Methods and systems for API proxy based adaptive security

US 10,666,621 B2
Filed: 07/31/2018
Issued: 05/26/2020
Est. Priority Date: 05/27/2015
Status: Active Grant

First Claim

Patent Images

1. A proxy node configured for routing client messages to one or more target Application Programming Interfaces (APIs), the proxy node comprising:

a memory configured to store a set of API characteristics data definitions, each API characteristics data definition from the set of API characteristics data definitions (1) being a data file that is uniquely associated with a n API from a set of APIs and (2) including a name of that API; and

a processor operatively coupled to the memory, the processor configured to;

extract, from a message received from a client device, a name of a target API;

compare the name of the target API against the name of the API included in each API characteristics data definition from the set of API characteristics data definitions;

responsive to failing to identify, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API, discard the message without onward transmission of the message to an API server identified in the message; and

responsive to identifying, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API;

compare at least one of a communication protocol, a protocol method, or a content type specified within the message against one or more permitted communication protocols, permitted protocol methods, or permitted content types specified within the API characteristics data definition that has been identified; and

responsive to determining that the at least one of the communication protocol, the protocol method, or the content type specified within the message does not match at least one of the one or more permitted communication protocols, permitted protocol methods, or permitted content types associated with the API characteristics data definition that has been identified, discard the message without onward transmission of the message to the API server.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention concerns API proxy based adaptive security. The invention implements adaptive security for API servers, while avoiding data bottlenecks and maintaining client experience. The invention provides methods and configurations for API security that may be employed at proxies for implementing routing decisions involving client messages received at said proxies. The invention also involves generating or collecting at proxies, log information that captures data corresponding to received client messages and responses from API servers—which log information correlates communications between clients, proxies and backend API servers, and includes data relevant for purposes generating API metrics and identifying anomalies and/or indicators of compromise. The invention yet further provides security server clusters configured for generating API metrics and/or identify anomalies or indicators of compromise—which may be used by proxies to terminate existing connections and block subsequent requests or messages from clients associated with the identified anomalies or indicators of compromise.

Citations

20 Claims

1. A proxy node configured for routing client messages to one or more target Application Programming Interfaces (APIs), the proxy node comprising:
- a memory configured to store a set of API characteristics data definitions, each API characteristics data definition from the set of API characteristics data definitions (1) being a data file that is uniquely associated with a n API from a set of APIs and (2) including a name of that API; and
  
  a processor operatively coupled to the memory, the processor configured to;
  
  extract, from a message received from a client device, a name of a target API;
  
  compare the name of the target API against the name of the API included in each API characteristics data definition from the set of API characteristics data definitions;
  
  responsive to failing to identify, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API, discard the message without onward transmission of the message to an API server identified in the message; and
  
  responsive to identifying, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API;
  
  compare at least one of a communication protocol, a protocol method, or a content type specified within the message against one or more permitted communication protocols, permitted protocol methods, or permitted content types specified within the API characteristics data definition that has been identified; and
  
  responsive to determining that the at least one of the communication protocol, the protocol method, or the content type specified within the message does not match at least one of the one or more permitted communication protocols, permitted protocol methods, or permitted content types associated with the API characteristics data definition that has been identified, discard the message without onward transmission of the message to the API server.
- View Dependent Claims (2)
- - 2. The proxy node as claimed in claim 1, wherein the processor is further configured to, responsive to the discarding the message without onward transmission of the message to the API server, return an error message to the client device.

3. A system for securing one or more Application Programming Interface (API) servers, the system comprising:
- a proxy node configured for routing messages from a set of client devices to a set of target APIs implemented on the one or more API servers, the proxy node configured to be included in a networked plurality of proxy nodes, the proxy node configured to;
  
  extract information identifying a target API from the set of target APIs from a message received from a client device from the set of client devices;
  
  transmit the message to an API server implementing the target API;
  
  store information associated with the message as proxy access log information;
  
  transmit data including (1) the proxy access log information and (2) a set of API characteristics data definitions to a security server such that the security server uses the data to identify an indicator of compromise associated with the client device, each API characteristics data definition from the set of API characteristics data definitions being a data file that is uniquely associated with a target API from the set of target APIs; and
  
  responsive to receiving the indicator of compromise, discard a subsequent message (1) received from the client device or (2) including a connection identifier associated with the indicator of compromise, without onward transmission of the subsequent message to an API server identified in the subsequent message.
- View Dependent Claims (4, 5, 6)
- - 4. The system as claimed in claim 3, further comprising the security server, the security server configured for one or more of generating API metrics, generating blocked connection metrics, generating back end error code metrics, or identifying anomalies.
  - 5. The system as claimed in claim 3, wherein the data further includes:
    - one or more of configuration data, session data, or security data.
  - 6. The system as claimed in claim 5, wherein:
    - the proxy access log information includes one or more of (i) time stamp information associated with one or more messages received at or sent from the proxy node, (ii) a connection identifier of a client device communicating with the proxy node, a name of a target API from the set of target APIs and identified in a message received from a client device of the one or more client devices, (iv) a name of an API server of the one or more API servers, or (v) an Internet Protocol (IP) address or a port of a client device of the one or more client devices;
      
      each API characteristics data definition from the set of API characteristics data definitions includes one or more of (i) a client-side name associated with the API uniquely associated with that API characteristics data definition, (ii) a server-side name associated with the API uniquely associated with that API characteristics data definition, (iii) a name of an API server of the one or more API servers that implements the API uniquely associated with that API characteristics data definition, (iv) an IP address of an API server of the one or more API servers that implements the API uniquely associated with that API characteristics data definition, (v) a Transmission Control Protocol (TCP) port associated with the API uniquely associated with that API characteristics data definition, (vi) a login Uniform Resource Locator (URL) or a secure URL associated with the API uniquely associated with that API characteristics data definition, (vii) cookie information, (viii) communication protocols supported by the API uniquely associated with that API characteristics data definition, (ix) protocol methods supported by the API uniquely associated with that API characteristics data definition, (x) content type supported by the API uniquely associated with that API characteristics data definition, or (xi) a data rate limit prescribed in connection with the API uniquely associated with that API characteristics data definition;
      
      the configuration data includes one or more of (i) data port information or routing information associated with an API server from the one or more API servers, (ii) load balancing or routing policies, (iii) load balancing or routing techniques, (iv) management ports, (v) a maximum number of processes or threads for each management port, (vi) policies for generating logs, or (vii) API security settings associated with an API server from the one or more API servers;
      
      the session data includes one or more of (i) cookies, (ii) tokens, or (iii) an identifier of a client device from the set of client devices;
      
      orthe security data includes one or more of (i) cipher suites, (ii) digital certificates, (iii) session keys and (iv) asymmetric and symmetric ciphers received at the proxy node.

7. A system for securing one or more Application Programming Interface (API) servers, the system comprising:
- a networked plurality of proxy nodes configured for routing messages from a set of client devices to at least one target API implemented on the one or more API servers, each proxy node from the networked plurality of proxy nodes configured to;
  
  receive a message from a client device from the set of client devices;
  
  store information associated with the message as proxy access log information;
  
  transmit information including (1) the proxy access log information and (2) a set of API characteristics data definitions to a security server from a plurality of security servers such that the security server uses the information to identify an indicator of compromise associated with the client device, each API characteristics data definition from the set of API characteristics data definitions being a data file that is uniquely associated with an API from the at least one target API; and
  
  responsive to receiving the indicator of compromise, discard a subsequent message (1) received from the client device or (2) including a connection identifier associated with the indicator of compromise, without onward transmission of the subsequent message to an API server identified in the subsequent message; and
  
  the plurality of security servers including;
  
  a first security server configured to receive a first set of information including proxy access log information from at least a first proxy node from the plurality of proxy nodes, and to analyse the first set of information for identifying a first set of indicators of compromise; and
  
  a second security server configured to receive a second set of information including proxy access log information from at least a second proxy node from the plurality of proxy nodes, and to analyse the second set of information for identifying a second set of indicators of compromise.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system as claimed in claim 7, wherein the plurality of security servers comprises a scalable plurality of stateless security servers.
  - 9. The system as claimed in claim 7, wherein the first set of indicators of compromise and the second set of indicators of compromise are persisted to a database.
  - 10. The system as claimed in claim 7, wherein each of the plurality of proxy nodes is further configured to receive the first set of indicators of compromise and the second set of indicators of compromise.
  - 11. The system as claimed in claim 7, wherein:
    - the first set of information received from the at least the first proxy node includes one or more of the set of API characteristics data definitions, configuration data, session data, or security data, associated with the at least the first proxy node; and
      
      the second set of information received from the at least the second proxy node includes one or more of the set of API characteristics data definitions, configuration data, session data, or security data associated with the at least the second proxy node.
  - 12. The system as claimed in claim 7, wherein the first security server and the second security server are additionally configured for one or more of generating API metrics, generating blocked connection metrics, generating back end error code metrics, or identifying anomalies.

13. A method for routing client messages to a target Application Programming Interface (API), the method comprising:
- receiving a message from a client device at a proxy node;
  
  extracting, at the proxy node and from the message, a name of the target API;
  
  comparing, at the proxy node, the name of the target API against a name of an API included in each API characteristics data definition from a set of API characteristics data definitions stored at the proxy node, each API characteristics data definition from the set of API characteristics data definitions (1) being a data file that is uniquely associated with an API from a set of APIs and (2) including the name of that API;
  
  responsive to failing to identify, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API, discarding the message without onward transmission of the message to an API server identified in the message; and
  
  responsive to identifying, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API;
  
  comparing at least one of a communication protocol, a protocol method, or a content type specified within the message against one or more permitted communication protocols, permitted protocol methods, or permitted content types specified within the API characteristics data definition that has been identified; and
  
  responsive to determining that the at least one of the communication protocol, the protocol method, or the content type specified within the message does not match at least one of the one or more permitted communication protocols, permitted protocol methods, or permitted content types associated with the API characteristics data definition that has been identified, discarding the message without onward transmission of the message to the API server.
- View Dependent Claims (14)
- - 14. The method as claimed in claim 13, wherein responsive to the discarding the message without onward transmission of the message to the API server, returning an error message to the client device.

15. A method for securing one or more Application Programming Interface (API) servers, the method comprising:
- extracting, at a proxy node, information identifying a target API from message received from a client device;
  
  transmitting, from the proxy node, the message to an API server implementing the target API;
  
  storing, at the proxy node, information associated with the message as proxy access log information;
  
  transmitting, from the proxy node, data including (1) the proxy access log information and (2) a set of API characteristics data definitions, to a security server such that the security server, based on the data, identifies an indicator of compromise associated with the client device, each API characteristics data definition from the set of API characteristics data definitions being a data file that is uniquely associated with an API from a set of APIs implemented on the one or more API servers; and
  
  responsive to receiving the indicator of compromise at the proxy node, discarding a subsequent message (1) received from the client device or (2) including a connection identifier associated with the indicator of compromise, without onward transmission of the subsequent message to an API server identified in the subsequent message.
- View Dependent Claims (16, 17, 18)
- - 16. The method as claimed in claim 15, further comprising one or more of generating API metrics, generating blocked connection metrics, generating back end error code metrics, or identifying anomalies, at the security server.
  - 17. The method as claimed in claim 15, wherein the data further includes:
    - one or more of configuration data, session data, or security data.
  - 18. The method as claimed in claim 17, wherein:
    - the proxy access log information includes one or more of (i) time stamp information associated with one or more messages received at or sent from the proxy node, (ii) a connection identifier of a client device communicating with the proxy node, (iii) a name of a target API from the set of target APIs and identified in a message received from a client device of the one or more client devices, (iv) a name of an API server of the one or more API servers, or (v) an Internet Protocol (IP) address or a port of a client device of the one or more client devices;
      
      each API characteristics data definition from the set of API characteristics data definitions includes one or more of (i) a client-side name associated with the API uniquely associated with that API characteristics data definition, (ii) a server-side name associated with the API uniquely associated with that API characteristics data definition, (iii) a name of an API server of the one or more API servers that implements the API uniquely associated with that API characteristics data definition, (iv) an IP address of an API server of the one or more API servers that implements the API uniquely associated with that API characteristics data definition, (v) a Transmission Control Protocol (TCP) port associated with the API uniquely associated with that API characteristics data definition, (vi) a login Uniform Resource Locator (URL) or a secure URL associated with the API uniquely associated with that API characteristics data definition, (vii) cookie information, (viii) communication protocols supported by the API uniquely associated with that API characteristics data definition, (ix) protocol methods supported by the API uniquely associated with that API characteristics data definition, (x) content type supported by the API uniquely associated with that API characteristics data definition, or (xi) a data rate limit prescribed in connection with the API uniquely associated with that API characteristics data definition;
      
      the configuration data includes one or more of (i) data port information or routing information associated with an API server from the one or more API servers, (ii) load balancing or routing policies, (iii) load balancing or routing techniques, (iv) management ports, (v) a maximum number of processes or threads for each management port, (vi) policies for generating logs, or (vii) API security settings associated with an API server from the one or more API servers;
      
      the session data includes one or more of (i) cookies, (ii) tokens, or (iii) an identifier of a client device from the set of client devices;
      
      orthe security data includes one or more of (i) cipher suites, (ii) digital certificates, (iii) session keys or (iv) asymmetric and symmetric ciphers received at the proxy node.

19. A computer program product for routing client messages to a target Application Programming Interface (API), the computer program product comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code comprising instructions for:
- extracting, from a message received from a client device at a proxy node, a name of the target API;
  
  comparing the name of the target API against a name of an API included in each API characteristics data definition from a set of API characteristics data definitions stored at the proxy node, each API characteristics data definition from the set of API characteristics data definitions (1) being a data file that is uniquely associated with an API from a set of APIs and (2) including the name of that API;
  
  responsive to failing to identify, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API, discarding the message without onward transmission of the message to an API server identified in the message; and
  
  responsive to identifying, based on the comparing, an API characteristics data definition from the set of API characteristics data definitions including a name of an API that matches the name of the target API;
  
  comparing at least one of a communication protocol, a protocol method, or a content type specified within the message against one or more permitted communication protocols, permitted protocol methods, or permitted content types specified within the API characteristics data definition that has been identified; and
  
  responsive to determining that the at least one of the communication protocol, the protocol method, or the content type specified within the message does not match at least one of the one or more permitted communication protocols, permitted protocol methods, or permitted content types associated with the API characteristics data definition that has been identified, discarding the message without onward transmission of the message to the API server.

20. A computer program product for securing one or more Application Processing Interface (API) servers, the computer program product comprising a non-transitory computer usable medium having a computer readable program code embodied therein, the computer readable program code comprising instructions for:
- extracting, at a proxy node, information identifying a target API from message received from a client device;
  
  transmitting, from the proxy node, the message to an API server implementing the target API;
  
  storing, at the proxy node, information associated with the message as proxy access log information;
  
  transmitting, from the proxy node, data including (1) the proxy access log information and (2) a set of API characteristics data definitions to a security server such that the security server, based on the data, identifies an indicator of compromise associated with the client device, each API characteristics data definition from the set of API characteristics data definitions being a data file that is uniquely associated with an API from a set of APIs implemented on the one or more API servers; and
  
  responsive to receiving the indicator of compromise at the proxy node, discarding a subsequent message (1) received from the client device or (2) including a connection identifier associated with the indicator of compromise, without onward transmission of the subsequent message to an API server identified in the subsequent message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ping Identity Corporation
Original Assignee
Ping Identity Corporation
Inventors
Subbarayan, Udayakumar, Harguindeguy, Bernard, Gopalakrishnan, Anoop Krishnan, Poonthiruthi, Abdu Raheem
Primary Examiner(s)
Cribbs, Malcolm

Application Number

US16/050,915
Publication Number

US 20180337891A1
Time in Patent Office

665 Days
Field of Search
US Class Current
CPC Class Codes

G06F 9/546   Message passing systems or ...

H04L 41/0813   characterised by the condit...

H04L 41/0893   Assignment of logical group...

H04L 41/12   Discovery or management of ...

H04L 41/28   Restricting access to netwo...

H04L 41/50   Network service management,...

H04L 45/46   Cluster building

H04L 45/56   Routing software

H04L 45/58   Association of routers

H04L 45/74   Address processing for routing

H04L 47/125   by balancing the load, e.g....

H04L 47/20   Traffic policing

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/1014   based on the content of a r...

H04L 67/1068   Discovery involving direct ...

H04L 67/1095 : Replication or mirroring of...

H04L 67/12 : specially adapted for propr...

H04L 67/145 : avoiding end of session, e....

H04L 67/56 : Provisioning of proxy servi...

H04L 67/60 : Scheduling or organising th...

H04L 69/16 : Implementation or adaptatio...

H04L 69/329 : in the application layer [O...

H04L 69/40 : for recovering from a failu...

View All

Methods and systems for API proxy based adaptive security

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for API proxy based adaptive security

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links