
CN120144415A - An intelligent early warning system based on integrated framework interface service management - Google Patents


Info

Publication number: CN120144415A
Application number: CN202510209003.4A
Authority: CN (China)
Prior art keywords: interface, call, security, unit, information
Legal status: Pending (the status shown by Google is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张军, 刘耀增, 刘骏杰, 王智源
Current assignee: Shanghai Atoz Information Technology Ltd
Original assignee: Shanghai Atoz Information Technology Ltd
Priority: CN202510209003.4A, application filed by Shanghai Atoz Information Technology Ltd

Classifications

    • G06F11/327 Alarm or error message display (G Physics > G06 Computing or calculating; counting > G06F Electric digital data processing > G06F11/00 Error detection; error correction; monitoring > G06F11/30 Monitoring > G06F11/32 Monitoring with visual or acoustical indication of the functioning of the machine > G06F11/324 Display of status information)
    • G06F11/3006 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems (G06F11/30 Monitoring > G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored)
    • G06F11/3034 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a storage system, e.g. DASD based or network based (G06F11/30 Monitoring > G06F11/3003)
    • G06F11/3072 Monitoring arrangements determined by the means or processing involved in reporting the monitored data where the reporting involves data filtering, e.g. pattern matching, time or event triggered, adaptive or policy-based reporting (G06F11/30 Monitoring > G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data)
    • G06F11/3476 Data logging (G06F11/30 Monitoring > G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; recording or statistical evaluation of user activity, e.g. usability assessment > G06F11/3466 Performance evaluation by tracing or monitoring)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an intelligent early warning system based on integrated framework interface service management, and belongs to the technical field of interface monitoring. The system comprises an interface registration unit, an interface address generation unit, an ID retrieval unit and an authorization code configuration, wherein the interface registration unit imports a third party interface document and creates an API (application program interface) having four states: editing, registering, publishing and offline. The open sharing unit verifies and controls the calling authority based on a dynamic authorization code by calling the ID authentication interface address, and performs security level division. The monitoring alarm unit adopts a security detection model and carries out anti-shake current limiting (debounce-style rate limiting) and blocking vulnerability judgment by analyzing calling frequency, source and parameters. The interface management unit integrates the calling trend and the alarm log, performs abnormality classification based on a Markov model, and executes offline operations. Intelligent management and efficient early warning of interface services are thereby realized.

Description

Intelligent early warning system based on integrated framework interface service management
Technical Field
The invention belongs to the technical field of interface monitoring, and particularly relates to an intelligent early warning system based on integrated framework interface service management.
Background
As project sizes expand, data exchange and business collaboration between different systems become challenging. Individual projects employ independent systems and tools, which produces information islands and inefficient development; in particular, because different projects adopt independent systems, data cannot be shared and coordinated smoothly. There is no unified information platform, the ecosystem upstream and downstream of the API is incomplete, and resource utilization is low. Wheels are reinvented repeatedly within the enterprise: because current integration schemes are so varied, every new project must spend a large amount of time and resources adapting to the existing integration modes; the lack of a general integration standard makes data consistency and business consistency between systems hard to maintain; API assets are managed in a disorderly way, and no multi-dimensional ecosystem spanning the whole API life cycle can form; the threshold for application integration developers is high and the delivery cycle is long; and the API and data assets lack monitoring and early warning mechanisms.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides an intelligent early warning system based on integrated framework interface service management.
The aim of the invention is achieved by the following technical scheme:
an intelligent early warning system based on integrated framework interface service management comprises an interface registration unit, an open sharing unit, a monitoring alarm unit and an interface management unit;
the interface registration unit is used for importing a third party interface document address and platform record information in an interface manner, creating an application program interface comprising four states of editing, registering, publishing and offline, generating an interface address and a call ID through interface debugging, and configuring authorization code information to realize state marking and automatic synchronous updating;
The open sharing unit performs interface address authentication through the call ID, realizes interface call authority control based on dynamic authorization code validation period verification, and configures an online security inspection mechanism to perform security level division on the interface in a release state;
The monitoring alarm unit adopts a security detection model comprising a vulnerability feature library and a behavior analysis module, and implements an anti-shake current limiting and blocking vulnerability dual judgment mechanism through time sequence analysis of calling frequency, root cause positioning of calling sources and incidence matrix detection of calling parameters;
The interface management unit integrates the interface calling trend record and the alarm log information through the API list management module, classifies the interface calling trend record and the alarm log information based on an anomaly identification model of the Markov model, and executes interface offline operation according to an analysis result of the security score calculation model;
the system realizes state circulation control, dynamic security policy adaptation and multidimensional abnormal blocking response of the whole life cycle of the interface through cooperation of four units.
Specifically, the interface registration unit carries out interface import on interface information and platform record interface document address provided by an interface party and creates an application program interface, and the state of the application program interface comprises editing, registering, publishing and offline; the newly created application program interface is in an editing state; the interface registration unit has an automatic updating function and automatically and synchronously updates the state and the document of the application program interface by periodically detecting the change of the interface information.
The open sharing unit is used for performing on-line release operation, acquiring authorization code information by calling an interface address corresponding to the registered ID and authenticating the interface address, verifying whether the authorization code is in a life period through a calling authentication interface, calling an interface of an interface side by the monitoring alarm unit if the authorization code is in the life period, and sending failure calling information to a calling side if the authorization code is not in the life period.
Specifically, the interface debugging obtains a debugging return result by acquiring a third-party platform corresponding to an interface father stage and splicing interface parameters, and registers an application program interface through which the debugging return result passes to generate an interface address and a calling ID which meet specifications.
Specifically, the monitoring alarm unit monitors the call information of an interface party in real time and applies anti-shake current limiting (debounce-style rate limiting) to the interface. It then judges whether the interface has a blocking vulnerability: if so, it triggers a monitoring alarm and sends the alarm log information to the interface management unit; if not, it calls the corresponding interface and repeats the blocking-vulnerability judgment on the corresponding interface party's side. If a blocking vulnerability is found there, it triggers the monitoring alarm and sends the alarm log information to the interface management unit; otherwise it applies the interface and sends an interface call trend record to the interface management unit.
The interface management unit comprises an API list management module, an interface abnormality module and an interface offline module, wherein the API list management module is used for receiving an API list registered in the open sharing unit and an interface call trend record sent by the monitoring alarm unit, maintaining and managing the API list management module after acquiring alarm log information sent by the monitoring alarm unit through the interface abnormality module, and recording the service condition, abnormality information and offline state of an interface, the interface abnormality module is used for classifying and sorting the alarm log information through an abnormality identification model, analyzing the reason and frequency of interface abnormality to obtain an analysis result, and generating an interface abnormality report according to the analysis result, and the interface offline module is used for carrying out offline processing on the interface of the interface abnormality report.
The open sharing unit configures corresponding authorization code information according to the received registered application program interface of the system release online interface after the interface is checked and passed, sets corresponding dynamic authorization code effective date, interface expiration time and authorized user, and updates the interface state to the release state.
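The registration and open sharing steps above (four interface states, a call ID, a dynamic authorization code with an effective date, an expiration time and an authorized user, and a "failed call" message when the code is outside its life period) can be exercised in a small model. The following is an added example written for this page, not code from the patent or from the assignee; the transition table, the call ID format (a truncated hash of the interface address) and the interface address are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# The four lifecycle states named in the patent text. The permitted transitions
# are an assumption: the page names the states but not a transition table.
TRANSITIONS = {
    "editing": {"registering"},
    "registering": {"publishing", "editing"},
    "publishing": {"offline"},
    "offline": set(),
}


@dataclass
class AuthorizationCode:
    code: str
    valid_from: datetime       # dynamic authorization code effective date
    expires_at: datetime       # interface expiration time
    authorized_user: str


@dataclass
class ApiInterface:
    call_id: str
    address: str
    state: str = "editing"     # a newly created interface is in the editing state
    auth: Optional[AuthorizationCode] = None


class InterfaceRegistry:
    """Interface registration plus the open sharing unit's call authorization check."""

    def __init__(self) -> None:
        self._by_call_id: Dict[str, ApiInterface] = {}

    def register(self, address: str) -> ApiInterface:
        # Hypothetical call ID format: a truncated SHA-256 of the interface address.
        call_id = hashlib.sha256(address.encode()).hexdigest()[:16]
        iface = ApiInterface(call_id=call_id, address=address)
        self._by_call_id[call_id] = iface
        return iface

    def transition(self, call_id: str, new_state: str) -> ApiInterface:
        iface = self._by_call_id[call_id]
        if new_state not in TRANSITIONS[iface.state]:
            raise ValueError(f"illegal transition {iface.state} -> {new_state}")
        iface.state = new_state
        return iface

    def publish(self, call_id: str, user: str, now: datetime, lifetime: timedelta) -> str:
        """Release an inspected interface: configure a dynamic authorization code,
        its validity window and the authorized user, then mark it as published."""
        iface = self.transition(call_id, "publishing")
        code = secrets.token_urlsafe(24)
        iface.auth = AuthorizationCode(code, now, now + lifetime, user)
        return code

    def check_call(self, call_id: str, presented_code: str, user: str,
                   now: datetime) -> Tuple[bool, str]:
        """Authenticate by call ID and verify the code is inside its life period.
        Every failure returns a reason that becomes the 'failed call' message."""
        iface = self._by_call_id.get(call_id)
        if iface is None:
            return False, "unknown call ID"
        if iface.state != "publishing":
            return False, f"interface not in release state ({iface.state})"
        auth = iface.auth
        if auth is None:
            return False, "no authorization code configured"
        if not hmac.compare_digest(auth.code, presented_code):
            return False, "authorization code mismatch"
        if user != auth.authorized_user:
            return False, "user not authorized for this interface"
        if not auth.valid_from <= now < auth.expires_at:
            return False, "authorization code outside its validity period"
        return True, "ok"


def scenario() -> Dict[str, object]:
    """Walk one constructed interface through the lifecycle and collect the checks."""
    reg = InterfaceRegistry()
    iface = reg.register("https://example.invalid/v1/orders")   # constructed address
    reg.transition(iface.call_id, "registering")
    t0 = datetime(2025, 1, 1, 9, 0)
    code = reg.publish(iface.call_id, "alice", t0, timedelta(hours=1))
    results: Dict[str, object] = {
        "in_period": reg.check_call(iface.call_id, code, "alice", t0 + timedelta(minutes=30)),
        "expired": reg.check_call(iface.call_id, code, "alice", t0 + timedelta(hours=2)),
        "wrong_user": reg.check_call(iface.call_id, code, "bob", t0),
        "wrong_code": reg.check_call(iface.call_id, "not-the-code", "alice", t0),
        "unknown_id": reg.check_call("0000000000000000", code, "alice", t0),
    }
    try:
        reg.transition(iface.call_id, "editing")     # published -> editing is not allowed
        results["illegal_transition_rejected"] = False
    except ValueError:
        results["illegal_transition_rejected"] = True
    reg.transition(iface.call_id, "offline")
    results["after_offline"] = reg.check_call(iface.call_id, code, "alice", t0)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The code comparison uses a constant-time compare, and the state check runs before the code check so that an interface taken offline by the interface management unit is refused even when the caller still holds a code inside its validity window.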
Specifically, the security inspection is performed by calculating a security score for each interface. The security score is determined by an encryption algorithm complexity score and a verification rule score: the encryption algorithm complexity score is quantified from the time complexity of a differential cryptanalysis attack, and the verification rule score is composed of the field integrity check coverage rate and the numeric range limit coverage rate. The security score calculation formula is as follows:
Wherein S_total is the security score, α and β are weight coefficients, T_SHA is the weighted fusion value of the key length, effective entropy, round-number design and nonlinear transformation complexity of the encryption algorithm type used by the interface, R is a security reference value, C_integrity is the field integrity check coverage rate and C_range is the numeric range limit coverage rate;
and carrying out security grading on the interfaces through the security scores, and formulating corresponding security strategies according to the security grades to ensure the security of the interfaces.
Blocking vulnerabilities are judged through a security detection model comprising a vulnerability feature library and a behavior analysis module. The vulnerability feature library stores the feature information of known vulnerabilities; the behavior analysis module monitors the behaviors in the call process in real time and matches them against the feature information in the vulnerability feature library, and if the matching succeeds, a blocking vulnerability is judged to have occurred. The behaviors monitored in real time comprise the interface call frequency, the call sources and the call parameters. While executing the matching, the behavior analysis module detects API call logs in the call-frequency dimension, using time sequence analysis and a sliding window to record and update interface access times; in the call-source dimension it detects network flow data, using a root cause analysis algorithm to rapidly locate the IP addresses causing the rapid increase in access volume; and in the call-parameter dimension it detects the system call sequence, building an association matrix from the API call sequence, extracting time variance characteristics, analyzing the association matrix and the time variance characteristics, and identifying abnormal call modes, so that whether a blocking vulnerability exists is judged.
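The call-frequency and call-source dimensions of the behavior analysis module (a sliding window over interface access times that feeds the rate limiter, and root cause location of the source IP behind a sudden rise in access volume) are shown below as an added example written for this page; it is not the patent's or the assignee's code. The log format, the window size, the call limit and the log lines themselves are constructed for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample API call log (not from the patent):
# "<ISO timestamp> <interface> <source IP>". 203.0.113.9 bursts at 10:01.
SAMPLE_LOG = """
2025-01-01T10:00:05 /v1/orders 10.0.0.5
2025-01-01T10:00:20 /v1/orders 10.0.0.7
2025-01-01T10:00:35 /v1/orders 10.0.0.5
2025-01-01T10:00:50 /v1/orders 10.0.0.7
2025-01-01T10:01:02 /v1/orders 10.0.0.5
2025-01-01T10:01:10 /v1/orders 203.0.113.9
2025-01-01T10:01:11 /v1/orders 203.0.113.9
2025-01-01T10:01:12 /v1/orders 203.0.113.9
2025-01-01T10:01:13 /v1/orders 203.0.113.9
2025-01-01T10:01:14 /v1/orders 203.0.113.9
2025-01-01T10:01:15 /v1/orders 203.0.113.9
2025-01-01T10:01:40 /v1/users 10.0.0.7
"""

Row = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.strip().splitlines():
        ts, iface, ip = line.split()
        rows.append((datetime.fromisoformat(ts), iface, ip))
    return rows


class SlidingWindowLimiter:
    """Per-interface sliding window of access times. A call is refused when
    max_calls accesses already fall inside the last window_seconds."""

    def __init__(self, window_seconds: int, max_calls: int) -> None:
        self.window = timedelta(seconds=window_seconds)
        self.max_calls = max_calls
        self.times: Dict[str, Deque[datetime]] = defaultdict(deque)

    def allow(self, interface: str, ts: datetime) -> bool:
        q = self.times[interface]
        while q and ts - q[0] >= self.window:   # drop accesses that left the window
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(ts)
        return True


def run_limiter(rows: List[Row], window_seconds: int = 10,
                max_calls: int = 3) -> Tuple[List[Row], List[Row]]:
    """Replay the log through the limiter; returns (allowed, denied) rows."""
    limiter = SlidingWindowLimiter(window_seconds, max_calls)
    allowed: List[Row] = []
    denied: List[Row] = []
    for row in rows:
        (allowed if limiter.allow(row[1], row[0]) else denied).append(row)
    return allowed, denied


def locate_spike_source(rows: List[Row], interface: str, baseline_start: datetime,
                        live_start: datetime, live_end: datetime) -> Optional[Tuple[str, int]]:
    """Root cause location: the source IP whose call count grew most between the
    baseline window [baseline_start, live_start) and the live window."""
    base: Counter = Counter()
    live: Counter = Counter()
    for ts, iface, ip in rows:
        if iface != interface:
            continue
        if baseline_start <= ts < live_start:
            base[ip] += 1
        elif live_start <= ts < live_end:
            live[ip] += 1
    if not live:
        return None
    ip = max(live, key=lambda k: live[k] - base[k])
    return ip, live[ip] - base[ip]


def analyse_sample() -> Dict[str, object]:
    rows = parse_log(SAMPLE_LOG)
    allowed, denied = run_limiter(rows)
    culprit = locate_spike_source(rows, "/v1/orders", datetime(2025, 1, 1, 10, 0),
                                  datetime(2025, 1, 1, 10, 1), datetime(2025, 1, 1, 10, 2))
    return {
        "allowed": len(allowed),
        "denied": len(denied),
        "denied_ips": sorted({ip for _, _, ip in denied}),
        "root_cause": culprit,
    }


if __name__ == "__main__":
    print(analyse_sample())
```

With a 10-second window and a limit of three calls, the first three calls of the burst still pass; the limiter only trims the excess, while the root cause step is what names the source to feed into an alarm log entry.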
The anomaly identification model receives alarm log information from the monitoring alarm unit and extracts the time stamp, interface name, request method, request path, response time, error code and flow information from it. After preprocessing the extracted data it performs feature extraction; the features comprise the familiarity characteristic, business behavior similarity, access behavior stability and data load anomaly. From the extracted features it constructs an observation sequence based on a Markov model, sets a state sequence, and determines the corresponding state sequence by decoding the observation sequence. The state transition matrix and the observation probability matrix are optimized with the forward-backward algorithm, and the model parameters are adjusted according to feedback results to optimize feature extraction and state definition.
The construction step of the anomaly identification model comprises the following steps:
step 1, collecting alarm log information from an interface monitoring alarm unit, wherein the alarm log information comprises a time stamp, an interface request address, a request method, a response state code, response time, error information and the like;
Preprocessing, namely cleaning data, removing invalid or repeated records, and filling or deleting missing values. For example, for a missing response time, the average response time for the interface may be filled in. Meanwhile, the data are ordered according to time sequence, so that subsequent time sequence analysis is facilitated.
Step 2, according to the abnormal behavior observation characteristics, extracting the following characteristics:
Familiarity characteristic (F_h): the frequency of interface requests is calculated; high-frequency requests may indicate normal business activity, while low-frequency or bursty requests may be abnormal. The formula is as follows:
Wherein F_h is the average value of the interface request frequency, n is the total number of requests, F_i is the frequency of each request and F_total is the total number of requests. If F_h is higher than the average value, the interface request frequency is normal; if F_h is lower than the average value, the interface request frequency is abnormal.
Business behavior similarity (D_KL(P||Q)): the request type distribution of different interfaces is counted, and high similarity is likely to be normal behavior. The similarity is calculated with the Kullback-Leibler divergence:
Wherein P and Q are the request type distributions of the normal interface and the interface under test respectively;
Access behavior stability (σ): the stability of the time interval between interface accesses is calculated, measured by the standard deviation:
Data load anomaly (Z): the amount of data returned by the interface is monitored for changes such as a sudden increase or decrease in the amount of data:
where X is the current data amount, and μ and σ are the historical mean and standard deviation respectively.
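The four features of step 2, computed on constructed inputs, as an added example written for this page rather than code from the patent. Because the page does not print its formulas, the concrete choices here are assumptions: F_h is taken as the mean request count per window, the KL divergence uses a small additive smoothing so that a request type absent from one distribution does not divide by zero, access stability is the population standard deviation of the gaps between sorted access times, and the data load anomaly is the z-score of the current data amount against the history.

```python
import math
from statistics import mean, pstdev
from typing import Dict, Sequence


def familiarity(request_counts: Sequence[int]) -> float:
    """F_h: average request frequency over the observed windows (assumed reading)."""
    return mean(request_counts)


def distribution(counts: Dict[str, int]) -> Dict[str, float]:
    """Turn request-type counts into a probability distribution P or Q."""
    n = sum(counts.values())
    return {k: v / n for k, v in counts.items()}


def kl_divergence(p: Dict[str, float], q: Dict[str, float], eps: float = 1e-9) -> float:
    """D_KL(P||Q) over the union of request types. eps is an assumed smoothing
    term so a type seen only in one distribution yields a large but finite value."""
    total = 0.0
    for k in set(p) | set(q):
        pk = p.get(k, 0.0) + eps
        qk = q.get(k, 0.0) + eps
        total += pk * math.log(pk / qk)
    return total


def interval_stability(access_times: Sequence[float]) -> float:
    """sigma: population standard deviation of the gaps between consecutive accesses."""
    ts = sorted(access_times)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(intervals) if len(intervals) > 1 else 0.0


def data_load_zscore(current: float, history: Sequence[float]) -> float:
    """Z = (X - mu) / sigma against the historical data amounts; a flat history
    with any deviation is reported as an infinite score of the right sign."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0.0:
        return 0.0 if current == mu else math.copysign(math.inf, current - mu)
    return (current - mu) / sigma


def extract_sample_features() -> Dict[str, float]:
    """Constructed inputs for one interface; returns the observation O."""
    per_window_counts = [12, 11, 13, 12]                     # requests per minute
    normal_types = distribution({"GET": 50, "POST": 50})     # baseline profile
    tested_types = distribution({"GET": 25, "POST": 75})     # interface under test
    access_times = [0.0, 10.0, 30.0, 40.0]                   # seconds
    load_history = [100.0, 100.0, 120.0, 80.0]               # bytes returned
    return {
        "F_h": familiarity(per_window_counts),
        "D_KL": kl_divergence(normal_types, tested_types),
        "sigma": interval_stability(access_times),
        "Z": data_load_zscore(130.0, load_history),
    }


if __name__ == "__main__":
    for name, value in extract_sample_features().items():
        print(f"{name} = {value:.4f}")
```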
Step 3, constructing a double hidden Markov model comprising a lower-layer HMM and an upper-layer HMM. In the lower-layer HMM the observation sequence O = {F_h, D_KL(P||Q), σ, Z} and the state sequence S = {S_1, S_2, S_3, S_4} (corresponding to normal, low-risk abnormality, medium-risk abnormality and high-risk abnormality respectively) are defined; the upper-layer HMM identifies attack behavior over a long time span based on the output sequence of the lower-layer HMM, and the state dependency between the upper-layer and lower-layer HMMs is defined through a conditional probability matrix;
Step 4, model training and parameter optimization: the DHMM model is trained with historical alarm log data, and the parameters are adjusted to minimize the prediction error. The state transition matrix and the observation probability matrix are optimized with the forward-backward algorithm, and the model parameters are updated regularly to adapt to changes in the interface access pattern;
Interface monitoring alarm log information is collected continuously, the feature values {F_h, D_KL(P||Q), σ, Z} are calculated in real time and input into the double hidden Markov model, and the observation sequence is decoded with the Viterbi algorithm to determine the most probable state sequence:
evaluating the risk level according to the state sequence:
If the state is normal (S_1), monitoring continues;
If the state is a low-risk abnormality (S_2), it is recorded and an early warning is issued;
If the state is a medium-risk or high-risk abnormality (S_3, S_4), an alarm is triggered to notify operation and maintenance personnel to handle it.
The model detection results are compared with the actual operation and maintenance situation, and false alarm and missed report cases are collected.
The model parameters are then adjusted according to the feedback results, feature extraction and state definition are optimized, and the accuracy and robustness of the model are improved.
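The decoding and risk-evaluation steps above, as an added example written for this page and not the patent's code: a four-state HMM over a discretized observation symbol, Viterbi decoding in log space, and the mapping from the decoded last state to the page's three responses. The page trains its matrices with the forward-backward algorithm on historical alarm logs; here the transition matrix, emission matrix, initial distribution and the thresholds that turn D_KL and Z into a "quiet / elevated / spiking" symbol are hand-set assumptions, as is the use of a single lower-layer HMM rather than the page's two-layer model.

```python
import math
from typing import Dict, List, Sequence, Tuple

# States as defined on the page: normal, low-, medium- and high-risk abnormality.
STATES = ["S1", "S2", "S3", "S4"]
# Assumed discretization of the observation: 0 = quiet, 1 = elevated, 2 = spiking.
SYMBOLS = {"quiet": 0, "elevated": 1, "spiking": 2}

# Assumed (hand-set) parameters. In the patent these come from training.
PI = [0.70, 0.15, 0.10, 0.05]                 # initial state distribution
A = [                                          # A[i][j]: P(S_j at t+1 | S_i at t)
    [0.80, 0.10, 0.05, 0.05],
    [0.30, 0.50, 0.15, 0.05],
    [0.10, 0.20, 0.50, 0.20],
    [0.05, 0.05, 0.20, 0.70],
]
B = [                                          # B[j][o]: P(symbol o | state S_j)
    [0.80, 0.15, 0.05],
    [0.40, 0.50, 0.10],
    [0.20, 0.50, 0.30],
    [0.05, 0.25, 0.70],
]

ACTIONS = {                                    # responses listed on the page
    "S1": "continue monitoring",
    "S2": "record and early-warn",
    "S3": "trigger alarm",
    "S4": "trigger alarm",
}


def symbolize(d_kl: float, z: float) -> int:
    """Map two of the page's features to an observation symbol (assumed thresholds)."""
    if d_kl > 1.0 or abs(z) > 3.0:
        return SYMBOLS["spiking"]
    if d_kl > 0.3 or abs(z) > 1.5:
        return SYMBOLS["elevated"]
    return SYMBOLS["quiet"]


def _log(x: float) -> float:
    return math.log(x) if x > 0.0 else -math.inf


def viterbi(obs: Sequence[int], pi: Sequence[float] = PI,
            a: Sequence[Sequence[float]] = A,
            b: Sequence[Sequence[float]] = B) -> List[str]:
    """Most probable state sequence for the observation symbols, in log space."""
    n = len(STATES)
    delta = [[_log(pi[j]) + _log(b[j][obs[0]]) for j in range(n)]]
    back: List[List[int]] = []
    for o in obs[1:]:
        prev = delta[-1]
        row: List[float] = []
        ptr: List[int] = []
        for j in range(n):
            best_i = max(range(n), key=lambda i: prev[i] + _log(a[i][j]))
            row.append(prev[best_i] + _log(a[best_i][j]) + _log(b[j][o]))
            ptr.append(best_i)
        delta.append(row)
        back.append(ptr)
    last = max(range(n), key=lambda j: delta[-1][j])
    path = [last]
    for ptr in reversed(back):            # backtrack through the stored pointers
        path.append(ptr[path[-1]])
    path.reverse()
    return [STATES[i] for i in path]


def evaluate(obs: Sequence[int]) -> Tuple[List[str], str]:
    """Decode the sequence and return the response for the current (last) state."""
    path = viterbi(obs)
    return path, ACTIONS[path[-1]]


if __name__ == "__main__":
    # Constructed sequence: two quiet windows followed by three spiking ones.
    print(evaluate([0, 0, 2, 2, 2]))
    print(evaluate([symbolize(0.05, 0.4), symbolize(0.5, 0.0), symbolize(0.0, 4.0)]))
```

The decoded path, not just the last symbol, is what makes this more than a threshold check: the sticky transition probabilities mean one odd window after a long quiet run stays in S1, while a sustained run of spiking windows is pulled into S4 and the alarm fires.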
The beneficial effects of the invention are as follows:
Through full life cycle closed-loop management, the operation and maintenance efficiency of the interface is improved, and a state machine management and automatic synchronous updating mechanism of an interface registration unit is adopted, so that full-process automatic tracking from creation to abandonment of the interface is realized, and the manual maintenance cost is reduced. And by means of debugging parameter splicing and ID generation, the interface access complexity is reduced, and the deployment period is shortened. The automatic state synchronization avoids calling errors caused by inconsistent versions, and improves the usability of the system.
The method comprises the steps of adapting a dynamic security policy, strengthening the protection capability of an interface, constructing a security score calculation model (encryption algorithm complexity+verification rule coverage), verifying the effective period of a dynamic authorization code and classifying the security grades in a multi-dimension mode, quantitatively evaluating the security risk of the interface, changing the dynamic adaptation attack means of the security policy, improving the protection coverage rate, preventing illegal calling caused by the leakage of the authorization code based on a time-sensitive dynamic authorization mechanism, reducing the risk of data leakage, and avoiding the online of an interface which does not reach standards through security inspection and release state binding, thereby reducing the probability of introducing loopholes.
Multidimensional intelligent monitoring, accurate blocking of abnormal behaviors, high-frequency calling identification is achieved through three-dimensional blocking vulnerability detection (calling frequency time sequence analysis, calling source root cause positioning and calling parameter incidence matrix detection), and anti-shake current limiting response speed is improved.
And the abnormal processing self-optimization reduces the downtime risk of the system, and the abnormal recognition classification based on the Markov model and the offline decision driven by the interface calling trend record. And the fault root cause classification accuracy is improved by extracting multiple characteristics of the abnormal log (access stability and abnormal data load). And optimizing model parameters through a forward-backward algorithm, and reducing the abnormal recognition misjudgment rate. The interface abnormality report is linked with the offline module, the high-risk interface is automatically isolated, and the overall stability of the system is improved.
The resource coordination and strategy linkage realize system-level intelligent response, and a four-unit coordination mechanism (state flow control, authority verification, real-time monitoring and management decision) is adopted, so that the interface call trend data and the alarm log are in multi-source fusion, and the operation and maintenance decision response time is shortened. The security policy is dynamically linked with the abnormal blocking mechanism, so that the treatment efficiency of the complex attack scene is improved. And optimizing the utilization rate of system resources (such as automatically offline an invalid interface), and reducing the peak value of hardware load.
Drawings
The present invention is further described below with reference to the accompanying drawings for the convenience of understanding by those skilled in the art.
FIG. 1 is a schematic diagram of an intelligent early warning system based on integrated framework interface service management according to the present invention.
FIG. 2 is a schematic diagram of an intelligent early warning system architecture based on integrated framework interface service management according to the present invention.
Detailed Description
In order to further describe the technical means and effects adopted by the invention for achieving the preset aim, the following detailed description is given below of the specific implementation, structure, characteristics and effects according to the invention with reference to the attached drawings and the preferred embodiment.
Referring to FIGS. 1-2, an intelligent early warning system based on integrated framework interface service management comprises an interface registration unit, an open sharing unit, a monitoring alarm unit and an interface management unit;
the interface registration unit is used for importing a third party interface document address and platform record information in an interface manner, creating an application program interface comprising four states of editing, registering, publishing and offline, generating an interface address and a call ID through interface debugging, and configuring authorization code information to realize state marking and automatic synchronous updating;
The open sharing unit performs interface address authentication through the call ID, realizes interface call authority control based on dynamic authorization code validation period verification, and configures an online security inspection mechanism to perform security level division on the interface in a release state;
The monitoring alarm unit adopts a security detection model comprising a vulnerability feature library and a behavior analysis module, and implements an anti-shake current limiting and blocking vulnerability dual judgment mechanism through time sequence analysis of calling frequency, root cause positioning of calling sources and incidence matrix detection of calling parameters;
The interface management unit integrates the interface calling trend record and the alarm log information through the API list management module, classifies the interface calling trend record and the alarm log information based on an anomaly identification model of the Markov model, and executes interface offline operation according to an analysis result of the security score calculation model;
the system realizes state circulation control, dynamic security policy adaptation and multidimensional abnormal blocking response of the whole life cycle of the interface through cooperation of four units.
In this embodiment, different functional units (called services) of an application program are split based on a Service Oriented Architecture (SOA), and a good interface and a good protocol are defined between the services. The interface is defined in a neutral manner, independent of the hardware platform, operating system, and programming language in which the service is implemented. This allows services built into a wide variety of systems to interact in a uniform and versatile manner. The interface definition of a service should contain the following:
1) Data defining data attributes of interactions between the service and the outside world. The method specifically comprises the following steps:
The data type definition includes basic type and complex type.
Data format refers to how data of various data types are stored in memory, files, or networks. In order to solve the problem that the formats of data stored in memories of different program languages are different, a character is generally used for describing a complex type data format, and a JSON or XML format is used.
Data content is generally divided into two levels of technology and business. The content of the technical layer is data message header information interacted between the service and the outside, and the content of the service layer is data message content information.
2) And defining the interaction mode of the service and the outside, namely the information exchange mode. The method specifically comprises the following steps:
Interface interaction modes include request response (synchronous), request callback (asynchronous), and publish-subscribe.
Interfaces are divided into stateful interfaces and stateless interfaces: a stateful interface keeps state across multiple calls to the same interface of a service, whereas a stateless interface keeps no state between calls.
The interface calling session mechanism refers to calling sequence and rules among a plurality of interfaces, and comprises calling rules among a plurality of interfaces of the same service and calling rules among a plurality of interfaces of a plurality of services.
Interface communication protocol, the protocol adopted by the remote interface comprises HTTP, TCP, SOAP, JMS message middleware and the like.
Other security policies, such as interface calls, log records, etc.
Specifically, the interface registration unit carries out interface import on interface information and platform record interface document address provided by an interface party and creates an application program interface, and the state of the application program interface comprises editing, registering, publishing and offline; the newly created application program interface is in an editing state; the interface registration unit has an automatic updating function and automatically and synchronously updates the state and the document of the application program interface by periodically detecting the change of the interface information.
The open sharing unit is used for performing on-line release operation, acquiring authorization code information by calling an interface address corresponding to the registered ID and authenticating the interface address, verifying whether the authorization code is in a life period through a calling authentication interface, calling an interface of an interface side by the monitoring alarm unit if the authorization code is in the life period, and sending failure calling information to a calling side if the authorization code is not in the life period.
Specifically, the interface debugging obtains a debugging return result by acquiring a third-party platform corresponding to an interface father stage and splicing interface parameters, and registers an application program interface through which the debugging return result passes to generate an interface address and a calling ID which meet specifications.
In this embodiment, the interface integration strategy follows a minimum-change principle, guided by the idea of "control increments, reduce stock", and unified interface control is realized gradually during the iterative construction of the system. All newly added interfaces must be developed as RESTful, stateless interfaces over the HTTP/HTTPS + JSON protocol. Protocols compatible with stock interfaces (e.g., HTTP + SOAP, HTTP + JSON, etc.) involve a certain amount of conversion and adaptation work. The response time of an integrated service interface is required to be less than 30 s, and the integration framework returns a timeout error for any request that takes longer than 30 s. A single service interface request or response message must be non-binary structured data and must not exceed 5Mb; for data transfers larger than 5Mb, shared memory transmission is recommended.
Specifically, the monitoring alarm unit monitors the call information of the interface party's interface in real time and performs anti-shake rate limiting on the interface. It then judges whether a blocking vulnerability has occurred in the interface: if so, it triggers a monitoring alarm and sends alarm log information to the interface management unit; if not, it calls the corresponding interface and judges again, on the interface party's side, whether a blocking vulnerability has occurred. If one has, it triggers the monitoring alarm and sends alarm log information to the interface management unit; if not, the interface is applied and an interface call trend record is sent to the interface management unit.
The interface management unit comprises an API list management module, an interface exception module and an interface offline module. The API list management module receives the list of APIs registered in the open sharing unit and the interface call trend record sent by the monitoring alarm unit; after obtaining, through the interface exception module, the alarm log information sent by the monitoring alarm unit, it maintains and manages the API list and records each interface's usage, exception information and offline state. The interface exception module classifies and organizes the alarm log information with an anomaly identification model, analyzes the cause and frequency of interface exceptions to obtain an analysis result, and generates an interface exception report from that result. The interface offline module takes offline the interfaces named in the interface exception report.
After an interface has passed review, the open sharing unit configures the corresponding authorization code information for the received registered application program interface through the system's release (go-live) interface, sets the corresponding dynamic authorization code effective date, interface expiration time and authorized users, and updates the interface state to published.
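The call-ID lookup and dynamic-authorization-code check that the open sharing unit performs before a call is forwarded, together with the message admission rules of the integration framework (non-binary structured data, 5 MB limit), as an added example that is not code from the patent or its applicant. Class names, the registry, the sample interface and the authorization code are all constructed for illustration; the failure call information returned to the caller carries the fields the description lists (error/reason, failure time, caller record).

```python
"""Added example: open sharing unit authorization check and message admission rules.
All names and sample values are assumed; nothing here is the patent's own code."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
import hmac
import json

MAX_MESSAGE_BYTES = 5 * 1024 * 1024  # page: single message at most 5Mb (megabytes assumed)
CALL_TIMEOUT_S = 30                  # page: a response slower than 30 s is a timeout error

EDITING, REGISTERED, PUBLISHED, OFFLINE = "editing", "registered", "published", "offline"


@dataclass(frozen=True)
class AuthorizationCode:
    code: str
    effective_from: datetime      # dynamic authorization code effective date
    expires_at: datetime          # interface expiration time
    authorized_users: frozenset   # authorized users


@dataclass
class RegisteredInterface:
    call_id: str
    address: str
    state: str = REGISTERED
    auth: AuthorizationCode | None = None


class OpenSharingUnit:
    """Registry keyed by call ID; only published interfaces with a live code may be called."""

    def __init__(self) -> None:
        self._interfaces: dict[str, RegisteredInterface] = {}

    def register(self, call_id: str, address: str) -> None:
        self._interfaces[call_id] = RegisteredInterface(call_id, address)

    def publish(self, call_id: str, auth: AuthorizationCode) -> None:
        """Release operation: attach the authorization code and move to the published state."""
        iface = self._interfaces[call_id]
        iface.auth = auth
        iface.state = PUBLISHED

    def authorize_call(self, call_id: str, code: str, caller: str, now: datetime) -> dict:
        """Return {"ok": True, "address": ...} or the failure call information sent to the caller."""
        def failure(reason: str) -> dict:
            return {"ok": False, "call_id": call_id, "caller": caller,
                    "reason": reason, "failure_time": now.isoformat()}

        iface = self._interfaces.get(call_id)
        if iface is None:
            return failure("unknown call ID")
        if iface.state != PUBLISHED or iface.auth is None:
            return failure(f"interface not in published state ({iface.state})")
        # constant-time comparison so the check does not leak how many bytes matched
        if not hmac.compare_digest(iface.auth.code.encode(), code.encode()):
            return failure("authorization code mismatch")
        if not (iface.auth.effective_from <= now < iface.auth.expires_at):
            return failure("authorization code outside its validity period")
        if caller not in iface.auth.authorized_users:
            return failure("caller is not an authorized user")
        return {"ok": True, "address": iface.address}


def check_message(body: bytes) -> tuple[bool, str]:
    """Admission rule: non-binary, structured (JSON) data of at most MAX_MESSAGE_BYTES."""
    if len(body) > MAX_MESSAGE_BYTES:
        return False, "message exceeds size limit; use shared-memory transfer"
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return False, "message is not text"
    if "\x00" in text:
        return False, "message contains binary data"
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False, "message is not structured JSON"
    return True, "ok"


def demo() -> dict:
    """Constructed registry with one published interface; returns the decision for four calls."""
    unit = OpenSharingUnit()
    unit.register("call-1001", "https://partner.example/api/v1/orders")
    unit.publish("call-1001", AuthorizationCode(
        code="c0de-EXAMPLE",
        effective_from=datetime(2025, 3, 1, tzinfo=timezone.utc),
        expires_at=datetime(2025, 6, 1, tzinfo=timezone.utc),
        authorized_users=frozenset({"billing-svc"})))
    in_window = datetime(2025, 4, 1, tzinfo=timezone.utc)
    return {
        "ok": unit.authorize_call("call-1001", "c0de-EXAMPLE", "billing-svc", in_window),
        "expired": unit.authorize_call("call-1001", "c0de-EXAMPLE", "billing-svc",
                                       datetime(2025, 7, 1, tzinfo=timezone.utc)),
        "wrong_user": unit.authorize_call("call-1001", "c0de-EXAMPLE", "other-svc", in_window),
        "unknown": unit.authorize_call("call-9999", "c0de-EXAMPLE", "billing-svc", in_window),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The validity check is a half-open interval, so a code is rejected at the exact expiry instant, and the size check runs before any decoding so an oversized body is never parsed.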
Specifically, the security review is performed by calculating a security score for each interface. The security score is determined by an encryption algorithm complexity score and a verification rule score: the encryption algorithm complexity score is quantified from the time complexity of a differential analysis attack, and the verification rule score is composed of the field integrity check coverage and the numeric range limit coverage. The security score calculation formula is as follows:
where S_total is the security score, α and β are weight coefficients, T_SHA is the weighted fusion value of the key length, effective entropy, round-count design and nonlinear-transformation complexity of the encryption algorithm type used by the interface, R is the security reference value, C_integrity is the field integrity check coverage, and C_range is the numeric range limit coverage;
the interfaces are graded by security level according to their security scores, and corresponding security policies are formulated for each security level to ensure the security of the interfaces.
Blocking vulnerabilities are judged through a security detection model comprising a vulnerability feature library and a behavior analysis module. The vulnerability feature library stores the feature information of known vulnerabilities; the behavior analysis module monitors the behavior during the call process in real time and matches it against the feature information in the vulnerability feature library, and if the match succeeds, a blocking vulnerability is judged to have occurred. The monitored behavior comprises the interface call frequency, the call source and the call parameters. During matching, in the call frequency dimension the behavior analysis module inspects the API call logs, using time series analysis and a sliding window to record and update interface access times; in the call source dimension it inspects network traffic data, using a root cause analysis algorithm to quickly locate the IP address causing a surge in access volume; and in the call parameter dimension it inspects the system call sequence, builds an association matrix from the API call sequence, extracts time variance features, analyzes the association matrix and the time variance features, and identifies abnormal call patterns, thereby judging whether a blocking vulnerability exists.
The anomaly identification model receives alarm log information from the monitoring alarm unit and extracts from it the timestamp, interface name, request method, request path, response time, error code and traffic information. After preprocessing the extracted data it performs feature extraction; the features comprise familiarity characteristics, business behavior similarity, access behavior stability and data load anomalies. From the extracted features it constructs an observation sequence based on a Markov model and sets a state sequence; the corresponding state sequence is determined by decoding the observation sequence, the state transition matrix and observation probability matrix are optimized with the forward-backward algorithm, and the model parameters are adjusted according to feedback results to refine the feature extraction and state definitions.
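A two-state hidden Markov model over quantised alarm-log features, with Viterbi decoding of the state sequence and a forward-backward (Baum-Welch) re-estimation of the transition and observation matrices, as an added example that is not the patent's code. The state set, the three observation symbols, the quantisation rule in featurize, the starting parameters and the alarm-log records are all assumed; a deployment would fit them from its own logs.

```python
"""Added example: discrete HMM for the anomaly-identification model.
States, symbols, starting parameters and records are assumed; nothing here is the patent's own code."""
from __future__ import annotations
import math

STATES = ("normal", "abnormal")
SYMBOLS = ("stable", "unstable", "load_anomaly")   # quantised feature symbols (assumed)
STABLE, UNSTABLE, LOAD_ANOMALY = 0, 1, 2

# Assumed starting point for the forward-backward re-estimation
PI0 = [0.9, 0.1]
A0 = [[0.9, 0.1], [0.2, 0.8]]                      # state transition matrix
B0 = [[0.8, 0.15, 0.05], [0.1, 0.4, 0.5]]          # observation probability matrix


def featurize(rec: dict) -> int:
    """Quantise one preprocessed alarm-log record into an observation symbol (assumed rule)."""
    if rec["error_code"] >= 500 or rec["bytes"] > 4_000_000:
        return LOAD_ANOMALY          # data-load anomaly
    if rec["response_ms"] > 2000 or not rec["familiar_caller"]:
        return UNSTABLE              # unstable access / low familiarity
    return STABLE


def viterbi(obs, pi, a, b) -> list:
    """Decode the most likely hidden state sequence (log domain to avoid underflow)."""
    n = len(pi)
    lg = lambda x: math.log(x) if x > 0 else -math.inf
    delta = [[lg(pi[s]) + lg(b[s][obs[0]]) for s in range(n)]]
    back = [[0] * n]
    for t in range(1, len(obs)):
        row, ptr = [], []
        for s in range(n):
            prev = max(range(n), key=lambda p: delta[-1][p] + lg(a[p][s]))
            ptr.append(prev)
            row.append(delta[-1][prev] + lg(a[prev][s]) + lg(b[s][obs[t]]))
        delta.append(row)
        back.append(ptr)
    path = [max(range(n), key=lambda s: delta[-1][s])]
    for t in range(len(obs) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return path[::-1]


def forward_backward(obs, pi, a, b):
    """Scaled forward/backward passes: state posteriors gamma, pair posteriors xi, log-likelihood."""
    n, T = len(pi), len(obs)
    alpha, scale = [], []
    for t in range(T):
        raw = ([pi[s] * b[s][obs[0]] for s in range(n)] if t == 0 else
               [sum(alpha[-1][p] * a[p][s] for p in range(n)) * b[s][obs[t]] for s in range(n)])
        c = sum(raw)
        scale.append(c)
        alpha.append([v / c for v in raw])
    beta = [[1.0] * n for _ in range(T)]
    for t in range(T - 2, -1, -1):
        beta[t] = [sum(a[s][q] * b[q][obs[t + 1]] * beta[t + 1][q] for q in range(n)) / scale[t + 1]
                   for s in range(n)]
    gamma = [[alpha[t][s] * beta[t][s] for s in range(n)] for t in range(T)]
    xi = []
    for t in range(T - 1):
        m = [[alpha[t][s] * a[s][q] * b[q][obs[t + 1]] * beta[t + 1][q] for q in range(n)]
             for s in range(n)]
        z = sum(map(sum, m))
        xi.append([[v / z for v in row] for row in m])
    return gamma, xi, sum(math.log(c) for c in scale)


def reestimate(obs, pi, a, b):
    """One Baum-Welch update of pi, the transition matrix and the observation matrix."""
    gamma, xi, loglik = forward_backward(obs, pi, a, b)
    n, k = len(pi), len(b[0])
    new_pi = gamma[0][:]
    new_a = [[sum(x[s][q] for x in xi) / sum(g[s] for g in gamma[:-1]) for q in range(n)]
             for s in range(n)]
    new_b = [[sum(g[s] for g, o in zip(gamma, obs) if o == sym) / sum(g[s] for g in gamma)
              for sym in range(k)] for s in range(n)]
    return new_pi, new_a, new_b, loglik


# Constructed, already preprocessed alarm-log records for one interface
RECORDS = [
    {"error_code": 200, "response_ms": 120, "bytes": 2_000, "familiar_caller": True},
    {"error_code": 200, "response_ms": 150, "bytes": 1_800, "familiar_caller": True},
    {"error_code": 200, "response_ms": 110, "bytes": 2_100, "familiar_caller": True},
    {"error_code": 503, "response_ms": 3_200, "bytes": 4_500_000, "familiar_caller": True},
    {"error_code": 200, "response_ms": 900, "bytes": 6_000_000, "familiar_caller": True},
    {"error_code": 200, "response_ms": 2_500, "bytes": 1_500, "familiar_caller": False},
    {"error_code": 500, "response_ms": 3_000, "bytes": 2_000, "familiar_caller": False},
    {"error_code": 200, "response_ms": 130, "bytes": 2_000, "familiar_caller": True},
    {"error_code": 200, "response_ms": 125, "bytes": 1_900, "familiar_caller": True},
]
OBS = [featurize(r) for r in RECORDS]


def analyse(obs=OBS, iterations: int = 3) -> dict:
    """Decode under the starting parameters, then run a few re-estimation rounds."""
    pi, a, b = PI0, A0, B0
    history = []
    for _ in range(iterations):
        pi, a, b, ll = reestimate(obs, pi, a, b)
        history.append(ll)
    return {"states": [STATES[s] for s in viterbi(obs, PI0, A0, B0)],
            "loglik_history": history, "pi": pi, "a": a, "b": b}


if __name__ == "__main__":
    print(analyse())
```

Each Baum-Welch round cannot lower the log-likelihood of the observed sequence, which is the check worth keeping in a training job; the analyst feedback the description mentions would enter by adjusting the featurize rule or the state set, not the re-estimation itself.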
In this embodiment, the encryption algorithm complexity score is assigned according to the type and strength of the encryption algorithm adopted by the interface: the more complex and the stronger the algorithm, the higher the score. The verification rule score is assigned according to the integrity check of the interface fields and the coverage of the numeric range limits: the more fields covered and the stricter the limits, the higher the score. The failure call information comprises the interface party's error information, the failure reason, the failure time and the caller's call record; the caller either retries the interface call according to the failure call information or feeds the error information back to the interface management unit.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing. Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The present invention is not limited to the above-described preferred embodiments. Any person skilled in the art will appreciate that the invention can be embodied in the form of a program for carrying out its method, and that the embodiments disclosed above may be altered or modified in minor ways; all such modifications, equivalent variations and alterations of the above embodiments that do not depart from the scope of this disclosure remain within it.

Claims (10)

1. An intelligent early warning system based on integrated framework interface service management, characterized in that it comprises an interface registration unit, an open sharing unit, a monitoring alarm unit and an interface management unit; the interface registration unit is used to import the third-party interface document address together with the platform record information, create an application program interface having the four states editing, registered, published and offline, generate the interface address and call ID through interface debugging, and configure the authorization code information to realize state marking and automatic synchronous updating; the open sharing unit authenticates the interface address through the call ID, implements interface call authority control based on verification of the dynamic authorization code validity period, and configures an online security review mechanism to classify published interfaces by security level; the monitoring alarm unit adopts a security detection model comprising a vulnerability feature library and a behavior analysis module, and implements a dual judgment mechanism of anti-shake rate limiting and blocking-vulnerability detection through time series analysis of the call frequency, root cause location of the call source, and association matrix detection of the call parameters; the interface management unit integrates the interface call trend record and the alarm log information through an API list management module, performs classification processing with an anomaly recognition model based on a Markov model, and executes the interface offline operation according to the analysis result of the security score calculation model.
2. The system according to claim 1, characterized in that the interface registration unit imports the interface information provided by the interface party and the interface document address recorded by the platform to create an application program interface, the states of which include editing, registered, published and offline; a newly created application program interface is in the editing state; the interface address and call ID are obtained by debugging the application program interface, the authorization code information is configured, and the state of the application program interface is marked as registered; the interface registration unit has an automatic update function, which automatically and synchronously updates the state and documents of the application program interface by periodically detecting changes in the interface information.
3. The system according to claim 1, characterized in that the open sharing unit is used to perform the release and go-live operation: it uses the call ID to retrieve the corresponding registered interface address, performs authentication and obtains the authorization code information; it verifies whether the authorization code is within its validity period by calling the authentication interface; if it is, the monitoring alarm unit calls the interface party's interface, and if it is not, failure call information is sent to the caller.
4. The system according to claim 2, characterized in that the interface debugging obtains the third-party platform corresponding to the interface's parent, splices the interface parameters to obtain a debugging return result, and registers the application program interfaces whose debugging return result is a pass, generating a specification-compliant interface address and call ID.
5. The system according to claim 1, characterized in that the monitoring alarm unit monitors the call information of the interface party's interface in real time, performs anti-shake rate limiting on the interface, and judges whether a blocking vulnerability has occurred in the interface; if so, it triggers a monitoring alarm and sends alarm log information to the interface management unit; if not, it calls the corresponding interface and judges again on the interface party's side whether a blocking vulnerability has occurred; if one has occurred on the interface party's side, it triggers a monitoring alarm and sends alarm log information to the interface management unit; if not, the interface is applied and an interface call trend record is sent to the interface management unit.
6. The system according to claim 1, characterized in that the interface management unit comprises an API list management module, an interface exception module and an interface offline module; the API list management module is used to receive the list of APIs registered in the open sharing unit and the interface call trend record sent by the monitoring alarm unit and, after obtaining through the interface exception module the alarm log information sent by the monitoring alarm unit, to maintain and manage the API list, recording the usage, exception information and offline state of each interface; the interface exception module is used to classify and organize the alarm log information with an anomaly recognition model, analyze the cause and frequency of interface exceptions to obtain an analysis result, and generate an interface exception report from the analysis result; the interface offline module is used to take offline the interfaces named in the interface exception report.
7. The system according to claim 3, characterized in that the release and go-live operation is: a security review of the interface is performed through an online audit mechanism; after the review passes, the open sharing unit configures the corresponding authorization code information for the received registered application program interface through the system's release and go-live interface, sets the corresponding dynamic authorization code effective date, interface expiration time and authorized users, and updates the interface state to published.
8. The system according to claim 7, characterized in that the security review is performed by calculating a security score for the interface; the security score is determined by an encryption algorithm complexity score and a verification rule score, the encryption algorithm complexity score is quantified according to the time complexity of a differential analysis attack, the verification rule score consists of two parts, the field integrity check coverage and the numeric range limit coverage, and the security score calculation formula is:
where S_total is the security score, α and β are weight coefficients, T_SHA is the weighted fusion value of the key length, effective entropy, round-count design and nonlinear-transformation complexity of the encryption algorithm type used by the interface, R is the security reference value, C_integrity is the field integrity check coverage, and C_range is the numeric range limit coverage;
the interfaces are divided into security levels according to the security score, and corresponding security policies are formulated according to the security level to ensure the security of the interfaces.
9. The system according to claim 1, characterized in that the judgment of blocking vulnerabilities is performed by a security detection model comprising a vulnerability feature library and a behavior analysis module; the vulnerability feature library stores the feature information of known vulnerabilities, and the behavior analysis module is used to monitor the behavior during the interface call process in real time and match it against the feature information in the vulnerability feature library, a blocking vulnerability being judged to have occurred if the match succeeds; the monitored behavior includes the interface call frequency, the call source and the call parameters; during matching, in the call frequency dimension the behavior analysis module inspects the API call logs and uses time series analysis and a sliding window to record and update the interface access times; in the call source dimension it inspects the network traffic data and uses a root cause analysis algorithm to quickly locate the IP address that causes a surge in access volume; in the call parameter dimension it inspects the system call sequence, constructs an association matrix from the API call sequence, extracts time variance features, analyzes the association matrix and the time variance features, identifies abnormal call patterns, and thus determines whether a blocking vulnerability exists.
10. The system according to claim 6, characterized in that the anomaly recognition model receives alarm log information from the monitoring alarm unit and extracts from it the timestamp, interface name, request method, request path, response time, error code and traffic information; it performs feature extraction after preprocessing the extracted data, the features including familiarity characteristics, business behavior similarity, access behavior stability and data load anomalies; it constructs an observation sequence based on a Markov model from the extracted features and sets a state sequence, determines the corresponding state sequence by decoding the observation sequence, uses the forward-backward algorithm to optimize the state transition matrix and the observation probability matrix, adjusts the model parameters according to the feedback results, and refines the feature extraction and state definitions.
CN202510209003.4A 2025-02-25 2025-02-25 An intelligent early warning system based on integrated framework interface service management Pending CN120144415A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510209003.4A CN120144415A (en) 2025-02-25 2025-02-25 An intelligent early warning system based on integrated framework interface service management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202510209003.4A CN120144415A (en) 2025-02-25 2025-02-25 An intelligent early warning system based on integrated framework interface service management

Publications (1)

Publication Number Publication Date
CN120144415A true CN120144415A (en) 2025-06-13

Family

ID=95942747

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510209003.4A Pending CN120144415A (en) 2025-02-25 2025-02-25 An intelligent early warning system based on integrated framework interface service management

Country Status (1)

Country Link
CN (1) CN120144415A (en)

Similar Documents

Publication Publication Date Title
US11558272B2 (en) Methods and systems for predicting time of server failure using server logs and time-series data
CN111712813B (en) Intelligent Preprocessing of Multidimensional Time Series Data
US20140089339A1 (en) Unified communication audit tool
CN118509336A (en) Communication network optimization method, device and equipment considering power consumption
CN113112038B (en) Intelligent monitoring and diagnostic analysis system, device, electronic equipment and storage medium
CN120217158A (en) Asset operation and maintenance decision-making management platform and management method based on data fusion
CN120085885A (en) A method for updating an operating system based on cloud services
CN116800438A (en) A rebound shell detection method and device
CN117539739B (en) User continuous behavior abnormality monitoring method based on dual features
CN118694586A (en) A method, device, equipment and medium for intelligently detecting CDN volume brushing
CN119027038A (en) Business process processing method, device, computer equipment and readable storage medium
CN119938365A (en) Log processing method, device and equipment
CN118747164A (en) A log-based risk management method and system
CN120144415A (en) An intelligent early warning system based on integrated framework interface service management
CN117061560A (en) Audit method, audit device, electronic equipment and readable storage medium
CN107566187B (en) A SLA violation monitoring method, device and system
US11693851B2 (en) Permutation-based clustering of computer-generated data entries
US20250291900A1 (en) Systems and methods for anomaly detection in network devices
CN116149885B (en) Method and system for predicting risk of flood IT service
CN120560946A (en) Distributed database inspection system, method, equipment and medium
US20250138972A1 (en) Systems and methods for aggregating and generating a daily incident profile
US20250138971A1 (en) Systems and methods for aggregating and generating a single incident profile
US20250138970A1 (en) Systems and methods for aggregating and mapping incident characteristics into daily incident profiling
CN120614272A (en) A playback method and device for realizing dual-transmission of traffic based on network layer recording messages
CN120408635A (en) A dynamic and static combined detection method for power system software security vulnerabilities

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination