CN117891749B - API application safety monitoring method, device, equipment and storage medium - Google Patents
API application safety monitoring method, device, equipment and storage medium
- Publication number: CN117891749B
- Application number: CN202410302754.6A
- Authority: CN (China)
- Prior art keywords: api, data, request, call, monitoring
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F11/00—Error detection; Error correction; Monitoring
        - G06F11/36—Preventing errors by testing or debugging software
          - G06F11/3668—Software testing
            - G06F11/3672—Test management
              - G06F11/3684—Test management for test design, e.g. generating new test cases
              - G06F11/3688—Test management for test execution, e.g. scheduling of test suites
Abstract
The invention discloses an API application safety monitoring method, device, equipment and storage medium, relating to the technical field of computers, wherein the method comprises the following steps: acquiring request information of all APIs in a service system; performing multidimensional evaluation analysis on the request information of all APIs; if the API evaluation analysis passes, carrying out distributed tracking on the request information of all APIs to obtain API call chain data; performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API; and based on the behavior characteristic data set and the current request data of the service system, performing exception monitoring on the API to obtain an API monitoring result. The method can comprehensively and accurately track the calling links of the API application, including the calling relation among the services, the data of the request and the response, the calling time and other information, is favorable for discovering potential safety risks and abnormal behaviors, and improves the usability and the stability of the system.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an API application security monitoring method, apparatus, device, and storage medium.
Background
With the widespread development of internet applications, businesses are increasingly dependent on Application Programming Interfaces (APIs). Traditional API monitoring mainly uses the IP address, URL or server as the unit of analysis, so a detailed picture of an API attack event is hard to produce; after an intrusion, an administrator cannot tell which application API was attacked. Traditional API monitoring is also maintained through asset inventories, but in practice some assets are missed in security assessments, or the related applications are left unmaintained for long periods. When a vulnerability in an API framework is disclosed or exploited, the affected application nodes may not be located in time, and the best window for emergency response is missed.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, an apparatus, a device and a storage medium for API application security monitoring, so as to solve at least one of the problems in the prior art.
The invention provides an API application safety monitoring method, which comprises the following steps:
acquiring request information of all APIs in a service system;
performing multidimensional evaluation analysis on the request information of all APIs;
If the API evaluation analysis passes, carrying out distributed tracking on the request information of all APIs to obtain API call chain data;
Performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API;
And based on the behavior characteristic data set of the API and the current request data of the service system, carrying out anomaly monitoring on the API to obtain an API monitoring result.
Optionally, according to the method for monitoring API application security provided by the present invention, the multidimensional evaluation analysis performed on the request information of all APIs includes:
performing fuzz testing on the API based on preset invalid data; and/or
modifying request parameters in the request information of the API to monitor whether the response data of the API is in a normal state; and/or
verifying whether the identity verification and authorization mechanism of the API is valid; and/or
checking whether the API has a leakage risk when processing, storing and transmitting data; and/or
analyzing whether the logic flow and the business rules of the API are normal.
Optionally, according to the method for monitoring API application security provided by the present invention, the multidimensional evaluation analysis performed on the request information of all APIs includes:
verifying whether the API executes operations according to preset business rules; and/or
checking whether the API validates its input data; and/or
verifying whether the API enforces rights and access control; and/or
checking whether the API maintains consistency of the data when processing it; and/or
monitoring whether the API generates logs and audit records; and/or
simulating user operations with an automated test tool to verify the business logic compliance of the API; and/or
checking the third-party libraries and dependencies used by the API for security risks or logic problems.
Optionally, according to the method for monitoring API application security provided by the present invention, the request information includes a request identifier, an API call identifier, a request call time and a response time;
the step of carrying out distributed tracking on the request information of all APIs to obtain API call chain data comprises the following steps:
determining call data among the service nodes based on the request identifier, the API call identifier, the request call time and the response time;
And associating the call data among the service nodes to obtain the API call chain data.
Optionally, according to the method for monitoring API application security provided by the present invention, the predicting the behavior of the API call chain data generates a behavior feature data set of the API, including:
inputting the API call chain data into a pre-constructed behavior prediction model to obtain a behavior characteristic data set which is output by the behavior prediction model and is matched with the normal behavior of a service system;
The behavior prediction model is constructed by the following steps:
Acquiring a plurality of call data;
preprocessing each call data;
And carrying out iterative training on the model to be trained based on the preprocessed call data to obtain the behavior prediction model.
Optionally, according to the method for monitoring API application security provided by the present invention, the monitoring of the API for exception based on the behavior feature data set of the API and the current request data of the service system, to obtain an API monitoring result, includes:
determining a degree of deviation between the behavioral characteristic data set and the current request data;
And determining the API monitoring result based on the deviation degree.
Optionally, according to the method for monitoring API application security provided by the present invention, the monitoring of the API for exception based on the behavior feature data set of the API and the current request data of the service system, to obtain an API monitoring result, includes:
determining a degree of deviation between the behavioral characteristic data set and the current request data;
Performing rule matching on the current request data according to a pre-constructed business logic rule to obtain a matching result;
performing cluster analysis on the current request data to obtain a cluster result;
And determining the API monitoring result based on the deviation degree, the matching result and the clustering result.
The invention also provides an API application safety monitoring device, which comprises:
The acquisition module is used for acquiring request information of all APIs in the service system;
the analysis module is used for carrying out multidimensional evaluation analysis on the request information of all APIs;
the tracking module is used for carrying out distributed tracking on the request information of all APIs if the API evaluation analysis passes, so as to obtain API call chain data;
the prediction module is used for performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API;
and the monitoring module is used for carrying out abnormal monitoring on the API based on the behavior characteristic data set of the API and the current request data of the service system to obtain an API monitoring result.
The invention also provides a computer device, which comprises a memory, a processor and computer readable instructions stored in the memory and capable of running on the processor, wherein the processor realizes the API application safety monitoring method when executing the computer readable instructions.
The present invention also provides one or more readable storage media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform an API application security monitoring method as described above.
The method, the device, the equipment and the storage medium for monitoring the application safety of the API comprise the following steps: acquiring request information of all APIs in a service system; performing multidimensional evaluation analysis on the request information of all APIs; if the API evaluation analysis passes, carrying out distributed tracking on the request information of all APIs to obtain API call chain data; performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API; and based on the behavior characteristic data set of the API and the current request data of the service system, carrying out anomaly monitoring on the API to obtain an API monitoring result. The invention can comprehensively and accurately track the calling links of the API application through the distributed tracking-based method, including the calling relation, the data of requests and responses, the calling time and other information among the services, is beneficial to finding potential safety risks and abnormal behaviors, and can find abnormal requests, responses or behavior patterns through analyzing the tracking data, thereby improving the usability and stability of the system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments of the present invention will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an API application security monitoring method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of distributed trace call data according to one embodiment of the present invention;
FIG. 3 is a schematic diagram of an API application security monitoring device according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a computer device in accordance with an embodiment of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terminology used in the one or more embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the invention. As used in one or more embodiments of the invention, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present invention refers to and encompasses any or all possible combinations of one or more of the associated listed items.
In an embodiment, as shown in fig. 1, fig. 1 is a flow chart of an API application security monitoring method according to an embodiment of the present invention, and the embodiment of the present invention provides an API application security monitoring method, including the following steps:
step S11, request information of all APIs in a service system is obtained;
It should be noted that instrumentation points are placed at the entrance and exit of each API to collect information about the request and the response. The request information includes the request URL, request method, request headers, request body, response status code, response headers, response body and similar fields. At the same time, the relevant information about the service node and the call chain is collected for subsequent analysis and association.
Step S12, carrying out multidimensional evaluation analysis on the request information of all APIs;
It should be noted that after all the API information is obtained, security analysis and evaluation are required. Optionally, the security analysis includes a vulnerability assessment of the API's design and implementation, and a business logic security and compliance analysis. The vulnerability assessment can be carried out through vulnerability scanning, fuzz testing, parameter tampering, authentication and authorization testing, data leakage testing and logic testing. The business logic compliance detection checks that the API conforms to the business rules and logic requirements, so that security risks caused by logic errors or non-compliant operations are avoided. The evaluation and analysis method for each dimension is described in the following embodiments and is not repeated here.
Step S13, if the API evaluation analysis passes, carrying out distributed tracking on the request information of all APIs to obtain API call chain data;
The request information includes a request identifier, an API call identifier, a request call time and a response time. Specifically, tracing code is embedded in the application so that each time a request is initiated it records the relevant information, including the unique identifier of the request, the start time, the end time and the service or component involved. The request context is propagated across the services of a request link by adding an identifier to the request header or context, so that the collected trace data can be sent to a central storage or processing system for subsequent analysis and visualization.
Step S14, performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API;
Specifically, after the API call chain data is collected through distributed tracing, it is preprocessed and the useful data fields are selected, for example the call time, response time and call parameters of each API. The selected API call chain data is then fed to a pre-constructed behavior prediction model, which produces an API call behavior profile for the normal case, i.e. a behavior characteristic data set matching the normal behavior of the service system. The behavior prediction model is trained in advance on collected call information such as the call time, response time and call parameters of the API.
And step S15, based on the behavior characteristic data set of the API and the current request data of the service system, performing anomaly monitoring on the API to obtain an API monitoring result.
Specifically, the current request data of the service system and the behavior feature data set of the API are searched and matched, the deviation degree between the behavior feature data set of the API and the current request data of the service system is detected, whether the current request data is abnormal or not is judged, and the API monitoring result is obtained. In this embodiment, a series of rules may be formulated according to the business logic and experience, and rule matching may be performed on the API request to determine whether it is abnormal. A machine learning algorithm can also be utilized to train a classifier or clustering model to classify or cluster API requests and determine requests that do not meet expectations as abnormal.
The embodiment of the invention comprises the following steps: acquiring request information of all APIs in a service system; performing multidimensional evaluation analysis on the request information of all APIs; if the API evaluation analysis passes, carrying out distributed tracking on the request information of all APIs to obtain API call chain data; performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API; and based on the behavior characteristic data set of the API and the current request data of the service system, carrying out anomaly monitoring on the API to obtain an API monitoring result. The method can comprehensively and accurately track the calling links of the API application through the distributed tracking-based method, and is beneficial to finding out potential safety risks and abnormal behaviors, wherein the calling links comprise calling relations among all services, data of requests and responses, calling time and the like. Meanwhile, abnormal request, response or behavior patterns can be found through analysis of the tracking data, so that the usability and stability of the system are improved.
In one embodiment of the present invention, the multi-dimensional evaluation analysis of the request information of all APIs includes:
Performing fuzzy test on the API based on preset invalid data; and/or modifying a request parameter in the request information of the API to monitor whether the response data of the API is in a normal state; and/or verifying whether an authentication and authorization mechanism of the API is valid; and/or checking whether the API is at risk of leakage in processing, storing and transmitting data; and/or analyzing whether the logic flow and business rules of the API are normal.
Specifically, fuzz testing: invalid, unexpected or random data is fed to the API and its reaction and robustness are observed; this can reveal problems such as improper input validation and buffer overflows.
Parameter tampering: parameters in the API request are modified and the API's response and behavior are checked against expectations; this can reveal security vulnerabilities such as authorization issues and improper access control.
Identity verification and authorization testing: whether the authentication and authorization mechanism of the API is valid is verified by attempting to access the API with an unauthorized user identity or permission; this can reveal authentication and authorization vulnerabilities such as unauthorized access and privilege escalation.
Data leakage testing: whether the API is at risk of leakage when processing, storing and transmitting data is checked; this can reveal whether too much sensitive information is returned, or whether sensitive data is not properly encrypted or masked.
Logic vulnerability testing: the logic flow and business rules of the API are analyzed and potential logic vulnerabilities are triggered through unconventional operations or inputs; this can reveal business logic errors, improper processing flows and similar problems.
In one embodiment of the present invention, the multi-dimensional evaluation analysis of the request information of all APIs includes:
Verifying whether the API executes operations according to preset business rules; and/or checking whether the API validates its input data; and/or verifying whether the API enforces rights and access control; and/or checking whether the API maintains consistency of the data when processing it; and/or monitoring whether the API generates logs and audit records; and/or simulating user operations with an automated test tool to verify the business logic compliance of the API; and/or checking the third-party libraries and dependencies used by the API for security risks or logic problems.
Specifically, business rule verification: verify whether the API performs operations according to the preset business rules, ensuring that it follows the correct order and steps when processing the business logic without skipping or incorrectly performing any critical step.
Input verification: check whether the API sufficiently validates the input data, i.e. whether user input conforms to the expected format, type and range. This ensures that the API handles boundary conditions and abnormal inputs correctly and avoids logic errors or security vulnerabilities.
Rights and access control: verify whether the API correctly enforces rights and access control, checking whether the user is allowed to access a specific resource or perform a specific operation, and ensuring that appropriate authentication and authorization mechanisms are applied when handling sensitive data or performing critical operations.
Data consistency: check whether the API keeps the data consistent while processing it. When updating database records, the updates of the related fields must be atomic so that they do not leave the data inconsistent. The behavior of the API in a concurrent environment is also verified to rule out race conditions, deadlocks and similar problems.
Business logic error detection: techniques such as fuzz testing and exception testing are used to discover potential logic errors. Invalid or abnormal input is provided to the API and it is observed whether it is handled correctly; the code and logic flow of the API are analyzed to find possible logic vulnerabilities or errors.
Log and audit: ensure that the API generates appropriate logs and audit records. These records help detect non-compliant operations or abnormal behavior, and the log data is analyzed for possible security events or violations.
Automated testing: automated test tools are used to simulate user operations and verify the business logic compliance of the API. Test cases are written with an API test framework, and functional and regression tests are run against the API. Integrating the automated tests into a continuous integration/continuous deployment (CI/CD) pipeline ensures that every code change undergoes the compliance checks.
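The compliance checks listed above (business rule, input validation, rights and access control, log and audit, automated testing) can be exercised offline against a handler without any network. The following is an added example, not code from the patent: the `handle_transfer` endpoint, the `USERS` table, the audit log and every test case are constructed here for illustration.

```python
# Added example (not from the patent): an offline harness that runs the
# business-logic compliance checks against a toy API handler.
# The handler, the principal table and the test cases are all constructed here.
from dataclasses import dataclass, field
from typing import Optional

AUDIT_LOG: list = []  # every handled call is recorded here (log and audit check)

USERS = {  # constructed sample principals: user name -> roles
    "alice": {"admin"},
    "bob": {"user"},
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def validate_transfer(params: dict) -> Optional[str]:
    """Input validation: return an error string, or None if the request is well formed."""
    amount = params.get("amount")
    if not isinstance(amount, int) or isinstance(amount, bool):
        return "amount must be an integer"
    if amount <= 0 or amount > 1_000_000:
        return "amount out of range"
    to = params.get("to")
    if not isinstance(to, str) or not to.isalnum():
        return "to must be an alphanumeric account id"
    return None


def handle_transfer(user: str, params: dict) -> Response:
    """Toy API endpoint: audit record, then authorization, then input validation, then the business step."""
    AUDIT_LOG.append({"api": "transfer", "user": user, "params": dict(params)})
    roles = USERS.get(user, set())
    if not roles:
        return Response(401, {"error": "unauthenticated"})
    # business rule: only admins may move funds into the treasury account
    if "admin" not in roles and params.get("to") == "treasury":
        return Response(403, {"error": "forbidden"})
    err = validate_transfer(params)
    if err:
        return Response(400, {"error": err})
    return Response(200, {"ok": True, "amount": params["amount"]})


def run_compliance_checks() -> dict:
    """Run every check and return {check name: passed?}; suitable for a CI gate."""
    AUDIT_LOG.clear()
    results = {}
    # rights and access control: unknown user and low-privilege user must be refused
    results["rejects_unauthenticated"] = handle_transfer("mallory", {"amount": 1, "to": "x1"}).status == 401
    results["rejects_unauthorized"] = handle_transfer("bob", {"amount": 1, "to": "treasury"}).status == 403
    # input verification: wrong type, both boundaries, and a malformed account id
    bad_inputs = [
        {"amount": "1", "to": "x1"},
        {"amount": 0, "to": "x1"},
        {"amount": 1_000_001, "to": "x1"},
        {"amount": 5, "to": "../etc"},
    ]
    results["validates_input"] = all(handle_transfer("bob", p).status == 400 for p in bad_inputs)
    # business rule: a well-formed, authorized request succeeds and echoes the amount
    ok = handle_transfer("alice", {"amount": 50, "to": "acct9"})
    results["valid_request_succeeds"] = ok.status == 200 and ok.body["amount"] == 50
    # log and audit: every call made above must have left exactly one audit record
    results["audit_record_per_call"] = len(AUDIT_LOG) == 2 + len(bad_inputs) + 1
    return results


if __name__ == "__main__":
    for name, passed in run_compliance_checks().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

A real harness would drive the deployed API over HTTP instead of calling the handler directly, but the structure is the same: each check is a named, repeatable assertion, so a failing check pinpoints which dimension of the evaluation regressed.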
In an embodiment of the present invention, the request information includes a request identifier and an API call identifier, a request call time and a response time; the step of carrying out distributed tracking on the request information of all APIs to obtain API call chain data comprises the following steps:
determining call data among the service nodes based on the request identifier, the API call identifier, the request call time and the response time; and associating the call data among the service nodes to obtain the API call chain data.
It should be noted that every request must carry a global request identifier, every interface call must carry a global API call identifier, and every interface call also records its request call time and response time, so that the API call identifiers can be associated with one another. Specifically, the call data between service nodes is determined from the request identifier, the API call identifier, the request call time and the response time, and the call data between the service nodes is then associated to obtain the API call chain data.
For example, referring to fig. 2, fig. 2 is a schematic diagram of distributed trace call data according to an embodiment of the present invention. Tracing uses the OpenTracing data model: a Trace is a complete request link; a Span is one call procedure with a start time and an end time; a SpanContext carries the global context of the trace, such as the TraceId. The global trace_id associates every sub-call with the original request; span_id identifies the individual call, and parent_span_id links two adjacent calls. The resulting API call chain is shown in table 1:
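As an added example of the association step described above (not code from the patent), the block below rebuilds a call chain from OpenTracing-style span records carrying trace_id, span_id, parent_span_id, start and end times. The span records are constructed sample data; the service names, the `api` field and the millisecond units are assumptions. A span whose parent was never collected is kept aside as an orphan rather than silently dropped, since an incomplete chain is itself a monitoring signal.

```python
# Added example (not from the patent): assembling API call chains from
# OpenTracing-style spans linked by trace_id / span_id / parent_span_id.
# All span records below are constructed sample data; times are in ms.
from collections import defaultdict

SPANS = [  # one request fanning out gateway -> order -> (inventory, payment)
    {"trace_id": "t1", "span_id": "s1", "parent_span_id": None, "service": "gateway",   "api": "POST /checkout", "start": 1000, "end": 1180},
    {"trace_id": "t1", "span_id": "s2", "parent_span_id": "s1", "service": "order",     "api": "POST /orders",   "start": 1010, "end": 1170},
    {"trace_id": "t1", "span_id": "s3", "parent_span_id": "s2", "service": "inventory", "api": "GET /stock",     "start": 1020, "end": 1060},
    {"trace_id": "t1", "span_id": "s4", "parent_span_id": "s2", "service": "payment",   "api": "POST /charge",   "start": 1070, "end": 1160},
    # orphan: its parent span s7 was never collected, so the chain is incomplete
    {"trace_id": "t1", "span_id": "s9", "parent_span_id": "s7", "service": "payment",   "api": "POST /refund",   "start": 1100, "end": 1120},
]


def build_call_chains(spans):
    """Group spans by trace_id and attach each span to its parent via parent_span_id.
    Returns {trace_id: {"roots": [...], "orphans": [...], "children": {...}, "by_id": {...}}}."""
    traces = {}
    for s in spans:
        t = traces.setdefault(s["trace_id"], {"by_id": {}, "children": defaultdict(list)})
        t["by_id"][s["span_id"]] = s
    out = {}
    for tid, t in traces.items():
        roots, orphans = [], []
        for s in t["by_id"].values():
            parent = s["parent_span_id"]
            if parent is None:
                roots.append(s)               # entry point of the request link
            elif parent in t["by_id"]:
                t["children"][parent].append(s)
            else:
                orphans.append(s)             # parent never collected: incomplete chain
        out[tid] = {"roots": roots, "orphans": orphans,
                    "children": t["children"], "by_id": t["by_id"]}
    return out


def call_edges(chain, span_id):
    """Depth-first list of (caller_service, callee_service, callee_api, duration_ms) under span_id."""
    edges = []
    caller = chain["by_id"][span_id]
    for child in sorted(chain["children"][span_id], key=lambda s: s["start"]):
        edges.append((caller["service"], child["service"], child["api"], child["end"] - child["start"]))
        edges.extend(call_edges(chain, child["span_id"]))
    return edges


def render(chain, span_id, depth=0):
    """Indented text view of the call chain rooted at span_id, one line per span."""
    s = chain["by_id"][span_id]
    lines = ["  " * depth + f'{s["service"]} {s["api"]} ({s["end"] - s["start"]} ms)']
    for child in sorted(chain["children"][span_id], key=lambda x: x["start"]):
        lines.extend(render(chain, child["span_id"], depth + 1))
    return lines


if __name__ == "__main__":
    chains = build_call_chains(SPANS)
    for tid, chain in chains.items():
        for root in chain["roots"]:
            print("\n".join(render(chain, root["span_id"])))
        for o in chain["orphans"]:
            print(f"orphan span {o['span_id']} (parent {o['parent_span_id']} missing)")
```

The `call_edges` output is the per-trace list of caller/callee pairs with durations, which is exactly the kind of record the later behavior prediction step consumes: the calling relation, the call time and the response time for each hop.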
the embodiment of the invention realizes the visible observation of the service link by distributing the call link of the tracking API, so that the problem of API application safety can be effectively solved based on the tracking data and combined with a safety detection method, machine learning and other big data analysis technologies.
In one embodiment of the present invention, the performing behavior prediction on the API call chain data to generate a behavior feature data set of an API includes:
inputting the API call chain data into a pre-constructed behavior prediction model to obtain a behavior characteristic data set which is output by the behavior prediction model and is matched with the normal behavior of a service system; the behavior prediction model is constructed by the following steps: acquiring a plurality of call data and preprocessing each call data; and carrying out iterative training on the model to be trained based on the preprocessed call data to obtain the behavior prediction model.
It should be noted that a large amount of call data is collected, including request parameters, response data and call times. Such data may be obtained through log analysis, monitoring systems or API management tools. Each call record is then cleaned, de-duplicated and classified, and useful features and information are extracted, which includes handling missing values, outliers and invalid data. Suitable features are then selected according to the business requirements and the problem background, and operations such as feature transformation and dimensionality reduction are applied to improve the model's performance. The model to be trained is then trained iteratively on the preprocessed call data to obtain the behavior prediction model, which can be a decision tree, a random forest or another machine learning model. Optionally, the model's performance is evaluated with cross-validation, a confusion matrix, accuracy, recall and similar metrics, and its parameters are tuned accordingly. Finally, the trained model is deployed in the production environment to monitor and predict API behavior in real time; new call data is collected periodically, the model's training data set is updated, and the model is retrained and re-optimized so that its accuracy and effectiveness are maintained.
Specifically, after the API call chain data is collected through distributed tracking, all the API call chain data are preprocessed, relevant useful data fields such as calling time, response time, calling parameters and the like are screened out, and the screened API call chain data are input into a pre-constructed behavior prediction model to obtain a behavior characteristic data set which is output by the behavior prediction model and is matched with normal behavior of a service system.
The embodiment of the invention can find abnormal requests, responses or behavior modes through analysis of the tracking data, and timely find the existing security threat according to the detection of parameter tampering, calling frequency abnormality, logic abnormality and the like.
In one embodiment of the present invention, the monitoring the abnormality of the API based on the behavior feature data set of the API and the current request data of the service system to obtain an API monitoring result includes:
determining a degree of deviation between the behavioral characteristic data set and the current request data; and determining the API monitoring result based on the deviation degree; or, alternatively:
determining a degree of deviation between the behavioral characteristic data set and the current request data; performing rule matching on the current request data according to a pre-constructed business logic rule to obtain a matching result; performing cluster analysis on the current request data to obtain a cluster result; and determining the API monitoring result based on the deviation degree, the matching result and the clustering result.
Specifically, the current request data of the service system is obtained; the degree of deviation between the behavior feature data set and the current request data is then calculated, and whether the current request data is abnormal is judged from that deviation degree, which yields the API monitoring result.
In addition, to improve the accuracy of anomaly monitoring, API anomalies may in this embodiment also be determined jointly by rule-based anomaly detection and machine-learning-based anomaly detection. In more detail, after the degree of deviation between the behavior feature data set and the current request data has been determined: rule-based anomaly detection performs rule matching on the current request data against a pre-constructed set of business logic rules (rules established from business logic and experience) to obtain a matching result, which indicates whether the current request data is abnormal; machine-learning-based anomaly detection trains a classifier or clustering model with a machine learning algorithm, uses that model to perform cluster analysis on the current request data to obtain a clustering result, and judges a request whose clustering result does not match the expected one as abnormal. The API monitoring result for the request data is then determined jointly from the deviation degree, the matching result and the clustering result.
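As an added illustration of the combined monitoring described above (and of the corresponding device modules and claims 3 and 4), not code from the patent, the following Python computes the three signals over a constructed baseline: the deviation degree as the mean absolute z-score of the current request's features against the behavior feature data set, the matching result against an assumed set of business logic rules for an order-creation API, and a cluster result from a small deterministic k-means over the baseline. The feature names, thresholds, rules and sample requests are all assumptions.

```python
"""Added example (not the patent's own code): API anomaly monitoring that combines
a deviation degree, business-rule matching and cluster analysis. All data assumed."""
from math import sqrt
from statistics import mean, pstdev

FEATURES = ("response_ms", "param_count", "payload_bytes")
DEVIATION_THRESHOLD = 3.0  # assumed: mean |z-score| above which a request is abnormal
CLUSTER_SLACK = 1.5        # assumed: allowed distance as a multiple of the cluster radius

# Constructed behavior feature data set for one API (/order/create): the normal
# observations the behavior prediction model is assumed to emit (two modes:
# single-item orders and bulk orders).
BASELINE = [
    {"response_ms": 110, "param_count": 4, "payload_bytes": 290},
    {"response_ms": 125, "param_count": 4, "payload_bytes": 310},
    {"response_ms": 118, "param_count": 4, "payload_bytes": 305},
    {"response_ms": 131, "param_count": 5, "payload_bytes": 340},
    {"response_ms": 240, "param_count": 6, "payload_bytes": 620},
    {"response_ms": 255, "param_count": 6, "payload_bytes": 640},
    {"response_ms": 232, "param_count": 6, "payload_bytes": 610},
    {"response_ms": 248, "param_count": 7, "payload_bytes": 660},
]

# Pre-constructed business logic rules for /order/create (assumed rules).
BUSINESS_RULES = {
    "quantity_positive": lambda r: r.get("quantity", 0) >= 1,
    "amount_matches_price": lambda r: r.get("amount") == r.get("quantity", 0) * r.get("unit_price", 0),
    "user_present": lambda r: bool(r.get("user_id")),
}


def _stats(baseline):
    """Per-feature (mean, std); std floored at 1.0 so a constant feature cannot divide by zero."""
    return {f: (mean(o[f] for o in baseline), max(pstdev(o[f] for o in baseline), 1.0))
            for f in FEATURES}


def _standardize(obs, stats):
    return [(obs[f] - stats[f][0]) / stats[f][1] for f in FEATURES]


def _dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _nearest(point, centroids):
    return min(range(len(centroids)), key=lambda i: _dist(point, centroids[i]))


def deviation_degree(request_features, baseline):
    """Deviation degree: mean absolute z-score of the request against the baseline."""
    z = _standardize(request_features, _stats(baseline))
    return sum(abs(v) for v in z) / len(z)


def match_rules(request, rules=BUSINESS_RULES):
    """Rule matching result: names of the business rules the request violates."""
    return [name for name, check in rules.items() if not check(request)]


def kmeans(points, k=2, iterations=20):
    """Small deterministic k-means (seeds = first k points); returns centroids and radii."""
    centroids = [list(p) for p in points[:k]]

    def assign():  # group every baseline point under its nearest current centroid
        groups = [[] for _ in centroids]
        for p in points:
            groups[_nearest(p, centroids)].append(p)
        return groups

    for _ in range(iterations):
        groups = assign()
        centroids = [[mean(col) for col in zip(*g)] if g else centroids[i]
                     for i, g in enumerate(groups)]
    groups = assign()  # final membership, used to size each cluster's radius
    radii = [max((_dist(p, centroids[i]) for p in g), default=0.0) for i, g in enumerate(groups)]
    return centroids, radii


def cluster_result(request_features, baseline, k=2):
    """Cluster analysis: nearest normal cluster and whether the request lies within it."""
    stats = _stats(baseline)
    centroids, radii = kmeans([_standardize(o, stats) for o in baseline], k)
    z = _standardize(request_features, stats)
    idx = _nearest(z, centroids)
    distance = _dist(z, centroids[idx])
    return {"cluster": idx, "distance": round(distance, 3),
            "inside": distance <= radii[idx] * CLUSTER_SLACK}


def monitor_api(request, request_features, baseline=BASELINE):
    """API monitoring result determined jointly from the three signals."""
    deviation = deviation_degree(request_features, baseline)
    violated = match_rules(request)
    cluster = cluster_result(request_features, baseline)
    anomalous = deviation > DEVIATION_THRESHOLD or bool(violated) or not cluster["inside"]
    return {"anomalous": anomalous, "deviation": round(deviation, 3),
            "violated_rules": violated, "cluster": cluster}


# Constructed current request data: (request payload, extracted request features).
NORMAL = ({"user_id": "u1", "quantity": 2, "unit_price": 10, "amount": 20}, {"response_ms": 122, "param_count": 4, "payload_bytes": 300})
TAMPERED = ({"user_id": "u1", "quantity": 2, "unit_price": 10, "amount": 1}, {"response_ms": 900, "param_count": 40, "payload_bytes": 9000})
OFF_PATTERN = ({"user_id": "u1", "quantity": 3, "unit_price": 10, "amount": 30}, {"response_ms": 180, "param_count": 5, "payload_bytes": 470})
```

The third sample passes every rule and has a small deviation degree, yet falls between the two normal clusters, so only the cluster result marks it abnormal; this is the case the combined determination is meant to catch.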
The embodiment of the invention can discover and process the safety problem in time by comprehensively monitoring the request and the response of the API and the related service nodes and call chains, thereby ensuring the normal operation of the API. Meanwhile, the system can help developers to quickly locate and solve the problems in the system, and the usability and stability of the system are improved.
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not limit the implementation of the embodiments of the present invention in any way.
In an embodiment, an API application security monitoring device is provided, where the API application security monitoring device corresponds one-to-one to the API application security monitoring method in the foregoing embodiment. As shown in fig. 3, fig. 3 is a schematic structural diagram of an API application security monitoring device according to an embodiment of the present invention, where the API application security monitoring device includes:
an obtaining module 21, configured to obtain request information of all APIs in the service system;
an analysis module 22, configured to perform multidimensional evaluation analysis on the request information of all APIs;
a tracking module 23, configured to perform distributed tracking on the request information of all APIs if the API evaluation analysis passes, so as to obtain API call chain data;
a prediction module 24, configured to perform behavior prediction on the API call chain data, and generate a behavior feature data set of an API;
and a monitoring module 25, configured to perform anomaly monitoring on the API based on the behavior feature data set of the API and the current request data of the service system, so as to obtain an API monitoring result.
The API application security monitoring apparatus further includes:
performing fuzzy test on the API based on preset invalid data; and/or
modifying request parameters in the request information of the API to monitor whether response data of the API is in a normal state or not; and/or
verifying whether an identity verification and authorization mechanism of the API is valid; and/or
checking whether the API has leakage risk in processing, storing and transmitting data; and/or
analyzing whether the logic flow and the business rule of the API are normal.
The API application security monitoring apparatus further includes:
verifying whether the API executes the operation according to a preset business rule; and/or
checking whether the API verifies the input data; and/or
verifying whether the API performs authority and access control; and/or
checking whether the API maintains consistency of the data when processing the data; and/or
monitoring whether the API generates a log and an audit record; and/or
simulating user operations using an automated test tool to verify business logic compliance of the API; and/or
checking whether third-party libraries and dependencies used by the API have security risks or logic problems.
The API application security monitoring apparatus further includes:
The request information comprises a request identifier, an API call identifier, a request call time and a response time;
determining call data among the service nodes based on the request identifier, the API call identifier, the request call time and the response time;
and associating the call data among the service nodes to obtain the API call chain data.
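As an added illustration (not the patent's code) of how call data among service nodes can be associated into API call chain data using only the four fields named here (request identifier, API call identifier, request call time and response time), the following Python groups records by request identifier and nests calls by time containment; the nesting strategy, the identifier format and the trace records are assumptions. The same step appears in claim 1.

```python
"""Added example (not the patent's own code): associating per-node call data into
API call chain data by request identifier and time containment. Sample data is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CallRecord:
    request_id: str               # request identifier shared by every hop of one request
    call_id: str                  # API call identifier ("service:operation" is an assumed format)
    call_time: int                # request call time, ms relative to request start (constructed)
    response_time: Optional[int]  # response time on the same clock; None if never recorded


@dataclass
class ChainNode:
    record: CallRecord
    depth: int
    children: List["ChainNode"] = field(default_factory=list)

    def duration(self) -> Optional[int]:
        """Elapsed time of this call, or None for a call whose response never arrived."""
        if self.record.response_time is None:
            return None
        return self.record.response_time - self.record.call_time


def build_call_chains(records: List[CallRecord]) -> dict:
    """Return, per request identifier, the root nodes of that request's call chain.

    Assumed association strategy: within one request, a call that starts before an
    earlier, still-open call has returned is treated as a downstream call nested in it.
    Calls with no recorded response stay leaves and are flagged by duration() == None.
    """
    by_request = {}
    for rec in records:
        by_request.setdefault(rec.request_id, []).append(rec)

    chains = {}
    for request_id, recs in by_request.items():
        # Parents first: earlier start, and for equal starts the longer-running call.
        recs.sort(key=lambda r: (r.call_time,
                                 -(r.response_time if r.response_time is not None else r.call_time)))
        roots: List[ChainNode] = []
        open_calls: List[ChainNode] = []  # stack of calls still in progress (all have a response_time)
        for rec in recs:
            # Close every open call that already returned before this one started.
            while open_calls and open_calls[-1].record.response_time <= rec.call_time:
                open_calls.pop()
            node = ChainNode(rec, depth=len(open_calls))
            if open_calls:
                open_calls[-1].children.append(node)
            else:
                roots.append(node)
            if rec.response_time is not None:  # only completed calls can contain later calls
                open_calls.append(node)
        chains[request_id] = roots
    return chains


def flatten(roots: List[ChainNode]) -> List[Tuple[str, int, Optional[int]]]:
    """Depth-first (call_id, depth, duration) view of a chain, in call order."""
    out = []

    def walk(node: ChainNode) -> None:
        out.append((node.record.call_id, node.depth, node.duration()))
        for child in node.children:
            walk(child)

    for root in roots:
        walk(root)
    return out


# Constructed trace records for two requests; "audit:log" never reported a response.
SAMPLE_RECORDS = [
    CallRecord("req-1", "gateway:POST /order", 0, 300),
    CallRecord("req-1", "order:create", 20, 250),
    CallRecord("req-1", "inventory:reserve", 40, 100),
    CallRecord("req-1", "payment:charge", 120, 240),
    CallRecord("req-1", "audit:log", 260, None),
    CallRecord("req-2", "gateway:GET /order/42", 0, 50),
]
```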
The API application security monitoring apparatus further includes:
inputting the API call chain data into a pre-constructed behavior prediction model to obtain a behavior characteristic data set which is output by the behavior prediction model and is matched with the normal behavior of a service system;
The behavior prediction model is constructed by the following steps:
acquiring a plurality of call data;
preprocessing each call data;
and carrying out iterative training on the model to be trained based on the preprocessed call data to obtain the behavior prediction model.
The API application security monitoring apparatus further includes:
determining a degree of deviation between the behavioral characteristic data set and the current request data;
and determining the API monitoring result based on the deviation degree.
The API application security monitoring apparatus further includes:
determining a degree of deviation between the behavioral characteristic data set and the current request data;
performing rule matching on the current request data according to a pre-constructed business logic rule to obtain a matching result;
performing cluster analysis on the current request data to obtain a cluster result;
and determining the API monitoring result based on the deviation degree, the matching result and the clustering result.
For specific limitations of the API application security monitoring device, reference may be made to the limitations of the API application security monitoring method above, which are not repeated here. The various modules in the API application security monitoring device described above may be implemented in whole or in part by software, hardware or a combination thereof. The above modules may be embedded in hardware form in, or be independent of, a processor in the computer device, or may be stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and whose internal structure may be as shown in fig. 4; fig. 4 is a schematic diagram of the computer device in an embodiment of the present invention. The computer device includes a processor, a memory, a network interface and a database connected by a device bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a readable storage medium and an internal memory. The readable storage medium stores an operating system, computer readable instructions and a database. The internal memory provides an environment for the execution of the operating system and the computer readable instructions in the readable storage medium. The database of the computer device is used for storing data related to the API application security monitoring method. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer readable instructions, when executed by the processor, implement the API application security monitoring method. The readable storage medium provided by the present embodiment includes a nonvolatile readable storage medium and a volatile readable storage medium.
In one embodiment, a computer device is provided, which may be a terminal device, and the internal structure thereof may be as shown in fig. 4. The computer device includes a processor, a memory, and a network interface connected by a device bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a readable storage medium. The readable storage medium stores computer readable instructions. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer readable instructions when executed by a processor implement an API application security monitoring method. The readable storage medium provided by the present embodiment includes a nonvolatile readable storage medium and a volatile readable storage medium.
In one embodiment, a computer device is provided that includes a memory, a processor, and computer readable instructions stored in the memory and executable on the processor, which when executed implement the steps of the API application security monitoring method as described above.
In one embodiment, a readable storage medium is provided, the readable storage medium storing computer readable instructions that, when executed by a processor, implement the steps of the API application security monitoring method as described above. Those skilled in the art will appreciate that all or part of the processes in the above method embodiments may be implemented by instructing the relevant hardware through computer readable instructions stored in a non-volatile readable storage medium or a volatile readable storage medium; when executed, those instructions may carry out the processes of the above method embodiments. Any reference to memory, storage, a database or another medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM), among others.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention.
Claims (7)
1. An API application security monitoring method, comprising:
acquiring request information of all APIs in a service system;
performing multidimensional evaluation analysis on the request information of all APIs;
if the API evaluation analysis passes, carrying out distributed tracking on the request information of all APIs to obtain API call chain data;
performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API;
based on the behavior characteristic data set of the API and the current request data of the service system, carrying out anomaly monitoring on the API to obtain an API monitoring result;
The multi-dimensional evaluation analysis is carried out on the request information of all APIs, and the multi-dimensional evaluation analysis comprises the following steps:
performing fuzzy test on the API based on preset invalid data;
modifying request parameters in the request information of the API to monitor whether response data of the API is in a normal state or not;
verifying whether an identity verification and authorization mechanism of the API is valid;
checking whether the API has leakage risk in processing, storing and transmitting data;
analyzing whether the logic flow and the business rule of the API are normal;
The multi-dimensional evaluation analysis is carried out on the request information of all APIs, and the multi-dimensional evaluation analysis comprises the following steps:
verifying whether the API executes the operation according to a preset business rule;
checking whether the API verifies the input data;
verifying whether the API performs authority and access control;
checking whether the API maintains consistency of the data when processing the data;
monitoring whether the API generates a log and an audit record;
simulating user operations using an automated test tool to verify business logic compliance of the API;
checking whether a third party library and a dependent item used by the API have security risks or logic problems;
The request information comprises a request identifier, an API call identifier, a request call time and a response time;
the step of carrying out distributed tracking on the request information of all APIs to obtain API call chain data comprises the following steps:
determining call data among the service nodes based on the request identifier, the API call identifier, the request call time and the response time;
associating call data among the service nodes to obtain the API call chain data;
the step of performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API comprises the following steps:
inputting the API call chain data into a pre-constructed behavior prediction model to obtain a behavior characteristic data set which is output by the behavior prediction model and is matched with the normal behavior of the service system.
2. The API application security monitoring method of claim 1, wherein the behavior prediction model is constructed as follows:
acquiring a plurality of call data;
preprocessing each call data;
and carrying out iterative training on the model to be trained based on the preprocessed call data to obtain the behavior prediction model.
3. The method for monitoring API application security according to claim 1, wherein said performing anomaly monitoring on said API based on said API behavior feature data set and said service system current request data to obtain an API monitoring result comprises:
determining a degree of deviation between the behavioral characteristic data set and the current request data;
and determining the API monitoring result based on the deviation degree.
4. The method for monitoring API application security according to claim 1, wherein said performing anomaly monitoring on said API based on said API behavior feature data set and said service system current request data to obtain an API monitoring result comprises:
determining a degree of deviation between the behavioral characteristic data set and the current request data;
performing rule matching on the current request data according to a pre-constructed business logic rule to obtain a matching result;
performing cluster analysis on the current request data to obtain a cluster result;
and determining the API monitoring result based on the deviation degree, the matching result and the clustering result.
5. An API application security monitoring apparatus, comprising:
an acquisition module, used for acquiring request information of all APIs in the service system;
an analysis module, used for carrying out multidimensional evaluation analysis on the request information of all APIs;
a tracking module, used for carrying out distributed tracking on the request information of all APIs if the API evaluation analysis passes, so as to obtain API call chain data;
a prediction module, used for performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API;
a monitoring module, used for carrying out abnormal monitoring on the API based on the behavior characteristic data set of the API and the current request data of the service system to obtain an API monitoring result;
The multi-dimensional evaluation analysis is carried out on the request information of all APIs, and the multi-dimensional evaluation analysis comprises the following steps:
performing fuzzy test on the API based on preset invalid data;
modifying request parameters in the request information of the API to monitor whether response data of the API is in a normal state or not;
verifying whether an identity verification and authorization mechanism of the API is valid;
checking whether the API has leakage risk in processing, storing and transmitting data;
analyzing whether the logic flow and the business rule of the API are normal;
The multi-dimensional evaluation analysis is carried out on the request information of all APIs, and the multi-dimensional evaluation analysis comprises the following steps:
verifying whether the API executes the operation according to a preset business rule;
checking whether the API verifies the input data;
verifying whether the API performs authority and access control;
checking whether the API maintains consistency of the data when processing the data;
monitoring whether the API generates a log and an audit record;
simulating user operations using an automated test tool to verify business logic compliance of the API;
checking whether a third party library and a dependent item used by the API have security risks or logic problems;
The request information comprises a request identifier, an API call identifier, a request call time and a response time;
the step of carrying out distributed tracking on the request information of all APIs to obtain API call chain data comprises the following steps:
determining call data among the service nodes based on the request identifier, the API call identifier, the request call time and the response time;
associating call data among the service nodes to obtain the API call chain data;
the step of performing behavior prediction on the API call chain data to generate a behavior characteristic data set of the API comprises the following steps:
inputting the API call chain data into a pre-constructed behavior prediction model to obtain a behavior characteristic data set which is output by the behavior prediction model and is matched with the normal behavior of the service system.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, wherein the processor implements the API application security monitoring method of any one of claims 1 to 4 when executing the program.
7. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor implements the API application security monitoring method of any of claims 1 to 4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410302754.6A CN117891749B (en) | 2024-03-18 | 2024-03-18 | API application safety monitoring method, device, equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410302754.6A CN117891749B (en) | 2024-03-18 | 2024-03-18 | API application safety monitoring method, device, equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117891749A CN117891749A (en) | 2024-04-16 |
CN117891749B true CN117891749B (en) | 2024-06-04 |
Family
ID=90641560
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410302754.6A Active CN117891749B (en) | 2024-03-18 | 2024-03-18 | API application safety monitoring method, device, equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117891749B (en) |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108737425A (en) * | 2018-05-24 | 2018-11-02 | 北京凌云信安科技有限公司 | Fragility based on multi engine vulnerability scanning association analysis manages system |
WO2020147419A1 (en) * | 2019-01-18 | 2020-07-23 | 深圳壹账通智能科技有限公司 | Monitoring method and apparatus, computer device and storage medium |
WO2021189899A1 (en) * | 2020-09-24 | 2021-09-30 | 平安科技(深圳)有限公司 | Link state tracking method and apparatus, and electronic device and computer storage medium |
CN113761531A (en) * | 2021-08-13 | 2021-12-07 | 北京卫达信息技术有限公司 | Malicious software detection system and method based on distributed API (application program interface) feature analysis |
CN114185708A (en) * | 2021-12-15 | 2022-03-15 | 中国农业银行股份有限公司 | Data analysis method and device based on distributed link tracking and electronic equipment |
CN114297639A (en) * | 2021-12-29 | 2022-04-08 | 恒安嘉新(北京)科技股份公司 | Method and device for monitoring interface calling behavior, electronic equipment and medium |
CN114528196A (en) * | 2022-02-18 | 2022-05-24 | 科来网络技术股份有限公司 | API (application program interface) performance studying and judging method, system and medium based on link tracking |
CN115499187A (en) * | 2022-09-13 | 2022-12-20 | 国网智能电网研究院有限公司 | API safety monitoring model training method, monitoring method, device and equipment |
Also Published As
Publication number | Publication date |
---|---|
CN117891749A (en) | 2024-04-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |