CN118673505B - Abnormal API detection method, electronic device and storage medium

Info

Publication number
CN118673505B
Authority
CN
China
Prior art keywords
api
list
zombie
shadow
apis
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410879403.1A
Other languages
Chinese (zh)
Other versions
CN118673505A (en)
Inventor
黄循阳
李照
徐俊
左志平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qingke Wandao Beijing Information Technology Co ltd
Original Assignee
Qingke Wandao Beijing Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qingke Wandao Beijing Information Technology Co ltd
Priority to CN202410879403.1A
Publication of CN118673505A
Application granted
Publication of CN118673505B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3089 Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/2433 Single-class perspective, e.g. one-against-all classification; Novelty detection; Outlier detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F2201/865 Monitoring of software
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Artificial Intelligence (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Biology (AREA)
  • Evolutionary Computation (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention provides a method for detecting an abnormal API, an electronic device and a storage medium, and relates to the field of data detection. The method comprises: obtaining a development API list identified by a target application in a development phase, obtaining an operation and maintenance API list identified by a target application in an operation and maintenance phase, obtaining a development API that does not exist in the operation and maintenance API list as an initial zombie API based on the development API list and the operation and maintenance API list, thereby obtaining an initial zombie API list, obtaining an operation and maintenance API that does not exist in the development API list as an initial shadow API, thereby obtaining an initial shadow API list. By comparing the API lists in the development phase and the operation and maintenance phase, the present invention can more accurately obtain zombie APIs and shadow APIs.

Description

Abnormal API detection method, electronic equipment and storage medium
Technical Field
The present invention relates to the field of data detection, and in particular, to a method for detecting an abnormal API, an electronic device, and a storage medium.
Background
Currently, as more importance is placed on information security, the identification, classification and monitoring of API interfaces, particularly APIs involving sensitive data flows, is becoming more important as API interfaces grow rapidly and take increasingly diverse forms. Abnormal API interfaces include zombie APIs and shadow APIs.
Zombie APIs are APIs that were once valid and approved but were later discarded or replaced by newer versions for various reasons. They tend to be forgotten because the organization is busy developing new code, so they are not properly retired or updated and persist in the system. The existence of zombie APIs may lead to data leakage or other security issues, as they may contain outdated logic and fragile security measures.
Shadow APIs are APIs that are introduced by developers inside the organization or by other users during the development process but are not managed and protected by the organization's IT and security teams. Shadow APIs are not necessarily used for malicious purposes, but because they lack proper supervision and protection they may become an avenue for security vulnerabilities and attacks. For example, if a shadow API exposes sensitive data and the organization's IT and security teams are not aware of it, they cannot take the necessary measures to protect against potential risks.
Therefore, identification of zombie APIs and shadow APIs becomes particularly important.
Disclosure of Invention
To address the above technical problems, the technical solution adopted by the invention is a method for detecting abnormal APIs, where the abnormal APIs comprise zombie APIs and shadow APIs, and the method comprises the following steps:
S100, acquiring a development API list $A = \{A_1, A_2, \dots, A_i, \dots, A_m\}$ identified by the target application in the development stage, where $A_i$ is the i-th development API, i ranges from 1 to m, and m is the number of development APIs;
S200, acquiring an operation and maintenance API list $B = \{B_1, B_2, \dots, B_j, \dots, B_n\}$ identified by the target application in the operation and maintenance stage, where $B_j$ is the j-th operation and maintenance API, j ranges from 1 to n, and n is the number of operation and maintenance APIs;
S300, based on A and B, acquiring each development API that does not exist in B as an initial zombie API, thereby acquiring an initial zombie API list $C = \{C_1, C_2, \dots, C_r, \dots, C_s\}$, where $C_r$ is the r-th initial zombie API, r ranges from 1 to s, s is the number of initial zombie APIs, and $s \le m$;
S400, based on A and B, acquiring each operation and maintenance API that does not exist in A as an initial shadow API, thereby acquiring an initial shadow API list $D = \{D_1, D_2, \dots, D_g, \dots, D_z\}$, where $D_g$ is the g-th initial shadow API, g ranges from 1 to z, z is the number of initial shadow APIs, and $z \le n$.
According to another aspect of the present invention, there is provided a non-transitory computer readable storage medium having stored therein at least one instruction or at least one program loaded and executed by a processor to implement the foregoing method.
According to yet another aspect of the present invention, there is provided an electronic device comprising a processor and the aforementioned non-transitory computer-readable storage medium.
The invention has at least the following beneficial effects:
In summary, a development API list identified by a target application in a development stage is obtained, an operation and maintenance API list identified by the target application in an operation and maintenance stage is obtained, a development API which does not exist in the operation and maintenance API list is obtained as an initial zombie API based on the development API list and the operation and maintenance API list, so that the initial zombie API list is obtained, and the operation and maintenance API which does not exist in the development API list is obtained as an initial shadow API, so that the initial shadow API list is obtained.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a method for detecting an abnormal API according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to fall within the scope of the invention.
The embodiment of the invention provides a method for detecting abnormal APIs, wherein the abnormal APIs comprise zombie APIs and shadow APIs, as shown in figure 1, the method comprises the following steps:
S100, acquiring a development API list $A = \{A_1, A_2, \dots, A_i, \dots, A_m\}$ identified by the target application in the development stage, where $A_i$ is the i-th development API, i ranges from 1 to m, and m is the number of development APIs.
Specifically, a development API list A identified by the target application in the development stage is obtained by presetting a fixed code.
Specifically, a static code analysis technology is used for comprehensively scanning codes of the target application to obtain a development API list A identified by the target application in a development stage, and further, the method further comprises the step of comprehensively scanning the codes of the target application based on API information such as an API request mode, an API parameter structure, API authority configuration and the like, so that the development API list A identified by the target application in the development stage is obtained.
In one embodiment of the invention, the development API list identified by the target application in the development stage is obtained by identifying @Controller and @RestController annotations.
S200, acquiring an operation and maintenance API list $B = \{B_1, B_2, \dots, B_j, \dots, B_n\}$ identified by the target application in the operation and maintenance stage, where $B_j$ is the j-th operation and maintenance API, j ranges from 1 to n, and n is the number of operation and maintenance APIs.
Specifically, the operation and maintenance API list B identified by the target application in the operation and maintenance stage is obtained by bypass monitoring and analysis of the target application's traffic.
S300, based on A and B, acquiring each development API that does not exist in B as an initial zombie API, thereby acquiring an initial zombie API list $C = \{C_1, C_2, \dots, C_r, \dots, C_s\}$, where $C_r$ is the r-th initial zombie API, r ranges from 1 to s, s is the number of initial zombie APIs, and $s \le m$.
Specifically, if an API exists in A and does not exist in B, the API is regarded as an initial zombie API. A zombie API is an API that was once validated and approved but was later discarded or replaced by an updated version for various reasons; therefore, in the present invention an API that appears in the development stage but does not appear in the operation and maintenance stage is treated as a zombie API.
S400, based on A and B, acquiring each operation and maintenance API that does not exist in A as an initial shadow API, thereby acquiring an initial shadow API list $D = \{D_1, D_2, \dots, D_g, \dots, D_z\}$, where $D_g$ is the g-th initial shadow API, g ranges from 1 to z, z is the number of initial shadow APIs, and $z \le n$.
Specifically, if an API does not exist in A and exists in B, the API is regarded as an initial shadow API. A shadow API is an API that is introduced by a developer inside the organization or by other personnel during the development process but is not managed and protected; therefore, in the present invention an API that does not exist in the development stage but exists in the operation and maintenance stage is treated as a shadow API.
In summary, a development API list identified by a target application in a development stage is obtained, an operation and maintenance API list identified by the target application in an operation and maintenance stage is obtained, a development API which does not exist in the operation and maintenance API list is obtained as an initial zombie API based on the development API list and the operation and maintenance API list, so that the initial zombie API list is obtained, and the operation and maintenance API which does not exist in the development API list is obtained as an initial shadow API, so that the initial shadow API list is obtained.
Specifically, after S300, the method further includes:
S310, obtaining the feature vector $E_r = \{E_{r1}, E_{r2}, \dots, E_{rx}, \dots, E_{rq}\}$ corresponding to $C_r$ and the zombie weight vector $E_0 = \{E_{01}, E_{02}, \dots, E_{0x}, \dots, E_{0q}\}$, where $E_{rx}$ is the feature value of the x-th preset feature corresponding to $E_r$, $E_{0x}$ is the zombie weight of the x-th preset feature, x ranges from 1 to q, q is the number of preset features, and $\sum_{x=1}^{q} E_{0x} = 1$.
Specifically, the preset features may be determined according to actual requirements. The preset features do not include flow features: flow features were already used when the operation and maintenance API list was acquired, and the preset features here are intended to add further dimensions to the zombie weight judgment.
S320, obtaining the feature vector value $E_{r0} = \sum_{x=1}^{q} (E_{0x} \times E_{rx})$ corresponding to $C_r$.
S330, when $E_{r0}$ is greater than a first preset threshold, determining $C_r$ as a final zombie API, thereby obtaining a final zombie API list.
Specifically, the first preset threshold may be determined according to actual requirements.
S340, when $E_{r0}$ is not greater than the first preset threshold, marking $C_r$ as a gray API, thereby obtaining a gray API list.
Specifically, when $E_{r0}$ is not greater than the first preset threshold, $C_r$ cannot be determined to be a final zombie API, and thus $C_r$ is marked as a gray API.
In summary, the feature vector and the zombie weight vector corresponding to $C_r$ are obtained, and the feature vector value corresponding to $C_r$ is obtained. When $E_{r0}$ is greater than the first preset threshold, $C_r$ is determined to be a final zombie API, so that a final zombie API list is obtained; when $E_{r0}$ is not greater than the first preset threshold, $C_r$ is marked as a gray API, so that the gray API list is obtained.
Specifically, after S400, the method further includes:
S410, obtaining the feature vector $F_g = \{F_{g1}, F_{g2}, \dots, F_{gx}, \dots, F_{gq}\}$ corresponding to $D_g$ and the shadow weight vector $F_0 = \{F_{01}, F_{02}, \dots, F_{0x}, \dots, F_{0q}\}$, where $F_{gx}$ is the feature value of the x-th preset feature corresponding to $D_g$, $F_{0x}$ is the shadow weight of the x-th preset feature, and $\sum_{x=1}^{q} F_{0x} = 1$.
S420, obtaining the feature vector value $F_{g0} = \sum_{x=1}^{q} (F_{gx} \times F_{0x})$ corresponding to $D_g$.
S430, when $F_{g0}$ is greater than a second preset threshold, determining $D_g$ as a final shadow API, thereby obtaining a final shadow API list.
Specifically, the second preset threshold may be determined according to actual requirements.
S440, when $F_{g0}$ is not greater than the second preset threshold, marking $D_g$ as a gray API and updating the gray API list.
Specifically, when $F_{g0}$ is not greater than the second preset threshold, $D_g$ cannot be determined to be a final shadow API, and thus $D_g$ is marked as a gray API.
In summary, the feature vector and the shadow weight vector corresponding to $D_g$ are obtained, and the feature vector value corresponding to $D_g$ is obtained. When $F_{g0}$ is greater than the second preset threshold, $D_g$ is determined to be a final shadow API, so that a final shadow API list is obtained; when $F_{g0}$ is not greater than the second preset threshold, $D_g$ is marked as a gray API and the gray API list is updated.
Further, after S440, the method further includes:
S441, obtaining the updated gray API list $H = \{H_1, H_2, \dots, H_t, \dots, H_k\}$, where $H_t$ is the t-th updated gray API, t ranges from 1 to k, and k is the number of updated gray APIs.
Specifically, the H includes an initial zombie API with a feature value not greater than a first preset threshold and an initial shadow API with a feature value not greater than a second preset threshold.
S442, obtaining the test API list $G = \{G_1, G_2, \dots, G_y, \dots, G_p\}$ identified by the target application in the test stage, where $G_y$ is the y-th test API, y ranges from 1 to p, and p is the number of test APIs.
Specifically, the traffic of the target application is monitored to obtain the test API list G identified by the target application in the test stage; more specifically, the traffic of the target application is monitored by an Agent to obtain the test API list G identified by the target application in the test stage.
S443, taking each $H_t$ that exists in G as a final shadow API and adding it to the final shadow API list.
Specifically, a gray API that exists in the test API list G is taken as a final shadow API.
S444, taking each $H_t$ that does not exist in G as a final zombie API and adding it to the final zombie API list.
Specifically, a gray API that does not exist in the test API list G is taken as a final zombie API.
In summary, the updated gray API list is obtained, the test API list identified by the target application in the test stage is obtained, the gray APIs existing in the test API list are used as final shadow APIs, the gray APIs not existing in the test API list are used as final zombie APIs, the zombie APIs are more likely to be APIs not used in the test stage, and the shadow APIs are more likely to be APIs used in the test stage but not securely managed, so that the gray APIs are distinguished by using the test API list.
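The following Python sketch is an added example, not code from the patent: it carries S100 through S444 end to end on constructed data. The feature names, weights, thresholds and sample endpoints are assumptions, and the `normalize` step (mapping concrete request paths onto code-level route templates so the two lists are comparable) goes beyond what the text describes.

```python
import re

# Hypothetical preset features, each scored in [0, 1]. The text leaves the
# feature set open and only requires that flow (traffic) features are excluded.
ZOMBIE_W = {"marked_deprecated": 0.6, "missing_from_docs": 0.3, "no_auth_config": 0.1}
SHADOW_W = {"marked_deprecated": 0.1, "missing_from_docs": 0.4, "no_auth_config": 0.5}
T1, T2 = 0.5, 0.5  # first and second preset thresholds (assumed values)


def normalize(method, path):
    """Assumed canonical key: numeric segments and {param} templates collapse
    to '{}' so a code-level route and an observed request compare equal."""
    segs = path.split("?")[0].strip("/").split("/")
    segs = ["{}" if re.fullmatch(r"\d+|\{[^}]*\}", s) else s for s in segs]
    return f"{method.upper()} /{'/'.join(segs)}"


def weighted_score(features, weights):
    """S320 / S420: sum over x of weight_x * feature_x, weights summing to 1."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(w * features.get(name, 0.0) for name, w in weights.items())


def split_by_threshold(candidates, feats, weights, threshold):
    """S330/S340 and S430/S440: above the threshold is final, otherwise gray."""
    final, gray = set(), set()
    for api in candidates:
        score = weighted_score(feats.get(api, {}), weights)
        (final if score > threshold else gray).add(api)
    return final, gray


def classify(dev, ops, test, feats):
    A = {normalize(m, p) for m, p in dev}    # S100: from static code analysis
    B = {normalize(m, p) for m, p in ops}    # S200: from production traffic
    G = {normalize(m, p) for m, p in test}   # S442: from test-stage traffic
    zombie, gray_z = split_by_threshold(A - B, feats, ZOMBIE_W, T1)  # S300-S340
    shadow, gray_s = split_by_threshold(B - A, feats, SHADOW_W, T2)  # S400-S440
    gray = gray_z | gray_s                   # S441: updated gray list H
    for api in gray:                         # S443 / S444
        (shadow if api in G else zombie).add(api)
    return {"zombie": sorted(zombie), "shadow": sorted(shadow), "gray": sorted(gray)}


# Constructed sample input (not real endpoints).
DEV = [("GET", "/api/v2/users/{id}"), ("POST", "/api/v2/orders"),
       ("GET", "/api/v1/users/{id}"), ("GET", "/api/v1/export")]
OPS = [("GET", "/api/v2/users/42"), ("post", "/api/v2/orders?dry=1"),
       ("GET", "/internal/debug/dump"), ("POST", "/api/v2/orders/bulk")]
TEST = [("POST", "/api/v2/orders/bulk"), ("GET", "/api/v2/users/7")]
FEATS = {
    "GET /api/v1/users/{}": {"marked_deprecated": 1.0, "missing_from_docs": 1.0},
    "GET /api/v1/export": {"missing_from_docs": 1.0},
    "GET /internal/debug/dump": {"missing_from_docs": 1.0, "no_auth_config": 1.0},
    "POST /api/v2/orders/bulk": {"missing_from_docs": 1.0},
}


def run_example():
    return classify(DEV, OPS, TEST, FEATS)


if __name__ == "__main__":
    for label, apis in run_example().items():
        print(label, apis)
```

In this run `GET /api/v1/export` and `POST /api/v2/orders/bulk` both score below their thresholds and land on the gray list; the test-stage list then settles them as zombie and shadow respectively.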
Specifically, in one embodiment of the present invention, zombie weight vector E 0 is obtained by:
S001, obtaining a history zombie API list $J = \{J_1, J_2, \dots, J_e, \dots, J_h\}$, where $J_e$ is the e-th history zombie API, e ranges from 1 to h, and h is the number of history zombie APIs.
S002, obtaining a first zombie feature value list $K_e = \{K_{e1}, K_{e2}, \dots, K_{ex}, \dots, K_{eq}\}$ of $J_e$ in the operation and maintenance stage, where $K_{ex}$ is the feature value of the x-th preset feature corresponding to $J_e$ in the operation and maintenance stage.
S003, obtaining a second zombie feature value list $L_e = \{L_{e1}, L_{e2}, \dots, L_{ex}, \dots, L_{eq}\}$ of $J_e$ in the test stage, where $L_{ex}$ is the feature value of the x-th preset feature corresponding to $J_e$ in the test stage.
S004, obtaining $E_{0x}$ based on the change amplitude of $L_{ex}$ to $K_{ex}$, thereby obtaining the zombie weight vector $E_0$.
In summary, a historical zombie API list is obtained, a first zombie characteristic value list of the historical zombie API in an operation and maintenance stage is obtained, a second zombie characteristic value list of the historical zombie API in a test stage is obtained, and a zombie weight vector is obtained based on the change amplitude of the first zombie characteristic value and the second zombie characteristic value.
Specifically, in one embodiment of the present invention, the shadow weight vector F 0 is obtained by:
S005, obtaining a history shadow API list $M = \{M_1, M_2, \dots, M_a, \dots, M_b\}$, where $M_a$ is the a-th history shadow API, a ranges from 1 to b, and b is the number of history shadow APIs.
S006, obtaining a first shadow feature value list $N_a = \{N_{a1}, N_{a2}, \dots, N_{ax}, \dots, N_{aq}\}$ of $M_a$ in the operation and maintenance stage, where $N_{ax}$ is the feature value of the x-th preset feature corresponding to $M_a$ in the operation and maintenance stage.
S007, obtaining a second shadow feature value list $P_a = \{P_{a1}, P_{a2}, \dots, P_{ax}, \dots, P_{aq}\}$ of $M_a$ in the test stage, where $P_{ax}$ is the feature value of the x-th preset feature corresponding to $M_a$ in the test stage.
S008, obtaining $F_{0x}$ based on the change amplitude of $P_{ax}$ to $N_{ax}$, thereby obtaining the shadow weight vector $F_0$.
In addition, a historical shadow API list is obtained, a first shadow feature value list of the historical shadow API in an operation and maintenance stage is obtained, a second shadow feature value list of the historical shadow API in a test stage is obtained, and a shadow weight vector is obtained based on the change amplitude of the first shadow feature value and the second shadow feature value.
Embodiments of the present invention also provide a non-transitory computer readable storage medium that may be disposed in an electronic device to store at least one instruction or at least one program for implementing one of the methods embodiments, the at least one instruction or the at least one program being loaded and executed by the processor to implement the methods provided by the embodiments described above.
Embodiments of the present invention also provide an electronic device comprising a processor and the aforementioned non-transitory computer-readable storage medium.
While certain specific embodiments of the invention have been described in detail by way of example, it will be appreciated by those skilled in the art that the above examples are for illustration only and are not intended to limit the scope of the invention. Those skilled in the art will also appreciate that many modifications may be made to the embodiments without departing from the scope and spirit of the invention. The scope of the invention is defined by the appended claims.

Claims (9)

1. A method for detecting an abnormal API, the abnormal API including a zombie API and a shadow API, the method comprising the steps of:
S100, acquiring a development API list $A = \{A_1, A_2, \dots, A_i, \dots, A_m\}$ identified by the target application in the development stage, where $A_i$ is the i-th development API, i ranges from 1 to m, and m is the number of development APIs;
S200, acquiring an operation and maintenance API list $B = \{B_1, B_2, \dots, B_j, \dots, B_n\}$ identified by the target application in the operation and maintenance stage, where $B_j$ is the j-th operation and maintenance API, j ranges from 1 to n, and n is the number of operation and maintenance APIs;
S300, based on A and B, acquiring each development API that does not exist in B as an initial zombie API, thereby acquiring an initial zombie API list $C = \{C_1, C_2, \dots, C_r, \dots, C_s\}$, where $C_r$ is the r-th initial zombie API, r ranges from 1 to s, s is the number of initial zombie APIs, and $s \le m$;
S400, based on A and B, acquiring each operation and maintenance API that does not exist in A as an initial shadow API, thereby acquiring an initial shadow API list $D = \{D_1, D_2, \dots, D_g, \dots, D_z\}$, where $D_g$ is the g-th initial shadow API, g ranges from 1 to z, z is the number of initial shadow APIs, and $z \le n$;
wherein, after S300, the method further comprises:
S310, obtaining the feature vector $E_r = \{E_{r1}, E_{r2}, \dots, E_{rx}, \dots, E_{rq}\}$ corresponding to $C_r$ and the zombie weight vector $E_0 = \{E_{01}, E_{02}, \dots, E_{0x}, \dots, E_{0q}\}$, where $E_{rx}$ is the feature value of the x-th preset feature corresponding to $E_r$, $E_{0x}$ is the zombie weight of the x-th preset feature, x ranges from 1 to q, q is the number of preset features, and $\sum_{x=1}^{q} E_{0x} = 1$;
S320, obtaining the feature vector value $E_{r0} = \sum_{x=1}^{q} (E_{0x} \times E_{rx})$ corresponding to $C_r$;
S330, when $E_{r0}$ is greater than a first preset threshold, determining $C_r$ as a final zombie API, thereby obtaining a final zombie API list;
S340, when $E_{r0}$ is not greater than the first preset threshold, marking $C_r$ as a gray API, thereby obtaining a gray API list.
2. The method for detecting an abnormal API according to claim 1, further comprising, after S400:
S410, obtaining the feature vector $F_g = \{F_{g1}, F_{g2}, \dots, F_{gx}, \dots, F_{gq}\}$ corresponding to $D_g$ and the shadow weight vector $F_0 = \{F_{01}, F_{02}, \dots, F_{0x}, \dots, F_{0q}\}$, where $F_{gx}$ is the feature value of the x-th preset feature corresponding to $D_g$, $F_{0x}$ is the shadow weight of the x-th preset feature, and $\sum_{x=1}^{q} F_{0x} = 1$;
S420, obtaining the feature vector value $F_{g0} = \sum_{x=1}^{q} (F_{gx} \times F_{0x})$ corresponding to $D_g$;
S430, when $F_{g0}$ is greater than a second preset threshold, determining $D_g$ as a final shadow API, thereby obtaining a final shadow API list;
S440, when $F_{g0}$ is not greater than the second preset threshold, marking $D_g$ as a gray API and updating the gray API list.
3. The method for detecting an abnormal API according to claim 2, further comprising, after S440:
S441, obtaining an updated gray API list $H = \{H_1, H_2, \dots, H_t, \dots, H_k\}$, where $H_t$ is the t-th updated gray API, t ranges from 1 to k, and k is the number of updated gray APIs;
S442, acquiring a test API list $G = \{G_1, G_2, \dots, G_y, \dots, G_p\}$ identified by the target application in the test stage, where $G_y$ is the y-th test API, y ranges from 1 to p, and p is the number of test APIs;
S443, taking each $H_t$ that exists in G as a final shadow API and adding it to the final shadow API list;
S444, taking each $H_t$ that does not exist in G as a final zombie API and adding it to the final zombie API list.
4. The method for detecting abnormal APIs according to claim 1, wherein the zombie weight vector E 0 is obtained by:
S001, acquiring a history zombie API list $J = \{J_1, J_2, \dots, J_e, \dots, J_h\}$, where $J_e$ is the e-th history zombie API, e ranges from 1 to h, and h is the number of history zombie APIs;
S002, obtaining a first zombie feature value list $K_e = \{K_{e1}, K_{e2}, \dots, K_{ex}, \dots, K_{eq}\}$ of $J_e$ in the operation and maintenance stage, where $K_{ex}$ is the feature value of the x-th preset feature corresponding to $J_e$ in the operation and maintenance stage;
S003, obtaining a second zombie feature value list $L_e = \{L_{e1}, L_{e2}, \dots, L_{ex}, \dots, L_{eq}\}$ of $J_e$ in the test stage, where $L_{ex}$ is the feature value of the x-th preset feature corresponding to $J_e$ in the test stage;
S004, obtaining $E_{0x}$ based on the change amplitude of $L_{ex}$ to $K_{ex}$, thereby obtaining the zombie weight vector $E_0$.
5. The method for detecting an abnormal API according to claim 2, wherein said shadow weight vector F 0 is obtained by:
S005, obtaining a history shadow API list $M = \{M_1, M_2, \dots, M_a, \dots, M_b\}$, where $M_a$ is the a-th history shadow API, a ranges from 1 to b, and b is the number of history shadow APIs;
S006, acquiring a first shadow feature value list $N_a = \{N_{a1}, N_{a2}, \dots, N_{ax}, \dots, N_{aq}\}$ of $M_a$ in the operation and maintenance stage, where $N_{ax}$ is the feature value of the x-th preset feature corresponding to $M_a$ in the operation and maintenance stage;
S007, obtaining a second shadow feature value list $P_a = \{P_{a1}, P_{a2}, \dots, P_{ax}, \dots, P_{aq}\}$ of $M_a$ in the test stage, where $P_{ax}$ is the feature value of the x-th preset feature corresponding to $M_a$ in the test stage;
S008, obtaining $F_{0x}$ based on the change amplitude of $P_{ax}$ to $N_{ax}$, thereby obtaining the shadow weight vector $F_0$.
6. The method for detecting an abnormal API according to claim 3, wherein the test API list G identified by the target application in the test stage is obtained by listening to the traffic of the target application.
7. The method for detecting an abnormal API according to claim 1, wherein the development API list A identified by the target application in the development stage is obtained by presetting a fixed code.
8. A non-transitory computer readable storage medium having stored therein at least one instruction or at least one program, wherein the at least one instruction or the at least one program is loaded and executed by a processor to implement the method of detecting an abnormal API according to any one of claims 1-7.
9. An electronic device comprising a processor and the non-transitory computer readable storage medium of claim 8.
CN202410879403.1A 2024-07-02 2024-07-02 Abnormal API detection method, electronic device and storage medium Active CN118673505B (en)


Publications (2)

Publication Number Publication Date
CN118673505A (en) 2024-09-20
CN118673505B (en) 2025-02-07

Family

ID=92724428

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410879403.1A Active CN118673505B (en) 2024-07-02 2024-07-02 Abnormal API detection method, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN118673505B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024119962A1 (en) * 2022-12-07 2024-06-13 华为云计算技术有限公司 Method and apparatus for analyzing and managing api, and computing device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8789138B2 (en) * 2010-12-27 2014-07-22 Microsoft Corporation Application execution in a restricted application execution environment
CN113076537A (en) * 2021-03-04 2021-07-06 珠海城市职业技术学院 Malicious file identification method and device, electronic equipment and readable storage medium
CN118194276A (en) * 2022-12-07 2024-06-14 华为云计算技术有限公司 Method, device and computing equipment for analyzing and managing API
CN116132119B (en) * 2022-12-27 2025-09-05 郑州云智信安安全技术有限公司 Web application API sensitive data risk monitoring method and system
CN115982724B (en) * 2023-03-20 2023-05-30 北京万道数智科技有限公司 Code-level security protection method, storage medium and electronic equipment
CN116991455A (en) * 2023-07-31 2023-11-03 西安四叶草信息技术有限公司 API asset identification method and device
CN117112435B (en) * 2023-09-08 2024-01-26 清科万道(北京)信息技术有限公司 Vulnerability linkage detection result fusion method, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant