CN114978590B - API security protection method, device and readable storage medium - Google Patents
- Publication number: CN114978590B (application CN202210389284.2A)
- Authority: CN (China)
- Prior art keywords: target, analysis, service request, judgment rule, attack
- Legal status: Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Description
Technical Field
The present application relates to the field of network security, and in particular to an API security protection method, device and readable storage medium.
Background Art
As Internet applications diversify and grow more complex, delivering applications as services has become a clear trend, and more and more applications expose application programming interfaces (APIs) for consumers to call.
To make them easy to call, APIs are usually simple and open. The same properties give malicious actors multiple routes to company data and can even be used to cause large-scale service outages. When API services are offered externally, the APIs therefore usually need security protection so that attacks on them do not disrupt the business. Common API protection measures include token-based verification, limiting the frequency of API calls, and analysing business logs.
It has been found in practice that these measures fail to intercept some attack requests, which then bypass the protection policy and call the API illegitimately, threatening business security.
Summary of the Invention
The present application provides an API security protection method, device and readable storage medium that improve the protection of APIs by analysing the stream of business behaviour in real time, reducing the number of illegitimate API calls and thereby improving business security.
In a first aspect, an embodiment of the present application provides an API security protection method applied to a security server, the method comprising:
receiving a service request initiated by a requesting device, the service request requesting a call to a target API provided by a service server;
updating an analysis table according to the service request, so that the target record corresponding to a target domain name in the analysis table holds the latest value of each of a plurality of analysis factors of the target API, the target domain name being the domain name contained in the target URL corresponding to the target API;
determining whether the target record triggers the attack judgment rule of the target domain name; and
when the target record triggers the attack judgment rule, processing the service request according to the policy indicated by the attack judgment rule.
In a second aspect, an embodiment of the present application provides an API security protection method applied to a policy server, the method comprising:
receiving indication information, the indication information indicating the condition that the latest values of the plurality of analysis factors recorded in the target record of a target domain name satisfy when a service request calling the target API is an attack request, the target domain name being the domain name contained in the target URL corresponding to the target API;
generating an attack judgment rule according to the indication information; and
sending the attack judgment rule to a security server.
In a third aspect, an embodiment of the present application provides an electronic device comprising a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program the electronic device implements the method of any of the possible implementations of the first or second aspect above.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method of any of the possible implementations of the first or second aspect above.
In the API security protection method, device and readable storage medium provided by the embodiments of the present application, after the security server receives a service request from a requesting device asking to call a target API deployed on a service server, it updates the target record for that API in the analysis table according to the request and determines whether the updated record triggers the attack judgment rule. If it does, the request is processed according to the policy indicated by the rule. In this way the security server raises the protection of the target API by analysing service requests in real time, prevents attack requests from bypassing the protection policy and calling the target API illegitimately, reduces the impact of attack traffic on the service, and so improves business security. Because the analysis is real-time, it avoids the lag inherent in the traditional approach of analysing business logs. Moreover, when a service request is an attack request only that request is disposed of, rather than many requests along the IP or session dimension, so normal requests are not blocked by mistake and the scope of the protection's impact is well controlled.
Brief Description of the Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can derive other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of the network architecture of the API security protection method provided in an embodiment of the present application;
FIG. 2 is a flow chart of the API security protection method provided in an embodiment of the present application;
FIG. 3 is another flow chart of the API security protection method provided in an embodiment of the present application;
FIG. 4 is a schematic diagram of a configuration interface in the API security protection method provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of an API security protection apparatus provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of another API security protection apparatus provided in an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
To make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
An application programming interface (API) is a set of predefined functions that packages a service capability so that consumers can access it. APIs are flexible to call and open, and are widely used in high-technology sectors such as video media and IoT applications. While APIs are convenient for developers, they also face security threats; most current protection measures target web pages, and security awareness and measures for APIs are clearly lacking. Attackers exploit the simple, open nature of APIs to access company business data and can even cause large-scale service outages. As the volume and sensitivity of the data carried by APIs grow, attacks on APIs have become more complex and frequent, seriously affecting business data security.
Current API security protection measures include token-based verification, limiting the frequency of API calls, and analysing business logs.
Token-based verification checks the legitimacy of service requests to an API by means of a negotiated token. However, many of the APIs that enterprises expose face end users directly, as most web APIs do, and such end-user-facing APIs are hard to verify by negotiating a token with the user. Even where authentication is possible, a negotiated token is often replayed, so the security policy check is bypassed.
Call-frequency limiting caps the number of API accesses per dimension that identifies a client, such as the client IP address or client session. Because access frequency differs between users, a threshold set too low is likely to hit normal users, while a threshold set too high misses attack requests, so that some attacks bypass the security policy check.
Business-log analysis examines historical business logs, identifies abnormal clients according to specified anomaly rules, and disposes of that client's subsequent service requests. Because the analysis of historical logs lags behind the traffic, some attack requests are missed and timeliness cannot be guaranteed; moreover, by the time an abnormal client is identified it may no longer be attacking.
It follows that existing API security protection measures fail to intercept some attack requests, which bypass the protection policy and call the API illegitimately, threatening business security.
On this basis, the embodiments of the present application provide an API security protection method, device and readable storage medium that improve the protection of APIs by analysing the stream of business behaviour in real time, reducing the number of illegitimate API calls and thereby improving business security.
FIG. 1 is a schematic diagram of the network architecture of the API security protection method provided in an embodiment of the present application. Referring to FIG. 1, the architecture comprises a security server 11, a policy server 12, a service server 13, a requesting device 14 and a configuration device 15. Network connections exist between the security server 11 and the policy server 12, between the security server 11 and the requesting device 14, and between the configuration device 15 and the policy server 12.
The security server 11 may be hardware or software. As hardware it may be a single server or a distributed cluster of servers; as software it may be one or several software modules, which the embodiments do not limit. Likewise the policy server 12 and the service server 13 may each be hardware or software.
In the architecture of FIG. 1 the security server 11, policy server 12 and service server 13 are three physically separate servers. In practice any two, or all three, may instead be logically separate servers deployed on the same physical machine: for example, the security server 11 and policy server 12 on one machine and the service server 13 on another, or all three on the same machine.
The requesting device 14 is the device that initiates service requests. It may be a mobile phone, tablet, personal computer, e-book reader, laptop or desktop running Android, a Microsoft operating system, Symbian, Linux or Apple iOS, or it may be a server. Where the requesting device 14 is software it may be installed on any of the hardware listed above, as one or several software modules, which the embodiments do not limit.
The configuration device 15 presents a configuration interface on which operations staff configure the protected path, trigger conditions and so on; from that input it generates indication information and sends it to the policy server 12. The policy server 12 generates the attack judgment rule from the indication information and pushes it to the security server 11. The configuration device 15 may be software or hardware, and may be the same device as the requesting device 14 or a separate one.
The security server 11 may be built on a cloud platform such as a content delivery network (CDN) and performs attack checking of service requests for the target API; it may consist of one or more security servers. Service requests from the requesting device 14 reach the security server 11 first, which analyses them in real time against the attack judgment rules and disposes of any attack request.
The policy server 12 manages the attack judgment rules: it sets them according to the actual business and pushes them to the security server 11, which enforces them. The service server 13 hosts one or more APIs, provides the API call service externally, and is the server that actually answers service requests.
When the requesting device 14 initiates a service request to call a target API on the service server 13, the security server 11 intercepts the request, analyses it and updates the target record in the analysis table, then determines whether the target record triggers the attack judgment rule. If it does, the request is an attack request and the security server 11 processes it according to the policy the rule indicates. If the request is legitimate, the security server 11 forwards it to the service server 13 so that the requesting device 14 can call the target API.
It should be understood that the numbers of security servers 11, policy servers 12, service servers 13, requesting devices 14 and configuration devices 15 in FIG. 1 are illustrative only; in practice any number of each may be deployed as required.
The API security protection method provided in the embodiments of the present application is now described in detail on the basis of the network architecture of FIG. 1. Referring to FIG. 2, which is a flow chart of the method, this embodiment is described from the perspective of the security server and comprises:
201. Receive a service request initiated by a requesting device, the service request requesting a call to a target API provided by a service server.
In this embodiment one or more APIs are deployed on a service server; the target API is the one among them that the requesting device asks to call.
After the requesting device issues a service request, the security server intercepts it, so that every service request from the requesting device reaches the security server before the service server.
202. Update the analysis table according to the service request, so that the target record corresponding to the target domain name in the analysis table holds the latest value of each of the plurality of analysis factors of the target API, the target domain name being the domain name contained in the target URL corresponding to the target API.
In this embodiment APIs and URLs correspond one to one: different APIs have different URLs. The URL of the target API is called the target URL and the domain name in the target URL is called the target domain name. When the security server first receives a service request and the analysis table contains no record for the domain name in the request's URL, it creates a record in the analysis table and initialises each analysis factor of that record.
A domain name has several analysis factors, which form its analysis factor set; the sets of different domain names may or may not overlap. Each record in the analysis table holds the latest value of each analysis factor of one domain name. The analysis factors of the target domain name include at least one of: the domain name of the target API, the granularity, the number of requests for a custom URL, the number of requests for other URLs, the total number of requests, and a validity period, where "other URLs" are URLs that contain the target domain name but are neither the target URL nor the custom URL, and the validity period indicates how long the target record remains valid. The granularity is, for example, IP, header, cookie or session. This lets the analysis factors of each domain name be defined flexibly, and differently for different domain names, giving customised and precise protection of each API.
The security server builds the analysis table in advance; initially it is empty. On each received service request the security server checks whether the request matches a record in the table. If it does, that record is the target record and is updated with the information carried by the request, meaning that the current value of each analysis factor is replaced by its latest value. To do so the security server parses the request to obtain the change in each of the analysis factors, then applies those changes to the target record so that it holds the latest value of every factor.
If the request matches no existing record but contains any one of the analysis factors of the target domain name, the security server creates the target record in the analysis table and initialises each of its analysis factors from the request. Table 1 shows an example analysis table used in the API security protection method of an embodiment of the present application.
Table 1
Before the security server receives the current service request, the analysis table holds the two records shown in Table 1, for the domain names example1 and example2. Taking the record for example1, the analysis factors are domain name, statistical granularity, number of requests for URLa, number of requests for other URLs, total number of requests, and validity period, with current values example1, IP, 1, 0, 1 and 60 respectively.
Suppose the domain name of the received service request is example1, so that it matches the record for example1; the security server then takes that record as the target record and updates it. If, for example, the request carries an IP address and its URL is URLa, the analysis table after the update is as shown in Table 2.
Table 2
Suppose instead that the domain name of the received service request is example3, for which the analysis table has no record. The security server then creates a new record, takes it as the target record and initialises it. If, for example, the request carries an IP address and its URL is URLc, the analysis table after the update is as shown in Table 3.
Table 3
As a further example, suppose the target URL of the target API is http://example.com/booking (requested over HTTP/1.1), so that the target domain name is example.com, and the analysis table is initially empty. The security server receives the service request 1.1.1.1[22/Nov/2021:18:19:36+0800]"POST http://example.com/booking HTTP/1.1", meaning that the requesting device's IP is 1.1.1.1, the request was received at 18:19:36 on 22 November 2021 (the +0800 being the UTC offset of the timestamp, not a port), the method is POST and the target URL is http://example.com/booking. The security server creates and initialises the target record, which is shown in Table 4.
Table 4
The statistical granularity and validity period are taken from the attack judgment rule for the target API. On each subsequent request whose URL contains the domain name example.com, this record is taken as the target record and updated. For example, when the security server receives 1.1.1.1[22/Nov/2021:18:19:37+0800]"POST http://example.com/booking HTTP/1.1", the target URL request count and the total request count each increase by 1 while the other-URL request count is unchanged; the two requests were received 1 second apart, so the validity period is reduced by 1 second. The updated target record is shown in Table 5.
Table 5
With this scheme the target record is created and initialised when the analysis table has none, and the existing target record is updated when it does, so that each target domain name, and hence each target API, has exactly one record in the table, which keeps the API protection accurate.
203. Determine whether the target record triggers the attack judgment rule of the target domain name. If it does, go to step 204; if it does not, go to step 205.
In this embodiment, the security server has previously received the attack judgment rule that the policy server issued for the target domain name. Each time the security server receives a service request and updates the analysis table, it checks whether the target record in the analysis table triggers the attack judgment rule. The attack judgment rule may be a set of one or more conditions. If the latest value of every analysis factor in the target record satisfies the attack judgment rule, the target record triggers the rule and the service request is an attack request. If the latest value of one or more analysis factors does not satisfy the rule, the target record does not trigger it and the service request is a normal request.
204. Process the service request according to the policy indicated by the attack judgment rule.
In this embodiment, the attack judgment rule also indicates the policy for handling attack requests. When the target record corresponding to a service request triggers the attack judgment rule, that is, when the service request is an attack request, the security server handles it according to the policy indicated by the rule. For example, if the indicated policy is blocking, the security server blocks the service request, that is, it does not forward it to the business server. As another example, if the indicated policy is monitoring, the security server forwards the service request to the business server and monitors it in real time.
At present, in multi-user single-egress or Network Address Translation (NAT) environments, a group of users shares the same egress IP, where the user group comprises multiple requesting devices. If handling were done at IP granularity, then when one service request is an attack request the security server would determine the IP of the requesting device that sent it and block all service requests from that IP. Obviously, such a protective measure would also block some normal service requests. To avoid this, in this embodiment the security server handles only the individual service request that it has determined to be an attack.
205. Forward the service request to the business server.
When the target record corresponding to a service request does not trigger the attack judgment rule, the service request is not an attack request. The security server then forwards it to the business server so that the business server can respond to it, for example on the basis of the internal business function of the target API. With this scheme, the security server does not process normal service requests at all but forwards them directly to the business server, so that the business is not interrupted.
In the API security protection method provided by this embodiment, after the security server receives a service request that a requesting device initiated to call the target API deployed on the business server, it updates the target record corresponding to the target domain name in the analysis table according to that request and determines whether the updated target record triggers the attack judgment rule. If so, the service request is processed according to the policy indicated by the rule. With this scheme, the security server improves the protection of the target API by analyzing service requests in real time, prevents attack requests from bypassing the protection policy and calling the target API illegitimately, reduces the impact of attack traffic against the target API on the business, and so improves business security. Because the analysis is performed in real time, it also avoids the lag inherent in the traditional approach of analyzing business logs. Moreover, when a service request is an attack request, only that request is handled, rather than multiple requests being handled along the IP dimension, the session dimension, and so on; normal service requests are therefore not blocked by mistake, and the scope of impact of the protection is well controlled.
FIG. 3 is another flow chart of the API security protection method provided by an embodiment of the present application. This embodiment is described from the perspective of the policy server and includes:
301. Receive indication information.
The indication information indicates the conditions that the latest values of the analysis factors recorded in the target record of the target domain name satisfy when a service request calling the target API is an attack request, where the target domain name is the domain name contained in the target URL corresponding to the target API.
For example, for the target domain name, operations staff request a configuration interface through the configuration device and then use that interface to configure the analysis factors, the conditions that the latest value of each analysis factor satisfies when a service request is an attack request, and so on.
Since one or more APIs are usually deployed on a business server, for every API that needs protection the configuration device can request the configuration interface corresponding to the target domain name and generate indication information from the operations staff's input, so that the policy server generates an attack judgment rule for each API that needs protection. Different APIs have different attack judgment rules, so the rules are customized per API.
302. Generate an attack judgment rule according to the indication information.
After receiving the indication information, the policy server generates from it an attack judgment rule that the security server can recognize.
303. Send the attack judgment rule to the security server.
Correspondingly, the security server receives the attack judgment rule.
In the API security protection method provided by this embodiment, the policy server generates an attack judgment rule from the indication information sent by the configuration device and issues it to the security server, and the security server uses the rule to judge in real time whether a service request calling the target API is an attack request. With this scheme, the policy server generates a separate attack judgment rule for each API that needs protection, which is highly flexible and provides protection tailored to each API.
FIG. 4 is a schematic diagram of a configuration interface in the API security protection method provided by an embodiment of the present application. Referring to FIG. 4, when the configuration device requests to configure an attack judgment rule for the target domain name, the policy server sends the configuration device a data stream for displaying the configuration interface, and the configuration device renders the interface from that data stream. The configuration device then generates indication information from the operations staff's input on the interface and sends it to the policy server. Because the configuration interface shown in FIG. 4 is used to configure the attack judgment rule for the target domain name, the target domain name and the target URL are known, so the indication information carries the target domain name.
Referring to FIG. 4, the configuration interface is used at least to configure trigger conditions, which set the conditions that the latest value of each analysis factor satisfies when the target record triggers the attack judgment rule. The analysis factors include the custom URL request count, the other URL request count, the total request count, and so on. There may be one or more custom URLs and one or more other URLs. FIG. 4 lists only three trigger conditions; in practice more options can be provided as needed, or an add button can be provided so that the user can add conditions, for example so that with several custom URLs the trigger conditions in FIG. 4 include further conditions beyond 1-3. FIG. 4 shows several input boxes and selection boxes. A rectangular box containing a small triangle is a selection box: when operations staff click the triangle, a drop-down menu appears on the interface for them to choose from. Input boxes let operations staff enter specific values, URLs, and so on. The three trigger conditions in FIG. 4 are described in detail below.
Trigger condition 1: total request count. Input box 3 is used to enter a specific value, such as 0 or 1.
Trigger condition 2: other URL request count. Input box 4 is used to enter a specific value, such as 0 or 1. Other URLs are URLs other than the custom URLs.
Trigger condition 3: custom URL request count. The drop-down menu of selection box 3 lists options such as full URL and regular expression. When operations staff select full URL, input box 5 is used to enter one or more full URLs and input box 6 to enter a specific value, such as 1 or 2. When they select regular expression, input box 5 is used to enter the regular expression and input box 6 a specific value.
Referring again to FIG. 4, the configuration interface can optionally also be used to configure the validity period and the statistical granularity. The statistical granularity indicates the basis on which the target record's statistics are collected, and the validity period indicates how long the target record remains valid. In FIG. 4, input box 2 is used to enter the validity period, for example 60, 90 or 120 seconds, meaning that once the attack judgment policy has been issued to the security server and the security server has created a target record, that record is valid for 60 seconds, and so on. The drop-down menu of selection box 2 lists options including IP, header, cookie and session, indicating whether the target record's statistics are kept at IP granularity, header granularity, and so on.
With this scheme, setting the validity period and the statistical granularity allows target records to be generated precisely.
Optionally, referring again to FIG. 4, the configuration interface can also be used to configure the protection path and the handling action. The protection path indicates the protection mode, which is either whole-site protection of the target domain name or protection by business type. The drop-down menu of selection box 1 lists the options whole site and business type. If whole site is selected, protection is applied by business domain name, that is, attack judgment is performed on every service request containing the target domain name, and operations staff need not enter anything in input box 1.
If business type is selected, protection is applied by business type, that is, to a certain class of business under the target domain name. Operations staff then enter one or more protected URLs or regular expressions in input box 1. The protected URLs may be identical to, partly the same as, or entirely different from the custom URLs or other URLs in the trigger conditions.
Referring to FIG. 4, the drop-down menu for the handling policy offers options such as monitoring and blocking. When operations staff have configured the protection path and the handling policy, the configuration device sends these settings to the policy server in the indication information, and the policy server determines the protection mode from the protection path. When the protection mode is protection by business type, the protected URLs are determined from the protection path. The attack judgment rule is then generated from the protected URLs, the conditions on the latest values of the analysis factors and the handling policy, and issued to the security server.
With this scheme, by configuring the protection path and the handling policy, when the security server's updated target record triggers the attack judgment rule it goes on to check whether the URL of the service request is a protected URL and, if it is, intercepts the service request, which improves the efficiency of API security protection.
Optionally, when the protection path indicates that the target domain name is to be protected by business type, the indication information further carries at least one URL or at least one regular expression.
For example, when the indication information indicates a URL or a regular expression, the security server is required to protect the target domain name by business type, and it determines the protected URLs from the URL or regular expression indicated by the indication information. The URL or regular expression indicated by the indication information is entered through input box 1 in FIG. 4.
With this scheme, when the security server determines that the updated target record triggers the attack judgment rule, it goes on to check whether the URL of the service request is a protected URL and, if it is, intercepts the service request, which improves the efficiency of API security protection.
Optionally, in the above embodiment, the policy server generates the attack judgment rule from the indication information and issues it to the security server. The security server determines the multiple analysis factors from the attack judgment rule, and creates and initializes the target record when it first receives a service request containing the target domain name. Subsequent service requests initiated by requesting devices are then analyzed in real time: after the target record has been updated according to a service request, if the target record satisfies all the conditions contained in the attack judgment rule, the service request is intercepted according to the rule. With this scheme, the security server accurately determines the multiple analysis factors from the attack judgment rule, which improves the effectiveness of the API protection.
The API security protection method described above is now described in detail, taking http://example.com/booking as the target URL corresponding to the target API.
First example:
When the protection mode is protection by business type and the attack judgment rule indicates that the protected URL is http://example.com/booking, the difference between normal user behaviour and attack behaviour is as follows: before accessing http://example.com/booking, a normal user also calls three other APIs. For clarity, the URLs of the three other APIs are denoted URL1, URL2 and URL3, and the target URL of the target API is denoted URL4. URL1 is http://example.com/login, URL2 is http://example.com/searching, URL3 is http://example.com/adding, and URL4 is http://example.com/booking.
Referring to FIG. 4, on the configuration interface shown there the operations staff enter the following: whole site in selection box 1, 60 in input box 2, IP in selection box 2, and block as the handling action. The custom URLs are URL1, URL2, URL3 and URL4. Assuming that condition 3 is used for URL4, full URL is chosen in selection box 3, the full URL4 is entered in input box 5, 1 is entered in input box 6, and input boxes 3 and 4 are each set to 1. Operations staff set URL1, URL2 and URL3 by adding further trigger conditions.
The configuration device generates indication information from the operations staff's input on the configuration interface and sends it to the policy server, which generates an attack judgment rule from it. The rule comprises 10 conditions:
1) API URL to be protected: http://example.com/booking
2) Validity period: 60 seconds
3) Statistical granularity: IP
4) URL1 request count: http://example.com/login request count less than 1
5) URL2 request count: http://example.com/searching request count less than 1
6) URL3 request count: http://example.com/adding request count less than 1
7) URL4 request count: http://example.com/booking request count greater than 1
8) Other URL request count: other request count less than 1
9) Total request count: total request count greater than 1
10) Handling action: intercept
The policy server then issues the above attack judgment rule to the security server. The security server determines the multiple analysis factors from the rule, and creates and updates the target record when it first receives a service request containing the target domain name; subsequent service requests from requesting devices are analyzed in real time. When a requesting device requests URL1, URL2, URL3 and URL4 in turn, that is, when it accesses the service normally, its behaviour is as follows:
1.1.1.1[22/Nov/2021:18:19:36+0800]"POST http://example.com/login HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:37+0800]"POST http://example.com/searching HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:38+0800]"POST http://example.com/adding HTTP/1.1"
1.1.1.1[22/Nov/2021:18:19:39+0800]"POST http://example.com/booking HTTP/1.1"
When the requesting device initiates its first service request, there is no related record in the analysis table, so the security server creates and initializes a target record in the analysis table. The initialized target record is shown in Table 6.
Table 6
Referring to Table 6, the statistical granularity of the target record is 1.1.1.1 and its validity period is 60 seconds. Although the URL2 request count and the URL3 request count satisfy conditions 5) and 6) of the attack judgment rule above, the URL1 request count, the URL4 request count and the total request count do not satisfy conditions 4), 7) and 9) respectively. This service request is therefore legitimate, and the security server takes no action on it but forwards it directly to the business server.
When the requesting device initiates its second service request, the target record already exists in the analysis table, so the security server updates it. The updated target record is shown in Table 7.
Table 7
Referring to Table 7, although the URL3 request count satisfies condition 6) of the attack judgment rule above, the URL1, URL2 and URL4 request counts and the total request count do not satisfy conditions 4), 5), 7) and 9) respectively. This service request is therefore legitimate, and the security server takes no action on it but forwards it directly to the business server.
When the requesting device initiates its third service request, the target record already exists in the analysis table, so the security server updates it. The updated target record is shown in Table 8.
Table 8
Referring to Table 8, the URL1, URL2, URL3 and URL4 request counts and the total request count do not satisfy conditions 4), 5), 6), 7) and 9) respectively. This service request is therefore legitimate, and the security server takes no action on it but forwards it directly to the business server.
When the requesting device initiates its fourth service request, the target record already exists in the analysis table, so the security server updates it. The updated target record is shown in Table 9.
Table 9
Referring to Table 9, the URL1, URL2, URL3 and URL4 request counts and the total request count do not satisfy conditions 4), 5), 6), 7) and 9) respectively. This service request is therefore legitimate, and the security server takes no action on it but forwards it directly to the business server.
In addition, because the target domain name is protected by business type, in the examples shown in Tables 6 to 8 the URL of the service request is not the protected URL. Therefore, even if the records in Tables 6 to 8 triggered the attack judgment rule, the security server would not block these service requests as attack requests.
When a requesting device accesses only URL4, that is, when the requesting device is an attacking device, its behaviour is as follows:
2.2.2.2[22/Nov/2021:18:19:36+0800]"POST http://example.com/booking HTTP/1.1"
2.2.2.2[22/Nov/2021:18:19:37+0800]"POST http://example.com/booking HTTP/1.1"
2.2.2.2[22/Nov/2021:18:19:38+0800]"POST http://example.com/booking HTTP/1.1"
2.2.2.2[22/Nov/2021:18:19:39+0800]"POST http://example.com/booking HTTP/1.1"
When the requesting device initiates its first service request, there is no related record in the analysis table, so the security server creates and initializes a target record in the analysis table. The initialized target record is shown in Table 10.
Table 10
Referring to Table 10, the statistical granularity of the target record is 2.2.2.2 and its validity period is 60 seconds. Although the URL1, URL2 and URL3 request counts satisfy conditions 4), 5) and 6) of the attack judgment rule above, the URL4 request count and the total request count do not satisfy conditions 7) and 9) respectively. This service request is therefore legitimate, and the security server takes no action on it but forwards it directly to the business server.
When the requesting device initiates its second service request, the target record already exists in the analysis table, so the security server updates it. The updated target record is shown in Table 11.
Table 11
Referring to Table 11, the URL1, URL2, URL3 and URL4 request counts and the total request count satisfy conditions 4), 5), 6), 7) and 9) respectively. The target record therefore triggers the attack judgment rule, the service request is an attack request, and the security server intercepts it and does not send it to the business server.
When the requesting device initiates its third service request, the target record already exists in the analysis table, so the security server updates it. The updated target record is shown in Table 12.
Table 12
Referring to Table 12, the URL1, URL2, URL3 and URL4 request counts and the total request count satisfy conditions 4), 5), 6), 7) and 9) respectively. The target record therefore triggers the attack judgment rule, the service request is an attack request, and the security server intercepts it and does not send it to the business server.
When the requesting device initiates its fourth service request, the target record already exists in the analysis table, so the security server updates it. The updated target record is shown in Table 13.
Table 13
Referring to Table 13, the URL1, URL2, URL3 and URL4 request counts and the total request count satisfy conditions 4), 5), 6), 7) and 9) respectively. The target record therefore triggers the attack judgment rule, the service request is an attack request, and the security server intercepts it and does not send it to the business server.
Second example:
When the protection mode is protection by business type and the attack judgment rule indicates the protected URL http://example.com/booking, the attack judgment rule contains the following conditions:
1) API URL to be protected: http://example.com/booking
2) Validity period: 60 seconds
3) Statistical granularity: IP
4) URL1 request count: the number of requests to http://example.com/login is less than 1
5) URL2 request count: the number of requests to http://example.com/searching is greater than 1
6) URL3 request count: the number of requests to http://example.com/adding is less than 1
7) URL4 request count: the number of requests to http://example.com/booking is greater than 1
8) Other URL request count: the number of requests to other URLs is less than 1
9) Total request count: the total number of requests is greater than 1
10) Disposition action: intercept
This attack judgment rule differs from the first example above only in condition 5).
The requesting device initiates a total of 5 service requests, namely:
1.1.1.1 [22/Nov/2021:18:19:37 +0800] "POST http://example.com/searching HTTP/1.1"
1.1.1.1 [22/Nov/2021:18:19:38 +0800] "POST http://example.com/searching HTTP/1.1"
1.1.1.1 [22/Nov/2021:18:19:39 +0800] "POST http://example.com/booking HTTP/1.1"
1.1.1.1 [22/Nov/2021:18:19:40 +0800] "POST http://example.com/booking HTTP/1.1"
1.1.1.1 [22/Nov/2021:18:19:41 +0800] "POST http://example.com/searching HTTP/1.1"
When the requesting device initiates the first service request, there is no matching record in the analysis table, so the security server creates a target record in the analysis table and initializes it. The initialized target record does not trigger the attack judgment rule.
When the requesting device initiates the second service request, the target record already exists in the analysis table, so the security server updates it. The updated target record is shown in Table 14.
Table 14
In Table 14, although the URL2 request count satisfies condition 5) above, the URL1, URL3 and URL4 request counts and the total request count do not satisfy conditions 4), 6), 7) and 9) respectively. Therefore this service request is a legitimate request; the security server takes no action on it and forwards it directly to the service server.
Similarly, when the requesting device initiates the third service request, the updated target record does not trigger the attack judgment rule.
When the requesting device initiates the fourth service request, the updated target record is as shown in Table 15.
Table 15
Since the URL of the fourth service request is http://example.com/booking, which is a protected URL, and Table 15 triggers the attack judgment rule, the security server intercepts the fourth service request.
When the requesting device initiates the fifth service request, the updated target record is as shown in Table 16.
Table 16
Although Table 16 triggers the attack judgment rule, the URL of the fifth service request is http://example.com/searching, which is not a protected URL. Therefore the security server does not intercept the fifth service request but forwards it to the service server.
If, in the second example, the protection mode were instead whole-site protection, then because Table 16 triggers the attack judgment rule the security server would have to intercept the fifth service request.
Optionally, in the above embodiment, the security server judges whether the target record is valid according to the validity period indicated by the attack judgment rule, and deletes the target record from the analysis table when it is no longer valid.
For example, referring to the tables above, the validity period is 60 seconds. A countdown starts when the target record is created, and the validity period decreases by 1 second for every second that passes. The security server monitors the validity period and deletes the target record when it reaches 0.
With this scheme, setting a validity period and monitoring the target record against it makes it easy to later adjust the analysis factors of the target API, so the flexibility is high.
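The second example and the validity-period handling above can be checked end to end with a small model of the security server. The following Python is an added illustration, not code from the patent: it parses a constructed access log in the format of the five requests listed above (spaces restored), keeps one target record per client IP, applies conditions 2) to 10) of the second example's rule, distinguishes protection by business type from whole-site protection, and drops a record once 60 seconds have elapsed since it was created. The class and function names (`Rule`, `Record`, `SecurityServer`, `run`) and the log-line regex are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlparse

# Constructed sample access log: the five requests of the second example.
SAMPLE_LOG = [
    '1.1.1.1 [22/Nov/2021:18:19:37 +0800] "POST http://example.com/searching HTTP/1.1"',
    '1.1.1.1 [22/Nov/2021:18:19:38 +0800] "POST http://example.com/searching HTTP/1.1"',
    '1.1.1.1 [22/Nov/2021:18:19:39 +0800] "POST http://example.com/booking HTTP/1.1"',
    '1.1.1.1 [22/Nov/2021:18:19:40 +0800] "POST http://example.com/booking HTTP/1.1"',
    '1.1.1.1 [22/Nov/2021:18:19:41 +0800] "POST http://example.com/searching HTTP/1.1"',
]

# Assumed log format: <ip> [<timestamp>] "<method> <url> <protocol>"
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) (\S+)"$')


def parse_line(line):
    """Return (client_ip, timestamp, url) from one access-log line."""
    ip, ts, _method, url, _proto = LOG_RE.match(line).groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), url


def satisfied(cond, value):
    """Evaluate one '<' or '>' threshold condition against a count."""
    op, threshold = cond
    return value < threshold if op == "<" else value > threshold


@dataclass
class Rule:
    """Attack judgment rule of the second example (conditions 2) to 10))."""
    domain: str = "example.com"
    validity: timedelta = timedelta(seconds=60)          # 2) validity period
    custom: dict = field(default_factory=lambda: {      # 4) to 7): url -> condition
        "http://example.com/login": ("<", 1),
        "http://example.com/searching": (">", 1),
        "http://example.com/adding": ("<", 1),
        "http://example.com/booking": (">", 1),
    })
    other: tuple = ("<", 1)                              # 8) other URLs under the domain
    total: tuple = (">", 1)                              # 9) total requests
    # None means whole-site protection; a set means protection by business type
    protected_urls: Optional[frozenset] = frozenset({"http://example.com/booking"})
    action: str = "intercept"                            # 10) disposition action


@dataclass
class Record:
    """Target record: latest value of every analysis factor for one IP."""
    created: datetime
    counts: dict          # custom URL -> request count
    other: int = 0
    total: int = 0


class SecurityServer:
    def __init__(self, rule):
        self.rule = rule
        self.table = {}   # analysis table keyed by statistical granularity (IP)

    def triggers(self, rec):
        """The rule fires only when every analysis factor satisfies it."""
        return (all(satisfied(self.rule.custom[u], n) for u, n in rec.counts.items())
                and satisfied(self.rule.other, rec.other)
                and satisfied(self.rule.total, rec.total))

    def handle(self, ip, when, url):
        """Update the analysis table for one request and return its disposition."""
        if urlparse(url).hostname != self.rule.domain:
            return "forward"            # not the target domain: rule does not apply
        rec = self.table.get(ip)
        if rec is not None and when - rec.created >= self.rule.validity:
            del self.table[ip]          # validity period elapsed: discard stale record
            rec = None
        if rec is None:                 # create and initialize the target record
            rec = Record(created=when, counts={u: 0 for u in self.rule.custom})
            self.table[ip] = rec
        if url in rec.counts:
            rec.counts[url] += 1
        else:
            rec.other += 1              # same domain, but not a custom URL
        rec.total += 1
        if not self.triggers(rec):
            return "forward"
        if self.rule.protected_urls is not None and url not in self.rule.protected_urls:
            return "forward"            # rule fired, but this URL is not protected
        return self.rule.action


def run(lines, rule):
    """Dispositions for a sequence of log lines under one rule."""
    server = SecurityServer(rule)
    return [server.handle(*parse_line(line)) for line in lines]


if __name__ == "__main__":
    print("by business type:", run(SAMPLE_LOG, Rule()))
    print("whole-site:      ", run(SAMPLE_LOG, Rule(protected_urls=None)))
```

Under protection by business type the fourth request is intercepted and the fifth forwarded, exactly as Tables 15 and 16 describe; with `protected_urls=None` (whole-site protection) the fifth request is intercepted as well. A request from the same IP arriving 61 seconds after the record was created finds the record expired, so a fresh record with a total count of 1 is created instead.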
The following are device embodiments of the present application, which may be used to execute the method embodiments of the present application. For details not disclosed in the device embodiments, refer to the method embodiments.
Fig. 5 is a schematic diagram of an API security protection device provided in an embodiment of the present application. The API security protection device 500 includes a transceiver module 51, an update module 52, a determination module 53 and a processing module 54.
The transceiver module 51 is configured to receive a service request initiated by a requesting device, the service request requesting invocation of a target API provided by a service server;
the update module 52 is configured to update the analysis table according to the service request, so that the target record corresponding to the target domain name in the analysis table holds the latest value of each of the multiple analysis factors of the target API, where the target domain name is the domain name contained in the target URL corresponding to the target API;
the determination module 53 is configured to determine whether the target record triggers the attack judgment rule of the target domain name;
the processing module 54 is configured to process the service request according to the policy indicated by the attack judgment rule when the target record triggers the attack judgment rule.
In a feasible implementation, the update module 52 is configured to, when the target record exists in the analysis table, parse the service request to obtain the change in each of the multiple analysis factors, and to update the target record according to those changes so that the target record holds the latest value of each analysis factor.
In a feasible implementation, the update module 52 is configured to, when the target record does not exist in the analysis table and the service request contains any one of the multiple analysis factors, create the target record in the analysis table and initialize each of the multiple analysis factors according to the service request.
In a feasible implementation, the determination module 53 is configured to determine whether the latest value of each of the multiple analysis factors recorded in the target record satisfies the attack judgment rule, and to determine that the target record triggers the attack judgment rule if the latest value of every analysis factor satisfies it.
In a feasible implementation, the transceiver module 51 is further configured to receive, before the update module 52 updates the analysis table according to the service request, the attack judgment rule issued by the policy server, the attack judgment rule indicating the conditions that the latest values of the multiple analysis factors satisfy when the service request is an attack request;
the processing module 54 is further configured to determine the multiple analysis factors according to the attack judgment rule.
In a feasible implementation, the multiple analysis factors include at least one of the following: the target domain name, the granularity, the number of requests to a custom uniform resource locator (URL), the number of requests to other URLs, the total number of requests, or the validity period, where the other URLs are URLs that contain the target domain name but are neither the target URL nor a custom URL, and the validity period indicates the period for which the target record is valid.
In a feasible implementation, the transceiver module 51 is further configured to send the service request to the service server when the target record does not trigger the attack judgment rule.
In a feasible implementation, the processing module 54 is further configured to judge whether the target record is valid according to the validity period indicated by the attack judgment rule, and to delete the target record from the analysis table when it is no longer valid.
In a feasible implementation, the processing module 54 is configured to, when the attack judgment rule also indicates a protection path, determine the protection mode according to the protection path, the protection mode being either whole-site protection of the target domain name or protection by business type; when the protection mode is protection by business type, determine the protected URLs according to the protection path; determine whether the URL of the service request is a protected URL; and, when the URL of the service request is any one of the protected URLs, process the service request according to the policy indicated by the attack judgment rule.
The API security protection device provided in this embodiment of the present application can perform the actions of the security server in the above embodiments; its implementation principle and technical effect are similar and are not repeated here.
Fig. 6 is a schematic diagram of another API security protection device provided in an embodiment of the present application. The API security protection device 600 includes a receiving module 61, a processing module 62 and a sending module 63.
The receiving module 61 is configured to receive indication information, which indicates the conditions that the latest values of the multiple analysis factors recorded in the target record of a target domain name satisfy when a service request to invoke a target API is an attack request, where the target domain name is the domain name contained in the target URL corresponding to the target API;
the processing module 62 is configured to generate an attack judgment rule according to the indication information;
the sending module 63 is configured to send the attack judgment rule to the security server.
In a feasible implementation, the indication information also carries a statistical granularity and the validity period of the target record, where the statistical granularity indicates any one of IP, header, session and cookie, and the validity period indicates the period for which the target record is valid.
In a feasible implementation, the indication information also carries a protection path and a processing policy, and the processing module 62 is configured to determine the protection mode according to the protection path, the protection mode being either whole-site protection of the target domain name or protection by business type; when the protection mode is protection by business type, determine the protected URLs according to the protection path; and generate the attack judgment rule according to the protected URLs, the conditions satisfied by the latest values of the analysis factors, and the processing policy.
In a feasible implementation, when the protection path indicates that the target domain name is to be protected by business type, the indication information further carries at least one URL or at least one regular expression.
The API security protection device provided in this embodiment of the present application can perform the actions of the policy server in the above embodiments; its implementation principle and technical effect are similar and are not repeated here.
Fig. 7 is a schematic structural diagram of an electronic device provided in an embodiment of the present application. As shown in Fig. 7, the electronic device 700 is, for example, the control center or anti-attack node described above, and the electronic device 700 includes:
a processor 71 and a memory 72;
the memory 72 stores computer instructions;
the processor 71 executes the computer instructions stored in the memory 72, causing the processor 71 to perform the traffic attack protection method implemented by the control center as described above, or causing the processor 71 to perform the traffic attack protection method implemented by the anti-attack node as described above.
For the specific implementation process of the processor 71, refer to the method embodiments above; the implementation principle and technical effect are similar and are not repeated here.
Optionally, the electronic device 700 further includes a communication component 73, and the processor 71, the memory 72 and the communication component 73 may be connected by a bus 74.
An embodiment of the present application further provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the API security protection method as performed by the security server or the policy server.
An embodiment of the present application further provides a computer program product comprising a computer program which, when executed by a processor, implements the API security protection method as performed by the security server or the policy server.
Other embodiments of the present application will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. The present application is intended to cover any variations, uses or adaptations that follow its general principles and include common knowledge or customary technical means in the art not disclosed herein. The specification and examples are to be regarded as exemplary only; the true scope and spirit of the present application are indicated by the following claims.
It should be understood that the present application is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.
Claims (14)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210389284.2A CN114978590B (en) | 2022-04-13 | 2022-04-13 | API safety protection method, equipment and readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114978590A CN114978590A (en) | 2022-08-30 |
| CN114978590B true CN114978590B (en) | 2024-08-20 |
Family
ID=82976789
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210389284.2A Active CN114978590B (en) | 2022-04-13 | 2022-04-13 | API safety protection method, equipment and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114978590B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119892515B (en) * | 2025-03-27 | 2025-06-24 | 北京安胜华信科技有限公司 | API safety protection method, device and equipment based on HTTP message stream processing |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |