Journal of Xidian University ›› 2023, Vol. 50 ›› Issue (4): 237-248. doi: 10.19665/j.issn1001-2400.2023.04.023

• Cyberspace Security Column •

Research on API attack trapping technology for cloud native environments

ZHANG Yue1,2, CHEN Qingwang1,2, LIU Baoxu1,2, YU Cunwei3, TAN Ru1, ZHANG Fangjiao1

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China
    2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
    3. Unit 75841 of the People's Liberation Army, Changsha, Hunan 410005, China
  • Received: 2023-01-04 Online: 2023-08-20 Published: 2023-10-17
  • Corresponding author: ZHANG Fangjiao
  • About the authors: ZHANG Yue (1992-), female, assistant researcher, E-mail: zhangyue@iie.ac.cn; CHEN Qingwang (1999-), male, PhD candidate at the University of Chinese Academy of Sciences, E-mail: chenqingwang@iie.ac.cn; LIU Baoxu (1972-), male, researcher, E-mail: liubaoxu@iie.ac.cn; YU Cunwei (1992-), male, assistant engineer, E-mail: 453846750@qq.com; TAN Ru (1992-), male, engineer, E-mail: tanru@iie.ac.cn
  • Funding:
    Youth Innovation Promotion Association of the Chinese Academy of Sciences (2019163); National Natural Science Foundation of China (61902396); Strategic Priority Research Program of the Chinese Academy of Sciences (XDC02040100); Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, and Beijing Key Laboratory of Network Security and Protection Technology

Research on cloud native API attack trapping technology

ZHANG Yue1,2, CHEN Qingwang1,2, LIU Baoxu1,2, YU Cunwei3, TAN Ru1, ZHANG Fangjiao1

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085, China
    2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
    3. Unit 75841 of People's Liberation Army, Changsha 41005, China
  • Received: 2023-01-04 Online: 2023-08-20 Published: 2023-10-17
  • Contact: Fangjiao ZHANG

Abstract (translated from the Chinese):

As the core channel for connecting services and transmitting data, the application programming interface (API) hides non-negligible security risks behind its enormous value; as the most important information infrastructure on the Internet, it has become a primary target of attackers. To remedy the shortcoming that existing API security schemes cannot adequately protect the broad API attack surface, this paper focuses on cloud native API security. Based on the idea of active trapping, an API attack trapping framework oriented to cloud native environments is proposed, which constructs corresponding API decoys and high-interaction trapping environments according to the characteristics of the different cloud service layers. In the container orchestration layer (platform layer), three API decoys are constructed around weak points of the cloud components Kubernetes and Docker; in the application layer, fifteen API decoys are constructed from API vulnerabilities that are both highly harmful and frequently exploited. In addition, to address the high physical resource demand of application-layer API decoys, a dynamic scheduling algorithm based on current network traffic is proposed, which maximizes the capture effect while making full use of physical resources. A prototype system was implemented on the basis of the trapping framework and deployed in a real environment, where it ultimately captured 1270 distinct Internet Protocol (IP) addresses and 4146 requests. Experimental results show that the proposed API attack trapping technology can effectively discover API attack behaviour in cloud native environments.

Keywords: application programming interface (API), security, cloud API security, attack trapping, decoy

Abstract:

As the core channel for connecting services and transmitting data, the application programming interface (API) hides security risks that cannot be ignored behind its huge value. As the most important information infrastructure on the Internet, it has become the main target for attackers. In order to make up for the shortcomings of existing API security schemes that cannot adequately protect API attack surfaces, we focus on the API security of the cloud native architecture. Based on the idea of active trapping, a cloud-oriented API attack trapping framework is proposed, which constructs corresponding API decoys and high-interaction trapping environments according to the characteristics of different cloud service levels. Especially, in the container orchestration layer (platform layer), three API decoys are designed around the vulnerabilities of the cloud components Kubernetes and Docker. In the application layer, fifteen API decoys are designed by selecting API vulnerabilities with more harm and higher utilization frequency. At the same time, in view of the high demand for physical resources of high-interaction API decoys in the application layer, a dynamic scheduling algorithm based on the current network traffic is proposed to maximize the capture effect by making full use of physical resources. On the basis of the trapping framework, a prototype system is implemented and deployed in the real environment. The trapping system finally captures 1270 independent Internet Protocol (IP) addresses and 4146 requests. The captured data are statistically analyzed, and the captured attack behaviors are analyzed in detail. Experimental results show that the proposed API attack trapping technology can effectively discover API attack behaviors in the cloud native environment.
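Both abstracts mention a dynamic scheduling algorithm that allocates the resource-hungry application-layer decoys according to current network traffic, but give no detail of it. The following is an added illustration of that idea, not the paper's algorithm: a traffic-proportional apportionment of a fixed pool of high-interaction decoy instances, run over a constructed window of decoy access logs (the log format, decoy type names and documentation-range IPs are all assumptions).

```python
from collections import Counter

# Constructed sample of one scheduling window of decoy access logs; the
# "decoy=" tag names the decoy type that served the request (assumed format).
SAMPLE_WINDOW = """\
203.0.113.7 GET /api/v1/users/1 decoy=app-idor
203.0.113.7 GET /api/v1/users/2 decoy=app-idor
203.0.113.7 GET /api/v1/users/3 decoy=app-idor
203.0.113.8 GET /api/v1/users/1 decoy=app-idor
203.0.113.8 GET /api/v1/users/9 decoy=app-idor
198.51.100.3 POST /api/v1/login decoy=app-auth-bypass
198.51.100.4 POST /api/v1/login decoy=app-auth-bypass
192.0.2.9 GET /api/v1/pods decoy=k8s-api
192.0.2.9 GET /api/v1/namespaces decoy=k8s-api
192.0.2.10 GET /containers/json decoy=docker-api
"""

def summarize_window(log_text):
    """Return (requests per decoy type, number of distinct source IPs)."""
    per_decoy, ips = Counter(), set()
    for line in log_text.splitlines():
        ip, _method, _path, tag = line.split()
        per_decoy[tag.split("=", 1)[1]] += 1
        ips.add(ip)
    return dict(per_decoy), len(ips)

def schedule_decoys(request_counts, capacity, min_slots=1):
    """Share `capacity` decoy instances among decoy types in proportion to the
    traffic each drew in the window, keeping at least `min_slots` per type so
    quiet decoys stay reachable. Largest-remainder apportionment, ties by name."""
    types = sorted(request_counts)
    if capacity < min_slots * len(types):
        raise ValueError("capacity cannot satisfy the per-decoy minimum")
    alloc = {t: min_slots for t in types}
    spare = capacity - min_slots * len(types)
    total = sum(request_counts.values())
    if spare == 0 or total == 0:
        return alloc  # no traffic signal: hold the spare instances back
    quotas = {t: spare * request_counts[t] / total for t in types}
    for t in types:
        alloc[t] += int(quotas[t])
    leftover = spare - sum(int(q) for q in quotas.values())
    by_remainder = sorted(types, key=lambda t: (-(quotas[t] % 1), t))
    for t in by_remainder[:leftover]:
        alloc[t] += 1
    return alloc

if __name__ == "__main__":
    counts, unique_ips = summarize_window(SAMPLE_WINDOW)
    print(unique_ips, counts, schedule_decoys(counts, capacity=6))
```

Re-running `schedule_decoys` at the end of each window lets the pool follow shifts in which decoys are actually being probed, while the floor keeps every decoy type exposed.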

Key words: application programming interfaces (API), security, cloud API security, attack trapping, decoy

CLC number:

  • TP393.08