US20220321587A1 - Automatic anomaly detection based on api sessions - Google Patents
Automatic anomaly detection based on api sessions Download PDFInfo
- Publication number
- US20220321587A1 US20220321587A1 US17/339,951 US202117339951A US2022321587A1 US 20220321587 A1 US20220321587 A1 US 20220321587A1 US 202117339951 A US202117339951 A US 202117339951A US 2022321587 A1 US2022321587 A1 US 2022321587A1
- Authority
- US
- United States
- Prior art keywords
- api
- server
- received
- chronological order
- api request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title description 2
- 239000008186 active pharmaceutical agent Substances 0.000 claims abstract description 130
- 230000004044 response Effects 0.000 claims abstract description 97
- 238000000034 method Methods 0.000 claims description 44
- 239000003795 chemical substances by application Substances 0.000 claims description 32
- 230000002547 anomalous effect Effects 0.000 abstract description 5
- 238000005516 engineering process Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 7
- 230000006399 behavior Effects 0.000 description 6
- 230000002093 peripheral effect Effects 0.000 description 4
- 238000012544 monitoring process Methods 0.000 description 3
- 230000001413 cellular effect Effects 0.000 description 2
- 238000004891 communication Methods 0.000 description 2
- 238000009826 distribution Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000035945 sensitivity Effects 0.000 description 2
- 241000590419 Polygonia interrogationis Species 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 210000001072 colon Anatomy 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9027—Trees
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/955—Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
- G06F16/9566—URL specific, e.g. using aliases, detecting broken or misspelled links
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
- G06F9/541—Interprogram communication via adapters, e.g. between incompatible applications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
- G06F9/543—User-generated data transfer, e.g. clipboards, dynamic data exchange [DDE], object linking and embedding [OLE]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
- G06F9/547—Remote procedure calls [RPC]; Web services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/133—Protocols for remote procedure calls [RPC]
-
- H04L67/40—
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/2866—Architectures; Arrangements
- H04L67/30—Profiles
- H04L67/303—Terminal profiles
Definitions
- API application program interface
- a session of API behavior is detected as two or more API requests that are typically received in order.
- a session may include an API request to select a product, followed by an API response with a URL for viewing the product, an API request to place the product in the user's cart, followed by an API response with a URL for displaying the items in the user's cart, followed by an API request to perform checkout, and finally followed by an API response with a URL for providing a checkout page to the user.
- the APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response.
- incoming API requests that are typically associated with a session can be compared to the session to see if they appear in the expected sequence based on the session. If an API request is not received in the sequence according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request can be tagged as an anomaly.
- a method automatically detects an anomaly based on a session of APIs received for a web service.
- the method begins with receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server.
- the received API request is compared to a set of APIs having a preset chronological order.
- the system detects that the received API request is not received in an expected chronological order defined by the present chronological order.
- the received API request is identified as an anomaly based on the unexpected chronological order of the receive API request.
- a non-transitory computer readable storage medium has embodied thereon a program that is executable by a processor to perform a method.
- the method automatically detects an anomaly based on a session of APIs received for a web service.
- the method begins with receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server.
- the received API request is compared to a set of APIs having a preset chronological order.
- the system detects that the received API request is not received in an expected chronological order defined by the present chronological order.
- the received API request is identified as an anomaly based on the unexpected chronological order of the receive API request.
- a system can include a server, memory and one or more processors.
- One or more modules may be stored in memory and executed by the processors to receive, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server, compare the received API request to a set of APIs having a preset chronological order, detect that the received API request is not received in an expected chronological order defined by the present chronological order, and identify the received API request as an anomaly based on the unexpected chronological order of the receive API request.
- FIG. 1 is a block diagram of a system for intelligently monitoring API sessions.
- FIG. 2 is a block diagram of an application that automatically monitors API sessions.
- FIG. 3 is a method that automatically monitors API sessions.
- FIG. 4 is a method for identifying API requests related to an API response.
- FIG. 5 is a method for identifying API requests related to previously intercepted API responses.
- FIG. 6 is a method for detecting anomalous API requests based on API sessions.
- FIG. 7 is a block diagram of a system for implementing machines that implement the present technology.
- the present system identifies sessions of API behavior and uses the identified behavior to detect anomalous API requests.
- a session of API behavior is detected as two or more API requests that are typically received in order.
- a session may include an API request to select a product, followed by an API response with a URL for viewing the product, an API request to place the product in the user's cart, followed by an API response with a URL for displaying the items in the user's cart, followed by an API request to perform checkout, and finally followed by an API response with a URL for providing a checkout page to the user.
- the APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response.
- incoming API requests that are typically associated with a session can be compared to the session to see if they appear in the expected sequence based on the session. If an API request is not received in the sequence according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request can be tagged as an anomaly.
- FIG. 1 is a block diagram 100 of a system for intelligently monitoring API sessions.
- the block diagram 100 of FIG. 1 includes client devices 110 - 140 , customer server 150 , network 160 , Application server 170 , and data store 180 .
- Client devices 110 - 140 may send API requests to and receive API responses from customer server 150 .
- the client devices may be any device which can access the service, network page, webpage, or other content provided by customer server 150 .
- Client devices 110 - 140 may send a request to customer server 150 , for example to an API provided by customer server 150 , and customer server 150 may send a response to the devices based on the request.
- the request may be sent to a particular URL provided by customer server 150 and the response may be sent from the server to the device in response to the request.
- a typical system may handle requests from a larger number of clients, for example, dozens, hundreds, or thousands, and any number of client devices may be used to interact with customer server 150 .
- Customer server 150 may provide a service to client devices 110 - 140 .
- the service may be accessible through APIs provided by customer server 150 .
- Agent 152 on customer server 150 may monitor the communication between customer server 150 and client devices 110 - 140 and intercept traffic transmitted between the server and the devices. Upon intercepting the traffic, agent 152 may forward the traffic to application 172 on application server 170 .
- one or more agents may be installed on customer server 150 , which may be implemented by one or more physical or logical machines. In some instances, server 150 may actually be implemented by multiple servers in different locations, providing a distributed service for devices 110 - 140 .
- one or more agents 152 may be installed to intercept API requests and responses between devices 110 - 140 and customer server 150 , in some instances may aggregate the traffic by API request and response data, and may transmit request and response data to application 172 on server 170 .
- Network 140 may include one or more private networks, public networks, intranets, the Internet, an intranet, wide-area networks, local area networks, cellular networks, radio-frequency networks, Wi-Fi networks, any other network which may be used to transmit data, and any combination of these networks.
- Client devices 110 - 140 , customer server 150 , Application server 170 , and data store 180 may all communicate over network 160 (whether or not labeled so in FIG. 1 ).
- Application server 170 may be implemented as one or more physical or logical machines that provide application functionality as described herein.
- application server may include one or more applications 172 .
- the application 172 may be stored on one or more application servers 170 and be executed to perform functionality as described herein.
- Application server and application 172 may both communicate over network 160 and data store 180 .
- Data store 180 may be accessible by application server 170 and application 172 .
- data store 180 may include one or more APIs, API descriptions, and other data.
- FIG. 2 is a block diagram of an application that automatically monitors API sessions.
- Application 172 of FIG. 2 provides more detail for application 172 of the system of FIG. 1 .
- Application 172 includes API parsing engine 210 , API analyzing module 220 , API session generator module 230 , and anomaly alert 240 .
- API parsing engine 210 may access and detect components of API requests. The engine 210 may detect path parameters, query parameters, request header content, request body content, response API headers and bodies, and other content within a URL, request, or response associated with an API. The parsed API components may be used to identify sessions of API requests.
- API parsing engine can also detect portions of each component as they are detected by a remote agent.
- each API parsing engine can detect component parameters, sensitivity, character distributions, and other data.
- Component parameters may include a variable type, such as an integer string, or float.
- Component sensitivity can include private information, such as credit card information, password information, security question information, email data, and other data that users may prefer to keep quiet or may be used to compromise their account, their finances, or other personal details.
- Character distribution identification and/or tracking may include detecting the location and number of occurrences of a particular character, for example in a URL, API request header or body, or API response body.
- the characters may include special characters colon, semicolon, slash, question marks, exclamation marks, asterisks, parenthesis, and other nun-numeric and non-alphabet characters.
- API analyzing module 220 may determine if a received and parsed API matches an expected API as part of a session. In some instances, as an API request is received, it may be parsed and compared to an expected API or API template that is identified within a session of APIs. The expected API request may be the next API request in a series of requests that comprise an API session. API analyzing module 220 may retrieve a next expected API within a session, or all APIs within a session, from API session generator 230 . If a detected API does not match an expected API, API analyzing may send a signal to anomaly alert 240 .
- API session generator 230 may identify sessions that consists of two or more APIs requests received in succession. For example, an API session generator may determine that a session includes APIs associated with selecting a product, adding a product to a cart, and then performing a checkout. APIs associated with the three actions may be associated with a session, and stored as a session by API session generator 230 . API session generator 230 may provide API data to API analyzing module 220 . The provider data may include APIs in a session, an indicator if a detected API is in any session, or other data associated with APIs within a session.
- Anomaly alert 240 can generate an alert for an administrator, in a dashboard, or otherwise generate an alert in a system regarding the detection of an anomaly or some other status of interest.
- the alerts can be generated, for example, via message, email, through an interface, in a dashboard, or in some other way that communicates the occurrence of the anomaly.
- FIG. 3 is a method that automatically monitors API sessions.
- an agent may be installed in a customer system to intercept live traffic at step 310 .
- the installation may include one or more agents, as needed, to intercept API requests and responses.
- the live API traffic consisting of requests and responses may then be intercepted between user computing devices and servers at step 315 .
- the live URL traffic including API requests, API responses, and other communications between a server and a client device, may be forwarded to an application on a remote server at step 320 .
- the traffic may be forwarded periodically or in response to a push, pull, or another event.
- the API requests and responses may be aggregated before being reported by an agent to a remote application.
- a session of related, consecutive API requests and responses may form part of a transaction that achieves a particular goal, such as purchasing a product, making an airline reservation or a hotel reservation, or other goal. More detail for determining whether an API request input is based at least in part on a previous API response output is discussed with respect to the method of FIG. 4 .
- step 340 the API request input and API response output are added to a new or existing session.
- the session is then stored and/or updated at step 350 with the new connection between the API request input and API response output.
- step 340 API requests and responses continue to be intercepted by one or more agents and forwarded to an application on a remote sever at step 330 .
- a first API request and a second API request may be related to each other, and part of a session, regardless of the API response received from the first request.
- a subsequent API request can be related to a previous API request as part of an overall business transaction (such as making a reservation, purchasing a product, and so forth). More details for determining whether an API request input is based at least in part on previous API request input is discussed with respect to the method of FIG. 5 .
- a current API request input is based at least in part on a previous API request input
- the API requests are added to a session at step 340 .
- the session may include just the two related requests, or additional requests and/or responses that are determined to be related to one of the requests.
- the related API requests are stored as a session based on the connection they share at step 345 .
- the method of FIGURE continues to operate, for example from steps 315 - 350 , as more traffic is intercepted and API requests and responses are analyzed to determine if they are part of a new or pre-existing session. If determined to be part of a session, the requests and/or responses may be added to an existing session or form a new session, as appropriate.
- the current API request is determined to not be associated with a session at step 350 .
- determining if an API request is related to a previous intercepted API response can include comparing parameters of requests to parameters of the response. If input parameters of a requests are related to output parameters of response, the API request and response may be related. More details for identifying whether a subsequent API request is related to an intercepted API response is discussed with respect to the method of FIG. 4 .
- Subsequent API responses may be intercepted from the survey API to a user device at step 330 .
- API responses from server API to user device may be intercepted by one or more agents installed at the server.
- intercepted API responses may be grouped together or analyzed individually. In any case, there analyzed to determine their parameters and components for comparison purposes.
- An API request from a user to a server API may be intercepted at step 335 .
- the intercepted API requests may be intercepted by one or more agents on one or more servers, and may be analyzed by an application 172 .
- the most recent API requests that are related to previous intercepted API responses are identified at step 340 .
- aspects of the request and response may be compared to each other. For example, input parameters in a request may match output parameters in a response.
- the input parameters and output parameters may be in a URL, header, body, in any of several different formats.
- Related APIs are stored in order as a session based on connected requests and responses at step 345 .
- a particular API request is related to an API response, the two API portions may be part of a session. If a subsequent API request utilizes information in a previously received API response, those portions may be connected as well, and the subsequent API request may be part of the session.
- Related APIs may be stored as a session based on the connected requests and responses at step 345 .
- FIG. 4 is a method for identifying API requests related to an API response. The method of FIG. 4 provides more detail for step 325 of the method of FIG. 3 .
- Inputs for a current API requests are accessed at step 410 . Inputs may be express as queries, or other data within the URL, header, or body of the request.
- Outputs for previously intercepted API responses are accessed at step 420 . The outputs may include data in the API response URL, header, body, or otherwise stored as data within the API response.
- the API request input is compared to the API response output at step 430 .
- a determination is made as to whether the API request input is based at least in part on the API request output at step 440 . If the API request input is based on some part on API request output, the detected API request is determined to have a connection with, and be based at least in part on, on the API response at step 450 . For example, if an input of the API request includes a particular product identifier that is also included in the API response, the API request is determined to be based at least in part on the API request.
- the detected API request is determined to not have a connection with the intercepted API response at step 460 . As such, the request and response are determined to not be a part of a particular session.
- FIG. 5 is a method for determining if an API request is based at least in part on a previous API request. The method of FIG. 5 provides more detail for step 335 of the method of FIG. 3 .
- Inputs for a current API request are accessed at step 510 . Inputs may be express as queries, or other data within the URL, header, or body of the request.
- Outputs for previously intercepted API responses are accessed at step 520 . The outputs may include data in the API response URL, header, body, or otherwise stored as data within the API response.
- the API request input is compared to the API response output at step 530 .
- a determination is made as to whether the API request input is based at least in part on the API request output at step 540 . If the API request input is based on some part on API request output, the detected API request is determined to have a connection with, and be based at least in part on, on the API response at step 550 . For example, if an input of the API request includes a particular product identifier that is also included in the API response, the API request is determined to be based at least in part on the API request.
- the detected API request is determined to not have a connection with the intercepted API response at step 560 . As such, the request and response are determined to not be a part of a particular session.
- FIG. 6 is a method for detecting anomalous API requests based on API sessions.
- An API request associated with a session is detected at step 610 .
- each intercepted API request can be compared to a set of APIs associated with a session to determine whether the intercepted API request matches a request associated with a session.
- the received API request is analyzed with respect to APIs in the session at step 620 .
- the received API request may be analyzed to determine if the request should have a particular API request or API response precede it. Analyzing the received API request can include comparing the received API request to the set of APIs in one or more sessions to determine if any API requests should come before the received API. For example, if the received API request is a checkout request, the received API request may be expected to be preceded by a “view cart” request.
- Sessions have two or more APIs that are expected to be received in a particular order. Other than the first API request in the session, each API request is preceded by a particular API within the session. As such, the determination at step 630 determines whether the received API request is received in an expected chronological order of API requests. If an API request is not preceded by an expected API, and the API request is not the first API request in the session, there may be an issue with the detected API request.
- the API request that was detected was expected to be preceded by a particular API request as indicated in a stored session of APIs, but was actually preceded by a different API request, then the API request is considered an anomaly at step 650 .
- the API request which is not preceded by the expected API request within the current session may be an attack on the system, or just an error request.
- An alert can be generated for an administrator based on the determination API request is an anomaly, and the request can be analyzed further to determine if it is a mistake or an attack.
- a subsequent API request is eventually detected at step 640 .
- a determination is then made as to whether the subsequent API request matches an expected subsequent API in the current session at step 650 .
- the determination at step 650 determines whether the received API request is received in an expected chronological order of API requests. If the subsequent API request does not match the expected subsequent API in the current session, the API request is labeled as an anomaly at step 650 . If the API request does match the expected request within the session, a determination is made as to whether any additional APIs are expected in the current session at step 660 . If additional APIs are expected, the method of FIG. 6 returns to step 640 to process subsequent API requests. If additional APIs are not expected, then the API session is determined to not be an anomaly at step 660 .
- FIG. 7 is a block diagram of a system for implementing machines that implement the present technology.
- System 700 of FIG. 7 may be implemented in the contexts of the likes of machines that implement client devices 110 - 140 , customer server 150 , Application server 170 , and data store 180 .
- the computing system 700 of FIG. 7 includes one or more processors 710 and memory 720 .
- Main memory 720 stores, in part, instructions and data for execution by processor 710 .
- Main memory 720 can store the executable code when in operation.
- the system 700 of FIG. 7 further includes a mass storage device 730 , portable storage medium drive(s) 740 , output devices 750 , user input devices 760 , a graphics display 770 , and peripheral devices 780 .
- processor unit 710 and main memory 720 may be connected via a local microprocessor bus, and the mass storage device 730 , peripheral device(s) 780 , portable storage device 740 , and display system 770 may be connected via one or more input/output (I/O) buses.
- I/O input/output
- Mass storage device 730 which may be implemented with a magnetic disk drive, an optical disk drive, a flash drive, or other device, is a non-volatile storage device for storing data and instructions for use by processor unit 710 . Mass storage device 730 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 720 .
- Portable storage device 740 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or Digital video disc, USB drive, memory card or stick, or other portable or removable memory, to input and output data and code to and from the computer system 700 of FIG. 7 .
- a portable non-volatile storage medium such as a floppy disk, compact disk or Digital video disc, USB drive, memory card or stick, or other portable or removable memory
- the system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 700 via the portable storage device 740 .
- Input devices 760 provide a portion of a user interface.
- Input devices 760 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, a pointing device such as a mouse, a trackball, stylus, cursor direction keys, microphone, touch-screen, accelerometer, and other input devices.
- the system 700 as shown in FIG. 7 includes output devices 750 . Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
- Display system 770 may include a liquid crystal display (LCD) or other suitable display device. Display system 770 receives textual and graphical information and processes the information for output to the display device. Display system 770 may also receive input as a touch-screen.
- LCD liquid crystal display
- Peripherals 780 may include any type of computer support device to add additional functionality to the computer system.
- peripheral device(s) 780 may include a modem or a router, printer, and other device.
- the system of 700 may also include, in some implementations, antennas, radio transmitters and radio receivers 790 .
- the antennas and radios may be implemented in devices such as smart phones, tablets, and other devices that may communicate wirelessly.
- the one or more antennas may operate at one or more radio frequencies suitable to send and receive data over cellular networks, Wi-Fi networks, commercial device networks such as a Bluetooth device, and other radio frequency networks.
- the devices may include one or more radio transmitters and receivers for processing signals sent and received using the antennas.
- the components contained in the computer system 700 of FIG. 7 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art.
- the computer system 700 of FIG. 7 can be a personal computer, handheld computing device, smart phone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device.
- the computer can also include different bus configurations, networked platforms, multi-processor platforms, etc.
- Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Android, as well as languages including Java, .NET, C, C++, Node.JS, and other suitable languages.
Abstract
A system identifies sessions of API behavior and uses the identified behavior to detect anomalous API requests. A session of API behavior is detected as two or more API requests that are typically received in a chronological order. The APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response. Once APIs in a session are learned, incoming API requests typically associated with a session can be compared to the session to determine if they appear in an expected sequence based on the session. If an API request is not received in the sequence or chronological order according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request may be an anomaly.
Description
- The present application claims the priority benefit of U.S. provisional patent application 63/167,649, filed on Mar. 30, 2021, titled “INTELLIGENT APPLICATION PROTECTION,” the disclosure of which is incorporated herein by reference.
- When analyzing, tracking, or monitoring a system, it is often important to know the specification of the system, including application program interface (API) specifications. In some systems, a common method for attacking is for an attacker to submit an API request and attempt to get information from the system. Can be difficult to detect whether these API requests from attackers are legitimate or not. What is needed is an improved mechanism for detecting illegitimate and API requests from unauthorized requesters.
- The present technology, roughly described, identifies sessions of API behavior and uses the identified behavior to detect anomalous API requests. A session of API behavior is detected as two or more API requests that are typically received in order. For example, for an e-commerce service, a session may include an API request to select a product, followed by an API response with a URL for viewing the product, an API request to place the product in the user's cart, followed by an API response with a URL for displaying the items in the user's cart, followed by an API request to perform checkout, and finally followed by an API response with a URL for providing a checkout page to the user. The APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response.
- Once APIs in a session are learned, incoming API requests that are typically associated with a session can be compared to the session to see if they appear in the expected sequence based on the session. If an API request is not received in the sequence according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request can be tagged as an anomaly.
- In some instances, a method automatically detects an anomaly based on a session of APIs received for a web service. The method begins with receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server. The received API request is compared to a set of APIs having a preset chronological order. The system then detects that the received API request is not received in an expected chronological order defined by the present chronological order. The received API request is identified as an anomaly based on the unexpected chronological order of the receive API request.
- In some instances, a non-transitory computer readable storage medium has embodied thereon a program that is executable by a processor to perform a method. The method automatically detects an anomaly based on a session of APIs received for a web service. The method begins with receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server. The received API request is compared to a set of APIs having a preset chronological order. The system then detects that the received API request is not received in an expected chronological order defined by the present chronological order. The received API request is identified as an anomaly based on the unexpected chronological order of the receive API request.
- In embodiments, a system can include a server, memory and one or more processors. One or more modules may be stored in memory and executed by the processors to receive, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server, compare the received API request to a set of APIs having a preset chronological order, detect that the received API request is not received in an expected chronological order defined by the present chronological order, and identify the received API request as an anomaly based on the unexpected chronological order of the receive API request.
-
FIG. 1 is a block diagram of a system for intelligently monitoring API sessions. -
FIG. 2 is a block diagram of an application that automatically monitors API sessions. -
FIG. 3 is a method that automatically monitors API sessions. -
FIG. 4 is a method for identifying API requests related to an API response. -
FIG. 5 is a method for identifying API requests related to previously intercepted API responses. -
FIG. 6 is a method for detecting anomalous API requests based on API sessions. -
FIG. 7 is a block diagram of a system for implementing machines that implement the present technology. - The present system identifies sessions of API behavior and uses the identified behavior to detect anomalous API requests. A session of API behavior is detected as two or more API requests that are typically received in order. For example, for an e-commerce service, a session may include an API request to select a product, followed by an API response with a URL for viewing the product, an API request to place the product in the user's cart, followed by an API response with a URL for displaying the items in the user's cart, followed by an API request to perform checkout, and finally followed by an API response with a URL for providing a checkout page to the user. The APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response.
- Once APIs in a session are learned, incoming API requests that are typically associated with a session can be compared to the session to see if they appear in the expected sequence based on the session. If an API request is not received in the sequence according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request can be tagged as an anomaly.
-
FIG. 1 is a block diagram 100 of a system for intelligently monitoring API sessions. The block diagram 100 ofFIG. 1 includes client devices 110-140,customer server 150,network 160,Application server 170, anddata store 180. - Client devices 110-140 may send API requests to and receive API responses from
customer server 150. The client devices may be any device which can access the service, network page, webpage, or other content provided bycustomer server 150. Client devices 110-140 may send a request tocustomer server 150, for example to an API provided bycustomer server 150, andcustomer server 150 may send a response to the devices based on the request. The request may be sent to a particular URL provided bycustomer server 150 and the response may be sent from the server to the device in response to the request. Though only for four client devices are shown, a typical system may handle requests from a larger number of clients, for example, dozens, hundreds, or thousands, and any number of client devices may be used to interact withcustomer server 150. -
Customer server 150 may provide a service to client devices 110-140. The service may be accessible through APIs provided bycustomer server 150.Agent 152 oncustomer server 150 may monitor the communication betweencustomer server 150 and client devices 110-140 and intercept traffic transmitted between the server and the devices. Upon intercepting the traffic,agent 152 may forward the traffic toapplication 172 onapplication server 170. In some instances, one or more agents may be installed oncustomer server 150, which may be implemented by one or more physical or logical machines. In some instances,server 150 may actually be implemented by multiple servers in different locations, providing a distributed service for devices 110-140. In any case, one ormore agents 152 may be installed to intercept API requests and responses between devices 110-140 andcustomer server 150, in some instances may aggregate the traffic by API request and response data, and may transmit request and response data toapplication 172 onserver 170. -
Network 140 may include one or more private networks, public networks, intranets, the Internet, an intranet, wide-area networks, local area networks, cellular networks, radio-frequency networks, Wi-Fi networks, any other network which may be used to transmit data, and any combination of these networks. Client devices 110-140,customer server 150,Application server 170, anddata store 180 may all communicate over network 160 (whether or not labeled so inFIG. 1 ). -
Application server 170 may be implemented as one or more physical or logical machines that provide application functionality as described herein. In some instances, application server may include one ormore applications 172. Theapplication 172 may be stored on one ormore application servers 170 and be executed to perform functionality as described herein. Application server andapplication 172 may both communicate overnetwork 160 anddata store 180. -
Data store 180 may be accessible byapplication server 170 andapplication 172. In some instance,data store 180 may include one or more APIs, API descriptions, and other data. -
FIG. 2 is a block diagram of an application that automatically monitors API sessions.Application 172 ofFIG. 2 provides more detail forapplication 172 of the system of FIG. 1.Application 172 includesAPI parsing engine 210, API analyzing module 220, APIsession generator module 230, andanomaly alert 240.API parsing engine 210 may access and detect components of API requests. Theengine 210 may detect path parameters, query parameters, request header content, request body content, response API headers and bodies, and other content within a URL, request, or response associated with an API. The parsed API components may be used to identify sessions of API requests. - API parsing engine can also detect portions of each component as they are detected by a remote agent. For example, each API parsing engine can detect component parameters, sensitivity, character distributions, and other data. Component parameters may include a variable type, such as an integer string, or float. Component sensitivity can include private information, such as credit card information, password information, security question information, email data, and other data that users may prefer to keep quiet or may be used to compromise their account, their finances, or other personal details. Character distribution identification and/or tracking may include detecting the location and number of occurrences of a particular character, for example in a URL, API request header or body, or API response body. The characters may include special characters colon, semicolon, slash, question marks, exclamation marks, asterisks, parenthesis, and other nun-numeric and non-alphabet characters.
- API analyzing module 220 may determine if a received and parsed API matches an expected API as part of a session. In some instances, as an API request is received, it may be parsed and compared to an expected API or API template that is identified within a session of APIs. The expected API request may be the next API request in a series of requests that comprise an API session. API analyzing module 220 may retrieve a next expected API within a session, or all APIs within a session, from
API session generator 230. If a detected API does not match an expected API, API analyzing may send a signal toanomaly alert 240. -
API session generator 230 may identify sessions that consists of two or more APIs requests received in succession. For example, an API session generator may determine that a session includes APIs associated with selecting a product, adding a product to a cart, and then performing a checkout. APIs associated with the three actions may be associated with a session, and stored as a session byAPI session generator 230.API session generator 230 may provide API data to API analyzing module 220. The provider data may include APIs in a session, an indicator if a detected API is in any session, or other data associated with APIs within a session. -
Anomaly alert 240 can generate an alert for an administrator, in a dashboard, or otherwise generate an alert in a system regarding the detection of an anomaly or some other status of interest. The alerts can be generated, for example, via message, email, through an interface, in a dashboard, or in some other way that communicates the occurrence of the anomaly. -
FIG. 3 is a method that automatically monitors API sessions. First, an agent may be installed in a customer system to intercept live traffic atstep 310. The installation may include one or more agents, as needed, to intercept API requests and responses. The live API traffic consisting of requests and responses may then be intercepted between user computing devices and servers atstep 315. The live URL traffic, including API requests, API responses, and other communications between a server and a client device, may be forwarded to an application on a remote server atstep 320. The traffic may be forwarded periodically or in response to a push, pull, or another event. In some instances, the API requests and responses may be aggregated before being reported by an agent to a remote application. - A determination is made as to whether an API request input is based at least in part on previous API response output at
step 325. If the response from the remote server application is used to a subsequent request, it is possible that the request and related response are part of a session. A session of related, consecutive API requests and responses may form part of a transaction that achieves a particular goal, such as purchasing a product, making an airline reservation or a hotel reservation, or other goal. More detail for determining whether an API request input is based at least in part on a previous API response output is discussed with respect to the method ofFIG. 4 . - If the request input is based on the response output, the method of
FIG. 3 continues to step 340, where the API request input and API response output are added to a new or existing session. The session is then stored and/or updated atstep 350 with the new connection between the API request input and API response output. - If the request input is not based on the response output, the method of
FIG. 3 continues to step 340, API requests and responses continue to be intercepted by one or more agents and forwarded to an application on a remote sever atstep 330. - A determination is made as to whether an API request input is based at least in part on previous API request input at
step 335. A first API request and a second API request may be related to each other, and part of a session, regardless of the API response received from the first request. In some instances, a subsequent API request can be related to a previous API request as part of an overall business transaction (such as making a reservation, purchasing a product, and so forth). More details for determining whether an API request input is based at least in part on previous API request input is discussed with respect to the method ofFIG. 5 . - If a current API request input is based at least in part on a previous API request input, then the API requests are added to a session at
step 340. The session may include just the two related requests, or additional requests and/or responses that are determined to be related to one of the requests. The related API requests are stored as a session based on the connection they share atstep 345. The method of FIGURE continues to operate, for example from steps 315-350, as more traffic is intercepted and API requests and responses are analyzed to determine if they are part of a new or pre-existing session. If determined to be part of a session, the requests and/or responses may be added to an existing session or form a new session, as appropriate. - If the API request input is not based at all on the previous API request input and not based at all on a previous API response output, the current API request is determined to not be associated with a session at
step 350. - identified by one or more agents installed within a customer system. In some instances, determining if an API request is related to a previous intercepted API response can include comparing parameters of requests to parameters of the response. If input parameters of a requests are related to output parameters of response, the API request and response may be related. More details for identifying whether a subsequent API request is related to an intercepted API response is discussed with respect to the method of
FIG. 4 . - Subsequent API responses may be intercepted from the survey API to a user device at
step 330. API responses from server API to user device may be intercepted by one or more agents installed at the server. In some instances, intercepted API responses may be grouped together or analyzed individually. In any case, there analyzed to determine their parameters and components for comparison purposes. - An API request from a user to a server API may be intercepted at
step 335. The intercepted API requests may be intercepted by one or more agents on one or more servers, and may be analyzed by anapplication 172. - The most recent API requests that are related to previous intercepted API responses are identified at
step 340. In some instances, to help determine if the request and response are related to each other, aspects of the request and response may be compared to each other. For example, input parameters in a request may match output parameters in a response. The input parameters and output parameters may be in a URL, header, body, in any of several different formats. By comparing the components of a request in response, API requests that are related to API responses can be identified. More information for identifying the most recent API requests related to a previous intercepted API response is discussed in more detail with respect to the method ofFIG. 5 . - Related APIs are stored in order as a session based on connected requests and responses at
step 345. A particular API request is related to an API response, the two API portions may be part of a session. If a subsequent API request utilizes information in a previously received API response, those portions may be connected as well, and the subsequent API request may be part of the session. Related APIs may be stored as a session based on the connected requests and responses atstep 345. -
FIG. 4 is a method for identifying API requests related to an API response. The method ofFIG. 4 provides more detail forstep 325 of the method ofFIG. 3 . Inputs for a current API requests are accessed atstep 410. Inputs may be express as queries, or other data within the URL, header, or body of the request. Outputs for previously intercepted API responses are accessed atstep 420. The outputs may include data in the API response URL, header, body, or otherwise stored as data within the API response. - The API request input is compared to the API response output at
step 430. A determination is made as to whether the API request input is based at least in part on the API request output atstep 440. If the API request input is based on some part on API request output, the detected API request is determined to have a connection with, and be based at least in part on, on the API response atstep 450. For example, if an input of the API request includes a particular product identifier that is also included in the API response, the API request is determined to be based at least in part on the API request. - If the API request input is not based at least in part on API request output, the detected API request is determined to not have a connection with the intercepted API response at
step 460. As such, the request and response are determined to not be a part of a particular session. -
FIG. 5 is a method for determining if an API request is based at least in part on a previous API request. The method ofFIG. 5 provides more detail forstep 335 of the method ofFIG. 3 . Inputs for a current API request are accessed atstep 510. Inputs may be express as queries, or other data within the URL, header, or body of the request. Outputs for previously intercepted API responses are accessed atstep 520. The outputs may include data in the API response URL, header, body, or otherwise stored as data within the API response. - The API request input is compared to the API response output at
step 530. A determination is made as to whether the API request input is based at least in part on the API request output atstep 540. If the API request input is based on some part on API request output, the detected API request is determined to have a connection with, and be based at least in part on, on the API response atstep 550. For example, if an input of the API request includes a particular product identifier that is also included in the API response, the API request is determined to be based at least in part on the API request. - If the API request input is not based at least in part on API request output, the detected API request is determined to not have a connection with the intercepted API response at
step 560. As such, the request and response are determined to not be a part of a particular session. -
FIG. 6 is a method for detecting anomalous API requests based on API sessions. An API request associated with a session is detected atstep 610. In some instances, each intercepted API request can be compared to a set of APIs associated with a session to determine whether the intercepted API request matches a request associated with a session. - The received API request is analyzed with respect to APIs in the session at
step 620. The received API request may be analyzed to determine if the request should have a particular API request or API response precede it. Analyzing the received API request can include comparing the received API request to the set of APIs in one or more sessions to determine if any API requests should come before the received API. For example, if the received API request is a checkout request, the received API request may be expected to be preceded by a “view cart” request. - A determination is made as to whether the detected API request is expected to be preceded by a different API request in the current session at
step 630. Sessions have two or more APIs that are expected to be received in a particular order. Other than the first API request in the session, each API request is preceded by a particular API within the session. As such, the determination atstep 630 determines whether the received API request is received in an expected chronological order of API requests. If an API request is not preceded by an expected API, and the API request is not the first API request in the session, there may be an issue with the detected API request. If the API request that was detected was expected to be preceded by a particular API request as indicated in a stored session of APIs, but was actually preceded by a different API request, then the API request is considered an anomaly atstep 650. In some instances, the API request which is not preceded by the expected API request within the current session may be an attack on the system, or just an error request. An alert can be generated for an administrator based on the determination API request is an anomaly, and the request can be analyzed further to determine if it is a mistake or an attack. - If the detected API requests is preceded by the expected API request in the current session, a subsequent API request is eventually detected at
step 640. A determination is then made as to whether the subsequent API request matches an expected subsequent API in the current session atstep 650. The determination atstep 650 determines whether the received API request is received in an expected chronological order of API requests. If the subsequent API request does not match the expected subsequent API in the current session, the API request is labeled as an anomaly atstep 650. If the API request does match the expected request within the session, a determination is made as to whether any additional APIs are expected in the current session atstep 660. If additional APIs are expected, the method ofFIG. 6 returns to step 640 to process subsequent API requests. If additional APIs are not expected, then the API session is determined to not be an anomaly atstep 660. -
FIG. 7 is a block diagram of a system for implementing machines that implement the present technology.System 700 ofFIG. 7 may be implemented in the contexts of the likes of machines that implement client devices 110-140,customer server 150,Application server 170, anddata store 180. Thecomputing system 700 ofFIG. 7 includes one ormore processors 710 andmemory 720.Main memory 720 stores, in part, instructions and data for execution byprocessor 710.Main memory 720 can store the executable code when in operation. Thesystem 700 ofFIG. 7 further includes amass storage device 730, portable storage medium drive(s) 740,output devices 750,user input devices 760, agraphics display 770, andperipheral devices 780. - The components shown in
FIG. 7 are depicted as being connected via asingle bus 790. However, the components may be connected through one or more data transport means. For example,processor unit 710 andmain memory 720 may be connected via a local microprocessor bus, and themass storage device 730, peripheral device(s) 780,portable storage device 740, anddisplay system 770 may be connected via one or more input/output (I/O) buses. -
Mass storage device 730, which may be implemented with a magnetic disk drive, an optical disk drive, a flash drive, or other device, is a non-volatile storage device for storing data and instructions for use byprocessor unit 710.Mass storage device 730 can store the system software for implementing embodiments of the present invention for purposes of loading that software intomain memory 720. -
Portable storage device 740 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or Digital video disc, USB drive, memory card or stick, or other portable or removable memory, to input and output data and code to and from thecomputer system 700 ofFIG. 7 . The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to thecomputer system 700 via theportable storage device 740. -
Input devices 760 provide a portion of a user interface.Input devices 760 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, a pointing device such as a mouse, a trackball, stylus, cursor direction keys, microphone, touch-screen, accelerometer, and other input devices. Additionally, thesystem 700 as shown inFIG. 7 includesoutput devices 750. Examples of suitable output devices include speakers, printers, network interfaces, and monitors. -
Display system 770 may include a liquid crystal display (LCD) or other suitable display device.Display system 770 receives textual and graphical information and processes the information for output to the display device.Display system 770 may also receive input as a touch-screen. -
Peripherals 780 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 780 may include a modem or a router, printer, and other device. - The system of 700 may also include, in some implementations, antennas, radio transmitters and
radio receivers 790. The antennas and radios may be implemented in devices such as smart phones, tablets, and other devices that may communicate wirelessly. The one or more antennas may operate at one or more radio frequencies suitable to send and receive data over cellular networks, Wi-Fi networks, commercial device networks such as a Bluetooth device, and other radio frequency networks. The devices may include one or more radio transmitters and receivers for processing signals sent and received using the antennas. - The components contained in the
computer system 700 ofFIG. 7 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, thecomputer system 700 ofFIG. 7 can be a personal computer, handheld computing device, smart phone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Android, as well as languages including Java, .NET, C, C++, Node.JS, and other suitable languages. - The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen to best explain the principles of the technology and its practical application to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims appended hereto.
Claims (20)
1. A method for automatically detecting an anomaly based on a session of APIs received for a web service, the method comprising:
receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server;
comparing the received API request to a set of APIs having a preset chronological order;
detecting that the received API request is not received in an expected chronological order defined by the present chronological order; and
identifying the received API request as an anomaly based on the unexpected chronological order of the receive API request.
2. The method of claim 1 , wherein detecting that the received API request is not received in an expected chronological order includes detecting that the received API request is not preceded by an expected preceding API request as specified in the preset chronological order.
3. The method of claim 1 , further comprising:
receiving, by a server from an agent stored on a remote server, a subsequent API request sent from a user device to a server API; and
detecting that the received API request and the subsequent API request are not received in an expected chronological order defined by the present chronological order.
4. The method of claim 3 , wherein the expected chronological order includes an API request that differs from the subsequent API request.
5. The method of claim 1 , wherein the set of APIs having a preset chronological order have a first API with an output that is taken as the input of subsequent API in the set of APIs.
6. A method for automatically detecting an anomaly based on a session of APIs received for a web service, the method comprising:
receiving, by a remote server from an agent on a server, API requests received from a remote device to the server and API responses sent to the remote devices from the server;
receiving, by the remote server from the agent on the server, subsequent API requests received from a remote device to the server;
determining, by an application on the remote server, that the subsequent API requests are related to the API responses sent to the remote devices from the server;
storing the subsequent API request and the API response as a set of APIs having a preset chronological order; and
automatically identifying subsequent requests as anomalies based on a comparison of the subsequent requests with the set of APIs having a preset chronological order.
7. The method of claim 6 , wherein determining includes detecting that the input of the subsequent API request is based on output of the API response.
8. The method of claim 7 , wherein a query in the input of the subsequent API request matches a parameter in the output of the API response.
9. The method of claim 6 , wherein the set of APIs having a preset chronological order form a business transaction provided by a web service.
10. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for automatically detecting an anomaly based on a session of APIs received for a web service, the method comprising:
receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server;
comparing the received API request to a set of APIs having a preset chronological order;
detecting that the received API request is not received in an expected chronological order defined by the present chronological order; and
identifying the received API request as an anomaly based on the unexpected chronological order of the receive API request.
11. The non-transitory computer readable storage medium of claim 10 , wherein detecting that the received API request is not received in an expected chronological order includes detecting that the received API request is not preceded by an expected preceding API request as specified in the preset chronological order.
12. The non-transitory computer readable storage medium of claim 10 , the method further comprising:
receiving, by a server from an agent stored on a remote server, a subsequent API request sent from a user device to a server API; and
detecting that the received API request and the subsequent API request are not received in an expected chronological order defined by the present chronological order.
13. The non-transitory computer readable storage medium of claim 12 , wherein the expected chronological order includes an API request that differs from the subsequent API request.
14. The non-transitory computer readable storage medium of claim 10 , wherein the set of APIs having a preset chronological order have a first API with an output that is taken as the input of subsequent API in the set of APIs.
15. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for automatically detecting an anomaly based on a session of APIs received for a web service, the method comprising
receiving, by a remote server from an agent on a server, API requests received from a remote device to the server and API responses sent to the remote devices from the server;
receiving, by the remote server from the agent on the server, subsequent API requests received from a remote device to the server;
determining, by an application on the remote server, that the subsequent API requests are related to the API responses sent to the remote devices from the server;
storing the subsequent API request and the API response as a set of APIs having a preset chronological order; and
automatically identifying subsequent requests as anomalies based on a comparison of the subsequent requests with the set of APIs having a preset chronological order.
16. The non-transitory computer readable storage medium of claim 15 , wherein determining includes detecting that the input of the subsequent API request is based on output of the API response.
17. The non-transitory computer readable storage medium of claim 16 , wherein a query in the input of the subsequent API request matches a parameter in the output of the API response.
18. The non-transitory computer readable storage medium of claim 15 , wherein the set of APIs having a preset chronological order form a business transaction provided by a web service.
19. A system for automatically detecting an anomaly based on a session of APIs received for a web service, comprising:
a server including a memory and a processor; and
one or more modules stored in the memory and executed by the processor to receive, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server, compare the received API request to a set of APIs having a preset chronological order, detect that the received API request is not received in an expected chronological order defined by the present chronological order, and identify the received API request as an anomaly based on the unexpected chronological order of the receive API request.
20. A system for automatically detecting an anomaly based on a session of APIs received for a web service, comprising:
a server including a memory and a processor; and
one or more modules stored in the memory and executed by the processor to receive, by a remote server from an agent on a server, API requests received from a remote device to the server and API responses sent to the remote devices from the server. receive, by the remote server from the agent on the server, subsequent API requests received from a remote device to the server. determine, by an application on the remote server, that the subsequent API requests are related to the API responses sent to the remote devices from the server, store the subsequent API request and the API response as a set of APIs having a preset chronological order, and automatically identify subsequent requests as anomalies based on a comparison of the subsequent requests with the set of APIs having a preset chronological order.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/339,951 US20220321587A1 (en) | 2021-03-30 | 2021-06-05 | Automatic anomaly detection based on api sessions |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US202163167649P | 2021-03-30 | 2021-03-30 | |
US17/339,951 US20220321587A1 (en) | 2021-03-30 | 2021-06-05 | Automatic anomaly detection based on api sessions |
Publications (1)
Publication Number | Publication Date |
---|---|
US20220321587A1 true US20220321587A1 (en) | 2022-10-06 |
Family
ID=83448116
Family Applications (5)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/339,951 Pending US20220321587A1 (en) | 2021-03-30 | 2021-06-05 | Automatic anomaly detection based on api sessions |
US17/339,949 Pending US20220318081A1 (en) | 2021-03-30 | 2021-06-05 | Automatic generation of an api interface description |
US17/339,946 Pending US20220318332A1 (en) | 2021-03-30 | 2021-06-05 | Intelligent naming of application program interfaces |
US17/348,785 Pending US20220318618A1 (en) | 2021-03-30 | 2021-06-16 | Multi-api metric modeling using lstm system |
US17/349,942 Pending US20220318378A1 (en) | 2021-03-30 | 2021-06-17 | Detecting threats based on api service business logic abuse |
Family Applications After (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/339,949 Pending US20220318081A1 (en) | 2021-03-30 | 2021-06-05 | Automatic generation of an api interface description |
US17/339,946 Pending US20220318332A1 (en) | 2021-03-30 | 2021-06-05 | Intelligent naming of application program interfaces |
US17/348,785 Pending US20220318618A1 (en) | 2021-03-30 | 2021-06-16 | Multi-api metric modeling using lstm system |
US17/349,942 Pending US20220318378A1 (en) | 2021-03-30 | 2021-06-17 | Detecting threats based on api service business logic abuse |
Country Status (1)
Country | Link |
---|---|
US (5) | US20220321587A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11921847B1 (en) * | 2023-07-13 | 2024-03-05 | Intuit, Inc. | Detection of abnormal application programming interface (API) sessions including a sequence of API requests using space partitioning data structures |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140165140A1 (en) * | 2011-09-09 | 2014-06-12 | Anurag Singla | Systems and methods for evaluation of events based on a reference baseline according to temporal position in a sequence of events |
US20200045065A1 (en) * | 2018-08-02 | 2020-02-06 | Mastercard International Incorporated | Methods and systems for identification of breach attempts in a client-server communication using access tokens |
US20210152598A1 (en) * | 2019-11-18 | 2021-05-20 | F5 Networks, Inc. | Network application firewall |
Family Cites Families (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6226408B1 (en) * | 1999-01-29 | 2001-05-01 | Hnc Software, Inc. | Unsupervised identification of nonlinear data cluster in multidimensional data |
US7058633B1 (en) * | 2002-09-09 | 2006-06-06 | Cisco Technology, Inc. | System and method for generalized URL-rewriting |
US8635330B2 (en) * | 2006-04-24 | 2014-01-21 | Vmware, Inc. | Method and system for learning web applications |
US20080034424A1 (en) * | 2006-07-20 | 2008-02-07 | Kevin Overcash | System and method of preventing web applications threats |
EP1953995A1 (en) * | 2007-01-30 | 2008-08-06 | Seiko Epson Corporation | Application execution system, computer, application execution device, and control method and program for an application execution system |
US9781148B2 (en) * | 2008-10-21 | 2017-10-03 | Lookout, Inc. | Methods and systems for sharing risk responses between collections of mobile communications devices |
US8429751B2 (en) * | 2009-03-13 | 2013-04-23 | Trustwave Holdings, Inc. | Method and apparatus for phishing and leeching vulnerability detection |
US9215212B2 (en) * | 2009-06-22 | 2015-12-15 | Citrix Systems, Inc. | Systems and methods for providing a visualizer for rules of an application firewall |
US9112863B2 (en) * | 2009-12-14 | 2015-08-18 | International Business Machines Corporation | Method, program product and server for controlling a resource access to an electronic resource stored within a protected data environment |
US9367421B2 (en) * | 2013-12-20 | 2016-06-14 | Netapp, Inc. | Systems, methods, and computer programs products providing relevant correlation of data source performance |
US9667704B1 (en) * | 2014-04-26 | 2017-05-30 | Google Inc. | System and method for classifying API requests in API processing systems using a tree configuration |
US9729506B2 (en) * | 2014-08-22 | 2017-08-08 | Shape Security, Inc. | Application programming interface wall |
US9699205B2 (en) * | 2015-08-31 | 2017-07-04 | Splunk Inc. | Network security system |
EP3423980A4 (en) * | 2016-02-29 | 2019-10-16 | Palo Alto Networks, Inc. | Automatically grouping malware based on artifacts |
US10394552B2 (en) * | 2016-05-17 | 2019-08-27 | Dropbox, Inc. | Interface description language for application programming interfaces |
US11663110B2 (en) * | 2016-10-31 | 2023-05-30 | International Business Machines Corporation | Analysis to check web API code usage and specification |
US10942708B2 (en) * | 2017-01-10 | 2021-03-09 | International Business Machines Corporation | Generating web API specification from online documentation |
US10360082B2 (en) * | 2017-01-19 | 2019-07-23 | International Business Machines Corporation | Analysis of application programming interface usage for improving a computer system |
KR102149996B1 (en) * | 2017-03-03 | 2020-08-31 | 구글 엘엘씨 | System and method for establishing links between identifiers without exposing specific identification information |
US10740215B2 (en) * | 2017-04-26 | 2020-08-11 | Jpmorgan Chase Bank, N.A. | System and method for implementing an API validator tool |
US10409711B2 (en) * | 2017-06-12 | 2019-09-10 | International Business Machines Corporation | Automatically running tests against WEB APIs based on specifications |
US10620945B2 (en) * | 2017-12-21 | 2020-04-14 | Fujitsu Limited | API specification generation |
US10776189B2 (en) * | 2017-12-22 | 2020-09-15 | MuleSoft, Inc. | API query |
US10452843B2 (en) * | 2018-01-11 | 2019-10-22 | ArecaBay, Inc. | Self-adaptive application programming interface level security monitoring |
US11258815B2 (en) * | 2018-07-24 | 2022-02-22 | Wallarm, Inc. | AI-based system for accurate detection and identification of L7 threats |
US11157816B2 (en) * | 2018-10-17 | 2021-10-26 | Capital One Services, Llc | Systems and methods for selecting and generating log parsers using neural networks |
US11113029B2 (en) * | 2019-04-10 | 2021-09-07 | International Business Machines Corporation | Probabilistic matching of web application program interface code usage to specifications |
US10747505B1 (en) * | 2019-05-17 | 2020-08-18 | Google Llc | API specification generation |
US11388216B2 (en) * | 2020-01-07 | 2022-07-12 | Volterra, Inc. | System and method for generating API schemas for networked services |
US10873618B1 (en) * | 2020-01-07 | 2020-12-22 | Volterra, Inc. | System and method to dynamically generate a set of API endpoints |
US10917401B1 (en) * | 2020-03-24 | 2021-02-09 | Imperva, Inc. | Data leakage prevention over application programming interface |
US11265342B2 (en) * | 2020-07-02 | 2022-03-01 | Qualys, Inc. | Rest api scanning for security testing |
-
2021
- 2021-06-05 US US17/339,951 patent/US20220321587A1/en active Pending
- 2021-06-05 US US17/339,949 patent/US20220318081A1/en active Pending
- 2021-06-05 US US17/339,946 patent/US20220318332A1/en active Pending
- 2021-06-16 US US17/348,785 patent/US20220318618A1/en active Pending
- 2021-06-17 US US17/349,942 patent/US20220318378A1/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140165140A1 (en) * | 2011-09-09 | 2014-06-12 | Anurag Singla | Systems and methods for evaluation of events based on a reference baseline according to temporal position in a sequence of events |
US20200045065A1 (en) * | 2018-08-02 | 2020-02-06 | Mastercard International Incorporated | Methods and systems for identification of breach attempts in a client-server communication using access tokens |
US20210152598A1 (en) * | 2019-11-18 | 2021-05-20 | F5 Networks, Inc. | Network application firewall |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11921847B1 (en) * | 2023-07-13 | 2024-03-05 | Intuit, Inc. | Detection of abnormal application programming interface (API) sessions including a sequence of API requests using space partitioning data structures |
Also Published As
Publication number | Publication date |
---|---|
US20220318618A1 (en) | 2022-10-06 |
US20220318081A1 (en) | 2022-10-06 |
US20220318332A1 (en) | 2022-10-06 |
US20220318378A1 (en) | 2022-10-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11171925B2 (en) | Evaluating and modifying countermeasures based on aggregate transaction status | |
US11271955B2 (en) | Platform and method for retroactive reclassification employing a cybersecurity-based global data store | |
US10554687B1 (en) | Incident response management based on environmental characteristics | |
US10212137B1 (en) | Blind hash compression | |
US20190207966A1 (en) | Platform and Method for Enhanced Cyber-Attack Detection and Response Employing a Global Data Store | |
US9282114B1 (en) | Generation of alerts in an event management system based upon risk | |
US20160164893A1 (en) | Event management systems | |
KR101013264B1 (en) | Method and system for distinguishing relevant network security threats using comparison of refined intrusion detection audits and intelligent security analysis | |
US20090125993A1 (en) | Method for protecting against keylogging of user information via an alternative input device | |
EP4060958B1 (en) | Attack behavior detection method and apparatus, and attack detection device | |
US11677763B2 (en) | Consumer threat intelligence service | |
CN111586005B (en) | Scanner scanning behavior identification method and device | |
CN108063833B (en) | HTTP DNS analysis message processing method and device | |
CN111404939B (en) | Mail threat detection method, device, equipment and storage medium | |
US20220321587A1 (en) | Automatic anomaly detection based on api sessions | |
US20230224314A1 (en) | Session based anomaly dectection | |
KR101891300B1 (en) | Method and apparatus for providing secure internet connection | |
US11258806B1 (en) | System and method for automatically associating cybersecurity intelligence to cyberthreat actors | |
He et al. | Mobile app identification for encrypted network flows by traffic correlation | |
US9774625B2 (en) | Phishing detection by login page census | |
CN113709136B (en) | Access request verification method and device | |
US20230043793A1 (en) | Anomaly detection using user behavioral biometrics profiling method and apparatus | |
CN111368039B (en) | Data management system | |
US20230224318A1 (en) | Application security testing based on live traffic | |
US11126713B2 (en) | Detecting directory reconnaissance in a directory service |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
AS | Assignment |
Owner name: TRACEABLE INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GUNTUR, RAVINDRA;KRISHNA, RANAJI;SIGNING DATES FROM 20230714 TO 20230718;REEL/FRAME:064757/0018 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |