Master's thesis 111453016: detailed record




Author: 陳怡雯 (Yi-Wen Chen)    Graduating department: Department of Information Management, in-service master's program
Thesis title: 基於屬性存取控制之應用程式介面安全框架研究
(Research on Application Programming Interface Security Framework Based on Attribute-Based Access Control)
Related theses
★ Research on Applying Digital Rights Management Mechanisms to Content Protection of Digital Audio/Video Discs
★ Research on Enterprise Software License Management Using Application Virtualization Technology
★ Design of a Web Telephony Architecture Based on IAX2
★ Research on Applying Machine Learning Techniques to Assist Police in Investigating Fraud Cases
★ Research on an Account-Based Ticketing System Extended with Fraud Prevention and Privacy Protection: The Case of Public Transit
★ Research on Collecting and Integrating Semi-Structured Internet Data
★ Research on an Online Shopping Assistant for E-Commerce Environments
★ Research on Defense-in-Depth Protection Mechanisms for Network Security
★ Research on Advance Resource Reservation and Resource Conflicts on the National Broadband Experimental Network
★ Research on Detecting E-mail Viruses with a Tree-Structured Correlation Architecture
★ Research on Video Placement in Video-on-Demand Systems Considering Regional Differences
★ Research on Digital Evidence Preservation in Untrusted Local Area Networks
★ Development of an Integrated Support System for Explaining Intrusion Detection System Events and Automatically Adding Detection Rules
★ Research on Correlating Intrusion Alerts from Distributed Intrusion Detection Systems Using Process Tracing
★ Development of a Technique for Automatically Generating Web Information Extraction Programs
★ Research on Applying XML/XACML to Authorization Control in Workflow Management Systems
Full text: viewable in the system from 2026-8-1 (embargoed until then)
Abstract (Chinese) With the rapid development of technology, APIs (application programming interfaces) have become one of the key technologies of digital transformation. APIs make interaction between systems more convenient and promote system integration and innovative collaboration. However, with the explosive growth in API usage, security risks have risen significantly, especially problems related to authentication and authorization.
To respond to the security threats APIs face, the concept of an API framework has been proposed. In 2020 the European Union proposed an API framework for government environments containing 12 implementation recommendations. However, that framework's guidance on identity and access management (IAM) is insufficient. Under the trend of zero trust security, identity has become the new security perimeter; IAM mechanisms can strengthen identity authentication and fine-grained access control and enforce the principle of least privilege.
This study examines and improves the EU's API framework by integrating attribute-based access control (ABAC) and zero trust concepts into the security process, proposing an ABAC-based API security framework that improves the flexibility and security of APIs in dynamic and complex environments. By dynamically evaluating the attributes of the user, the resource and the environment to decide access permissions, it provides finer-grained, context-aware security controls. The framework gives API designers and developers a clear reference when specifying and designing APIs, thereby improving API security. This study aims to offer a new perspective and a practical framework for the field of API security, helping organizations protect APIs and related resources from security threats while achieving digital transformation, and assisting organizations in moving toward zero trust security.
Abstract (English) With the rapid advancement of technology, APIs (Application Programming Interfaces) have become crucial for digital transformation. APIs enhance system convenience, integration, and innovation. However, their explosive growth has significantly increased security risks, especially in authentication and authorization.
To address API security threats, various frameworks have been proposed. In 2020, the EU introduced an API framework for government environments with 12 implementation recommendations. However, it lacks sufficient guidance in identity and access management (IAM). With the rise of zero trust security, identity is the new security perimeter. Strengthening identity authentication and fine-grained access control through IAM mechanisms enforces the principle of least privilege.
This study aims to improve the EU's API framework by integrating attribute-based access control (ABAC) and zero trust concepts. It proposes an ABAC-based API security framework to enhance flexibility and security in dynamic environments. By evaluating user, resource, and environment attributes dynamically to determine access permissions, it offers more fine-grained, context-related security controls. This framework provides clear guidelines for API designers and developers, improving API security. The study aims to offer a new perspective and practical framework for API security, helping organizations achieve digital transformation while protecting APIs and related resources from security threats, and advancing towards zero trust security.
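The abstract describes the core mechanism of the framework, an access decision computed from user, resource and environment attributes, without showing one. The following is an added illustration written for this record, not code from the thesis or its author: a small ABAC policy decision point for an HTTP API with deny-overrides combining and default deny, so that a caller gets only what a matching permit rule grants (least privilege) and contextual attributes such as MFA, device posture and time of day can veto an otherwise permitted call. The attribute names, the rule set and the sample requests are assumptions made for the demonstration.

```python
"""Minimal attribute-based access control (ABAC) policy decision point for an
HTTP API. Added example only; the attribute names, rules and sample requests
below are assumptions for the demonstration, not the thesis's own design."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict       # who is calling: id, role, department, mfa
    action: str         # HTTP method used on the API, e.g. "GET" or "PATCH"
    resource: dict      # what is called: kind, owner, department, sensitivity
    environment: dict   # context: UTC time, client IP, device posture


@dataclass
class Rule:
    name: str
    effect: str         # "permit" or "deny"
    applies: Callable[[Request], bool]


READ = {"GET", "HEAD"}


def business_hours(env: dict) -> bool:
    """Assumed policy: Monday to Friday, 08:00 to 18:00 UTC."""
    t: datetime = env["time"]
    return t.weekday() < 5 and 8 <= t.hour < 18


# Deny rules carry the hard zero-trust constraints (they win over any permit);
# permit rules grant only what the subject's relationship to the resource justifies.
RULES = [
    Rule("deny-write-without-mfa", "deny",
         lambda r: r.action not in READ and not r.subject.get("mfa", False)),
    Rule("deny-confidential-unmanaged-device", "deny",
         lambda r: r.resource.get("sensitivity") == "confidential"
         and not r.environment.get("device_managed", False)),
    Rule("deny-confidential-out-of-hours", "deny",
         lambda r: r.resource.get("sensitivity") == "confidential"
         and not business_hours(r.environment)),
    # Object-level check: a customer reaches only records they own.
    Rule("permit-owner", "permit",
         lambda r: r.resource.get("owner") == r.subject.get("id")),
    Rule("permit-support-read-same-department", "permit",
         lambda r: r.subject.get("role") == "support" and r.action in READ
         and r.subject.get("department") == r.resource.get("department")),
    Rule("permit-admin", "permit",
         lambda r: r.subject.get("role") == "admin"),
]


@dataclass
class Decision:
    permit: bool
    reasons: list = field(default_factory=list)   # names of the rules that decided


def decide(req: Request, rules=RULES) -> Decision:
    """Deny-overrides combining: any matching deny rule wins; otherwise at least one
    matching permit rule is required; no matching rule at all means deny."""
    matched = [rule for rule in rules if rule.applies(req)]
    denies = [rule.name for rule in matched if rule.effect == "deny"]
    if denies:
        return Decision(False, denies)
    permits = [rule.name for rule in matched if rule.effect == "permit"]
    if permits:
        return Decision(True, permits)
    return Decision(False, ["default-deny"])


def sample_requests() -> dict:
    """Constructed sample API calls for the demonstration (not real traffic)."""
    tue_10 = {"time": datetime(2024, 7, 23, 10, 0, tzinfo=timezone.utc),   # a Tuesday
              "client_ip": "203.0.113.10", "device_managed": True}
    sat_10 = {**tue_10, "time": datetime(2024, 7, 27, 10, 0, tzinfo=timezone.utc)}  # a Saturday
    acct_u1 = {"kind": "account", "owner": "u1", "department": "retail", "sensitivity": "internal"}
    acct_u2 = {**acct_u1, "owner": "u2"}
    vault = {"kind": "account", "owner": "u9", "department": "treasury", "sensitivity": "confidential"}
    alice = {"id": "u1", "role": "customer", "department": "retail", "mfa": True}
    bob = {"id": "u3", "role": "support", "department": "retail", "mfa": True}
    carol = {"id": "u5", "role": "admin", "department": "it", "mfa": True}
    dave = {"id": "u2", "role": "customer", "department": "retail", "mfa": False}
    return {
        "owner_read": Request(alice, "GET", acct_u1, tue_10),
        "other_customer_read": Request(alice, "GET", acct_u2, tue_10),   # object-level abuse attempt
        "support_read": Request(bob, "GET", acct_u2, tue_10),
        "support_write": Request(bob, "PATCH", acct_u2, tue_10),         # support is read-only
        "write_without_mfa": Request(dave, "PATCH", acct_u2, tue_10),    # owner, but no MFA
        "admin_unmanaged_confidential": Request(carol, "GET", vault, {**tue_10, "device_managed": False}),
        "admin_weekend_confidential": Request(carol, "GET", vault, sat_10),
        "admin_confidential": Request(carol, "GET", vault, tue_10),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = decide(req)
        print(f"{name:32s} {'PERMIT' if d.permit else 'DENY':6s} {', '.join(d.reasons)}")
```

The point of the ordering is that an environment attribute (unmanaged device, weekend) or a subject attribute (no MFA) blocks a call even for an administrator or the record's owner, while a customer reading another customer's record falls through to the default deny because no permit rule mentions that relationship; in a real gateway the attribute dictionaries would be populated from the verified token, the resource lookup and the request context rather than constructed inline.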
Keywords
★ API Security
★ Identity and Access Management (IAM)
★ Attribute-Based Access Control (ABAC)
★ Zero Trust
★ Principle of Least Privilege
Table of contents
Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation
1.3 Research Objectives
1.4 Research Contributions
1.5 Thesis Organization
Chapter 2 Literature Review
2.1 API Overview
2.1.1 API Technology Trends
2.1.2 Summary
2.2 API Risks
2.2.1 OWASP Top 10 API Security Risks
2.2.2 STRIDE Threat Model
2.2.3 Summary
2.3 Identity and Access Management (IAM)
2.3.1 Access Control
2.3.2 Principle of Least Privilege
2.3.3 Summary
2.4 Zero Trust
2.4.1 Zero Trust Architecture
2.4.2 Zero Trust Network Access
2.4.3 Summary
2.5 Frameworks
2.5.1 The European Union's API Framework
2.5.2 NIST Cybersecurity Framework (CSF)
2.5.3 Cyber Defense Matrix
2.5.4 Summary
Chapter 3 Research Method
3.1 API Security Framework Design
3.2 Process Design of the API Security Framework
3.3 Contents of the API Security Framework
3.3.1 Confirming User Roles and Access Purposes
3.3.2 Defining Functional Requirements
3.3.3 Defining Non-Functional Requirements
3.3.4 Integration and Delivery of the API Security Specification
Chapter 4 Scenario Study and Evaluation
4.1 Evaluation Design
4.1.1 Use Case Design
4.1.2 Scenario Objective Design
4.2 Scenario Simulation Design and Execution
4.2.1 Building the Scenario Simulation
4.2.2 Defining Roles and Attributes
4.2.3 Defining API Functions and Inventorying Security Technologies
4.2.4 Delivery of the API Security Specification
4.3 Cyber Resilience Evaluation
4.3.1 Evaluating the Effects on the Experimental and Control Groups
4.3.2 Scenario Resilience Evaluation
Chapter 5 Conclusions and Future Research
5.1 Research Conclusions and Contributions
5.2 Future Research Directions
References
Advisor: 陳奕明 (Yi-Ming Chen)    Review date: 2024-7-25

For questions about this thesis, contact the Promotion Services Division of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.