Methods and systems for API proxy based adaptive security
First Claim
1. A proxy node configured for routing client messages to one or more target Application Programming Interfaces (APIs), the proxy node comprising:
a memory configured to store a set of API characteristics data definitions, each API characteristics data definition from the set of API characteristics data definitions (1) being a data file that is uniquely associated with an API from a set of APIs and (2) including a name of that API; and
a processor operatively coupled to the memory, the processor configured to:
extract, from a message received from a client device, a name of a target API;
compare the name of the target API against the name of the API included in each API characteristics data definition from the set of API characteristics data definitions;
responsive to failing to identify, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API, discard the message without onward transmission of the message to an API server identified in the message; and
responsive to identifying, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API:
compare at least one of a communication protocol, a protocol method, or a content type specified within the message against one or more permitted communication protocols, permitted protocol methods, or permitted content types specified within the API characteristics data definition that has been identified; and
responsive to determining that the at least one of the communication protocol, the protocol method, or the content type specified within the message does not match at least one of the one or more permitted communication protocols, permitted protocol methods, or permitted content types associated with the API characteristics data definition that has been identified, discard the message without onward transmission of the message to the API server.
Abstract
The invention concerns API proxy based adaptive security. It implements adaptive security for API servers while avoiding data bottlenecks and maintaining the client experience. The invention provides methods and configurations for API security that may be employed at proxies for implementing routing decisions involving client messages received at those proxies. It also involves generating or collecting, at proxies, log information that captures data corresponding to received client messages and responses from API servers; this log information correlates communications between clients, proxies and backend API servers, and includes data relevant for the purposes of generating API metrics and identifying anomalies and/or indicators of compromise. The invention further provides security server clusters configured for generating API metrics and/or identifying anomalies or indicators of compromise, which may be used by proxies to terminate existing connections and block subsequent requests or messages from clients associated with the identified anomalies or indicators of compromise.
20 Claims
1. (Claim 1 is set out in full under First Claim above.)
(Dependent claims: 2)
3. A system for securing one or more Application Programming Interface (API) servers, the system comprising:
a proxy node configured for routing messages from a set of client devices to a set of target APIs implemented on the one or more API servers, the proxy node configured to be included in a networked plurality of proxy nodes, the proxy node configured to:
extract information identifying a target API from the set of target APIs from a message received from a client device from the set of client devices;
transmit the message to an API server implementing the target API;
store information associated with the message as proxy access log information;
transmit data including (1) the proxy access log information and (2) a set of API characteristics data definitions to a security server such that the security server uses the data to identify an indicator of compromise associated with the client device, each API characteristics data definition from the set of API characteristics data definitions being a data file that is uniquely associated with a target API from the set of target APIs; and
responsive to receiving the indicator of compromise, discard a subsequent message (1) received from the client device or (2) including a connection identifier associated with the indicator of compromise, without onward transmission of the subsequent message to an API server identified in the subsequent message.
(Dependent claims: 4, 5, 6)
7. A system for securing one or more Application Programming Interface (API) servers, the system comprising:
a networked plurality of proxy nodes configured for routing messages from a set of client devices to at least one target API implemented on the one or more API servers, each proxy node from the networked plurality of proxy nodes configured to:
receive a message from a client device from the set of client devices;
store information associated with the message as proxy access log information;
transmit information including (1) the proxy access log information and (2) a set of API characteristics data definitions to a security server from a plurality of security servers such that the security server uses the information to identify an indicator of compromise associated with the client device, each API characteristics data definition from the set of API characteristics data definitions being a data file that is uniquely associated with an API from the at least one target API; and
responsive to receiving the indicator of compromise, discard a subsequent message (1) received from the client device or (2) including a connection identifier associated with the indicator of compromise, without onward transmission of the subsequent message to an API server identified in the subsequent message; and
the plurality of security servers including:
a first security server configured to receive a first set of information including proxy access log information from at least a first proxy node from the plurality of proxy nodes, and to analyse the first set of information for identifying a first set of indicators of compromise; and
a second security server configured to receive a second set of information including proxy access log information from at least a second proxy node from the plurality of proxy nodes, and to analyse the second set of information for identifying a second set of indicators of compromise.
(Dependent claims: 8, 9, 10, 11, 12)
13. A method for routing client messages to a target Application Programming Interface (API), the method comprising:
receiving a message from a client device at a proxy node;
extracting, at the proxy node and from the message, a name of the target API;
comparing, at the proxy node, the name of the target API against a name of an API included in each API characteristics data definition from a set of API characteristics data definitions stored at the proxy node, each API characteristics data definition from the set of API characteristics data definitions (1) being a data file that is uniquely associated with an API from a set of APIs and (2) including the name of that API;
responsive to failing to identify, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API, discarding the message without onward transmission of the message to an API server identified in the message; and
responsive to identifying, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API:
comparing at least one of a communication protocol, a protocol method, or a content type specified within the message against one or more permitted communication protocols, permitted protocol methods, or permitted content types specified within the API characteristics data definition that has been identified; and
responsive to determining that the at least one of the communication protocol, the protocol method, or the content type specified within the message does not match at least one of the one or more permitted communication protocols, permitted protocol methods, or permitted content types associated with the API characteristics data definition that has been identified, discarding the message without onward transmission of the message to the API server.
(Dependent claims: 14)
15. A method for securing one or more Application Programming Interface (API) servers, the method comprising:
extracting, at a proxy node, information identifying a target API from a message received from a client device;
transmitting, from the proxy node, the message to an API server implementing the target API;
storing, at the proxy node, information associated with the message as proxy access log information;
transmitting, from the proxy node, data including (1) the proxy access log information and (2) a set of API characteristics data definitions, to a security server such that the security server, based on the data, identifies an indicator of compromise associated with the client device, each API characteristics data definition from the set of API characteristics data definitions being a data file that is uniquely associated with an API from a set of APIs implemented on the one or more API servers; and
responsive to receiving the indicator of compromise at the proxy node, discarding a subsequent message (1) received from the client device or (2) including a connection identifier associated with the indicator of compromise, without onward transmission of the subsequent message to an API server identified in the subsequent message.
(Dependent claims: 16, 17, 18)
19. A computer program product for routing client messages to a target Application Programming Interface (API), the computer program product comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code comprising instructions for:
extracting, from a message received from a client device at a proxy node, a name of the target API;
comparing the name of the target API against a name of an API included in each API characteristics data definition from a set of API characteristics data definitions stored at the proxy node, each API characteristics data definition from the set of API characteristics data definitions (1) being a data file that is uniquely associated with an API from a set of APIs and (2) including the name of that API;
responsive to failing to identify, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API, discarding the message without onward transmission of the message to an API server identified in the message; and
responsive to identifying, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API:
comparing at least one of a communication protocol, a protocol method, or a content type specified within the message against one or more permitted communication protocols, permitted protocol methods, or permitted content types specified within the API characteristics data definition that has been identified; and
responsive to determining that the at least one of the communication protocol, the protocol method, or the content type specified within the message does not match at least one of the one or more permitted communication protocols, permitted protocol methods, or permitted content types associated with the API characteristics data definition that has been identified, discarding the message without onward transmission of the message to the API server.
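The filtering logic shared by claims 1, 13 and 19 (look up the target API name in the stored definitions, then check protocol, method and content type against what that definition permits, discarding the message if either step fails), worked as an added Python example. This is example code written for this page, not the patent's or any product's implementation; the API names, the dict-shaped message, the rule that the first URL path segment names the API, and the `route`, `extract_api_name` and `media_type` helpers are all assumptions made for illustration.

```python
"""Positive-security API filter in the style of the proxy node claims.
Added example, not the patent's code.  API names, messages and helper
names are constructed assumptions."""
import posixpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class ApiDefinition:
    """One API characteristics data definition: the name plus what it permits."""
    name: str
    protocols: FrozenSet[str]
    methods: FrozenSet[str]
    content_types: FrozenSet[str]


# Constructed definitions; "accounts" and "catalog" are hypothetical API names.
API_DEFINITIONS: Dict[str, ApiDefinition] = {
    "accounts": ApiDefinition("accounts", frozenset({"https"}),
                              frozenset({"GET", "POST"}),
                              frozenset({"application/json"})),
    "catalog": ApiDefinition("catalog", frozenset({"http", "https"}),
                             frozenset({"GET"}),
                             frozenset({"application/json", "text/xml"})),
}

# Methods that normally carry a body and therefore a Content-Type header.
BODY_METHODS = frozenset({"POST", "PUT", "PATCH"})


@dataclass(frozen=True)
class Decision:
    forward: bool
    reason: str


def extract_api_name(url: str) -> Optional[str]:
    """Assumption: the first path segment of the request URL names the target API.
    The path is percent-decoded once and dot-segment-normalised first, so
    "/accounts/../admin" yields "admin" (no definition, dropped) instead of
    matching "accounts" while the backend would see "/admin"."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    segments = [s for s in path.split("/") if s]
    return segments[0] if segments else None


def media_type(content_type: str) -> str:
    """Strip parameters: 'application/json; charset=utf-8' -> 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def route(message: dict,
          definitions: Dict[str, ApiDefinition] = API_DEFINITIONS) -> Decision:
    """Forward or discard one client message.  `message` is a constructed dict
    with keys protocol, method, url and optional content_type."""
    name = extract_api_name(message["url"])
    definition = definitions.get(name) if name else None
    if definition is None:
        return Decision(False, f"no API characteristics definition for {name!r}")

    protocol = message["protocol"].lower()
    if protocol not in definition.protocols:
        return Decision(False, f"protocol {protocol!r} not permitted for {name}")

    # Method tokens are case-sensitive (RFC 9110), so "get" does not match "GET".
    method = message["method"]
    if method not in definition.methods:
        return Decision(False, f"method {method!r} not permitted for {name}")

    content_type = message.get("content_type")
    if content_type is None:
        if method in BODY_METHODS:  # body expected but nothing to check against
            return Decision(False, f"{method} without Content-Type for {name}")
    elif media_type(content_type) not in definition.content_types:
        return Decision(False, f"content type {content_type!r} not permitted for {name}")

    return Decision(True, f"forward to API {name}")


# Constructed sample messages, one per branch of the decision.
SAMPLE_MESSAGES: List[dict] = [
    {"protocol": "https", "method": "POST", "url": "/accounts/123",
     "content_type": "application/json; charset=utf-8"},           # forwarded
    {"protocol": "https", "method": "GET", "url": "/payments/1"},    # unknown API
    {"protocol": "http", "method": "GET", "url": "/accounts/1"},     # bad protocol
    {"protocol": "https", "method": "DELETE", "url": "/catalog/9"},  # bad method
    {"protocol": "https", "method": "POST", "url": "/accounts/1",
     "content_type": "text/plain"},                                 # bad content type
    {"protocol": "https", "method": "GET", "url": "/accounts/../admin"},  # traversal
]


def run_samples(messages: List[dict] = SAMPLE_MESSAGES) -> List[Decision]:
    return [route(m) for m in messages]


if __name__ == "__main__":
    for m, d in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{m['method']} {m['url']}: {'FORWARD' if d.forward else 'DROP'} ({d.reason})")
```

Two points the claim language leaves open are decided explicitly here: the path is percent-decoded once and dot-segment-normalised before the API name is read, so `/accounts/../admin` cannot pass the name check under `accounts` while the backend resolves it to `/admin`; and a body-bearing method with no Content-Type is discarded rather than waved through, since the content-type comparison cannot be applied to it. Decoding only once is deliberate, as a second decode pass would reopen the `%252e` style encodings the first pass is meant to close.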
20. A computer program product for securing one or more Application Programming Interface (API) servers, the computer program product comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code comprising instructions for:
extracting, at a proxy node, information identifying a target API from a message received from a client device;
transmitting, from the proxy node, the message to an API server implementing the target API;
storing, at the proxy node, information associated with the message as proxy access log information;
transmitting, from the proxy node, data including (1) the proxy access log information and (2) a set of API characteristics data definitions to a security server such that the security server, based on the data, identifies an indicator of compromise associated with the client device, each API characteristics data definition from the set of API characteristics data definitions being a data file that is uniquely associated with an API from a set of APIs implemented on the one or more API servers; and
responsive to receiving the indicator of compromise at the proxy node, discarding a subsequent message (1) received from the client device or (2) including a connection identifier associated with the indicator of compromise, without onward transmission of the subsequent message to an API server identified in the subsequent message.
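The log-to-indicator loop described in claims 3, 7, 15 and 20 (the proxy forwards and logs, ships its access log records together with the API characteristics definitions to a security server, and then discards later messages that match the client or connection identifier the server flags), worked as an added Python example. It is not the patent's or any product's code; the key=value log format, field names, IP addresses, connection identifiers, the two detection rules and their thresholds are constructed for this example. `analyse_per_proxy` mirrors the claim 7 arrangement in which separate security servers each analyse the logs of different proxy nodes.

```python
"""Proxy access log -> security server -> proxy blocklist, in the style of
the system/method claims.  Added example, not the patent's code: log format,
field names, addresses, connection ids, rules and thresholds are constructed."""
import shlex
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Names of the API characteristics definitions the proxy holds and also ships
# to the security server (constructed).
DEFINED_APIS = frozenset({"accounts", "catalog", "orders"})

# Constructed proxy access log.  action=drop records messages the proxy refused
# because no definition named the API; those carry no backend status.
PROXY_LOG = """\
ts=1700000000 proxy=p1 client=10.0.0.9 conn=c-1 api=catalog method=GET action=forward status=200
ts=1700000001 proxy=p1 client=10.0.0.9 conn=c-1 api=orders method=POST action=forward status=201
ts=1700000002 proxy=p1 client=10.0.0.5 conn=c-101 api=admin method=GET action=drop status=-
ts=1700000003 proxy=p1 client=10.0.0.5 conn=c-101 api=debug method=GET action=drop status=-
ts=1700000004 proxy=p2 client=10.0.0.5 conn=c-102 api=internal method=GET action=drop status=-
ts=1700000005 proxy=p2 client=10.0.0.5 conn=c-102 api=backup method=GET action=drop status=-
ts=1700000006 proxy=p1 client=10.0.0.7 conn=c-300 api=accounts method=POST action=forward status=401
ts=1700000007 proxy=p1 client=10.0.0.7 conn=c-300 api=accounts method=POST action=forward status=401
ts=1700000008 proxy=p1 client=10.0.0.7 conn=c-300 api=accounts method=POST action=forward status=401
ts=1700000009 proxy=p1 client=10.0.0.7 conn=c-300 api=accounts method=POST action=forward status=401
ts=1700000010 proxy=p1 client=10.0.0.7 conn=c-300 api=accounts method=POST action=forward status=401
ts=1700000011 proxy=p1 client=10.0.0.7 conn=c-301 api=catalog method=GET action=forward status=200
"""


@dataclass(frozen=True)
class Indicator:
    key: str     # "client" or "conn": which identifier the proxy matches on
    value: str
    reason: str


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse key=value access log lines into dicts (shlex handles quoting)."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line))
            for line in text.splitlines() if line.strip()]


def analyse(records: List[Dict[str, str]], defined_apis=DEFINED_APIS,
            probe_threshold: int = 3, auth_fail_threshold: int = 5) -> List[Indicator]:
    """Security-server side: derive indicators from log records plus definitions.
    Rule 1 (client-keyed): a client repeatedly naming undefined APIs is probing.
    Rule 2 (connection-keyed): a burst of 401s on one connection looks like a
    credential attack; keying on the connection avoids blocking a whole NAT address."""
    unknown_by_client: Counter = Counter()
    auth_fail_by_conn: Counter = Counter()
    for r in records:
        if r["api"] not in defined_apis:
            unknown_by_client[r["client"]] += 1
        if r.get("status") == "401":
            auth_fail_by_conn[r["conn"]] += 1
    indicators = []
    for client, n in sorted(unknown_by_client.items()):
        if n >= probe_threshold:
            indicators.append(Indicator("client", client, f"{n} requests to undefined APIs"))
    for conn, n in sorted(auth_fail_by_conn.items()):
        if n >= auth_fail_threshold:
            indicators.append(Indicator("conn", conn, f"{n} auth failures on one connection"))
    return indicators


def analyse_per_proxy(records: List[Dict[str, str]], **kw) -> Dict[str, List[Indicator]]:
    """Claim-7 arrangement: each security server sees only its own proxy's log."""
    by_proxy: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for r in records:
        by_proxy[r["proxy"]].append(r)
    return {p: analyse(rs, **kw) for p, rs in sorted(by_proxy.items())}


class ProxyBlocklist:
    """Proxy side: drop subsequent messages matching a flagged client or connection."""

    def __init__(self) -> None:
        self.blocked: Dict[str, Set[str]] = {"client": set(), "conn": set()}

    def apply(self, indicators: List[Indicator]) -> None:
        for ind in indicators:
            self.blocked[ind.key].add(ind.value)

    def admit(self, client: str, conn: str) -> bool:
        return client not in self.blocked["client"] and conn not in self.blocked["conn"]


def demo() -> Dict[str, bool]:
    """Run the loop over the constructed log and decide four later messages."""
    blocklist = ProxyBlocklist()
    blocklist.apply(analyse(parse_log(PROXY_LOG)))
    later = [("10.0.0.5", "c-103"), ("10.0.0.7", "c-300"),
             ("10.0.0.7", "c-301"), ("10.0.0.9", "c-1")]
    return {f"{c}/{k}": blocklist.admit(c, k) for c, k in later}


if __name__ == "__main__":
    for ind in analyse(parse_log(PROXY_LOG)):
        print(f"IoC {ind.key}={ind.value}: {ind.reason}")
    for msg, ok in demo().items():
        print(f"{msg}: {'admit' if ok else 'drop'}")
```

With these constructed records the combined analysis flags client 10.0.0.5 (four requests to APIs with no definition, spread over two proxies) and connection c-300 (five 401s). Splitting the same records per proxy, as the claim 7 arrangement does, leaves 10.0.0.5 at two hits on each server and below the threshold on both, so a deployment that partitions logs by proxy needs either lower per-server thresholds or a shared aggregation step for indicators keyed on the client rather than the connection. Because each indicator carries which identifier to match on, the proxy blocks c-300 without also blocking 10.0.0.7's unrelated connection c-301.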
Specification