A Survey for Cloud Application Programming Interface Security: Threats and Protection
doi: 10.11999/JEIT211185

Author affiliations:
1. School of Information Science and Engineering, Yanshan University, Qinhuangdao 066004, China
2. National Science Library, Chinese Academy of Sciences, Beijing 100190, China
3. Key Laboratory for Computer Virtual Technology and System Integration of Hebei Province, Yanshan University, Qinhuangdao 066004, China
Abstract: In the cloud era, the cloud Application Programming Interface (API) is the best carrier for service delivery, capability replication and data output. However, while opening up services and data, cloud APIs also enlarge the exposure and attack surface of cloud applications. Through data hijacking, traffic analysis and other techniques, attackers can obtain the key resources of a target cloud API, identify the identity and behavior of its users, or even directly paralyze the underlying system. Currently there are many types of attacks against cloud APIs, each with different threats and protection methods, and existing research lacks a systematic summary of cloud API attack and protection methods. This paper conducts a detailed survey of the threats faced by cloud APIs and the methods used to protect them. First, the evolution and classification of cloud APIs are analyzed. The vulnerability of cloud APIs and the importance of cloud API security research are then discussed. Furthermore, a systematic cloud API security research framework is proposed, covering six aspects: identity authentication, cloud API Distributed Denial of Service (DDoS) attack protection, replay attack protection, Man-In-The-Middle (MITM) attack protection, injection attack protection and sensitive data protection. In addition, the necessity of Artificial Intelligence (AI) protection for cloud APIs is discussed. Finally, the future challenges and development trends of cloud API protection are presented.
Table 1 Comparison of cloud API characteristics, classified by application scope

| API category | Deployment | Application scope | Access control | Extensibility | Security |
|---|---|---|---|---|---|
| Private API | VPC network | Inside the service provider | Effective | Average | High |
| Partner API | VPC network / public Internet | Between service providers | Effective | Good | Average |
| Public API | Public Internet | Any user | Insufficient | Good | Low, easily attacked |
Table 3 Comparison of MITM protection schemes

| MITM protection scheme | Attack target type | Attack scenario | Model / method | Protection mechanism |
|---|---|---|---|---|
| Bruschi et al. [33] | ARP cache poisoning | Closed network | S-ARP | Trusted host distributes keys |
| Limmaneewichid et al. [38] | Target IP substitution | Closed network | P-ARP | Hash function hides the IP address |
| Lootah et al. [34] | ARP cache poisoning | Closed network | T-ARP | Centrally issued ticket authentication |
| Trabelsi et al. [35] | ARP request/reply timeout | Closed network | Stateful ARP reply | Adds "waiting" cache entries |
| Ataullah et al. [39] | Attacks on ARP statelessness | Closed network | ES-ARP | Broadcasts ARP requests and replies |
| Ariyapperuma et al. [40] | Compromised data authenticity | Open network | DNSSEC | Hash-based digital signatures |
| Kales et al. [36] | Malicious certificate interference | Open network | Forged-certificate checking | Supplementary central audit log |
| Soghoian et al. [37] | Malicious certificate substitution | Open network | Certificate pinning | Public key from the certificate is pre-embedded in the client |
Table 4 Comparison of the two classes of protection schemes

| Attack category | Traditional cloud API security | AI-driven cloud API security |
|---|---|---|
| Identity authentication | Tokens, keys | Self-learning from historical information |
| Cloud API DDoS attack | Load balancing, rate limiting | Traffic data computation, source verification |
| Replay attack | Anti-replay factors | None yet |
| MITM attack | Transmission medium verification | None yet |
| Injection attack | Parameterized queries, regular-expression validation | None yet |
| Sensitive data protection | Encryption (SSL, TLS) | Sensitive data learning and extraction |
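Table 4 lists "tokens, keys" and "anti-replay factors" as the traditional defences for identity authentication and replay attacks without showing how they combine on a single request. The following is an added illustration, not code from the paper or from any of the surveyed works: a cloud API client signs each call with a shared key (HMAC-SHA256) over the method, path, body hash, a timestamp and a one-time nonce, and the server rejects requests whose timestamp is outside an acceptance window, whose signature does not verify, or whose nonce has already been seen. The header names, the client id and the shared secret are constructed for the example.

```python
"""Anti-replay request verification for a cloud API (added illustration).

Assumptions (not from the paper): a shared API key identifies the client
(the "tokens, keys" row of Table 4) and each request carries three
anti-replay factors: a timestamp, a one-time nonce, and an HMAC-SHA256
signature bound to both, so a captured request cannot simply be resent.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials: client id -> shared secret.
API_KEYS = {"client-42": b"constructed-shared-secret"}

MAX_SKEW_SECONDS = 300                       # timestamp acceptance window
NONCE_TTL_SECONDS = 2 * MAX_SKEW_SECONDS     # how long a seen nonce is remembered


def canonical_string(method, path, body, timestamp, nonce):
    """Deterministic byte string covering everything the signature protects."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(client_id, method, path, body, now=None):
    """Client side: produce the headers carrying the anti-replay factors."""
    timestamp = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    msg = canonical_string(method, path, body, timestamp, nonce)
    mac = hmac.new(API_KEYS[client_id], msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac}


class ReplayGuard:
    """Server side: timestamp window, signature check, then nonce uniqueness."""

    def __init__(self):
        self._seen = {}  # nonce -> expiry time

    def _evict(self, now):
        for nonce in [n for n, exp in self._seen.items() if exp <= now]:
            del self._seen[nonce]

    def verify(self, method, path, body, headers, now=None):
        """Return (ok, reason). The signature is checked before the nonce is
        recorded, so unsigned junk can never fill the nonce cache."""
        now = now if now is not None else time.time()
        self._evict(now)
        key = API_KEYS.get(headers.get("X-Client-Id"))
        if key is None:
            return False, "unknown client"
        try:
            timestamp = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False, "timestamp outside acceptance window"
        nonce = headers.get("X-Nonce", "")
        expected = hmac.new(key, canonical_string(method, path, body, timestamp, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the signature byte by byte.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        if not nonce or nonce in self._seen:
            return False, "nonce reused or missing"
        self._seen[nonce] = now + NONCE_TTL_SECONDS
        return True, "ok"


def demo():
    """Run one legitimate call, then a replay, a tampered body and a stale request."""
    guard = ReplayGuard()
    t0 = 1_700_000_000  # constructed fixed clock for reproducible results
    body = b'{"action":"transfer","amount":100}'
    headers = sign_request("client-42", "POST", "/v1/transfer", body, now=t0)
    first = guard.verify("POST", "/v1/transfer", body, headers, now=t0 + 1)
    replayed = guard.verify("POST", "/v1/transfer", body, headers, now=t0 + 2)
    tampered = guard.verify("POST", "/v1/transfer", body.replace(b"100", b"999"),
                            headers, now=t0 + 3)
    stale_headers = sign_request("client-42", "POST", "/v1/transfer", body, now=t0)
    stale = guard.verify("POST", "/v1/transfer", body, stale_headers, now=t0 + 1000)
    return first, replayed, tampered, stale


if __name__ == "__main__":
    for name, result in zip(("first", "replayed", "tampered", "stale"), demo()):
        print(f"{name}: {result}")
```

The nonce cache is the part that makes the scheme stateful: because the timestamp window bounds how long a nonce must be remembered, the cache stays small, and a deployment with several API gateway instances needs to share it (for example in a shared store) or a replay can succeed against a different instance than the one that saw the original.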
-
References
[1] iResearch Consulting Group. White paper on API economy of China's artificial intelligence[R]. iResearch Consulting Series Research Reports, 2020.
[2] TAN Wei, FAN Yushun, GHONEIM A, et al. From the service-oriented architecture to the Web API economy[J]. IEEE Internet Computing, 2016, 20(4): 64–68. doi: 10.1109/MIC.2016.74
[3] ESPINHA T, ZAIDMAN A, and GROSS H G. Web API growing pains: Loosely coupled yet strongly tied[J]. Journal of Systems and Software, 2015, 100: 27–43. doi: 10.1016/j.jss.2014.10.014
[4] BOUGUETTAYA A, SINGH M, HUHNS M, et al. A service computing manifesto: The next 10 years[J]. Communications of the ACM, 2017, 60(4): 64–72. doi: 10.1145/2983528
[5] HUSSAIN F, HUSSAIN R, NOYE B, et al. Enterprise API security and GDPR compliance: Design and implementation perspective[J]. IT Professional, 2020, 22(5): 81–89. doi: 10.1109/MITP.2020.2973852
[6] ARCURI A, FRASER G, and JUST R. Private API access and functional mocking in automated unit test generation[C]. 2017 IEEE International Conference on Software Testing, Verification and Validation, Tokyo, Japan, 2017: 126–137.
[7] OWASP. OWASP top ten 2017[EB/OL]. https://www.owasp.org/index.php/Top_10-2017_Top_10, 2017.
[8] BOZKURT M, HARMAN M, and HASSOUN Y. Testing Web services: A survey[R]. Technical Reports TR-10-01, 2010.
[9] ESPINHA T, ZAIDMAN A, and GROSS H G. Web API fragility: How robust is your mobile application?[C]. The 2nd ACM International Conference on Mobile Software Engineering and Systems, Florence, Italy, 2015: 12–21.
[10] LIU Qixu, QIU Kaili, WANG Yiwen, et al. Account hijacking threat attack detection for OAuth2.0 authorization API[J]. Journal on Communications, 2019, 40(6): 40–50. doi: 10.11959/j.issn.1000-436x.2019144
[11] DIG D and JOHNSON R. How do APIs evolve? A story of refactoring[J]. Journal of Software Maintenance and Evolution: Research and Practice, 2006, 18(2): 83–107. doi: 10.1002/smr.328
[12] SETIADI D R I M, NAJIB A F, RACHMAWANTO E H, et al. A comparative study MD5 and SHA1 algorithms to encrypt REST API authentication on mobile-based application[C]. 2019 International Conference on Information and Communications Technology, Yogyakarta, Indonesia, 2019: 206–211.
[13] SKLAVOS N and KOUFOPAVLOU O. Implementation of the SHA-2 hash family standard using FPGAs[J]. The Journal of Supercomputing, 2005, 31(3): 227–248. doi: 10.1007/s11227-005-0086-5
[14] GORSKI P L, ACAR Y, IACONO L L, et al. Listen to developers! A participatory design study on security warnings for cryptographic APIs[C]. The 2020 CHI Conference on Human Factors in Computing Systems, Honolulu, USA, 2020: 1–13.
[15] Angular University. JWT: The complete guide to JSON web tokens[EB/OL]. https://blog.angular-university.io/angular-jwt/, 2022.
[16] KARUNANITHI M D and KIRUTHIKA B. Single sign-on and single log out in identity[C]. The International Conference on Nanoscience, Engineering and Technology, Chennai, India, 2011: 607–611.
[17] FUJII H and TSURUOKA Y. SV-2FA: Two-factor user authentication with SMS and voiceprint challenge response[C]. The 8th International Conference for Internet Technology and Secured Transactions, London, UK, 2013: 283–287.
[18] VAN OORSCHOT P C. Computer Security and the Internet: Tools and Jewels[M]. Cham: Springer, 2020: 1–25.
[19] NOKOVIC B, DJOSIC N, and LI W O. API security risk assessment based on dynamic ML models[C]. The 14th International Conference on Innovations in Information Technology, Al Ain, United Arab Emirates, 2020: 247–252.
[20] BERA P, SAHA A, and SETUA S K. Denial of service attack in software defined network[C]. The 5th International Conference on Computer Science and Network Technology, Changchun, China, 2016: 497–501.
[21] DE B. API Management[M]. Berkeley: Apress, 2017: 15–28.
[22] IMPERVA. Bot defense for API security data sheet[EB/OL]. https://resources.distilnetworks.com/data-sheets/bot-defense-for-apis, 2018.
[23] NETACEA. Bot detection and mitigation with machine learning[EB/OL]. https://www.netacea.com/bot-detection, 2018.
[24] HARGUINDEGUY B. Artificial intelligence and machine learning: A new approach to API security[EB/OL]. https://www.pingidentity.com/en/company/blog/posts/2018/artificial-intelligence-machine-learning-a-new-approach-to-api-Security.html, 2018.
[25] ZHU Minghui and MARTÍNEZ S. On the performance analysis of resilient networked control systems under replay attacks[J]. IEEE Transactions on Automatic Control, 2014, 59(3): 804–808. doi: 10.1109/TAC.2013.2279896
[26] GRUSCHKA N and LUTTENBERGER N. Protecting web services from DoS attacks by SOAP message validation[C]. The IFIP TC-11 21st International Information Security Conference, Karlstad, Sweden, 2006: 171–182.
[27] JENSEN M, GRUSCHKA N, and HERKENHÖNER R. A survey of attacks on web services[J]. Computer Science - Research and Development, 2009, 24(4): 185–197. doi: 10.1007/s00450-009-0092-6
[28] DE RYCK P, DESMET L, PIESSENS F, et al. Primer on client-side web security[M]. Cham: Springer, 2014: 105–109.
[29] XIAO Binbin and XU Yuming. Scheme of anti-replay attacks based on two-factor authentication[J]. Computer Engineering, 2017, 43(5): 115–120, 128. doi: 10.3969/j.issn.1000-3428.2017.05.019
[30] WANG Yuhong, XIA Anxiang, LIN Guoqing, et al. Application of anti-replay attack scheme in engineering[J]. Network Security Technology & Application, 2021(4): 8–10. doi: 10.3969/j.issn.1009-6833.2021.04.006
[31] CONTI M, DRAGONI N, and LESYK V. A survey of man in the middle attacks[J]. IEEE Communications Surveys & Tutorials, 2016, 18(3): 2027–2051. doi: 10.1109/COMST.2016.2548426
[32] NAQASH T, UBAID F B, ISHFAQ A, et al. Protecting DNS from cache poisoning attack by using secure proxy[C]. 2012 International Conference on Emerging Technologies, Islamabad, Pakistan, 2012: 1–5.
[33] BRUSCHI D, ORNAGHI A, and ROSTI E. S-ARP: A secure address resolution protocol[C]. The 19th Annual Computer Security Applications Conference, Las Vegas, USA, 2003: 66–74.
[34] LOOTAH W, ENCK W, and MCDANIEL P. TARP: Ticket-based address resolution protocol[J]. Computer Networks, 2007, 51(15): 4322–4337. doi: 10.1016/j.comnet.2007.05.007
[35] TRABELSI Z and EL-HAJJ W. Preventing ARP attacks using a fuzzy-based stateful ARP cache[C]. 2007 IEEE International Conference on Communications, Glasgow, UK, 2007: 1355–1360.
[36] KALES D, OMOLOLA O, and RAMACHER S. Revisiting user privacy for certificate transparency[C]. 2019 IEEE European Symposium on Security and Privacy, Stockholm, Sweden, 2019.
[37] SOGHOIAN C and STAMM S. Certified lies: Detecting and defeating government interception attacks against SSL (short paper)[C]. The 15th International Conference on Financial Cryptography and Data Security, Gros Islet, St. Lucia, 2011: 250–259.
[38] LIMMANEEWICHID P and LILAKIATSAKUN W. P-ARP: A novel enhanced authentication scheme for securing ARP[C]. The 2011 International Conference on Telecommunication Technology and Applications, Singapore, Singapore, 2011: 83–87.
[39] ATAULLAH M and CHAUHAN N. ES-ARP: An efficient and secure address resolution protocol[C]. 2012 IEEE Students' Conference on Electrical, Electronics and Computer Science, Bhopal, India, 2012: 1–5.
[40] ARIYAPPERUMA S and MITCHELL C J. Security vulnerabilities in DNS and DNSSEC[C]. The 2nd International Conference on Availability, Reliability and Security, Vienna, Austria, 2007: 335–342.
[41] KINGTHORIN. OWASP SQL injection[EB/OL]. https://owasp.org/www-community/attacks/SQL_Injection#, 2021.
[42] ZHONG Weilin and REZOS. Code injection software attack[EB/OL]. https://owasp.org/www-community/attacks/Code_Injection, 2021.
[43] RAJARAM A K, BABU B C, and KUMAR R C K. API based security solutions for communication among web services[C]. The 15th International Conference on Advanced Computing, Chennai, India, 2013: 571–575.
[44] YANG Dawei, GAO Yang, HE Wei, et al. Design and achievement of security mechanism of API gateway platform based on microservice architecture[J]. Journal of Physics: Conference Series, 2021, 1738: 012046. doi: 10.1088/1742-6596/1738/1/012046
[45] ATLIDAKIS V, GODEFROID P, and POLISHCHUK M. Checking security properties of cloud service REST APIs[C]. The 13th International Conference on Software Testing, Validation and Verification, Porto, Portugal, 2020: 387–397.
[46] MENG Shanshan, YANG Xiaohui, SONG Yubo, et al. Android's sensitive data leakage detection based on API monitoring[C]. The International Conference on Cyberspace Technology, Beijing, China, 2014: 1–4.
[47] PANETTA K. Gartner top 10 strategic technology for 2020[EB/OL]. https://www.gartner.com, 2020.
[48] GRENT H, AKIMOV A, and ANICHE M. Automatically identifying parameter constraints in complex Web APIs: A case study at Adyen[C]. The IEEE/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice, Madrid, ES, 2021: 71–80.
[49] KROMKOWSKI P, LI Shaoran, ZHAO Wenxi, et al. Evaluating statistical models for network traffic anomaly detection[C]. 2019 Systems and Information Engineering Design Symposium, Charlottesville, USA, 2019: 1–6.
[50] BAYE G, HUSSAIN F, ORACEVIC A, et al. API security in large enterprises: Leveraging machine learning for anomaly detection[C]. 2021 International Symposium on Networks, Computers and Communications, Dubai, United Arab Emirates, 2021: 1–6.
[51] SHI Yi, SAGDUYU Y E, DAVASLIOGLU K, et al. Active deep learning attacks under strict rate limitations for online API calls[C]. 2018 IEEE International Symposium on Technologies for Homeland Security, Woburn, USA, 2018: 1–6.