Disclosure of Invention
In view of the above, the embodiments of the present invention provide a method, an apparatus, an electronic device, and a storage medium for discovering an external network newly added interface, so as to improve the discovery efficiency of the external network newly added interface.
According to an aspect of the present invention, there is provided a method for discovering an external network newly added interface, the method comprising:
Acquiring an access layer log, and storing a data set of the access layer log into a local storage;
Matching each interface information contained in the access layer log based on a preset safety interface data set, and screening URL interface data which does not accord with the safety interface data set, wherein the safety interface data set comprises interface information under safety monitoring;
Filtering each URL interface data based on a preset dynamic filtering rule, and removing abnormal traffic interfaces to obtain candidate URL interface data;
and determining whether the candidate URL interface data exists in the safety interface data set, and if the candidate URL interface data does not exist, recording that the candidate URL interface is an external network newly-added interface.
In a possible embodiment, in a case that the candidate URL interface data is in the secure interface data set, the candidate URL interface data is added to an access frequency record interface data set for storing interface information requiring access frequency monitoring.
In one possible embodiment, the method further comprises sending the candidate URL interface data to a target client in case that the access frequency of the candidate URL interface is higher than a preset threshold value, so that the target client carries out security audit on the candidate URL interface data.
In a possible embodiment, the matching based on the security interface data set includes:
setting a regular matching formula based on each interface information contained in the safety interface data set;
And matching the access layer log based on the regular matching formula to acquire the URL interface information which does not conform to the regular matching formula.
In a possible embodiment, the preset dynamic filtering rule includes static file filtering, short-chain filtering, pure digital path filtering, front end request filtering, and extranet scanning filtering, and the filtering, based on the preset dynamic filtering rule, is performed on each URL interface data, and abnormal traffic interfaces are removed to obtain candidate URL interface data, including:
Filtering each URL interface by using the preset dynamic filtering rule to obtain an abnormal flow interface corresponding to abnormal flow, wherein the abnormal flow interface is a test interface generated in the flow attack process, and the test interface does not belong to an actual back end interface;
And eliminating the abnormal traffic interfaces to obtain candidate URL interface data.
In a possible embodiment, the method further comprises sending the abnormal traffic to a preset instant warning center to immediately warn the abnormal traffic if the abnormal traffic is detected based on the preset dynamic filtering rule.
According to another aspect of the present invention, there is provided an external network newly added interface discovery apparatus, the apparatus including:
The acquisition module is used for acquiring an access layer log and storing a data set of the access layer log into a local storage;
The matching module is used for matching the interface information contained in the access layer log based on a preset safety interface data set and screening URL interface data which does not accord with the safety interface data set, wherein the safety interface data set comprises interface information under safety monitoring;
the filtering module is used for filtering the URL interface data based on a preset dynamic filtering rule, eliminating abnormal traffic interfaces and obtaining candidate URL interface data;
and the determining module is used for determining whether the candidate URL interface data exist in the safety interface data set, and if not, recording that the candidate URL interface is an external network newly-added interface.
In a possible embodiment, the determining module is further configured to, if the candidate URL is in the secure interface data set, add the candidate URL to an access frequency record interface data set, where the access frequency record interface data set is used to store interface information that needs to be monitored for access frequency;
Under the condition that the access frequency of the candidate URL is higher than a preset threshold value, sending the candidate URL interface data to a target client side so that the target client side carries out security audit on the candidate URL interface data;
the matching based on the security interface data set comprises:
setting a regular matching formula based on each interface information contained in the safety interface data set;
Matching the access layer log based on the regular matching formula to acquire URL interface information which does not conform to the regular matching formula;
The preset dynamic filtering rules comprise static file filtering, short-chain filtering, pure digital path filtering, front end request filtering and extranet scanning filtering, and the filtering is performed on each URL interface data based on the preset dynamic filtering rules, abnormal traffic interfaces are removed, and candidate URL interface data are obtained, and the method comprises the following steps:
Filtering each URL interface by using the preset dynamic filtering rule to obtain an abnormal flow interface corresponding to abnormal flow, wherein the abnormal flow interface is a test interface generated in the flow attack process, and the test interface does not belong to an actual back end interface;
removing the abnormal traffic interfaces to obtain candidate URL interface data;
And under the condition that abnormal flow is detected based on the preset dynamic filtering rule, the abnormal flow is sent to a preset instant alarm center so as to carry out instant alarm on the abnormal flow.
According to another aspect of the present invention, there is provided an electronic apparatus including:
a processor; and
a memory in which a program is stored,
wherein the program includes instructions that, when executed by the processor, cause the processor to perform any of the external network newly added interface discovery methods described above.
According to another aspect of the present invention, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute any one of the above-described external network newly added interface discovery methods.
According to the one or more technical schemes provided by the embodiments of the invention, newly added interfaces are screened based on access layer log data. Because the access layer log records the access traffic of the actual application, that is, it contains the interface information actually in use, the number of interfaces to be detected is greatly reduced compared with full interface detection over static code, which improves the discovery efficiency of newly added interfaces to a certain extent. Filtering the interface information twice, using a preset safety interface data set and a dynamic filtering rule, further reduces the amount of data to be processed and further improves the discovery efficiency of newly added interfaces.
Detailed Description
Embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the invention are shown in the drawings, it is to be understood that the invention may be embodied in various forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided for a more thorough and complete understanding of the invention. It should be understood that the drawings and embodiments of the invention are for illustration purposes only and are not intended to limit the scope of the present invention.
It should be understood that the various steps recited in the method embodiments of the present invention may be performed in a different order and/or performed in parallel. Furthermore, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the invention is not limited in this respect.
The term "including" and variations thereof as used herein are intended to be open-ended, i.e., "including, but not limited to". The term "based on" means "based at least in part on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; and the term "some embodiments" means "at least some embodiments". Related definitions of other terms will be given in the description below. It should be noted that the terms "first," "second," and the like herein are merely used for distinguishing between different devices, modules, or units and not for limiting the order or interdependence of the functions performed by such devices, modules, or units.
It should be noted that the modifiers "one" and "a plurality" in this disclosure are intended to be illustrative rather than limiting, and those skilled in the art will appreciate that they should be construed as "one or more" unless the context clearly indicates otherwise.
The names of messages or information interacted between the devices in the embodiments of the present invention are for illustrative purposes only and are not intended to limit the scope of such messages or information.
In order to improve the discovery efficiency of newly added interfaces, the embodiments of the invention provide a method, a device, an electronic device and a storage medium for discovering an external network newly added interface. In a possible embodiment, the newly added interface discovery method provided by the embodiments of the present invention may be applied to a distributed cluster and used for discovering newly added interfaces in the distributed cluster. The scheme of the present invention is described below with reference to the accompanying drawings:
Fig. 1 is a schematic flow chart of a method for discovering a new interface according to an embodiment of the present invention, which may include the following steps:
S101, acquiring an access layer log, and storing a data set of the access layer log into a local storage;
S102, matching all interface information contained in the access layer log based on a preset safety interface data set, and screening URL interface data which does not accord with the safety interface data set, wherein the safety interface data set comprises interface information under safety monitoring;
S103, filtering the URL interface data based on a preset dynamic filtering rule, and eliminating abnormal traffic interfaces to obtain candidate URL interface data;
S104, determining whether the candidate URL interface data exist in the safety interface data set, and if not, recording that the candidate URL interface is an external network newly-added interface.
By applying the embodiment of the invention, newly added interfaces are screened based on access layer log data. Because the access layer log records the access traffic of the actual application, that is, it contains the interface information actually in use, the number of interfaces to be detected is greatly reduced compared with full interface detection over static code, which improves the discovery efficiency of newly added interfaces to a certain extent. Filtering the interface information twice, using the preset safety interface data set and the dynamic filtering rule, further reduces the amount of data to be processed subsequently and further improves the discovery efficiency of newly added interfaces.
The following is an exemplary description of the above S101-S104:
The access layer log records the traffic information of each access to the cluster. The traffic information may include visitor information, information about the accessed target interface, the access time, the response result, and the like; the visitor information may be the IP address of the visitor, and the information about the target interface may include the name, IP address, and the like of the target interface. In a possible embodiment, the access traffic may be divided into different groups according to the time period in which the access time falls. When the requests are processed, illustratively, a task scheduler may divide the requests to be processed according to time period and send the requests of the same time period to a coroutine pool, where the coroutine pool includes multiple coroutines, so that the coroutines concurrently process the multiple requests of the same time period. The time period may be divided according to the actual application scenario, for example, every 15 minutes, every 5 minutes, or the like. Processing the requests in parallel improves the log output efficiency of the access layer, and in turn the efficiency of subsequent newly added interface discovery.
In a possible embodiment, while the coroutines concurrently process the requests, a coroutine may check the target interface contained in a request against the preset security interface data set and determine the target interfaces that do not belong to the security interface data set. The security interface data set includes interface data in a security monitoring state inside the enterprise, where the security monitoring state may include monitoring the traffic data of the interface, monitoring the access frequency of the interface, and so on. The security interface data set may include multiple types of interfaces, such as Java interfaces, PHP interfaces, Go interfaces, and the like.
As a possible implementation manner, interface rules may be generated based on the format of each interface included in the secure interface data set. Illustratively, a corresponding regular matching formula may be generated based on the format of each interface; specifically, the regular matching formula may be set based on the name of each interface in the secure interface data set, the method keyword used by each interface, or the like. While the requests are processed concurrently by the coroutines, after the target interface information contained in a request is extracted, the coroutine may match the target interface information against the regular matching formula and remove the successfully matched target interfaces, thereby obtaining the filtered target interfaces. A successful match means that the name of the target interface, or a keyword it contains, is the same as that of an interface in the security interface data set. Removing the successfully matched target interfaces removes from the access traffic the interfaces that are in the security monitoring data set, so that interfaces already in the security monitoring state are deleted from the interface information that requires subsequent processing. This avoids further processing of those interfaces, reduces the amount of data to be processed, and improves the discovery efficiency of newly added interfaces.
In one possible embodiment, the regular matching rule may be generated by a dynamic rule generator. The dynamic rule generator may call a preset API, obtain the secure interface data set through the API, and generate the regular matching rule based on the interface data contained in the secure interface data set.
In one possible embodiment, the target interface may be a URL (uniform resource locator) interface. In practical applications, the client obtains or operates on the corresponding resources by sending a request containing the URL to the server. Correspondingly, the URL interface information contained in the request can be extracted and regular matching can be performed on it, so that URL interface data which does not conform to the regular matching formula is obtained.
In one possible embodiment, the access layer log may be obtained through a second preset API, and the access layer log is stored in a local temporary storage pool, where the local temporary storage pool may be a feasible storage medium such as a memory storage, a disk cache, or an object storage. Correspondingly, the URL interface which does not accord with the regular matching rule can be obtained from the local temporary storage pool through the regular matching rule.
In one possible embodiment, after obtaining the URL interface data, the URL interface data may be further filtered based on a preset dynamic rule. The preset dynamic filtering rule is used for filtering invalid interface data in the URL interface data, and the specific content of the invalid interface data can be set according to an actual application scene. As a possible implementation manner, the preset dynamic rule may include static file filtering, short-chain filtering, pure digital path filtering, front-end request filtering, extranet scanning traffic filtering, and the like. The static file filtering rule can filter access flow of the static file directory, the static file directory can be a directory where the file which is not allowed to be accessed externally is located, and because the directory is not allowed to be accessed, the URL interface of the directory is not a newly added interface, and the processing of the redundant interface can be reduced by filtering the interface of the static file directory by using the static file filtering rule.
Short-chain filtering is the detection and processing of short links that occur in a network, which can identify and intercept short links that may contain objectionable content such as malware, phishing websites, false information, and the like. As a possible implementation manner, a short-chain blacklist may be established based on the historical access traffic, where the short-chain blacklist may include the historical abnormal access request, and then URL interface data may be filtered based on the short-chain blacklist, so as to filter URL interface data corresponding to the abnormal access request.
In practical applications, to prevent users from illegally obtaining data by guessing numeric IDs, the numeric parts of access paths are verified, and only numeric IDs that conform to a certain rule can normally access the corresponding pages or resources. Pure digital paths, that is, paths consisting only of digits, may not belong to the paths in the cluster, so such paths can be filtered out.
Front-end request filtering refers to adding request filtering logic in the front-end code, and by way of example, a request interceptor can be integrated in the front-end code, for example, an identity verification link can be added to preprocess the request, so that the influence of irrelevant traffic on the discovery of a newly added interface is reduced.
The external network scanning traffic generally refers to traffic generated by actions such as port scanning, vulnerability detection and the like of a target network to which the cluster belongs, and the external network scanning traffic may include interfaces not belonging to the cluster, so that the external network scanning traffic can be identified and URL interfaces included in the traffic can be removed.
In a possible embodiment, in the case that an abnormal traffic is detected based on the preset dynamic filtering rule, the abnormal traffic may be sent to a preset instant alarm center to instant alarm the abnormal traffic.
The abnormal traffic may be scan attack traffic, traffic whose status code indicates an abnormal state, or the like, for example, traffic whose status code is 302 and whose location is a 404 page. After the abnormal traffic is detected, the corresponding traffic data can be sent to the instant alarm center, and the instant alarm center can send the alarm data corresponding to the abnormal traffic to a preset user in a preset alarm mode. The preset alarm modes and the preset users can be set in advance for different types of abnormal traffic. The alarm modes can include mail, push notification, instant messaging, work order generation and the like, and the alarm data can include the traffic data corresponding to the abnormal traffic, the abnormality type and the like.
Through the technical means, the URL interface is further filtered through the preset dynamic filtering rule, the filtered URL interface data is obtained, the data volume to be processed subsequently is further reduced, and the discovery efficiency of the newly added interface is improved.
In a possible embodiment, after obtaining the filtered candidate URL interface data, the candidate URL interface data may be matched with the interface information contained in the security interface data set one by one, to determine whether the candidate URL interface data exists in the security interface data set, if not, the candidate URL interface data may be determined to be an external network newly added interface, and if the candidate URL interface exists in the security interface data set, the candidate URL may be added to an access frequency record interface data set, where the access frequency record interface data set is used to store interface information that needs to be monitored for access frequency.
In one possible embodiment, if the URL interface data belongs to the secure interface data set, it is indicated that the URL interface data is not a newly added interface, but because the interface is not identified based on the regular matching rule, it is indicated that the traffic for the interface may be difficult to analyze, so that monitoring of the interface may be enhanced, for example, the access frequency of the interface may be recorded, so as to discover the abnormal traffic for the interface in real time.
If the URL interface does not belong to the safety interface data set, the URL interface is an external network newly-added interface, so that the external network newly-added interface can be added into the external network newly-added interface data set, and the interface can be sent to the instant alarm center. The new interface of the external network generally refers to a newly added connection point or channel in a server, network equipment or an application program for realizing communication and data interaction with an external network (such as the internet), and the new interface of the external network is timely alarmed, so that the network security is maintained.
Meanwhile, frequency monitoring can be added for the newly-added interface of the external network, namely, the access frequency of the newly-added interface of the external network is monitored, so that the newly-added interface of the external network is operated and maintained in time.
In a possible embodiment, if the access frequency of the candidate URL is higher than a preset threshold, the candidate URL interface data is sent to a target client, so that the target client carries out security audit on the candidate URL interface data.
As a possible implementation manner, a secure operation platform (SOC) may be built in advance in the enterprise. When it is detected that an interface needs a security audit, the interface data may be sent to the secure operation platform, which performs the security audit on the interface and may analyze the interface so as to perform risk assessment, early warning and the like on the interface.
As shown in fig. 2, fig. 2 is a schematic flow chart of a new interface discovery method according to an embodiment of the present invention, which may include the following steps:
S201, loading a local cookie through pre-configuration.
For example, the Cookie information stored locally may be loaded into the current application environment through a preset and initialization operation, where the Cookie information includes a preset configuration, for example, may include a domain name, a security flag, and the like, so as to improve data communication security.
S202, distributing the requests received in different time periods to the coroutine pool through the timing task device, so as to process the requests received in the same time period through each coroutine contained in the coroutine pool.
S203, each coroutine calls a dynamic rule generator, acquires each interface data contained in the safety interface data set through a preset API, and generates a dynamic rule based on each interface data.
Illustratively, existing interface data in the enterprise, which is already in a security monitoring state, may be obtained from the database through a preset API. For each interface data contained in the secure data set, a regular expression may be created based on the name of the interface, the method of the interface application, and the like.
S204, the dynamic rule generator acquires an access layer log data set through a second preset API, and stores interface data contained in the access layer log data set into a local temporary storage pool.
S205, matching all interfaces contained in the local temporary storage pool by utilizing dynamic rules to acquire URL interface data contained in the access layer data set.
S206, filtering the extracted URL interface data by using a preset dynamic rule.
The preset dynamic rules may include static file filtering, short-chain filtering, pure digital path filtering, front-end request filtering, extranet scanning traffic filtering, and the like. Filtering the URL interface data through the preset dynamic rules identifies the abnormal traffic contained in the URL interface data. The abnormal traffic may include scan attack traffic, traffic whose status code is 302 and whose location is a 404 page, etc.
S207, under the condition that abnormal traffic is detected, the abnormal access traffic is sent to an instant alarm center, so that instant alarm information for the abnormal traffic is sent through the instant alarm center.
S208, determining whether the filtered interface belongs to a safety interface data set, namely determining whether the filtered interface is in a safety monitoring state, if not, recording an external network newly-added code base, namely determining that the interface is an external network newly-added interface, and sending the interface to an instant alarm center. If the filtered interface belongs to the secure interface data set, S209 is performed.
S209, adding automated access frequency recording for the interface; specifically, the access frequency of the interface may be monitored.
S210, judging whether the interface needs to be subjected to security audit or not through a preset rule, if so, sending the interface data to a security operation platform, carrying out security audit on the interface by related personnel, and if not, ending the flow.
The preset rule may be an access frequency rule, that is, if the access frequency of the interface exceeds a preset threshold, it is determined that the interface needs to be securely audited.
By applying the embodiment of the invention, based on the automatic interface comparison and tracking of the access layer log, the unknown interfaces can be automatically identified and stored by comparing the external network access interfaces in the access layer log with the interfaces in the existing known code base in real time, and the newly added or frequently accessed external network interfaces can be dynamically tracked, so that the newly added code base and interfaces of the external network can be rapidly discovered, the abnormal access behaviors of the external network interfaces can be effectively monitored, potential security threats can be timely captured, and the automation and the accuracy of security audit can be remarkably improved.
In addition, the scheme can be deeply integrated with the existing security audit flow of enterprises, and the monitoring and audit of the external network access interface are automated, so that the dependence of manual operation is reduced, and the overall security monitoring efficiency and coverage range are improved.
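The screening flow of S101-S104 and S201-S210 described above, as an added Python example that is not part of the patent text or of any implementation by its authors. The log line format, the inventory entries, the short-link blacklist, the thresholds and the rule that one IP with several distinct 404 paths is scan traffic are all assumptions; the coroutine pool, the preset APIs and front-end request filtering are left out.

```python
import re
from collections import Counter, defaultdict

# Constructed stand-ins for the preset data sets (all values are assumptions).
SAFE_INTERFACES = {"/api/v1/users", "/api/v1/orders/{id}", "/api/v1/login"}
SHORT_LINK_BLACKLIST = {"/s/aZ3kQ"}       # short links seen in historical traffic
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".ico", ".svg")
SCAN_404_THRESHOLD = 3                    # distinct 404 paths per client IP
FREQ_THRESHOLD = 2                        # audit when hits exceed this value

# Constructed access-layer log: ip [time] "request line" status location
SAMPLE_LOG = """\
203.0.113.7 [2024-05-01T10:00:03Z] "GET /api/v1/users HTTP/1.1" 200 -
203.0.113.7 [2024-05-01T10:00:04Z] "GET /api/v1/orders/8841 HTTP/1.1" 200 -
203.0.113.8 [2024-05-01T10:00:05Z] "GET /static/app.js HTTP/1.1" 200 -
203.0.113.8 [2024-05-01T10:00:06Z] "GET /s/aZ3kQ HTTP/1.1" 302 https://example.test/landing
203.0.113.9 [2024-05-01T10:00:07Z] "GET /20240501/77 HTTP/1.1" 404 -
198.51.100.23 [2024-05-01T10:00:08Z] "GET /admin-old HTTP/1.1" 404 -
198.51.100.23 [2024-05-01T10:00:08Z] "GET /backup.zip HTTP/1.1" 404 -
198.51.100.23 [2024-05-01T10:00:09Z] "GET /test-console HTTP/1.1" 404 -
203.0.113.10 [2024-05-01T10:00:10Z] "GET /promo HTTP/1.1" 302 /404
203.0.113.11 [2024-05-01T10:00:11Z] "POST /api/v2/export?fmt=csv HTTP/1.1" 200 -
203.0.113.12 [2024-05-01T10:00:12Z] "GET /API/v1/Users/ HTTP/1.1" 200 -
203.0.113.12 [2024-05-01T10:00:13Z] "GET /API/v1/Users/ HTTP/1.1" 200 -
203.0.113.12 [2024-05-01T10:00:14Z] "GET /API/v1/Users/ HTTP/1.1" 200 -
203.0.113.11 [2024-05-01T10:00:15Z] "POST /api/v2/export HTTP/1.1" 200 -
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<location>\S+)$')


def normalize(path):
    """Canonical form for the final inventory check: one slash, no trailing slash, lowercase."""
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower() or "/"


def build_rules(inventory):
    """Dynamic rule generator: one regex per monitored interface; {name} is one path segment."""
    rules = []
    for entry in inventory:
        parts = ["[^/]+" if re.fullmatch(r"\{\w+\}", seg) else re.escape(seg)
                 for seg in entry.split("/")]
        rules.append(re.compile("/".join(parts)))
    return rules


def parse_log(text):
    """S101: parse the log into records; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def discover(log_text, inventory=SAFE_INTERFACES):
    rules = build_rules(inventory)
    # S102: drop requests whose raw path matches a rule built from the inventory.
    unmatched = [r for r in parse_log(log_text)
                 if not any(p.fullmatch(r["path"]) for p in rules)]
    # S103: dynamic filtering. Assumed scan heuristic: many distinct 404 paths from one IP.
    probes = defaultdict(set)
    for r in unmatched:
        if r["status"] == 404:
            probes[r["ip"]].add(r["path"])
    scanners = {ip for ip, paths in probes.items() if len(paths) >= SCAN_404_THRESHOLD}
    alerts, candidates = [], []
    for r in unmatched:
        path = r["path"]
        if r["ip"] in scanners:
            alerts.append(("scan", r["ip"], path))             # to the alarm center
        elif r["status"] == 302 and r["location"].endswith("/404"):
            alerts.append(("redirect-to-404", r["ip"], path))  # to the alarm center
        elif path.startswith("/static/") or path.lower().endswith(STATIC_EXT):
            continue                                           # static file filtering
        elif path in SHORT_LINK_BLACKLIST:
            continue                                           # short-chain filtering
        elif re.fullmatch(r"(/\d+)+/?", path):
            continue                                           # pure digital path filtering
        else:
            candidates.append(r)
    # S104: check the normalized path against the inventory.
    new, freq = set(), Counter()
    for r in candidates:
        canon = normalize(r["path"])
        if any(p.fullmatch(canon) for p in rules):
            freq[canon] += 1        # monitored, but missed by the first pass: count accesses
        else:
            new.add(r["path"])      # external network newly added interface
    audit = sorted(p for p, n in freq.items() if n > FREQ_THRESHOLD)
    return {"new": sorted(new), "alerts": alerts, "frequency": dict(freq), "audit": audit}


if __name__ == "__main__":
    print(discover(SAMPLE_LOG))
```

Dropping every request from a scanning IP follows the text; a stricter variant would keep requests that returned a non-404 status, so that a previously unknown endpoint reached by a scanner is still recorded.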
Based on the same inventive concept, the embodiment of the present invention further provides an external network newly added interface discovery device, as shown in fig. 3, the device 300 may include:
An obtaining module 301, configured to obtain an access layer log, and store a data set of the access layer log to a local storage;
The matching module 302 is configured to match each interface information included in the access layer log based on a preset security interface data set, and screen out URL interface data that does not conform to the security interface data set, where the security interface data set includes interface information already under security monitoring;
The filtering module 303 is configured to filter each URL interface data based on a preset dynamic filtering rule, and reject an abnormal traffic interface to obtain candidate URL interface data;
and the determining module 304 is configured to determine whether the candidate URL interface data exists in the secure interface data set, and if not, record that the candidate URL interface is an external network newly added interface.
In a possible embodiment, the determining module is further configured to, if the candidate URL is in the secure interface data set, add the candidate URL to an access frequency record interface data set, where the access frequency record interface data set is used to store interface information that needs to be monitored for access frequency;
Under the condition that the access frequency of the candidate URL is higher than a preset threshold value, sending the candidate URL interface data to a target client side so that the target client side carries out security audit on the candidate URL interface data;
the matching based on the security interface data set comprises:
setting a regular matching formula based on each interface information contained in the safety interface data set;
Matching the access layer log based on the regular matching formula to acquire URL interface information which does not conform to the regular matching formula;
The preset dynamic filtering rules comprise static file filtering, short-chain filtering, pure digital path filtering, front end request filtering and extranet scanning filtering, and the filtering is performed on each URL interface data based on the preset dynamic filtering rules, abnormal traffic interfaces are removed, and candidate URL interface data are obtained, and the method comprises the following steps:
Filtering each URL interface by using the preset dynamic filtering rule to obtain an abnormal flow interface corresponding to abnormal flow, wherein the abnormal flow interface is a test interface generated in the flow attack process, and the test interface does not belong to an actual back end interface;
removing the abnormal traffic interfaces to obtain candidate URL interface data;
And under the condition that abnormal flow is detected based on the preset dynamic filtering rule, the abnormal flow is sent to a preset instant alarm center so as to carry out instant alarm on the abnormal flow.
The collection, storage, use, processing, transmission, provision, disclosure and other handling of users' personal information involved in the invention comply with the relevant laws and regulations and do not violate public order and good customs.
The exemplary embodiment of the invention also provides an electronic device comprising at least one processor and a memory communicatively coupled to the at least one processor. The memory stores a computer program executable by the at least one processor for causing the electronic device to perform a method according to an embodiment of the invention when executed by the at least one processor.
The exemplary embodiments of the present invention also provide a non-transitory computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor of a computer, is for causing the computer to perform a method according to an embodiment of the present invention.
The exemplary embodiments of the invention also provide a computer program product comprising a computer program, wherein the computer program, when being executed by a processor of a computer, is for causing the computer to perform a method according to an embodiment of the invention.
Referring to FIG. 4, a block diagram of an electronic device 400, which may be a server or a client of the present invention, will now be described; it is an example of a hardware device that may be applied to aspects of the present invention. Electronic devices are intended to represent various forms of digital electronic computer devices, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing devices, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 400 includes a computing unit 401 that can perform various suitable actions and processes according to a computer program stored in a Read Only Memory (ROM) 402 or a computer program loaded from a storage unit 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data required for the operation of the electronic device 400 may also be stored. The computing unit 401, ROM 402, and RAM 403 are connected to each other by a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
Various components in the electronic device 400 are connected to the I/O interface 405, including an input unit 406, an output unit 407, a storage unit 408, and a communication unit 409. The input unit 406 may be any type of device capable of inputting information to the electronic device 400, and the input unit 406 may receive input numeric or character information and generate key signal inputs related to user settings and/or function controls of the electronic device. The output unit 407 may be any type of device capable of presenting information and may include, but is not limited to, a display, speakers, video/audio output terminals, vibrators, and/or printers. The storage unit 408 may include, but is not limited to, magnetic disks and optical disks. The communication unit 409 allows the electronic device 400 to exchange information/data with other devices via a computer network, such as the Internet, and/or various telecommunications networks, and may include, but is not limited to, modems, network cards, infrared communication devices, wireless communication transceivers and/or chipsets, such as Bluetooth(TM) devices, Wi-Fi devices, WiMAX devices, cellular communication devices, and/or the like.
The computing unit 401 may be a variety of general purpose and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 401 performs the respective methods and processes described above. For example, in some embodiments, any of the external network newly added interface discovery methods described above may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 400 via the ROM 402 and/or the communication unit 409. In some embodiments, the computing unit 401 may be configured to perform any of the external network newly added interface discovery methods described above in any other suitable manner (e.g., by means of firmware).
Program code for carrying out methods of the present invention may be written in any combination of one or more programming languages. The program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of the present invention, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
As used herein, the terms "machine-readable medium" and "computer-readable medium" refer to any computer program product, apparatus, and/or device (e.g., magnetic disks, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user, for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a Local Area Network (LAN), a Wide Area Network (WAN), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.