CN117978471A - Unauthorized access detection method, device, equipment and storage medium for access request - Google Patents


Publication number
CN117978471A
Authority
CN
China
Prior art keywords
access
data
access request
application program
request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410075822.XA
Other languages
Chinese (zh)
Inventor
金浩
曾子峰
邹洪
张佳发
许伟杰
陈锋
江家伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd
Original Assignee
China Southern Power Grid Digital Power Grid Group Information Communication Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an override detection method, device, equipment and storage medium for an access request. The method comprises the following steps: receiving an access request, and determining access behavior log data associated with the access request; detecting the access behavior log data based on an application program interface asset table to obtain a permission judgment result corresponding to the access request, wherein the application program interface asset table is pre-constructed based on target access attribute data associated with flow data; and determining unauthorized access behavior data corresponding to the access request based on the permission judgment result and the access behavior log data. The method accurately detects unauthorized behavior and improves the accuracy and efficiency of security risk detection.

Description

Unauthorized access detection method, device, equipment and storage medium for access request
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting unauthorized access to an access request.
Background
With the rapid development of information technology, application programming interfaces play an increasingly important role in various industries. The application programming interface provides a standardized interface for data exchange between different systems.
However, this brings challenges to application programming interface security, especially the problem of unauthorized access by accounts. When a malicious or unauthorized user obtains unauthorized information or performs unauthorized operations through an application programming interface, serious consequences such as sensitive data leakage and system paralysis can result.
Disclosure of Invention
The invention provides an override detection method, device, equipment and storage medium for an access request, which are used for solving the problems of sensitive data leakage and system paralysis caused by low accuracy of override access detection.
According to an aspect of the present invention, there is provided an override detection method for an access request, the method including:
Receiving an access request, and determining access behavior log data associated with the access request;
detecting the access behavior log data based on an application program interface asset table to obtain a permission judgment result corresponding to the access request, wherein the application program interface asset table is pre-constructed based on target access attribute data associated with flow data;
and determining unauthorized access behavior data corresponding to the access request based on the permission judgment result and the access behavior log data.
According to another aspect of the present invention, there is provided an apparatus for detecting override of an access request, the apparatus comprising:
The request receiving module is used for receiving an access request and determining access behavior log data associated with the access request;
the permission judging module is used for detecting the access behavior log data based on an application program interface asset table to obtain a permission judging result corresponding to the access request, wherein the application program interface asset table is constructed in advance based on target access attribute data associated with flow data;
and the override analysis module is used for determining override access behavior data corresponding to the access request based on the permission judgment result and the access behavior log data.
According to another aspect of the present invention, there is provided an electronic apparatus including:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of detecting an override of an access request according to any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the method for detecting an override of an access request according to any one of the embodiments of the present invention when executed.
According to the technical scheme, an access request is received and the access behavior log data associated with the access request is determined, which establishes a relation between the access request and the access behavior log data. The access behavior log data is then detected based on an application program interface asset table to obtain a permission judgment result corresponding to the access request, wherein the application program interface asset table is constructed in advance based on target access attribute data associated with flow data. Finally, unauthorized access behavior data corresponding to the access request is determined based on the permission judgment result and the access behavior log data. This solves the problems of low unauthorized access detection accuracy, sensitive data leakage and system paralysis, and achieves the beneficial effects of accurately detecting unauthorized behavior and improving the accuracy and efficiency of security risk detection.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an override detection method for an access request according to a first embodiment of the present invention;
Fig. 2 is a flowchart of an override detection method for an access request according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an apparatus for detecting override of an access request according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device implementing an override detection method for an access request according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "target," "initial," and the like in the description and claims of the present invention and the above-described drawings are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of an access request override detection method according to an embodiment of the present invention, where the method may be performed by an access request override detection device, and the access request override detection device may be implemented in hardware and/or software, and the access request override detection device may be configured in an electronic device. As shown in fig. 1, the method includes:
S110, receiving an access request and determining access behavior log data associated with the access request.
The access request may be understood as an API (Application Program Interface) access request. The access behavior log data may be understood as the access behavior log data of an application program interface account.
Specifically, a request of an account number for accessing an application program interface is received, and access behavior log data associated with the access request is determined.
Optionally, the receiving an access request, determining access behavior log data associated with the access request includes: determining an application program interface account number associated with the access request; verifying the application program interface account number associated with the access request to obtain a target application program interface account number; determining initial access attribute data associated with the target application program interface account, and automatically generating access behavior log data associated with the access request based on the initial access attribute data, wherein the initial access attribute data comprises at least one of application program interface request endpoint data, access time data and request method data.
The application program interface account may be understood as an API account. The target application program interface account may be understood as an API account for which login is successful.
Specifically, an access request initiated by a user is received, and an API account in the access request is identified and verified based on a preset account identification rule, so as to obtain a target application program interface account with successful login. And tracking and recording the access behavior of the target application program interface account, and determining initial access attribute data associated with the target application program interface account. Access behavior log data associated with the access request is automatically generated from the initial access attribute data. The account identification rule may be preset according to experience, and is not limited in this embodiment.
S120, detecting the access behavior log data based on an application program interface asset table to obtain a permission judgment result corresponding to the access request, wherein the application program interface asset table is constructed in advance based on target access attribute data associated with flow data.
The application program interface asset table may be understood as an API asset table. The permission judgment result can be understood as an override judgment result, and it is either non-override or override.
Specifically, the access behavior log data is detected based on a pre-constructed API asset table, so as to obtain whether the permission judgment result of the access request is unauthorized.
Optionally, the application program interface asset table is pre-built based on the target access attribute data, including: acquiring a preset number of flow data, and extracting target flow data in the flow data; performing deep analysis on the target flow data based on a deep message analysis method to obtain target access attribute data associated with the target flow data, wherein the target access attribute data comprises at least one of target network protocol data, target port data, host data, application programming interface address data and request method data; and constructing the application program interface asset table based on the target access attribute data.
The flow data may be understood as network traffic data. The target flow data may be HTTP (HyperText Transfer Protocol) traffic data. The target access attribute data may be understood as access attribute data associated with API traffic in HTTP traffic.
Specifically, a real-time monitoring system is deployed to capture and record network traffic data in real time. The preset number of flow data is analyzed, and the HTTP traffic in the network traffic is extracted. The HTTP traffic is deeply parsed by a deep message analysis method, and where API traffic is present in the HTTP traffic, the target access attribute data of the API traffic is determined. The API asset table is constructed based on the destination network protocol data, destination port data, host data, application programming interface address data and request method data in the target access attribute data of the API traffic.
In the embodiment of the invention, the HTTP traffic is extracted by analyzing the captured network traffic. The HTTP traffic is then deeply parsed to determine the API traffic present in it. An API asset table is constructed based on five fields: destination network protocol data, destination port data, host data, application programming interface address data, and request method data. This achieves comprehensive identification of the API assets present in a network.
S130, determining unauthorized access behavior data corresponding to the access request based on the permission judgment result and the access behavior log data.
Specifically, when the permission determination result is the override, specific override access behavior data corresponding to the access request is determined based on the permission determination result corresponding to the access request and the access behavior log data.
Optionally, the determining, based on the permission determination result and the access behavior log data, unauthorized access behavior data corresponding to the access request includes: and analyzing the permission judgment result and the access behavior log data based on an override detection algorithm to obtain override access behavior data.
Specifically, the override detection algorithm based on the context content association analysis analyzes the permission judgment result and the access behavior log data, and further analyzes the specific override access behavior data of the access request.
In the embodiment of the invention, under the condition that the permission judgment result is override, the permission judgment result and the access behavior log data are further analyzed based on the override detection algorithm of the context content association analysis, so that the specific override access behavior data of the access request can be accurately determined, and the accuracy of override detection is improved.
Optionally, after determining the unauthorized access behavior data corresponding to the access request based on the permission determination result, the method further includes:
And determining a security response mode corresponding to the unauthorized access behavior data based on the unauthorized access behavior data, wherein the security response mode comprises at least one of alarm prompt, access prevention and abnormal recording.
Specifically, corresponding security response levels (e.g., low-level, medium-level, and high-level) may be set in advance for different unauthorized access behaviors, and different security response modes may be set for different security response levels. For example: low-level override access behavior may trigger an alarm prompt and block access; medium-level override access behavior may record the anomaly and block access; high-level override access behavior may trigger an alarm prompt, record the anomaly, block access, and so on. Corresponding security response modes can also be preset directly for different unauthorized access behaviors. After the security response mode corresponding to the unauthorized access behavior data is determined, a security response instruction can be generated and sent to the system side to trigger the corresponding security response mechanism.
In the embodiment of the invention, the real-time and accurate detection of the unauthorized access behavior is realized by adopting an advanced algorithm by combining the account access behavior and the API asset authority. Once an override is detected, the system will quickly alert against potential security risks.
According to the technical scheme, an access request is received and the access behavior log data associated with the access request is determined, which establishes a relation between the access request and the access behavior log data. The access behavior log data is then detected based on an application program interface asset table to obtain a permission judgment result corresponding to the access request, wherein the application program interface asset table is constructed in advance based on target access attribute data associated with flow data. Finally, unauthorized access behavior data corresponding to the access request is determined based on the permission judgment result and the access behavior log data. This solves the problems of low unauthorized access detection accuracy, sensitive data leakage and system paralysis, and achieves the beneficial effects of accurately detecting unauthorized behavior and improving the accuracy and efficiency of security risk detection.
Example 2
Fig. 2 is a flowchart of an override detection method for an access request according to a second embodiment of the present invention. On the basis of the above embodiments, this embodiment further refines how the access behavior log data is detected based on a pre-built application program interface asset table to obtain the permission judgment result corresponding to the access request. Optionally, the detecting the access behavior log data based on the pre-built application program interface asset table to obtain a permission judgment result corresponding to the access request includes: determining authority information data corresponding to the access behavior log data in the application program interface asset table, wherein the authority information data comprises authority range data and/or executable operation data; and comparing the access behavior log data with the authority information data to obtain a permission judgment result corresponding to the access request.
As shown in fig. 2, the method includes:
S210, receiving an access request, and determining access behavior log data associated with the access request.
S220, determining authority information data corresponding to the access behavior log data in the application program interface asset table, wherein the authority information data comprises authority range data and/or executable operation data.
The authority range data may be understood as permission data for accessing a specific API. The executable operation data may be understood as accessible API interface data.
Specifically, accessible API interface data corresponding to the access behavior log data and/or rights data to access a particular API are determined in the API asset table.
In the embodiment of the invention, by combining the access behavior of the API account and the API asset table, whether the authority of each API asset is matched or not is judged, and whether the account has the right to access a specific API or not is determined. The method realizes the fine management of the API access, and ensures that only the account number with the corresponding authority can access the corresponding API.
Optionally, the determining, in the application program interface asset table, rights information data corresponding to the access behavior log data includes: searching the target access attribute data corresponding to the initial access attribute data in the application program interface asset table based on the initial access attribute data in the access behavior log data; and determining authority information data corresponding to the access behavior log data based on the target access attribute data.
The initial access attribute data may be understood as all access attribute data in the access behavior log data.
Specifically, searching an API asset table based on initial access attribute data, and searching target access attribute data corresponding to the initial access attribute data in the API asset table; and determining authority information data corresponding to the access behavior log data based on the destination network protocol data, the destination port data, the host data, the application programming interface address data and the request method data in the target access attribute data.
S230, comparing the access behavior log data with the permission information data to obtain a permission judgment result corresponding to the access request.
Specifically, the access behavior log data is compared with the authority information data corresponding to the access behavior log data to judge whether the authority information of the access request matches, and to further determine whether the application program interface account is authorized to access the specific API. The permission judgment result corresponding to the access request is determined based on the comparison result.
In this embodiment, by carefully resolving the API asset table, the system can accurately determine the authority range of each API asset, including operations such as reading, writing, deleting, and the like, thereby providing fine-grained authority control for the system.
S240, determining unauthorized access behavior data corresponding to the access request based on the permission judgment result and the access behavior log data.
According to the technical scheme, the authority information data corresponding to the access behavior log data is determined in the application program interface asset table, wherein the authority information data comprises authority range data and/or executable operation data; and accurately determining the corresponding permission range and/or the executable operation of the access request. And then, comparing the access behavior log data with the permission information data to obtain a permission judgment result corresponding to the access request, thereby realizing the fine management of the access of the application program interface and ensuring that only an account with corresponding permission can access the corresponding application program interface.
As an optional example of the embodiment of the present invention, the override detection of the access request in this embodiment specifically includes the following steps:
Step 1, data access:
Real-time traffic monitoring: a real-time monitoring system is deployed to capture and record the network traffic in real time.
Step 2, API asset identification:
The streaming network traffic is analyzed and the HTTP traffic in it is extracted; the HTTP traffic is deeply parsed to identify the API traffic present, and an API asset table is constructed based on five fields of the API traffic: destination network protocol data, destination port data, host data, application programming interface address data and request method data.
Step 3, API account identification:
Input: an access request.
Processing: the system identifies and verifies the application program interface account in the request through a preset account identification rule. The account identification rule may be user-defined, which is not limited in this embodiment.
Output: the identified and verified application program interface account information.
Step 4, access behavior recording:
Input: at least one piece of application program interface account information identified by the application program interface account identification.
Processing: determining initial access attribute data associated with the target application program interface account, and automatically generating access behavior log data associated with the access request based on the initial access attribute data, wherein the initial access attribute data comprises at least one of application program interface request endpoint data, access time data and request method data.
Output: access behavior log data.
Step 5, API asset table search:
Input: at least one access behavior log data associated with the access request.
Processing: the system searches the API asset table according to the access behavior log data, and acquires the authority information data of each API asset, including the authority range data and/or the executable operation data.
Output: network protocol data, destination port data, host data, application programming interface address data, and request method data associated with the access behavior in the API asset table.
Step 6, permission judgment:
Input: the access behavior log data of the application program interface account, and the network protocol data, destination port data, host data, application programming interface address data and request method data associated with the access behavior in the API asset table.
Processing: the system judges whether the authority of each API asset matches according to the access behavior log data associated with the access request and the API asset table, and determines whether the application program interface account is authorized to access a specific application program interface.
Output: the permission judgment result corresponding to the access request.
Step 7, override detection:
Input: access behavior log data associated with the access request and the permission judgment result corresponding to the access request.
Processing: the system analyzes the permission judgment result and the access behavior log data based on an override detection algorithm implemented by context content association analysis.
Output: unauthorized access behavior data.
Step 8, security response:
Input: unauthorized access behavior data.
Processing: determining the security response mode corresponding to the unauthorized access behavior data based on the unauthorized access behavior data.
Output: a security response instruction.
According to the technical scheme provided by the embodiment of the invention, a comprehensive access behavior log is formed by tracking and recording the access behavior of each API account in real time, including the requested API endpoint, the access time, the request method and the like. Detailed information on each API asset, including the authority range, executable operations and the like, is acquired by searching the API asset table, providing a sufficient basis for the subsequent permission judgment. By combining the access behavior of the API account with the API asset table, the system performs a permission judgment for each API asset and ensures that an account can only access the APIs for which it has legitimate permission. The access behavior of the account and the permission judgment result are analyzed in real time using an advanced override detection algorithm to accurately detect whether override access behavior exists. This improves the detection accuracy for illegal access behavior, allows potential security risks to be found in time, and improves the security protection capability of the system.
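The asset-table construction of Example 1 and Steps 2 to 8 above can be illustrated with the following sketch, which is an added example and not code from the patent. The `/api/` prefix used to recognise API traffic, the `{id}` path normalisation, the storage of authority information as a set of permitted accounts per asset, the three reason labels and their mapping to response levels, and all names and sample values are assumptions made for the illustration; the response combinations per level follow the example given in the description.

```python
import re
from dataclasses import dataclass

API_PREFIX = "/api/"  # assumption: marks API traffic within HTTP traffic
METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}
# Assumed mapping from override reason to response level; the response
# combinations per level follow the example given in the description.
LEVEL = {"unlisted_endpoint": "low", "operation_not_permitted": "medium",
         "out_of_scope": "high"}
RESPONSE = {"low": ["alarm", "block"], "medium": ["record", "block"],
            "high": ["alarm", "record", "block"]}
# Constructed sample traffic: (destination port, raw request head).
SAMPLE_TRAFFIC = [
    (8080, b"GET /api/v1/meters/1001 HTTP/1.1\r\nHost: grid.example\r\n\r\n"),
    (8080, b"DELETE /api/v1/meters/1002 HTTP/1.1\r\nHost: grid.example\r\n\r\n"),
    (8080, b"GET /api/v1/users/7/bills?year=2024 HTTP/1.1\r\nHost: grid.example\r\n\r\n"),
    (8080, b"GET /static/logo.png HTTP/1.1\r\nHost: grid.example\r\n\r\n"),
    (8443, b"\x16\x03\x01\x02\x00"),  # not HTTP: ignored
]

def normalize(path):
    """Drop the query string and collapse numeric segments into {id}."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path.split("?", 1)[0])

def parse_request(dst_port, raw):
    """Return the five-field asset key for an HTTP API request, else None."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/"):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
    path = normalize(parts[1])
    if host is None or not path.startswith(API_PREFIX):
        return None
    return ("HTTP", dst_port, host, path, parts[0])

def build_asset_table(traffic):
    """Map each observed API asset key to its set of permitted accounts."""
    table = {}
    for dst_port, raw in traffic:
        key = parse_request(dst_port, raw)
        if key is not None:
            table.setdefault(key, set())
    return table

@dataclass(frozen=True)
class AccessLog:
    account: str
    port: int
    host: str
    path: str
    method: str
    time: str

def judge(table, log):
    """Compare one log entry with the asset table: (verdict, reason)."""
    key = ("HTTP", log.port, log.host.lower(), normalize(log.path), log.method)
    if key not in table:
        return "override", "unlisted_endpoint"
    if log.account in table[key]:
        return "non-override", "permitted"
    # Same endpoint, other method granted: the operation exceeds the grant.
    if any(k[:4] == key[:4] and log.account in accts for k, accts in table.items()):
        return "override", "operation_not_permitted"
    return "override", "out_of_scope"

def detect(table, log):
    """Return an override record with its security response, or None."""
    verdict, reason = judge(table, log)
    if verdict == "non-override":
        return None
    level = LEVEL[reason]
    return {"account": log.account, "request": f"{log.method} {log.path}",
            "time": log.time, "reason": reason, "level": level,
            "response": RESPONSE[level]}

def demo():
    table = build_asset_table(SAMPLE_TRAFFIC)
    meters = ("HTTP", 8080, "grid.example", "/api/v1/meters/{id}")
    table[meters + ("GET",)] |= {"operator", "admin"}   # constructed grants
    table[meters + ("DELETE",)] |= {"admin"}
    logs = [  # constructed access behavior log entries
        AccessLog("operator", 8080, "grid.example", "/api/v1/meters/1003", "GET", "2024-01-18T09:00:00"),
        AccessLog("operator", 8080, "grid.example", "/api/v1/meters/1003", "DELETE", "2024-01-18T09:00:05"),
        AccessLog("guest", 8080, "grid.example", "/api/v1/users/7/bills", "GET", "2024-01-18T09:01:00"),
        AccessLog("operator", 8080, "grid.example", "/api/v1/firmware", "POST", "2024-01-18T09:02:00"),
    ]
    return [detect(table, log) for log in logs]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The sketch classifies each override by a simple reason label; the context content association analysis named in Step 7 is not specified in the description and is not reproduced here.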
Example 3
Fig. 3 is a schematic structural diagram of an apparatus for detecting unauthorized access to an access request according to a third embodiment of the present invention. As shown in fig. 3, the apparatus includes: a request receiving module 310, a rights judging module 320, and an override analyzing module 330.
The request receiving module 310 is configured to receive an access request, and determine access behavior log data associated with the access request; the permission judging module 320 is configured to detect the access behavior log data based on an application program interface asset table to obtain a permission judging result corresponding to the access request, where the application program interface asset table is pre-constructed based on target access attribute data associated with flow data; and an override analysis module 330, configured to determine override access behavior data corresponding to the access request based on the permission determination result and the access behavior log data.
In this technical scheme, the request receiving module receives the access request and determines the access behavior log data associated with it, which establishes the relation between the access request and the access behavior log data. The permission judging module then detects the access behavior log data based on an application program interface asset table to obtain a permission judgment result corresponding to the access request, where the application program interface asset table is constructed in advance based on target access attribute data associated with flow data. Finally, the unauthorized access behavior data corresponding to the access request is determined, through a permission judging module, based on the permission judgment result and the access behavior log data. This solves the problems of low unauthorized access detection accuracy, sensitive data leakage and system paralysis, and achieves the beneficial effects of accurately detecting unauthorized behavior and improving the accuracy and efficiency of security risk detection.
Optionally, the request receiving module includes:
an account determining unit, configured to determine an application program interface account associated with the access request;
an account verification unit, configured to verify the application program interface account associated with the access request to obtain a target application program interface account;
and a log generation unit, configured to determine initial access attribute data associated with the target application program interface account, and to automatically generate access behavior log data associated with the access request based on the initial access attribute data, where the initial access attribute data includes at least one of application program interface request endpoint data, access time data and request method data.
Optionally, the permission judging module includes:
a flow acquisition unit, configured to acquire a preset number of flow data and extract target flow data from the flow data;
an attribute data acquisition unit, configured to perform deep analysis on the target flow data based on a deep message analysis method to obtain target access attribute data associated with the target flow data, where the target access attribute data includes at least one of target network protocol data, target port data, host data, application programming interface address data and request method data;
and an asset table construction unit, configured to construct the application program interface asset table based on the target access attribute data.
Optionally, the permission judging module includes:
a permission determining unit, configured to determine permission information data corresponding to the access behavior log data in the application program interface asset table, where the permission information data includes permission range data and/or executable operation data;
and a permission judging unit, configured to compare the access behavior log data with the permission information data to obtain a permission judgment result corresponding to the access request.
Optionally, the permission determining unit includes:
an attribute data searching subunit, configured to search the application program interface asset table for the target access attribute data corresponding to the initial access attribute data, based on the initial access attribute data in the access behavior log data;
and a permission information determining subunit, configured to determine permission information data corresponding to the access behavior log data based on the target access attribute data.
Optionally, the override analysis module is specifically configured to:
analyze the permission judgment result and the access behavior log data based on an override detection algorithm to obtain override access behavior data.
Optionally, the apparatus further comprises a security response module.
The security response module is configured to determine, after the unauthorized access behavior data corresponding to the access request has been determined based on the permission judgment result, a security response mode corresponding to the unauthorized access behavior data, where the security response mode includes at least one of alarm prompt, access blocking, and recording the abnormality.
The device for detecting the override of the access request provided by the embodiment of the invention can execute the method for detecting the override of the access request provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
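The three modules of this embodiment (request receiving, permission judging, override analysis), as an added Python example that is not code from the patent. The `scope` column, the numeric-segment path normalization, the verdict names and the verdict-to-response mapping are assumptions, since the patent names an override detection algorithm without specifying it; all traffic records and accounts are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed stand-in for deep message analysis output: one record per observed
# API call (protocol, port, host, API address, request method). "scope" is an
# assumed column: the patent does not say how permission range data is sourced.
TRAFFIC = [
    {"proto": "https", "port": 443, "host": "api.example.internal",
     "path": "/v1/meters/1001", "method": "GET", "scope": "reader"},
    {"proto": "https", "port": 443, "host": "api.example.internal",
     "path": "/v1/meters/1002", "method": "GET", "scope": "reader"},
    {"proto": "https", "port": 443, "host": "api.example.internal",
     "path": "/v1/meters/1001", "method": "PUT", "scope": "operator"},
    {"proto": "https", "port": 443, "host": "api.example.internal",
     "path": "/v1/accounts", "method": "POST", "scope": "admin"},
]
# Constructed account directory: API account -> scopes it holds.
ACCOUNTS = {"acct-reader": {"reader"}, "acct-ops": {"reader", "operator"}}

def endpoint_key(host, port, path):
    """Collapse numeric path segments so /meters/1001 and /meters/1002 are one asset."""
    return (host.lower(), port, re.sub(r"/\d+(?=/|$)", "/{id}", path))

def build_asset_table(traffic):
    """Asset table: endpoint -> {method: scopes allowed to execute it}."""
    table = {}
    for r in traffic:
        ops = table.setdefault(endpoint_key(r["host"], r["port"], r["path"]), {})
        ops.setdefault(r["method"], set()).add(r["scope"])
    return table

def make_log_entry(account, host, port, path, method, when=None):
    """Request receiving module: verify the account, then emit the log record."""
    if account not in ACCOUNTS:
        raise PermissionError(f"unverified API account: {account}")
    when = when or datetime.now(timezone.utc)
    return {"account": account, "endpoint": endpoint_key(host, port, path),
            "raw_path": path, "method": method.upper(), "time": when.isoformat()}

def judge_permission(log, table):
    """Permission judging module: compare the log entry with the asset table."""
    ops = table.get(log["endpoint"])
    if ops is None:
        return "unknown_api"          # endpoint never seen in baseline traffic
    allowed_scopes = ops.get(log["method"])
    if allowed_scopes is None:
        return "operation_denied"     # method is not an executable operation here
    if ACCOUNTS[log["account"]] & allowed_scopes:
        return "allowed"
    return "scope_denied"             # account lacks the required permission range

# Assumed mapping from verdict to the response modes the patent lists
# (alarm prompt, access blocking, recording the abnormality).
RESPONSES = {"scope_denied": ["alert", "block"],
             "operation_denied": ["alert", "block"],
             "unknown_api": ["record"]}

def detect_override(log, verdict):
    """Override analysis module: turn a non-allowed verdict into an override record."""
    if verdict == "allowed":
        return None
    return {"account": log["account"], "endpoint": log["endpoint"],
            "method": log["method"], "time": log["time"],
            "reason": verdict, "response": RESPONSES[verdict]}

def check(account, host, port, path, method, table):
    """Run one request through all three modules; None means no override."""
    log = make_log_entry(account, host, port, path, method)
    return detect_override(log, judge_permission(log, table))
```

An endpoint absent from the asset table is only recorded here rather than blocked, because a table learned from sampled traffic will miss legitimate but rarely called APIs.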
Example IV
Fig. 4 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be any of a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the override detection method for access requests.
In some embodiments, the override detection method for access requests may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the override detection method for access requests described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the override detection method for access requests in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that steps may be reordered, added, or deleted using the various forms of flow shown above. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. An override detection method for an access request, comprising:
receiving an access request, and determining access behavior log data associated with the access request;
detecting the access behavior log data based on an application program interface asset table to obtain a permission judgment result corresponding to the access request, wherein the application program interface asset table is pre-constructed based on target access attribute data associated with flow data;
and determining unauthorized access behavior data corresponding to the access request based on the permission judgment result and the access behavior log data.
2. The method of claim 1, wherein the receiving an access request, determining access behavior log data associated with the access request, comprises:
Determining an application program interface account number associated with the access request;
Verifying the application program interface account number associated with the access request to obtain a target application program interface account number;
Determining initial access attribute data associated with the target application program interface account, and automatically generating access behavior log data associated with the access request based on the initial access attribute data, wherein the initial access attribute data comprises at least one of application program interface request endpoint data, access time data and request method data.
3. The method of claim 1, wherein the application program interface asset table is pre-built based on target access attribute data, comprising:
acquiring a preset number of flow data, and extracting target flow data from the flow data;
performing deep analysis on the target flow data based on a deep message analysis method to obtain target access attribute data associated with the target flow data, wherein the target access attribute data comprises at least one of target network protocol data, target port data, host data, application programming interface address data and request method data;
and constructing the application program interface asset table based on the target access attribute data.
4. The method according to claim 1, wherein detecting the access behavior log data based on the pre-built application program interface asset table to obtain the permission judgment result corresponding to the access request comprises:
determining permission information data corresponding to the access behavior log data in the application program interface asset table, wherein the permission information data comprises permission range data and/or executable operation data;
and comparing the access behavior log data with the permission information data to obtain a permission judgment result corresponding to the access request.
5. The method of claim 4, wherein determining permission information data corresponding to the access behavior log data in the application program interface asset table comprises:
searching the application program interface asset table for the target access attribute data corresponding to the initial access attribute data, based on the initial access attribute data in the access behavior log data;
and determining permission information data corresponding to the access behavior log data based on the target access attribute data.
6. The method according to claim 1, wherein the determining unauthorized access behavior data corresponding to the access request based on the permission judgment result and the access behavior log data includes:
analyzing the permission judgment result and the access behavior log data based on an override detection algorithm to obtain override access behavior data.
7. The method according to claim 1, further comprising, after the determining unauthorized access behavior data corresponding to an access request based on the permission judgment result:
determining a security response mode corresponding to the unauthorized access behavior data based on the unauthorized access behavior data, wherein the security response mode comprises at least one of alarm prompt, access prevention and abnormal recording.
8. An apparatus for detecting unauthorized access to an access request, comprising:
a request receiving module, used for receiving an access request and determining access behavior log data associated with the access request;
a permission judging module, used for detecting the access behavior log data based on an application program interface asset table to obtain a permission judgment result corresponding to the access request, wherein the application program interface asset table is constructed in advance based on target access attribute data associated with flow data;
and an override analysis module, used for determining override access behavior data corresponding to the access request based on the permission judgment result and the access behavior log data.
9. An electronic device, the electronic device comprising:
At least one processor; and
A memory communicatively coupled to the at least one processor; wherein,
The memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the method of override detection of an access request of any one of claims 1-7.
10. A computer readable storage medium storing computer instructions for causing a processor to perform the method of override detection of an access request according to any one of claims 1-7.
CN202410075822.XA 2024-01-18 2024-01-18 Unauthorized access detection method, device, equipment and storage medium for access request Pending CN117978471A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410075822.XA CN117978471A (en) 2024-01-18 2024-01-18 Unauthorized access detection method, device, equipment and storage medium for access request

Publications (1)

Publication Number Publication Date
CN117978471A (en) 2024-05-03

Family

ID=90860951

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410075822.XA Pending CN117978471A (en) 2024-01-18 2024-01-18 Unauthorized access detection method, device, equipment and storage medium for access request

Country Status (1)

Country Link
CN (1) CN117978471A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8539228B1 (en) * 2006-08-24 2013-09-17 Osr Open Systems Resources, Inc. Managing access to a resource
CN107026825A (en) * 2016-02-02 2017-08-08 中国移动通信集团陕西有限公司 A kind of method and system for accessing big data system
CN115314483A (en) * 2022-08-03 2022-11-08 奇安信网神信息技术(北京)股份有限公司 API asset determining method and abnormal calling early warning method
CN116846644A (en) * 2023-07-06 2023-10-03 中国电信股份有限公司技术创新中心 Unauthorized access detection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination