云應用程序編程接口安全研究綜述：威脅與防護

陳真; 乞文超; 賀鵬飛; 劉林林; 申利民

doi:10.11999/JEIT211185

云應用程序編程接口安全研究綜述：威脅與防護

doi: 10.11999/JEIT211185

陳真^{1, 3, ,},
乞文超¹,
賀鵬飛¹,
劉林林²,
申利民^{1, 3}

1.
燕山大學信息科學與工程學院秦皇島 066004
2.
中國科學院文獻情報中心北京 100190
3.
河北省計算機虛擬技術與系統(tǒng)集成重點實驗室秦皇島 066004

基金項目: 國家自然科學基金(62102348, 61772450)，河北省自然科學基金(F2019203287)，河北省教育廳高等學?？萍加媱?QN2020183)

詳細信息

作者簡介:
陳真：男，副教授，研究方向為服務計算、云計算等

乞文超：女，碩士生，研究方向為云API安全、云API攻擊與防護等

賀鵬飛：男，碩士生，研究方向為云API推薦、數(shù)據(jù)挖掘等

劉林林：男，助理館員，研究方向為云監(jiān)測、科技數(shù)據(jù)挖掘、Web安全等

申利民：男，教授，研究方向為柔性軟件、協(xié)同計算、信息安全等

通訊作者:
陳真　zhenchen@ysu.edu.cn

中圖分類號: TN915.08; TP309
計量
- 文章訪問數(shù): 1257
- HTML全文瀏覽量: 643
- PDF下載量: 216
- 被引次數(shù): 0
出版歷程
- 收稿日期: 2021-10-28
- 修回日期: 2022-04-29
- 網(wǎng)絡出版日期: 2022-05-08
- 刊出日期: 2023-01-17

A Survey for Cloud Application Programming Interface Security: Threats and Protection

CHEN Zhen^{1, 3
, ,},
QI Wenchao¹,
HE Pengfei¹,
LIU Linlin²,
SHEN Limin^{1, 3}

1.
School of Information Science and Engineering, Yanshan University, Qinhuangdao 066004, China
2.
National Science Library, Chinese Academy of Sciences, Beijing 100190, China
3.
Key Laboratory for Computer Virtual Technology and System Integration of Hebei Province, Yanshan University, Qinhuangdao 066004, China

Funds: The National Natural Science Foundation of China (62102348, 61772450), The Natural Science Foundation of Hebei Province (F2019203287), The Science and Technology Research Project of Hebei University (QN2020183)

摘要

摘要: 云時代，云應用程序編程接口(API)是服務交付、能力復制和數(shù)據(jù)輸出的最佳載體。然而，云API在開放服務和數(shù)據(jù)的同時，增加了暴露面和攻擊面，攻擊者通過數(shù)據(jù)劫持和流量分析等技術獲取目標云API的關鍵資源，能夠識別用戶的身份和行為，甚至直接造成背后系統(tǒng)的癱瘓。當前，針對云API的攻擊類型繁多，威脅與防護方法各異，缺乏對現(xiàn)有攻擊和防護方法的系統(tǒng)總結(jié)。該文梳理了云API安全研究中云API面臨的威脅和防護方法，分析了云API的演化歷程和類別劃分；討論了云API的脆弱性以及云API安全研究的重要性；提出了云API安全研究框架，涵蓋身份驗證、云API分布式拒絕服務(DDoS)攻擊防護、重放攻擊防護、中間人(MITM)攻擊防護、注入攻擊防護和敏感數(shù)據(jù)防護6個方面相關研究工作綜述。在此基礎上，探討了增加人工智能(AI)防護的必要性。最后給出了云API防護的未來挑戰(zhàn)和發(fā)展趨勢。
- 云應用程序編程接口 /
- 云API脆弱性 /
- 云API安全 /
- 云API攻擊 /
- 云API防護
Abstract: In the cloud era, cloud Application Programming Interface (API) is the best carrier for service delivery, capability replication and data output. However, cloud API increases the exposure and attack surface of cloud application while opening up services and data. Through data hijacking, traffic analysis and other technologies, attackers can obtain the key resources of the target cloud API, so as to identify the identity and behavior of users, or even directly cause the paralysis of the underlying system. Currently, there are many types of attacks against cloud APIs, and their threats and protection methods are different. However, the existing researches lack a systematic summary for cloud API attack and protection methods. In this paper, a detail survey on the threats and protection methods faced by cloud API is conducted. Firstly, the evolution and the classification of cloud API are analyzed. The vulnerability of cloud API and the importance of cloud API security research are then discussed. Furthermore, a systematical cloud API security research framework is proposed, which covers six aspects: identity authentication, cloud API Distributed Denial of Service (DDoS) attack protection, replay attack protection, Man-In-The-Middle (MITM) attack protection, injection attack protection and sensitive data protection. In addition, the necessity of Artificial Intelligence (AI) protection for cloud API is discussed. Finally, the future challenges and development trends of cloud API protection are presented.
- Cloud Application Programming Interface (API) /
- Cloud API vulnerability /
- Cloud API security /
- Cloud API attack /
- Cloud API protection

HTML全文

圖 1 云API演化歷程

下載: 全尺寸圖片幻燈片

圖 2 云API應用體系結(jié)構

下載: 全尺寸圖片幻燈片

圖 3 云API擴大了攻擊域與攻擊面

下載: 全尺寸圖片幻燈片

圖 4 基于云API的移動應用場景與傳統(tǒng)Web應用場景對比

下載: 全尺寸圖片幻燈片

圖 5 云API安全研究框架

下載: 全尺寸圖片幻燈片

表 1 基于應用范圍分類的云API特點比較

API類別	部署方式	應用范圍	訪問機制	延展性	安全性能
Private API	VPC網(wǎng)絡	服務提供商內(nèi)部	有效	一般	高
Partner API	VPC網(wǎng)絡/公共互聯(lián)網(wǎng)	服務提供商之間	有效	好	一般
Public API	公共互聯(lián)網(wǎng)	任何用戶	不足	好	低、易受攻擊

下載: 導出CSV

表 2 抗重放方案比較

抗重放方案	優(yōu)點	缺點	適用通信單元數(shù)量		適用網(wǎng)絡狀況
抗重放方案	優(yōu)點	缺點	少	多	不擁堵	無要求
隨機數(shù)^[25]	無需嚴格的時鐘同步	內(nèi)存占用大、查詢開銷大	√			√
時間戳^[26]	內(nèi)存占用少	嚴格的時鐘同步		√	√
流水號^[27]	校驗簡單、內(nèi)存占用較少	判斷準確率較低	√		√
一次性口令機制^[28]	即用即更新、驗證維持時間久	需要雙方計數(shù)器同步、時鐘同步		√		√
挑戰(zhàn)-應答機制^[30]	無需嚴格的時鐘同步	信道占用大、驗證維持時間短		√	√

下載: 導出CSV

表 3 MITM防護方案比較

MITM防護方案	攻擊目標類型	攻擊場景	模型/方法	防護機制
Bruschi等人^[33]	ARP緩存中毒	封閉	S-ARP	可信主機分發(fā)密鑰
Limmaneewichid等人^[38]	目標IP替換	封閉	P-ARP	哈希函數(shù)隱藏IP地址
Lootah等人^[34]	ARP緩存中毒	封閉	T-ARP	集中發(fā)行票據(jù)認證
Trabelsi等人^[35]	ARP請求應答超時	封閉	有狀態(tài)ARP應答	添加“等待”條目
Ataullah等人^[39]	ARP無狀態(tài)性攻擊	封閉	ES-ARP	廣播ARP請求和應答
Ariyapperuma等人^[40]	數(shù)據(jù)真實性受損	開放	DNSSEC	哈希函數(shù)加密數(shù)字簽名
Kales等人^[36]	惡意證書干擾	開放	偽造證書檢驗	補充中央審計日志
Soghoian等人^[37]	惡意證書替換	開放	證書鎖定	證書中的公鑰提前內(nèi)置

下載: 導出CSV

表 4 兩類防護方案對比

攻擊類別	傳統(tǒng)云API安全	AI驅(qū)動云API安全
身份驗證	令牌、密鑰	歷史信息自學習
云API DDoS攻擊	負載均衡、速率限制	流量數(shù)據(jù)計算、源驗證
重放攻擊	抗重放因子	暫無
MITM攻擊	傳輸介質(zhì)檢驗	暫無
注入攻擊	參數(shù)化查詢、正則化檢驗	暫無
敏感數(shù)據(jù)保護	加密(SSL, TLS)	敏感數(shù)據(jù)學習、提取

下載: 導出CSV

參考文獻(51)

[1]	艾瑞咨詢有限公司. 2020年中國人工智能API經(jīng)濟白皮書[R]. 艾瑞咨詢系列研究報告, 2020. IResearch Consulting Croup. White paper on API economy of China's artificial intelligence[R]. IResearch Consulting Series Research Reports, 2020.
[2]	TAN Wei, FAN Yushun, GHONEIM A, et al. From the service-oriented architecture to the Web API economy[J]. IEEE Internet Computing, 2016, 20(4): 64–68. doi: 10.1109/MIC.2016.74
[3]	ESPINHA T, ZAIDMAN A, and GROSS H G. Web API growing pains: Loosely coupled yet strongly tied[J]. Journal of Systems and Software, 2015, 100: 27–43. doi: 10.1016/j.jss.2014.10.014
[4]	BOUGUETTAYA A, SINGH M, HUHNS M, et al. A service computing manifesto: The next 10 years[J]. Communications of the ACM, 2017, 60(4): 64–72. doi: 10.1145/2983528
[5]	HUSSAIN F, HUSSAIN R, NOYE B, et al. Enterprise API security and GDPR compliance: Design and implementation perspective[J]. IT Professional, 2020, 22(5): 81–89. doi: 10.1109/MITP.2020.2973852
[6]	ARCURI A, FRASER G, and JUST R. Private API access and functional mocking in automated unit test generation[C]. 2017 IEEE International Conference on Software Testing, Verification and Validation, Tokyo, Japan, 2017: 126–137.
[7]	OWASP. OWASP top ten 2017[EB/OL]. https://www.owasp.org/index.php/Top_10-2017_Top_10, 2017.
[8]	BOZKURT M, HARMAN M, and HASSOUN Y. Testing Web services: A survey[R]. Technical Reports TR-10-01, 2010.
[9]	ESPINHA T, ZAIDMAN A, and GROSS H G. Web API fragility: How robust is your mobile application?[C]. The 2nd ACM International Conference on Mobile Software Engineering and Systems, Florence, Italy, 2015: 12–21.
[10]	劉奇旭, 邱凱麗, 王乙文, 等. 面向OAuth2.0授權服務API的賬號劫持攻擊威脅檢測[J]. 通信學報, 2019, 40(6): 40–50. doi: 10.11959/j.issn.1000-436x.2019144 LIU Qixu, QIU Kaili, WANG Yiwen, et al. Account hijacking threat attack detection for OAuth2.0 authorization API[J]. Journal on Communications, 2019, 40(6): 40–50. doi: 10.11959/j.issn.1000-436x.2019144
[11]	DIG D and JOHNSON R. How do APIs evolve? A story of refactoring[J]. Journal of Software Maintenance and Evolution:Research and Practice, 2006, 18(2): 83–107. doi: 10.1002/smr.328
[12]	SETIADI D R I M, NAJIB A F, RACHMAWANTO E H, et al. A comparative study MD5 and SHA1 algorithms to encrypt REST API authentication on mobile-based application[C]. 2019 International Conference on Information and Communications Technology, Yogyakarta, Indonesia, 2019: 206–211.
[13]	SKLAVOS N and KOUFOPAVLOU O. Implementation of the SHA-2 hash family standard using FPGAs[J]. The Journal of Supercomputing, 2005, 31(3): 227–248. doi: 10.1007/s11227-005-0086-5
[14]	GORSKI P L, ACAR Y, IACONO L L, et al. Listen to developers! A participatory design study on security warnings for cryptographic APIs[C]. The 2020 CHI Conference on Human Factors in Computing Systems, Honolulu, USA, 2020: 1–13.
[15]	Angular University. JWT: The complete guide to JSON web tokens[EB/OL]. https://blog.angular-university.io/angular-jwt/, 2022.
[16]	KARUNANITHI M D and KIRUTHIKA B. Single sign-on and single log out in identity[C]. The International Conference on Nanoscience, Engineering and Technology, Chennai, India, 2011: 607–611.
[17]	FUJII H and TSURUOKA Y. SV-2FA: Two-factor user authentication with SMS and voiceprint challenge response[C]. The 8th International Conference for Internet Technology and Secured Transactions, London, UK, 2013: 283–287.
[18]	VAN OORSCHOT P C. Computer Security and the Internet: Tools and Jewels[M]. Cham: Springer, 2020: 1–25.
[19]	NOKOVIC B, DJOSIC N, and LI W O. API security risk assessment based on dynamic ML models[C]. The 14th International Conference on Innovations in Information Technology, Al Ain, United Arab Emirates, 2020: 247–252.
[20]	BERA P, SAHA A, and SETUA S K. Denial of service attack in software defined network[C]. The 5th International Conference on Computer Science and Network Technology, Changchun, China, 2016: 497–501.
[21]	DE B. API Management[M]. Berkeley: Apress, 2017: 15–28.
[22]	IMPERVA. Bot defense for API security data sheet[EB/OL]. https://resources.distilnetworks.com/data-sheets/bot-defense-for-apis, 2018.
[23]	NETACEA. Bot detection and mitigation with machine learning[EB/OL]. https://www.netacea.com/bot-detection, 2018.
[24]	HARGUINDEGUY B. Artificial intelligence and machine learning: A new approach to API security[EB/OL]. https://www.pingidentity.com/en/company/blog/posts/2018/artificial-intelligence-machine-learning-a-new-approach-to-api-Security.html, 2018.
[25]	ZHU Minghui and MARTíNEZ S. On the performance analysis of resilient networked control systems under replay attacks[J]. IEEE Transactions on Automatic Control, 2014, 59(3): 804–808. doi: 10.1109/TAC.2013.2279896
[26]	GRUSCHKA N and LUTTENBERGER N. Protecting web services from DoS attacks by SOAP message validation[C]. The IFIP TC-11 21st International Information Security Conference, Karlstad, Sweden, 2006: 171–182.
[27]	JENSEN M, GRUSCHKA N, and HERKENH?NER R. A survey of attacks on web services[J]. Computer Science-Research and Development, 2009, 24(4): 185–197. doi: 10.1007/s00450-009-0092-6
[28]	DE RYCK P, DESMET L, PIESSENS F, et al. Primer on client-side web security[M]. Cham: Springer, 2014: 105–109.
[29]	肖斌斌, 徐雨明. 基于雙重驗證的抗重放攻擊方案[J]. 計算機工程, 2017, 43(5): 115–120,128. doi: 10.3969/j.issn.1000-3428.2017.05.019 XIAO Binbin and XU Yuming. Scheme of anti-replay attacks based on two-factor authentication[J]. Computer Engineering, 2017, 43(5): 115–120,128. doi: 10.3969/j.issn.1000-3428.2017.05.019
[30]	王育紅, 夏安祥, 林國慶, 等. 抗重放攻擊方案在工程中的應用[J]. 網(wǎng)絡安全技術與應用, 2021(4): 8–10. doi: 10.3969/j.issn.1009-6833.2021.04.006 WANG Yuhong, XIA Anxiang, LIN Guoqing, et al. Application of anti-replay attack scheme in engineering[J]. Network Security Technology &Application, 2021(4): 8–10. doi: 10.3969/j.issn.1009-6833.2021.04.006
[31]	CONTI M, DRAGONI N, and LESYK V. A survey of man in the middle attacks[J]. IEEE Communications Surveys & Tutorials, 2016, 18(3): 2027–2051. doi: 10.1109/COMST.2016.2548426
[32]	NAQASH T, UBAID F B, ISHFAQ A, et al. Protecting DNS from cache poisoning attack by using secure proxy[C]. 2012 International Conference on Emerging Technologies, Islamabad, Pakistan, 2012: 1–5.
[33]	BRUSCHI D, ORNAGHI A, and ROSTI E. S-ARP: A secure address resolution protocol[C]. The 19th Annual Computer Security Applications Conference, Las Vegas, USA, 2003: 66–74.
[34]	LOOTAH W, ENCK W, and MCDANIEL P. TARP: Ticket-based address resolution protocol[J]. Computer Networks, 2007, 51(15): 4322–4337. doi: 10.1016/j.comnet.2007.05.007
[35]	TRABELSI Z and EL-HAJJ W. Preventing ARP attacks using a fuzzy-based stateful ARP cache[C]. 2007 IEEE International Conference on Communications, Glasgow, UK, 2007: 1355–1360.
[36]	KALES D, OMOLOLA O, and RAMACHER S. Revisiting user privacy for certificate transparency[C]. 2019 IEEE European Symposium on Security and Privacy, Stockholm, Sweden, 2019.
[37]	SOGHOIAN C and STAMM S. Certified lies: Detecting and defeating government interception attacks against SSL (short paper)[C]. The 15th International Conference on Financial Cryptography and Data Security, Gros Islet, St. Lucia, 2011: 250–259.
[38]	LIMMANEEWICHID P and LILAKIATSAKUN W. P-ARP: A novel enhanced authentication scheme for securing ARP[C]. The 2011 International Conference on Telecommunication Technology and Applications, Singapore, Singapore, 2011: 83–87.
[39]	ATAULLAH M and CHAUHAN N. ES-ARP: An efficient and secure address resolution protocol[C]. 2012 IEEE Students' Conference on Electrical, Electronics and Computer Science, Bhopal, India, 2012: 1–5.
[40]	ARIYAPPERUMA S and MITCHELL C J. Security vulnerabilities in DNS and DNSSEC[C]. The 2rd International Conference on Availability, Reliability and Security, Vienna, Austria, 2007: 335–342.
[41]	KINGTHORIN. OWASP SQL injection[EB/OL]. https://owasp.org/www-community/attacks/SQL_Injection#, 2021.
[42]	ZHONG Weilin and REZOS. Code injection software attack[EB/OL]. https://owasp.org/www-community/attacks/Code_Injection, 2021.
[43]	RAJARAM A K, BABU B C, and KUMAR R C K. API based security solutions for communication among web services[C]. The 15th International Conference on Advanced Computing, Chennai, India, 2013: 571–575.
[44]	YANG Dawei, GAO Yang, HE Wei, et al. Design and achievement of security mechanism of API gateway platform based on microservice architecture[J]. Journal of Physics:Conference Series, 2021, 1738: 012046. doi: 10.1088/1742-6596/1738/1/012046
[45]	ATLIDAKIS V, GODEFROID P, and POLISHCHUK M. Checking security properties of cloud service REST APIs[C]. The 13th International Conference on Software Testing, Validation and Verification, Porto, Portugal, 2020: 387–397.
[46]	MENG Shanshan, YANG Xiaohui, SONG Yubo, et al. Android’s sensitive data leakage detection based on API monitoring[C]. The International Conference on Cyberspace Technology, Beijing, China, 2014: 1–4.
[47]	PANETTA K. Gartner top 10 strategic technology for 2020[EB/OL]. https://www.gartner.com, 2020.
[48]	GRENT H, AKIMOV A, and ANICHE M. Automatically identifying parameter constraints in complex Web APIs: A case study at Adyen[C]. The IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice, Madrid, ES, 2021: 71–80.
[49]	KROMKOWSKI P, LI Shaoran, ZHAO Wenxi, et al. Evaluating statistical models for network traffic anomaly detection[C]. 2019 Systems and Information Engineering Design Symposium, Charlottesville, USA, 2019: 1–6.
[50]	BAYE G, HUSSAIN F, ORACEVIC A, et al. API security in large enterprises: Leveraging machine learning for anomaly detection[C]. 2021 International Symposium on Networks, Computers and Communications, Dubai, United Arab Emirates, 2021: 1–6.
[51]	SHI Yi, SAGDUYU Y E, DAVASLIOGLU K, et al. Active deep learning attacks under strict rate limitations for online API calls[C]. 2018 IEEE International Symposium on Technologies for Homeland Security, Woburn, USA, 2018: 1–6.