CN111274046A - Service call validity detection method and device, computer equipment and computer storage medium - Google Patents
Publication number: CN111274046A (application number CN202010045763.3A)
Authority: CN (China)
Prior art keywords: service, interface, caller, authority, calling
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F9/547 - Remote procedure calls [RPC]; Web services (under G06F9/54 Interprogram communication; G06F9/46 Multiprogramming arrangements; G06F9/06 and G06F9/00 Arrangements for program control)
- G06F21/6218 - Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database (under G06F21/62; G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
Abstract
The application discloses a method and an apparatus for detecting the validity of a service call, together with a computer storage medium. It relates to the field of computer technology and can be used to authenticate a service caller and to secure service calls. The method comprises the following steps: allocating access rights to each service caller based on service registration rights, and monitoring and intercepting interface access requests from the service caller to a service provider; after determining that the service caller has access rights for its interface access request to the service provider, extracting the caller's interface call information from the request and detecting from that information whether the service caller is legitimate; and, if the service caller is legitimate, obtaining the service provider's service calling program according to the interface call information and providing it to the service caller.
Description
Technical Field
The present invention relates to the field of computer technology, and in particular to a method and an apparatus for detecting the validity of a service call, a computer device, and a computer storage medium.
Background
Under a microservice architecture a system is split into multiple services by business function, each with a single responsibility, and the service interfaces are managed in a unified way, so that the unified services can provide capabilities such as mail, SMS, face recognition and unstructured storage to other systems inside the company and to external systems.
Generally, when a service is consumed, for example an SMS service connected to several SMS platforms, a separate SMS interface would otherwise have to be developed for each platform, which leads to a poor experience in terms of code and business logic. Managing the service interfaces in a unified way provides a single interface standard, so the code logic becomes simple and intuitive and the user experience improves.
However, while the service interfaces are managed in a unified way, an illegitimate platform can forge or impersonate a business system and call the unified service interfaces, sending illegal content such as spam SMS messages and junk mail through the service or uploading reactionary or obscene videos to it, so the security of service calls cannot be guaranteed.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for detecting the validity of a service call, a computer device and a computer storage medium, and mainly aims to solve the problem that the security of service calls cannot currently be guaranteed.
According to one aspect of the present invention, a method for detecting the validity of a service call is provided, the method comprising:
allocating access rights to each service caller based on service registration rights, and monitoring and intercepting interface access requests from the service caller to a service provider;
after determining that the service caller has access rights for its interface access request to the service provider, extracting the caller's interface call information from the interface access request, and detecting from the interface call information whether the service caller is legitimate;
and, if the service caller is legitimate, obtaining the service provider's service calling program according to the interface call information and providing the service calling program to the service caller.
Further, the service registration rights are stored in a public configuration file of a service registry, and before allocating access rights to each service caller based on the service registration rights and monitoring and intercepting the interface access request of the service caller to the service provider, the method further comprises:
collecting in advance the metadata that each service system stores in the service registry when it registers, the metadata being stored in the service registry in the form of a public configuration file;
and extracting the service registration rights of each service system by parsing the metadata.
Further, the service registration rights of each service system comprise its right to be accessed by other services and its right to access other services, and allocating access rights to each service caller based on the service registration rights and monitoring and intercepting the interface access request of the service caller to the service provider specifically comprises:
organising, from each service system's right to be accessed by other services and its right to access other services, a service authority mapping table that records each service caller's right to access other services and each service provider's right to be accessed by other services;
and allocating to each service caller its right to access other services and to each service provider its right to be accessed by other services according to the service authority mapping table, and monitoring and intercepting the interface access request of the service caller to the service provider.
Further, after allocating access rights to each service caller based on the service registration rights and monitoring and intercepting the interface access request of the service caller to the service provider, the method further comprises:
detecting, respectively, whether the service caller has the right to access the service provider and whether the service provider has the right to be accessed by the service caller;
if both rights exist, determining that the service caller has access rights for its interface access request to the service provider;
otherwise, determining that the service caller does not have access rights for its interface access request to the service provider.
Further, the interface call information is stored in a request header of the interface access request and records a first verification value calculated by the service caller when it sends the interface access request; extracting the caller's interface call information from the interface access request and detecting from it whether the service caller is legitimate specifically comprises:
extracting the service caller's interface call information from the request header of the interface access request, and comparing the first verification value recorded in the interface call information with a second verification value calculated by the service provider when it receives the interface access request;
if the two values match, determining that the service caller is legitimate;
otherwise, determining that the service caller is illegitimate.
Further, after obtaining the service provider's service calling program according to the interface call information and providing it to the service caller, the method further comprises:
identifying and filtering, with an identification and filtering algorithm, the text that the service caller publishes through the service calling program;
identifying and filtering the text that the service caller publishes through the service calling program with the identification and filtering algorithm specifically comprises:
matching the segmented words of the text that the service caller publishes through the service calling program against pre-built corpus documents using a tf-idf model;
and if the match succeeds, treating the matched terms as text features extracted from the text, classifying the text features as legal or illegal, and filtering out the text features identified as illegal.
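The tf-idf matching step above is only sketched by the patent. The following is an added example, not code from the patent or its applicant, of how a filtering unit could score caller-published text against pre-built corpus documents. The corpus, the messages and the 0.25 threshold are constructed for the example; the tokenizer splits on ASCII word characters, whereas a real deployment of this claim would use a word segmenter for Chinese text and a far larger corpus. The idf formula (smoothed, as in scikit-learn's default) is a design choice, not something the patent specifies.

```python
import math
import re
from collections import Counter

# Constructed stand-in for the patent's pre-built corpus: one document of
# representative terms per illegal category.
CORPUS = {
    "spam-sms": "free prize click link claim reward win lottery winner prize",
    "phishing": "account verify password login urgent suspended click link verify",
    "gambling": "casino bet odds jackpot poker wager casino bet",
}


def tokenize(text: str) -> list:
    """Toy word segmentation: lowercase ASCII word characters only."""
    return re.findall(r"[a-z0-9]+", text.lower())


def tfidf_vector(counts: Counter, idf: dict, unknown_idf: float) -> dict:
    """L2-normalised tf-idf weights. Terms absent from the corpus keep a weight
    (df = 0) so a long benign message that happens to contain one corpus word
    does not look like a corpus document."""
    total = sum(counts.values()) or 1
    vec = {t: (c / total) * idf.get(t, unknown_idf) for t, c in counts.items()}
    norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
    return {t: w / norm for t, w in vec.items()}


def build_index(corpus: dict):
    """Fit idf on the corpus; return (idf, unknown_idf, unit vectors per doc)."""
    docs = {name: Counter(tokenize(text)) for name, text in corpus.items()}
    n = len(docs)
    df = Counter()
    for counts in docs.values():
        df.update(counts.keys())
    # Smoothed idf: log((1 + n) / (1 + df)) + 1
    idf = {term: math.log((1 + n) / (1 + d)) + 1.0 for term, d in df.items()}
    unknown_idf = math.log((1 + n) / 1.0) + 1.0
    vectors = {name: tfidf_vector(counts, idf, unknown_idf) for name, counts in docs.items()}
    return idf, unknown_idf, vectors


def cosine(a: dict, b: dict) -> float:
    return sum(w * b.get(t, 0.0) for t, w in a.items())


def classify(text: str, index, threshold: float = 0.25):
    """Return (category, score) when the text matches a corpus document at or
    above the threshold, else (None, best_score)."""
    idf, unknown_idf, vectors = index
    query = tfidf_vector(Counter(tokenize(text)), idf, unknown_idf)
    scores = {name: cosine(query, vec) for name, vec in vectors.items()}
    best = max(scores, key=scores.get)
    if scores[best] >= threshold:
        return best, scores[best]
    return None, scores[best]


def filter_published_text(messages, index, threshold: float = 0.25):
    """Split caller-published messages into (passed, filtered_out); each
    filtered item carries the matched category, as the patent's filtering
    unit would need for its illegal-content decision."""
    passed, filtered = [], []
    for msg in messages:
        label, _score = classify(msg, index, threshold)
        if label is None:
            passed.append(msg)
        else:
            filtered.append((msg, label))
    return passed, filtered
```

The threshold is the tuning knob: too low and any message containing "link" is dropped, too high and reworded spam passes. Keeping unknown terms in the query vector is what keeps a benign "click the link to see the agenda" below the threshold while a message dense in corpus terms scores well above it.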
Further, after determining that the service caller has access rights for its interface access request to the service provider, extracting the caller's interface call information from the interface access request and detecting from it whether the service caller is legitimate, the method further comprises:
if the service caller is illegitimate, intercepting the operations of the application program in which the service caller resides.
According to another aspect of the present invention, an apparatus for detecting the validity of a service call is provided, the apparatus comprising:
an allocation unit, used for allocating access rights to each service caller based on service registration rights, and for monitoring and intercepting interface access requests from the service caller to a service provider;
a first detection unit, used for extracting the caller's interface call information from the interface access request after it has been determined that the service caller has access rights for its interface access request to the service provider, and for detecting from the interface call information whether the service caller is legitimate;
and an obtaining unit, used for obtaining the service provider's service calling program according to the interface call information and providing it to the service caller if the service caller is legitimate.
Further, the service registration rights are stored in a public configuration file of a service registry, and the apparatus further comprises:
a collection unit, used for collecting in advance, before access rights are allocated to each service caller based on the service registration rights and the interface access request of the service caller to the service provider is monitored and intercepted, the metadata that each service system stores in the service registry when it registers, the metadata being stored in the service registry in the form of a public configuration file;
and an extraction unit, used for extracting the service registration rights of each service system by parsing the metadata.
Further, the service registration rights of each service system comprise its right to be accessed by other services and its right to access other services, and the allocation unit comprises:
an organising module, used for organising, from each service system's right to be accessed by other services and its right to access other services, a service authority mapping table that records each service caller's right to access other services and each service provider's right to be accessed by other services;
and an allocation module, used for allocating to each service caller its right to access other services and to each service provider its right to be accessed by other services according to the service authority mapping table, and for monitoring and intercepting the interface access request of the service caller to the service provider.
Further, the apparatus further comprises:
a second detection unit, used for detecting, respectively, whether the service caller has the right to access the service provider and whether the service provider has the right to be accessed by the service caller, after access rights have been allocated to each service caller based on the service registration rights and the interface access request of the service caller to the service provider has been monitored and intercepted;
a determining unit, used for determining that the service caller has access rights for its interface access request to the service provider if both rights exist;
the determining unit is further configured to determine that the service caller does not have access rights for its interface access request to the service provider otherwise.
Further, the interface call information is stored in a request header of the interface access request and records a first verification value calculated by the service caller when it sends the interface access request, and the first detection unit comprises:
a comparison module, used for extracting the service caller's interface call information from the request header of the interface access request and comparing the first verification value recorded in the interface call information with a second verification value calculated by the service provider when it receives the interface access request;
a determining module, used for determining that the service caller is legitimate if the two values match;
the determining module is further configured to determine that the service caller is illegitimate if the two values do not match.
Further, the apparatus further comprises:
a filtering unit, used for identifying and filtering, with an identification and filtering algorithm, the text that the service caller publishes through the service calling program, after the service provider's service calling program has been obtained according to the interface call information and provided to the service caller;
the filtering unit comprises:
a matching module, used for matching the segmented words of the text that the service caller publishes through the service calling program against pre-built corpus documents using a tf-idf model;
and an identification module, used for treating the matched terms as text features extracted from the text if the match succeeds, classifying the text features as legal or illegal, and filtering out the text features identified as illegal.
Further, the apparatus further comprises:
an interception unit, used for intercepting the operations of the application program in which the service caller resides if the service caller is found to be illegitimate, after it has been determined that the service caller has access rights for its interface access request to the service provider, the caller's interface call information has been extracted from the interface access request and the caller's legitimacy has been detected from that information.
According to yet another aspect of the present invention, a computer device is provided, comprising a memory storing a computer program and a processor implementing the steps of the method for validity detection of a service call when executing the computer program.
According to a further aspect of the invention, a computer storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method for validity detection of a service call.
By means of the above technical scheme, the method and apparatus for detecting the validity of a service call allocate access rights to each service caller based on service registration rights and monitor and intercept the caller's interface access requests to the service provider; after determining that the caller has rights for the request, they extract the caller's interface call information from the request and use it to detect whether the caller is legitimate, thereby authenticating the caller, providing the corresponding service calling program only to legitimate callers, and effectively intercepting malicious attacks. Compared with prior-art approaches, the method intercepts illegitimate service calls, and only once a call has been detected as legitimate does it obtain the service provider's service calling program according to the interface call information and provide it to the caller, so the security of service calls is guaranteed.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart illustrating a method for detecting validity of a service call according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating another method for detecting validity of a service call according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram illustrating a validity detection apparatus for a service call according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram illustrating another apparatus for detecting validity of a service call according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The embodiment of the invention provides a method for detecting the validity of a service call, which can authenticate a service caller and secure service calls. As shown in fig. 1, the method comprises the following steps:
101. Allocate access rights to each service caller based on the service registration rights, and monitor and intercept interface access requests from the service caller to a service provider.
In unified service management, to prevent misuse of rights after information has been shared, access rights can be allocated to all information application systems within the same management scope, realising multi-level unified authorisation. Specifically, a unified user and rights management system can define access rights between user groups, i.e. which business systems, and which data within those systems, a user may access.
In the embodiment of the invention, the logical structure of unified user and rights management can consist of an external access module, containing an application access interface module and a user authentication interface, and an internal control module, containing a rights authentication module and an application rights management module, which together define the access rights of each service caller. When a service caller sends an interface access request to a service provider, the external access module monitors and intercepts the request and passes it to the internal control module through the application access interface module; the internal control module authenticates the request's rights with the rights authentication module and returns the authentication result to the user authentication interface in the external access module, which determines whether the service caller has access rights.
Specifically, when determining whether the service caller has access rights, the rights authentication module may use several authentication methods, for example a signature scheme to authenticate the caller's interface, and identity-based authentication of the caller itself.
102. After determining that the service caller has access rights for its interface access request to the service provider, extract the caller's interface call information from the interface access request and detect from it whether the service caller is legitimate.
The interface call information includes the service caller invoking the interface, the number of calls, call duration, success rate, response time and so on. Because most public networks are untrusted, every HTTP request and response is at risk of interception and tampering. Three threats must be guarded against: forgery (a third party deliberately or maliciously calls a business system interface over the public network), tampering (the request header, query string or body is modified in transit over the public network), and data leakage (a user login request is intercepted and the account and password captured).
When a service caller sends an interface access request, the request header may carry information including, but not limited to:
1) X-Rb-Key: the issued AppKey, unique across the whole system.
2) X-Rb-Sign: the signature string; the calculation method is described below.
3) X-Rb-BodyHash: optional, used with POST; BodyHash = Base64(SHA256(Body.getBytes("UTF-8"))).
4) X-Rb-Timestamp: in milliseconds; used to check whether the request is still valid (60-second window).
5) X-Rb-ReqUUID: replay protection; must be globally unique within the requesting system.
X-Rb-Sign is computed with the HmacSHA256 algorithm over the string to be signed (textToSign), using the issued secret as the key.
Having considered the three threats above, the embodiment of the invention verifies the legitimacy of the service caller with a secure signature verification algorithm. When the application in which the service caller resides sends an interface access request to the service provider, the request header carries a signature value computed from the AppKey, the secret, the timestamp and the body hash using the algorithm above (the first verification value). On receiving the request the service provider computes its own value with the same algorithm (the second verification value) and judges the caller's legitimacy by checking whether the value computed by the caller matches the value computed by the provider.
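The exchange described above, as an added example that is not code from the patent: a caller builds the X-Rb-* headers and a provider recomputes the HMAC, enforces the 60-second timestamp window and rejects a reused X-Rb-ReqUUID. The patent says only that X-Rb-Sign is HmacSHA256 over "textToSign" keyed with the issued secret; the exact composition of textToSign (method, path, AppKey, timestamp, ReqUUID, body hash, newline-joined) is an assumption made here, as are the credentials, the sample body and the fixed clock values. Two points the patent does not spell out but a verifier should get right are shown: the comparison is constant-time, and the replay cache is only consulted after the signature has been validated, so unauthenticated traffic cannot fill it.

```python
import base64
import binascii
import hashlib
import hmac
import time
import uuid

# Constructed credentials: AppKey -> issued secret. A real system issues these
# per caller and keeps only the provider-side copy.
ISSUED_CREDENTIALS = {"app-orders-01": b"constructed-secret-for-orders"}
TIMESTAMP_WINDOW_MS = 60_000  # X-Rb-Timestamp must be within 60 s of the provider clock


def body_hash(body: bytes) -> str:
    """X-Rb-BodyHash = Base64(SHA256(body)), as given in the patent text."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def text_to_sign(method: str, path: str, headers: dict) -> str:
    """Canonical string fed to HmacSHA256. The field order is an ASSUMPTION for
    this example; binding method, path, key, timestamp, nonce and body hash
    means none of them can be altered in transit without breaking X-Rb-Sign."""
    return "\n".join([
        method.upper(),
        path,
        headers["X-Rb-Key"],
        headers["X-Rb-Timestamp"],
        headers["X-Rb-ReqUUID"],
        headers.get("X-Rb-BodyHash", ""),
    ])


def _mac(secret: bytes, text: str) -> bytes:
    return hmac.new(secret, text.encode("utf-8"), hashlib.sha256).digest()


def sign_request(app_key, secret, method, path, body=b"", now_ms=None, req_uuid=None):
    """Caller side: build the X-Rb-* headers (the first verification value)."""
    headers = {
        "X-Rb-Key": app_key,
        "X-Rb-Timestamp": str(now_ms if now_ms is not None else int(time.time() * 1000)),
        "X-Rb-ReqUUID": req_uuid or str(uuid.uuid4()),
    }
    if body:
        headers["X-Rb-BodyHash"] = body_hash(body)
    sig = _mac(secret, text_to_sign(method, path, headers))
    headers["X-Rb-Sign"] = base64.b64encode(sig).decode("ascii")
    return headers


class Verifier:
    """Provider side: recompute the signature (the second verification value),
    enforce the timestamp window and the ReqUUID replay protection."""

    def __init__(self, credentials, window_ms=TIMESTAMP_WINDOW_MS):
        self.credentials = credentials
        self.window_ms = window_ms
        self.seen = {}  # ReqUUID -> timestamp; entries older than the window are dropped

    def verify(self, method, path, headers, body=b"", now_ms=None):
        now_ms = now_ms if now_ms is not None else int(time.time() * 1000)
        secret = self.credentials.get(headers.get("X-Rb-Key"))
        if secret is None:
            return False, "unknown AppKey"
        try:
            ts = int(headers["X-Rb-Timestamp"])
            req_uuid = headers["X-Rb-ReqUUID"]
            given = base64.b64decode(headers["X-Rb-Sign"], validate=True)
        except (KeyError, ValueError, binascii.Error):
            return False, "missing or malformed header"
        if abs(now_ms - ts) > self.window_ms:
            return False, "timestamp outside window"
        if body and headers.get("X-Rb-BodyHash") != body_hash(body):
            return False, "body tampered"
        expected = _mac(secret, text_to_sign(method, path, headers))
        # Constant-time comparison: a plain == leaks where the mismatch is.
        if not hmac.compare_digest(expected, given):
            return False, "signature mismatch"
        # Replay check last, so unauthenticated traffic cannot fill the cache.
        self._expire(now_ms)
        if req_uuid in self.seen:
            return False, "replayed ReqUUID"
        self.seen[req_uuid] = ts
        return True, "ok"

    def _expire(self, now_ms):
        for key, ts in list(self.seen.items()):
            if now_ms - ts > self.window_ms:
                del self.seen[key]
```

Because the replay cache only has to remember ReqUUIDs for the length of the timestamp window, the timestamp check and the nonce check work together: a request older than 60 seconds is refused outright, and within the window the ReqUUID makes each request single-use.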
103. If the service caller is legitimate, obtain the service provider's service calling program according to the interface call information and provide it to the service caller.
It can be understood that if the service caller is legitimate, it is considered safe, is allowed to call the interface function, and the application in which it resides continues to execute.
Further, to resist most repeated-submission attacks, flow control can be configured after a service caller has been found legitimate, to defend against large-volume, high-concurrency attacks from outside. The flow control sets a threshold on accesses per unit time using the token bucket algorithm: the system puts tokens into the bucket at a constant rate, the bucket holds at most b tokens and any surplus is discarded, each received request takes one token from the bucket, and the request is rejected when no token is available. For example, with the rate set to 1000 interface access requests per hour, only 1000 requests are admitted each hour and the rest are rejected, protecting the server.
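The token bucket described above, as an added example that is not code from the patent. The bucket parameters, the per-AppKey keying and the arrival sequences are assumptions for the example; the patent does not say what the bucket is keyed on or whether it starts full. Note that the bucket bounds the volume a caller can push through per unit time; rejecting an individual replayed request is the job of the X-Rb-ReqUUID check, not of the rate limiter.

```python
class TokenBucket:
    """Token bucket as described in the patent text: tokens are added at a
    constant rate, the bucket holds at most `capacity` (b) tokens, surplus
    tokens are discarded, each request takes one token, no token -> reject."""

    def __init__(self, rate_per_sec: float, capacity: int, now: float = 0.0):
        self.rate = float(rate_per_sec)
        self.capacity = float(capacity)
        self.tokens = float(capacity)  # assumption: start full so a new caller may burst up to b
        self.last = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)  # ignore a clock that steps backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now

    def allow(self, now: float) -> bool:
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerCallerLimiter:
    """One bucket per AppKey (assumption), so a single abusive caller cannot
    exhaust the provider's budget for every other caller."""

    def __init__(self, rate_per_sec: float, capacity: int):
        self.rate, self.capacity = rate_per_sec, capacity
        self.buckets = {}

    def allow(self, app_key: str, now: float) -> bool:
        bucket = self.buckets.get(app_key)
        if bucket is None:
            bucket = self.buckets[app_key] = TokenBucket(self.rate, self.capacity, now)
        return bucket.allow(now)


def admit(limiter: PerCallerLimiter, app_key: str, arrival_times) -> list:
    """Run a constructed arrival sequence (seconds) through the limiter and
    return the admit/reject decision for each request, in order."""
    return [limiter.allow(app_key, t) for t in arrival_times]


def hourly_limiter(requests_per_hour: int) -> PerCallerLimiter:
    """The patent's example: 1000 requests/hour. Capacity is the hourly budget
    and the refill rate spreads that budget evenly over 3600 s."""
    return PerCallerLimiter(requests_per_hour / 3600.0, requests_per_hour)
```

With the bucket starting full, a caller can spend its whole hourly budget in one burst and then only trickle through at the refill rate; a smaller capacity with the same rate caps the burst while keeping the hourly total.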
The method for detecting the validity of a service call provided by the embodiment of the invention allocates access rights to each service caller based on service registration rights and monitors and intercepts the caller's interface access requests to the service provider; after determining that the caller has rights for the request, it extracts the caller's interface call information from the request and uses it to detect whether the caller is legitimate, thereby authenticating the caller, providing the corresponding service calling program only to legitimate callers, and effectively intercepting malicious attacks. Compared with prior-art approaches, the method intercepts illegitimate service calls, and only once a call has been detected as legitimate does it obtain the service provider's service calling program according to the interface call information and provide it to the caller, so the security of service calls is guaranteed.
The embodiment of the invention provides another method for detecting the validity of service invocation, which can perform safety authentication on a service invocation party and ensure the safety of service invocation, and as shown in fig. 2, the method comprises the following steps:
201. metadata which is saved to a service registry by each service system in a registration form is collected in advance, and the metadata is stored in the service registry in a form of a public configuration file.
In the service registration process, when one service system is registered in the Eureka Server registration center and provides metadata (such as hosts and ports, URLs, home pages and the like) about the service system, all the service systems register and store the metadata of the service system in the Eureka Server registration center in a registration mode, and configure corresponding service registration authorities for the service systems, wherein the service registration authorities comprise two parts of authorities, one part is the access authority by which the service system can access other service systems, and the other part is the access authority by which the service system can be accessed by other service systems, so that the authenticated service systems can only access each other, and further, a public configuration file is generated according to the metadata of each service system and the service registration authorities, so that the metadata is stored in the service registration center in the form of the public configuration file.
202. And extracting the service registration authority of each service system by analyzing the metadata.
Because the metadata records information such as the identification of the service system, registration information, interaction records between the service system and other systems, interaction times and the like, the service registration authority of each service system can be extracted by analyzing the metadata, and the service registration authority specifically comprises the authority of each service system accessed by other services and the authority of accessing other services.
203. Based on the authority of each service system to be accessed by other services and its authority to access other services, the authority of each service caller to access other services and the authority of each service provider to be accessed by other services are arranged into a service authority mapping table.
For the embodiment of the present invention, in order to facilitate bidirectional authentication of the service caller and the service provider, the authority of each service system to be accessed by other services and its authority to access other services may be organized into the service authority mapping table. The form of the service authority mapping table may be, but is not limited to, the following: each service system name, the authority of that system to access other services, and the authority of that system to be accessed by other services. For example, service system A as a service caller can access service B and service C and cannot access service D; service system A as a service provider can be accessed by service B and service C and cannot be accessed by service D; service system B as a service caller can access service A and service D and cannot access service B; and service system B as a service provider can be accessed by service A and service D and cannot be accessed by service B.
204. The authority of each service caller to access other services and the authority of each service provider to be accessed by other services are allocated according to the service authority mapping table, and the interface access requests of the service caller to the service provider are monitored and intercepted.
It can be understood that the public configuration file is equivalent to a file shared during service system access. Since the public configuration file records the service authority mapping table formed from the access authority configured by each service system during registration together with the metadata, the authority of each service caller to access other services and the authority of each service provider to be accessed by other services can be allocated according to the service authority mapping table, and the interface access requests of the service caller to the service provider can be monitored and intercepted.
205. Whether the service caller has the authority to access the service provider and whether the service provider has the authority to be accessed by the service caller are detected respectively.
Specifically, the authority information of the service caller and of the service provider in the service authority mapping table can be queried, so as to detect whether the service caller has the authority to access the service provider and whether the service provider has the authority to be accessed by the service caller.
206a. If both exist, it is determined that the service caller has access authority for its interface access request to the service provider.
206b. Otherwise, it is determined that the service caller does not have access authority for its interface access request to the service provider.
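Steps 201 to 206 above, as an added example (not code from the patent): the per-system metadata is assumed to carry two lists, `can_access` and `accessible_by`; the A and B entries follow the example given for the mapping table, while the C and D entries, the request shape and the function names are constructed here.

```python
"""Added example: bidirectional service-authority check (not the patent's code).

Models steps 201-206: the metadata each service registers (assumed shape),
the service authority mapping table built from it, and the check that a
caller may reach a provider only when BOTH the caller's outbound right and
the provider's inbound right exist.
"""
from dataclasses import dataclass

# Constructed registry metadata. The A/B rows follow the example in the
# description; C and D are made up here so the table is complete.
REGISTRY_METADATA = {
    "A": {"can_access": ["B", "C"], "accessible_by": ["B", "C"]},
    "B": {"can_access": ["A", "D"], "accessible_by": ["A", "D"]},
    "C": {"can_access": ["A"], "accessible_by": ["A"]},
    "D": {"can_access": ["B"], "accessible_by": []},  # D grants no inbound right
}


@dataclass(frozen=True)
class AuthorityEntry:
    """One row of the service authority mapping table."""
    can_access: frozenset
    accessible_by: frozenset


def build_mapping_table(metadata):
    """Steps 202/203: parse the metadata into the service authority mapping table."""
    table = {}
    for name, meta in metadata.items():
        table[name] = AuthorityEntry(
            can_access=frozenset(meta.get("can_access", [])),
            accessible_by=frozenset(meta.get("accessible_by", [])),
        )
    return table


def has_access(table, caller, provider):
    """Steps 205/206: both directions must be granted; unknown systems are denied."""
    caller_entry = table.get(caller)
    provider_entry = table.get(provider)
    if caller_entry is None or provider_entry is None:
        return False
    outbound_ok = provider in caller_entry.can_access      # caller may call provider
    inbound_ok = caller in provider_entry.accessible_by    # provider accepts caller
    return outbound_ok and inbound_ok


def intercept(table, request):
    """Step 204: decide on an intercepted interface access request.

    `request` is a constructed dict with 'caller' and 'provider' keys; the
    return value is (allowed, reason) so that the decision can be logged.
    """
    caller = request.get("caller")
    provider = request.get("provider")
    if has_access(table, caller, provider):
        return True, "caller may access provider and provider accepts caller"
    return False, f"{caller!r} -> {provider!r} denied: right missing in one or both directions"


if __name__ == "__main__":
    table = build_mapping_table(REGISTRY_METADATA)
    for req in ({"caller": "A", "provider": "B"},
                {"caller": "B", "provider": "D"},
                {"caller": "A", "provider": "D"},
                {"caller": "X", "provider": "A"}):
        print(req, intercept(table, req))
```

The B to D request shows why the check is bidirectional: B lists D as reachable, but D never listed B, so the request is refused.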
207a. After it is determined that the service caller has access authority for the interface access request to the service provider, the interface calling information of the service caller is extracted from the interface access request, and whether the service caller is legal is detected according to the interface calling information.
For the embodiment of the present invention, the interface calling information of the service caller is stored in the request header of the interface access request, and the interface calling information records a first verification value calculated by the service caller when it sends the interface access request. The interface calling information of the service caller can therefore be extracted from the request header of the interface access request, and the first verification value recorded in it is compared with a second verification value calculated by the service provider when it receives the interface access request. If the two are consistent, the service caller is determined to be legal; otherwise, the service caller is determined to be illegal.
208a. If the service caller is legal, the service calling program of the service provider is obtained according to the interface calling information and provided to the service caller.
208a'. If the service caller is illegal, the operation behavior of the application program where the service caller is located is intercepted.
Further, in order to prevent attacks by a malicious system, after the service caller is detected to be illegal, the service caller requesting access may be placed on a blacklist as a malicious attack system; by placing the IP of the malicious attack system on the blacklist, the malicious system cannot continue its attack.
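An added example of steps 207a to 208a' (not the patent's code): the description does not say how the two verification values are computed, so this assumes an HMAC-SHA256 over the caller, provider, interface, timestamp and body hash with a key shared by the pair, plus a replay window; the header names, `SHARED_KEYS` and `ProviderGuard` are assumptions.

```python
"""Added example: request-header verification value check (not the patent's code).

Caller side records the "first verification value" in the request header;
provider side recomputes the "second verification value" on receipt, compares
in constant time, and blacklists the caller on failure (step 208a').
Assumed construction: HMAC-SHA256 over canonical request fields with a shared key.
"""
import hashlib
import hmac
import time

# Constructed shared secrets; in practice each caller/provider pair has its own.
SHARED_KEYS = {"A": b"constructed-key-for-service-A"}
MAX_SKEW_SECONDS = 300  # assumed replay window


def canonical_string(caller, provider, interface, timestamp, body):
    """Fields both sides feed into the verification value, in a fixed order."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([caller, provider, interface, str(timestamp), body_hash])


def compute_verification_value(key, caller, provider, interface, timestamp, body):
    msg = canonical_string(caller, provider, interface, timestamp, body).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_request(caller, provider, interface, body, now=None):
    """Caller side: place the interface calling information in the request header."""
    timestamp = int(now if now is not None else time.time())
    first = compute_verification_value(
        SHARED_KEYS[caller], caller, provider, interface, timestamp, body)
    headers = {
        "X-Service-Caller": caller,
        "X-Service-Interface": interface,
        "X-Service-Timestamp": str(timestamp),
        "X-Verification-Value": first,  # the "first verification value"
    }
    return {"provider": provider, "headers": headers, "body": body}


class ProviderGuard:
    """Provider side: recompute, compare, and blacklist callers that fail."""

    def __init__(self, provider, keys=SHARED_KEYS, max_skew=MAX_SKEW_SECONDS):
        self.provider = provider
        self.keys = keys
        self.max_skew = max_skew
        self.blacklist = set()

    def is_legal(self, request, now=None):
        h = request["headers"]
        caller = h.get("X-Service-Caller", "")
        if caller in self.blacklist or caller not in self.keys:
            return False  # blacklisted, or no shared key to verify against
        try:
            ts = int(h.get("X-Service-Timestamp", ""))
        except ValueError:
            return self._reject(caller)
        now = now if now is not None else time.time()
        if abs(now - ts) > self.max_skew:
            return self._reject(caller)  # stale or replayed request
        # The provider uses ITS OWN identity here, so a request signed for
        # another provider cannot be forwarded to this one.
        second = compute_verification_value(
            self.keys[caller], caller, self.provider,
            h.get("X-Service-Interface", ""), ts, request["body"])
        first = h.get("X-Verification-Value", "")
        if not hmac.compare_digest(first, second):  # constant-time comparison
            return self._reject(caller)
        return True

    def _reject(self, caller):
        """Step 208a': an illegal caller is placed on the blacklist."""
        self.blacklist.add(caller)
        return False
```

A single failed comparison blacklists the caller here, as the description states; a deployment would usually log the reason and expire blacklist entries.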
209a. The text information issued by the service caller in the service calling program is filtered and identified using an identification and filtering algorithm.
Further, in order to ensure the security of the information issued in the application program where the service caller is located, after the service caller is detected to be legal, an identification and filtering algorithm may be used to filter and identify the information issued by the service caller in the application program, for example a keyword method, a check code method, a white list and black list mechanism, Bayesian filtering, and the like.
Specifically, when an identification and filtering algorithm is used to filter and identify the information issued by the service caller in the application program, a tf-idf model can be used to match the word segments in the text information issued by the service caller in the service calling program against a pre-constructed corpus document. If the match succeeds, text features are determined to be extracted from the text information, the text features are subjected to illegal-content identification, and the text features identified as illegal are filtered out.
When the tf-idf model is used to match the word segments in the text information issued by the service caller in the service calling program against the pre-constructed corpus documents, the text information is first segmented into words through a word set model, where the word set model is a set formed by words and each element of the set occurs only once, i.e. each word appears in the set only once; then the frequency of each word in the text information is counted through a bag-of-words model, which counts the number of times (word frequency) a word occurs in the text; and finally the tf-idf value of the query string q formed by the word segments w[1]...w[k] in the corpus document d is calculated according to the tf-idf model. The tf-idf model evaluates how important a word is to one document in a collection or corpus. In general, the importance of a word decreases inversely with the frequency with which it appears in the corpus. The calculated tf-idf value represents the degree of matching between the query string q and the corpus document d; if the query string q and the corpus document d match, the text feature can be considered extracted.
In particular, when the tf-idf value of the query string q formed by the word segments w[1]...w[k] in the corpus document d is calculated according to the tf-idf model, the word frequency termFreq with which each word segment w[1]...w[k] appears in the corpus document is recorded first, and then the total number of word segments docTotalTerm in the corpus document is recorded, giving tf = termFreq / docTotalTerm; if the number of corpus documents is docNum and the number of documents containing the word segment is wordInDocNum, then idf = 1.0 + log(docNum / (wordInDocNum + 1)); the tf-idf of each word segment w[1]...w[k] can then be calculated as tf-idf = tf × idf, and the final tf-idf value of the query string q formed by the word segments w[1]...w[k] in the corpus document d is the cumulative sum of the tf-idf values of the word segments w[1]...w[k].
Specifically, in the illegal-content identification of the text features, the extracted text features can be used as test text features, and the test text features are checked by polling against the illegal text features recorded in a pre-constructed illegal database to obtain the similarity between the test text features and the illegal text features. If the similarity is greater than a preset threshold, the text information can be considered illegal, so that it is judged whether the text information is a spam message or mail feature, reactionary or fraudulent content, and the like, and the identified illegal content is marked as illegal.
For the identified illegal content, the service interface manages short messages, mails, unstructured storage, face recognition and the like so that they cannot be accessed by the illegal content, and the identification result is recorded, so that illegal content with bad behavior can be placed on a blacklist and denied access.
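The tf-idf matching of step 209a, as an added example (not the patent's code): it implements the formulas given above; the natural logarithm, whitespace tokenization in place of Chinese word segmentation, reading wordInDocNum as the number of corpus documents containing the word, and the constructed corpus are assumptions.

```python
"""Added example: tf-idf matching of issued text against a corpus (not the patent's code).

Follows the steps in the description: word set model for the query, bag-of-words
counts for termFreq, tf = termFreq / docTotalTerm,
idf = 1.0 + log(docNum / (wordInDocNum + 1)), and the query score as the
cumulative sum of tf-idf over the query's word segments w[1]..w[k].
Assumptions: natural log; whitespace tokens instead of Chinese word segmentation.
"""
import math
import re
from collections import Counter

# Constructed corpus documents (the description only says they are pre-constructed).
CORPUS = {
    "promo": "free prize claim your free prize now",
    "notice": "system maintenance window tonight",
    "phish": "verify your account password now",
}


def tokenize(text):
    """Lower-cased word tokens (stand-in for real word segmentation)."""
    return re.findall(r"[a-z0-9]+", text.lower())


def word_set(text):
    """Word set model: each word occurs only once."""
    return set(tokenize(text))


def term_freq(text):
    """Bag-of-words model: number of times each word occurs (termFreq)."""
    return Counter(tokenize(text))


class TfIdfMatcher:
    def __init__(self, corpus):
        self.docs = {name: term_freq(text) for name, text in corpus.items()}
        self.doc_total_term = {name: sum(c.values()) for name, c in self.docs.items()}
        self.doc_num = len(self.docs)

    def word_in_doc_num(self, word):
        """Number of corpus documents containing the word (assumed reading)."""
        return sum(1 for c in self.docs.values() if word in c)

    def tf(self, word, doc):
        return self.docs[doc][word] / self.doc_total_term[doc]

    def idf(self, word):
        return 1.0 + math.log(self.doc_num / (self.word_in_doc_num(word) + 1))

    def tfidf(self, word, doc):
        return self.tf(word, doc) * self.idf(word)

    def score(self, query, doc):
        """tf-idf value of query q = w[1]..w[k] in document d: cumulative sum."""
        return sum(self.tfidf(w, doc) for w in word_set(query))

    def match(self, query, threshold):
        """Best-matching corpus document, its score, and the extracted text features.

        Returns (None, best_score, set()) when no document reaches the threshold,
        i.e. matching failed and no features are extracted.
        """
        best_doc, best_score = max(
            ((d, self.score(query, d)) for d in self.docs), key=lambda item: item[1])
        if best_score < threshold:
            return None, best_score, set()
        features = word_set(query) & set(self.docs[best_doc])
        return best_doc, best_score, features


if __name__ == "__main__":
    matcher = TfIdfMatcher(CORPUS)
    for text in ("free prize now", "hello world"):
        print(text, "->", matcher.match(text, threshold=0.5))
```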
Further, as a specific implementation of the method shown in fig. 1, an embodiment of the present invention provides a device for detecting validity of a service invocation, where as shown in fig. 3, the device includes: an allocation unit 31, a first detection unit 32, and an acquisition unit 33.
The allocating unit 31 may be configured to perform access right allocation on each service invoker based on the service registration right, and monitor and intercept an interface access request of the service invoker to the service provider;
the first detecting unit 32 may be configured to, after determining that the service invoker has an access right to an interface access request of a service provider, extract interface invocation information of the service invoker from the interface access request, and detect whether the service invoker is legal according to the interface invocation information;
the obtaining unit 33 may be configured to, if the service caller is legal, obtain a service calling program of the service provider according to the interface call information and provide the service calling program to the service caller.
The service call validity detection device provided by the embodiment of the invention allocates access authority to each service caller based on the service registration authority, monitors and intercepts the interface access request of the service caller to the service provider, and, after determining that the service caller has authority for the interface access request to the service provider, extracts the interface calling information of the service caller from the interface access request and detects whether the service caller is legal according to the interface calling information. It thus performs security authentication on the caller, provides the corresponding service calling program to a legal caller, and can effectively intercept malicious attacks. Compared with the prior-art method for detecting the legality of a service call, this device intercepts illegal service callers and, only after a service caller is detected to be legal, acquires the service calling program of the service provider according to the interface calling information and provides it to the service caller, so that the security of the service invocation is guaranteed.
As a further description of the validity detection apparatus for service invocation shown in fig. 3, fig. 4 is a schematic structural diagram of another validity detection apparatus for service invocation according to an embodiment of the present invention, as shown in fig. 4, where the service registration authority is stored in a public configuration file of a service registration center, the apparatus further includes:
the collecting unit 34 may be configured to collect in advance, before the access authority is allocated to each service caller based on the service registration authority and interface access requests of the service caller to the service provider are monitored and intercepted, the metadata that each service system saves to the service registry at registration, where the metadata is stored in the service registry in the form of a public configuration file;
the extracting unit 35 may be configured to extract the service registration authority of each service system by parsing the metadata.
Further, the service registration authority includes an authority of the respective service system to be accessed by other services and an authority of accessing other services, and the allocating unit 31 includes:
the sorting module 311 may be configured to sort, based on the authority of each service system accessed by other services and the authority of each service system accessing other services, the authority of each service invoker accessing other services and the authority of each service provider accessed by other services into a service authority mapping table;
the allocating module 312 may be configured to allocate, according to the service authority mapping table, the authority of each service invoker for accessing other services and the authority of each service provider for being accessed by other services, and monitor and intercept an interface access request of the service invoker for the service provider.
Further, the apparatus further comprises:
a second detecting unit 36, configured to respectively detect whether the service invoker has an authority to access the service provider and whether the service provider has an authority to be accessed by the service invoker after the access authority is allocated to each service invoker based on the service registration authority and an interface access request of the service invoker to the service provider is monitored and intercepted;
a determining unit 37, configured to determine that the service invoker has an access right to an interface access request of a service provider;
the determining unit 37 may be further configured to determine that the service invoker does not have an access right to the interface access request of the service provider.
Further, the interface calling information is stored in a request header of the interface access request, and the interface calling information records a first verification value calculated by the service caller when sending the interface access request, and the first detecting unit 32 includes:
a comparison module 321, configured to extract interface calling information of the service caller from a request header of the interface access request, and compare a first verification value recorded in the interface calling information with a second verification value calculated by the service provider when the interface access request is received;
the determining module 322 may be configured to determine that the service invoker is legal if the comparison is consistent;
the determining module 322 may be further configured to determine that the service invoker is illegal if the comparison is inconsistent.
Further, the apparatus further comprises:
the filtering unit 38 may be configured to, after the service calling program of the service provider is obtained according to the interface calling information and the service calling program is provided to the service caller, filter and identify text information issued by the service caller in the service calling program by using an identification and filtering algorithm;
the filter unit 38 includes:
the matching module 381 may be configured to match, by using the tf-idf model, the participles in the text information issued by the service caller in the service invocation program with the pre-constructed corpus documents;
the identifying module 382 may be configured to determine to extract text features from the text information if the matching is successful, perform illegal identification on the text features, and filter the text features that are identified as illegal.
Further, the apparatus further comprises:
the intercepting unit 39 may be configured to, after determining that the service invoker has an access right to the interface access request of the service provider, extract the interface invocation information of the service invoker from the interface access request, and detect whether the service invoker is legal according to the interface invocation information, and if the service invoker is illegal, intercept an operation behavior of an application program where the service invoker is located.
It should be noted that other corresponding descriptions of the functional units related to the apparatus for detecting validity of service invocation provided in this embodiment may refer to the corresponding descriptions in fig. 1 and fig. 2, and are not described herein again.
Based on the methods shown in fig. 1 and fig. 2, correspondingly, the present embodiment further provides a storage medium, on which a computer program is stored, and the program, when executed by a processor, implements the method for detecting validity of the service call shown in fig. 1 and fig. 2.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual device embodiment shown in fig. 3 and fig. 4, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device, and the like, where the entity device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program to implement the method for detecting the validity of the service call as shown in fig. 1 and fig. 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, a WI-FI module, and so forth. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., a bluetooth interface, WI-FI interface), etc.
It can be understood by those skilled in the art that the physical device structure of the service invocation validity detection apparatus provided in the present embodiment does not constitute a limitation to the physical device, and may include more or fewer components, or combine some components, or arrange different components.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the computer device described above, supporting the operation of information handling programs and other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and other hardware and software in the entity device.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. By applying the technical scheme of the application, compared with the prior art, the method and the device have the advantages that the illegal service calling party is intercepted by carrying out validity detection on the service calling party, and after the service calling party is detected to be legal, the service calling program of the service provider is obtained according to the interface calling information and is provided for the service calling party, so that the safety of service calling is ensured.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.
Claims (10)
1. A method for detecting validity of a service call, the method comprising:
distributing access authority to each service caller based on the service registration authority, and monitoring and intercepting an interface access request of the service caller to a service provider;
after determining that the service caller has access authority to the interface access request of the service provider, extracting interface calling information of the service caller from the interface access request, and detecting whether the service caller is legal or not according to the interface calling information;
and if the service calling party is legal, acquiring a service calling program of a service provider according to the interface calling information, and providing the service calling program for the service calling party.
2. The method of claim 1, wherein the service registration authority is stored in a public configuration file of a service registration center, and before the assigning of the access authority to each service caller based on the service registration authority, and the monitoring and intercepting of the interface access request of the service caller to the service provider, the method further comprises:
the method comprises the steps that metadata stored in a service registry by each service system in a registration mode are collected in advance, and the metadata are stored in the service registry in a public configuration file mode;
and extracting the service registration authority of each service system by analyzing the metadata.
3. The method according to claim 2, wherein the service registration permissions include permissions of each service system to be accessed by other services and permissions of each service system to access other services, and the allocating access permissions to each service caller based on the service registration permissions, monitoring and intercepting an interface access request of the service caller to a service provider specifically includes:
based on the access authority of each service system by other services and the access authority of each service system to other services, the access authority of each service caller to other services and the access authority of each service provider to other services are arranged into a service authority mapping table;
and distributing the authority of each service caller for accessing other services and the authority of each service provider for being accessed by other services according to the service authority mapping table, and monitoring and intercepting an interface access request of the service caller to the service provider.
4. The method of claim 2, wherein after the assigning access rights to each service caller based on the service registration rights, monitoring and intercepting the interface access request of the service caller to the service provider, the method further comprises:
respectively detecting whether the service caller has the authority of accessing the service provider and whether the service provider has the authority of being accessed by the service caller;
if both exist, determining that the service caller has access authority for the interface access request to the service provider;
otherwise, determining that the service caller does not have access right to the interface access request of the service provider.
5. The method according to claim 1, wherein the interface call information is stored in a request header of the interface access request, the interface call information records a first verification value calculated when the service caller sends the interface access request, the interface call information of the service caller is extracted from the interface access request, and whether the service caller is legal or not is detected according to the interface call information, specifically comprising:
extracting interface calling information of a service calling party from a request head of the interface access request, and comparing a first verification value recorded in the interface calling information with a second verification value calculated by a service provider when the service provider receives the interface access request;
if the comparison is consistent, determining that the service calling party is legal;
otherwise, determining that the service caller is illegal.
6. The method according to claim 1, wherein after the obtaining a service calling program of a service provider according to the interface calling information and providing the service calling program to the service calling party, the method further comprises:
filtering and identifying the text information issued by the service calling party in the service calling program by adopting an identification and filtering algorithm;
the identifying and filtering algorithm is used for identifying and filtering the text information issued by the service caller in the service calling program, and specifically comprises the following steps:
matching the participles in the text information issued by the service calling party in the service calling program with the pre-constructed corpus documents by utilizing a tf-idf model;
and if the matching is successful, determining that the text features are extracted from the text information, carrying out illegal identification on the text features, and filtering the text features identified as illegal.
7. The method according to any one of claims 1-6, wherein after determining that the service caller has access right to the interface access request of the service provider, extracting the interface calling information of the service caller from the interface access request, and detecting whether the service caller is legal according to the interface calling information, the method further comprises:
and if the service caller is illegal, intercepting the operation behavior of the application program of the service caller.
8. An apparatus for detecting validity of a service invocation, the apparatus comprising:
the distribution unit is used for distributing access authority to each service caller based on the service registration authority, monitoring and intercepting an interface access request of the service caller to a service provider;
the detection unit is used for extracting the interface calling information of the service calling party from the interface access request after determining that the service calling party has the access right to the interface access request of the service provider, and detecting whether the service calling party is legal or not according to the interface calling information;
and the obtaining unit is used for obtaining a service calling program of a service provider according to the interface calling information and providing the service calling program for the service caller if the service caller is legal.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
10. A computer storage medium on which a computer program is stored, characterized in that the computer program, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010045763.3A CN111274046A (en) | 2020-01-16 | 2020-01-16 | Service call validity detection method and device, computer equipment and computer storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111274046A true CN111274046A (en) | 2020-06-12 |
Family
ID=71001075
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010045763.3A Pending CN111274046A (en) | 2020-01-16 | 2020-01-16 | Service call validity detection method and device, computer equipment and computer storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111274046A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111930348A (en) * | 2020-07-29 | 2020-11-13 | 杭州当虹科技股份有限公司 | Application platform building method based on micro-service |
CN111966992A (en) * | 2020-08-17 | 2020-11-20 | 中消云(北京)物联网科技研究院有限公司 | Processing method and device of docking equipment |
CN112052030A (en) * | 2020-08-24 | 2020-12-08 | 东风汽车有限公司 | Interface authority configuration method, storage medium and system of vehicle-mounted application program |
CN112165536A (en) * | 2020-09-11 | 2021-01-01 | 中国银联股份有限公司 | Network terminal authentication method and device |
CN112804216A (en) * | 2020-12-31 | 2021-05-14 | 中国工商银行股份有限公司 | Multi-granularity self-adaptive service flow access control method and device |
CN113221100A (en) * | 2021-02-09 | 2021-08-06 | 上海大学 | Countermeasure intrusion detection method for industrial internet boundary protection |
CN113315637A (en) * | 2021-05-31 | 2021-08-27 | 中国农业银行股份有限公司 | Security authentication method, device and storage medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7123608B1 (en) * | 1999-09-10 | 2006-10-17 | Array Telecom Corporation | Method, system, and computer program product for managing database servers and service |
CN101009666A (en) * | 2006-01-26 | 2007-08-01 | 腾讯科技(深圳)有限公司 | Email sending control system and method |
CN101286948A (en) * | 2008-05-30 | 2008-10-15 | 杭州华三通信技术有限公司 | Access authority control method and wireless access equipment |
CN104158792A (en) * | 2013-05-14 | 2014-11-19 | 中兴通讯股份有限公司 | Spam zombie detection method and system |
CN105262717A (en) * | 2015-08-31 | 2016-01-20 | 福建天晴数码有限公司 | Network service security management method and device |
CN106453519A (en) * | 2016-09-21 | 2017-02-22 | 合网络技术(北京)有限公司 | Interface call method and device |
CN110069941A (en) * | 2019-03-15 | 2019-07-30 | 深圳市买买提信息科技有限公司 | A kind of interface access authentication method, apparatus and computer-readable medium |
CN110474863A (en) * | 2018-05-10 | 2019-11-19 | 中国移动通信集团浙江有限公司 | Micro services safety certifying method and device |
- 2020-01-16 CN CN202010045763.3A patent/CN111274046A/en active Pending
Similar Documents
Publication | Title |
---|---|
CN111274046A (en) | Service call validity detection method and device, computer equipment and computer storage medium |
CN112182519B (en) | Computer storage system security access method and access system |
JP6426189B2 (en) | System and method for biometric protocol standard |
CN112217835B (en) | Message data processing method and device, server and terminal equipment |
Preuveneers et al. | SmartAuth: dynamic context fingerprinting for continuous user authentication |
CN105978855B (en) | Personal information safety protection system and method under a real-name system |
CN110690972B (en) | Token authentication method and device, electronic equipment and storage medium |
CN116545650B (en) | Network dynamic defense method |
CN106027520A (en) | Method and device for detecting and processing stealing of website accounts |
CN116319024B (en) | Access control method and device of zero trust system and zero trust system |
CN111382422B (en) | System and method for changing passwords of account records under threat of illegally accessing user data |
KR101576632B1 (en) | System, apparatus, method and computer readable recording medium for detecting and treating illegal access |
CN117527430A (en) | Zero-trust network security dynamic evaluation system and method |
CN114117264A (en) | Illegal website identification method, device, equipment and storage medium based on block chain |
US20180176197A1 (en) | Dynamic Data Protection System |
JP6890559B2 (en) | Access analysis system and access analysis method |
CN117768236A (en) | Safety control and data desensitization platform and method based on API gateway |
CN117118750B (en) | Data sharing method and device based on white-box password, electronic equipment and medium |
JP2013069016A (en) | Information leakage prevention device and limitation information generation device |
CN111209552A (en) | Identity authentication method and device based on user behaviors |
CN111600901A (en) | Application authentication method, device, equipment and computer readable storage medium |
KR101851680B1 (en) | System, apparatus, method and computer readable recording medium for detecting and treating illegal access |
CN117763599A (en) | Personal sensitive data processing method, device, equipment and storage medium |
CN116800454A (en) | Method and system for data processing based on cloud platform |
CN118264469A (en) | System login authority management method, system and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20220525. Address after: 518000 China Aviation Center 2901, No. 1018, Huafu Road, Huahang community, Huaqiang North Street, Futian District, Shenzhen, Guangdong Province. Applicant after: Shenzhen Ping An medical and Health Technology Service Co.,Ltd. Address before: Room 12G, Area H, 666 Beijing East Road, Huangpu District, Shanghai 200001. Applicant before: PING AN MEDICAL AND HEALTHCARE MANAGEMENT Co.,Ltd. |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200612 |