CN117786696A - API asset risk analysis method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN117786696A
Authority
CN
China
Prior art keywords
api
data
asset
homologous
risk
Prior art date
Legal status
Pending
Application number
CN202311764430.6A
Other languages
Chinese (zh)
Inventor
王世峰
刘云飞
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202311764430.6A
Publication of CN117786696A
Legal status: Pending


Abstract

The embodiments of the disclosure provide an API asset risk analysis method, an API asset risk analysis device, electronic equipment and a storage medium. The API asset risk analysis method comprises the following steps: acquiring API asset data of a target API asset; matching, in an API asset library and based on the API asset data of the target API asset, at least one homologous API asset associated with the target API asset, and determining homology degree data for each homologous API asset; matching the homologous API assets against preset risk event data to determine risk degree data of each homologous API asset; and determining a risk analysis result of the target API asset based on the risk degree data and the homology degree data of each homologous API asset. The method allows risks to be discovered early and avoided.

Description

API asset risk analysis method and device, electronic equipment and storage medium
Technical Field
The application relates to the technical field of data security, in particular to an API asset risk analysis method, an API asset risk analysis device, electronic equipment and a storage medium.
Background
In the conventional API (Application Programming Interface) asset risk analysis process, vulnerabilities of an API asset are mainly checked and handled, and the API asset is matched against threat intelligence. As a result, a problem is usually dealt with only after it has already exposed a security weakness of the API asset; risks cannot be found and avoided in advance, and there is no effective capability for defending against API asset risk.
Currently, most security vendors perform risk analysis based on API data, but only for API assets on which a risk has already occurred. In addition, the prior art proposes API recommendation by combining API homology correlation, which improves development and maintenance efficiency, but does not analyse the security information related to the API, so it cannot support homologous API asset risk analysis for a security event. Existing API asset risk analysis techniques therefore lack the ability to anticipate risk in advance.
Disclosure of Invention
The embodiment of the application provides an API asset risk analysis method, an API asset risk analysis device, electronic equipment and a storage medium, which are used for solving the technical problem that the prior API asset risk analysis technology lacks the capability of pre-judging risks in advance.
According to an aspect of the embodiments of the present application, there is provided an API asset risk analysis method, including:
Acquiring API asset data of a target API asset;
matching at least one homologous API asset associated with the target API asset in an API asset library based on the API asset data of the target API asset, and determining homology data for each of the homologous API assets;
matching the homologous API assets with preset risk event data to determine risk degree data of each homologous API asset;
and determining a risk analysis result of the target API asset based on the risk degree data and the homology degree data of each homologous API asset.
In one possible implementation, the API asset library stores one or more API assets and API asset data corresponding thereto; the API asset data includes element data including at least one of location data, associated attribute data, interaction data type, vulnerability data, and user data;
the matching at least one homologous API asset associated with the target API asset in an API asset library based on API asset data of the target API asset and determining homology data for each of the homologous API assets, comprising:
and carrying out homology matching for the target API asset in the API asset library, so as to determine that at least one API asset whose element data is identical to that of the target API asset is a homologous API asset.
In one possible implementation, the risk event data includes at least one risk event type and risk data corresponding thereto; the matching the homologous API assets with preset risk event data to determine risk degree data of each homologous API asset includes:
when the API asset data of the homologous API asset matches at least one risk event type, determining event risk degree data of the homologous API asset for that risk event type based on the risk data corresponding to each matched risk event type, so that the risk degree data of the homologous API asset is determined from the event risk degree data of all risk event types matched by the homologous API asset;
the risk event type comprises threat information, a blacklist, an alarm, a security event and a vulnerability, and the risk data comprises a risk level, a risk confidence level and a risk evaluation value mapped with the risk level.
In one possible implementation, the risk event data includes a threat intelligence library corresponding to the threat intelligence, the threat intelligence library storing a plurality of threat types and related threat intelligence data; matching the risk event type with API asset data based on the homologous API asset by:
and when the threat type and threat intelligence data corresponding to the API asset data of the homologous API asset are matched in the threat intelligence library, determining that threat intelligence exists for the API asset data of the homologous API asset.
In one possible implementation, the risk event data further includes alarm data corresponding to the alarm and security event data corresponding to the security event; matching the risk event type with API asset data based on the homologous API asset by:
when the API asset data of the homologous API asset matches the alarm source address and the alarm destination address contained in the alarm data, determining that an alarm exists for the API asset data of the homologous API asset; and/or
and when the API asset data of the homologous API asset is matched with the security event source address and the security event destination address contained in the security event data, determining that a security event exists in the API asset data of the homologous API asset.
In one possible implementation, determining homology data for the homologous API asset comprises:
determining at least one characteristic attribute indicating a class of the homologous API asset from element data of the homologous API asset, the class including homologous APIs and non-homologous APIs, and dividing a characteristic attribute condition for each of the characteristic attributes;
Determining a category frequency for each category in a training sample for training a preset classifier;
based on the category frequency, calculating the conditional probability of each characteristic attribute condition under each category, wherein the conditional probability is used for representing the relationship strength between the category and the characteristic attribute condition;
inputting API asset data of any homologous API asset into the classifier to determine a feature identification probability of the homologous API asset with respect to each feature attribute, and mapping the feature identification probability into corresponding feature attribute conditions to obtain corresponding conditional probabilities, so that homology data and belonging categories for the input homologous API asset are output under joint calculation of the corresponding conditional probabilities of each feature attribute.
In one possible implementation manner, the outputting homology data and the belonging category for the input homologous API asset under the joint calculation of the conditional probability corresponding to each characteristic attribute includes:
for any category, calculating the category distribution probability of the input homologous API asset under the category based on the corresponding conditional probability of each characteristic attribute and the category frequency of the category;
Determining the category corresponding to the maximum value of the category distribution probability as the category of the input homologous API asset;
and determining the homology data of the input homologous API assets based on the maximum value of the category distribution probability and a calculation coefficient consisting of the category distribution probability under each category.
In one possible implementation manner, the determining the risk analysis result of the target API asset based on the risk degree data and the homology degree data of each homologous API asset includes:
and performing a weighted calculation on the risk degree data and the homology degree data of each homologous API asset to obtain the risk degree data of the target API asset, with the risk degree data and the homology degree data of each homologous API asset serving as the risk analysis result.
According to another aspect of an embodiment of the present application, there is provided an API asset risk analysis device, including:
the data input module is used for acquiring a target API asset and API asset data of the target API asset;
a homology matching module for matching at least one homologous API asset associated with the target API asset in an API asset library based on API asset data of the target API asset, and determining homology data for each of the homologous API assets;
the risk degree calculation module is used for matching the homologous API assets with preset risk event data to determine risk degree data of the homologous API assets;
And the risk analysis module is used for determining a risk analysis result of the target API asset based on the risk degree data and the homology degree data of each homologous API asset.
According to still another aspect of embodiments of the present application, there is provided an electronic device including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the API asset risk analysis method of the above embodiments.
According to yet another aspect of the embodiments of the present application, there is provided a computer readable storage medium storing computer instructions for causing a computer to perform the API asset risk analysis method of the above embodiments.
The technical solution provided by the embodiments of this application brings the following beneficial effects:
According to the API asset risk analysis method, the target API asset and its API asset data are obtained; at least one homologous API asset associated with the target API asset is then matched in the API asset library based on that data, and the homology degree data of each homologous API asset is determined; the homologous API assets are matched against preset risk event data to determine their risk degree data, so that the homology correlation of the API is taken into account; and the risk analysis result of the target API asset is determined from the risk degree data and the homology degree data of the homologous API assets, so that the similarity between the target API asset and each homologous API asset is taken into account. This improves the accuracy of the risk assessment of the target API asset, enables risk analysis of API assets on which no security event has yet occurred, solves the technical problem that existing API asset risk analysis lacks the capability of anticipating risk, and achieves early discovery and avoidance of risk.
The foregoing description is only an overview of the disclosed technology, and may be implemented in accordance with the disclosure of the present disclosure, so that the above-mentioned and other objects, features and advantages of the present disclosure can be more clearly understood, and the following detailed description of the preferred embodiments is given with reference to the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
Fig. 1 is a flow chart of an API asset risk analysis method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an API asset risk analysis device according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
It should be appreciated that the following specific embodiments of the disclosure are described in order to provide a better understanding of the present disclosure, and that other advantages and effects will be apparent to those skilled in the art from the present disclosure. It will be apparent that the described embodiments are merely some, but not all embodiments of the present disclosure. The disclosure may be embodied or practiced in other different specific embodiments, and details within the subject specification may be modified or changed from various points of view and applications without departing from the spirit of the disclosure. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure are intended to be within the scope of this disclosure.
It is noted that various aspects of the embodiments are described below within the scope of the following claims. It should be apparent that the aspects described herein may be embodied in a wide variety of forms and that any specific structure and/or function described herein is merely illustrative. Based on the present disclosure, one skilled in the art will appreciate that one aspect described herein may be implemented independently of any other aspect, and that two or more of these aspects may be combined in various ways. For example, an apparatus may be implemented and/or a method practiced using any number of the aspects set forth herein. In addition, such apparatus may be implemented and/or such methods practiced using other structure and/or functionality in addition to one or more of the aspects set forth herein.
It should also be noted that the illustrations provided in the following embodiments merely illustrate the basic concepts of the disclosure by way of illustration, and only the components related to the disclosure are shown in the drawings and are not drawn according to the number, shape and size of the components in actual implementation, and the form, number and proportion of the components in actual implementation may be arbitrarily changed, and the layout of the components may be more complicated.
In addition, in the following description, specific details are provided in order to provide a thorough understanding of the examples. However, it will be understood by those skilled in the art that the aspects may be practiced without these specific details.
Example 1
Fig. 1 is a flow chart of an API asset risk analysis method according to an embodiment of the present application, where the API asset risk analysis method includes steps S101 to S104.
S101, acquiring an API asset of a target API and API asset data of the target API asset.
Wherein the API asset data includes element data including, but not limited to, location data, associated attribute data, interaction data type, vulnerability data, and user data. The API asset data also includes basic information such as API type, method of operation, endpoint path, request parameters, response parameters, parameter structure; API asset association information such as deployment IP, API access source, number of communications, API communication topology, API function tag, service domain division information; API security risk monitoring information, such as vulnerability data.
S102, matching at least one homologous API asset associated with the target API asset in an API asset library based on the API asset data of the target API asset, and determining homology data of each homologous API asset.
In this application, the homology correlation of API assets is taken into account: homologous API asset analysis is performed with the target API asset as its core, and one or more API assets whose data (such as type or element data) is consistent with that of the target API asset are matched as its homologous API assets. For example, an API asset whose interaction data type (request parameters, response parameters, parameter structure, etc.) is fully consistent with that of the target API asset may be regarded as a homologous API asset of the target API asset, and so may an API asset whose associated attribute data is consistent with that of the target API asset. The homology degree data measures the similarity between a homologous API asset and the target API asset. By calculating the homology degree between each homologous API asset and the target API asset, both the similarity and the differences between them are taken into account, so that during the risk analysis of the target API asset the risk degree data of each homologous API asset carries an importance that varies with its homology degree, which improves the accuracy and reasonableness of the risk assessment of the target API asset.
And S103, matching the homologous API assets with preset risk event data to determine risk degree data of each homologous API asset.
S104, determining risk analysis results of the target API assets based on the risk degree data and the homology degree data of the homologous API assets.
In this method, the homology correlation of API assets is taken into account, and the known risk situation of the homologous API assets is used to predict the risk situation of the target API asset. The characteristics of the target API asset can thus be understood more comprehensively through the similar characteristics and distribution of its homologous API assets, its risk situation can be estimated accurately, changes in the data can be handled better, and the stability of the estimate is improved.
In some embodiments, the determining the risk analysis result of the target API asset based on the risk degree data and the homology degree data of each of the homologous API assets includes:
and performing a weighted calculation on the risk degree data and the homology degree data of each homologous API asset to obtain the risk degree data of the target API asset, with the risk degree data and the homology degree data of each homologous API asset serving as the risk analysis result.
In this embodiment, a weight is configured for each homologous API asset; the risk assessment of each homologous API asset is then calculated from its weight, risk degree data and homology degree data, and the risk assessments of all homologous API assets are superimposed to obtain the risk analysis result of the target API asset. For example, if the target API asset D has three homologous API assets A, B and C, then risk(D) = risk(A) × homology(A) × weight(A) + risk(B) × homology(B) × weight(B) + risk(C) × homology(C) × weight(C). Weighting the risk degree and the homology degree of each homologous API asset in this way accounts for the importance and influence of each homologous API asset within the data as a whole, which improves the accuracy and flexibility of the risk analysis of the target API asset.
According to the API asset risk analysis method provided by this embodiment, the target API asset and its API asset data are obtained; at least one homologous API asset associated with the target API asset is then matched in the API asset library based on that data, and the homology degree data of each homologous API asset is determined; the homologous API assets are matched against preset risk event data to determine the risk degree data of each homologous API asset, so that the homology correlation of the API is taken into account; and the risk analysis result of the target API asset is determined from the risk degree data and the homology degree data of each homologous API asset, so that the similarity between the target API asset and each homologous API asset is taken into account. This improves the accuracy of the risk assessment of the target API asset, enables risk analysis of APIs on which no security event has yet occurred, solves the technical problem that existing API asset risk analysis lacks the capability of anticipating risk, and achieves early discovery and avoidance of risk.
In some embodiments, the API asset library stores one or more API assets and API asset data corresponding thereto; the API asset data includes element data including at least one of location data, associated attribute data, interaction data type, vulnerability data, and user data;
The matching at least one homologous API asset associated with the target API asset in an API asset library based on API asset data of the target API asset and determining homology data for each of the homologous API assets, comprising:
and carrying out homology matching on the target API assets in the API asset library so as to determine that at least one API asset which is identical to the element data of any target API asset is a homologous API asset.
In this embodiment, an API asset library is configured, and the API asset data of the target API asset is matched against the API asset data in the library to obtain at least one API asset whose API asset data (such as type or element data) is consistent with it; these are regarded as homologous API assets of the target API asset, which implements homology matching.
In some embodiments, the risk event data includes at least one risk event type and risk data corresponding thereto; the matching the homologous API assets with preset risk event data to determine risk degree data of each homologous API asset includes:
when the API asset data based on the homologous API asset is matched with at least one risk event type, determining event risk degree data of the homologous API asset about the risk event type based on risk data corresponding to any risk event type matched with the API asset data, so that the risk degree data of the homologous API asset is determined based on event risk degree data corresponding to all risk event types matched with the homologous API asset;
The risk event type comprises threat information, a blacklist, an alarm, a security event and a vulnerability, and the risk data comprises a risk level, a risk confidence level and a risk evaluation value mapped with the risk level.
In this embodiment, the API asset data of each homologous API asset is matched against risk events such as threat intelligence, a blacklist, an alarm, a security event and a vulnerability, so as to obtain the risk degree data of the homologous API asset. Specifically, when at least one risk event type is matched, the event risk degree data of the homologous API asset for each matched risk event type is calculated from the risk level, risk confidence and risk evaluation value corresponding to that risk event type, and the event risk degree data of all risk event types present for the homologous API asset are then summed to obtain its risk degree data. Risk identification of the homologous API asset is thus performed by considering the risk events present for it, and the risk information corresponding to those events is quantified, which improves the accuracy of the risk assessment of the homologous API asset.
For example, as shown in Table 1 below, take the case where the risk event types are an alarm and IOC intelligence (i.e. threat intelligence). When the API asset data of homologous API asset A matches both the alarm and the IOC intelligence, and the risk data for the alarm comprises a risk level of medium, a risk confidence of 0.90 and a risk evaluation value of 0.8 mapped from that level, the event risk degree data for the alarm is risk evaluation value × risk confidence = 0.8 × 0.90 = 0.72. Similarly, for the IOC intelligence the risk data comprises a risk level of high, a risk confidence of 0.90 and a risk evaluation value of 0.9, giving event risk degree data of 0.9 × 0.90 = 0.81. Based on the event risk degree data for the alarm and the IOC intelligence, the risk degree data of homologous API asset A is therefore 0.8 × 0.90 + 0.9 × 0.90 = 1.53.
TABLE 1
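To make the two calculations in this example concrete (the event risk degree of Table 1, and the weighted superposition over homologous assets described after step S104), here is an added Python example; it is not code from the patent. Only the medium/0.8 and high/0.9 evaluation values, the product-then-sum rule for event risk, and the risk × homology × weight superposition come from the embodiment; the mapping of the "low" level to 0.5, the per-asset weights and homology degrees, and the sample assets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Risk evaluation value mapped from the risk level. "medium" -> 0.8 and "high" -> 0.9 follow
# Table 1 of the embodiment; "low" -> 0.5 is an assumed value for illustration only.
RISK_EVALUATION_BY_LEVEL = {"low": 0.5, "medium": 0.8, "high": 0.9}


@dataclass(frozen=True)
class RiskEvent:
    """One matched risk event for a homologous API asset (the page's risk data)."""
    event_type: str      # threat intelligence, blacklist, alarm, security event, vulnerability
    risk_level: str      # low / medium / high
    confidence: float    # risk confidence in [0, 1]


def event_risk_degree(event: RiskEvent) -> float:
    """Event risk degree = risk evaluation value (mapped from the level) x risk confidence."""
    return RISK_EVALUATION_BY_LEVEL[event.risk_level] * event.confidence


def asset_risk_degree(events: Iterable[RiskEvent]) -> float:
    """Risk degree of a homologous asset = sum of the event risk degrees of all matched events."""
    return sum(event_risk_degree(e) for e in events)


@dataclass(frozen=True)
class HomologousAsset:
    """A homologous API asset with its homology degree (from S102) and configured weight."""
    name: str
    homology: float         # homology degree data, assumed to lie in [0, 1]
    weight: float           # weight configured per homologous asset (constructed here)
    events: tuple           # matched RiskEvent objects from S103


def target_risk_degree(assets: Iterable[HomologousAsset]) -> float:
    """Weighted superposition: sum over assets of risk x homology x weight."""
    return sum(asset_risk_degree(a.events) * a.homology * a.weight for a in assets)


# Constructed sample: asset A reproduces Table 1 (alarm + IOC intelligence), B has one
# vulnerability, and C matched no risk events at all (its contribution is zero).
ASSET_A = HomologousAsset("A", homology=0.9, weight=0.5, events=(
    RiskEvent("alarm", "medium", 0.90),
    RiskEvent("threat intelligence", "high", 0.90),
))
ASSET_B = HomologousAsset("B", homology=0.6, weight=0.3, events=(
    RiskEvent("vulnerability", "high", 0.80),
))
ASSET_C = HomologousAsset("C", homology=0.5, weight=0.2, events=())
HOMOLOGOUS_ASSETS = (ASSET_A, ASSET_B, ASSET_C)

if __name__ == "__main__":
    for a in HOMOLOGOUS_ASSETS:
        print(f"risk degree of {a.name}: {asset_risk_degree(a.events):.4f}")
    print(f"risk degree of target D: {target_risk_degree(HOMOLOGOUS_ASSETS):.4f}")
```

Asset A comes out at 1.53 exactly as in Table 1; the target D then receives 1.53 × 0.9 × 0.5 from A plus 0.72 × 0.6 × 0.3 from B, so a highly similar, heavily weighted homologous asset dominates the prediction while a dissimilar one barely moves it.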
Based on the above embodiments, in some embodiments, the risk event data includes a threat intelligence library corresponding to the threat intelligence, the threat intelligence library storing a plurality of threat types and the related threat intelligence data, and the risk event type is matched against the API asset data of the homologous API asset as follows:
and when the threat type and threat intelligence data corresponding to the API asset data of the homologous API asset are matched in the threat intelligence library, determining that threat intelligence exists for the API asset data of the homologous API asset.
In this embodiment, the threat intelligence library stores a plurality of threat types and the related threat intelligence data. The threat types include, but are not limited to, malware, viruses, spyware, adware, spam, login attacks and phishing, and the threat intelligence data includes, but is not limited to, the IP addresses, domain names, file hashes, email addresses and attack information (such as attacker, attack time, attack target, attack tool and attack mode) associated with the security threats of any threat type. Specifically, the API asset data of the homologous API asset is compared with the threat intelligence data in the library to determine whether the API asset data contains threat intelligence corresponding to at least one threat type. Because the library stores threat intelligence data of several dimensions for each threat type and is matched to the application scenario of the current network environment, the application decides whether the API asset data constitutes threat intelligence by matching the API asset data of the homologous API asset against the data stored in the library; this widens the basis for the judgement and improves the accuracy and credibility of threat intelligence detection to a certain extent.
Based on the above embodiments, in some embodiments, the risk event data further includes alarm data corresponding to the alarm and security event data corresponding to the security event, and the risk event type is matched against the API asset data of the homologous API asset as follows:
when the API asset data of the homologous API asset matches the alarm source address and the alarm destination address contained in the alarm data, determining that an alarm exists for the API asset data of the homologous API asset; and/or
and when the API asset data of the homologous API asset is matched with the security event source address and the security event destination address contained in the security event data, determining that a security event exists in the API asset data of the homologous API asset.
In this embodiment, the API asset data of the homologous API asset is matched against the source and destination addresses of the alarm and against the source and destination addresses of the security event, respectively, to determine whether an alarm and/or a security event exists for the API asset data of the homologous API asset; the event risk degree data of the homologous API asset for the alarm and/or the security event is then calculated from the corresponding risk data, which implements risk identification.
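As an added illustration of the three matching rules above (threat intelligence library, alarm data, security event data), here is a Python example that is not code from the patent. The asset fields, the library layout (threat type mapped to a set of indicators) and all addresses are constructed; addresses come from the RFC 5737 documentation ranges and the domains are example names, so none of them is a real indicator. Reading "matches the alarm source address and destination address" as "the record's destination is one of the API's deployment addresses and its source is one of the API's observed access sources" is our interpretation of the embodiment.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class ApiAssetData:
    """Subset of the page's API asset data relevant to matching: location and access data."""
    endpoint: str
    deployment_ips: FrozenSet[str]   # addresses the API is deployed on (deployment IP)
    access_sources: FrozenSet[str]   # source addresses observed calling the API (API access source)
    domains: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AddressPair:
    """Source/destination pair carried by an alarm record or a security event record."""
    src: str
    dst: str


# Constructed threat intelligence library: threat type -> indicators (IPs, domains, hashes).
THREAT_INTEL_LIBRARY: Dict[str, FrozenSet[str]] = {
    "malware": frozenset({"198.51.100.23", "bad-cdn.example"}),
    "phishing": frozenset({"203.0.113.9"}),
}


def match_threat_intelligence(asset: ApiAssetData,
                              library: Dict[str, FrozenSet[str]]) -> List[str]:
    """Threat types whose intelligence data overlaps the asset's own indicators."""
    indicators = asset.deployment_ips | asset.access_sources | asset.domains
    return sorted(t for t, iocs in library.items() if indicators & iocs)


def match_address_pairs(asset: ApiAssetData, pairs: Iterable[AddressPair]) -> List[AddressPair]:
    """Alarm or security event records whose destination is one of the API's deployment
    addresses and whose source is one of its observed access sources (our reading of
    'matched with the source address and the destination address')."""
    return [p for p in pairs
            if p.dst in asset.deployment_ips and p.src in asset.access_sources]


def matched_risk_event_types(asset: ApiAssetData, library: Dict[str, FrozenSet[str]],
                             alarms: Iterable[AddressPair],
                             security_events: Iterable[AddressPair]) -> List[str]:
    """Risk event types present for the asset, in the order the page lists them."""
    found = []
    if match_threat_intelligence(asset, library):
        found.append("threat intelligence")
    if match_address_pairs(asset, alarms):
        found.append("alarm")
    if match_address_pairs(asset, security_events):
        found.append("security event")
    return found


# Constructed sample assets and records.
ASSET_A = ApiAssetData("/api/v1/orders", frozenset({"192.0.2.10"}),
                       frozenset({"198.51.100.23", "192.0.2.50"}), frozenset({"orders.example"}))
ASSET_B = ApiAssetData("/api/v1/health", frozenset({"192.0.2.20"}), frozenset({"192.0.2.51"}))
ALARMS = [AddressPair("198.51.100.23", "192.0.2.10"),   # destination is asset A, source calls A
          AddressPair("203.0.113.9", "192.0.2.99")]     # destination is not a known API asset
SECURITY_EVENTS = [AddressPair("192.0.2.50", "192.0.2.10")]

if __name__ == "__main__":
    for asset in (ASSET_A, ASSET_B):
        print(asset.endpoint,
              matched_risk_event_types(asset, THREAT_INTEL_LIBRARY, ALARMS, SECURITY_EVENTS))
```

The second alarm record shows why both addresses are checked: its source is a known phishing indicator, but it never touched an address where a catalogued API is deployed, so it does not count as an alarm for either asset and only the threat intelligence rule could flag it if that source appeared in an asset's access data.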
In some embodiments, the homology data of the homologous API assets is determined as follows:
determining at least one characteristic attribute indicating a class of the homologous API asset from element data of the homologous API asset, the class including homologous APIs and non-homologous APIs, and dividing a characteristic attribute condition for each of the characteristic attributes;
determining a category frequency for each category in a training sample for training a preset classifier;
based on the category frequency, calculating the conditional probability of each characteristic attribute condition under each category, wherein the conditional probability is used for representing the relationship strength between the category and the characteristic attribute condition;
inputting API asset data of any homologous API asset into the classifier to determine a feature identification probability of the homologous API asset with respect to each feature attribute, and mapping the feature identification probability into corresponding feature attribute conditions to obtain corresponding conditional probabilities, so that homology data and belonging categories for the input homologous API asset are output under joint calculation of the corresponding conditional probabilities of each feature attribute.
In this embodiment, because the risk degree data of the homologous API assets corresponding to the target API asset may differ, risk association needs to be performed on the basis of the homology degree of each homologous API asset. Specifically, the categories are first fixed as homologous API and non-homologous API; for example, with a class label C, C=0 denotes a homologous API and C=1 denotes a non-homologous API. Then one or more items of element data that can distinguish homologous from non-homologous APIs are selected from the element data of the homologous API asset as characteristic attributes; for example, three characteristic attributes are selected: characteristic attribute a1 = API vulnerability data / API asset number, characteristic attribute a2 = sensitive data type / total data classes, and characteristic attribute a3 = API asset user data / API asset number. Next, each selected characteristic attribute is divided into conditions, for example a1: {a1<=0.05, 0.05<a1<0.2, a1>=0.2}; a2: {a2<=0.1, 0.1<a2<0.8, a2>=0.8}; a3: {a3=0 (non-homologous), a3=1 (homologous)}. Further, a training sample is obtained and the category frequency of each category in it is calculated; for example, if the training sample contains 10000 API assets, of which 8900 are homologous APIs and 1100 are non-homologous APIs, then the category frequency characterizing homologous APIs is P(C=0)=0.89 and the category frequency characterizing non-homologous APIs is P(C=1)=0.11.
Furthermore, the conditional probability of each characteristic attribute condition under each category is calculated. Note that the conditional probability describes the dependency relationship and conditional independence between the category and the characteristic attribute condition, so as to reflect the strength of the relationship between them. Illustratively, continuing the above example, the conditional probabilities are as follows. For characteristic attribute a1: P(a1<=0.05|C=0)=0.3, P(0.05<a1<0.2|C=0)=0.5, P(a1>=0.2|C=0)=0.2; P(a1<=0.05|C=1)=0.8, P(0.05<a1<0.2|C=1)=0.1, P(a1>=0.2|C=1)=0.1. For characteristic attribute a2: P(a2<=0.1|C=0)=0.1, P(0.1<a2<0.8|C=0)=0.7, P(a2>=0.8|C=0)=0.2; P(a2<=0.1|C=1)=0.7, P(0.1<a2<0.8|C=1)=0.2, P(a2>=0.8|C=1)=0.1. For characteristic attribute a3: P(a3=0|C=0)=0.2, P(a3=1|C=0)=0.8, P(a3=0|C=1)=0.9, P(a3=1|C=1)=0.1. Then the API asset data of the homologous API asset is input into the classifier to determine the feature recognition probability of the homologous API asset with respect to each characteristic attribute; for example, the feature recognition probability for API vulnerability data / API asset number is 0.1 and that for sensitive data type / total data classes is 0.2. The feature recognition probability of each characteristic attribute is then mapped into its characteristic attribute condition to obtain the conditional probability of the identified attributes a1 and a2 with respect to each category, namely P(0.05<a1<0.2|C=0)=0.5, P(0.05<a1<0.2|C=1)=0.1, P(0.1<a2<0.8|C=0)=0.7 and P(0.1<a2<0.8|C=1)=0.2.
Thus, since the characteristic attributes are taken to be conditionally independent, the conditional probabilities obtained for the input homologous API asset are combined jointly to obtain the homology data and belonging category of the homologous API asset. Therefore, by setting the conditional probabilities, the embodiment takes into account the dependency relationship and conditional independence between the category and the characteristic attribute conditions, which improves the accuracy and reliability of category prediction and the accuracy of the homology calculation.
Based on the above embodiments, in some embodiments, the outputting homology data for the input homologous API asset and the belonging category under the joint calculation of the conditional probabilities corresponding to each feature attribute includes:
for any category, calculating the category distribution probability of the input homologous API asset under the category based on the corresponding conditional probability of each characteristic attribute and the category frequency of the category;
determining the category corresponding to the maximum value of the category distribution probability as the category of the input homologous API asset;
and determining the homology data of the input homologous API assets based on the maximum value of the category distribution probability and a calculation coefficient consisting of the category distribution probability under each category.
In this embodiment, calculating the homology data and the predicted category of the homologous API asset is converted into calculating the category distribution probability of the homologous API asset under each category, that is, the category distribution probability P(C=0|x) of the homologous API asset under the homologous API category and the category distribution probability P(C=1|x) under the non-homologous API category, where x is the item to be classified (i.e. the input homologous API asset). Further, the calculation of P(C=0|x) can be converted into the calculation of the intermediate quantity P(C=0)P(x|C=0), and the calculation of P(C=1|x) into the intermediate quantity P(C=1)P(x|C=1). Specifically, the intermediate quantity P(C=0)P(x|C=0) = P(C=0) P(0.05<a1<0.2|C=0) P(0.1<a2<0.8|C=0) P(a3=0|C=0) = 0.89×0.5×0.7×0.2 = 0.0623, and the intermediate quantity P(C=1)P(x|C=1) = P(C=1) P(0.05<a1<0.2|C=1) P(0.1<a2<0.8|C=1) P(a3=0|C=1) = 0.11×0.1×0.2×0.9 = 0.00198. Further, the category with the larger category distribution probability is determined as the category to which the input homologous API asset belongs: since P(C=0|x) corresponds to 0.0623 and P(C=1|x) to 0.00198, the input homologous API asset is a homologous API. Secondly, a calculation coefficient is determined from the category distribution probabilities under each category, and the homology data of the input homologous API asset is calculated from this coefficient and the maximum category distribution probability; with the calculation coefficient 1/(0.0623+0.00198) = 15.56, the homology data of the homologous API asset is 0.97.
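The classifier of the preceding paragraphs, written out as an added Python example (it is not code from the patent). It uses exactly the attribute conditions, category frequencies and conditional probabilities quoted in the text and reproduces the worked numbers; the function and attribute names are my own.

```python
"""Naive Bayes homology classifier reproducing the patent's worked example.

Added example, not the patent's own code. Class labels, attribute bins,
class frequencies and conditional probabilities are the values quoted in
the text; the homology figure follows the text's calculation
(maximum class score times the coefficient 1 / sum of class scores).
"""
from typing import Callable

HOMOLOGOUS, NON_HOMOLOGOUS = 0, 1   # C=0 homologous API, C=1 non-homologous API

# Category frequencies P(C=c): 8900 homologous and 1100 non-homologous
# out of 10000 training samples.
CLASS_FREQ = {HOMOLOGOUS: 0.89, NON_HOMOLOGOUS: 0.11}


def condition_a1(v: float) -> str:
    """a1 = API vulnerability data / API asset number."""
    if v <= 0.05:
        return "a1<=0.05"
    return "0.05<a1<0.2" if v < 0.2 else "a1>=0.2"


def condition_a2(v: float) -> str:
    """a2 = sensitive data types / total data classes."""
    if v <= 0.1:
        return "a2<=0.1"
    return "0.1<a2<0.8" if v < 0.8 else "a2>=0.8"


def condition_a3(v: float) -> str:
    """a3 = API asset user data / API asset number, binary in the text."""
    return "a3=0" if v == 0 else "a3=1"


CONDITION: dict[str, Callable[[float], str]] = {
    "a1": condition_a1, "a2": condition_a2, "a3": condition_a3,
}

# Conditional probabilities P(condition | C=c) as tabulated in the text.
COND_PROB = {
    "a1": {HOMOLOGOUS:     {"a1<=0.05": 0.3, "0.05<a1<0.2": 0.5, "a1>=0.2": 0.2},
           NON_HOMOLOGOUS: {"a1<=0.05": 0.8, "0.05<a1<0.2": 0.1, "a1>=0.2": 0.1}},
    "a2": {HOMOLOGOUS:     {"a2<=0.1": 0.1, "0.1<a2<0.8": 0.7, "a2>=0.8": 0.2},
           NON_HOMOLOGOUS: {"a2<=0.1": 0.7, "0.1<a2<0.8": 0.2, "a2>=0.8": 0.1}},
    "a3": {HOMOLOGOUS:     {"a3=0": 0.2, "a3=1": 0.8},
           NON_HOMOLOGOUS: {"a3=0": 0.9, "a3=1": 0.1}},
}


def class_scores(features: dict[str, float]) -> dict[int, float]:
    """Intermediate quantity P(C=c) * prod_i P(cond_i(a_i) | C=c) per class.

    The attributes are treated as conditionally independent given the
    class, which is what allows the conditional probabilities to be
    multiplied together.
    """
    scores = {}
    for c, prior in CLASS_FREQ.items():
        score = prior
        for attr, value in features.items():
            score *= COND_PROB[attr][c][CONDITION[attr](value)]
        scores[c] = score
    return scores


def classify(features: dict[str, float]) -> tuple[int, float]:
    """Return (predicted class, homology data rounded to two decimals).

    The class is the one with the larger intermediate quantity; the homology
    data is that maximum multiplied by the calculation coefficient
    1 / (sum of the intermediate quantities), i.e. the normalised posterior.
    """
    scores = class_scores(features)
    best = max(scores, key=scores.get)
    coefficient = 1.0 / sum(scores.values())
    return best, round(scores[best] * coefficient, 2)


if __name__ == "__main__":
    # The text's input: feature recognition probabilities a1=0.1, a2=0.2, a3=0.
    example = {"a1": 0.1, "a2": 0.2, "a3": 0.0}
    print(class_scores(example))   # class 0 ≈ 0.0623, class 1 ≈ 0.00198
    print(classify(example))       # (0, 0.97)
```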
As an example, the risk analysis of an input target API asset comprises the following specific operations:
Step 1: input the target API asset to be analyzed into the system: http://api.example.com/data.
Step 2: the homologous API assets of hhh.com are searched automatically, and the API assets with high similarity to the organizational architecture of the http://api.example.com/data asset, such as http://api.example.com/data1, http://api.example.com/data2 and http://api.example.com/data3, are retrieved automatically.
Step 3: similarity recognition and analysis are carried out on the automatically retrieved API assets that have high similarity to the organizational architecture of the http://api.example.com/data asset; they are sorted by similarity according to element data such as components, giving the order http://api.example.com/data1, http://api.example.com/data2, http://api.example.com/data3, and the homology data between the http://api.example.com/data asset and each of http://api.example.com/data1, http://api.example.com/data2 and http://api.example.com/data3 is calculated.
Step 4: the automatically retrieved homologous API assets of http://api.example.com/data, namely http://api.example.com/data1, http://api.example.com/data2 and http://api.example.com/data3, are matched respectively against risk event data such as threat intelligence, security events and alarms, the risk information of the homologous API assets is mined, and the risk degree data of the homologous API assets is compiled.
Step 5: a weighted calculation is carried out on the analysis results of Step 3 and Step 4 to obtain the risk condition of the input API asset, and finally the risk degree of the target API asset http://api. is calculated.
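The matching in Step 4 and the weighted calculation in Step 5, together with the alarm, security event and threat intelligence matching described earlier, as an added Python example (not the patent's code). All records and addresses are constructed, and the formulas are assumptions, since the text only says "weighted calculation": an event's risk is its evaluation value (mapped from the risk level) times its confidence, an asset's risk degree is the maximum over its matched events, and the target's risk degree is the homology-weighted mean over its homologous assets.

```python
"""Risk event matching and homology-weighted target risk (added example).

Not the patent's code. Records are constructed; the evaluation mapping,
the per-event formula, the per-asset maximum and the homology-weighted
mean are assumptions standing in for the text's "weighted calculation".
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Risk evaluation value mapped from the risk level (constructed mapping).
RISK_EVAL = {"low": 0.3, "medium": 0.6, "high": 0.9}


@dataclass(frozen=True)
class RiskEvent:
    event_type: str     # "alarm" or "security_event"
    src: str            # source address of the alarm / security event
    dst: str            # destination address
    level: str          # risk level
    confidence: float   # risk confidence


@dataclass(frozen=True)
class ThreatIntel:
    indicator: str      # IP address or domain name held in the intelligence library
    threat_type: str
    level: str
    confidence: float


@dataclass(frozen=True)
class HomologousAsset:
    url: str
    addresses: frozenset   # addresses from the asset's location / interaction data
    homology: float        # homology data produced by the classifier


def event_risk(level: str, confidence: float) -> float:
    """Event risk degree: evaluation value mapped from the level, times confidence."""
    return RISK_EVAL[level] * confidence


def matched_alarms_and_events(asset: HomologousAsset, events) -> list:
    """An alarm or security event matches when both its source and its
    destination address appear in the asset's address data."""
    return [e for e in events if e.src in asset.addresses and e.dst in asset.addresses]


def matched_intel(asset: HomologousAsset, intel) -> list:
    """Threat intelligence matches on the asset's host name or any of its addresses."""
    host = urlsplit(asset.url).hostname
    keys = set(asset.addresses) | ({host} if host else set())
    return [t for t in intel if t.indicator in keys]


def asset_risk_degree(asset: HomologousAsset, events, intel) -> float:
    """Risk degree of one homologous asset: maximum over all matched risk events."""
    risks = [event_risk(e.level, e.confidence) for e in matched_alarms_and_events(asset, events)]
    risks += [event_risk(t.level, t.confidence) for t in matched_intel(asset, intel)]
    return max(risks, default=0.0)   # no matched event means no observed risk


def target_risk_degree(homologs, events, intel) -> float:
    """Risk degree of the target asset: homology-weighted mean of its homologs."""
    total_weight = sum(a.homology for a in homologs)
    if total_weight == 0:
        return 0.0
    return sum(a.homology * asset_risk_degree(a, events, intel) for a in homologs) / total_weight


# Constructed sample data (RFC 5737 documentation addresses).
EVENTS = [
    RiskEvent("alarm", "203.0.113.7", "198.51.100.10", "high", 0.9),
    RiskEvent("security_event", "203.0.113.8", "198.51.100.11", "medium", 0.5),
    RiskEvent("alarm", "203.0.113.9", "198.51.100.99", "high", 1.0),  # dst not an asset address
]
INTEL = [ThreatIntel("198.51.100.12", "malware", "low", 0.8)]
HOMOLOGS = [
    HomologousAsset("http://api.example.com/data1", frozenset({"203.0.113.7", "198.51.100.10"}), 0.97),
    HomologousAsset("http://api.example.com/data2", frozenset({"203.0.113.8", "198.51.100.11"}), 0.80),
    HomologousAsset("http://api.example.com/data3", frozenset({"198.51.100.12"}), 0.60),
]

if __name__ == "__main__":
    for a in HOMOLOGS:
        print(a.url, round(asset_risk_degree(a, EVENTS, INTEL), 3))
    print("target", round(target_risk_degree(HOMOLOGS, EVENTS, INTEL), 3))
```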
Example two
Fig. 2 is a schematic structural diagram of an API asset risk analysis device according to an embodiment of the present application, where the API asset risk analysis device 200 includes:
a data input module 201, configured to obtain a target API asset and API asset data of the target API asset;
a homology matching module 202, configured to match at least one homologous API asset associated with the target API asset in an API asset library based on API asset data of the target API asset, and determine homology data of each of the homologous API assets;
a risk degree calculation module 203, configured to match the homologous API assets with preset risk event data so as to determine the risk degree data of each homologous API asset;
the risk analysis module 204 is configured to determine a risk analysis result of the target API asset based on the risk degree data and the homology degree data of each of the homologous API assets.
In some embodiments, the API asset library stores one or more API assets and API asset data corresponding thereto; the API asset data includes element data including at least one of location data, associated attribute data, interaction data type, vulnerability data, and user data;
The homology matching module 202 includes:
a matching unit, configured to carry out homology matching of the target API asset in the API asset library so as to determine at least one API asset whose element data is identical to any element data of the target API asset as a homologous API asset.
In some embodiments, the risk event data includes at least one risk event type and risk data corresponding thereto; the risk degree calculation module 203 includes:
a homologous API asset risk assessment unit, configured to, when API asset data based on the homologous API asset matches at least one of the risk event types, determine event risk degree data of the homologous API asset with respect to the risk event type based on risk data corresponding to any of the matched risk event types, so that risk degree data of the homologous API asset is determined based on event risk degree data corresponding to all of the matched risk event types;
the risk event type comprises threat information, a blacklist, an alarm, a security event and a vulnerability, and the risk data comprises a risk level, a risk confidence level and a risk evaluation value mapped with the risk level.
In some embodiments, the risk event data includes a threat intelligence library corresponding to the threat intelligence, the threat intelligence library storing a plurality of threat types and associated threat intelligence data; the homologous API asset risk assessment unit includes:
and the threat information matching unit is used for determining that threat information exists in the API asset data of the homologous API asset when the threat type and the threat information data corresponding to the API asset data of the homologous API asset are matched in the threat information library.
In some embodiments, the risk event data further includes alert data corresponding to the alert and security event data corresponding to the security event; the homologous API asset risk assessment unit further comprises:
an alarm matching unit, configured to determine that an alarm exists in the API asset data of the homologous API asset when the API asset data of the homologous API asset matches the alarm source address and the alarm destination address contained in the alarm data; and/or
and the security event matching unit is used for determining that a security event exists in the API asset data of the homologous API asset when the API asset data of the homologous API asset is matched with the security event source address and the security event destination address contained in the security event data.
In some embodiments, the homology matching module 202 includes:
a feature attribute selection unit configured to determine at least one feature attribute indicating a category of the homologous API asset from element data of the homologous API asset, and divide feature attribute conditions for each of the feature attributes, the category including a homologous API and a non-homologous API;
a category frequency calculation unit for determining a category frequency for each category in a training sample for training a preset classifier;
a conditional probability calculation unit, configured to calculate, based on the category frequency, a conditional probability for each characteristic attribute condition under each category, where the conditional probability is used to characterize a strength of relationship between the category and the characteristic attribute condition;
and the homology calculating unit is used for inputting the API asset data of any homologous API asset into the classifier to determine the characteristic identification probability of the homologous API asset about each characteristic attribute, and mapping the characteristic identification probability into the corresponding characteristic attribute condition to obtain corresponding condition probability, so that the homology data and the belonging category of the input homologous API asset are output under the joint calculation of the corresponding condition probability of each characteristic attribute.
In some embodiments, the homology calculation unit comprises:
the class distribution probability calculation unit is used for calculating the class distribution probability of the input homologous API asset under the class according to the corresponding conditional probability of each characteristic attribute and the class frequency of the class;
the class identification unit is used for determining that the class corresponding to the maximum value of the class distribution probability is the class of the input homologous API asset;
and the computing unit is used for determining the homology data of the input homologous API assets based on the maximum value of the category distribution probability and a computing coefficient consisting of the category distribution probability under each category.
In some embodiments, risk analysis module 204 includes:
and the target API asset risk degree calculation unit is used for carrying out weighted calculation on the risk degree data and the homology data of each homologous API asset to obtain the risk degree data of the target API asset as a risk analysis result.
The apparatus of the embodiments of the present application can perform the method provided by the embodiments of the present application, and the implementation principles are similar: the actions performed by each module of the apparatus correspond to the steps of the method in the corresponding embodiment. For the detailed functions of each module, refer to the corresponding method described above; they are not repeated here.
Example III
An electronic device according to an embodiment of the present disclosure includes a memory and a processor. The memory is for storing non-transitory computer readable instructions. In particular, the memory may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, random access memory (RAM) and/or cache memory (cache). The non-volatile memory may include, for example, read only memory (ROM), a hard disk, flash memory, and the like.
The processor may be a Central Processing Unit (CPU) or other form of processing unit having data processing and/or instruction execution capabilities, and may control other components in the electronic device to perform the desired functions. In one embodiment of the present disclosure, the processor is configured to execute the computer readable instructions stored in the memory to cause the electronic device to perform all or part of the steps of the API asset risk analysis method of the various embodiments of the present disclosure described above.
It should be understood by those skilled in the art that, in order to solve the technical problem of how to obtain a good user experience effect, the present embodiment may also include well-known structures such as a communication bus, an interface, and the like, and these well-known structures are also included in the protection scope of the present disclosure.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application. A schematic diagram of an electronic device suitable for use in implementing embodiments of the present disclosure is shown. The electronic device shown in fig. 3 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in fig. 3, the electronic device may include a processor (e.g., a central processing unit, a graphic processor, etc.) that may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) or a program loaded from a storage device into a Random Access Memory (RAM). In the RAM, various programs and data required for the operation of the electronic device are also stored. The processor, ROM and RAM are connected to each other by a bus. An input/output (I/O) interface is also connected to the bus.
In general, the following devices may be connected to the I/O interface: input means including, for example, sensors or visual information gathering devices; output devices including, for example, display screens and the like; storage devices including, for example, magnetic tape, hard disk, etc.; a communication device. The communication means may allow the electronic device to communicate wirelessly or by wire with other devices, such as edge computing devices, to exchange data. While fig. 3 shows an electronic device having various means, it is to be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a non-transitory computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via a communication device, or installed from a storage device, or installed from ROM. All or part of the steps of the API asset risk analysis method of the embodiments of the present disclosure are performed when the computer program is executed by a processor.
The detailed description of the present embodiment may refer to the corresponding description in the foregoing embodiments, and will not be repeated herein.
The basic principles of the present disclosure have been described above in connection with specific embodiments, however, it should be noted that the advantages, benefits, effects, etc. mentioned in the present disclosure are merely examples and not limiting, and these advantages, benefits, effects, etc. are not to be considered as necessarily possessed by the various embodiments of the present disclosure. Furthermore, the specific details disclosed herein are for purposes of illustration and understanding only, and are not intended to be limiting, since the disclosure is not necessarily limited to practice with the specific details described.
In this disclosure, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions, and the block diagrams of devices, apparatuses, devices, systems involved in this disclosure are merely illustrative examples and are not intended to require or implicate that connections, arrangements, configurations must be made in the manner shown in the block diagrams. As will be appreciated by one of skill in the art, the devices, apparatuses, devices, systems may be connected, arranged, configured in any manner. Words such as "including," "comprising," "having," and the like are words of openness and mean "including but not limited to," and are used interchangeably therewith. The term "or" as used herein refers to, and is used interchangeably with, the term "and/or" unless the context clearly indicates otherwise. The term "such as" as used herein refers to, and is used interchangeably with, the phrase "such as, but not limited to."
In addition, as used herein, the use of "or" in the recitation of items beginning with "at least one" indicates a separate recitation, such that recitation of "at least one of A, B or C" for example means A or B or C, or AB or AC or BC, or ABC (i.e., A and B and C). Furthermore, the term "exemplary" does not mean that the described example is preferred or better than other examples.
It is also noted that in the systems and methods of the present disclosure, components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered equivalent to the present disclosure.
Various changes, substitutions, and alterations are possible to the techniques described herein without departing from the teachings of the techniques defined by the appended claims. Furthermore, the scope of the claims of the present disclosure is not limited to the particular aspects of the process, machine, manufacture, composition of matter, means, methods and acts described above. The processes, machines, manufacture, compositions of matter, means, methods, or acts, presently existing or later to be developed that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein may be utilized. Accordingly, the appended claims are intended to include within their scope such processes, machines, manufacture, compositions of matter, means, methods, or acts.
The previous description of the disclosed aspects is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other aspects without departing from the scope of the disclosure. Thus, the present disclosure is not intended to be limited to the aspects shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description has been presented for purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of the disclosure to the form disclosed herein. Although a number of example aspects and embodiments have been discussed above, a person of ordinary skill in the art will recognize certain variations, modifications, alterations, additions, and subcombinations thereof.

Claims (11)

1. An API asset risk analysis method, comprising:
acquiring API asset data of a target API asset;
matching at least one homologous API asset associated with the target API asset in an API asset library based on the API asset data of the target API asset, and determining homology data for each of the homologous API assets;
matching the homologous API assets with preset risk event data to determine risk degree data of each homologous API asset;
and determining a risk analysis result of the target API asset based on the risk degree data and the homology degree data of each homologous API asset.
2. The API asset risk analysis method as recited in claim 1, wherein said API asset library stores one or more API assets and API asset data corresponding thereto; the API asset data includes element data including at least one of location data, associated attribute data, interaction data type, vulnerability data, and user data;
The matching at least one homologous API asset associated with the target API asset in an API asset library based on API asset data of the target API asset and determining homology data for each of the homologous API assets, comprising:
and carrying out homology matching on the target API assets in the API asset library so as to determine that at least one API asset which is identical to the element data of any target API asset is a homologous API asset.
3. The API asset risk analysis method of claim 2, wherein said risk event data includes at least one risk event type and risk data corresponding thereto; the matching the homologous API assets with preset risk event data to determine risk degree data of each homologous API asset includes:
when the API asset data based on the homologous API asset is matched with at least one risk event type, determining event risk degree data of the homologous API asset about the risk event type based on risk data corresponding to any risk event type matched with the API asset data, so that the risk degree data of the homologous API asset is determined based on event risk degree data corresponding to all risk event types matched with the homologous API asset;
The risk event type comprises threat information, a blacklist, an alarm, a security event and a vulnerability, and the risk data comprises a risk level, a risk confidence level and a risk evaluation value mapped with the risk level.
4. The API asset risk analysis method of claim 3, wherein said risk event data includes a threat intelligence library corresponding to said threat intelligence, said threat intelligence library storing a plurality of threat types and associated threat intelligence data; matching the risk event type with API asset data based on the homologous API asset by:
and when the threat information library is matched with the threat type and threat information data corresponding to the API asset data of the homologous API asset, determining that threat information exists in the API asset data of the homologous API asset.
5. The API asset risk analysis method of claim 4, wherein the risk event data further comprises alert data corresponding to the alert and security event data corresponding to the security event; matching the risk event type with API asset data based on the homologous API asset by:
when the API asset data of the homologous API asset is matched with the alarm source address and the alarm destination address contained in the alarm data, determining that an alarm exists in the API asset data of the homologous API asset; and/or
and when the API asset data of the homologous API asset is matched with the security event source address and the security event destination address contained in the security event data, determining that a security event exists in the API asset data of the homologous API asset.
6. The API asset risk analysis method as recited in claim 2 or 5, wherein determining homology data for the homologous API asset by:
determining at least one characteristic attribute indicating a class of the homologous API asset from element data of the homologous API asset, the class including homologous APIs and non-homologous APIs, and dividing a characteristic attribute condition for each of the characteristic attributes;
determining a category frequency for each category in a training sample for training a preset classifier;
based on the category frequency, calculating the conditional probability of each characteristic attribute condition under each category, wherein the conditional probability is used for representing the relationship strength between the category and the characteristic attribute condition;
Inputting API asset data of any homologous API asset into the classifier to determine a feature identification probability of the homologous API asset with respect to each feature attribute, and mapping the feature identification probability into corresponding feature attribute conditions to obtain corresponding conditional probabilities, so that homology data and belonging categories for the input homologous API asset are output under joint calculation of the corresponding conditional probabilities of each feature attribute.
7. The API asset risk analysis method as recited in claim 6, wherein said outputting homology data for the inputted homologous API asset and belonging categories under joint calculation of conditional probabilities corresponding to each characteristic attribute comprises:
for any category, calculating the category distribution probability of the input homologous API asset under the category based on the corresponding conditional probability of each characteristic attribute and the category frequency of the category;
determining the category corresponding to the maximum value of the category distribution probability as the category of the input homologous API asset;
and determining the homology data of the input homologous API assets based on the maximum value of the category distribution probability and a calculation coefficient consisting of the category distribution probability under each category.
8. The API asset risk analysis method of claim 7, wherein said determining a risk analysis result for said target API asset based on risk degree data and homology data for each said homologous API asset comprises:
and weighting and calculating the risk degree data and the homology data of each homologous API asset to obtain the risk degree data of the target API asset, wherein the risk degree data and the homology data of each homologous API asset are used as risk analysis results.
9. An API asset risk analysis device, comprising:
a data input module configured to acquire a target API asset and the API asset data of the target API asset;
a homology matching module configured to match, in an API asset library and based on the API asset data of the target API asset, at least one homologous API asset associated with the target API asset, and to determine homology data for each of the homologous API assets;
a risk degree calculation module configured to match the homologous API assets against preset risk event data to determine the risk degree data of each homologous API asset; and
a risk analysis module configured to determine the risk analysis result of the target API asset based on the risk degree data and the homology data of each homologous API asset.
10. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the API asset risk analysis method of any one of claims 1 to 8.
11. A computer readable storage medium storing computer instructions for causing a computer to perform the API asset risk analysis method of any one of claims 1-8.
CN202311764430.6A 2023-12-20 2023-12-20 API asset risk analysis method and device, electronic equipment and storage medium Pending CN117786696A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311764430.6A CN117786696A (en) 2023-12-20 2023-12-20 API asset risk analysis method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117786696A true CN117786696A (en) 2024-03-29

Family

ID=90383001
Country Status (1)

Country Link
CN (1) CN117786696A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination