一级黄色片免费播放|中国黄色视频播放片|日本三级a|可以直接考播黄片影视免费一级毛片

高級搜索

留言板

尊敬的讀者、作者、審稿人, 關于本刊的投稿、審稿、編輯和出版的任何問題, 您可以本頁添加留言。我們將盡快給您答復。謝謝您的支持!

姓名
郵箱
手機號碼
標題
留言內(nèi)容
驗證碼

A Survey for Cloud Application Programming Interface Security: Threats and Protection

CHEN Zhen, QI Wenchao, HE Pengfei, LIU Linlin, SHEN Limin

Citation: CHEN Zhen, QI Wenchao, HE Pengfei, LIU Linlin, SHEN Limin. A Survey for Cloud Application Programming Interface Security: Threats and Protection[J]. Journal of Electronics & Information Technology, 2023, 45(1): 371-382. doi: 10.11999/JEIT211185


doi: 10.11999/JEIT211185
Funds: National Natural Science Foundation of China (62102348, 61772450), Natural Science Foundation of Hebei Province (F2019203287), Science and Technology Research Project of Hebei University (QN2020183)
Details
    Author biographies:

    CHEN Zhen: male, associate professor; research interests include service computing and cloud computing

    QI Wenchao: female, master's student; research interests include cloud API security and cloud API attacks and protection

    HE Pengfei: male, master's student; research interests include cloud API recommendation and data mining

    LIU Linlin: male, assistant librarian; research interests include cloud monitoring, science and technology data mining and Web security

    SHEN Limin: male, professor; research interests include flexible software, collaborative computing and information security

    Corresponding author:

    CHEN Zhen zhenchen@ysu.edu.cn

  • CLC number: TN915.08; TP309

Abstract: In the cloud era, cloud application programming interfaces (APIs) are the best carrier for service delivery, capability replication and data output. However, while cloud APIs open up services and data, they also enlarge the exposure surface and the attack surface: an attacker who obtains the key resources of a target cloud API through techniques such as data hijacking and traffic analysis can identify users' identities and behaviour, and can even directly paralyse the system behind the API. At present there are many types of attacks on cloud APIs, the threats and protection methods vary widely, and a systematic summary of existing attack and protection methods is lacking. This paper reviews the threats faced by cloud APIs and the protection methods studied in cloud API security research; analyses the evolution and categorisation of cloud APIs; discusses the vulnerability of cloud APIs and the importance of cloud API security research; and proposes a cloud API security research framework that covers six areas of related work: identity authentication, protection against cloud API distributed denial of service (DDoS) attacks, replay attack protection, man-in-the-middle (MITM) attack protection, injection attack protection and sensitive data protection. On this basis, the necessity of adding artificial intelligence (AI) based protection is discussed. Finally, future challenges and development trends of cloud API protection are given.
Figure 1  Evolution of cloud APIs

    Figure 2  Cloud API application architecture

    Figure 3  Cloud APIs enlarge the attack domain and attack surface

    Figure 4  Comparison of cloud-API-based mobile application scenarios with traditional Web application scenarios

    Figure 5  Cloud API security research framework

Table 1  Comparison of cloud API characteristics by application scope

| API category | Deployment | Application scope | Access mechanism extensibility | Security |
|---|---|---|---|---|
| Private API | VPC network | Within the service provider | Effective | Average |
| Partner API | VPC network / public Internet | Between service providers | Effective | Average |
| Public API | Public Internet | Any user | Insufficient | Low, vulnerable to attack |

Table 2  Comparison of anti-replay schemes

| Anti-replay scheme | Advantages | Disadvantages |
|---|---|---|
| Random number (nonce) [25] | No strict clock synchronisation needed | Large memory footprint, large lookup overhead |
| Timestamp [26] | Small memory footprint | Requires strict clock synchronisation |
| Sequence number [27] | Simple checking, smaller memory footprint | Lower decision accuracy |
| One-time password mechanism [28] | Refreshed on each use, validity maintained for a long time | Requires counter synchronisation and clock synchronisation on both sides |
| Challenge-response mechanism [30] | No strict clock synchronisation needed | High channel usage, validity maintained only briefly |

The source table has two further columns, "applicable number of communication units" and "applicable network conditions", whose cells are merged across all rows with the values "uncongested" and "no requirement"; the extraction did not preserve which value belongs to which column.
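As an added example of the trade-offs in Table 2 (it is not code from the paper), the check below combines a timestamp window with a bounded nonce cache on the server side of a cloud API: the window caps how long nonces must be remembered (the memory cost of the nonce row) while needing only loose clock agreement rather than the strict synchronisation of the timestamp row. The shared HMAC secret and the request values are constructed for the example.

```python
import hashlib
import hmac
from collections import OrderedDict

# Constructed shared secret for this example; a real service would provision
# per-client keys.
SECRET = b"example-shared-secret"


def sign(body: bytes, ts: int, nonce: str) -> str:
    """HMAC-SHA256 over body, timestamp and nonce, so none can be altered in transit."""
    msg = body + b"|" + str(ts).encode() + b"|" + nonce.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Server-side anti-replay check: timestamp window plus bounded nonce cache.

    The window (Table 2, timestamp row) only needs clocks to agree within
    window_s seconds; the nonce cache (Table 2, nonce row) costs memory, but
    the window lets expired nonces be evicted.
    """

    def __init__(self, window_s: int = 30, max_nonces: int = 10000):
        self.window_s = window_s
        self.max_nonces = max_nonces
        self.seen = OrderedDict()  # nonce -> request timestamp, in arrival order

    def check(self, body: bytes, ts: int, nonce: str, sig: str, now: int) -> str:
        # Verify the signature first so forged timestamps/nonces are never cached.
        if not hmac.compare_digest(sign(body, ts, nonce), sig):
            return "reject: bad signature"
        # Outside the window: stale, or sent from a badly skewed clock.
        if abs(now - ts) > self.window_s:
            return "reject: stale timestamp"
        if nonce in self.seen:
            return "reject: replay"
        # Evict nonces whose timestamp can no longer pass the window check.
        while self.seen and now - next(iter(self.seen.values())) > self.window_s:
            self.seen.popitem(last=False)
        # Fail closed when the cache is full rather than forgetting a live nonce.
        if len(self.seen) >= self.max_nonces:
            return "reject: nonce cache full"
        self.seen[nonce] = ts
        return "accept"
```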

Table 3  Comparison of MITM protection schemes

| MITM protection scheme | Attack target type | Attack scenario | Model/method | Protection mechanism |
|---|---|---|---|---|
| Bruschi et al. [33] | ARP cache poisoning | Closed | S-ARP | Trusted host distributes keys |
| Limmaneewichid et al. [38] | Target IP substitution | Closed | P-ARP | Hash function hides the IP address |
| Lootah et al. [34] | ARP cache poisoning | Closed | T-ARP | Centrally issued ticket authentication |
| Trabelsi et al. [35] | ARP request/reply timeout | Closed | Stateful ARP | Replies add a "waiting" entry |
| Ataullah et al. [39] | Attacks on ARP statelessness | Closed | ES-ARP | Broadcast ARP requests and replies |
| Ariyapperuma et al. [40] | Compromised data authenticity | Open | DNSSEC | Hash function encryption and digital signatures |
| Kales et al. [36] | Malicious certificate interference | Open | Forged-certificate verification | Supplementary central audit log |
| Soghoian et al. [37] | Malicious certificate substitution | Open | Certificate pinning | Certificate public key built in beforehand |

Table 4  Comparison of the two classes of protection schemes

| Attack category | Traditional cloud API security | AI-driven cloud API security |
|---|---|---|
| Identity authentication | Tokens, keys | Self-learning from historical information |
| Cloud API DDoS attack | Load balancing, rate limiting | Traffic data computation, source verification |
| Replay attack | Anti-replay factors | None yet |
| MITM attack | Transmission medium inspection | None yet |
| Injection attack | Parameterised queries, regular-expression checking | None yet |
| Sensitive data protection | Encryption (SSL, TLS) | Sensitive data learning and extraction |
[1] IResearch Consulting Group. White paper on API economy of China's artificial intelligence[R]. IResearch Consulting Series Research Reports, 2020.
    [2] TAN Wei, FAN Yushun, GHONEIM A, et al. From the service-oriented architecture to the Web API economy[J]. IEEE Internet Computing, 2016, 20(4): 64–68. doi: 10.1109/MIC.2016.74
    [3] ESPINHA T, ZAIDMAN A, and GROSS H G. Web API growing pains: Loosely coupled yet strongly tied[J]. Journal of Systems and Software, 2015, 100: 27–43. doi: 10.1016/j.jss.2014.10.014
    [4] BOUGUETTAYA A, SINGH M, HUHNS M, et al. A service computing manifesto: The next 10 years[J]. Communications of the ACM, 2017, 60(4): 64–72. doi: 10.1145/2983528
    [5] HUSSAIN F, HUSSAIN R, NOYE B, et al. Enterprise API security and GDPR compliance: Design and implementation perspective[J]. IT Professional, 2020, 22(5): 81–89. doi: 10.1109/MITP.2020.2973852
    [6] ARCURI A, FRASER G, and JUST R. Private API access and functional mocking in automated unit test generation[C]. 2017 IEEE International Conference on Software Testing, Verification and Validation, Tokyo, Japan, 2017: 126–137.
    [7] OWASP. OWASP top ten 2017[EB/OL]. https://www.owasp.org/index.php/Top_10-2017_Top_10, 2017.
    [8] BOZKURT M, HARMAN M, and HASSOUN Y. Testing Web services: A survey[R]. Technical Reports TR-10-01, 2010.
    [9] ESPINHA T, ZAIDMAN A, and GROSS H G. Web API fragility: How robust is your mobile application?[C]. The 2nd ACM International Conference on Mobile Software Engineering and Systems, Florence, Italy, 2015: 12–21.
    [10] LIU Qixu, QIU Kaili, WANG Yiwen, et al. Account hijacking threat attack detection for OAuth2.0 authorization API[J]. Journal on Communications, 2019, 40(6): 40–50. doi: 10.11959/j.issn.1000-436x.2019144
    [11] DIG D and JOHNSON R. How do APIs evolve? A story of refactoring[J]. Journal of Software Maintenance and Evolution: Research and Practice, 2006, 18(2): 83–107. doi: 10.1002/smr.328
    [12] SETIADI D R I M, NAJIB A F, RACHMAWANTO E H, et al. A comparative study MD5 and SHA1 algorithms to encrypt REST API authentication on mobile-based application[C]. 2019 International Conference on Information and Communications Technology, Yogyakarta, Indonesia, 2019: 206–211.
    [13] SKLAVOS N and KOUFOPAVLOU O. Implementation of the SHA-2 hash family standard using FPGAs[J]. The Journal of Supercomputing, 2005, 31(3): 227–248. doi: 10.1007/s11227-005-0086-5
    [14] GORSKI P L, ACAR Y, IACONO L L, et al. Listen to developers! A participatory design study on security warnings for cryptographic APIs[C]. The 2020 CHI Conference on Human Factors in Computing Systems, Honolulu, USA, 2020: 1–13.
    [15] Angular University. JWT: The complete guide to JSON web tokens[EB/OL]. https://blog.angular-university.io/angular-jwt/, 2022.
    [16] KARUNANITHI M D and KIRUTHIKA B. Single sign-on and single log out in identity[C]. The International Conference on Nanoscience, Engineering and Technology, Chennai, India, 2011: 607–611.
    [17] FUJII H and TSURUOKA Y. SV-2FA: Two-factor user authentication with SMS and voiceprint challenge response[C]. The 8th International Conference for Internet Technology and Secured Transactions, London, UK, 2013: 283–287.
    [18] VAN OORSCHOT P C. Computer Security and the Internet: Tools and Jewels[M]. Cham: Springer, 2020: 1–25.
    [19] NOKOVIC B, DJOSIC N, and LI W O. API security risk assessment based on dynamic ML models[C]. The 14th International Conference on Innovations in Information Technology, Al Ain, United Arab Emirates, 2020: 247–252.
    [20] BERA P, SAHA A, and SETUA S K. Denial of service attack in software defined network[C]. The 5th International Conference on Computer Science and Network Technology, Changchun, China, 2016: 497–501.
    [21] DE B. API Management[M]. Berkeley: Apress, 2017: 15–28.
    [22] IMPERVA. Bot defense for API security data sheet[EB/OL]. https://resources.distilnetworks.com/data-sheets/bot-defense-for-apis, 2018.
    [23] NETACEA. Bot detection and mitigation with machine learning[EB/OL]. https://www.netacea.com/bot-detection, 2018.
    [24] HARGUINDEGUY B. Artificial intelligence and machine learning: A new approach to API security[EB/OL]. https://www.pingidentity.com/en/company/blog/posts/2018/artificial-intelligence-machine-learning-a-new-approach-to-api-Security.html, 2018.
    [25] ZHU Minghui and MARTÍNEZ S. On the performance analysis of resilient networked control systems under replay attacks[J]. IEEE Transactions on Automatic Control, 2014, 59(3): 804–808. doi: 10.1109/TAC.2013.2279896
    [26] GRUSCHKA N and LUTTENBERGER N. Protecting web services from DoS attacks by SOAP message validation[C]. The IFIP TC-11 21st International Information Security Conference, Karlstad, Sweden, 2006: 171–182.
    [27] JENSEN M, GRUSCHKA N, and HERKENHÖNER R. A survey of attacks on web services[J]. Computer Science-Research and Development, 2009, 24(4): 185–197. doi: 10.1007/s00450-009-0092-6
    [28] DE RYCK P, DESMET L, PIESSENS F, et al. Primer on client-side web security[M]. Cham: Springer, 2014: 105–109.
    [29] XIAO Binbin and XU Yuming. Scheme of anti-replay attacks based on two-factor authentication[J]. Computer Engineering, 2017, 43(5): 115–120, 128. doi: 10.3969/j.issn.1000-3428.2017.05.019
    [30] WANG Yuhong, XIA Anxiang, LIN Guoqing, et al. Application of anti-replay attack scheme in engineering[J]. Network Security Technology & Application, 2021(4): 8–10. doi: 10.3969/j.issn.1009-6833.2021.04.006
    [31] CONTI M, DRAGONI N, and LESYK V. A survey of man in the middle attacks[J]. IEEE Communications Surveys & Tutorials, 2016, 18(3): 2027–2051. doi: 10.1109/COMST.2016.2548426
    [32] NAQASH T, UBAID F B, ISHFAQ A, et al. Protecting DNS from cache poisoning attack by using secure proxy[C]. 2012 International Conference on Emerging Technologies, Islamabad, Pakistan, 2012: 1–5.
    [33] BRUSCHI D, ORNAGHI A, and ROSTI E. S-ARP: A secure address resolution protocol[C]. The 19th Annual Computer Security Applications Conference, Las Vegas, USA, 2003: 66–74.
    [34] LOOTAH W, ENCK W, and MCDANIEL P. TARP: Ticket-based address resolution protocol[J]. Computer Networks, 2007, 51(15): 4322–4337. doi: 10.1016/j.comnet.2007.05.007
    [35] TRABELSI Z and EL-HAJJ W. Preventing ARP attacks using a fuzzy-based stateful ARP cache[C]. 2007 IEEE International Conference on Communications, Glasgow, UK, 2007: 1355–1360.
    [36] KALES D, OMOLOLA O, and RAMACHER S. Revisiting user privacy for certificate transparency[C]. 2019 IEEE European Symposium on Security and Privacy, Stockholm, Sweden, 2019.
    [37] SOGHOIAN C and STAMM S. Certified lies: Detecting and defeating government interception attacks against SSL (short paper)[C]. The 15th International Conference on Financial Cryptography and Data Security, Gros Islet, St. Lucia, 2011: 250–259.
    [38] LIMMANEEWICHID P and LILAKIATSAKUN W. P-ARP: A novel enhanced authentication scheme for securing ARP[C]. The 2011 International Conference on Telecommunication Technology and Applications, Singapore, Singapore, 2011: 83–87.
    [39] ATAULLAH M and CHAUHAN N. ES-ARP: An efficient and secure address resolution protocol[C]. 2012 IEEE Students' Conference on Electrical, Electronics and Computer Science, Bhopal, India, 2012: 1–5.
    [40] ARIYAPPERUMA S and MITCHELL C J. Security vulnerabilities in DNS and DNSSEC[C]. The 2nd International Conference on Availability, Reliability and Security, Vienna, Austria, 2007: 335–342.
    [41] KINGTHORIN. OWASP SQL injection[EB/OL]. https://owasp.org/www-community/attacks/SQL_Injection#, 2021.
    [42] ZHONG Weilin and REZOS. Code injection software attack[EB/OL]. https://owasp.org/www-community/attacks/Code_Injection, 2021.
    [43] RAJARAM A K, BABU B C, and KUMAR R C K. API based security solutions for communication among web services[C]. The 15th International Conference on Advanced Computing, Chennai, India, 2013: 571–575.
    [44] YANG Dawei, GAO Yang, HE Wei, et al. Design and achievement of security mechanism of API gateway platform based on microservice architecture[J]. Journal of Physics: Conference Series, 2021, 1738: 012046. doi: 10.1088/1742-6596/1738/1/012046
    [45] ATLIDAKIS V, GODEFROID P, and POLISHCHUK M. Checking security properties of cloud service REST APIs[C]. The 13th International Conference on Software Testing, Validation and Verification, Porto, Portugal, 2020: 387–397.
    [46] MENG Shanshan, YANG Xiaohui, SONG Yubo, et al. Android’s sensitive data leakage detection based on API monitoring[C]. The International Conference on Cyberspace Technology, Beijing, China, 2014: 1–4.
    [47] PANETTA K. Gartner top 10 strategic technology for 2020[EB/OL]. https://www.gartner.com, 2020.
    [48] GRENT H, AKIMOV A, and ANICHE M. Automatically identifying parameter constraints in complex Web APIs: A case study at Adyen[C]. The IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice, Madrid, ES, 2021: 71–80.
    [49] KROMKOWSKI P, LI Shaoran, ZHAO Wenxi, et al. Evaluating statistical models for network traffic anomaly detection[C]. 2019 Systems and Information Engineering Design Symposium, Charlottesville, USA, 2019: 1–6.
    [50] BAYE G, HUSSAIN F, ORACEVIC A, et al. API security in large enterprises: Leveraging machine learning for anomaly detection[C]. 2021 International Symposium on Networks, Computers and Communications, Dubai, United Arab Emirates, 2021: 1–6.
    [51] SHI Yi, SAGDUYU Y E, DAVASLIOGLU K, et al. Active deep learning attacks under strict rate limitations for online API calls[C]. 2018 IEEE International Symposium on Technologies for Homeland Security, Woburn, USA, 2018: 1–6.
Publication history
  • Received: 2021-10-28
  • Revised: 2022-04-29
  • Published online: 2022-05-08
  • Issue date: 2023-01-17
