Security protection method and device and computer readable storage medium
By monitoring API call chains and utilizing machine learning models and multiple detection methods, the problem of low accuracy in API call frequency limiting methods has been solved, achieving more accurate API call request identification and protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM CORP LTD
- Filing Date
- 2022-11-30
- Publication Date
- 2026-06-12
AI Technical Summary
In existing technologies, API call frequency limiting methods have low accuracy in determining whether API call requests are normal, leading to normal requests being misjudged as abnormal requests.
By monitoring the function call chain during the API call process and inputting it into a machine learning model to determine the normality of API call requests, and combining multiple detection and cluster analysis, normal and abnormal API call requests can be further distinguished.
It improves the accuracy of distinguishing between normal and abnormal API call requests, reduces false positives for normal requests, and enhances the accuracy of API protection.
Description
Technical Field
[0001] This disclosure relates to the field of cybersecurity technology, and in particular to a security protection method, apparatus, and computer-readable storage medium.
Background Technology
[0002] Currently, when providing Application Programming Interface (API) call services, API providers need to implement security measures for their APIs to prevent malicious attacks on APIs through API calls from affecting network services.
[0003] In related technologies, API providers typically limit the frequency of API calls, restricting the number of times a user can call the API within a specified time. If a user exceeds this limit, the API provider will directly reject the user's API call requests and add the user to a blacklist, thereby reducing the risk of malicious attacks on the API.
Summary of the Invention
[0004] The inventors noted that the accuracy of determining whether an API call request is normal is low when using methods found in related technologies.
[0005] After analysis, the inventors discovered that in some cases, normal API calls can be mistakenly identified as abnormal. For example, users may send normal API calls frequently, but such calls would be incorrectly identified as abnormal according to the methods described in related technologies.
[0006] To address the aforementioned problems, the present disclosure proposes the following solutions.
[0007] According to one aspect of the present disclosure, a security protection method is provided, comprising: monitoring a function call chain consisting of multiple functions called during the invocation of a first API, wherein the multiple functions are arranged sequentially according to the order of invocation in the function call chain; and inputting the function call chain into a machine learning model to determine whether the invocation request of the first API is normal.
[0008] In some embodiments, the method further includes monitoring at least one preset function called during the invocation of the first API, the plurality of functions including the at least one preset function; and determining other functions among the plurality of functions besides the at least one preset function based on the context of the code corresponding to each preset function.
[0009] In some embodiments, the method further includes performing a first detection on the call request of the first API to determine whether the call request of the first API is normal; if the result of the first detection is normal, the first API is allowed to be called; wherein the first detection includes at least one of the following detections, and the result of the first detection is normal only if the result of each of the at least one detection is yes: detecting whether the numeric type of the call request of the first API belongs to a preset numeric type; detecting whether the length range of the call request of the first API belongs to a preset length range; detecting whether the size range of the call request of the first API belongs to a preset size range; detecting whether the call request of the first API does not contain a Structured Query Language (SQL) statement; and detecting whether the call request of the first API does not contain characters that do not match the numeric type of the call request of the first API.
[0010] In some embodiments, the method further includes clustering the call requests of the first API with other abnormal API call requests when a preset condition is met, wherein the preset condition includes the machine learning model determining that the call requests of the first API are abnormal; and determining the common characteristics of the abnormal API call requests based on the clustering results.
[0011] In some embodiments, the method further includes performing a second detection in a simulated environment to determine whether an attack occurred during the call to the first API when the machine learning model determines that the call request to the first API is abnormal; if an attack occurs, determining the correspondence between the common features of the abnormal API call request and the category of the attack based on the clustering results; wherein the preset condition further includes the result of the second detection being that an attack occurred.
[0012] In some embodiments, the method further includes performing the first detection using a second API as the first API; the multiple detections further include detecting whether the call request of the second API has the common characteristics.
[0013] In some embodiments, the method further includes determining that the call request for the first API is normal in the absence of any attack.
[0014] In some embodiments, the attack includes at least one of tampering with system files and obtaining root privileges.
[0015] In some embodiments, the call request for the first API is copied to the simulated environment via traffic mirroring to perform the second detection.
[0016] In some embodiments, allowing the first API to be called when the result of the first detection is normal includes: performing a third detection to detect whether the token carried in the call request of the first API is valid when the result of the first detection is normal; allowing the first API to be called when the token is valid; and disallowing the first API to be called when the token is invalid.
[0017] According to another aspect of the present disclosure, a security protection device is provided, comprising: a monitoring module configured to monitor a function call chain consisting of multiple functions called during the invocation of a first application programming interface (API), wherein the multiple functions are arranged sequentially according to the order of invocation; and a determination module configured to input the function call chain into a machine learning model to determine whether the invocation request of the first API is normal.
[0018] According to another aspect of the present disclosure, a security protection device is provided, comprising: a memory; and a processor coupled to the memory, the processor being configured to execute the method described in any of the above embodiments based on instructions stored in the memory.
[0019] According to another aspect of the present disclosure, a computer-readable storage medium is provided, including computer program instructions, wherein the computer program instructions, when executed by a processor, implement the method described in any of the above embodiments.
[0020] According to another aspect of the present disclosure, a computer program product is provided, including a computer program, wherein the computer program, when executed by a processor, implements the method described in any of the above embodiments.
[0021] In this embodiment of the disclosure, a function call chain is formed by monitoring multiple functions called during the API call process and arranging them sequentially according to the order of their calls. This function call chain is then input into a machine learning model to determine whether the API call request is normal. This approach considers the sequential order of the API call process, thereby accurately distinguishing between normal and abnormal API call requests.
[0022] The technical solutions of this disclosure will be further described in detail below with reference to the accompanying drawings and embodiments.
Attached Figure Description
[0023] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0024] Figure 1 is a schematic flowchart of a security protection method according to some embodiments of the present disclosure;
[0025] Figure 2 is a schematic flowchart of a security protection method according to other embodiments of this disclosure;
[0026] Figure 3 is a schematic diagram of the structure of a security protection device according to some embodiments of the present disclosure;
[0027] Figure 4 is a structural schematic diagram of a security protection device according to other embodiments of the present disclosure.
Detailed Implementation
[0028] The technical solutions of the embodiments of this disclosure will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this disclosure, and not all embodiments. Based on the embodiments of this disclosure, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this disclosure.
[0029] Unless otherwise specifically stated, the relative arrangement, numerical expressions, and values of the components and steps set forth in these embodiments do not limit the scope of this disclosure.
[0030] At the same time, it should be understood that, for ease of description, the dimensions of the various parts shown in the accompanying drawings are not drawn according to actual scale.
[0031] Techniques, methods, and equipment known to those skilled in the art may not be discussed in detail, but where appropriate, such techniques, methods, and equipment should be considered part of the specification.
[0032] In all examples shown and discussed herein, any specific values should be interpreted as merely exemplary and not as limitations. Therefore, other examples of exemplary embodiments may have different values.
[0033] It should be noted that similar labels and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be discussed further in subsequent figures.
[0034] Furthermore, in the description of this disclosure, the terms "first," "second," "third," etc., are used for descriptive purposes only and should not be construed as indicating or implying relative importance or order. Similarly, although operations are depicted in a specific order in the accompanying drawings, this should not be construed as requiring such operations to be performed in the specific order shown or in sequential order, or requiring the execution of all illustrated operations to achieve the desired result. In some cases, multitasking and parallel processing can be advantageous.
[0035] Figure 1 is a schematic flowchart of a security protection method according to some embodiments of the present disclosure.
[0036] In step 102, the function call chain consisting of multiple functions called during the invocation of the first API is monitored. Here, in the function call chain, the multiple functions are arranged sequentially according to the order in which they are called. In some embodiments, multiple functions can be monitored using dynamic instrumentation. For example, multiple functions can be monitored using an agent probe.
[0037] In some embodiments, multiple functions can be arranged sequentially according to the order in which they are called, using timestamps, to form a function call chain.
[0038] In step 104, the function call chain is input into the machine learning model to determine whether the call request of the first API is normal.
[0039] In some embodiments, when training a machine learning model, a sample function call chain of a first API can be used as input, and the corresponding attack type can be used as output to train the machine learning model. For example, a function call chain of a request from an API that initiates a Structured Query Language (SQL) attack can be used as sample input, and the attack type "SQL attack" can be used as output to train the machine learning model.
[0040] As one implementation method, when training a machine learning model, the sample function call chain of the first API and the type of the first API can be taken as inputs, and the corresponding attack type can be taken as outputs to train the machine learning model so that the machine learning model can determine whether the call request of the first API is normal according to the type of the API.
[0041] As one implementation method, the machine learning model can be a recurrent neural network (RNN) model.
[0042] In this way, by monitoring the function call chain formed by multiple functions called in the API call process in chronological order, and inputting the function call chain into a machine learning model, the normality of the API call request can be determined. This approach considers the sequence of API calls, thus accurately distinguishing between normal and abnormal API call requests.
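The chain assembly and order-sensitive classification of steps 102 and 104, as an added example that is not code from the patent: probe events are sorted by timestamp into a call chain, and a first-order transition model (a deliberately simple stand-in for the RNN mentioned above) flags chains containing call transitions never seen in normal traffic. The function names, event tuples and training chains are constructed for illustration.

```python
from collections import Counter, defaultdict

START, END = "<start>", "<end>"

# Constructed probe events: (request_id, timestamp, function_name).
# They arrive out of order, so the chain must be rebuilt from timestamps.
EVENTS = [
    ("r1", 0.30, "build_query"), ("r1", 0.10, "parse_request"),
    ("r1", 0.20, "check_auth"), ("r1", 0.50, "render_response"),
    ("r1", 0.40, "db_execute"),
    ("r2", 0.20, "build_query"), ("r2", 0.10, "parse_request"),
    ("r2", 0.40, "check_auth"), ("r2", 0.30, "db_execute"),
    ("r2", 0.50, "render_response"),
]

# Constructed chains observed for known-normal requests (training data).
NORMAL_CHAINS = [
    ("parse_request", "check_auth", "build_query", "db_execute",
     "render_response"),
    ("parse_request", "check_auth", "read_cache", "render_response"),
]


def build_chains(events):
    """Group events by request and order the functions by call timestamp."""
    calls = defaultdict(list)
    for request_id, timestamp, function in events:
        calls[request_id].append((timestamp, function))
    return {
        request_id: tuple(fn for _, fn in sorted(items, key=lambda c: c[0]))
        for request_id, items in calls.items()
    }


class TransitionModel:
    """First-order model of which function may follow which."""

    def __init__(self):
        self.seen = defaultdict(set)

    def fit(self, chains):
        for chain in chains:
            path = (START, *chain, END)
            for caller, callee in zip(path, path[1:]):
                self.seen[caller].add(callee)
        return self

    def unseen_transitions(self, chain):
        """Transitions in this chain that never occurred in training."""
        path = (START, *chain, END)
        return [(a, b) for a, b in zip(path, path[1:])
                if b not in self.seen.get(a, ())]

    def is_normal(self, chain, max_unseen=0):
        return len(self.unseen_transitions(chain)) <= max_unseen


def classify(events, model):
    """Return {request_id: True if the call chain looks normal}."""
    return {rid: model.is_normal(chain)
            for rid, chain in build_chains(events).items()}


if __name__ == "__main__":
    model = TransitionModel().fit(NORMAL_CHAINS)
    chains = build_chains(EVENTS)
    # r1 and r2 call the same functions the same number of times...
    print(Counter(chains["r1"]) == Counter(chains["r2"]))
    # ...but only r1 calls them in an order seen in normal traffic.
    print(classify(EVENTS, model))
    print(model.unseen_transitions(chains["r2"]))
```

Both requests are indistinguishable to a frequency count; only the ordered chain separates them, which is the property the method relies on.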
[0043] In some embodiments, at least one preset function called during the invocation of the first API can be monitored, and other functions among a plurality of functions other than the at least one preset function can be determined based on the context of the code corresponding to each preset function. Here, the plurality of functions in the function call chain includes the at least one preset function.
[0044] For example, instrumentation can be placed at key functions (i.e., predefined functions) in API calls to obtain the corresponding code and the context of the key function. Using the context of the key function, other functions called before and / or after it can be identified. Furthermore, by combining this with timestamps, a function call chain can be obtained, arranged sequentially according to the order of the calls. Here, a key function refers to a function that plays a crucial role, such as one that performs operations on major configurations or plays a major role in the entire call process.
[0045] As one implementation method, key functions can be selected based on the type of API.
[0046] In this way, by monitoring the preset functions called during the first API call process, and determining the other functions among multiple functions other than the preset functions based on the context of the code corresponding to the preset functions, the function call chain can be obtained without monitoring more functions, thereby saving the system resources required for monitoring and improving the efficiency of monitoring.
[0047] In some embodiments, a first detection may be performed on the call request of the first API to determine whether the call request of the first API is normal. If the result of the first detection is normal, the first API may be allowed to be called.
[0048] The following describes the multiple tests included in the first detection, using different implementation methods. In each of the tests mentioned below, if the test result is "yes," the result of the first detection is normal; if the test result is "no," the result of the first detection is abnormal.
[0049] As one implementation, the first detection may include detecting whether the numeric type of the API call request belongs to a preset numeric type. For example, if the preset numeric type is "int", then API call requests with numeric type "int" can pass the first detection, while call requests with other numeric types cannot. Here, the preset numeric type may include one or more data types.
[0050] In other implementations, the first detection may include detecting whether the length range of the API call request falls within a preset length range. For example, if the preset length range is 1 to 16 characters, then API call requests with a length range between 1 and 16 characters (inclusive) will pass the first detection, while call requests with other length ranges will not. Here, the preset length range may include one or more length ranges.
[0051] As another implementation, the first detection may include detecting whether the size range of the call request for the first API belongs to a preset size range. For example, the preset size range is 1 to 10 kilobytes (KB). Call requests for APIs with a size range of 1 to 10 KB (inclusive) can pass the first detection, while call requests with other size ranges cannot pass the first detection. Here, the preset size range may include one or more size ranges.
[0052] As another implementation, the first detection may include detecting whether the API call request does not contain an SQL statement. For example, if the API call request does not contain an SQL statement, the call request passes the first detection; if the API call request contains an SQL statement, it fails the first detection.
[0053] In some other implementations, the first detection may include detecting whether the call request of the first API does not contain characters that do not match the numeric type of the call request of the first API. For example, if characters such as Chinese characters and / or punctuation marks appear in the call request of the API with a numeric type of "int", then the call request will fail the first detection, while it will pass the first detection if no characters that do not match the numeric type of the call request of the first API appear.
[0054] It should be understood that passing the first detection means the result of the first detection is normal, and failing the first detection means the result of the first detection is abnormal.
[0055] In this way, the first API call request is checked to determine whether the first API call request is normal. Only if the result of the first check is normal is the first API allowed to be called. In this way, the first check can be used to exclude some abnormal API call requests, thereby improving the efficiency of distinguishing between normal and abnormal API call requests.
[0056] In some embodiments, the first detection includes two or more of the above-mentioned detections, that is, two or more of the following: detecting whether the numeric type of the first API call request belongs to a preset numeric type; detecting whether the length range of the first API call request belongs to a preset length range; detecting whether the size range of the first API call request belongs to a preset size range; detecting whether the first API call request does not contain SQL statements; and detecting whether the first API call request does not contain characters that do not match the numeric type of the first API call request.
[0057] Thus, the first detection, which includes multiple of the aforementioned detection methods, can more accurately exclude some abnormal API call requests, thereby further improving the efficiency of distinguishing between normal and abnormal API call requests.
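The combined first detection described above, as an added example that is not code from the patent: all five checks run against one request, and the request is normal only if none fails. The `Policy` and `CallRequest` types, the SQL keyword heuristic, the per-type character patterns and the sample requests are assumptions made for this sketch; the preset values follow the page's own examples ("int", 1 to 16 characters, up to 10 KB).

```python
import re
from dataclasses import dataclass

# Characters each declared data type may contain (ASCII only, so full-width
# digits or Chinese numerals do not pass as "int"). Assumed for this example.
TYPE_PATTERNS = {
    "int": re.compile(r"[+-]?[0-9]+"),
    "float": re.compile(r"[+-]?[0-9]+(\.[0-9]+)?"),
}

# Heuristic for "contains an SQL statement": a verb followed by its usual
# companion keyword. Assumed for this example; the page gives no rule.
SQL_STATEMENT = re.compile(
    r"\b(select\b.+\bfrom|union\b.+\bselect|insert\b.+\binto|"
    r"update\b.+\bset|delete\b.+\bfrom|drop\b.+\btable)\b",
    re.IGNORECASE | re.DOTALL,
)


@dataclass(frozen=True)
class Policy:
    allowed_types: frozenset = frozenset({"int"})
    length_range: tuple = (1, 16)        # characters, inclusive
    size_range: tuple = (1, 10 * 1024)   # bytes, inclusive (upper bound 10 KB)


@dataclass(frozen=True)
class CallRequest:
    declared_type: str   # data type the caller claims for the parameter
    value: str           # parameter value as received
    raw: bytes           # whole request as received, used for the size check


def first_detection(req, policy=Policy()):
    """Return the names of failed checks; an empty list means 'normal'."""
    failed = []
    if req.declared_type not in policy.allowed_types:
        failed.append("type")
    lo, hi = policy.length_range
    if not lo <= len(req.value) <= hi:
        failed.append("length")
    lo, hi = policy.size_range
    if not lo <= len(req.raw) <= hi:
        failed.append("size")
    if SQL_STATEMENT.search(req.value):
        failed.append("sql")
    pattern = TYPE_PATTERNS.get(req.declared_type)
    if pattern is not None and not pattern.fullmatch(req.value):
        failed.append("charset")
    return failed


def is_normal(req, policy=Policy()):
    # Every configured check must answer "yes" for the request to pass.
    return not first_detection(req, policy)


def make(declared_type, value, pad=0):
    """Build a constructed sample request; pad inflates the raw size."""
    raw = f"GET /v1/items?id={value}".encode("utf-8") + b" " * pad
    return CallRequest(declared_type, value, raw)


SAMPLES = {   # all constructed
    "plain_int": make("int", "12345"),
    "wrong_type": make("str", "abc"),
    "sql_in_int": make("int", "1; SELECT name FROM users"),
    "cjk_in_int": make("int", "12三"),
    "oversized": make("int", "7", pad=10 * 1024),
    "empty": make("int", ""),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, first_detection(req) or "normal")
```

A keyword heuristic like this misses encoded or obfuscated input, so it complements rather than replaces parameterized queries inside the API itself.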
[0058] In some embodiments, under certain preset conditions, the call requests of the first API are clustered with other abnormal API call requests, and the common characteristics of the abnormal API call requests are determined based on the clustering results. Here, the preset conditions include the machine learning model determining that the call requests of the first API are abnormal.
[0059] For example, if a machine learning model determines that a call request for the first API is abnormal, the call request for the first API can be clustered with call requests for other abnormal APIs. For example, clustering can be performed according to one or more of the parameters of the API call request, such as numeric type, length range, or size range. The common characteristics of abnormal API call requests can be obtained through the clustering results.
[0060] In some embodiments, the common feature may be a feature shared by more than a preset number of abnormal API call requests during the clustering process. For example, it may be a feature shared by most (e.g., 80%) of the abnormal API call requests during the clustering process; or, for another example, it may be a feature shared by all abnormal API call requests during the clustering process.
[0061] Thus, under the premise of meeting the preset conditions, the call requests of the first API are clustered with the call requests of other abnormal APIs, and the characteristics of the call requests of abnormal APIs are determined based on the clustering results, thereby providing a reference for analyzing the call requests of abnormal APIs.
[0062] In some embodiments, a first detection may be performed on the call request to the second API to determine whether the call request to the second API is legitimate. In this case, the multiple detections in the first detection also include detecting whether the call request to the second API has the characteristics of the call requests already identified as illegitimate. Here, the first API may be the same as or different from the second API.
[0063] In this way, during the initial detection of subsequent API calls, API call requests with the same or similar characteristics can be rejected in advance, thereby improving the efficiency of distinguishing between normal and abnormal API call requests.
[0064] In some embodiments, if the machine learning model determines that the call request of the first API is abnormal, a second detection is performed in a simulated environment to determine whether an attack occurred during the call to the first API. If an attack occurred, the correspondence between the features of the abnormal API call request and the category of the attack is determined based on the clustering results. Here, the preset condition also includes that the result of the second detection is that an attack occurred. In other words, the call request of the first API is determined to be abnormal only if the machine learning model determines that the call request of the first API is abnormal and an attack occurred.
[0065] The second detection can also be called attack replay detection.
[0066] In some embodiments, the call requests for the first API can be replicated to a simulated environment via traffic mirroring to perform the second detection. The simulated environment can be, for example, a sandbox.
[0067] In some embodiments, the attack may include at least one of tampering with system files and obtaining root privileges.
[0068] In this way, by determining the correspondence between the characteristics of abnormal API call requests and the categories of attack behaviors through clustering results, when receiving API call requests again, the system can reject API call requests with the same or similar characteristics and indicate the corresponding category of attack behavior, thereby improving the efficiency of distinguishing between normal and abnormal API call requests.
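The clustering, common-feature extraction and attack-category mapping described above, as an added example that is not code from the patent: abnormal requests are grouped, features shared by at least 80% of a cluster become its signature, and a later request matching a signature is rejected with the attack category attached. Greedy leader clustering, the bucket labels, the category names and the sample records are choices made for this sketch; the page does not name a clustering algorithm.

```python
from collections import Counter

# Parameters the page names as clustering inputs, here already bucketed.
FEATURES = ("type", "length", "size")


def req(type_, length, size, attack=None):
    """Constructed record; 'attack' is the category the sandbox replay
    (second detection) reported, None for a request not yet analysed."""
    return {"type": type_, "length": length, "size": size, "attack": attack}


# Constructed abnormal requests confirmed as attacks by the second detection.
ABNORMAL = [
    req("str", "65-256", "1-10KB", "tamper_system_files"),
    req("int", "1-16", "<1KB", "obtain_root"),
    req("str", "65-256", "1-10KB", "tamper_system_files"),
    req("str", "65-256", "10-100KB", "tamper_system_files"),
    req("int", "1-16", "<1KB", "obtain_root"),
    req("str", "65-256", "10-100KB", "tamper_system_files"),
    req("str", "17-64", "1-10KB", "tamper_system_files"),
    req("int", "1-16", "<1KB", "obtain_root"),
]


def shared(a, b):
    """Number of features on which two requests agree."""
    return sum(a[f] == b[f] for f in FEATURES)


def leader_cluster(requests, min_shared=2):
    """Greedy clustering: join the first cluster whose leader (its first
    member) agrees on at least min_shared features, else start a new one."""
    clusters = []
    for request in requests:
        for cluster in clusters:
            if shared(cluster[0], request) >= min_shared:
                cluster.append(request)
                break
        else:
            clusters.append([request])
    return clusters


def common_features(cluster, min_share=0.8):
    """Feature values held by at least min_share of the cluster members."""
    common = {}
    for feature in FEATURES:
        value, count = Counter(r[feature] for r in cluster).most_common(1)[0]
        if count / len(cluster) >= min_share:
            common[feature] = value
    return common


def signatures(requests, min_share=0.8):
    """Map each cluster's common features to its dominant attack category."""
    result = []
    for cluster in leader_cluster(requests):
        features = common_features(cluster, min_share)
        if features:
            category = Counter(r["attack"] for r in cluster).most_common(1)[0][0]
            result.append((features, category))
    return result


def match(request, sigs):
    """Attack category of the first signature the request matches, or None."""
    for features, category in sigs:
        if all(request.get(f) == v for f, v in features.items()):
            return category
    return None


if __name__ == "__main__":
    sigs = signatures(ABNORMAL)
    for features, category in sigs:
        print(category, features)
    # A later request is checked against the signatures before it is served.
    print(match(req("str", "65-256", ">100KB"), sigs))
    print(match(req("int", "1-16", "1-10KB"), sigs))
```

Raising `min_share` to 1.0 gives the stricter variant in which a feature must be shared by every request in the cluster.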
[0069] In some embodiments, the call request to the first API is determined to be normal in the absence of any attack.
[0070] As one implementation method, once it is determined that the call request of the first API is normal in the absence of any attack, the call request of the first API can be executed normally to call the corresponding API.
[0071] In this way, determining that the first API call request is normal in the absence of any attack behavior can avoid situations where normal API call requests are rejected due to misjudgment by the machine learning model, as well as situations where API call requests are actually normal even though the function call chain is non-compliant. This further improves the accuracy of distinguishing between normal and abnormal API call requests.
[0072] In some embodiments, if the result of the first detection is normal, a third detection is performed to detect whether the token carried in the call request of the first API is valid. If the token is valid, the first API is allowed to be called; if the token is invalid, the first API is not allowed to be called.
[0073] Thus, by combining the detection of token validity with the first detection, the accuracy of distinguishing between normal and abnormal API call requests can be further improved.
[0074] In some embodiments, when the token is invalid, the call request of the corresponding first API can be clustered with other abnormal API call requests. For example, the clustering can be performed according to one or more of the parameters of the API call request, such as numeric type, length range, size range, etc. The common characteristics of abnormal API call requests can be obtained through the clustering results.
[0075] In this way, when the token is invalid, the call request of the first API is clustered with other abnormal API call requests, and the characteristics of the abnormal API call requests are determined based on the clustering results, thus providing a reference for analyzing abnormal API call requests.
[0076] In some embodiments, if the token is invalid, a second detection is performed in a simulated environment to determine whether an attack has occurred during the call to the corresponding first API; if an attack has occurred, clustering is performed and the correspondence between the characteristics of the abnormal API call request and the category of the attack is determined based on the clustering results.
[0077] In this way, by determining the correspondence between the characteristics of abnormal API call requests and the categories of attack behaviors through clustering results, when API call requests are received again, those with the same or similar characteristics can be rejected in advance (i.e., before performing the third detection) and the corresponding attack behavior category can be indicated, thereby improving the efficiency of distinguishing between normal and abnormal API call requests.
[0078] Figure 2 is a schematic flowchart of a security protection method according to other embodiments of this disclosure.
[0079] In step 202, a call request for the first API is received.
[0080] In step 204, a first detection is performed on the call request for the first API to determine whether the call request for the first API is normal. Here, the first detection includes at least one of the aforementioned multiple detections. If the result of the first detection is normal, step 206 is executed; if the result of the first detection is abnormal, step 216 is executed, that is, the call request for the first API is rejected.
[0081] In step 206, a third check is performed to determine if the token carried in the call request for the first API is valid. If the token is valid, step 208 is executed, allowing the first API to be called; if the token is invalid, step 218 is executed.
[0082] In step 210, the function call chain consisting of multiple functions called during the invocation of the first API is monitored and input into the machine learning model. Here, in the function call chain, multiple functions are arranged sequentially according to the order in which they are called.
[0083] In step 212, the machine learning model determines whether the call request for the first API is normal. If normal, step 214 is executed, i.e., the first API is called again; if abnormal, step 218 is executed.
[0084] In step 218, a second detection is performed in a simulated environment to determine whether an attack occurred during the call to the first API. If no attack occurred, step 214 is executed; if an attack occurred, step 220 is executed.
[0085] In step 220, the call request of the first API is clustered with other abnormal API call requests, and the correspondence between the characteristics of the abnormal API call requests and the categories of attack behaviors is determined based on the clustering results.
[0086] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. For the apparatus embodiments, since they largely correspond to the method embodiments, the descriptions are relatively simple; relevant parts can be referred to the descriptions of the method embodiments.
[0087] Figure 3 is a structural schematic diagram of a security protection device according to some embodiments of the present disclosure.
[0088] As shown in Figure 3, the security protection device includes a monitoring module 301 and a determination module 302.
[0089] The monitoring module 301 is configured to monitor the function call chain consisting of multiple functions called during the call process of the first API. In the function call chain, the multiple functions are arranged in the order of their calls.
[0090] The determination module 302 is configured to input the function call chain into the machine learning model to determine whether the call request of the first API is normal.
[0091] In some embodiments, the security protection device may also include other modules to perform the security protection method of any of the above embodiments.
[0092] Figure 4 is a structural schematic diagram of a security protection device according to some embodiments of the present disclosure.
[0093] As shown in Figure 4, the security protection device 400 includes a memory 401 and a processor 402 coupled to the memory 401. The processor 402 is configured to execute the method of any of the foregoing embodiments based on instructions stored in the memory 401.
[0094] The memory 401 may include, for example, system memory, fixed non-volatile storage media, etc. The system memory may store, for example, an operating system, application programs, a boot loader, and other programs.
[0095] The security protection device 400 may also include an input / output interface 403, a network interface 404, and a storage interface 405. These interfaces 403, 404, and 405, as well as the memory 401 and processor 402, can be connected via, for example, a bus 406. The input / output interface 403 provides a connection interface for input / output devices such as monitors, mice, keyboards, and touchscreens. The network interface 404 provides a connection interface for various networked devices. The storage interface 405 provides a connection interface for external storage devices such as SD cards and USB flash drives.
[0096] This disclosure also provides a computer-readable storage medium including computer program instructions that, when executed by a processor, implement the method of any of the above embodiments.
[0097] This disclosure also provides a computer program product, including a computer program that, when executed by a processor, implements the method of any of the above embodiments.
[0098] The embodiments of this disclosure have now been described in detail. To avoid obscuring the concept of this disclosure, some details known in the art have not been described. Those skilled in the art can fully understand how to implement the technical solutions disclosed herein based on the above description.
[0099] Those skilled in the art will understand that embodiments of this disclosure can be provided as methods, systems, or computer program products. Therefore, this disclosure can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this disclosure can take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0100] This disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this disclosure. It should be understood that each process and/or box in the flowchart illustrations and/or block diagrams, and combinations of processes and/or boxes, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, produce a device for implementing the functions specified in one or more processes of the flowchart and/or one or more boxes of the block diagram.
[0101] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more boxes of the block diagram.
[0102] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions that execute on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more boxes of the block diagram.
[0103] While specific embodiments of this disclosure have been described in detail by way of examples, those skilled in the art should understand that the examples are for illustrative purposes only and not intended to limit the scope of this disclosure. Those skilled in the art should understand that modifications can be made to the above embodiments or equivalent substitutions can be made to some technical features without departing from the scope and spirit of this disclosure. The scope of this disclosure is defined by the appended claims.
Claims
1. A security protection method, comprising:
performing a first detection on a call request of a first application programming interface (API) to determine whether the call request of the first API is normal;
if the result of the first detection is normal, allowing the first API to be called;
monitoring a function call chain consisting of multiple functions called during the call to the first API, wherein the multiple functions are arranged in the order of their calls;
inputting the function call chain into a machine learning model to determine whether the call request of the first API is normal;
if preset conditions are met, clustering the call request of the first API with other abnormal API call requests, wherein the preset conditions include the machine learning model determining that the call request of the first API is abnormal;
determining, based on the clustering results, the common characteristics of abnormal API call requests;
if the machine learning model determines that the call request of the first API is abnormal, performing a second detection in a simulated environment to determine whether an attack occurred during the call to the first API;
in the event of an attack, determining the common characteristics of the abnormal API call requests and the category of the attack based on the clustering results, wherein the preset conditions also include the result of the second detection being that an attack has occurred; and
performing the first detection using a second API as the first API, wherein the first detection includes detecting whether the call request of the second API has the common characteristics.
2. The method according to claim 1, further comprising:
monitoring at least one preset function called during the call to the first API, wherein the plurality of functions include the at least one preset function; and
determining, based on the context of the code corresponding to each preset function, the other functions among the plurality of functions besides the at least one preset function.
3. The method according to claim 1, wherein the first detection includes at least one of the following detections, and the result of the first detection is normal only if the result of each of the at least one detection is yes:
detecting whether the numeric type of the call request for the first API belongs to a preset numeric type;
detecting whether the length range of the call request for the first API falls within a preset length range;
detecting whether the size range of the call request for the first API falls within a preset size range;
detecting whether the call request for the first API does not contain a Structured Query Language (SQL) statement; and
detecting whether the call request for the first API does not contain characters that do not match the numeric type of the call request for the first API.
4. The method according to claim 3, further comprising: in the absence of any attack, deeming the call request to the first API to be normal.
5. The method according to claim 3, wherein the attack includes at least one of tampering with system files and obtaining root privileges.
6. The method according to claim 3, wherein the call request for the first API is copied to the simulated environment via traffic mirroring to perform the second detection.
7. The method according to claim 3, wherein, if the result of the first detection is normal, allowing the first API to be called includes:
if the result of the first detection is normal, performing a third detection to check whether the token carried in the call request of the first API is valid;
if the token is valid, allowing the first API to be called; and
if the token is invalid, not allowing the first API to be called.
8. A security protection device, comprising:
a monitoring module configured to: perform a first detection on a call request of a first application programming interface (API) to determine whether the call request of the first API is normal; if the result of the first detection is normal, allow the first API to be called; and monitor a function call chain consisting of multiple functions called during the call process of the first API, in which the multiple functions are arranged in the order of their calls; and
a determination module configured to: input the function call chain into a machine learning model to determine whether the call request of the first API is normal; if preset conditions are met, cluster the call request of the first API with call requests of other abnormal APIs, the preset conditions including the machine learning model determining that the call request of the first API is abnormal; based on the clustering results, determine the common features of the call requests of abnormal APIs; if the machine learning model determines that the call request of the first API is abnormal, perform a second detection in a simulated environment to determine whether an attack occurred during the call of the first API; in the event of an attack, determine the common characteristics of the abnormal API call requests and the category of the attack based on the clustering results, wherein the preset conditions also include the result of the second detection being that an attack has occurred; and perform the first detection using a second API as the first API, wherein the first detection includes detecting whether the call request of the second API has the common characteristics.
9. A security protection device, comprising: a memory; and a processor coupled to the memory, the processor being configured to execute the method of any one of claims 1-7 based on instructions stored in the memory.
10. A computer-readable storage medium comprising computer program instructions, wherein, when the computer program instructions are executed by a processor, they implement the method described in any one of claims 1-7.
11. A computer program product comprising a computer program, wherein, when the computer program is executed by a processor, it implements the method described in any one of claims 1-7.
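The gate described by claims 3 and 7 (first detection, then token check), together with the common-feature check from the last step of claim 1, can be sketched as follows. This is an added example, not code from the patent. It assumes "numeric type" means the parameter's declared type, "length" means character count and "size" means numeric value; the `ParamRule` schema, the SQL regex and the HMAC token scheme are hypothetical.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ParamRule:  # hypothetical policy schema; the claims name the checks only
    kind: type    # preset type of the parameter (int or str)
    max_len: int  # preset length range: maximum characters
    lo: int = 0   # preset size range (numeric value), lower bound, int only
    hi: int = 0   # upper bound, int only

# Assumed SQL heuristic: statement keywords or comment/terminator tokens.
SQL_RE = re.compile(r"(?i)\b(select|union|insert|update|delete|drop)\b|--|;|/\*")

def first_detection(params, rules, common_features=()):
    """Claim 3: normal only if every check passes. Returns (ok, reason)."""
    for name, raw in params.items():
        rule = rules.get(name)
        if rule is None:
            return False, f"{name}: unexpected parameter"
        if len(raw) > rule.max_len:  # bound input before any further parsing
            return False, f"{name}: length out of range"
        if SQL_RE.search(raw):
            return False, f"{name}: SQL statement"
        if rule.kind is int:
            if not re.fullmatch(r"-?[0-9]+", raw):
                return False, f"{name}: characters do not match type"
            if not rule.lo <= int(raw) <= rule.hi:
                return False, f"{name}: size out of range"
        if any(f in raw for f in common_features):  # claim 1: learned features
            return False, f"{name}: has common abnormal feature"
    return True, "normal"

def issue_token(request_id, key):  # assumed scheme: hex HMAC-SHA256 of the id
    return hmac.new(key, request_id.encode(), hashlib.sha256).hexdigest()

def allow_call(params, rules, token, request_id, key, common_features=()):
    """Claim 7: the token (third detection) is checked only after the first."""
    ok, reason = first_detection(params, rules, common_features)
    if not ok:
        return False, reason
    expected = issue_token(request_id, key)
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False, "invalid token"
    return True, "allowed"

# Constructed sample policy, for illustration only.
RULES = {"user_id": ParamRule(int, 6, 1, 999999), "name": ParamRule(str, 32)}
```

Passing a non-empty `common_features` tuple models the feedback loop in claim 1: strings extracted from clustered abnormal requests are checked during the first detection of later calls.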