CN-122020644-A - Interface call risk identification method and device, electronic equipment and storage medium
Abstract
The invention discloses an interface call risk identification method and device, electronic equipment and a storage medium, and relates to the field of financial technology and related technical fields. The method comprises: obtaining an interface call record and a preset service-sensitive interface list; dividing the interface call records into sensitive interface call records and normal interface call records; constructing a sensitive feature vector for each sensitive call interface from the sensitive interface call records and a normal feature vector for each normal call interface from the normal interface call records; calculating a similarity value between each sensitive call interface and each normal call interface from the sensitive and normal feature vectors; and identifying risk interface call behavior from those similarity values. The invention addresses the low accuracy of recognition results in the related art, where interface call risk is identified by fixed thresholds and static rule matching.
Inventors
- ZHAO XIN
Assignees
- Industrial and Commercial Bank of China Limited (中国工商银行股份有限公司)
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2026-01-20
Claims (11)
- 1. An interface call risk identification method, comprising: acquiring an interface call record and a preset service-sensitive interface list; dividing the interface call record based on the service-sensitive interface list to obtain a sensitive interface call record and a normal interface call record; constructing a sensitive feature vector for each sensitive call interface based on the sensitive interface call record, and constructing a normal feature vector for each normal call interface based on the normal interface call record; and calculating a similarity value between the sensitive call interface and the normal call interface based on the sensitive feature vector and the normal feature vector, and identifying risk interface call behavior based on the similarity value between the sensitive call interface and the normal call interface.
- 2. The method of claim 1, wherein obtaining the preset service-sensitive interface list comprises: acquiring the service type corresponding to each service interface; and selecting service-sensitive interfaces based on the service type, and constructing the service-sensitive interface list from the selected service-sensitive interfaces.
- 3. The method of claim 2, wherein dividing the interface call record based on the service-sensitive interface list comprises: extracting the interface identifier of each call interface; matching the interface identifier against the interface identifier of each service-sensitive interface in the service-sensitive interface list to obtain a matching result; and, where the matching result indicates that the interface identifier matches the interface identifier of any service-sensitive interface in the service-sensitive interface list, classifying the successfully matched call interface as a sensitive call interface.
- 4. The method of claim 1, wherein calculating the similarity value between the sensitive call interface and the normal call interface based on the sensitive feature vector and the normal feature vector comprises: calculating, based on the sensitive feature vector and the normal feature vector, the cosine similarity of the successful-call series of the sensitive call interface and the normal call interface to obtain a first similarity value; calculating, based on the sensitive feature vector and the normal feature vector, the cosine similarity of the failed-call series of the sensitive call interface and the normal call interface to obtain a second similarity value; calculating, based on the sensitive feature vector and the normal feature vector, the Euclidean distance between the successful-call series of the sensitive call interface and the normal call interface, and normalizing and weighting that Euclidean distance to obtain a normalized Euclidean distance; and calculating the similarity value between the sensitive call interface and the normal call interface from the first similarity value and its corresponding first weight, the second similarity value and its corresponding second weight, and the normalized Euclidean distance and its corresponding third weight.
- 5. The method of claim 1, further comprising, after obtaining the interface call record: performing time-sequence completion on each interface call record; and constructing a time series from the interface call records after time-sequence completion.
- 6. The method of claim 1, further comprising, after obtaining the interface call record: counting the number of calls of each call interface based on the interface call record; and comparing the number of calls with a preset count threshold, and deleting the interface call record of any call interface whose number of calls is less than or equal to the count threshold.
- 7. The method of claim 1, wherein identifying risk interface call behavior based on the similarity value between the sensitive call interface and the normal call interface comprises: comparing the similarity value between the sensitive call interface and the normal call interface with a preset similarity threshold; and, where the similarity value between the sensitive call interface and the normal call interface is greater than or equal to the preset similarity threshold, determining that high-risk call behavior exists between the sensitive call interface and the normal call interface.
- 8. An interface call risk identification device, comprising: an acquisition unit for acquiring an interface call record and a preset service-sensitive interface list; a dividing unit for dividing the interface call record based on the service-sensitive interface list to obtain a sensitive interface call record and a normal interface call record; a calling unit for constructing a sensitive feature vector for each sensitive call interface based on the sensitive interface call record and a normal feature vector for each normal call interface based on the normal interface call record; and an identification unit for calculating the similarity value between the sensitive call interface and the normal call interface based on the sensitive feature vector and the normal feature vector, and identifying risk interface call behavior based on the similarity value between the sensitive call interface and the normal call interface.
- 9. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a stored computer program, wherein the computer program, when run, controls the device in which the computer-readable storage medium is located to execute the interface call risk identification method according to any one of claims 1 to 7.
- 10. An electronic device comprising one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the interface call risk identification method of any one of claims 1 to 7.
- 11. A computer program product, characterized in that the computer program product comprises a computer program, wherein the computer program, when executed by a processor, implements the interface call risk identification method of any one of claims 1 to 7.
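As an added worked example (not code from the patent or its assignee), the following Python implements the pipeline described in claims 3 to 7 and repeated in the Disclosure of Invention: partitioning call records by a preset sensitive list, time-sequence completion into per-bucket success and failure count series, removal of rarely called interfaces, the three-term weighted similarity of claim 4, and the threshold test of claim 7. The interface paths, the call records, the weights, the thresholds, and the choice to normalize the Euclidean distance by the sum of the two vector norms and use 1 - d as the third term are all assumptions; the patent does not fix any of them.

```python
"""Added worked example (not from the patent): score sensitive/normal interface
pairs by the similarity of their call time series, following claims 3 to 7.
All interface names, records, weights and thresholds below are constructed."""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CallRecord:
    bucket: int          # time bucket index (e.g. minute of the hour); constructed
    interface_id: str    # interface identifier matched against the sensitive list
    success: bool        # whether the call succeeded


# Assumed preset service-sensitive interface list (claim 2); hypothetical paths.
SENSITIVE_INTERFACES = {"/api/transfer", "/api/bind_card"}

# Assumed tunables; the patent does not fix their values.
MIN_CALLS = 3               # claim 6: drop interfaces called this many times or fewer
WEIGHTS = (0.4, 0.3, 0.3)   # claim 4: w1 success cosine, w2 failure cosine, w3 Euclidean term
RISK_THRESHOLD = 0.9        # claim 7: flag pairs at or above this similarity


def partition_records(records):
    """Claim 3: split records by exact match of interface_id against the sensitive list."""
    sensitive, normal = [], []
    for r in records:
        (sensitive if r.interface_id in SENSITIVE_INTERFACES else normal).append(r)
    return sensitive, normal


def build_vectors(records, n_buckets):
    """Claims 5 and 6: per-interface success/failure count series with missing
    buckets filled with zero (time-sequence completion); interfaces with too
    few calls in total are dropped. Returns {interface_id: (success, failure)}."""
    succ = defaultdict(lambda: [0] * n_buckets)
    fail = defaultdict(lambda: [0] * n_buckets)
    for r in records:
        (succ if r.success else fail)[r.interface_id][r.bucket] += 1
    vectors = {}
    for iid in set(succ) | set(fail):
        if sum(succ[iid]) + sum(fail[iid]) <= MIN_CALLS:
            continue
        vectors[iid] = (succ[iid], fail[iid])
    return vectors


def cosine(a, b):
    """Cosine similarity; 0.0 when either vector is all zeros (no direction)."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def euclid_similarity(a, b):
    """Euclidean distance on the success series, normalized to [0, 1] by the
    sum of the two norms (an upper bound on the distance), then inverted to a
    similarity. Assumption: the patent only says the distance is normalized
    and weighted, not how."""
    d = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    scale = math.sqrt(sum(x * x for x in a)) + math.sqrt(sum(y * y for y in b))
    return 1.0 - (d / scale if scale else 0.0)


def similarity(sens_vec, norm_vec, weights=WEIGHTS):
    """Claim 4: weighted sum of success cosine, failure cosine and Euclidean term."""
    (ss, sf), (ns, nf) = sens_vec, norm_vec
    w1, w2, w3 = weights
    return w1 * cosine(ss, ns) + w2 * cosine(sf, nf) + w3 * euclid_similarity(ss, ns)


def identify_risky_pairs(records, n_buckets, threshold=RISK_THRESHOLD):
    """Claims 1 and 7: score every (sensitive, normal) interface pair and
    return those whose similarity reaches the threshold."""
    sens_records, norm_records = partition_records(records)
    sens_vecs = build_vectors(sens_records, n_buckets)
    norm_vecs = build_vectors(norm_records, n_buckets)
    flagged = {}
    for s_id, s_vec in sens_vecs.items():
        for n_id, n_vec in norm_vecs.items():
            score = similarity(s_vec, n_vec)
            if score >= threshold:
                flagged[(s_id, n_id)] = round(score, 4)
    return flagged


def _expand(interface_id, success_counts, failure_counts):
    """Expand per-bucket counts into individual constructed call records."""
    out = []
    for b, (s, f) in enumerate(zip(success_counts, failure_counts)):
        out += [CallRecord(b, interface_id, True)] * s
        out += [CallRecord(b, interface_id, False)] * f
    return out


# Constructed sample: the balance query tracks the transfer interface bucket
# for bucket; login is flat; the health check is too rare to keep (claim 6).
N_BUCKETS = 6
SAMPLE_RECORDS = (
    _expand("/api/transfer",      [0, 2, 5, 5, 2, 0], [0, 0, 1, 1, 0, 0])
    + _expand("/api/query_balance", [0, 2, 5, 5, 2, 0], [0, 0, 1, 1, 0, 0])
    + _expand("/api/login",       [3, 3, 3, 3, 3, 3], [1, 0, 0, 0, 0, 1])
    + _expand("/api/health",      [1, 0, 0, 1, 0, 0], [0, 0, 0, 0, 0, 0])
)

if __name__ == "__main__":
    for pair, score in identify_risky_pairs(SAMPLE_RECORDS, N_BUCKETS).items():
        print(f"high-risk pair {pair}: similarity={score}")
```

Run as a script, it reports the one pair whose series move in lockstep, ("/api/transfer", "/api/query_balance"), and leaves the flat login traffic unflagged. Both cosine terms are scale-invariant, so they compare the shape of the series; only the Euclidean term reacts to absolute volume, which is why the weight on it decides how much a legitimate traffic spike alone can move the score.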
Description
Technical Field
The invention relates to the field of financial technology and related technical fields, and in particular to an interface call risk identification method and device, electronic equipment and a storage medium.
Background
In fields such as finance and the internet, an API (application programming interface) is an important channel of communication between server and client and between different services or systems, and the security of the API directly affects the stability of the whole system and the security of user data. In recent years, with the vigorous development of the API economy, the frequency and range of API usage have grown continuously, bringing new security challenges with them.
In the related art, interface call risk identification based on fixed thresholds and static rule matching ignores the time distribution characteristics of interface calls. As a result, when handling transient traffic peaks (such as promotions, or user activity surges caused by news hot spots), the system may misjudge a legitimate traffic surge as an attack and generate a large number of false positives. On the other hand, when an attacker's strategy is more sophisticated and imitates the call behavior patterns of normal users, static rules, lacking any deep understanding and learning of behavior patterns, struggle to cover such novel attack patterns, so potential risks go unreported and recognition accuracy is low.
No effective solution to the above problems has been proposed so far.
Disclosure of Invention
The embodiments of the invention provide an interface call risk identification method and device, electronic equipment and a storage medium, which at least solve the technical problem of low accuracy of recognition results in the related art, where interface call risk is identified by fixed thresholds and static rule matching.
According to one aspect of the embodiments of the invention, an interface call risk identification method is provided, comprising: obtaining an interface call record and a preset service-sensitive interface list; dividing the interface call record based on the service-sensitive interface list to obtain a sensitive interface call record and a normal interface call record; constructing a sensitive feature vector for each sensitive call interface based on the sensitive interface call record and a normal feature vector for each normal call interface based on the normal interface call record; calculating a similarity value between the sensitive call interface and the normal call interface based on the sensitive feature vector and the normal feature vector; and identifying risk interface call behavior based on the similarity value between the sensitive call interface and the normal call interface.
Further, obtaining the preset service-sensitive interface list comprises obtaining the service type corresponding to each service interface, selecting service-sensitive interfaces based on the service type, and constructing the service-sensitive interface list from the selected service-sensitive interfaces.
Further, dividing the interface call record based on the service-sensitive interface list comprises extracting the interface identifier of each call interface; matching each interface identifier against the interface identifier of each service-sensitive interface in the service-sensitive interface list to obtain a matching result; and, where the matching result indicates that the interface identifier matches the interface identifier of any service-sensitive interface in the service-sensitive interface list, classifying the successfully matched call interface as a sensitive call interface.
Further, calculating the similarity value between the sensitive call interface and the normal call interface based on the sensitive feature vector and the normal feature vector comprises: calculating, based on the sensitive feature vector and the normal feature vector, the cosine similarity of the successful-call series of the sensitive call interface and the normal call interface to obtain a first similarity value; calculating, based on the sensitive feature vector and the normal feature vector, the cosine similarity of the failed-call series of the sensitive call interface and the normal call interface to obtain a second similarity value; calculating, based on the sensitive feature vector and the normal feature vector, the Euclidean distance between the successful-call series of the sensitive call interface and the normal call interface, and normalizing and weighting that Euclidean distance to obtain a normalized Euclidean distance; and calculating a normal calling interface based on the first similarity value, a first weight value corresponding to the first similarit