US20220321587A1 - Automatic anomaly detection based on api sessions - Google Patents

Automatic anomaly detection based on api sessions Download PDF

Info

Publication number
US20220321587A1
US20220321587A1 US17/339,951 US202117339951A US2022321587A1 US 20220321587 A1 US20220321587 A1 US 20220321587A1 US 202117339951 A US202117339951 A US 202117339951A US 2022321587 A1 US2022321587 A1 US 2022321587A1
Authority
US
United States
Prior art keywords
api
server
received
chronological order
api request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
US17/339,951
Inventor
Ravindra Guntar
Ranaji Krishna
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Traceable Inc
Original Assignee
Traceable Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Traceable Inc filed Critical Traceable Inc
Priority to US17/339,951 priority Critical patent/US20220321587A1/en
Publication of US20220321587A1 publication Critical patent/US20220321587A1/en
Assigned to Traceable Inc. reassignment Traceable Inc. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: Krishna, Ranaji, GUNTUR, RAVINDRA
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9027Trees
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/955Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566URL specific, e.g. using aliases, detecting broken or misspelled links
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/541Interprogram communication via adapters, e.g. between incompatible applications
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/543User-generated data transfer, e.g. clipboards, dynamic data exchange [DDE], object linking and embedding [OLE]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/547Remote procedure calls [RPC]; Web services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/133Protocols for remote procedure calls [RPC]
    • H04L67/40
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/2866Architectures; Arrangements
    • H04L67/30Profiles
    • H04L67/303Terminal profiles

Definitions

  • API application program interface
  • a session of API behavior is detected as two or more API requests that are typically received in order.
  • a session may include an API request to select a product, followed by an API response with a URL for viewing the product, an API request to place the product in the user's cart, followed by an API response with a URL for displaying the items in the user's cart, followed by an API request to perform checkout, and finally followed by an API response with a URL for providing a checkout page to the user.
  • the APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response.
  • incoming API requests that are typically associated with a session can be compared to the session to see if they appear in the expected sequence based on the session. If an API request is not received in the sequence according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request can be tagged as an anomaly.
  • a method automatically detects an anomaly based on a session of APIs received for a web service.
  • the method begins with receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server.
  • the received API request is compared to a set of APIs having a preset chronological order.
  • the system detects that the received API request is not received in an expected chronological order defined by the present chronological order.
  • the received API request is identified as an anomaly based on the unexpected chronological order of the receive API request.
  • a non-transitory computer readable storage medium has embodied thereon a program that is executable by a processor to perform a method.
  • the method automatically detects an anomaly based on a session of APIs received for a web service.
  • the method begins with receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server.
  • the received API request is compared to a set of APIs having a preset chronological order.
  • the system detects that the received API request is not received in an expected chronological order defined by the present chronological order.
  • the received API request is identified as an anomaly based on the unexpected chronological order of the receive API request.
  • a system can include a server, memory and one or more processors.
  • One or more modules may be stored in memory and executed by the processors to receive, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server, compare the received API request to a set of APIs having a preset chronological order, detect that the received API request is not received in an expected chronological order defined by the present chronological order, and identify the received API request as an anomaly based on the unexpected chronological order of the receive API request.
  • FIG. 1 is a block diagram of a system for intelligently monitoring API sessions.
  • FIG. 2 is a block diagram of an application that automatically monitors API sessions.
  • FIG. 3 is a method that automatically monitors API sessions.
  • FIG. 4 is a method for identifying API requests related to an API response.
  • FIG. 5 is a method for identifying API requests related to previously intercepted API responses.
  • FIG. 6 is a method for detecting anomalous API requests based on API sessions.
  • FIG. 7 is a block diagram of a system for implementing machines that implement the present technology.
  • the present system identifies sessions of API behavior and uses the identified behavior to detect anomalous API requests.
  • a session of API behavior is detected as two or more API requests that are typically received in order.
  • a session may include an API request to select a product, followed by an API response with a URL for viewing the product, an API request to place the product in the user's cart, followed by an API response with a URL for displaying the items in the user's cart, followed by an API request to perform checkout, and finally followed by an API response with a URL for providing a checkout page to the user.
  • the APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response.
  • incoming API requests that are typically associated with a session can be compared to the session to see if they appear in the expected sequence based on the session. If an API request is not received in the sequence according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request can be tagged as an anomaly.
  • FIG. 1 is a block diagram 100 of a system for intelligently monitoring API sessions.
  • the block diagram 100 of FIG. 1 includes client devices 110 - 140 , customer server 150 , network 160 , Application server 170 , and data store 180 .
  • Client devices 110 - 140 may send API requests to and receive API responses from customer server 150 .
  • the client devices may be any device which can access the service, network page, webpage, or other content provided by customer server 150 .
  • Client devices 110 - 140 may send a request to customer server 150 , for example to an API provided by customer server 150 , and customer server 150 may send a response to the devices based on the request.
  • the request may be sent to a particular URL provided by customer server 150 and the response may be sent from the server to the device in response to the request.
  • a typical system may handle requests from a larger number of clients, for example, dozens, hundreds, or thousands, and any number of client devices may be used to interact with customer server 150 .
  • Customer server 150 may provide a service to client devices 110 - 140 .
  • the service may be accessible through APIs provided by customer server 150 .
  • Agent 152 on customer server 150 may monitor the communication between customer server 150 and client devices 110 - 140 and intercept traffic transmitted between the server and the devices. Upon intercepting the traffic, agent 152 may forward the traffic to application 172 on application server 170 .
  • one or more agents may be installed on customer server 150 , which may be implemented by one or more physical or logical machines. In some instances, server 150 may actually be implemented by multiple servers in different locations, providing a distributed service for devices 110 - 140 .
  • one or more agents 152 may be installed to intercept API requests and responses between devices 110 - 140 and customer server 150 , in some instances may aggregate the traffic by API request and response data, and may transmit request and response data to application 172 on server 170 .
  • Network 140 may include one or more private networks, public networks, intranets, the Internet, an intranet, wide-area networks, local area networks, cellular networks, radio-frequency networks, Wi-Fi networks, any other network which may be used to transmit data, and any combination of these networks.
  • Client devices 110 - 140 , customer server 150 , Application server 170 , and data store 180 may all communicate over network 160 (whether or not labeled so in FIG. 1 ).
  • Application server 170 may be implemented as one or more physical or logical machines that provide application functionality as described herein.
  • application server may include one or more applications 172 .
  • the application 172 may be stored on one or more application servers 170 and be executed to perform functionality as described herein.
  • Application server and application 172 may both communicate over network 160 and data store 180 .
  • Data store 180 may be accessible by application server 170 and application 172 .
  • data store 180 may include one or more APIs, API descriptions, and other data.
  • FIG. 2 is a block diagram of an application that automatically monitors API sessions.
  • Application 172 of FIG. 2 provides more detail for application 172 of the system of FIG. 1 .
  • Application 172 includes API parsing engine 210 , API analyzing module 220 , API session generator module 230 , and anomaly alert 240 .
  • API parsing engine 210 may access and detect components of API requests. The engine 210 may detect path parameters, query parameters, request header content, request body content, response API headers and bodies, and other content within a URL, request, or response associated with an API. The parsed API components may be used to identify sessions of API requests.
  • API parsing engine can also detect portions of each component as they are detected by a remote agent.
  • each API parsing engine can detect component parameters, sensitivity, character distributions, and other data.
  • Component parameters may include a variable type, such as an integer string, or float.
  • Component sensitivity can include private information, such as credit card information, password information, security question information, email data, and other data that users may prefer to keep quiet or may be used to compromise their account, their finances, or other personal details.
  • Character distribution identification and/or tracking may include detecting the location and number of occurrences of a particular character, for example in a URL, API request header or body, or API response body.
  • the characters may include special characters colon, semicolon, slash, question marks, exclamation marks, asterisks, parenthesis, and other nun-numeric and non-alphabet characters.
  • API analyzing module 220 may determine if a received and parsed API matches an expected API as part of a session. In some instances, as an API request is received, it may be parsed and compared to an expected API or API template that is identified within a session of APIs. The expected API request may be the next API request in a series of requests that comprise an API session. API analyzing module 220 may retrieve a next expected API within a session, or all APIs within a session, from API session generator 230 . If a detected API does not match an expected API, API analyzing may send a signal to anomaly alert 240 .
  • API session generator 230 may identify sessions that consists of two or more APIs requests received in succession. For example, an API session generator may determine that a session includes APIs associated with selecting a product, adding a product to a cart, and then performing a checkout. APIs associated with the three actions may be associated with a session, and stored as a session by API session generator 230 . API session generator 230 may provide API data to API analyzing module 220 . The provider data may include APIs in a session, an indicator if a detected API is in any session, or other data associated with APIs within a session.
  • Anomaly alert 240 can generate an alert for an administrator, in a dashboard, or otherwise generate an alert in a system regarding the detection of an anomaly or some other status of interest.
  • the alerts can be generated, for example, via message, email, through an interface, in a dashboard, or in some other way that communicates the occurrence of the anomaly.
  • FIG. 3 is a method that automatically monitors API sessions.
  • an agent may be installed in a customer system to intercept live traffic at step 310 .
  • the installation may include one or more agents, as needed, to intercept API requests and responses.
  • the live API traffic consisting of requests and responses may then be intercepted between user computing devices and servers at step 315 .
  • the live URL traffic including API requests, API responses, and other communications between a server and a client device, may be forwarded to an application on a remote server at step 320 .
  • the traffic may be forwarded periodically or in response to a push, pull, or another event.
  • the API requests and responses may be aggregated before being reported by an agent to a remote application.
  • a session of related, consecutive API requests and responses may form part of a transaction that achieves a particular goal, such as purchasing a product, making an airline reservation or a hotel reservation, or other goal. More detail for determining whether an API request input is based at least in part on a previous API response output is discussed with respect to the method of FIG. 4 .
  • step 340 the API request input and API response output are added to a new or existing session.
  • the session is then stored and/or updated at step 350 with the new connection between the API request input and API response output.
  • step 340 API requests and responses continue to be intercepted by one or more agents and forwarded to an application on a remote sever at step 330 .
  • a first API request and a second API request may be related to each other, and part of a session, regardless of the API response received from the first request.
  • a subsequent API request can be related to a previous API request as part of an overall business transaction (such as making a reservation, purchasing a product, and so forth). More details for determining whether an API request input is based at least in part on previous API request input is discussed with respect to the method of FIG. 5 .
  • a current API request input is based at least in part on a previous API request input
  • the API requests are added to a session at step 340 .
  • the session may include just the two related requests, or additional requests and/or responses that are determined to be related to one of the requests.
  • the related API requests are stored as a session based on the connection they share at step 345 .
  • the method of FIGURE continues to operate, for example from steps 315 - 350 , as more traffic is intercepted and API requests and responses are analyzed to determine if they are part of a new or pre-existing session. If determined to be part of a session, the requests and/or responses may be added to an existing session or form a new session, as appropriate.
  • the current API request is determined to not be associated with a session at step 350 .
  • determining if an API request is related to a previous intercepted API response can include comparing parameters of requests to parameters of the response. If input parameters of a requests are related to output parameters of response, the API request and response may be related. More details for identifying whether a subsequent API request is related to an intercepted API response is discussed with respect to the method of FIG. 4 .
  • Subsequent API responses may be intercepted from the survey API to a user device at step 330 .
  • API responses from server API to user device may be intercepted by one or more agents installed at the server.
  • intercepted API responses may be grouped together or analyzed individually. In any case, there analyzed to determine their parameters and components for comparison purposes.
  • An API request from a user to a server API may be intercepted at step 335 .
  • the intercepted API requests may be intercepted by one or more agents on one or more servers, and may be analyzed by an application 172 .
  • the most recent API requests that are related to previous intercepted API responses are identified at step 340 .
  • aspects of the request and response may be compared to each other. For example, input parameters in a request may match output parameters in a response.
  • the input parameters and output parameters may be in a URL, header, body, in any of several different formats.
  • Related APIs are stored in order as a session based on connected requests and responses at step 345 .
  • a particular API request is related to an API response, the two API portions may be part of a session. If a subsequent API request utilizes information in a previously received API response, those portions may be connected as well, and the subsequent API request may be part of the session.
  • Related APIs may be stored as a session based on the connected requests and responses at step 345 .
  • FIG. 4 is a method for identifying API requests related to an API response. The method of FIG. 4 provides more detail for step 325 of the method of FIG. 3 .
  • Inputs for a current API requests are accessed at step 410 . Inputs may be express as queries, or other data within the URL, header, or body of the request.
  • Outputs for previously intercepted API responses are accessed at step 420 . The outputs may include data in the API response URL, header, body, or otherwise stored as data within the API response.
  • the API request input is compared to the API response output at step 430 .
  • a determination is made as to whether the API request input is based at least in part on the API request output at step 440 . If the API request input is based on some part on API request output, the detected API request is determined to have a connection with, and be based at least in part on, on the API response at step 450 . For example, if an input of the API request includes a particular product identifier that is also included in the API response, the API request is determined to be based at least in part on the API request.
  • the detected API request is determined to not have a connection with the intercepted API response at step 460 . As such, the request and response are determined to not be a part of a particular session.
  • FIG. 5 is a method for determining if an API request is based at least in part on a previous API request. The method of FIG. 5 provides more detail for step 335 of the method of FIG. 3 .
  • Inputs for a current API request are accessed at step 510 . Inputs may be express as queries, or other data within the URL, header, or body of the request.
  • Outputs for previously intercepted API responses are accessed at step 520 . The outputs may include data in the API response URL, header, body, or otherwise stored as data within the API response.
  • the API request input is compared to the API response output at step 530 .
  • a determination is made as to whether the API request input is based at least in part on the API request output at step 540 . If the API request input is based on some part on API request output, the detected API request is determined to have a connection with, and be based at least in part on, on the API response at step 550 . For example, if an input of the API request includes a particular product identifier that is also included in the API response, the API request is determined to be based at least in part on the API request.
  • the detected API request is determined to not have a connection with the intercepted API response at step 560 . As such, the request and response are determined to not be a part of a particular session.
  • FIG. 6 is a method for detecting anomalous API requests based on API sessions.
  • An API request associated with a session is detected at step 610 .
  • each intercepted API request can be compared to a set of APIs associated with a session to determine whether the intercepted API request matches a request associated with a session.
  • the received API request is analyzed with respect to APIs in the session at step 620 .
  • the received API request may be analyzed to determine if the request should have a particular API request or API response precede it. Analyzing the received API request can include comparing the received API request to the set of APIs in one or more sessions to determine if any API requests should come before the received API. For example, if the received API request is a checkout request, the received API request may be expected to be preceded by a “view cart” request.
  • Sessions have two or more APIs that are expected to be received in a particular order. Other than the first API request in the session, each API request is preceded by a particular API within the session. As such, the determination at step 630 determines whether the received API request is received in an expected chronological order of API requests. If an API request is not preceded by an expected API, and the API request is not the first API request in the session, there may be an issue with the detected API request.
  • the API request that was detected was expected to be preceded by a particular API request as indicated in a stored session of APIs, but was actually preceded by a different API request, then the API request is considered an anomaly at step 650 .
  • the API request which is not preceded by the expected API request within the current session may be an attack on the system, or just an error request.
  • An alert can be generated for an administrator based on the determination API request is an anomaly, and the request can be analyzed further to determine if it is a mistake or an attack.
  • a subsequent API request is eventually detected at step 640 .
  • a determination is then made as to whether the subsequent API request matches an expected subsequent API in the current session at step 650 .
  • the determination at step 650 determines whether the received API request is received in an expected chronological order of API requests. If the subsequent API request does not match the expected subsequent API in the current session, the API request is labeled as an anomaly at step 650 . If the API request does match the expected request within the session, a determination is made as to whether any additional APIs are expected in the current session at step 660 . If additional APIs are expected, the method of FIG. 6 returns to step 640 to process subsequent API requests. If additional APIs are not expected, then the API session is determined to not be an anomaly at step 660 .
  • FIG. 7 is a block diagram of a system for implementing machines that implement the present technology.
  • System 700 of FIG. 7 may be implemented in the contexts of the likes of machines that implement client devices 110 - 140 , customer server 150 , Application server 170 , and data store 180 .
  • the computing system 700 of FIG. 7 includes one or more processors 710 and memory 720 .
  • Main memory 720 stores, in part, instructions and data for execution by processor 710 .
  • Main memory 720 can store the executable code when in operation.
  • the system 700 of FIG. 7 further includes a mass storage device 730 , portable storage medium drive(s) 740 , output devices 750 , user input devices 760 , a graphics display 770 , and peripheral devices 780 .
  • processor unit 710 and main memory 720 may be connected via a local microprocessor bus, and the mass storage device 730 , peripheral device(s) 780 , portable storage device 740 , and display system 770 may be connected via one or more input/output (I/O) buses.
  • I/O input/output
  • Mass storage device 730 which may be implemented with a magnetic disk drive, an optical disk drive, a flash drive, or other device, is a non-volatile storage device for storing data and instructions for use by processor unit 710 . Mass storage device 730 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 720 .
  • Portable storage device 740 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or Digital video disc, USB drive, memory card or stick, or other portable or removable memory, to input and output data and code to and from the computer system 700 of FIG. 7 .
  • a portable non-volatile storage medium such as a floppy disk, compact disk or Digital video disc, USB drive, memory card or stick, or other portable or removable memory
  • the system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 700 via the portable storage device 740 .
  • Input devices 760 provide a portion of a user interface.
  • Input devices 760 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, a pointing device such as a mouse, a trackball, stylus, cursor direction keys, microphone, touch-screen, accelerometer, and other input devices.
  • the system 700 as shown in FIG. 7 includes output devices 750 . Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
  • Display system 770 may include a liquid crystal display (LCD) or other suitable display device. Display system 770 receives textual and graphical information and processes the information for output to the display device. Display system 770 may also receive input as a touch-screen.
  • LCD liquid crystal display
  • Peripherals 780 may include any type of computer support device to add additional functionality to the computer system.
  • peripheral device(s) 780 may include a modem or a router, printer, and other device.
  • the system of 700 may also include, in some implementations, antennas, radio transmitters and radio receivers 790 .
  • the antennas and radios may be implemented in devices such as smart phones, tablets, and other devices that may communicate wirelessly.
  • the one or more antennas may operate at one or more radio frequencies suitable to send and receive data over cellular networks, Wi-Fi networks, commercial device networks such as a Bluetooth device, and other radio frequency networks.
  • the devices may include one or more radio transmitters and receivers for processing signals sent and received using the antennas.
  • the components contained in the computer system 700 of FIG. 7 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art.
  • the computer system 700 of FIG. 7 can be a personal computer, handheld computing device, smart phone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device.
  • the computer can also include different bus configurations, networked platforms, multi-processor platforms, etc.
  • Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Android, as well as languages including Java, .NET, C, C++, Node.JS, and other suitable languages.

Abstract

A system identifies sessions of API behavior and uses the identified behavior to detect anomalous API requests. A session of API behavior is detected as two or more API requests that are typically received in a chronological order. The APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response. Once APIs in a session are learned, incoming API requests typically associated with a session can be compared to the session to determine if they appear in an expected sequence based on the session. If an API request is not received in the sequence or chronological order according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request may be an anomaly.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • The present application claims the priority benefit of U.S. provisional patent application 63/167,649, filed on Mar. 30, 2021, titled “INTELLIGENT APPLICATION PROTECTION,” the disclosure of which is incorporated herein by reference.
    • BACKGROUND
  • When analyzing, tracking, or monitoring a system, it is often important to know the specification of the system, including application program interface (API) specifications. In some systems, a common method for attacking is for an attacker to submit an API request and attempt to get information from the system. Can be difficult to detect whether these API requests from attackers are legitimate or not. What is needed is an improved mechanism for detecting illegitimate and API requests from unauthorized requesters.
    • SUMMARY
  • The present technology, roughly described, identifies sessions of API behavior and uses the identified behavior to detect anomalous API requests. A session of API behavior is detected as two or more API requests that are typically received in order. For example, for an e-commerce service, a session may include an API request to select a product, followed by an API response with a URL for viewing the product, an API request to place the product in the user's cart, followed by an API response with a URL for displaying the items in the user's cart, followed by an API request to perform checkout, and finally followed by an API response with a URL for providing a checkout page to the user. The APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response.
  • Once APIs in a session are learned, incoming API requests that are typically associated with a session can be compared to the session to see if they appear in the expected sequence based on the session. If an API request is not received in the sequence according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request can be tagged as an anomaly.
  • In some instances, a method automatically detects an anomaly based on a session of APIs received for a web service. The method begins with receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server. The received API request is compared to a set of APIs having a preset chronological order. The system then detects that the received API request is not received in an expected chronological order defined by the present chronological order. The received API request is identified as an anomaly based on the unexpected chronological order of the receive API request.
  • In some instances, a non-transitory computer readable storage medium has embodied thereon a program that is executable by a processor to perform a method. The method automatically detects an anomaly based on a session of APIs received for a web service. The method begins with receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server. The received API request is compared to a set of APIs having a preset chronological order. The system then detects that the received API request is not received in an expected chronological order defined by the present chronological order. The received API request is identified as an anomaly based on the unexpected chronological order of the receive API request.
  • In embodiments, a system can include a server, memory and one or more processors. One or more modules may be stored in memory and executed by the processors to receive, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server, compare the received API request to a set of APIs having a preset chronological order, detect that the received API request is not received in an expected chronological order defined by the present chronological order, and identify the received API request as an anomaly based on the unexpected chronological order of the receive API request.
    • BRIEF DESCRIPTION OF FIGURES
  • FIG. 1 is a block diagram of a system for intelligently monitoring API sessions.
  • FIG. 2 is a block diagram of an application that automatically monitors API sessions.
  • FIG. 3 is a method that automatically monitors API sessions.
  • FIG. 4 is a method for identifying API requests related to an API response.
  • FIG. 5 is a method for identifying API requests related to previously intercepted API responses.
  • FIG. 6 is a method for detecting anomalous API requests based on API sessions.
  • FIG. 7 is a block diagram of a system for implementing machines that implement the present technology.
    •  DETAILED DESCRIPTION
  • The present system identifies sessions of API behavior and uses the identified behavior to detect anomalous API requests. A session of API behavior is detected as two or more API requests that are typically received in order. For example, for an e-commerce service, a session may include an API request to select a product, followed by an API response with a URL for viewing the product, an API request to place the product in the user's cart, followed by an API response with a URL for displaying the items in the user's cart, followed by an API request to perform checkout, and finally followed by an API response with a URL for providing a checkout page to the user. The APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response.
  • Once APIs in a session are learned, incoming API requests that are typically associated with a session can be compared to the session to see if they appear in the expected sequence based on the session. If an API request is not received in the sequence according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request can be tagged as an anomaly.
  • FIG. 1 is a block diagram 100 of a system for intelligently monitoring API sessions. The block diagram 100 of FIG. 1 includes client devices 110-140, customer server 150, network 160, Application server 170, and data store 180.
  • Client devices 110-140 may send API requests to and receive API responses from customer server 150. The client devices may be any device which can access the service, network page, webpage, or other content provided by customer server 150. Client devices 110-140 may send a request to customer server 150, for example to an API provided by customer server 150, and customer server 150 may send a response to the devices based on the request. The request may be sent to a particular URL provided by customer server 150 and the response may be sent from the server to the device in response to the request. Though only for four client devices are shown, a typical system may handle requests from a larger number of clients, for example, dozens, hundreds, or thousands, and any number of client devices may be used to interact with customer server 150.
  • Customer server 150 may provide a service to client devices 110-140. The service may be accessible through APIs provided by customer server 150. Agent 152 on customer server 150 may monitor the communication between customer server 150 and client devices 110-140 and intercept traffic transmitted between the server and the devices. Upon intercepting the traffic, agent 152 may forward the traffic to application 172 on application server 170. In some instances, one or more agents may be installed on customer server 150, which may be implemented by one or more physical or logical machines. In some instances, server 150 may actually be implemented by multiple servers in different locations, providing a distributed service for devices 110-140. In any case, one or more agents 152 may be installed to intercept API requests and responses between devices 110-140 and customer server 150, in some instances may aggregate the traffic by API request and response data, and may transmit request and response data to application 172 on server 170.
  • Network 140 may include one or more private networks, public networks, intranets, the Internet, an intranet, wide-area networks, local area networks, cellular networks, radio-frequency networks, Wi-Fi networks, any other network which may be used to transmit data, and any combination of these networks. Client devices 110-140, customer server 150, Application server 170, and data store 180 may all communicate over network 160 (whether or not labeled so in FIG. 1).
  • Application server 170 may be implemented as one or more physical or logical machines that provide application functionality as described herein. In some instances, application server may include one or more applications 172. The application 172 may be stored on one or more application servers 170 and be executed to perform functionality as described herein. Application server and application 172 may both communicate over network 160 and data store 180.
  • Data store 180 may be accessible by application server 170 and application 172. In some instance, data store 180 may include one or more APIs, API descriptions, and other data.
  • FIG. 2 is a block diagram of an application that automatically monitors API sessions. Application 172 of FIG. 2 provides more detail for application 172 of the system of FIG. 1. Application 172 includes API parsing engine 210, API analyzing module 220, API session generator module 230, and anomaly alert 240. API parsing engine 210 may access and detect components of API requests. The engine 210 may detect path parameters, query parameters, request header content, request body content, response API headers and bodies, and other content within a URL, request, or response associated with an API. The parsed API components may be used to identify sessions of API requests.
  • API parsing engine can also detect portions of each component as they are detected by a remote agent. For example, each API parsing engine can detect component parameters, sensitivity, character distributions, and other data. Component parameters may include a variable type, such as an integer string, or float. Component sensitivity can include private information, such as credit card information, password information, security question information, email data, and other data that users may prefer to keep quiet or may be used to compromise their account, their finances, or other personal details. Character distribution identification and/or tracking may include detecting the location and number of occurrences of a particular character, for example in a URL, API request header or body, or API response body. The characters may include special characters colon, semicolon, slash, question marks, exclamation marks, asterisks, parenthesis, and other nun-numeric and non-alphabet characters.
  • API analyzing module 220 may determine if a received and parsed API matches an expected API as part of a session. In some instances, as an API request is received, it may be parsed and compared to an expected API or API template that is identified within a session of APIs. The expected API request may be the next API request in a series of requests that comprise an API session. API analyzing module 220 may retrieve a next expected API within a session, or all APIs within a session, from API session generator 230. If a detected API does not match an expected API, API analyzing may send a signal to anomaly alert 240.
  • API session generator 230 may identify sessions that consists of two or more APIs requests received in succession. For example, an API session generator may determine that a session includes APIs associated with selecting a product, adding a product to a cart, and then performing a checkout. APIs associated with the three actions may be associated with a session, and stored as a session by API session generator 230. API session generator 230 may provide API data to API analyzing module 220. The provider data may include APIs in a session, an indicator if a detected API is in any session, or other data associated with APIs within a session.
  • Anomaly alert 240 can generate an alert for an administrator, in a dashboard, or otherwise generate an alert in a system regarding the detection of an anomaly or some other status of interest. The alerts can be generated, for example, via message, email, through an interface, in a dashboard, or in some other way that communicates the occurrence of the anomaly.
  • FIG. 3 is a method that automatically monitors API sessions. First, an agent may be installed in a customer system to intercept live traffic at step 310. The installation may include one or more agents, as needed, to intercept API requests and responses. The live API traffic consisting of requests and responses may then be intercepted between user computing devices and servers at step 315. The live URL traffic, including API requests, API responses, and other communications between a server and a client device, may be forwarded to an application on a remote server at step 320. The traffic may be forwarded periodically or in response to a push, pull, or another event. In some instances, the API requests and responses may be aggregated before being reported by an agent to a remote application.
  • A determination is made as to whether an API request input is based at least in part on previous API response output at step 325. If the response from the remote server application is used to a subsequent request, it is possible that the request and related response are part of a session. A session of related, consecutive API requests and responses may form part of a transaction that achieves a particular goal, such as purchasing a product, making an airline reservation or a hotel reservation, or other goal. More detail for determining whether an API request input is based at least in part on a previous API response output is discussed with respect to the method of FIG. 4.
  • If the request input is based on the response output, the method of FIG. 3 continues to step 340, where the API request input and API response output are added to a new or existing session. The session is then stored and/or updated at step 350 with the new connection between the API request input and API response output.
  • If the request input is not based on the response output, the method of FIG. 3 continues to step 340, API requests and responses continue to be intercepted by one or more agents and forwarded to an application on a remote sever at step 330.
  • A determination is made as to whether an API request input is based at least in part on previous API request input at step 335. A first API request and a second API request may be related to each other, and part of a session, regardless of the API response received from the first request. In some instances, a subsequent API request can be related to a previous API request as part of an overall business transaction (such as making a reservation, purchasing a product, and so forth). More details for determining whether an API request input is based at least in part on previous API request input is discussed with respect to the method of FIG. 5.
  • If a current API request input is based at least in part on a previous API request input, then the API requests are added to a session at step 340. The session may include just the two related requests, or additional requests and/or responses that are determined to be related to one of the requests. The related API requests are stored as a session based on the connection they share at step 345. The method of FIGURE continues to operate, for example from steps 315-350, as more traffic is intercepted and API requests and responses are analyzed to determine if they are part of a new or pre-existing session. If determined to be part of a session, the requests and/or responses may be added to an existing session or form a new session, as appropriate.
  • If the API request input is not based at all on the previous API request input and not based at all on a previous API response output, the current API request is determined to not be associated with a session at step 350.
  • identified by one or more agents installed within a customer system. In some instances, determining if an API request is related to a previous intercepted API response can include comparing parameters of requests to parameters of the response. If input parameters of a requests are related to output parameters of response, the API request and response may be related. More details for identifying whether a subsequent API request is related to an intercepted API response is discussed with respect to the method of FIG. 4.
  • Subsequent API responses may be intercepted from the survey API to a user device at step 330. API responses from server API to user device may be intercepted by one or more agents installed at the server. In some instances, intercepted API responses may be grouped together or analyzed individually. In any case, there analyzed to determine their parameters and components for comparison purposes.
  • An API request from a user to a server API may be intercepted at step 335. The intercepted API requests may be intercepted by one or more agents on one or more servers, and may be analyzed by an application 172.
  • The most recent API requests that are related to previous intercepted API responses are identified at step 340. In some instances, to help determine if the request and response are related to each other, aspects of the request and response may be compared to each other. For example, input parameters in a request may match output parameters in a response. The input parameters and output parameters may be in a URL, header, body, in any of several different formats. By comparing the components of a request in response, API requests that are related to API responses can be identified. More information for identifying the most recent API requests related to a previous intercepted API response is discussed in more detail with respect to the method of FIG. 5.
  • Related APIs are stored in order as a session based on connected requests and responses at step 345. A particular API request is related to an API response, the two API portions may be part of a session. If a subsequent API request utilizes information in a previously received API response, those portions may be connected as well, and the subsequent API request may be part of the session. Related APIs may be stored as a session based on the connected requests and responses at step 345.
  • FIG. 4 is a method for identifying API requests related to an API response. The method of FIG. 4 provides more detail for step 325 of the method of FIG. 3. Inputs for a current API requests are accessed at step 410. Inputs may be express as queries, or other data within the URL, header, or body of the request. Outputs for previously intercepted API responses are accessed at step 420. The outputs may include data in the API response URL, header, body, or otherwise stored as data within the API response.
  • The API request input is compared to the API response output at step 430. A determination is made as to whether the API request input is based at least in part on the API request output at step 440. If the API request input is based on some part on API request output, the detected API request is determined to have a connection with, and be based at least in part on, on the API response at step 450. For example, if an input of the API request includes a particular product identifier that is also included in the API response, the API request is determined to be based at least in part on the API request.
  • If the API request input is not based at least in part on API request output, the detected API request is determined to not have a connection with the intercepted API response at step 460. As such, the request and response are determined to not be a part of a particular session.
  • FIG. 5 is a method for determining if an API request is based at least in part on a previous API request. The method of FIG. 5 provides more detail for step 335 of the method of FIG. 3. Inputs for a current API request are accessed at step 510. Inputs may be express as queries, or other data within the URL, header, or body of the request. Outputs for previously intercepted API responses are accessed at step 520. The outputs may include data in the API response URL, header, body, or otherwise stored as data within the API response.
  • The API request input is compared to the API response output at step 530. A determination is made as to whether the API request input is based at least in part on the API request output at step 540. If the API request input is based on some part on API request output, the detected API request is determined to have a connection with, and be based at least in part on, on the API response at step 550. For example, if an input of the API request includes a particular product identifier that is also included in the API response, the API request is determined to be based at least in part on the API request.
  • If the API request input is not based at least in part on API request output, the detected API request is determined to not have a connection with the intercepted API response at step 560. As such, the request and response are determined to not be a part of a particular session.
  • FIG. 6 is a method for detecting anomalous API requests based on API sessions. An API request associated with a session is detected at step 610. In some instances, each intercepted API request can be compared to a set of APIs associated with a session to determine whether the intercepted API request matches a request associated with a session.
  • The received API request is analyzed with respect to APIs in the session at step 620. The received API request may be analyzed to determine if the request should have a particular API request or API response precede it. Analyzing the received API request can include comparing the received API request to the set of APIs in one or more sessions to determine if any API requests should come before the received API. For example, if the received API request is a checkout request, the received API request may be expected to be preceded by a “view cart” request.
  • A determination is made as to whether the detected API request is expected to be preceded by a different API request in the current session at step 630. Sessions have two or more APIs that are expected to be received in a particular order. Other than the first API request in the session, each API request is preceded by a particular API within the session. As such, the determination at step 630 determines whether the received API request is received in an expected chronological order of API requests. If an API request is not preceded by an expected API, and the API request is not the first API request in the session, there may be an issue with the detected API request. If the API request that was detected was expected to be preceded by a particular API request as indicated in a stored session of APIs, but was actually preceded by a different API request, then the API request is considered an anomaly at step 650. In some instances, the API request which is not preceded by the expected API request within the current session may be an attack on the system, or just an error request. An alert can be generated for an administrator based on the determination API request is an anomaly, and the request can be analyzed further to determine if it is a mistake or an attack.
  • If the detected API requests is preceded by the expected API request in the current session, a subsequent API request is eventually detected at step 640. A determination is then made as to whether the subsequent API request matches an expected subsequent API in the current session at step 650. The determination at step 650 determines whether the received API request is received in an expected chronological order of API requests. If the subsequent API request does not match the expected subsequent API in the current session, the API request is labeled as an anomaly at step 650. If the API request does match the expected request within the session, a determination is made as to whether any additional APIs are expected in the current session at step 660. If additional APIs are expected, the method of FIG. 6 returns to step 640 to process subsequent API requests. If additional APIs are not expected, then the API session is determined to not be an anomaly at step 660.
  • FIG. 7 is a block diagram of a system for implementing machines that implement the present technology. System 700 of FIG. 7 may be implemented in the contexts of the likes of machines that implement client devices 110-140, customer server 150, Application server 170, and data store 180. The computing system 700 of FIG. 7 includes one or more processors 710 and memory 720. Main memory 720 stores, in part, instructions and data for execution by processor 710. Main memory 720 can store the executable code when in operation. The system 700 of FIG. 7 further includes a mass storage device 730, portable storage medium drive(s) 740, output devices 750, user input devices 760, a graphics display 770, and peripheral devices 780.
  • The components shown in FIG. 7 are depicted as being connected via a single bus 790. However, the components may be connected through one or more data transport means. For example, processor unit 710 and main memory 720 may be connected via a local microprocessor bus, and the mass storage device 730, peripheral device(s) 780, portable storage device 740, and display system 770 may be connected via one or more input/output (I/O) buses.
  • Mass storage device 730, which may be implemented with a magnetic disk drive, an optical disk drive, a flash drive, or other device, is a non-volatile storage device for storing data and instructions for use by processor unit 710. Mass storage device 730 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 720.
  • Portable storage device 740 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or Digital video disc, USB drive, memory card or stick, or other portable or removable memory, to input and output data and code to and from the computer system 700 of FIG. 7. The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 700 via the portable storage device 740.
  • Input devices 760 provide a portion of a user interface. Input devices 760 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, a pointing device such as a mouse, a trackball, stylus, cursor direction keys, microphone, touch-screen, accelerometer, and other input devices. Additionally, the system 700 as shown in FIG. 7 includes output devices 750. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
  • Display system 770 may include a liquid crystal display (LCD) or other suitable display device. Display system 770 receives textual and graphical information and processes the information for output to the display device. Display system 770 may also receive input as a touch-screen.
  • Peripherals 780 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 780 may include a modem or a router, printer, and other device.
  • The system of 700 may also include, in some implementations, antennas, radio transmitters and radio receivers 790. The antennas and radios may be implemented in devices such as smart phones, tablets, and other devices that may communicate wirelessly. The one or more antennas may operate at one or more radio frequencies suitable to send and receive data over cellular networks, Wi-Fi networks, commercial device networks such as a Bluetooth device, and other radio frequency networks. The devices may include one or more radio transmitters and receivers for processing signals sent and received using the antennas.
  • The components contained in the computer system 700 of FIG. 7 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system 700 of FIG. 7 can be a personal computer, handheld computing device, smart phone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Android, as well as languages including Java, .NET, C, C++, Node.JS, and other suitable languages.
  • The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen to best explain the principles of the technology and its practical application to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims appended hereto.

Claims (20)

What is claimed is:
1. A method for automatically detecting an anomaly based on a session of APIs received for a web service, the method comprising:
receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server;
comparing the received API request to a set of APIs having a preset chronological order;
detecting that the received API request is not received in an expected chronological order defined by the present chronological order; and
identifying the received API request as an anomaly based on the unexpected chronological order of the receive API request.
2. The method of claim 1, wherein detecting that the received API request is not received in an expected chronological order includes detecting that the received API request is not preceded by an expected preceding API request as specified in the preset chronological order.
3. The method of claim 1, further comprising:
receiving, by a server from an agent stored on a remote server, a subsequent API request sent from a user device to a server API; and
detecting that the received API request and the subsequent API request are not received in an expected chronological order defined by the present chronological order.
4. The method of claim 3, wherein the expected chronological order includes an API request that differs from the subsequent API request.
5. The method of claim 1, wherein the set of APIs having a preset chronological order have a first API with an output that is taken as the input of subsequent API in the set of APIs.
6. A method for automatically detecting an anomaly based on a session of APIs received for a web service, the method comprising:
receiving, by a remote server from an agent on a server, API requests received from a remote device to the server and API responses sent to the remote devices from the server;
receiving, by the remote server from the agent on the server, subsequent API requests received from a remote device to the server;
determining, by an application on the remote server, that the subsequent API requests are related to the API responses sent to the remote devices from the server;
storing the subsequent API request and the API response as a set of APIs having a preset chronological order; and
automatically identifying subsequent requests as anomalies based on a comparison of the subsequent requests with the set of APIs having a preset chronological order.
7. The method of claim 6, wherein determining includes detecting that the input of the subsequent API request is based on output of the API response.
8. The method of claim 7, wherein a query in the input of the subsequent API request matches a parameter in the output of the API response.
9. The method of claim 6, wherein the set of APIs having a preset chronological order form a business transaction provided by a web service.
10. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for automatically detecting an anomaly based on a session of APIs received for a web service, the method comprising:
receiving, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server;
comparing the received API request to a set of APIs having a preset chronological order;
detecting that the received API request is not received in an expected chronological order defined by the present chronological order; and
identifying the received API request as an anomaly based on the unexpected chronological order of the receive API request.
11. The non-transitory computer readable storage medium of claim 10, wherein detecting that the received API request is not received in an expected chronological order includes detecting that the received API request is not preceded by an expected preceding API request as specified in the preset chronological order.
12. The non-transitory computer readable storage medium of claim 10, the method further comprising:
receiving, by a server from an agent stored on a remote server, a subsequent API request sent from a user device to a server API; and
detecting that the received API request and the subsequent API request are not received in an expected chronological order defined by the present chronological order.
13. The non-transitory computer readable storage medium of claim 12, wherein the expected chronological order includes an API request that differs from the subsequent API request.
14. The non-transitory computer readable storage medium of claim 10, wherein the set of APIs having a preset chronological order have a first API with an output that is taken as the input of subsequent API in the set of APIs.
15. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for automatically detecting an anomaly based on a session of APIs received for a web service, the method comprising
receiving, by a remote server from an agent on a server, API requests received from a remote device to the server and API responses sent to the remote devices from the server;
receiving, by the remote server from the agent on the server, subsequent API requests received from a remote device to the server;
determining, by an application on the remote server, that the subsequent API requests are related to the API responses sent to the remote devices from the server;
storing the subsequent API request and the API response as a set of APIs having a preset chronological order; and
automatically identifying subsequent requests as anomalies based on a comparison of the subsequent requests with the set of APIs having a preset chronological order.
16. The non-transitory computer readable storage medium of claim 15, wherein determining includes detecting that the input of the subsequent API request is based on output of the API response.
17. The non-transitory computer readable storage medium of claim 16, wherein a query in the input of the subsequent API request matches a parameter in the output of the API response.
18. The non-transitory computer readable storage medium of claim 15, wherein the set of APIs having a preset chronological order form a business transaction provided by a web service.
19. A system for automatically detecting an anomaly based on a session of APIs received for a web service, comprising:
a server including a memory and a processor; and
one or more modules stored in the memory and executed by the processor to receive, by a server from an agent stored on a remote server, an API request sent from a user device to a server API, the requests intercepted by the agent on the remote server, compare the received API request to a set of APIs having a preset chronological order, detect that the received API request is not received in an expected chronological order defined by the present chronological order, and identify the received API request as an anomaly based on the unexpected chronological order of the receive API request.
20. A system for automatically detecting an anomaly based on a session of APIs received for a web service, comprising:
a server including a memory and a processor; and
one or more modules stored in the memory and executed by the processor to receive, by a remote server from an agent on a server, API requests received from a remote device to the server and API responses sent to the remote devices from the server. receive, by the remote server from the agent on the server, subsequent API requests received from a remote device to the server. determine, by an application on the remote server, that the subsequent API requests are related to the API responses sent to the remote devices from the server, store the subsequent API request and the API response as a set of APIs having a preset chronological order, and automatically identify subsequent requests as anomalies based on a comparison of the subsequent requests with the set of APIs having a preset chronological order.
US17/339,951 2021-03-30 2021-06-05 Automatic anomaly detection based on api sessions Pending US20220321587A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/339,951 US20220321587A1 (en) 2021-03-30 2021-06-05 Automatic anomaly detection based on api sessions

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202163167649P 2021-03-30 2021-03-30
US17/339,951 US20220321587A1 (en) 2021-03-30 2021-06-05 Automatic anomaly detection based on api sessions

Publications (1)

Publication Number Publication Date
US20220321587A1 true US20220321587A1 (en) 2022-10-06

Family

ID=83448116

Family Applications (5)

Application Number Title Priority Date Filing Date
US17/339,951 Pending US20220321587A1 (en) 2021-03-30 2021-06-05 Automatic anomaly detection based on api sessions
US17/339,949 Pending US20220318081A1 (en) 2021-03-30 2021-06-05 Automatic generation of an api interface description
US17/339,946 Pending US20220318332A1 (en) 2021-03-30 2021-06-05 Intelligent naming of application program interfaces
US17/348,785 Pending US20220318618A1 (en) 2021-03-30 2021-06-16 Multi-api metric modeling using lstm system
US17/349,942 Pending US20220318378A1 (en) 2021-03-30 2021-06-17 Detecting threats based on api service business logic abuse

Family Applications After (4)

Application Number Title Priority Date Filing Date
US17/339,949 Pending US20220318081A1 (en) 2021-03-30 2021-06-05 Automatic generation of an api interface description
US17/339,946 Pending US20220318332A1 (en) 2021-03-30 2021-06-05 Intelligent naming of application program interfaces
US17/348,785 Pending US20220318618A1 (en) 2021-03-30 2021-06-16 Multi-api metric modeling using lstm system
US17/349,942 Pending US20220318378A1 (en) 2021-03-30 2021-06-17 Detecting threats based on api service business logic abuse

Country Status (1)

Country Link
US (5) US20220321587A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11921847B1 (en) * 2023-07-13 2024-03-05 Intuit, Inc. Detection of abnormal application programming interface (API) sessions including a sequence of API requests using space partitioning data structures

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140165140A1 (en) * 2011-09-09 2014-06-12 Anurag Singla Systems and methods for evaluation of events based on a reference baseline according to temporal position in a sequence of events
US20200045065A1 (en) * 2018-08-02 2020-02-06 Mastercard International Incorporated Methods and systems for identification of breach attempts in a client-server communication using access tokens
US20210152598A1 (en) * 2019-11-18 2021-05-20 F5 Networks, Inc. Network application firewall

Family Cites Families (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6226408B1 (en) * 1999-01-29 2001-05-01 Hnc Software, Inc. Unsupervised identification of nonlinear data cluster in multidimensional data
US7058633B1 (en) * 2002-09-09 2006-06-06 Cisco Technology, Inc. System and method for generalized URL-rewriting
US8635330B2 (en) * 2006-04-24 2014-01-21 Vmware, Inc. Method and system for learning web applications
US20080034424A1 (en) * 2006-07-20 2008-02-07 Kevin Overcash System and method of preventing web applications threats
EP1953995A1 (en) * 2007-01-30 2008-08-06 Seiko Epson Corporation Application execution system, computer, application execution device, and control method and program for an application execution system
US9781148B2 (en) * 2008-10-21 2017-10-03 Lookout, Inc. Methods and systems for sharing risk responses between collections of mobile communications devices
US8429751B2 (en) * 2009-03-13 2013-04-23 Trustwave Holdings, Inc. Method and apparatus for phishing and leeching vulnerability detection
US9215212B2 (en) * 2009-06-22 2015-12-15 Citrix Systems, Inc. Systems and methods for providing a visualizer for rules of an application firewall
US9112863B2 (en) * 2009-12-14 2015-08-18 International Business Machines Corporation Method, program product and server for controlling a resource access to an electronic resource stored within a protected data environment
US9367421B2 (en) * 2013-12-20 2016-06-14 Netapp, Inc. Systems, methods, and computer programs products providing relevant correlation of data source performance
US9667704B1 (en) * 2014-04-26 2017-05-30 Google Inc. System and method for classifying API requests in API processing systems using a tree configuration
US9729506B2 (en) * 2014-08-22 2017-08-08 Shape Security, Inc. Application programming interface wall
US9699205B2 (en) * 2015-08-31 2017-07-04 Splunk Inc. Network security system
EP3423980A4 (en) * 2016-02-29 2019-10-16 Palo Alto Networks, Inc. Automatically grouping malware based on artifacts
US10394552B2 (en) * 2016-05-17 2019-08-27 Dropbox, Inc. Interface description language for application programming interfaces
US11663110B2 (en) * 2016-10-31 2023-05-30 International Business Machines Corporation Analysis to check web API code usage and specification
US10942708B2 (en) * 2017-01-10 2021-03-09 International Business Machines Corporation Generating web API specification from online documentation
US10360082B2 (en) * 2017-01-19 2019-07-23 International Business Machines Corporation Analysis of application programming interface usage for improving a computer system
KR102149996B1 (en) * 2017-03-03 2020-08-31 구글 엘엘씨 System and method for establishing links between identifiers without exposing specific identification information
US10740215B2 (en) * 2017-04-26 2020-08-11 Jpmorgan Chase Bank, N.A. System and method for implementing an API validator tool
US10409711B2 (en) * 2017-06-12 2019-09-10 International Business Machines Corporation Automatically running tests against WEB APIs based on specifications
US10620945B2 (en) * 2017-12-21 2020-04-14 Fujitsu Limited API specification generation
US10776189B2 (en) * 2017-12-22 2020-09-15 MuleSoft, Inc. API query
US10452843B2 (en) * 2018-01-11 2019-10-22 ArecaBay, Inc. Self-adaptive application programming interface level security monitoring
US11258815B2 (en) * 2018-07-24 2022-02-22 Wallarm, Inc. AI-based system for accurate detection and identification of L7 threats
US11157816B2 (en) * 2018-10-17 2021-10-26 Capital One Services, Llc Systems and methods for selecting and generating log parsers using neural networks
US11113029B2 (en) * 2019-04-10 2021-09-07 International Business Machines Corporation Probabilistic matching of web application program interface code usage to specifications
US10747505B1 (en) * 2019-05-17 2020-08-18 Google Llc API specification generation
US11388216B2 (en) * 2020-01-07 2022-07-12 Volterra, Inc. System and method for generating API schemas for networked services
US10873618B1 (en) * 2020-01-07 2020-12-22 Volterra, Inc. System and method to dynamically generate a set of API endpoints
US10917401B1 (en) * 2020-03-24 2021-02-09 Imperva, Inc. Data leakage prevention over application programming interface
US11265342B2 (en) * 2020-07-02 2022-03-01 Qualys, Inc. Rest api scanning for security testing

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140165140A1 (en) * 2011-09-09 2014-06-12 Anurag Singla Systems and methods for evaluation of events based on a reference baseline according to temporal position in a sequence of events
US20200045065A1 (en) * 2018-08-02 2020-02-06 Mastercard International Incorporated Methods and systems for identification of breach attempts in a client-server communication using access tokens
US20210152598A1 (en) * 2019-11-18 2021-05-20 F5 Networks, Inc. Network application firewall

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11921847B1 (en) * 2023-07-13 2024-03-05 Intuit, Inc. Detection of abnormal application programming interface (API) sessions including a sequence of API requests using space partitioning data structures

Also Published As

Publication number Publication date
US20220318618A1 (en) 2022-10-06
US20220318081A1 (en) 2022-10-06
US20220318332A1 (en) 2022-10-06
US20220318378A1 (en) 2022-10-06

Similar Documents

Publication Publication Date Title
US11171925B2 (en) Evaluating and modifying countermeasures based on aggregate transaction status
US11271955B2 (en) Platform and method for retroactive reclassification employing a cybersecurity-based global data store
US10554687B1 (en) Incident response management based on environmental characteristics
US10212137B1 (en) Blind hash compression
US20190207966A1 (en) Platform and Method for Enhanced Cyber-Attack Detection and Response Employing a Global Data Store
US9282114B1 (en) Generation of alerts in an event management system based upon risk
US20160164893A1 (en) Event management systems
KR101013264B1 (en) Method and system for distinguishing relevant network security threats using comparison of refined intrusion detection audits and intelligent security analysis
US20090125993A1 (en) Method for protecting against keylogging of user information via an alternative input device
EP4060958B1 (en) Attack behavior detection method and apparatus, and attack detection device
US11677763B2 (en) Consumer threat intelligence service
CN111586005B (en) Scanner scanning behavior identification method and device
CN108063833B (en) HTTP DNS analysis message processing method and device
CN111404939B (en) Mail threat detection method, device, equipment and storage medium
US20220321587A1 (en) Automatic anomaly detection based on api sessions
US20230224314A1 (en) Session based anomaly dectection
KR101891300B1 (en) Method and apparatus for providing secure internet connection
US11258806B1 (en) System and method for automatically associating cybersecurity intelligence to cyberthreat actors
He et al. Mobile app identification for encrypted network flows by traffic correlation
US9774625B2 (en) Phishing detection by login page census
CN113709136B (en) Access request verification method and device
US20230043793A1 (en) Anomaly detection using user behavioral biometrics profiling method and apparatus
CN111368039B (en) Data management system
US20230224318A1 (en) Application security testing based on live traffic
US11126713B2 (en) Detecting directory reconnaissance in a directory service

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

AS Assignment

Owner name: TRACEABLE INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GUNTUR, RAVINDRA;KRISHNA, RANAJI;SIGNING DATES FROM 20230714 TO 20230718;REEL/FRAME:064757/0018

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION