1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049
3. Unit 75841 of the Chinese People's Liberation Army, Changsha 410005, Hunan
ZHANG Yue (1992—), female, assistant researcher, E-mail: [email protected];
CHEN Qingwang (1999—), male, Ph.D. candidate at the University of Chinese Academy of Sciences, E-mail: [email protected];
LIU Baoxu (1972—), male, researcher, E-mail: [email protected];
YU Cunwei (1992—), male, assistant engineer, E-mail: [email protected];
TAN Ru (1992—), male, engineer, E-mail: [email protected];
ZHANG Fangjiao (1989—), female, senior engineer, E-mail: [email protected]
ZHANG Yue, CHEN Qingwang, LIU Baoxu, et al. Research on API Attack Trapping Technology for Cloud Native[J]. Journal of Xidian University, 2023, 50(4): 237-248. DOI: 10.19665/j.issn1001-2400.2023.04.023.
As the core channel for connecting services and transmitting data, the application programming interface (API) carries enormous value but also hides security risks that cannot be ignored; as one of the most important pieces of information infrastructure on the Internet, it has become a primary target for attackers. To make up for the shortcoming of existing API security schemes, which cannot adequately protect the broad API attack surface, this work focuses on API security in cloud native architectures. Based on the idea of active trapping, a cloud native oriented API attack trapping framework is proposed, which constructs corresponding API decoys and high-interaction trapping environments according to the characteristics of the different cloud service layers. In the container orchestration layer (platform layer), three API decoys are built around weak points of the cloud components Kubernetes and Docker; in the application layer, fifteen API decoys are built by selecting API vulnerabilities that are highly harmful and frequently exploited. At the same time, in view of the high physical resource demand of the application-layer API decoys, a dynamic scheduling algorithm based on current network traffic is proposed to make full use of physical resources while maximizing the capture effect. A prototype system is implemented on the basis of the trapping framework and deployed in a real environment; it finally captured 1270 independent Internet Protocol (IP) addresses and 4146 requests. The captured data are statistically analyzed and the captured attack behaviors are analyzed in detail. Experimental results show that the proposed API attack trapping technology can effectively discover API attack behaviors in the cloud native environment.
Keywords: application programming interface (API) security; cloud API security; attack trapping; decoy