intended to cover the modifications and equivalent arrangements included within the spirit and scope of the appended claims.
It should be apparent to those skilled in the art that various modifications or variations can be made to the present invention, on the basis of its technical solutions, without inventive effort.

Claims (20)

1. A method for implementing hierarchical classification of API assets, the method comprising:
analyzing the acquired request message and response message of the API interface to acquire basic information of the API interface and metadata of the API interface;
determining the service type of the API according to the basic information of the API, and determining the data type of the API by combining the metadata of the API;
and determining the asset classification of the API according to the service type of the API and the data type of the API.
2. The method for implementing hierarchical classification of API assets according to claim 1, wherein a relationship between a request path of an API interface and a domain name corresponding to a site to which the API interface belongs is determined;
layering processing is carried out on the request paths of the API interfaces, and URL request paths are decomposed and combined according to the tree structure;
and determining the business overall hierarchical relationship of the API according to the hierarchical relationship of the domain name corresponding to the site to which the API belongs and the hierarchical relationship of the request path of the associated API.
3. The method for implementing hierarchical classification of API assets according to claim 2, wherein the domain name corresponding to the site to which the API interface belongs and the request path of the API interface are parsed to determine the service type to which the API interface belongs.
4. The method for implementing hierarchical classification of API assets according to claim 3, wherein different layers of the request path of the API interface are labelled, the labels being associated with the service type to which the API interface belongs; the request path of each API interface may carry multiple labels, each in a different dimension.
5. The method of claim 1, wherein the data type of the API interface is determined in conjunction with parsing metadata of the API interface according to a request parameter of the API interface.
6. The method for implementing hierarchical classification of API assets according to claim 5, wherein metadata of an API interface is tagged according to a result of parsing the metadata of the API interface, the tag being associable with a data type of the API interface, each tag identifying a different data type of the API interface; and determining data information associated with the asset of the API according to the data type of the API, and determining the hierarchical classification of the API by combining the service type of the API.
7. The method for implementing hierarchical classification of API assets according to claim 1, wherein the service type of the API interface has multiple dimensions and each type of service has multiple layers; the data type of the API interface has multiple layers; and the asset classification hierarchy of the API interface is determined in any chosen dimension by combining the service type to which the API interface belongs with the data type of the API interface.
8. The method for implementing hierarchical classification of API assets according to claim 7, wherein the asset priority of an API interface is determined according to a priority corresponding to a service type to which the API interface belongs and a priority corresponding to a data type of the API interface; determining asset classification of the API according to the hierarchical relationship of the service type of the API and the class of the data type of the API, and if the priorities are different, taking the high priority as the reference; one asset of the API interface may be partitioned in multiple dimensions.
9. The method for implementing hierarchical classification of API assets according to claim 1 or 8, wherein different protection policies are implemented according to the API interface asset hierarchical classification, and the API interface asset protection policies are adjusted in real time according to the API interface tag change.
10. An apparatus for implementing hierarchical classification of API assets, the apparatus comprising:
the message analysis module is used for analyzing the acquired request message and response message of the API interface and acquiring basic information of the API interface and metadata of the API interface;
the label management module is used for managing labels, wherein the labels comprise label names, types, security levels, paranoid levels, whether to enable, detection modes, detection objects, rule contents, sample data and test results;
the service and data type determining module is used for determining the service type of the API according to the basic information of the API and determining the data type of the API by combining the metadata of the API;
and the asset classification determining module is used for determining the asset classification of the API according to the service type of the API and the data type of the API.
11. The apparatus for implementing hierarchical classification of API assets according to claim 10, wherein a relationship between a request path of an API interface and a domain name corresponding to a site to which the API interface belongs is determined;
layering processing is carried out on the request paths of the API interfaces, and URL request paths are decomposed and combined according to the tree structure;
and determining the business overall hierarchical relationship of the API according to the hierarchical relationship of the domain name corresponding to the site to which the API belongs and the hierarchical relationship of the request path of the associated API.
12. The apparatus for implementing hierarchical classification of API assets according to claim 11, wherein a domain name corresponding to a site to which an API interface belongs and a request path of the API interface are parsed to determine a service type to which the API interface belongs.
13. The apparatus for implementing hierarchical classification of API assets according to claim 12, wherein different levels of the request path of the API interface are labeled, the labels being associated with a service type to which the API belongs; the request path for each API interface may have multiple tags, each tag having a different dimension.
14. The apparatus for implementing hierarchical classification of API assets according to claim 10, wherein a data type of an API interface is determined in conjunction with parsing metadata of the API interface according to a request parameter of the API interface.
15. The apparatus for implementing hierarchical classification of API assets according to claim 14, wherein metadata of an API interface is tagged according to a result of parsing the metadata of the API interface, the tag being associable with a data type of the API interface, each tag identifying a different data type of the API interface; and determining data information associated with the asset of the API according to the data type of the API, and determining the hierarchical classification of the API by combining the service type of the API.
16. The apparatus for implementing hierarchical classification of API assets according to claim 10, wherein the service type of the API interface has multiple dimensions and each type of service has multiple layers; the data type of the API interface has multiple layers; and the asset classification hierarchy of the API interface is determined in any chosen dimension by combining the service type to which the API interface belongs with the data type of the API interface.
17. The apparatus for implementing hierarchical classification of API assets according to claim 16, wherein the asset priority of an API interface is determined according to a priority corresponding to a service type to which the API interface belongs and a priority corresponding to a data type of the API interface; determining asset classification of the API according to the hierarchical relationship of the service type of the API and the class of the data type of the API, and if the priorities are different, taking the high priority as the reference; one asset of the API interface may be partitioned in multiple dimensions.
18. The apparatus for implementing hierarchical classification of API assets according to claim 10 or 17, wherein different protection policies are implemented according to the API interface asset hierarchical classification, and the API interface asset protection policies are adjusted in real time according to changes in the API interface tags.
19. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1-8 when executing the computer program.
20. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program for executing the method of any one of claims 1-8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211499604.6A CN116055587A (en) 2022-11-28 2022-11-28 Method and device for realizing hierarchical classification of API (application program interface) assets

Publications (1)

Publication Number Publication Date
CN116055587A true CN116055587A (en) 2023-05-02

Family

ID=86130206

Country Status (1)

Country Link
CN (1) CN116055587A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117435959A (en) * 2023-11-17 2024-01-23 广西壮族自治区信息中心 Parameter-based API interface classification method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200074106A1 (en) * 2018-08-30 2020-03-05 Netskope, Inc. Enriching document metadata using contextual information
CN112307133A (en) * 2020-10-29 2021-02-02 平安普惠企业管理有限公司 Security protection method and device, computer equipment and storage medium
CN113360800A (en) * 2021-06-03 2021-09-07 深圳红途科技有限公司 Method and device for processing featureless data, computer equipment and storage medium
CN115208835A (en) * 2022-05-31 2022-10-18 奇安信科技集团股份有限公司 API classification method, device, electronic equipment, medium and product

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
阿里云安全: ""万丈高楼平地起, 每个API皆根基"", pages 9 - 10, Retrieved from the Internet <URL:《https://mp.weixin.qq.com/s?__biz=MzA4MTQ2MjI5OA==&mid=2664087159&idx=1&sn=ed4ed668caf1922aa63811f474a9ec32&chksm=84aa8b02b3dd021482bbaff7af9576f2e38ebf0ba2160d11fa37a7e630662bb63c6866f2844f&scene=27》> *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination