基于深度语义解析的API越权漏洞攻击主动防御方法

doi:10.3969/j.issn.1671-1122.2025.06.008

摘要/Abstract

摘要：

静态化防御机制因特征与语义理解有限，难以应对API越权漏洞的动态隐蔽威胁，主动防御已逐渐成为增强网络安全的有效手段。文章提出一种融合动态语义感知与对抗验证的主动防御方法，有效阻断API越权漏洞攻击威胁；设计一种高效的动态网页爬取策略，以充分获取页面信息，结合 MiniLM 模型分析响应包内容与 URL信息的关联性，实现有效载荷的构造。文章通过微调 BERT 模型对 URL 进行自定义类别划分，以此为基础，采用 Trans-LVD 模型进行页面相似度分析，量化 URL 之间的相似程度，识别可能存在的越权漏洞，实现对网络系统安全漏洞的修补和相关配置，提升系统对未知威胁的适应性与防护能力。最后，在业界工具基准测试下进行实验分析，证明该方法在检测精度、适应性及主动防御能力方面的优越性。

关键词: 深度语义解析, 主动防御, 越权漏洞, 对抗验证

Abstract:

Static defense mechanisms face difficulties addressing dynamic hidden API transgression threats due to limited feature and semantic understanding. Active defense has emerged as an effective approach to enhance network security. This paper proposed an active defense method integrating dynamic semantic sensing and adversarial verification to block API overstepping vulnerability attacks. A dynamic web crawling strategy efficiently obtained page data. This data was combined with a MiniLM model to analyze correlations between response payloads and URLs, enabling payload construction. BERT models were fine-tuned to classify URLs into custom categories. Based on these classifications, a Trans-LVD model performed page similarity analysis to quantify URL similarity levels, identify potential overstepping vulnerabilities, and automate security patching and configuration adjustments. This approach enhanced system adaptability and protection against unknown threats. Experiments were conducted using industry-standard benchmarks to demonstrate the method’s effectiveness in detection accuracy, adaptability, and active defense capabilities.

Key words: deep semantic parsing, active defense, overstepping vulnerabilities, adversarial verification

中图分类号:

TP309

冯景瑜, 潘濛, 王佳林, 赵翔. 基于深度语义解析的API越权漏洞攻击主动防御方法[J]. 信息网络安全, 2025, 25(6): 933-942.

FENG Jingyu, PAN Meng, WANG Jialin, ZHAO Xiang. Deep Semantic Parsing Based Active Defense against API Overstep Vulnerabilities[J]. Netinfo Security, 2025, 25(6): 933-942.

图/表 15

图1

图2

图3

图4

图5

图6

表1

表2

表3

表4

图7

图8

图9

表5

图10

参考文献 20

[1]	WANG Lian, ZHOU Shiteng, OU Shaohua, et al. Automatic Detection Method,Device and Computer Equipment for Privilege Escalation Vulnerabilities Based on Traffic: China, 202111220698.4[P]. 2022-03-02.
	王练, 周世腾, 欧绍华, 等. 基于流量的越权漏洞自动检测方法、装置及计算机设备:中国,202111220698.4[P]. 2022-03-02.
[2]	WANG Lian, OU Shaohua, ZHOU Shiteng, et al. A Method for Detecting Android Malware Based on Multi-Features: China, 202111398522.8[P]. 2021-11-19.
	王练, 欧绍华, 周世腾, 等. 一种基于多特征的安卓恶意软件检测方法:中国, 202111398522.8[P]. 2021-11-19.
[3]	DEEPA G, SANTHI T P, PRASEED A, et al. DetLogic: A Black-Box Approach for Detecting Logic Vulnerabilities in Web Applications[J]. Journal of Network and Computer Applications, 2018, 109: 89-109.
[4]	MENG Liang, ZENG Mingfei, XIE Ming, et al. Research on Active Defense Technology Based on Power System Network Security[C]// IEEE. The 12th International Conference on Communication Systems and Network Technologies (CSNT). New York: IEEE, 2023: 710-714.
[5]	WU Junxi, LIN Feng, GAO Hongyun. A Method for Identifying Security Vulnerabilities in Multi-Attribute Information Exchange under Static Defense[J]. Journal of Xi’an University of Posts and Telecommunications, 2024, 29(6): 79-85.
	伍均玺, 林峰, 高红云. 静态防御下多属性信息交换安全漏洞识别方法[J]. 西安邮电大学学报, 2024, 29(6): 79-85.
[6]	TIAN Zhenzhou, LYU Jiajun, WANG Fanfan. Function-Level Code Vulnerability Detection Based on Multi-Representation Fusion[J]. Journal of Xi’an University of Posts and Telecommunications, 2023, 28(1): 78-84.
	田振洲, 吕佳俊, 王凡凡. 基于多表征融合的函数级代码漏洞检测方法[J]. 西安邮电大学学报, 2023, 28(1): 78-84.
[7]	WANG Juan, ZHANG Boxian, ZHANG Zhijie, et al. Java Deserialization Vulnerability Mining Based on Fuzz Testing[J]. Information Network Security, 2025, 25(1): 1-12.
	王鹃, 张勃显, 张志杰, 等. 基于模糊测试的 Java反序列化漏洞挖掘[J]. 信息网络安全, 2025, 25(1): 1-12.
[8]	MUNONYE K, MARTINEK P. Machine Learning Approach to Vulnerability Detection in OAuth 2.0 Authentication and Authorization Flow[J]. International Journal of Information Security, 2022, 21(4): 223-237.
[9]	ZHONG Li. A Survey of Prevent and Detect Access Control Vulnerabilities[EB/OL]. (2023-04-20)[2024-09-03]. https://arxiv.org/abs/2304.10600.
[10]	QIAN Xingzhi. LAMD: Context-Driven Android Malware Detection and Classification with LLMs[EB/OL]. (2025-02-18)[2025-02-21]. https://arxiv.org/html/2502.13055v1.
[11]	YANG Lisheng, LUO Wenhua. Tri-BERT-SENet: Malicious Web Page Detection Integrating Multiple Features[J]. Journal of Chinese computer Systems, 2023, 44(4): 875-880.
	杨立圣, 罗文华. Tri-BERT-SENet:融合多特征的恶意网页识别[J]. 小型微型计算机系统. 2023, 44(4): 875-880.
[12]	ZHANG Zhifei, LIU Feng, GE Yiyang, et al. An Intrusion Detection Method Based on Depthwise Separable Convolution and Attention Mechanism[J]. Journal of Internet of Things, 2023, 7(1): 49-59.
	张志飞, 刘峰, 葛祎阳, 等. 一种基于深度可分离卷积和注意力机制的入侵检测方法[J]. 物联网学报, 2023, 7(1): 49-59. doi: 10.11959/j.issn.2096-3750.2023.00307
[13]	HUANG Yiwei. The GAN is Dead; Long Live the GAN! A Modern GAN Baseline[EB/OL]. (2025-01-01)[2025-02-03]. https://arxiv.org/abs/2501.05441.
[14]	AL-SADA B, SADIGHIAN A, OLIGERI G, et al. MITRE ATT&CK: State of the Art and Way Forward[EB/OL]. (2023-08-27)[2025-02-03]. https://arxiv.org/abs/2308.14016.
[15]	LYU Tao, LI Ruishi, YANG Yi, et al. RTFM! Automatic Assumption Discovery and Verification Derivation from Library Document for API Misuse Detection[C]// ACM. 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS). New York: ACM, 2020: 1-12.
[16]	WU Panpan, YU Jiawen, HAN Bingqing. Discussion on the Mining Approach for Web Security Logic Vulnerabilities Based on HTTP Packets[J]. Computer Era, 2023(9): 24-28.
	吴盼盼, 俞嘉雯, 韩冰青. 浅谈基于HTTP数据包的Web安全逻辑漏洞挖掘思路[J]. 计算机时代, 2023(9): 24-28.
[17]	SHI Chong, PENG Jiahao, ZHU Shuying, et al. From Passive Defense to Proactive Defence: Strategies and Challenges[J]. Journal of Cybersecurity and Information Systems, 2022, 15(2): 123-135.
[18]	RIGGS H, TUFAIL M, KUMAR S, et al. Impact, Vulnerabilities, and Mitigation Strategies for Cyber-Secure Critical Infrastructure[J]. Sensors. 2023, 23(8): 4060-4069.
[19]	CHENG Jia, MAO Pengpeng. Research on Network Information Security Technology in Cloud Computing Environment[J]. Wireless Internet Technology, 2023, 20(14): 161-164.
	程嘉, 冒鹏鹏. 云计算环境下网络信息安全技术研究[J]. 无线互联科技, 2023, 20(14): 161-164.
[20]	ZHANG Huanqing, LIU Chunming, ZHAO Yulong, et al. A Novel Proactive Operation Strategy to Enhance Power System Resilience[J]. Power System Technology, 2024, 48(5): 2012-2021.
	张焕青, 刘春明, 赵宇龙, 等. 一种提升电力系统韧性的新型主动防御策略[J]. 电网技术, 2024, 48(5): 2012-2021.

漏洞类型	编号	具体描述	防御措施列表
水平越权漏洞	1	操控请求参数实现水平越权	使用最小权限原则
			强化身份验证和授权检查
			参数化查询和数据访问层
			用户界面和API的访问控制
			用户登录时将用户名存入session，并在相关页面进行判断
	8	满足某些特定条件下的水平越权	加强身份验证
			强化身份验证和授权检查
			保护用户鉴权信息
			使用token
			用户登录时将用户名存入session，并在相关页面进行判断
垂直越权漏洞	2	低权限用户的身份获得了高权限用户或管理员的权限，从而访问或操作了不该访问的资源	实施严格访问控制
			建立安全审计和监控机制
			使用会话管理
			使用多因素认证
			使用加密技术保护数据
未授权访问	3	绕过系统的正常认证和授权机制，直接访问	实施基于角色的访问控制
			访问控制列表
			使用OAuth2.0
			使用JWT
			使用SAML2.0

组件类别	配置详情
操作系统	Windows 10 Professional (Build 19045)
编程环境	Python 3.8.10, CUDA 11.6 (NVIDIA RTX 3090)
核心工具库	Transformers 4.26.0, Selenium 4.8.2, mitmproxy 9.0.0
依赖服务	MySQL 5.7.26, Redis 6.2.6 (缓存加速)

靶场类型	部署平台	技术栈	漏洞覆盖
Pikachu漏洞平台	Windows 10 + phpstudy	Apache 2.4.39/PHP 7.3.4	水平越权、垂直越权、未授权访问等8类漏洞
crAPI微服务靶场	Kali 2023 + Docker	Spring Boot 2.7/React 18.2	API参数越权、JWT令牌篡改等5类REST漏洞
DVWA 定制化环境	Docker Cluster	PHP 8.1/MySQL 8.0	业务逻辑越权、会话固定等混合型漏洞

变量类型	变量名称	定义描述
自变量	检测算法类型	检测算法
因变量	检测准确率(Accuracy)	正确识别漏洞的请求数占总测试请求的比例
	误报率(FPR)	正常请求被误判为攻击的比例
	覆盖率(Coverage)	成功爬取的API端点占靶场全部端点的比例
控制变量	网络延迟	限制靶场网络带宽
控制变量	硬件资源	固定测试设备配置

API路径	耗时/s	分类
/community/api/v2/community/posts/jxURTapuskaN9DsRZPgbhS/comment	21.59	社区功能
/workshop/api/shop/orders/245	20.15	工单系统
/identity/api/v2/user/videos/65	18.21	用户多媒体
/workshop/api/shop/orders/return_order?order_id=245	17.71	工单系统
/workshop/api/mechanic/mechanic_report?report_id=1	14.68	维修报告