Disclosure of Invention
To address the above technical problems, the invention adopts the following technical scheme: a method for detecting abnormal APIs, wherein the abnormal APIs comprise zombie APIs and shadow APIs, and the method comprises the following steps:
S100, acquiring a development API list $A = \{A_1, A_2, \ldots, A_i, \ldots, A_m\}$ identified by the target application in the development stage, wherein $A_i$ is the i-th development API, i ranges from 1 to m, and m is the number of development APIs;
S200, acquiring an operation and maintenance API list $B = \{B_1, B_2, \ldots, B_j, \ldots, B_n\}$ identified by the target application in the operation and maintenance stage, wherein $B_j$ is the j-th operation and maintenance API, j ranges from 1 to n, and n is the number of operation and maintenance APIs;
S300, based on A and B, acquiring each development API that does not exist in B as an initial zombie API, thereby acquiring an initial zombie API list $C = \{C_1, C_2, \ldots, C_r, \ldots, C_s\}$, wherein $C_r$ is the r-th initial zombie API, r ranges from 1 to s, s is the number of initial zombie APIs, and $s \le m$;
S400, based on A and B, acquiring each operation and maintenance API that does not exist in A as an initial shadow API, thereby acquiring an initial shadow API list $D = \{D_1, D_2, \ldots, D_g, \ldots, D_z\}$, wherein $D_g$ is the g-th initial shadow API, g ranges from 1 to z, z is the number of initial shadow APIs, and $z \le n$.
According to another aspect of the present invention, there is provided a non-transitory computer readable storage medium having stored therein at least one instruction or at least one program loaded and executed by a processor to implement the foregoing method.
According to yet another aspect of the present invention, there is provided an electronic device comprising a processor and the aforementioned non-transitory computer-readable storage medium.
The invention has at least the following beneficial effects:
In summary, the development API list identified by the target application in the development stage and the operation and maintenance API list identified by the target application in the operation and maintenance stage are obtained. Based on the two lists, each development API that does not exist in the operation and maintenance API list is taken as an initial zombie API, yielding the initial zombie API list, and each operation and maintenance API that does not exist in the development API list is taken as an initial shadow API, yielding the initial shadow API list.
Detailed Description
The embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that can be obtained by those skilled in the art based on the embodiments of the invention without inventive effort are intended to fall within the scope of the invention.
The embodiment of the invention provides a method for detecting abnormal APIs, wherein the abnormal APIs comprise zombie APIs and shadow APIs, as shown in figure 1, the method comprises the following steps:
S100, acquiring a development API list $A = \{A_1, A_2, \ldots, A_i, \ldots, A_m\}$ identified by the target application in the development stage, wherein $A_i$ is the i-th development API, i ranges from 1 to m, and m is the number of development APIs.
Specifically, a development API list A identified by the target application in the development stage is obtained by presetting a fixed code.
Specifically, static code analysis is used to comprehensively scan the code of the target application to obtain the development API list A identified by the target application in the development stage. Further, the scan of the target application's code is based on API information such as the API request method, the API parameter structure and the API permission configuration.
In one embodiment of the invention, the development API list identified by the target application in the development stage is obtained by identifying the @Controller and @RestController annotations.
S200, acquiring an operation and maintenance API list $B = \{B_1, B_2, \ldots, B_j, \ldots, B_n\}$ identified by the target application in the operation and maintenance stage, wherein $B_j$ is the j-th operation and maintenance API, j ranges from 1 to n, and n is the number of operation and maintenance APIs.
Specifically, the traffic of the target application is monitored in bypass mode and analyzed to obtain the operation and maintenance API list B identified by the target application in the operation and maintenance stage.
S300, based on A and B, acquiring each development API that does not exist in B as an initial zombie API, thereby acquiring an initial zombie API list $C = \{C_1, C_2, \ldots, C_r, \ldots, C_s\}$, wherein $C_r$ is the r-th initial zombie API, r ranges from 1 to s, s is the number of initial zombie APIs, and $s \le m$.
Specifically, if an API exists in A but does not exist in B, the API is taken as an initial zombie API. A zombie API is an API that was validated and approved but was later discarded or replaced by an updated version for various reasons; the invention therefore treats an API that appears in the development stage but does not appear in the operation and maintenance stage as a zombie API.
S400, based on A and B, acquiring each operation and maintenance API that does not exist in A as an initial shadow API, thereby acquiring an initial shadow API list $D = \{D_1, D_2, \ldots, D_g, \ldots, D_z\}$, wherein $D_g$ is the g-th initial shadow API, g ranges from 1 to z, z is the number of initial shadow APIs, and $z \le n$.
Specifically, if an API does not exist in A but exists in B, the API is taken as an initial shadow API. A shadow API is an API that is introduced by developers or other personnel within the organization during development but is not managed and protected; the invention therefore treats an API that does not exist in the development stage but exists in the operation and maintenance stage as a shadow API.
In summary, the development API list identified by the target application in the development stage and the operation and maintenance API list identified by the target application in the operation and maintenance stage are obtained. Based on the two lists, each development API that does not exist in the operation and maintenance API list is taken as an initial zombie API, yielding the initial zombie API list, and each operation and maintenance API that does not exist in the development API list is taken as an initial shadow API, yielding the initial shadow API list.
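The comparison in S100 to S400, as an added example that is not part of the patent text: observed request paths are matched against the path templates found in code before the two differences are taken, because traffic carries concrete IDs where code declares `{id}`. The endpoint lists, the template-matching approach and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of list A: (method, path template) pairs from a static code scan.
DEV_APIS = [
    ("GET", "/api/users/{id}"),
    ("POST", "/api/users"),
    ("DELETE", "/api/users/{id}"),
    ("GET", "/api/v1/orders/{orderId}"),  # older version still present in code
]

# Constructed sample of monitored traffic, the raw material for list B.
OBSERVED = [
    ("GET", "/api/users/42"),
    ("GET", "/api/users/7?expand=roles"),
    ("POST", "/api/users/"),
    ("DELETE", "/api/users/42"),
    ("GET", "/internal/debug/dump"),
    ("GET", "/api/export/2024"),
]

def template_regex(template):
    """Compile a path template such as /users/{id} into an anchored regex."""
    literals = re.split(r"\{[^/{}]+\}", template)
    return re.compile("^" + "[^/]+".join(map(re.escape, literals)) + "/?$")

def normalize(path):
    """Drop the query string and trailing slash so equal endpoints compare equal."""
    return path.split("?", 1)[0].rstrip("/") or "/"

def diff_inventories(dev_apis, observed):
    """Return (initial zombie list C, initial shadow list D) as in S300 and S400."""
    matchers = [(method, tpl, template_regex(tpl)) for method, tpl in dev_apis]
    seen, shadows = set(), set()
    for method, raw in observed:
        path = normalize(raw)
        hits = {(m, t) for m, t, rx in matchers if m == method and rx.match(path)}
        if hits:
            seen |= hits                   # endpoint is in both A and B
        else:
            shadows.add((method, path))    # in B only: initial shadow API
    zombies = [api for api in dev_apis if api not in seen]  # in A only
    return zombies, sorted(shadows)

if __name__ == "__main__":
    print(diff_inventories(DEV_APIS, OBSERVED))
```

Unmatched traffic is reported with its concrete path, so one shadow endpoint called with many different IDs appears as several entries until those paths are collapsed into a template.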
Specifically, after S300, the method further includes:
S310, obtaining the feature vector $E_r = \{E_{r1}, E_{r2}, \ldots, E_{rx}, \ldots, E_{rq}\}$ corresponding to $C_r$ and a zombie weight vector $E_0 = \{E_{01}, E_{02}, \ldots, E_{0x}, \ldots, E_{0q}\}$, wherein $E_{rx}$ is the feature value of the x-th preset feature corresponding to $C_r$, $E_{0x}$ is the zombie weight of the x-th preset feature, x ranges from 1 to q, q is the number of preset features, and $\sum_{x=1}^{q} E_{0x} = 1$.
Specifically, the preset features may be determined according to actual requirements. Further, the preset features do not include traffic features: traffic features were already used when the operation and maintenance APIs were acquired, and the preset features here serve to increase the judgment dimensions for the zombie weight.
S320, obtaining the feature vector value $E_{r0} = \sum_{x=1}^{q} (E_{0x} \times E_{rx})$ corresponding to $C_r$.
S330, when $E_{r0}$ is greater than a first preset threshold, determining $C_r$ as a final zombie API, thereby obtaining a final zombie API list.
Specifically, the first preset threshold may be determined according to actual requirements.
S340, when $E_{r0}$ is not greater than the first preset threshold, marking $C_r$ as a gray API, thereby acquiring a gray API list.
Specifically, when $E_{r0}$ is not greater than the first preset threshold, $C_r$ cannot be determined to be a final zombie API, and thus $C_r$ is marked as a gray API.
In summary, the feature vector and the zombie weight vector corresponding to $C_r$ are obtained, and from them the feature vector value corresponding to $C_r$. When $E_{r0}$ is greater than the first preset threshold, $C_r$ is determined to be a final zombie API, yielding the final zombie API list; when $E_{r0}$ is not greater than the first preset threshold, $C_r$ is marked as a gray API, yielding the gray API list.
Specifically, after S400, the method further includes:
S410, obtaining the feature vector $F_g = \{F_{g1}, F_{g2}, \ldots, F_{gx}, \ldots, F_{gq}\}$ corresponding to $D_g$ and a shadow weight vector $F_0 = \{F_{01}, F_{02}, \ldots, F_{0x}, \ldots, F_{0q}\}$, wherein $F_{gx}$ is the feature value of the x-th preset feature corresponding to $D_g$, $F_{0x}$ is the shadow weight of the x-th preset feature, and $\sum_{x=1}^{q} F_{0x} = 1$.
S420, obtaining the feature vector value $F_{g0} = \sum_{x=1}^{q} (F_{gx} \times F_{0x})$ corresponding to $D_g$.
S430, when $F_{g0}$ is greater than a second preset threshold, determining $D_g$ as a final shadow API, thereby obtaining a final shadow API list.
Specifically, the second preset threshold may be determined according to actual requirements.
S440, when $F_{g0}$ is not greater than the second preset threshold, marking $D_g$ as a gray API and updating the gray API list.
Specifically, when $F_{g0}$ is not greater than the second preset threshold, $D_g$ cannot be determined to be a final shadow API, and thus $D_g$ is marked as a gray API.
In summary, the feature vector and the shadow weight vector corresponding to $D_g$ are obtained, and from them the feature vector value corresponding to $D_g$. When $F_{g0}$ is greater than the second preset threshold, $D_g$ is determined to be a final shadow API, yielding the final shadow API list; when $F_{g0}$ is not greater than the second preset threshold, $D_g$ is marked as a gray API and the gray API list is updated.
Further, after S440, the method further includes:
S441, acquiring the updated gray API list $H = \{H_1, H_2, \ldots, H_t, \ldots, H_k\}$, wherein $H_t$ is the t-th updated gray API, t ranges from 1 to k, and k is the number of updated gray APIs.
Specifically, H includes the initial zombie APIs whose feature vector value is not greater than the first preset threshold and the initial shadow APIs whose feature vector value is not greater than the second preset threshold.
S442, acquiring the test API list $G = \{G_1, G_2, \ldots, G_y, \ldots, G_p\}$ identified by the target application in the test stage, wherein $G_y$ is the y-th test API, y ranges from 1 to p, and p is the number of test APIs.
Specifically, the traffic of the target application is monitored to obtain the test API list G identified by the target application in the test stage; more specifically, the traffic of the target application is monitored by an Agent.
S443, taking each $H_t$ that exists in G as a final shadow API and adding it to the final shadow API list.
Specifically, a gray API that exists in the test API list G is taken as a final shadow API.
S444, taking each $H_t$ that does not exist in G as a final zombie API and adding it to the final zombie API list.
Specifically, a gray API that does not exist in the test API list G is taken as a final zombie API.
In summary, the updated gray API list and the test API list identified by the target application in the test stage are obtained; gray APIs that exist in the test API list are taken as final shadow APIs, and gray APIs that do not exist in the test API list are taken as final zombie APIs. A zombie API is more likely to be an API that is not used in the test stage, whereas a shadow API is more likely to be an API that is used in the test stage but not securely managed, so the test API list is used to distinguish the gray APIs.
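The weighted scoring and gray-list resolution of S310 to S444, as an added example that is not part of the patent text. The three features, the weights, the thresholds and the endpoint names are constructed for illustration; the patent leaves features and thresholds to actual requirements.

```python
# Constructed candidates: three hypothetical preset features scaled to [0, 1]
# (deprecation marker in code, code age, missing from API docs); none is a traffic feature.
ZOMBIE_CANDS = {                      # initial zombie list C
    "GET /api/v1/orders/{orderId}": [1.0, 0.8, 1.0],
    "GET /api/reports/{id}": [0.0, 0.5, 0.0],
    "POST /api/legacy/sync": [0.0, 0.9, 1.0],
}
SHADOW_CANDS = {                      # initial shadow list D
    "GET /internal/debug/dump": [0.0, 1.0, 1.0],
    "GET /api/export/{year}": [0.0, 0.2, 0.5],
}
E0, T1 = [0.5, 0.3, 0.2], 0.6         # assumed zombie weights, first threshold
F0, T2 = [0.2, 0.3, 0.5], 0.5         # assumed shadow weights, second threshold
TEST_APIS = {"GET /api/export/{year}", "GET /api/reports/{id}"}  # test list G

def score(features, weights):
    """Feature vector value: sum over x of weight_x * feature_x (S320, S420)."""
    if len(features) != len(weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must match the features and sum to 1")
    return sum(w * f for w, f in zip(weights, features))

def triage(candidates, weights, threshold):
    """Split candidates into (final, gray): final only if score > threshold."""
    final, gray = [], []
    for api, features in candidates.items():
        (final if score(features, weights) > threshold else gray).append(api)
    return final, gray

def detect(zombie_cands, shadow_cands, e0, f0, t1, t2, test_apis):
    """Run S310-S340, S410-S440 and S441-S444; return (zombies, shadows)."""
    zombies, gray_z = triage(zombie_cands, e0, t1)
    shadows, gray_s = triage(shadow_cands, f0, t2)
    for api in gray_z + gray_s:       # updated gray list H
        # S443: gray API seen in the test stage -> shadow; S444: otherwise zombie
        (shadows if api in test_apis else zombies).append(api)
    return sorted(zombies), sorted(shadows)

if __name__ == "__main__":
    print(detect(ZOMBIE_CANDS, SHADOW_CANDS, E0, F0, T1, T2, TEST_APIS))
```

In this data `GET /api/reports/{id}` starts as a zombie candidate but ends in the shadow list, because S443 assigns every gray API found in G to the shadow list regardless of which candidate list it came from.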
Specifically, in one embodiment of the present invention, the zombie weight vector $E_0$ is obtained by:
S001, acquiring a historical zombie API list $J = \{J_1, J_2, \ldots, J_e, \ldots, J_h\}$, wherein $J_e$ is the e-th historical zombie API, e ranges from 1 to h, and h is the number of historical zombie APIs.
S002, obtaining a first zombie feature value list $K_e = \{K_{e1}, K_{e2}, \ldots, K_{ex}, \ldots, K_{eq}\}$ of $J_e$ in the operation and maintenance stage, wherein $K_{ex}$ is the feature value of the x-th preset feature corresponding to $J_e$ in the operation and maintenance stage.
S003, obtaining a second zombie feature value list $L_e = \{L_{e1}, L_{e2}, \ldots, L_{ex}, \ldots, L_{eq}\}$ of $J_e$ in the test stage, wherein $L_{ex}$ is the feature value of the x-th preset feature corresponding to $J_e$ in the test stage.
S004, obtaining $E_{0x}$ based on the change amplitude of $L_{ex}$ to $K_{ex}$, thereby obtaining the zombie weight vector $E_0$.
In summary, a historical zombie API list is obtained, a first zombie feature value list of each historical zombie API in the operation and maintenance stage is obtained, a second zombie feature value list of each historical zombie API in the test stage is obtained, and the zombie weight vector is obtained based on the change amplitude of the first zombie feature value and the second zombie feature value.
Specifically, in one embodiment of the present invention, the shadow weight vector $F_0$ is obtained by:
S005, acquiring a historical shadow API list $M = \{M_1, M_2, \ldots, M_a, \ldots, M_b\}$, wherein $M_a$ is the a-th historical shadow API, a ranges from 1 to b, and b is the number of historical shadow APIs.
S006, obtaining a first shadow feature value list $N_a = \{N_{a1}, N_{a2}, \ldots, N_{ax}, \ldots, N_{aq}\}$ of $M_a$ in the operation and maintenance stage, wherein $N_{ax}$ is the feature value of the x-th preset feature corresponding to $M_a$ in the operation and maintenance stage.
S007, obtaining a second shadow feature value list $P_a = \{P_{a1}, P_{a2}, \ldots, P_{ax}, \ldots, P_{aq}\}$ of $M_a$ in the test stage, wherein $P_{ax}$ is the feature value of the x-th preset feature corresponding to $M_a$ in the test stage.
S008, obtaining $F_{0x}$ based on the change amplitude of $P_{ax}$ to $N_{ax}$, thereby obtaining the shadow weight vector $F_0$.
In summary, a historical shadow API list is obtained, a first shadow feature value list of each historical shadow API in the operation and maintenance stage is obtained, a second shadow feature value list of each historical shadow API in the test stage is obtained, and the shadow weight vector is obtained based on the change amplitude of the first shadow feature value and the second shadow feature value.
Embodiments of the present invention also provide a non-transitory computer-readable storage medium that may be disposed in an electronic device to store at least one instruction or at least one program for implementing one of the method embodiments, the at least one instruction or the at least one program being loaded and executed by a processor to implement the methods provided by the embodiments described above.
Embodiments of the present invention also provide an electronic device comprising a processor and the aforementioned non-transitory computer-readable storage medium.
While certain specific embodiments of the invention have been described in detail by way of example, it will be appreciated by those skilled in the art that the above examples are for illustration only and are not intended to limit the scope of the invention. Those skilled in the art will also appreciate that many modifications may be made to the embodiments without departing from the scope and spirit of the invention. The scope of the invention is defined by the appended claims.