Methods and systems for API deception environment and API traffic control and security
Abstract
The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for Application Programming Interface (API) based flow control and API based security at the application layer of the networking protocol stack. The invention additionally provides an API deception environment to protect a server backend from threats, attacks and unauthorized access.
28 Claims
1. A proxy configured for routing client messages to one or more target Application Programming Interfaces (APIs), the proxy comprising:
  a hardware processor configured to identify or record at least one of:
    parameter data corresponding to one or more client side parameters, wherein:
      the parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
      each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy; and
    parameter data corresponding to one or more server side parameters, wherein:
      the parameter data corresponding to the one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
      each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients; and
  a proxy router configured to:
    receive a client message; and
    discard the received client message without onward transmission to an API server identified in the received client message, in response to a determination that:
      (i) initiating a process for forwarding the received client message to the API server would result in parameter data corresponding to a client side parameter or a server side parameter exceeding a first predefined threshold; or
      (ii) receiving a response to the received client message from the API server would result in parameter data corresponding to a server side parameter exceeding a second predefined threshold.
  Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A system for securing one or more API servers, the system comprising:
  a plurality of networked proxy nodes, each proxy node from the plurality of networked proxy nodes is configured for routing client messages to one or more target Application Programming Interfaces (APIs), and each proxy node from the plurality of networked proxy nodes comprises:
    a hardware processor configured to identify or record at least one of:
      parameter data corresponding to one or more client side parameters, wherein:
        the parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at that proxy node; and
        each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at that proxy node; and
      parameter data corresponding to one or more server side parameters, wherein:
        the parameter data corresponding to the one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at that proxy node; and
        each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients; and
    a proxy router configured to:
      receive a client message; and
      discard the received client message without onward transmission to an API server identified in the received client message, in response to a determination that:
        (i) initiating a process for forwarding the received client message to the API server would result in parameter data corresponding to a client side parameter or a server side parameter exceeding a first predefined threshold; or
        (ii) receiving a response to the received client message from the API server would result in parameter data corresponding to a server side parameter exceeding a second predefined threshold;
  wherein each proxy node from the plurality of proxy nodes is configured to synchronize one or more data states of that proxy node with corresponding one or more data states of at least one other proxy node from the plurality of proxy nodes, and wherein the data states under synchronization comprise client side parameter data states or server side parameter data states.
  Dependent claims: 10.
11. A system configured for routing client messages to one or more target Application Programming Interfaces (APIs) implemented on a secured server backend, the system comprising:
  a proxy comprising:
    a hardware processor configured to detect indicators of compromise based on API layer data extracted from client messages received at the proxy, wherein the indicators of compromise are detected responsive to any one of:
      determining that a target API name extracted from a client message matches a decoy API name that is determinable by scanning of API data on the proxy; or
      determining that the target API name extracted from the client message does not match any API to which the proxy is configured to route client messages;
    a proxy router configured to respond to detection of an indicator of compromise by routing the client message corresponding to the detected indicator of compromise to a decoy API having an API name that matches the target API name extracted from the client message corresponding to the detected indicator of compromise, wherein said decoy API is communicably isolated from the secured server backend; and
  one or more processor implemented decoy APIs configured to respond to client messages received from the proxy router by:
    initiating network communication with a client that generated the client message; and
    recording information corresponding to said client and client messages generated by said client.
  Dependent claims: 12.
13. A method for routing client messages to one or more target Application Programming Interfaces (APIs), the method comprising:
  receiving a client message at a proxy interposed as a network communication gateway to a server backend configured to implement one or more APIs;
  discarding the received client message without onward transmission to an API server identified in the received client message, in response to a determination that:
    (i) initiating a process for forwarding the received client message to the server backend would result in parameter data corresponding to a client side parameter or a server side parameter exceeding a first predefined threshold; or
    (ii) receiving a response to the received client message from the server backend would result in parameter data corresponding to a server side parameter exceeding a second predefined threshold;
  wherein:
    parameter data corresponding to one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy;
    each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
    parameter data corresponding to one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
    each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from the one or more clients.
  Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21.
22. A method for routing client messages to one or more target Application Programming Interfaces (APIs) implemented on a secured server backend, the method comprising:
  detecting an indicator of compromise based on API layer data extracted from client messages received at a proxy, wherein the detected indicator of compromise is detected responsive to any one of:
    determining that a target API name extracted from a client message matches a decoy API name that is determinable by scanning of API data on the proxy; or
    determining that the target API name extracted from the client message does not match any API to which the proxy is configured to route client messages;
  responding to detection of the indicator of compromise by routing the client message corresponding to the detected indicator of compromise to a decoy API having an API name that matches the target API name extracted from the client message corresponding to the detected indicator of compromise, wherein said decoy API is communicably isolated from the secured server backend;
  initiating, at the decoy API, network communication with a client that has generated the client message; and
  recording information corresponding to said client and client messages generated by said client.
  Dependent claims: 23, 24, 25, 26.
27. A computer program product for routing client messages to one or more Application Programming Interfaces (APIs), comprising a non-transitory computer readable medium having a computer readable program code embodied therein, the computer readable program code comprising instructions for:
  receiving a client message at a proxy interposed as a network communication gateway to a server backend configured to implement the one or more APIs;
  discarding the received client message without onward transmission to an API server identified in the received client message, in response to a determination that:
    (i) initiating a process for forwarding the received client message to the server backend would result in parameter data corresponding to a client side parameter or a server side parameter exceeding a first predefined threshold; or
    (ii) receiving a response to the received client message from the server backend would result in parameter data corresponding to the server side parameter exceeding a second predefined threshold;
  wherein:
    parameter data corresponding to one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy;
    each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
    parameter data corresponding to one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
    each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from the one or more clients.
28. A computer program product for routing client messages to one or more target Application Programming Interfaces (APIs) implemented on a secured server backend, comprising a non-transitory computer readable medium having a computer readable program code embodied therein, the computer readable program code comprising instructions for:
  detecting an indicator of compromise based on API layer data extracted from client messages received at a proxy, wherein the detected indicator of compromise is detected responsive to any one of:
    determining that a target API name extracted from a client message matches a decoy API name that is determinable by scanning of API data on the proxy; or
    determining that the target API name extracted from the client message does not match any API to which the proxy is configured to route client messages;
  responding to detection of the indicator of compromise by routing the client message corresponding to the detected indicator of compromise to a decoy API having an API name that matches the target API name extracted from the client message corresponding to the detected indicator of compromise, wherein said decoy API is communicably isolated from the secured server backend;
  initiating, at the decoy API, network communication with a client that has generated the client message; and
  recording information corresponding to said client and client messages generated by said client.
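The routing decision the independent claims describe (threshold-based discard in claims 1, 13 and 27; diversion of indicator-of-compromise traffic to an isolated decoy in claims 11, 22 and 28), as an added Python illustration that is not part of the patent or of any product implementing it. The API names, thresholds, per-client request count, per-API response count and the assumption that each forwarded request yields one response are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ApiProxy:
    """Toy API-layer proxy following the claims: discard a message when a client
    side or server side parameter would cross its threshold, divert probes to a decoy."""
    routable_apis: set            # API names the proxy is configured to route (assumed)
    decoy_apis: set               # decoy API names, isolated from the backend (assumed)
    client_threshold: int         # first predefined threshold: requests per client
    server_threshold: int         # second predefined threshold: responses per API
    client_requests: dict = field(default_factory=lambda: defaultdict(int))
    server_responses: dict = field(default_factory=lambda: defaultdict(int))
    decoy_log: list = field(default_factory=list)

    def route(self, client_id: str, api_name: str) -> str:
        """Return 'decoy', 'discard' or 'forward' for one client message."""
        # Indicator of compromise: the target API name is a decoy name, or is not
        # an API the proxy can route at all. Divert to the decoy and record the client.
        if api_name in self.decoy_apis or api_name not in self.routable_apis:
            self.decoy_log.append((client_id, api_name))
            return "decoy"
        # Client side parameter: forwarding would push this client's request count
        # past the first threshold, so drop without onward transmission.
        if self.client_requests[client_id] + 1 > self.client_threshold:
            return "discard"
        # Server side parameter: the response this API would return would push its
        # response count past the second threshold (assumed one response per
        # forwarded request), so drop before the backend is touched.
        if self.server_responses[api_name] + 1 > self.server_threshold:
            return "discard"
        self.client_requests[client_id] += 1
        self.server_responses[api_name] += 1
        return "forward"


def simulate() -> tuple:
    """Run constructed traffic through the proxy; return (decisions, proxy)."""
    proxy = ApiProxy(routable_apis={"/v1/orders"}, decoy_apis={"/v1/admin-backup"},
                     client_threshold=3, server_threshold=5)
    traffic = [("client-a", "/v1/orders")] * 4 + [      # 4th exceeds client limit
        ("client-b", "/v1/admin-backup"),               # decoy name -> decoy
        ("client-b", "/v1/does-not-exist"),             # unknown name -> decoy
    ] + [("client-b", "/v1/orders")] * 3                # 6th response exceeds server limit
    decisions = [proxy.route(client, api) for client, api in traffic]
    return decisions, proxy


if __name__ == "__main__":
    print(simulate()[0])
```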