Methods and systems for deep learning based API traffic security
Abstract
The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for deep learning based API traffic analysis and network security. The invention provides an automated approach to threat and/or attack detection by machine learning based accumulation and/or interpretation of various API/application traffic patterns, identifying and mapping characteristics of normal traffic for each API, and thereafter identifying any deviations from the normal traffic parameter baselines, which deviations may be classified as anomalies or attacks.
Claims (24)
1. A network gateway configured for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, the network gateway comprising:
a processor configured to:
receive a call to a first API from the plurality of APIs and implemented on a first server from the plurality of servers, the first API being associated with an API class;
receive a call to a second API from the plurality of APIs and implemented on a second server from the plurality of servers and different from the first server, the second API being associated with the API class;
generate an anomaly detection model for the API class based on parameter data extracted from the call to the first API and parameter data extracted from the call to the second API, wherein:
selection of parameter data for generating the anomaly detection model for the API class is based on API configuration information corresponding to the first API and API configuration information corresponding to the second API; and
the generated anomaly detection model includes one or more traffic parameter baseline values defined based on traffic parameter data corresponding to network traffic that is compliant with a prescribed network security policy;
analyze traffic parameter data corresponding to a data packet directed to the first API for identifying deviations between the analyzed traffic parameter data and the one or more traffic parameter baseline values included within the generated anomaly detection model; and
route the data packet to the first server based on an output of said analysis of traffic parameter data and based on identifying the data packet as being associated with the first API.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A network gateway configured for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, the network gateway comprising:
a processor configured to:
receive an event trigger for generation of a first anomaly detection model corresponding to an API class associated with a first API from the plurality of APIs and a second API from the plurality of APIs, the first API implemented on a first server from the plurality of servers and the second API implemented on a second server from the plurality of servers;
identify one or more API parameters corresponding to the first API and one or more API parameters corresponding to the second API;
parse an anomaly detection model database to identify a second anomaly detection model having API parameters that match the one or more API parameters corresponding to the first API and the one or more API parameters corresponding to the second API;
responsive to identifying the second anomaly detection model, generate the first anomaly detection model based on the identified second anomaly detection model; and
route a data packet to the first server based on an analysis of the data packet with respect to the first anomaly detection model and based on identifying the data packet as being associated with the first API.
Dependent claims: 11.

12. A method for securing one or more Application Programming Interfaces (APIs) implemented on a plurality of servers, the method comprising:
receiving a call to a first API from the plurality of APIs and implemented on a first server from the plurality of servers, the first API being associated with an API class;
receiving a call to a second API from the plurality of APIs and implemented on a second server from the plurality of servers and different from the first server, the second API being associated with the API class;
generating an anomaly detection model for the API class based on parameter data extracted from the call to the first API and parameter data extracted from the call to the second API, wherein:
selection of parameter data for generating the anomaly detection model for the API class is based on API configuration information corresponding to the first API and API configuration information corresponding to the second API; and
the generated anomaly detection model includes one or more traffic parameter baseline values defined based on traffic parameter data corresponding to network traffic that is compliant with a prescribed network security policy;
analyzing traffic parameter data corresponding to a data packet directed to the first API for identifying deviations between the analyzed traffic parameter data and the one or more traffic parameter baseline values included within the generated first anomaly detection model; and
routing the data packet to the first server based on an output of said analysis of traffic parameter data and based on identifying the data packet as being associated with the first API.
Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20.

21. A method for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, the method comprising:
receiving an event trigger for generation of a first anomaly detection model corresponding to an API class associated with a first API from the plurality of APIs and a second API from the plurality of APIs, the first API implemented on a first server from the plurality of servers and the second API implemented on a second server from the plurality of servers;
identifying one or more API parameters corresponding to the first API and one or more API parameters corresponding to the second API;
parsing an anomaly detection model database to identify a second anomaly detection model having API parameters that match the one or more API parameters corresponding to the first API and the one or more API parameters corresponding to the second API;
responsive to identifying the second anomaly detection model, generating the first anomaly detection model based on the identified second anomaly detection model; and
routing a data packet to the first server based on an analysis of the data packet with respect to the first anomaly detection model and based on identifying the data packet as being associated with the first API.
Dependent claims: 22.

23. A computer program product for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, comprising a non-transitory computer readable medium having computer readable program code embodied therein, the computer readable program code comprising instructions for:
receiving a call to a first API from the plurality of APIs and implemented on a first server from the plurality of servers, the first API being associated with an API class;
receiving a call to a second API from the plurality of APIs and implemented on a second server from the plurality of servers and different from the first server, the second API being associated with the API class;
generating an anomaly detection model for the API class based on parameter data extracted from the call to the first API and parameter data extracted from the call to the second API, wherein:
selection of parameter data for generating the anomaly detection model for the API class is based on API configuration information corresponding to the first API and API configuration information corresponding to the second API; and
the generated anomaly detection model includes one or more traffic parameter baseline values defined based on traffic parameter data corresponding to network traffic that is compliant with a prescribed network security policy;
analyzing traffic parameter data corresponding to a data packet directed to the first API for identifying deviations between the analyzed traffic parameter data and the one or more traffic parameter baseline values included within the generated first anomaly detection model; and
routing the data packet to the first server based on an output of said analysis of traffic parameter data and based on identifying the data packet as being associated with the first API.

24. A computer program product for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, comprising a non-transitory computer readable medium having computer readable program code embodied therein, the computer readable program code comprising instructions for:
receiving an event trigger for generation of a first anomaly detection model corresponding to an API class associated with a first API from the plurality of APIs and a second API from the plurality of APIs, the first API implemented on a first server from the plurality of servers and the second API implemented on a second server from the plurality of servers;
identifying one or more API parameters corresponding to the first API and one or more API parameters corresponding to the second API;
parsing an anomaly detection model database to identify a second anomaly detection model having API parameters that match the one or more API parameters corresponding to the first API and the one or more API parameters corresponding to the second API;
responsive to identifying the second anomaly detection model, generating the first anomaly detection model based on the identified second anomaly detection model; and
routing a data packet to the first server based on an analysis of the data packet with respect to the first anomaly detection model and based on identifying the data packet as being associated with the first API.

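The independent claims above describe one gateway flow in two variants: claims 1, 12 and 23 build a per-API-class baseline from policy-compliant calls to APIs hosted on different servers, using the APIs' configuration to select which traffic parameters to baseline, then check each packet for deviations before routing it to the API's own server; claims 10, 21 and 24 instead satisfy an event trigger for a new class by looking up a stored model whose API parameters match and deriving the new model from it. The following is an added illustration of both flows, not code from the patent or its assignee. Every API path, server name, API class, parameter name and traffic value is constructed, and the baseline statistic (mean plus three population standard deviations per parameter) is this example's own choice, not one the claims specify:

```python
"""
Added example (not the patent's code): a gateway that baselines traffic
parameters per API class from policy-compliant calls, checks incoming
packets for deviations, and routes or blocks them. A model database lets a
new API class reuse a stored model whose parameter set matches.
All API names, servers, parameter names and traffic values are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed API configuration. Two APIs on different servers share the
# API class "rest-json"; each config lists the traffic parameters it exposes.
API_CONFIG = {
    "/v1/orders":   {"server": "srv-a", "api_class": "rest-json",
                     "params": ["body_bytes", "param_count", "latency_ms"]},
    "/v2/invoices": {"server": "srv-b", "api_class": "rest-json",
                     "params": ["body_bytes", "param_count"]},
}

# Constructed policy-compliant calls used to define the baseline values.
TRAINING_CALLS = [
    {"api": "/v1/orders",   "body_bytes": 200, "param_count": 3},
    {"api": "/v2/invoices", "body_bytes": 220, "param_count": 4},
    {"api": "/v1/orders",   "body_bytes": 240, "param_count": 3},
    {"api": "/v2/invoices", "body_bytes": 210, "param_count": 4},
    {"api": "/v1/orders",   "body_bytes": 230, "param_count": 3},
    {"api": "/v2/invoices", "body_bytes": 250, "param_count": 4},
]

@dataclass
class BaselineModel:
    api_class: str
    params: tuple      # traffic parameters the model covers (sorted)
    baselines: dict    # param -> (mean, population stdev) of compliant traffic

def select_params(api_config, apis):
    """Parameter selection driven by API configuration: only parameters that
    every API in the class exposes are baselined for the class."""
    return tuple(sorted(set.intersection(*(set(api_config[a]["params"]) for a in apis))))

def build_model(api_class, calls, api_config):
    """Generate the class model from compliant calls to the class's APIs."""
    apis = sorted({c["api"] for c in calls if api_config[c["api"]]["api_class"] == api_class})
    params = select_params(api_config, apis)
    baselines = {}
    for p in params:
        vals = [c[p] for c in calls if c["api"] in apis]
        baselines[p] = (mean(vals), pstdev(vals))
    return BaselineModel(api_class, params, baselines)

def deviations(model, packet, k=3.0):
    """Parameters of the packet lying more than k stdevs from the baseline mean."""
    out = {}
    for p, (mu, sd) in model.baselines.items():
        tol = max(k * sd, 1e-9)  # constant-valued parameter: any change deviates
        if abs(packet[p] - mu) > tol:
            out[p] = packet[p]
    return out

class ModelDatabase:
    """Store of generated models, searched by the parameter set they cover."""
    def __init__(self):
        self.models = []
    def store(self, model):
        self.models.append(model)
    def find_matching(self, params):
        wanted = tuple(sorted(params))
        return next((m for m in self.models if m.params == wanted), None)

def get_or_derive_model(db, api_class, params):
    """Event-trigger flow: derive the new class's model from a stored model
    whose API parameters match, instead of re-baselining from scratch."""
    existing = db.find_matching(params)
    if existing is None:
        return None
    derived = BaselineModel(api_class, existing.params, dict(existing.baselines))
    db.store(derived)
    return derived

def route(model, packet, api_config):
    """Forward to the packet's API server when no parameter deviates; else block."""
    dev = deviations(model, packet)
    if dev:
        return ("block", None, dev)
    return ("forward", api_config[packet["api"]]["server"], {})

if __name__ == "__main__":
    model = build_model("rest-json", TRAINING_CALLS, API_CONFIG)
    print(model.params, model.baselines)
    print(route(model, {"api": "/v1/orders", "body_bytes": 230, "param_count": 3}, API_CONFIG))
    print(route(model, {"api": "/v2/invoices", "body_bytes": 5000, "param_count": 9}, API_CONFIG))
```

Two points worth noting for anyone building on this pattern: the baseline is only as trustworthy as the "compliant" traffic it was built from, so the training window must be filtered by the security policy before baselining rather than assumed clean, and a derived model (the claim 10 path) inherits the source class's baselines unchanged, so it should be re-validated against the new class's own traffic before it is allowed to block.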
Specification