Methods and systems for deep learning based API traffic security

US 10,681,012 B2
Filed: 10/25/2017
Issued: 06/09/2020
Est. Priority Date: 10/26/2016
Status: Active Grant

First Claim

Patent Images

1. A network gateway configured for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, the network gateway comprising:

a processor configured to;

receive a call to a first API from the plurality of APIs and implemented on a first server from the plurality of servers, the first API being associated with an API class;

receive a call to a second API from the plurality of APIs and implemented on a second server from the plurality of servers and different from the first server, the second API being associated with the API class;

generate an anomaly detection model for the API class based on parameter data extracted from the call to the first API and parameter data extracted from the call to the second API, wherein;

selection of parameter data for generating the anomaly detection model for the API class is based on API configuration information corresponding to the first API and API configuration information corresponding to the second API; and

the generated anomaly detection model includes one or more traffic parameter baseline values defined based on traffic parameter data corresponding to network traffic that is compliant with a prescribed network security policy;

analyze traffic parameter data corresponding to a data packet directed to the first API for identifying deviations between the analyzed traffic parameter data and the one or more traffic parameter baseline values included within the generated anomaly detection model; and

route the data packet to the first server based on an output of said analysis of traffic parameter data and based on identifying the data packet as being associated with the first API.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for deep learning based API traffic analysis and network security. The invention provides an automated approach to threat and/or attack detection by machine learning based accumulation and/or interpretation of various API/application traffic patterns, identifying and mapping characteristics of normal traffic for each API, and thereafter identifying any deviations from the normal traffic parameter baselines, which deviations may be classified as anomalies or attacks.

81 Citations

View as Search Results

24 Claims

1. A network gateway configured for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, the network gateway comprising:
- a processor configured to;
  
  receive a call to a first API from the plurality of APIs and implemented on a first server from the plurality of servers, the first API being associated with an API class;
  
  receive a call to a second API from the plurality of APIs and implemented on a second server from the plurality of servers and different from the first server, the second API being associated with the API class;
  
  generate an anomaly detection model for the API class based on parameter data extracted from the call to the first API and parameter data extracted from the call to the second API, wherein;
  
  selection of parameter data for generating the anomaly detection model for the API class is based on API configuration information corresponding to the first API and API configuration information corresponding to the second API; and
  
  the generated anomaly detection model includes one or more traffic parameter baseline values defined based on traffic parameter data corresponding to network traffic that is compliant with a prescribed network security policy;
  
  analyze traffic parameter data corresponding to a data packet directed to the first API for identifying deviations between the analyzed traffic parameter data and the one or more traffic parameter baseline values included within the generated anomaly detection model; and
  
  route the data packet to the first server based on an output of said analysis of traffic parameter data and based on identifying the data packet as being associated with the first API.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The network gateway as claimed in claim 1, wherein responsive to identifying a deviation between the analyzed traffic parameter data and the one or more traffic parameter baseline values, discarding a client message directed to the first API without forwarding said client message to said first API.
  - 3. The network gateway as claimed in claim 1, wherein the anomaly detection model is a first anomaly detection model, the processor is further configured to:
    - receive a call to a third API from the plurality of APIs;
      
      generate a second anomaly detection model based on parameter data extracted from the call to the third API, wherein;
      
      selection of parameter data for generating the second anomaly detection model is based on API configuration information corresponding to the third API, said API configuration information corresponding to the third API is different from the API configuration information corresponding to the first API;
      
      the generated second anomaly detection model includes one or more traffic parameter baseline values defined based on traffic parameter data corresponding to network traffic that is compliant with a prescribed network security policy; and
      
      at least one traffic parameter baseline value based on traffic parameter data included within the second anomaly detection model is different from at least one corresponding traffic parameter baseline value based on traffic parameter data included within the first anomaly detection model.
  - 4. The network gateway as claimed in claim 3, wherein the processor is configured to respond to an event trigger for identifying an event state associated with an API selected from among the first API and the third API, and wherein identifying said event state comprises:
    - identifying one or more deviations between data extracted from traffic data corresponding to the selected API and one or more traffic parameter baseline values defined by an anomaly detection model corresponding to the selected API; and
      
      selecting an event state from a plurality of event states, based on the identified one or more deviations.
  - 5. The network gateway as claimed in claim 1, wherein the anomaly detection model is one of a single dimensional model or a multi-dimensional model.
  - 6. The network gateway as claimed in claim 1, wherein the anomaly detection model is generated based on at least one of one or more histogram techniques, one or more mixture models, or one or more Gaussian models.
  - 7. The network gateway as claimed in claim 4, wherein the second anomaly detection model is one of a single dimensional model or a multi-dimensional model.
  - 8. The network gateway as claimed in claim 4, wherein the second anomaly detection model is generated based on at least one of one or more histogram techniques, one or more mixture models, or one or more Gaussian models.
  - 9. The network gateway as claimed in claim 1, wherein:
    - analysis of traffic parameter data corresponding to network traffic directed to the first API or the second API comprises identifying deviations between the analyzed traffic parameter data and the one or more traffic parameter baseline values included within the anomaly detection model.

10. A network gateway configured for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, the network gateway comprising:
- a processor configured to;
  
  receive an event trigger for generation of a first anomaly detection model corresponding to an API class associated with a first API from the plurality of APIs and a second API from the plurality of APIs, the first API implemented on a first server from the plurality of servers and the second API implemented on a second server from the plurality of servers;
  
  identify one or more API parameters corresponding to the first API and one or more API parameters corresponding to the second API;
  
  parse an anomaly detection model database to identify a second anomaly detection model having API parameters that match the one or more API parameters corresponding to the first API and the one or more API parameters corresponding to the second API;
  
  responsive to identifying the second anomaly detection model, generate the first anomaly detection model based on the identified second anomaly detection model; and
  
  route a data packet to the first server based on an analysis of the data packet with respect to the first anomaly detection model and based on identifying the data packet as being associated with the first API.
- View Dependent Claims (11)
- - 11. The network gateway as claimed in claim 10, wherein the API parameters include at least one of API type, API function, API class or API category.

12. A method for securing one or more Application Programming Interfaces (APIs) implemented on a plurality of servers, the method comprising:
- receiving a call to a first API from the plurality of APIs and implemented on a first server from the plurality of servers, the first API being associated with an API class;
  
  receiving a call to a second API from the plurality of APIs and implemented on a second server from the plurality of servers and different from the first server, the second API being associated with the API class;
  
  generating an anomaly detection model for the API class based on parameter data extracted from the call to the first API and parameter data extracted from the call to the second API, wherein;
  
  selection of parameter data for generating the anomaly detection model for the API class is based on API configuration information corresponding to the first API and API configuration information corresponding to the second API; and
  
  the generated anomaly detection model includes one or more traffic parameter baseline values defined based on traffic parameter data corresponding to network traffic that is compliant with a prescribed network security policy;
  
  analyzing traffic parameter data corresponding to a data packet directed to the first API for identifying deviations between the analyzed traffic parameter data and the one or more traffic parameter baseline values included within the generated first anomaly detection model; and
  
  route the data packet to the first server based on an output of said analysis of traffic parameter data and based on identifying the data packet as being associated with the first API.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method as claimed in claim 12, wherein responsive to identifying a deviation between the analyzed traffic parameter data and the one or more traffic parameter baseline values, discarding a client message directed to the first API without forwarding said client message to said first API.
  - 14. The method as claimed in claim 12, wherein the anomaly detection model is a first anomaly detection model, the method further comprising the steps of:
    - receiving a call to a third API from the plurality of APIs; and
      
      generating a second anomaly detection model based on parameter data extracted from the call to the third API, wherein;
      
      selection of parameter data for generating the second anomaly detection model is based on API configuration information corresponding to the third API, said API configuration information corresponding to the third API is different from the API configuration information corresponding to the first API;
      
      the generated second anomaly detection model includes one or more traffic parameter baseline values defined based on traffic parameter data corresponding to network traffic that is compliant with a prescribed network security policy; and
      
      at least one traffic parameter baseline value based on traffic parameter data included within the second anomaly detection model is different from at least one corresponding traffic parameter baseline value based on traffic parameter data included within the first anomaly detection model.
  - 15. The method as claimed in claim 14, further comprising responding to an event trigger for identifying an event state associated with an API selected from among the first API and the third API, and wherein identifying said event state comprises:
    - identifying one or more deviations between data extracted from traffic data corresponding to the selected API and one or more traffic parameter baseline values defined by an anomaly detection model corresponding to the selected API; and
      
      selecting an event state from a plurality of event states, based on the identified one or more deviations.
  - 16. The method as claimed in claim 12, wherein the anomaly detection model is one of a single dimensional model or a multi-dimensional model.
  - 17. The method as claimed in claim 12, wherein the anomaly detection model is generated based on at least one of one or more histogram techniques, one or more mixture models, or one or more Gaussian models.
  - 18. The method as claimed in claim 14, wherein the second anomaly detection model is one of a single dimensional model or a multi-dimensional model.
  - 19. The method as claimed in claim 14, wherein the second anomaly detection model is generated based on at least one of one or more histogram techniques, one or more mixture models, or one or more Gaussian models.
  - 20. The method as claimed in claim 12, wherein:
    - analysis of traffic parameter data corresponding to network traffic directed to the first API or the second API comprises identifying deviations between the analyzed traffic parameter data and the one or more traffic parameter baseline values included within the anomaly detection model.

21. A method for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, the method comprising:
- receiving an event trigger for generation of a first anomaly detection model corresponding to an API class associated with a first API from the plurality of APIs and a second API from the plurality of APIs, the first API implemented on a first server from the plurality of servers and the second API implemented on a second server from the plurality of servers;
  
  identifying one or more API parameters corresponding to the first API and one or more API parameters corresponding to the second API;
  
  parsing an anomaly detection model database to identify a second anomaly detection model having API parameters that match the one or more API parameters corresponding to the first API and the one or more API parameters corresponding to the second API;
  
  responsive to identifying the second anomaly detection model, generating the first anomaly detection model based on the identified second anomaly detection model; and
  
  routing a data packet to the first server based on an analysis of the data packet with respect to the first anomaly detection model and based on identifying the data packet as being associated with the first API.
- View Dependent Claims (22)
- - 22. The method as claimed in claim 21, wherein the API parameters include at least one of API type, API function, API class or API category.

23. A computer program product for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, comprising a non-transitory computer readable medium having a computer readable program code embodiment therein, the computer readable program code comprising instructions for:
- receiving a call to a first API from the plurality of APIs and implemented on a first server from the plurality of servers, the first API being associated with an API class;
  
  receiving a call to a second API from the plurality of APIs and implemented on a second server from the plurality of servers and different from the first server, the second API being associated with the API class;
  
  generating an anomaly detection model for the API class based on parameter data extracted from the call to the first API and parameter data extracted from the call to the second API, wherein;
  
  selection of parameter data for generating the anomaly detection model for the API class is based on API configuration information corresponding to the first API and API configuration information corresponding to the second API; and
  
  the generated anomaly detection model includes one or more traffic parameter baseline values defined based on traffic parameter data corresponding to network traffic that is compliant with a prescribed network security policy;
  
  analyzing traffic parameter data corresponding to a data packet directed to the first API for identifying deviations between the analyzed traffic parameter data and the one or more traffic parameter baseline values include within the generated first anomaly detection model; and
  
  routing the data packet to the first server based on an output of said analysis of traffic parameter data and based on identifying the data packet as being associated with the first API.

24. A computer program product for securing a plurality of Application Programming Interfaces (APIs) implemented on a plurality of servers, comprising a non-transitory computer readable medium having a computer readable program code embodiment therein, the computer readable program code comprising instructions for:
- receiving an event trigger for generation of a first anomaly detection model corresponding to an API class associated with a first API from the plurality of APIs and a second API from the plurality of APIs, the first API implemented on a first server from the plurality of servers and the second API implemented on a second server from the plurality of servers;
  
  identifying one or more API parameters corresponding to the first API and one or more API parameters corresponding to the second API;
  
  parsing an anomaly detection model database to identify a second anomaly detection model having API parameters that match the one or more API parameters corresponding to the first API and the one or more API parameters corresponding to the second API;
  
  responsive to identifying the second anomaly detection model generating the first anomaly detection model based on the identified second anomaly detection model; and
  
  routing a data packet to the first server based on an analysis of the data packet with respect to the first anomaly detection model and based on identifying the data packet as being associated with the first API.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ping Identity Corporation
Original Assignee
Ping Identity Corporation
Inventors
Subbarayan, Udayakumar, Harguindeguy, Bernard, Gopalakrishnan, Anoop Krishnan, Angadi, Nagabhushana, Kumar, Ashwani, Sahu, Santosh, Poonthiruthi, Abdu Raheem, Sahu, Avinash Kumar, Kundottil, Yasar
Primary Examiner(s)
Simitoski, Michael
Assistant Examiner(s)
Elarabi, Tarek

Application Number

US15/793,671
Publication Number

US 20180115578A1
Time in Patent Office

958 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/6281   at program execution time, ...

G06N 20/00   Machine learning

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/04   for providing a confidentia...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/1491   using deception as counterm...

Methods and systems for deep learning based API traffic security

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for deep learning based API traffic security

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links