
CN115314483A - API asset determining method and abnormal calling early warning method - Google Patents


Info

Publication number: CN115314483A
Authority: CN (China)
Prior art keywords: access, historical, api, log, path
Legal status: Pending
Application number: CN202210926753.XA
Other languages: Chinese (zh)
Inventors: 李云龙, 谭学士, 陈祚松
Current assignee: Secworld Information Technology Beijing Co Ltd; Qax Technology Group Inc
Original assignee: Secworld Information Technology Beijing Co Ltd; Qax Technology Group Inc
Application filed by Secworld Information Technology Beijing Co Ltd and Qax Technology Group Inc
Priority to CN202210926753.XA
Publication of CN115314483A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides a method for determining API assets and a method for early warning of abnormal calls. The method comprises: acquiring the historical access log of the API (application programming interface) of a web service; splitting the access address of each access request in the historical access log to obtain the access path of each request; merging the historical access logs that share an access path to obtain a merged target access log; performing feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API corresponding to the access path; and determining that feature threshold as the API asset. With this scheme the feature threshold of an API interface is determined automatically from the historical access log alone, so no additional API gateway has to be deployed, the workload of manually inventorying API interfaces is reduced, efficiency is greatly improved, omissions are avoided, cost is reduced and security is improved.

Description

Method for determining API assets and method for early warning of abnormal calls

Technical field

This application relates to the technical field of network security, and in particular to a method for determining API assets, an early-warning method for abnormal calls of API interfaces, an electronic device and a computer-readable storage medium.

Background

An API (Application Programming Interface) is the agreed contract by which different components of a software system connect to each other. As software has grown ever larger in recent years, complex systems frequently have to be divided into smaller components, so the design of programming interfaces is very important.

The API interfaces involved in this application are mainly the application programming interfaces of web services (WWW is the abbreviation of World Wide Web, also shortened to "web"; its Chinese name is "万维网"). API interfaces are an important part of web services: through them users can obtain or modify data and connect programs to one another, but they also give attackers an opportunity to attack the web server; with carefully constructed packets an attacker may obtain server privileges, sensitive data and other critical information. Discovering and analyzing API interfaces is therefore essential. In the prior art, the API interfaces of a web server are usually registered through an API gateway or through a management platform populated by manual inventory, after which these known API interfaces are analyzed.

However, API interfaces change as the web service is updated and iterated. Relying on manual inventory alone easily leads to omissions, and manual inventory struggles to capture any characteristics of an API interface beyond its URI (Uniform Resource Identifier). Deploying an API gateway likewise consumes resources and adds development complexity. Attacks on API interfaces are becoming more and more frequent; if API interfaces cannot be inventoried promptly, the damage caused by an attacker is hard to discover and the web service is left exposed.

Summary of the invention

Embodiments of this application provide a method for determining API assets, in order to reduce the omissions and insufficient features caused by manual inventory and improve the security of web services.

An embodiment of this application provides a method for determining API assets, including:

obtaining the historical access log of the API interfaces of a web service;

splitting the access address of each access request in the historical access log to obtain the access path of each access request;

merging the historical access logs having the same access path to obtain a merged target access log;

performing feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path, and determining the feature threshold of the API interface as an API asset.

In one embodiment, performing feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path includes:

according to the historical parameters of the target access log, counting the number of occurrences of a specified parameter value within a preset time period, to obtain the feature threshold of the popularity feature of the API interface corresponding to the access path.

In one embodiment, performing feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path includes:

according to the historical parameters of the target access log, computing any one or more of the maximum, mean, variance or median of different field features, to obtain the feature threshold of the field features of the API interface corresponding to the access path.

In one embodiment, performing feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path includes:

according to the historical parameters of the target access log, extracting any one or more of the mean, maximum, minimum, variance and median of the parameter features and numeric features in the payload information, to obtain the feature thresholds of the parameter features and numeric features of the API interface corresponding to the access path.

In one embodiment, obtaining the historical access log of the API interfaces of the web service includes:

obtaining the historical log data of the web service;

parsing the historical log data to obtain the target field information of each access request;

filtering the historical log data according to the target field information to obtain the historical access log of API interface calls.

In one embodiment, splitting the access address of each access request in the historical access log to obtain the access path of each access request includes:

obtaining the uniform resource identifier and the domain name from the access address of each access request;

splitting the uniform resource identifier into a path part and a parameter part according to a split identifier;

combining the path part and the domain name to form the access path.

In one embodiment, obtaining the access path of the access request according to the path part includes:

if the path part contains a random string, replacing the random string with a specified character;

combining the domain name and the replaced path part to form the access path.

In one embodiment, the method further includes extracting API assets from the historical access log.

An embodiment of this application provides an early-warning method for abnormal calls of API interfaces, including:

obtaining the real-time access log of the API interfaces of a web service;

extracting a real-time access path and real-time access parameter values from the real-time access log;

analyzing, with a detection model, the real-time access parameter values corresponding to the real-time access path, determining whether an abnormal call of the API interface corresponding to the real-time access path has occurred, and outputting alarm information when an abnormal call occurs;

where the detection model is trained from the feature thresholds of the API interfaces corresponding to different access paths, and the feature thresholds of the API interfaces corresponding to different access paths are obtained by obtaining the historical access log of the API interfaces of the web service, splitting the access address of each access request in the historical access log to obtain the access path of each access request, merging the historical access logs having the same access path to obtain a merged target access log, and then performing feature analysis on the historical parameters of the target access log.

An embodiment of this application further provides an electronic device, the electronic device including:

a processor;

a memory for storing processor-executable instructions;

where the processor is configured to execute the above method for determining API assets or the above early-warning method for abnormal calls of API interfaces.

An embodiment of this application further provides a computer-readable storage medium storing a computer program that can be executed by a processor to carry out the above method for determining API assets or the above early-warning method for abnormal calls of API interfaces.

The technical solution provided by the above embodiments obtains the historical access log of the API interfaces of a web service; splits the access address of each access request in the historical access log to obtain the access path of each access request; merges the historical access logs having the same access path to obtain the target access log corresponding to that access path; performs feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path; and determines the feature threshold of the API interface as an API asset. With this solution the feature thresholds of API interfaces can be determined automatically by analyzing historical access logs alone, without deploying an additional API gateway, which reduces the workload of manually inventorying API interfaces, greatly improves efficiency, avoids omissions, lowers cost and improves security.

Description of the drawings

In order to explain the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly introduced below.

FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of this application;

FIG. 2 is a schematic flowchart of a method for determining API assets provided by an embodiment of this application;

FIG. 3 is a detailed flowchart of step S210 in the embodiment corresponding to FIG. 2;

FIG. 4 is a schematic diagram comparing the three parts of the feature analysis provided by an embodiment of this application;

FIG. 5 is a schematic diagram of payload information provided by an embodiment of this application;

FIG. 6 is a schematic flowchart of an early-warning method for abnormal calls of API interfaces provided by an embodiment of this application;

FIG. 7 is a block diagram of a device for determining API assets according to an embodiment of this application;

FIG. 8 is a block diagram of an early-warning device for abnormal calls of API interfaces according to an embodiment of this application.

Detailed description

The technical solutions in the embodiments of this application are described below with reference to the drawings.

Like reference numbers and letters denote similar items in the following drawings, so once an item is defined in one drawing it need not be further defined or explained in subsequent drawings. In the description of this application the terms "first", "second" and the like are used only to distinguish descriptions and should not be understood as indicating or implying relative importance.

FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of this application. The electronic device 100 can be used to execute the method for determining API assets and the early-warning method for abnormal calls of API interfaces provided by the embodiments. As shown in FIG. 1, the electronic device 100 includes one or more processors 102 and one or more memories 104 storing processor-executable instructions, where the processor 102 is configured to execute the method for determining API assets and the early-warning method for abnormal calls of API interfaces provided in the following embodiments.

The processor 102 may be a gateway, an intelligent terminal, or a device containing a central processing unit (CPU), a graphics processing unit (GPU) or another form of processing unit with data-processing and/or instruction-execution capability; it can process data from other components of the electronic device 100 and can also control other components of the electronic device 100 to perform desired functions.

The memory 104 may include one or more computer program products, which may include various forms of computer-readable storage media such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, random-access memory (RAM) and/or cache memory. The non-volatile memory may include, for example, read-only memory (ROM), a hard disk or flash memory. One or more computer program instructions may be stored on the computer-readable storage medium, and the processor 102 may run these program instructions to implement the method for determining API assets and the early-warning method for abnormal calls of API interfaces described below. Various application programs and data, such as data used and/or generated by those programs, may also be stored on the computer-readable storage medium.

In one embodiment, the electronic device 100 shown in FIG. 1 may further include an input device 106, an output device 108 and a data acquisition device 110, interconnected by a bus system 112 and/or other connection mechanisms (not shown). Note that the components and structure of the electronic device 100 shown in FIG. 1 are only exemplary and not limiting; the electronic device 100 may have other components and structures as required.

The input device 106 may be a device used by a user to enter instructions and may include one or more of a keyboard, mouse, microphone and touch screen. The output device 108 may output various information (for example images or sound) to the outside (for example to a user) and may include one or more of a display, a speaker and the like. The data acquisition device 110 may capture images of objects and store the captured images in the memory 104 for use by other components; for example, the data acquisition device 110 may be a camera.

In one embodiment, the components of the example electronic device 100 used to implement the method for determining API assets and the early-warning method for abnormal calls of API interfaces may be arranged in an integrated or a distributed manner; for example, the processor 102, memory 104, input device 106 and output device 108 may be integrated into one unit while the data acquisition device 110 is arranged separately.

In one embodiment, the example electronic device 100 used to implement the method for determining API assets and the early-warning method for abnormal calls of API interfaces may be implemented as an intelligent terminal such as a server or a desktop computer.

FIG. 2 is a schematic flowchart of a method for determining API assets provided by an embodiment of this application. As shown in FIG. 2, the method includes steps S210 to S240.

Step S210: obtain the historical access log of the API interfaces of the web service.

WWW is the abbreviation of World Wide Web, also shortened to "web"; its Chinese name is "万维网". A web service is a program residing on some type of computer on the Internet that processes requests from web clients such as browsers and returns the corresponding responses.

An API interface is the application programming interface of a web service, through which the web service can be accessed. The historical access log is defined relative to the real-time access log: it is the access log from before the current moment or from some earlier period. An access log records the behaviour of web clients such as browsers requesting web page data from the web service. The access log of one access request may include the source IP address (Internet Protocol address), destination IP address, accessed URI (Uniform Resource Identifier), accessed domain name, the payload sent with the access, and other information.

In one embodiment, the historical access log of the API interfaces of the web service may be stored directly on the web server. In another embodiment, as shown in FIG. 3, step S210 may specifically include the following steps S211 to S213.

Step S211: obtain the historical log data of the web service.

The historical log data of the web service includes the historical access logs of API interfaces and the historical access logs of non-API interfaces. To distinguish them, the two together are referred to as historical log data.

Step S212: parse the historical log data to obtain the target field information of each access request.

A record in the historical log data may be regarded as one access request. The target field information may include the source IP address, destination IP address, accessed URI, accessed domain name, the payload sent with the access, and other information.

Step S213: filter the historical log data according to the target field information to obtain the historical access log of API interface calls.

The historical log data is filtered so that only the historical access logs belonging to API interfaces, which are the ones that need to be analyzed, are retained. For example, for the URI field, URIs ending in jpg, txt and the like are filtered out, because such URIs are usually static resource pages rather than API interfaces; removing the log entries whose URI ends in jpg, txt and so on from the historical log data yields the historical access log of the API interfaces.

Step S220: split the access address of each access request in the historical access log to obtain the access path of each access request.

The access address may be a URL (Uniform Resource Locator), that is, a web address. Specifically, the URI and domain name are obtained from the access address of each access request; the URI is split into a path part and a parameter part according to a split identifier; and the path part and the domain name together form the access path.

The split identifier is the marker at which the URI is divided into a path part and a parameter part: the part before the split identifier is called the path part and the part after it is called the parameter part. For example, the URI of an access request may be "/v1/info/create?token=******" and the split identifier may be "?", so the URI is split into "/v1/info/create" and "token=******"; "/v1/info/create" is the path part and "token=******" is the parameter part. In one embodiment the domain name and the path part together form the access path of the access request; for example, the domain name "www.baidu.com" and the path part "/v1/info/create" together form the access path, which serves as a unique identifier so that historical access logs with the same access path can be merged in step S230.

In another embodiment, if the path part contains a random string, the random string is replaced with a specified character, and the domain name and the replaced path part together form the access path.

Note that if a URI contains random strings that interfere with merging, replacement can be used: replace first, then merge. For example, if the URI of an access request is "/v1/21wq23ewqewq1/create?token=******", where the random string "21wq23ewqewq1" changes on every access, the random string "21wq23ewqewq1" can be replaced with the specified character "*" to give "/v1/*/create?token=******", so the path part becomes "/v1/*/create". The domain name and the replaced path part then together form the access path, which is used as the unique identifier when step S230 performs the merge.

Step S230: merge the historical access logs having the same access path to obtain the merged target access log.

Merging means grouping together the historical access logs that have the same access path. To distinguish them, the historical access logs corresponding to one access path are called the target access log. For example, the historical access logs whose domain name is "www.baidu.com" and whose URI path part is "/v1/info/create" can be merged to obtain the target access log corresponding to "www.baidu.com/v1/info/create", which improves the accuracy of the feature threshold analysis.
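Steps S211 to S230 as one runnable pipeline, written here as an added example and not code from the patent: parse constructed JSON-lines log records, drop static-resource URIs, split each URL into domain and URI, split the URI at the "?" split identifier, replace random-looking path segments with "*", and group records by access path. The record field names, the JSON-lines format and the heuristic that treats an alphanumeric segment of 8 or more characters containing a digit as a random string are assumptions; the patent does not specify them.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample historical log data (JSON lines). Field names are assumptions.
SAMPLE_LOG = """\
{"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "host": "www.example.com", "url": "http://www.example.com/v1/info/create?token=aaaa", "payload": "name=alice"}
{"src_ip": "10.0.0.6", "dst_ip": "192.0.2.10", "host": "www.example.com", "url": "http://www.example.com/v1/info/create?token=bbbb", "payload": "name=bob"}
{"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "host": "www.example.com", "url": "http://www.example.com/static/logo.jpg", "payload": ""}
{"src_ip": "10.0.0.7", "dst_ip": "192.0.2.10", "host": "www.example.com", "url": "http://www.example.com/v1/21wq23ewqewq1/create?token=cccc", "payload": "id=7"}
{"src_ip": "10.0.0.8", "dst_ip": "192.0.2.10", "host": "www.example.com", "url": "http://www.example.com/v1/9f8e7d6c5b4a/create", "payload": "id=8"}
"""

# Suffixes named in the text as static resources rather than API interfaces.
STATIC_SUFFIXES = (".jpg", ".txt")

# Assumed heuristic for a "random string": 8+ alphanumeric characters with at least one digit.
RANDOM_SEGMENT = re.compile(r"^(?=.*\d)[A-Za-z0-9]{8,}$")


def parse_log(text):
    """Step S212: parse each record into its target fields (one JSON object per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_api_request(record):
    """Step S213: keep only requests whose URI does not end in a static-resource suffix."""
    path = urlsplit(record["url"]).path
    return not path.lower().endswith(STATIC_SUFFIXES)


def normalize_path(path_part, placeholder="*"):
    """Replace random-looking path segments with the specified character, e.g.
    '/v1/21wq23ewqewq1/create' -> '/v1/*/create'."""
    segments = path_part.split("/")
    return "/".join(placeholder if RANDOM_SEGMENT.match(s) else s for s in segments)


def split_access_address(record, split_identifier="?"):
    """Step S220: obtain domain and URI, split the URI at the split identifier into
    path part and parameter part, and return (access_path, parameter_part)."""
    parts = urlsplit(record["url"])
    domain = record.get("host") or parts.netloc
    uri = parts.path + ("?" + parts.query if parts.query else "")
    path_part, _, parameter_part = uri.partition(split_identifier)
    access_path = domain + normalize_path(path_part)
    return access_path, parameter_part


def merge_by_access_path(records):
    """Step S230: group API records by access path; each group is one target access log."""
    groups = defaultdict(list)
    for rec in records:
        if not is_api_request(rec):
            continue
        access_path, parameter_part = split_access_address(rec)
        entry = dict(rec)
        entry["access_path"] = access_path
        entry["parameter_part"] = parameter_part
        groups[access_path].append(entry)
    return dict(groups)


def build_target_logs(text):
    """Run steps S212, S213, S220 and S230 over raw historical log data."""
    return merge_by_access_path(parse_log(text))


if __name__ == "__main__":
    for access_path, entries in build_target_logs(SAMPLE_LOG).items():
        print(access_path, len(entries), [e["parameter_part"] for e in entries])
```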

Step S240: perform feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path, and determine the feature threshold of the API interface as an API asset.

The historical parameters may include the source IP address, destination IP address, accessed URI, accessed domain name, the payload sent with the access, and other information. Both the API interface itself and the feature thresholds of the API interface are API assets.

Feature analysis means extracting features of these historical parameters from the target access log, such as the number of accesses to a given URI, the number of occurrences of a given destination IP address, the length of the URL (Uniform Resource Locator), the length of the payload, and so on.

The feature threshold is the limit value of a feature and may include a maximum, a minimum and the like, for example the maximum length of the URL or the maximum length of the payload.

For example, the number of accesses to a given URI, the number of occurrences of a given destination IP address, the maximum URI length and the maximum payload length can all serve as feature thresholds of the API interface corresponding to the access path. For example, when the length of a URL in the real-time access log exceeds the maximum URL length above (that is, exceeds the feature threshold), an abnormal call of the API interface can be considered to have occurred.

As shown in FIG. 4, feature analysis may include three parts: popularity features, field features and payload features. The ways of obtaining the feature thresholds of the three kinds of features are described separately below; an embodiment may extract the feature thresholds of any one, two or all three kinds.

The popularity feature characterizes the number of occurrences of a specified parameter value within a period of time. In one embodiment, step S240 may include: according to the historical parameters of the target access log, counting the number of occurrences of a specified parameter value within a preset time period, to obtain the feature threshold of the popularity feature of the API interface corresponding to the access path.

For example, the number of occurrences of a specified parameter value may be the number of occurrences of a given source IP address, or of a given URI, within the preset time period. As shown in FIG. 4, popularity features may include the popularity of the source IP address, the popularity of the destination IP address, the popularity of the called URI, the popularity of the source IP address for this URI, and so on. The feature threshold of a popularity feature may be the specific popularity value; popularity means the number of occurrences within a period of time.

In one embodiment, step S240 may include: according to the historical parameters of the target access log, computing any one or more of the maximum, mean, variance or median of different field features, to obtain the feature threshold of the field features of the API interface corresponding to the access path.

如图4所示,字段特征可以包括url参数的长度、payload的长度、请求响应的时间长度,请求的时间是否在工作时间、响应包的长度、请求头的长度等等。字段特征的特征阈值可以包括字段特征的最大值、均值、方差或中位数中的任意一种或多种。举例来说,目标访问日志中url参数的最大长度可以作为访问路径对应的API接口的字段特征的特征阈值。As shown in Figure 4, the field characteristics may include the length of the url parameter, the length of the payload, the length of the request response, whether the request time is within working hours, the length of the response packet, the length of the request header, and so on. The characteristic threshold of the field characteristic may include any one or more of the maximum value, mean value, variance or median of the field characteristic. For example, the maximum length of the url parameter in the target access log can be used as the feature threshold of the field feature of the API interface corresponding to the access path.
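As an added illustration (not code from the patent), the popularity and field-feature thresholds described above, computed in Python over a constructed historical access log that has already been filtered to API calls; the record field names, the window semantics and the subset of field features chosen are assumptions of this example.

```python
import statistics
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample of historical access log records (not taken from the page).
# Field names are assumptions; they carry the historical parameters the page
# lists (source/destination IP, domain name, URI, payload) plus response data.
HISTORICAL_LOGS = [
    {"ts": 100, "src_ip": "10.0.0.5", "dst_ip": "10.1.1.1", "host": "api.example.test",
     "uri": "/v1/user/info?id=1", "payload": "", "resp_len": 512, "rtt_ms": 30},
    {"ts": 160, "src_ip": "10.0.0.5", "dst_ip": "10.1.1.1", "host": "api.example.test",
     "uri": "/v1/user/info?id=27", "payload": "", "resp_len": 530, "rtt_ms": 28},
    {"ts": 220, "src_ip": "10.0.0.9", "dst_ip": "10.1.1.1", "host": "api.example.test",
     "uri": "/v1/user/info?id=3&v=2", "payload": "", "resp_len": 498, "rtt_ms": 45},
    {"ts": 300, "src_ip": "10.0.0.9", "dst_ip": "10.1.1.1", "host": "api.example.test",
     "uri": "/v1/login", "payload": '{"user":"a","pwd":"x"}', "resp_len": 120, "rtt_ms": 80},
    {"ts": 900, "src_ip": "10.0.0.7", "dst_ip": "10.1.1.1", "host": "api.example.test",
     "uri": "/v1/login", "payload": '{"user":"bob","pwd":"yy"}', "resp_len": 118, "rtt_ms": 95},
]


def access_path(rec):
    """Access path = domain name + path part of the URI, query part dropped.

    Records sharing this key are merged into one target access log for the
    same API interface (the grouping used by step S240).
    """
    return rec["host"] + urlsplit(rec["uri"]).path


def popularity(records, fields, window, now):
    """Popularity feature: occurrences of each value (or value tuple) of `fields`
    within the last `window` seconds, i.e. timestamps in (now - window, now].
    The pseudo-field "path" stands for the access path, so ("src_ip", "path")
    gives the page's popularity of a source IP with respect to one URI."""
    counts = Counter()
    for r in records:
        if now - window < r["ts"] <= now:
            counts[tuple(access_path(r) if f == "path" else r[f] for f in fields)] += 1
    return counts


def field_features(rec):
    """Field features of one record (a subset of those listed in Figure 4)."""
    return {
        "url_param_len": len(urlsplit(rec["uri"]).query),  # length of URL parameters
        "payload_len": len(rec["payload"]),
        "resp_len": rec["resp_len"],
        "rtt_ms": rec["rtt_ms"],
    }


def field_thresholds(records):
    """Feature thresholds of the field features, per access path: max, mean,
    variance and median over the merged target access log of that path."""
    samples = defaultdict(lambda: defaultdict(list))
    for r in records:
        for name, value in field_features(r).items():
            samples[access_path(r)][name].append(value)
    thresholds = {}
    for path, feats in samples.items():
        thresholds[path] = {
            name: {"max": max(v), "mean": statistics.mean(v),
                   "variance": statistics.pvariance(v), "median": statistics.median(v)}
            for name, v in feats.items()
        }
    return thresholds


if __name__ == "__main__":
    print(popularity(HISTORICAL_LOGS, ("src_ip", "path"), window=600, now=400))
    for path, feats in field_thresholds(HISTORICAL_LOGS).items():
        print(path, feats["url_param_len"], feats["payload_len"])
```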

In one embodiment, step S240 may further include: according to the historical parameters of the target access log, extracting the parameter features from the payload information together with any one or more of the mean, maximum, minimum, variance and median of the numerical features, and obtaining the feature thresholds of the parameter features and numerical features of the API interface corresponding to the access path.

The parameter features and numerical features in the payload information may be collectively called payload features. A parameter feature comprises the parameter, the type of the parameter value, the level and the parent parameter. Figure 5 shows the format of a payload: at the first level there are the parameters deviceID, center, org and walq. According to the type of their values, these four parameters can be recorded as deviceID_string_0, center_json_0, org_json_0 and walq_string_0, where 0 denotes level 0, string denotes that the parameter value is a string and json denotes that the parameter value is a JSON object. Similarly, the next-level parameter userId can be recorded as userId_json_1_org: every parameter other than those at level 0 carries its parent parameter for disambiguation, and this is how the parameter features of the payload are extracted. For example, "userId_json_1_org" is one parameter feature (called a key): "userId" is the parameter, "json" the type of the parameter value, "1" the level and "org" the parent parameter. An embodiment of the present application may store the key and the parameter value as the payload feature.

A numerical feature is the feature value of a parameter feature. For example, the feature value of the parameter feature walq_string_0 is the length of its parameter value (such as wlaqtest), and the feature value of the parameter feature org_json_0 is the number of keys contained in the parameter org; if the parameter feature is of int type, the feature value is the parameter value itself. The feature threshold of a numerical feature may be one or more of the mean, maximum, minimum, variance and median of these feature values. For example, when the payload information of a request in the real-time access log contains a parameter feature that has never appeared before, an abnormal API call can be considered to have occurred; likewise, when the parameter value of some parameter in the payload information of a request in the real-time access log exceeds the maximum value for that parameter, an abnormal API call can also be considered to have occurred.

In another embodiment, the above method further includes: extracting the API assets from the historical access log.

Once the feature thresholds of the API interfaces have been obtained as in any of the above embodiments, the API interfaces can be discovered on the basis of those feature thresholds, and API assets such as the API interfaces and their feature thresholds can be extracted from the historical access log, so that API assets are discovered and extracted automatically.

Figure 6 is a schematic flow chart of an early warning method for abnormal calls of an API interface provided by an embodiment of the present application. As shown in Figure 6, the method includes:

Step S610: Obtain the real-time access log of the API interface of the web service.

The real-time access log is defined relative to the historical access log above; it can be regarded as the access log of the current moment, or the access log of the most recent period.

Step S620: Extract the real-time access path and the real-time access parameter values from the real-time access log.

The real-time access path can be obtained in the same way as the access path in step S220 above. The real-time access parameter values may include the feature values of the popularity features and field features described above, as well as the parameter features and the feature values of the numerical features.

Step S630: Analyze, through a detection model, the real-time access parameter values corresponding to the real-time access path, determine whether an abnormal call of the API interface corresponding to the real-time access path has occurred, and output alarm information when an abnormal call occurs;

wherein the detection model is trained from the feature thresholds of the API interfaces corresponding to the different access paths, and the feature thresholds of the API interfaces corresponding to the different access paths can be obtained using the API asset determination method provided in the above embodiments.

The detection model is used to judge whether an abnormal API call has occurred; it specifies the relationship between the real-time access parameter values and the feature thresholds that constitutes an abnormal API call. For example, when a real-time access parameter value exceeds the feature threshold, an abnormal call is considered to have occurred. The feature thresholds are extracted from the historical access log as described in the embodiments of the API asset determination method above.

For example, the parameter phoneNum represents the digit length of a phone number, and the length counted from the historical access log is 11 digits (that is, the feature threshold). If a real-time access parameter value indicates a phone number digit length greater than 11 while the returned status is normal, it is very likely that an attacker forged the payload information; by the judgement of the detection model this can be treated as an abnormal API call and alarm information can be issued.
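Added example (not the applicant's code) covering both the payload key scheme of Figure 5 and the detection rule of step S630, including the phoneNum case above: the type names for values that are neither string, JSON object nor int, and the `status_ok` flag, are assumptions of this example, and all payloads are constructed.

```python
import statistics
from collections import defaultdict


def payload_features(payload, level=0, parent=None):
    """Flatten a decoded JSON payload into {key: numerical feature value}.

    Keys follow the page's scheme <param>_<type>_<level>[_<parent>], e.g.
    deviceID_string_0 or userId_json_1_org (the parent is appended only below
    level 0). The numerical feature is the string length for strings, the key
    count for JSON objects and the value itself for ints; the handling of
    bool and other types is an assumption of this example, not from the page.
    """
    feats = {}
    for name, value in payload.items():
        if isinstance(value, dict):
            vtype, fval = "json", len(value)
        elif isinstance(value, str):
            vtype, fval = "string", len(value)
        elif isinstance(value, bool):      # must precede int: bool subclasses int
            vtype, fval = "bool", int(value)
        elif isinstance(value, int):
            vtype, fval = "int", value
        else:
            vtype, fval = type(value).__name__, len(str(value))
        key = f"{name}_{vtype}_{level}" + (f"_{parent}" if level > 0 else "")
        feats[key] = fval
        if isinstance(value, dict):        # descend with this parameter as parent
            feats.update(payload_features(value, level + 1, name))
    return feats


def payload_thresholds(historical_payloads):
    """Feature thresholds of the numerical features: per key, the mean, max,
    min, variance and median over the historical payloads of one access path."""
    samples = defaultdict(list)
    for p in historical_payloads:
        for key, fval in payload_features(p).items():
            samples[key].append(fval)
    return {
        key: {"mean": statistics.mean(v), "max": max(v), "min": min(v),
              "variance": statistics.pvariance(v), "median": statistics.median(v)}
        for key, v in samples.items()
    }


def detect_abnormal_call(thresholds, realtime_payload, status_ok=True):
    """Detection rule from the page: a parameter feature never seen in the
    historical log, or a numerical feature above its historical maximum, is an
    abnormal call. `status_ok` records whether the server answered normally,
    the condition the page's phoneNum example attaches to a forged payload.
    Returns a list of alarm strings; an empty list means the call looks normal."""
    alarms = []
    for key, fval in payload_features(realtime_payload).items():
        if key not in thresholds:
            alarms.append(f"unseen parameter feature {key}")
        elif fval > thresholds[key]["max"]:
            alarms.append(f"{key}: value {fval} exceeds historical max "
                          f"{thresholds[key]['max']} (response normal: {status_ok})")
    return alarms


# Constructed historical payloads for one access path, laid out like Figure 5
# (deviceID, center, org -> userId, walq) plus the page's phoneNum parameter.
HISTORICAL_PAYLOADS = [
    {"deviceID": "dev-0001", "center": {"id": 3}, "org": {"userId": {"id": 41}},
     "walq": "wlaqtest", "phoneNum": "13800000001"},
    {"deviceID": "dev-0002", "center": {"id": 7}, "org": {"userId": {"id": 42}},
     "walq": "wlaq", "phoneNum": "13900000002"},
    {"deviceID": "dev-0003", "center": {"id": 5}, "org": {"userId": {"id": 43}},
     "walq": "wlaqtest2", "phoneNum": "13700000003"},
]

# Constructed real-time payload: a 12-digit phoneNum and a parameter never seen before.
SUSPICIOUS_PAYLOAD = {"deviceID": "dev-0009", "center": {"id": 2},
                      "org": {"userId": {"id": 42}}, "walq": "wlaq",
                      "phoneNum": "138000000001", "debug": True}


if __name__ == "__main__":
    th = payload_thresholds(HISTORICAL_PAYLOADS)
    for alarm in detect_abnormal_call(th, SUSPICIOUS_PAYLOAD, status_ok=True):
        print(alarm)
```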

Further, front-line operations staff can manage the alarm information; in the case of a false alarm, the feature thresholds in the detection model can be modified through manual intervention to reduce false alarms and improve accuracy. In addition, besides being provided to administrators for monitoring network security, the API interface information can also be provided to business-line developers to analyze API call patterns and feature thresholds and to guide the iterative optimization of the API interfaces they develop.

The following are device embodiments of the present application, which can be used to carry out the above API asset determination method embodiments of the present application. For details not disclosed in the device embodiments, refer to the API asset determination method embodiments of the present application.

Figure 7 is a block diagram of an API asset determination device according to an embodiment of the present application. As shown in Figure 7, the device includes:

a log acquisition module 610, configured to obtain the historical access log of the API interface of the web service;

an address splitting module 620, configured to split the access address of each access request in the historical access log to obtain the access path of each access request;

a log merging module 630, configured to merge the historical access logs having the same access path to obtain a merged target access log;

a feature analysis module 640, configured to perform feature analysis on the historical parameters of the target access log, obtain the feature threshold of the API interface corresponding to the access path, and determine the feature threshold of the API interface as an API asset.

For the implementation of the functions and roles of the modules in the above device, refer to the implementation of the corresponding steps in the API asset determination method above; they are not repeated here.

Figure 8 is a block diagram of an early warning device for abnormal calls of an API interface according to an embodiment of the present application. As shown in Figure 8, the device includes:

a log acquisition module 710, configured to obtain the real-time access log of the API interface of the web service;

an address splitting module 720, configured to extract the real-time access path and the real-time access parameter values from the real-time access log;

an anomaly detection module 730, configured to analyze, through a detection model, the real-time access parameter values corresponding to the real-time access path, determine whether an abnormal call of the API interface corresponding to the real-time access path has occurred, and output alarm information when an abnormal call occurs;

wherein the detection model is trained from the feature thresholds of the API interfaces corresponding to the different access paths, and the feature thresholds of the API interfaces corresponding to the different access paths are obtained by obtaining the historical access log of the API interface of the web service, splitting the access address of each access request in the historical access log to obtain the access path of each access request, merging the historical access logs having the same access path to obtain a merged target access log, and then performing feature analysis on the historical parameters of the target access log.

For the implementation of the functions and roles of the modules in the above device, refer to the implementation of the corresponding steps in the early warning method for abnormal API interface calls above; they are not repeated here.

In the several embodiments provided in this application, the disclosed devices and methods may also be implemented in other ways. The device embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the drawings show the architecture, functions and operation of possible implementations of devices, methods and computer program products according to multiple embodiments of the present application. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code that contains one or more executable instructions for implementing the specified logical function. In some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.

In addition, the functional modules in the embodiments of the present application may be integrated to form one independent part, each module may exist separately, or two or more modules may be integrated to form one independent part.

If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

Claims (11)

1. A method for determining API assets, comprising:
obtaining a historical access log of an API interface of a web service;
splitting the access address of each access request in the historical access log to obtain the access path of each access request;
merging the historical access logs having the same access path to obtain a merged target access log; and
performing feature analysis on the historical parameters of the target access log, obtaining the feature threshold of the API interface corresponding to the access path, and determining the feature threshold of the API interface as an API asset.

2. The method according to claim 1, wherein performing feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path comprises:
counting, according to the historical parameters of the target access log, the number of occurrences of a specified parameter value within a preset time period, and obtaining the feature threshold of the popularity feature of the API interface corresponding to the access path.

3. The method according to claim 1, wherein performing feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path comprises:
computing, according to the historical parameters of the target access log, any one or more of the maximum, mean, variance or median of the different field features, and obtaining the feature threshold of the field features of the API interface corresponding to the access path.

4. The method according to claim 1, wherein performing feature analysis on the historical parameters of the target access log to obtain the feature threshold of the API interface corresponding to the access path comprises:
extracting, according to the historical parameters of the target access log, the parameter features from the payload information together with any one or more of the mean, maximum, minimum, variance and median of the numerical features, and obtaining the feature thresholds of the parameter features and numerical features of the API interface corresponding to the access path.

5. The method according to claim 1, wherein obtaining the historical access log of the API interface of the web service comprises:
obtaining historical log data of the web service;
parsing the historical log data to obtain target field information of each access request; and
filtering the historical log data according to the target field information to obtain the historical access log of calls to the API interface.

6. The method according to claim 1, wherein splitting the access address of each access request in the historical access log to obtain the access path of each access request comprises:
obtaining the uniform resource identifier and the domain name from the access address of each access request;
splitting the uniform resource identifier into a path part and a parameter part according to a split identifier; and
combining the path part with the domain name to form the access path.

7. The method according to claim 6, wherein combining the path part with the domain name to form the access path comprises:
if the path part contains a random string, replacing the random string with a specified character; and
combining the domain name with the replaced path part to form the access path.

8. The method according to any one of claims 1 to 7, further comprising:
extracting the API assets from the historical access log.

9. An early warning method for abnormal calls of an API interface, comprising:
obtaining a real-time access log of an API interface of a web service;
extracting a real-time access path and real-time access parameter values from the real-time access log; and
analyzing, through a detection model, the real-time access parameter values corresponding to the real-time access path, determining whether an abnormal call of the API interface corresponding to the real-time access path has occurred, and outputting alarm information when an abnormal call occurs;
wherein the detection model is trained from the feature thresholds of the API interfaces corresponding to different access paths, and the feature thresholds of the API interfaces corresponding to the different access paths are obtained by obtaining the historical access log of the API interface of the web service, splitting the access address of each access request in the historical access log to obtain the access path of each access request, merging the historical access logs having the same access path to obtain a merged target access log, and then performing feature analysis on the historical parameters of the target access log.

10. An electronic device, comprising:
a processor; and
a memory for storing processor-executable instructions;
wherein the processor is configured to execute the method for determining API assets according to any one of claims 1 to 8 or the early warning method for abnormal calls of an API interface according to claim 9.

11. A computer-readable storage medium storing a computer program, wherein the computer program is executable by a processor to carry out the method for determining API assets according to any one of claims 1 to 8 or the early warning method for abnormal calls of an API interface according to claim 9.
CN202210926753.XA 2022-08-03 2022-08-03 API asset determining method and abnormal calling early warning method Pending CN115314483A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210926753.XA CN115314483A (en) 2022-08-03 2022-08-03 API asset determining method and abnormal calling early warning method

Publications (1)

Publication Number Publication Date
CN115314483A true CN115314483A (en) 2022-11-08

Family

ID=83859025

Country Status (1)

Country Link
CN (1) CN115314483A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116015834A (en) * 2022-12-21 2023-04-25 中盈优创资讯科技有限公司 API asset management method and device based on business system
CN116248550A (en) * 2022-12-29 2023-06-09 中国联合网络通信集团有限公司 Interface performance determining method, device and storage medium
CN116208591A (en) * 2023-02-27 2023-06-02 深圳市安络科技有限公司 API interface checking method, device and equipment
CN117150493A (en) * 2023-09-26 2023-12-01 中电云计算技术有限公司 Method and device for identifying API (application program interface) parameter value increment type traversal
CN117978471A (en) * 2024-01-18 2024-05-03 南方电网数字电网集团信息通信科技有限公司 Unauthorized access detection method, device, equipment and storage medium for access request
CN117978471B (en) * 2024-01-18 2024-11-26 南方电网数字电网集团信息通信科技有限公司 Method, device, equipment and storage medium for detecting unauthorized access requests

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination