Methods and apparatus for analyzing sequences of application programming interface traffic to identify potential malicious actions
First Claim
1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
receive, from a client device, a set of application programming interface (API) calls having a sequence;
provide an indication associated with at least one API call from the set of API calls as an input to a machine learning model to identify a predicted sequence of API calls associated with the at least one API call;
calculate a plurality of consistency scores for each pair of API calls from the set of API calls by comparing (1) a proximity within the sequence of a first API call in that pair of API calls to a second API call in that pair of API calls and (2) a proximity within the predicted sequence of the first API call in that pair of API calls to the second API call in that pair of API calls, each consistency score from the plurality of consistency scores for each pair of API calls from the set of API calls being associated with a predetermined context;
generate a combined consistency score for each pair of API calls from the set of API calls by combining each consistency score from the plurality of consistency scores for that pair of API calls with the remaining consistency scores from the plurality of consistency scores for that pair of API calls;
identify, in response to determining that the combined consistency score for at least one pair of API calls from the set of API calls is below a predetermined threshold, that the client device is operating in a malicious manner; and
restrict API calls received from the client device based on identifying that the client device is operating in the malicious manner.
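The pairwise scoring in this claim can be illustrated with a short sketch. It is an added example, not the patent's implementation or code from the assignee. The scoring formula, the use of proximity window sizes as the "predetermined contexts", the mean as the combining step, the threshold value and all endpoint names are assumptions, and the predicted sequence is hard-coded where the claim uses a machine learning model's output.

```python
from itertools import combinations

CONTEXTS = (2, 4, 8)   # assumed "predetermined contexts": proximity window sizes
THRESHOLD = 0.5        # assumed "predetermined threshold"

def proximity(seq, a, b, cap):
    """Gap between first occurrences of a and b in seq, clipped to cap.
    A call missing from seq counts as maximally distant (cap)."""
    if a not in seq or b not in seq:
        return cap
    return min(abs(seq.index(a) - seq.index(b)), cap)

def consistency(observed, predicted, a, b, cap):
    """1.0 when both sequences place the pair equally far apart; lower as the gaps diverge."""
    return 1 - abs(proximity(observed, a, b, cap) - proximity(predicted, a, b, cap)) / cap

def combined_scores(observed, predicted):
    """Map each pair of distinct observed calls to the mean of its per-context scores."""
    calls = list(dict.fromkeys(observed))  # unique calls, in order of first appearance
    return {
        (a, b): sum(consistency(observed, predicted, a, b, c) for c in CONTEXTS) / len(CONTEXTS)
        for a, b in combinations(calls, 2)
    }

def suspicious_pairs(observed, predicted, threshold=THRESHOLD):
    """Pairs whose combined consistency score is below the threshold."""
    return [p for p, s in combined_scores(observed, predicted).items() if s < threshold]

def screen_client(client_id, observed, predicted, blocked):
    """Add the client to the blocked set when any pair falls below the threshold."""
    if suspicious_pairs(observed, predicted):
        blocked.add(client_id)
    return client_id in blocked

# Constructed sample data: PREDICTED stands in for the model's predicted sequence.
PREDICTED = ["/login", "/catalog", "/cart", "/checkout", "/logout"]
NORMAL = ["/login", "/catalog", "/cart", "/checkout"]
ODD = ["/login", "/checkout", "/admin/export", "/catalog"]

if __name__ == "__main__":
    blocked = set()
    for cid, calls in (("client-a", NORMAL), ("client-b", ODD)):
        print(cid, "restricted:", screen_client(cid, calls, PREDICTED, blocked))
        print("  low-consistency pairs:", suspicious_pairs(calls, PREDICTED))
```

In this sketch a call that the predicted sequence never contains is treated as maximally distant, so pairs involving it score low only when the observed session places them close together.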
Abstract
In some embodiments, a method includes receiving, at a processor of a server, a first application programming interface (API) call from a client device and providing an indication associated with the first API call as an input to a machine learning model such that the machine learning model identifies a set of parameters associated with a set of likely subsequent API calls. The method can further include receiving a second API call from the client device, identifying the second API call as an anomalous API call based on the second API call not meeting the set of parameters associated with the set of likely subsequent API calls, and sending a signal to perform a remedial action based on the identifying.
20 Claims
10. A method, comprising:
receiving, at a processor of a server, a first set of application programming interface (API) calls from a client device;
providing an indication associated with the set of API calls as an input to a machine learning model such that the machine learning model identifies a sequence of likely subsequent API calls;
calculating a plurality of consistency scores for each pair of API calls from the set of API calls by comparing (1) a proximity within the sequence of a first API call in that pair of API calls to a second API call in that pair of API calls and (2) a proximity within the sequence of likely subsequent API calls of the first API call in that pair of API calls to the second API call in that pair of API calls, each consistency score from the plurality of consistency scores for each pair of API calls from the set of API calls being associated with a predetermined context;
generating a combined consistency score for each pair of API calls from the set of API calls by combining each consistency score from the plurality of consistency scores for that pair of API calls with the remaining consistency scores from the plurality of consistency scores for that pair of API calls;
identifying, in response to determining that the combined consistency score for at least one pair of API calls from the set of API calls is below a predetermined threshold, the second set of API calls as an anomalous set of API calls; and
sending a signal to perform a remedial action based on the identifying.
16. An apparatus, comprising:
a memory; and
a processor operatively coupled to the memory,
the processor configured to receive a first set of application programming interface (API) calls before a first time,
the processor configured to train, using the first set of API calls, a machine learning model to predict sequences of API calls,
the processor configured to receive a second set of API calls at a second time after the first time, the second set of API calls having a sequence,
the processor configured to provide an indication associated with at least one API call from the second set of API calls as an input to the machine learning model to identify a predicted sequence of API calls associated with the at least one API call,
the processor configured to calculate a plurality of consistency scores for each pair of API calls from the second set of API calls by comparing (1) a proximity within the sequence of a first API call in that pair of API calls to a second API call in that pair of API calls and (2) a proximity within the predicted sequence of the first API call in that pair of API calls to the second API call in that pair of API calls, each consistency score from the plurality of consistency scores for each pair of API calls from the second set of API calls being associated with a predetermined context,
the processor configured to generate a combined consistency score for each pair of API calls from the second set of API calls by combining each consistency score from the plurality of consistency scores for that pair of API calls with the remaining consistency scores from the plurality of consistency scores for that pair of API calls,
the processor configured to identify, in response to determining that the combined consistency score for at least one pair of API calls from the second set of API calls is below a predetermined threshold, that the second set of API calls is indicative of maliciousness,
the processor configured to send a signal to implement a remedial action based on the second set of API calls being indicative of maliciousness.
Specification