
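A Survey for Cloud Application Programming Interface Security: Threats and Protection
Cite this article: CHEN Zhen, QI Wenchao, HE Pengfei, LIU Linlin, SHEN Limin. A Survey for Cloud Application Programming Interface Security: Threats and Protection[J]. Journal of Electronics & Information Technology, 2023, 45(1): 371-382.
Authors: CHEN Zhen  QI Wenchao  HE Pengfei  LIU Linlin  SHEN Limin
Affiliation: 1. School of Information Science and Engineering, Yanshan University, Qinhuangdao 066004; 2. National Science Library, Chinese Academy of Sciences, Beijing 100190; 3. Key Laboratory for Computer Virtual Technology and System Integration of Hebei Province, Qinhuangdao 066004
Funding: National Natural Science Foundation of China (62102348, 61772450), Natural Science Foundation of Hebei Province (F2019203287), Science and Technology Program for Higher Education Institutions of the Hebei Education Department (QN2020183)
Abstract: In the cloud era, the cloud Application Programming Interface (API) is the best carrier for service delivery, capability replication and data output. However, while opening up services and data, cloud APIs also enlarge the exposure surface and the attack surface: using techniques such as data hijacking and traffic analysis, attackers can obtain key resources of a target cloud API, identify users' identities and behavior, and even directly paralyze the system behind it. At present, attacks against cloud APIs are of many types, and the threats and protection methods differ, yet a systematic summary of existing attack and protection methods is lacking. This paper reviews the threats faced by cloud APIs and the protection methods in cloud API security research, and analyzes the evolution and classification of cloud APIs; discusses the vulnerability of cloud APIs and the importance of cloud API security research; and proposes a cloud API security research framework that surveys related work in six areas: identity authentication, cloud API Distributed Denial of Service (DDoS) attack protection, replay attack protection, Man-In-The-Middle (MITM) attack protection, injection attack protection and sensitive data protection. On this basis, it explores the necessity of adding Artificial Intelligence (AI) protection. Finally, future challenges and development trends of cloud API protection are given.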

Keywords: cloud Application Programming Interface    cloud API vulnerability    cloud API security    cloud API attack    cloud API protection
Received: 2021-10-28

A Survey for Cloud Application Programming Interface Security: Threats and Protection
CHEN Zhen, QI Wenchao, HE Pengfei, LIU Linlin, SHEN Limin. A Survey for Cloud Application Programming Interface Security: Threats and Protection[J]. Journal of Electronics & Information Technology, 2023, 45(1): 371-382.
Authors:CHEN Zhen  QI Wenchao  HE Pengfei  LIU Linlin  SHEN Limin
Affiliation: 1. School of Information Science and Engineering, Yanshan University, Qinhuangdao 066004, China; 2. National Science Library, Chinese Academy of Sciences, Beijing 100190, China; 3. Key Laboratory for Computer Virtual Technology and System Integration of Hebei Province, Yanshan University, Qinhuangdao 066004, China
Abstract: In the cloud era, the cloud Application Programming Interface (API) is the best carrier for service delivery, capability replication and data output. However, while opening up services and data, cloud APIs increase the exposure and attack surface of cloud applications. Through data hijacking, traffic analysis and other techniques, attackers can obtain the key resources of the target cloud API, and so identify the identity and behavior of users, or even directly paralyze the underlying system. Currently, there are many types of attacks against cloud APIs, and their threats and protection methods differ. However, existing research lacks a systematic summary of cloud API attack and protection methods. In this paper, a detailed survey of the threats faced by cloud APIs and the corresponding protection methods is conducted. First, the evolution and classification of cloud APIs are analyzed. The vulnerability of cloud APIs and the importance of cloud API security research are then discussed. Furthermore, a systematic cloud API security research framework is proposed, which covers six aspects: identity authentication, cloud API Distributed Denial of Service (DDoS) attack protection, replay attack protection, Man-In-The-Middle (MITM) attack protection, injection attack protection and sensitive data protection. In addition, the necessity of Artificial Intelligence (AI) protection for cloud APIs is discussed. Finally, the future challenges and development trends of cloud API protection are presented.
Keywords: