CN117150493A - Method and device for identifying API (application program interface) parameter value increment type traversal - Google Patents

Info

Publication number
CN117150493A
Authority
CN
China
Prior art keywords
parameter value
value list
data
parameter
traversal
Prior art date
Legal status
Pending
Application number
CN202311251318.2A
Other languages
Chinese (zh)
Inventor
许祥
Current Assignee
Zhongdian Cloud Computing Technology Co ltd
Original Assignee
Zhongdian Cloud Computing Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Zhongdian Cloud Computing Technology Co ltd
Priority to CN202311251318.2A
Publication of CN117150493A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/42 Syntactic analysis
    • G06F8/427 Parsing

Abstract

The application discloses a method and a device for identifying incremental traversal of API interface parameter values, relating to the field of data processing. The method comprises: collecting API interface related data as the data source to be analyzed, windowing it, and grouping the windowed data; grouping the grouped data again based on the interface, parsing the request parameters of the data in the resulting groups to obtain the parameter values, and de-duplicating and then sorting the parameter values corresponding to each group to form a parameter value list; obtaining an adjusted parameter value list based on the length of the parameter value list corresponding to each group, and calculating a traversal distribution value; and judging whether the behaviour is an incremental traversal of API interface parameters. The method has good computational performance and solves the problem that traditional API security cannot identify incremental traversal attacks accurately and with high performance.

Description

Method and device for identifying API (application program interface) parameter value increment type traversal
Technical Field
The application relates to the field of data processing, in particular to a method and a device for identifying API (application program interface) parameter value incremental traversal.
Background
An API (Application Programming Interface) is an important channel for connecting services and transmitting data, and is widely used in Web applications. For example, when a user visits a website to log in or query user information, the browser and the server are in fact interacting through APIs; in a data sharing and exchange scenario, data is typically exchanged through an API gateway: the data provider publishes an API, and the data receiver calls the API interface to obtain data after completing API authentication with a key.
Because APIs are so widely used, security attacks on API interfaces have been increasing in recent years. Traversal of interface parameters is a very dangerous type of attack: such an attack may traverse the short message authentication codes (4-6 digits) of a login interface, for example from 0001 to 9999, in an attempt to find the correct code; another example is traversing the user UID (User Identification) from 1 to 99999 to obtain the personal information of all users. However, most conventional detection is statistical detection of the number of calls to the API interface; for example, an alarm is generated if one IP (Internet Protocol) address calls the API interface too frequently within a short time.
Disclosure of Invention
In view of the defects in the prior art, the application aims to provide a method and a device for identifying incremental traversal of API interface parameter values, which have good computational performance and solve the problem that traditional API security cannot identify incremental traversal attacks accurately and with high performance.
To achieve the above object, the application provides a method for identifying incremental traversal of API interface parameter values, which specifically comprises the following steps:
collecting API interface related data as the data source to be analyzed, windowing the collected API interface related data, and grouping the windowed data based on IP or Session;
grouping the grouped data again based on the interface, parsing the request parameters of the data in the resulting groups to obtain the parameter values of the data, and de-duplicating and then sorting the parameter values corresponding to each group to form a parameter value list;
based on the length of the parameter value list corresponding to each group, when the length of the current parameter value list is greater than a preset value, removing a preset number of parameter values from each of the head and the tail of the parameter value list to obtain an adjusted parameter value list, and calculating a traversal distribution value;
and judging, according to the number of parameter values in the parameter value list and the traversal distribution value of the corresponding adjusted parameter value list, whether the behaviour is an incremental traversal of API interface parameters.
On the basis of the above technical solution:
the API interface related data comprises bypass network traffic logs, WAF original access logs, WEB application access logs and API interface logs;
the API interface log comprises the request URI, request method, request source and destination IP, request header fields, req_body, time, Host, url_path and url_query.
On the basis of the above technical solution, windowing the collected API interface related data and grouping the windowed data based on IP or Session specifically comprises:
setting the window size, and then windowing the collected API interface related data;
grouping the data within the window based on IP or Session.
On the basis of the above technical solution:
for IP-based grouping, specifically: grouping is performed according to the SIP field, or with a designated field used as the source IP field;
for Session-based grouping, specifically: Session information is obtained from the Cookie or through a custom linked login interface, and grouping is performed accordingly.
On the basis of the above technical solution, grouping the grouped data again based on the interface, parsing the request parameters of the data in the resulting groups to obtain the parameter values, and de-duplicating and then sorting the parameter values corresponding to each group to form a parameter value list specifically comprises the following steps:
grouping the grouped data again based on how the interface is identified, to obtain the groups and the data in each group;
identifying the req_body and url_query types of the data in each group, parsing the request parameters to obtain the parameter values of the data, and filtering out the non-numeric parts of the parameter values;
de-duplicating and then sorting the parameter values corresponding to each group to form the parameter value list of each group.
On the basis of the above technical solution, removing a preset number of parameter values from each of the head and the tail of the parameter value list when its length is greater than a preset value, obtaining an adjusted parameter value list, and calculating a traversal distribution value specifically comprises the following steps:
based on the number of parameter values in the parameter value list of each group, when the number of parameter values in the current parameter value list is greater than the preset value, removing a preset number of parameter values from each of the head and the tail of the parameter value list to obtain an adjusted parameter value list;
calculating the traversal distribution value of the adjusted parameter value list based on the number of parameter values, the maximum parameter value and the minimum parameter value in the adjusted parameter value list.
On the basis of the above technical solution, the traversal distribution value of the adjusted parameter value list is calculated as follows:
A=len(collect)/(max(collect)-min(collect)+1)
wherein A represents the traversal distribution value of the adjusted parameter value list, len represents the number of parameter values in the adjusted parameter value list, collect represents the adjusted parameter value list, max represents the maximum parameter value in the adjusted parameter value list, and min represents the minimum parameter value in the adjusted parameter value list.
On the basis of the above technical solution, judging whether the behaviour is an incremental traversal of API interface parameters, according to the number of parameter values in the parameter value list and the traversal distribution value of the corresponding adjusted parameter value list, is specifically:
if the traversal distribution value of the adjusted parameter value list is greater than a set value and the number of parameter values in the parameter value list is greater than a first set number, an incremental interface traversal attack is indicated;
if the traversal distribution value of the adjusted parameter value list is not greater than the set value and the number of parameter values in the parameter value list is greater than a second set number, an interface traversal attack is indicated.
The application provides a device for identifying incremental traversal of API interface parameter values, which comprises:
a preprocessing module, used for collecting API interface related data as the data source to be analyzed, windowing the collected API interface related data, and grouping the windowed data based on IP or Session;
an execution module, used for grouping the grouped data again based on the interface, parsing the request parameters of the data in the resulting groups to obtain the parameter values of the data, and de-duplicating and then sorting the parameter values corresponding to each group to form a parameter value list;
a calculation module, used for removing, based on the length of the parameter value list corresponding to each group and when the length of the current parameter value list is greater than a preset value, a preset number of parameter values from each of the head and the tail of the parameter value list to obtain an adjusted parameter value list, and calculating a traversal distribution value;
and a judging module, used for judging, according to the number of parameter values in the parameter value list and the traversal distribution value of the corresponding adjusted parameter value list, whether the behaviour is an incremental traversal of API interface parameters.
On the basis of the above technical solution:
the API interface related data comprises bypass network traffic logs, WAF original access logs, WEB application access logs and API interface logs;
the API interface log comprises the request URI, request method, request source and destination IP, request header fields, req_body, time, Host, url_path and url_query.
Compared with the prior art, the application has the following advantages: by analyzing API interface parameters and parameter values, it identifies whether the request parameter characteristics of each IP or session within a given window period match the characteristics of incremental traversal. Through the innovative traversal value calculation, incremental interface traversal can be identified accurately and false alarms are unlikely, and the method can be effectively applied to various incremental interface traversal attack behaviors. Computational complexity was fully considered in the algorithm design, so the method has good computational performance and solves the problem that traditional API security cannot identify incremental traversal attacks accurately and with high performance.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for identifying an API interface parameter value increment type traversal in accordance with an embodiment of the application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application.
Referring to FIG. 1, the method for identifying incremental traversal of API interface parameter values provided by the embodiment of the application specifically includes the following steps:
S1: collecting API interface related data as the data source to be analyzed, windowing the collected API interface related data, and grouping the windowed data based on IP or Session (session control);
In the application, the API interface related data comprises bypass network traffic logs, WAF (Web Application Firewall) original access logs, WEB application access logs and API interface logs; the API interface log includes the request URI (Uniform Resource Identifier), request method, request source and destination IP, request header fields (including but not limited to XFF, Cookie, etc.), req_body, time, Host (domain name), url_path (the path portion of the URL), and url_query (the parameter portion of the URL).
That is, the API interface log needs to include at least the request URI, request method, request source and destination IP, request header fields, req_body, time, Host, url_path, url_query, and the like.
In the application, windowing the collected API interface related data and grouping the windowed data based on IP or Session specifically comprises:
S101: setting the window size, and then windowing the collected API interface related data;
S102: grouping the data within the window based on IP or Session.
Specifically, the window can be based on Eventtime or Proctime, with a window size of 5 minutes; the collected API interface related data is windowed, and the data in each window is then grouped based on IP or Session.
In the application, for IP-based grouping, specifically: grouping is performed according to the SIP (layer-4 network source IP) field, or with a designated field used as the source IP field for a designated application. That is, IP-based grouping uses the SIP field by default, or another field may be designated as the source IP field for a given application (for example, application A may be configured to group by IP according to the X-Forwarded-For field in its request header).
In the application, for Session-based grouping, specifically: Session information is obtained from the Cookie (data stored on the user's local terminal) or through a custom linked login interface, and grouping is performed accordingly. That is, grouping is done according to the Cookie (configurable per application; for example, application A groups Sessions by the value of field B in the request Cookie), or Session information is obtained through the custom linked login interface (for example, once its login interface is configured, application A can extract the logged-in user and the subsequently allocated Session to group by Session).
S2: grouping the grouped data again based on the interface, parsing the request parameters of the data in the resulting groups to obtain the parameter values of the data, and de-duplicating and then sorting the parameter values corresponding to each group to form a parameter value list;
In the application, this step specifically comprises the following steps:
S201: grouping the grouped data again based on how the interface is identified, to obtain the groups and the data in each group; by default the interface is determined by the application's host+port+url_path, and this can be customized, for example changed to dip+port+url_path.
S202: identifying the req_body and url_query types of the data in each group, parsing the request parameters to obtain the parameter values of the data, and filtering out the non-numeric parts of the parameter values;
S203: de-duplicating and then sorting the parameter values corresponding to each group to form the parameter value list of each group.
The req_body and url_query types of the data in the group are identified; JSON (for example {'uid':1}), Key-Value (for example uid=1), Data (for example 1), XML and other formats are supported by default. After parsing, the data is uniformly converted into JSON format, then de-duplicated and aggregated into a parameter value list.
For example, four users A, B, C and D each call the view-user-information interface of application A with requests in K-V format:
A: 1 request
uid=2&action=getuserinfo
B: 1 request
uid=1&action=getuserinfo
C: 1 request
uid=3&action=getuserinfo
D: 999 requests
uid=1&action=getuserinfo
uid=2&action=getuserinfo
uid=3&action=getuserinfo
uid=5&action=getuserinfo
...
uid=1000&action=getuserinfo
These are then uniformly converted and aggregated into JSON format, for example:
A:{'uid':[2],'action':['getuserinfo']}
B:{'uid':[1],'action':['getuserinfo']}
C:{'uid':[3],'action':['getuserinfo']}
D:{'uid':[1,2,3,5,...,1000],'action':['getuserinfo']}
In this process, the request data is first parsed, and identical parameter values are then de-duplicated and aggregated.
The non-numeric parts of the parameter values are then filtered out, and a parameter whose value list is empty after filtering is removed; the data is further processed into:
A:{'uid':[2]}
B:{'uid':[1]}
C:{'uid':[3]}
D:{'uid':[1,2,3,5,...,1000]}
s3: based on the length of the parameter value list corresponding to each group, removing the parameter values of each preset number from the head to the tail in the parameter value list when the length of the current parameter value list is larger than the preset value, obtaining an adjusted parameter value list, and calculating to obtain a traversal distribution value;
based on the length of a parameter value list corresponding to each group, and when the length of the current parameter value list is larger than a preset value, removing the parameter values of each preset number from the head to the tail in the parameter value list to obtain an adjusted parameter value list, and calculating to obtain a traversal distribution value, wherein the method specifically comprises the following steps:
s301: removing the parameter values of each preset number from the head to the tail of the parameter value list when the number of the parameter values of the current parameter value list is larger than the preset value based on the number of the parameter values in the parameter value list of each group, and obtaining an adjusted parameter value list;
specifically, the number of parameter values in the parameter value list of each group is calculated, if the number of parameter values in the current parameter value list is greater than 50 (the default detection minimum threshold is configured to be 50 and can be modified by self-definition), the subsequent calculation is continued, and the parameter values of the preset number of the head and the tail in the parameter value list are removed. It can be seen that only D is satisfied in the above example.
In a specific embodiment, 2 (capable of being adjusted by user definition) parameter values from the beginning to the end are removed from the parameter value list by default to obtain a parameter value list, for example, the example D is that the adjusted parameter value list obtained after the beginning to the end is removed is D { 'uid': 3,5,..998 }.
S302: and calculating to obtain the traversal distribution value of the adjusted parameter value list based on the number of the parameter values, the maximum parameter value and the minimum parameter value in the adjusted parameter value list.
In the application, the traversal distribution value of the adjusted parameter value list is calculated, and the specific calculation mode is as follows:
A=len(collect)/(max(collect)-min(collect)+1)
wherein A represents the traversal distribution value of the adjusted parameter value list, len represents the number of parameter values in the adjusted parameter value list, collect represents the adjusted parameter value list, max represents the maximum parameter value in the adjusted parameter value list, and min represents the minimum parameter value in the adjusted parameter value list.
For example, for the adjusted parameter value list D:{'uid':[3,5,...,998]}, the calculated traversal distribution value is 0.998995983935743.
S4: judging, according to the number of parameter values in the parameter value list and the traversal distribution value of the corresponding adjusted parameter value list, whether the behaviour is an incremental traversal of API interface parameters.
In the application, this judgment is specifically:
if the traversal distribution value of the adjusted parameter value list is greater than a set value and the number of parameter values in the parameter value list is greater than a first set number, an incremental interface traversal attack is indicated;
if the traversal distribution value of the adjusted parameter value list is not greater than the set value and the number of parameter values in the parameter value list is greater than a second set number, an interface traversal attack is indicated.
For example, if the traversal distribution value of the adjusted parameter value list is greater than 0.7 (a built-in threshold that can be customized) and the number of parameter values in the parameter value list is greater than 50 (a built-in threshold that can be customized), the behaviour is considered an incremental interface traversal attack; if the traversal distribution value of the adjusted parameter value list is not greater than 0.7 and the number of parameter values in the parameter value list is greater than 200, the behaviour is considered an interface traversal attack but cannot be identified as an incremental interface traversal attack.
The application uses collected bypass network traffic logs, WAF original access logs, WEB application access logs and other API interface logs as the data source for analysis. After the relevant data enters the data analysis platform, it is windowed, by default with a 5-minute window (the window size can be customized); the data in the window is grouped by IP or Session, and the data in each group is then grouped by interface and aggregated. Each parameter value is checked for being of numeric type; if it is, formatted dictionary information is produced (the list after parameter aggregation, with values de-duplicated and sorted), giving the parameter value list of each group. The length of each group's parameter value list is calculated, and if it is greater than the preset value, the incremental traversal judgment flow is entered, as follows: by default 2 values (customizable) are removed from the head and from the tail of the parameter value list to obtain the collect list; the distribution value of the data in the collect list is calculated (the distribution value is 1 if the data fully matches the incremental property, and lower otherwise); and the distribution value and the size of the list (the number of qualifying parameter values after de-duplication) are judged together to detect whether the result is an incremental traversal of API interface parameters.
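The following Python example is added here and is not code from the patent; it carries steps S1 to S4 through on constructed log records (users A to D from the example above, plus a hypothetical user E whose values are scattered). The record keys `sip` and `port`, the host name and addresses, and the rule that the digits left after filtering are joined into one integer are assumptions.

```python
import json
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Defaults quoted on the page; all are described there as customizable.
WINDOW_SECONDS = 300     # 5-minute window
MIN_LIST_LEN = 50        # minimum list length before detection runs
TRIM = 2                 # values dropped from the head and from the tail
DIST_THRESHOLD = 0.7     # traversal distribution threshold
FIRST_SET_NUMBER = 50    # count threshold, incremental verdict
SECOND_SET_NUMBER = 200  # count threshold, non-incremental verdict


def parse_params(raw):
    """Parse a url_query or req_body string (JSON object or Key-Value) into (name, value) pairs."""
    raw = (raw or "").strip()
    if raw.startswith("{"):
        try:
            obj = json.loads(raw)
        except ValueError:
            return []  # malformed body: contributes no parameters
        return [(k, str(v)) for k, v in obj.items() if isinstance(v, (str, int))]
    return parse_qsl(raw)


def build_value_lists(records, source_field="sip"):
    """S1 + S2: window, group by source and interface, de-duplicate and sort numeric values."""
    groups = defaultdict(set)
    for rec in records:
        window = int(rec["time"]) // WINDOW_SECONDS
        interface = f'{rec["host"]}:{rec["port"]}{rec["url_path"]}'  # host+port+url_path
        for field in ("url_query", "req_body"):
            for name, value in parse_params(rec.get(field)):
                digits = re.sub(r"[^0-9]", "", value)  # assumption: remaining digits form one integer
                if digits:  # parameters with no numeric part (e.g. action) are dropped
                    groups[(window, rec[source_field], interface, name)].add(int(digits))
    return {key: sorted(vals) for key, vals in groups.items()}


def traversal_distribution(collect):
    """S302: A = len(collect) / (max(collect) - min(collect) + 1); 1.0 means no gaps."""
    return len(collect) / (max(collect) - min(collect) + 1)


def classify(value_list):
    """S301 + S4: trim head and tail, compute A, and apply the two threshold rules."""
    if len(value_list) <= MIN_LIST_LEN:
        return "none", None
    collect = value_list[TRIM:len(value_list) - TRIM]
    a = traversal_distribution(collect)
    # The count compared here is that of the untrimmed list, as the page words it.
    if a > DIST_THRESHOLD and len(value_list) > FIRST_SET_NUMBER:
        return "incremental_traversal", a
    if a <= DIST_THRESHOLD and len(value_list) > SECOND_SET_NUMBER:
        return "traversal", a
    return "none", a


def detect(records, source_field="sip"):
    """Return {(window, source, interface, parameter): (verdict, A)} for flagged groups only."""
    hits = {}
    for key, value_list in build_value_lists(records, source_field).items():
        verdict, a = classify(value_list)
        if verdict != "none":
            hits[key] = (verdict, a)
    return hits


def sample_records():
    """Constructed records: users A-D follow the page's example, user E is hypothetical."""
    base = 1_700_000_100  # a multiple of 300, so every record falls in one window

    def rec(ip, i, query="", body=""):
        return {"time": base + i // 4, "sip": ip, "host": "app-a.example", "port": 443,
                "url_path": "/user/info", "url_query": query, "req_body": body}

    recs = [rec("198.51.100.1", 0, "uid=2&action=getuserinfo"),                  # A
            rec("198.51.100.2", 0, "uid=1&action=getuserinfo"),                  # B
            rec("198.51.100.3", 0, body='{"uid": 3, "action": "getuserinfo"}')]  # C (JSON)
    d_uids = [u for u in range(1, 1001) if u != 4]  # D: 1,2,3,5,...,1000 (999 requests)
    recs += [rec("203.0.113.9", i, f"uid={u}&action=getuserinfo") for i, u in enumerate(d_uids)]
    recs += [rec("203.0.113.7", i, f"uid={37 * i}") for i in range(1, 301)]      # E: scattered
    return recs


if __name__ == "__main__":
    for key, (verdict, a) in detect(sample_records()).items():
        print(key, verdict, round(a, 6))
```

Each list is keyed per parameter name, so a request carrying several numeric parameters produces one list, and one verdict, per parameter.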
The method for identifying incremental traversal of API interface parameter values analyzes API interface parameters and parameter values to identify whether the request parameter characteristics of each IP or session within a given window period match the characteristics of incremental traversal. Through the innovative traversal value calculation, incremental interface traversal can be identified accurately and false alarms are unlikely, and various incremental traversal attack behaviors can be effectively identified. Computational complexity was fully considered in the algorithm design, so the method has good computational performance and solves the problem that traditional API security cannot identify incremental traversal attacks accurately and with high performance.
In a possible implementation, the embodiment of the application further provides a non-transitory computer readable storage medium located in a PLC (Programmable Logic Controller) controller, on which a computer program is stored; when executed by a processor, the program implements the following steps of the method for identifying incremental traversal of API interface parameter values:
collecting API interface related data as the data source to be analyzed, windowing the collected API interface related data, and grouping the windowed data based on IP or Session;
grouping the grouped data again based on the interface, parsing the request parameters of the data in the resulting groups to obtain the parameter values of the data, and de-duplicating and then sorting the parameter values corresponding to each group to form a parameter value list;
based on the length of the parameter value list corresponding to each group, when the length of the current parameter value list is greater than a preset value, removing a preset number of parameter values from each of the head and the tail of the parameter value list to obtain an adjusted parameter value list, and calculating a traversal distribution value;
and judging, according to the number of parameter values in the parameter value list and the traversal distribution value of the corresponding adjusted parameter value list, whether the behaviour is an incremental traversal of API interface parameters.
The storage media may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium may be, for example, but not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk, or C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The device for identifying the traversal of the increment type of the parameter value of the API comprises a preprocessing module, an executing module, a calculating module and a judging module.
The preprocessing module is used for collecting API interface related data as a data source to be analyzed, windowing the collected API interface related data, and grouping the windowed data based on IP or Session; the execution module is used for grouping the grouped data again based on the interface, parsing the request parameters of the data in each resulting group to obtain the parameter values of the data, de-duplicating the parameter values corresponding to each group, and then sorting them to form a parameter value list; the calculation module is used for, based on the length of the parameter value list corresponding to each group, removing a preset number of parameter values from each of the head and the tail of the parameter value list when the length of the current parameter value list is greater than a preset value, so as to obtain an adjusted parameter value list, and calculating a traversal distribution value; the judging module is used for judging, according to the number of parameter values in the parameter value list and the traversal distribution value of the adjusted parameter value list corresponding to that parameter value list, whether the parameter values constitute an incremental traversal of API interface parameters.
In the application, the related data of the API interface comprises a bypass network flow log, a WAF original access log, a WEB application access log and an API interface log; the API interface log includes a request URI, a request method, a request source destination IP, a request header field, a req_body, a time, a Host, a url_path and a url_query.
The foregoing is only a specific embodiment of the application to enable those skilled in the art to understand or practice the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.

Claims (10)

1. A method for identifying incremental traversal of API interface parameter values, characterized by comprising the following steps:
collecting API interface related data as a data source to be analyzed, windowing the collected API interface related data, and grouping the windowed data based on IP or Session;
grouping the grouped data again based on the interface, parsing the request parameters of the data in each resulting group to obtain the parameter values of the data, and de-duplicating the parameter values corresponding to each group and then sorting them to form a parameter value list;
based on the length of the parameter value list corresponding to each group, when the length of the current parameter value list is greater than a preset value, removing a preset number of parameter values from each of the head and the tail of the parameter value list to obtain an adjusted parameter value list, and calculating a traversal distribution value;
and judging, according to the number of parameter values in the parameter value list and the traversal distribution value of the adjusted parameter value list corresponding to that parameter value list, whether the parameter values constitute an incremental traversal of API interface parameters.
2. A method of identifying API interface parameter value incrementing traversal as claimed in claim 1, wherein:
the API interface related data comprises a bypass network flow log, a WAF original access log, a WEB application access log and an API interface log;
the API interface log comprises a request URI, a request method, a request source destination IP, a request header field, a req_body, time, a Host, a url_path and a url_query.
3. The method for identifying incremental traversal of API interface parameter values according to claim 1, wherein windowing the collected API interface related data and grouping the windowed data based on IP or Session comprises the following steps:
setting the size of a window, and then windowing the collected API interface related data;
grouping the data within the window based on IP or Session.
4. A method of identifying API interface parameter value incrementing traversal as claimed in claim 3, wherein:
for grouping data based on IP, specifically: grouping according to the SIP field, or by using a designated field as the source IP field;
for grouping data based on Session, specifically: acquiring the Session information according to the Cookie or the custom linkage login interface, so as to realize grouping.
5. The method for identifying incremental traversal of API interface parameter values according to claim 1, wherein grouping the grouped data again based on the interface, parsing the request parameters of the data in each resulting group to obtain the parameter values of the data, and de-duplicating and then sorting the parameter values corresponding to each group to form a parameter value list comprises the following specific steps:
grouping the grouped data again based on the identification interface mode to obtain the groups and the data in each group;
identifying the req_body and url_query types of the data in each group, parsing the request parameters to obtain the parameter values of the data, and filtering out the non-digit parts of the parameter values;
and de-duplicating the parameter values corresponding to each group and then sorting them to form the parameter value list of each group.
6. The method for identifying incremental traversal of API interface parameter values according to claim 1, wherein said steps include:
based on the number of parameter values in the parameter value list of each group, when the number of parameter values in the current parameter value list is greater than the preset value, removing a preset number of parameter values from each of the head and the tail of the parameter value list to obtain an adjusted parameter value list;
and calculating the traversal distribution value of the adjusted parameter value list based on the number of parameter values, the maximum parameter value and the minimum parameter value in the adjusted parameter value list.
7. The method for identifying an API interface parameter value incrementing traversal of claim 6, wherein the traversal distribution value of the adjusted parameter value list is specifically calculated as:
A=len(collect)/(max(collect)-min(collect)+1)
wherein A represents the traversal distribution value of the adjusted parameter value list, len represents the number of parameter values in the adjusted parameter value list, collect represents the adjusted parameter value list, max represents the maximum parameter value in the adjusted parameter value list, and min represents the minimum parameter value in the adjusted parameter value list.
8. The method for identifying incremental traversal of API interface parameter values according to claim 6, wherein judging whether the parameter values constitute an incremental traversal of API interface parameters, according to the number of parameter values in the parameter value list and the traversal distribution value of the adjusted parameter value list corresponding to that parameter value list, is specifically:
if the traversal distribution value of the adjusted parameter value list is greater than a set value and the number of parameter values in the parameter value list is greater than a first set number, an incremental interface traversal attack is indicated;
if the traversal distribution value of the adjusted parameter value list is not greater than the set value and the number of parameter values in the parameter value list is greater than a second set number, an interface traversal attack is indicated.
9. An apparatus for identifying an API interface parameter value incrementing traversal, comprising:
the preprocessing module is used for collecting the related data of the API interface as a data source to be analyzed, windowing the collected related data of the API interface and grouping the windowed data based on IP or Session;
the execution module is used for grouping the grouped data again based on the interface, parsing the request parameters of the data in each resulting group to obtain the parameter values of the data, de-duplicating the parameter values corresponding to each group, and then sorting them to form a parameter value list;
the calculation module is used for, based on the length of the parameter value list corresponding to each group, removing a preset number of parameter values from each of the head and the tail of the parameter value list when the length of the current parameter value list is greater than the preset value, so as to obtain an adjusted parameter value list, and calculating a traversal distribution value;
and the judging module is used for judging, according to the number of parameter values in the parameter value list and the traversal distribution value of the adjusted parameter value list corresponding to that parameter value list, whether the parameter values constitute an incremental traversal of API interface parameters.
10. An apparatus for identifying an API interface parameter value incrementing traversal as recited in claim 9, wherein:
the API interface related data comprises a bypass network flow log, a WAF original access log, a WEB application access log and an API interface log;
the API interface log comprises a request URI, a request method, a request source destination IP, a request header field, a req_body, time, a Host, a url_path and a url_query.
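The detection steps of claims 1 and 5 to 8, run over a small constructed log, as an added example that is not part of the patent text. The window size, every threshold, the extra grouping by parameter name, the use of an untrimmed list when it is not longer than the preset value, and the sample records are assumptions; only IP-based grouping is shown.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Assumed values: the claims only call these "preset" / "set" values.
WINDOW_SECONDS = 300      # window size
TRIM_THRESHOLD = 10       # trim only lists longer than this
TRIM_COUNT = 1            # values dropped from each end of the sorted list
SET_VALUE = 0.8           # threshold on the traversal distribution value A
FIRST_SET_NUMBER = 10     # minimum distinct values for "incremental traversal"
SECOND_SET_NUMBER = 50    # minimum distinct values for "traversal"

def numeric_values(url_query, req_body):
    """Parse url_query and a form-encoded req_body; keep only the digits of each value."""
    found = defaultdict(set)
    for name, value in parse_qsl(url_query) + parse_qsl(req_body):
        digits = re.sub(r"\D", "", value)   # filter out the non-digit part
        if digits:
            found[name].add(int(digits))
    return found

def classify(values):
    """values: de-duplicated, sorted ints. Returns (verdict or None, A)."""
    adjusted = values
    if len(values) > TRIM_THRESHOLD:
        adjusted = values[TRIM_COUNT:len(values) - TRIM_COUNT]
    if not adjusted:
        return None, 0.0
    # A = len(collect) / (max(collect) - min(collect) + 1), as in claim 7
    a = len(adjusted) / (max(adjusted) - min(adjusted) + 1)
    if a > SET_VALUE and len(values) > FIRST_SET_NUMBER:
        return "incremental traversal", a
    if a <= SET_VALUE and len(values) > SECOND_SET_NUMBER:
        return "traversal", a
    return None, a

def detect(records):
    """Group by window and source IP, then by interface (and, as an assumption, parameter name)."""
    groups = defaultdict(set)
    for r in records:
        window = r["time"] // WINDOW_SECONDS
        for name, vals in numeric_values(r["url_query"], r["req_body"]).items():
            groups[(window, r["sip"], r["url_path"], name)] |= vals
    findings = {}
    for key, vals in groups.items():
        verdict, a = classify(sorted(vals))
        if verdict:
            findings[key] = (verdict, round(a, 3))
    return findings

def _rec(t, sip, query="", body=""):
    return {"time": 1695700000 + t, "sip": sip, "url_path": "/api/order",
            "url_query": query, "req_body": body}

# Constructed sample log (documentation IP ranges, invented path and ids).
SAMPLE = (
    [_rec(i, "203.0.113.7", f"id=ORD-{1000 + i}") for i in range(30)]    # dense run
    + [_rec(30, "203.0.113.7", body="id=5"), _rec(31, "203.0.113.7", body="id=999999")]
    + [_rec(i, "198.51.100.9", f"id={n}") for i, n in enumerate((1001, 48213, 77120))]
    + [_rec(i, "192.0.2.44", f"id={1000 + 37 * i}") for i in range(60)]  # sparse sweep
)

if __name__ == "__main__":
    for key, result in detect(SAMPLE).items():
        print(key, result)
```

The two outlying ids sent by 203.0.113.7 show why the head and tail are trimmed: without the trim, the span from 5 to 999999 would push A close to zero and hide the dense run of 30 consecutive ids.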
CN202311251318.2A 2023-09-26 2023-09-26 Method and device for identifying API (application program interface) parameter value increment type traversal Pending CN117150493A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311251318.2A CN117150493A (en) 2023-09-26 2023-09-26 Method and device for identifying API (application program interface) parameter value increment type traversal

Publications (1)

Publication Number Publication Date
CN117150493A true CN117150493A (en) 2023-12-01

Family

ID=88908111

Country Status (1)

Country Link
CN (1) CN117150493A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination