Methods and apparatus for analyzing sequences of application programming interface traffic to identify potential malicious actions

US 10,699,010 B2
Filed: 10/12/2018
Issued: 06/30/2020
Est. Priority Date: 10/13/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:

receive, from a client device, a set of application programming interface (API) calls having a sequence;

provide an indication associated with at least one API call from the set of API calls as an input to a machine learning model to identify a predicted sequence of API calls associated with the at least one API call;

calculate a plurality of consistency scores for each pair of API calls from the set of API calls by comparing (1) a proximity within the sequence of a first API call in that pair of API calls to a second API call in that pair of API calls and (2) a proximity within the predicted sequence of the first API call in that pair of API calls to the second API call in that pair of API calls, each consistency score from the plurality of consistency scores for each pair of API calls from the set of API calls being associated with a predetermined context;

generate a combined consistency score for each pair of API calls from the set of API calls by combining each consistency score from the plurality of consistency scores for that pair of API calls with the remaining consistency scores from the plurality of consistency scores for that pair of API calls;

identify, in response to determining that the combined consistency score for at least one pair of API calls from the set of API calls is below a predetermined threshold, that the client device is operating in a malicious manner; and

restrict API calls received from the client device based on identifying that the client device is operating in the malicious manner.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, a method includes receiving, at a processor of a server, a first application programming interface (API) call from a client device and providing an indication associated with the first API call as an input to a machine learning model such that the machine learning model identifies a set of parameters associated with a set of likely subsequent API calls. The method can further include receiving a second API call from the client device, identifying the second API call as an anomalous API call based on the second API call not meeting the set of parameters associated with the set of likely subsequent API calls, and sending a signal to perform a remedial action based on the identifying.

Citations

20 Claims

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor to:
- receive, from a client device, a set of application programming interface (API) calls having a sequence;
  
  provide an indication associated with at least one API call from the set of API calls as an input to a machine learning model to identify a predicted sequence of API calls associated with the at least one API call;
  
  calculate a plurality of consistency scores for each pair of API calls from the set of API calls by comparing (1) a proximity within the sequence of a first API call in that pair of API calls to a second API call in that pair of API calls and (2) a proximity within the predicted sequence of the first API call in that pair of API calls to the second API call in that pair of API calls, each consistency score from the plurality of consistency scores for each pair of API calls from the set of API calls being associated with a predetermined context;
  
  generate a combined consistency score for each pair of API calls from the set of API calls by combining each consistency score from the plurality of consistency scores for that pair of API calls with the remaining consistency scores from the plurality of consistency scores for that pair of API calls;
  
  identify, in response to determining that the combined consistency score for at least one pair of API calls from the set of API calls is below a predetermined threshold, that the client device is operating in a malicious manner; and
  
  restrict API calls received from the client device based on identifying that the client device is operating in the malicious manner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The non-transitory processor-readable medium of claim 1, wherein the indication associated with the at least one API call is an n-gram representation of the at least one API call.
  - 3. The non-transitory processor-readable medium of claim 1, wherein the proximity within the sequence is based on a number of API calls in the sequence between the first API call in that pair of API calls and the second API call in that pair of API calls.
  - 4. The non-transitory processor-readable medium of claim 1, wherein the proximity within the sequence is an indication of a time in the sequence between receiving the first API call in that pair of API calls and receiving the second API call in that pair of API calls.
  - 5. The non-transitory processor-readable medium of claim 1, wherein the machine learning model includes at least one of a neural network, a decision tree model, a random forest model, a Bayesian network or a clustering model.
  - 6. The non-transitory processor-readable medium of claim 1, wherein the code to cause the processor to identify includes code to cause the processor to identify that the client device is operating in the malicious manner based on at least one of a location of the client device, a type of the client device, an application sending the set of API calls, a number of API calls received from the client device within a predefined time period, a type of payload of at least one API call from the set of API calls, a time at least one API call from the set of API calls is received from the client device, or a day at least one API call from the set of API calls is received from the client device.
  - 7. The non-transitory processor-readable medium of claim 1, wherein the set of API calls is a first set of API calls and the code to cause the processor to receive includes code to cause the processor to receive the first set of API calls at a time, the code further comprising code to cause the processor to:
    - train, using a second set of API calls received prior to the time, the machine learning model to identify the predicted sequence of API calls.
  - 8. The non-transitory processor-readable medium of claim 1, wherein each API call from the set of API calls is associated with a single application.
  - 9. The non-transitory processor-readable medium of claim 1, wherein the set of API calls is associated with a plurality of applications.

10. A method, comprising:
- receiving, at a processor of a server, a first set of application programming interface (API) calls from a client device;
  
  providing an indication associated with the set of API calls as an input to a machine learning model such that the machine learning model identifies a sequence of likely subsequent API calls;
  
  calculating a plurality of consistency scores for each pair of API calls from the set of API calls by comparing (1) a proximity within the sequence of a first API call in that pair of API calls to a second API call in that pair of API calls and (2) a proximity within the sequence of likely subsequent API calls of the first API call in that pair of API calls to the second API call in that pair of API calls, each consistency score from the plurality of consistency scores for each pair of API calls from the set of API calls being associated with a predetermined context;
  
  generating a combined consistency score for each pair of API calls from the set of API calls by combining each consistency score from the plurality of consistency scores for that pair of API calls with the remaining consistency scores from the plurality of consistency scores for that pair of API calls;
  
  identifying, in response to determining that the combined consistency score for at least one pair of API calls from the set of API calls is below a predetermined threshold, the second set of API calls as an anomalous set of API calls; and
  
  sending a signal to perform a remedial action based on the identifying.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein the proximity within the sequence of likely subsequent API calls includes a predicted number of API calls between the first API call in that pair of API calls and the second API call in that pair of API calls.
  - 12. The method of claim 10, wherein the proximity within the sequence of likely subsequent API calls includes a predicted time period between the first API call in that pair of API calls and the second API call in that pair of API calls.
  - 13. The method of claim 10, wherein the set of API calls is a first set of API calls, the method further comprising:
    - receiving a second set of API calls from the client device, each API call from the first set of API calls is addressed to a destination server, each API call from the second set of API calls is addressed to the destination server.
  - 14. The method of claim 10, wherein the set of API calls is a first set of API calls, the method further comprising:
    - receiving a second set of API calls from the client device, each API call from the first set of API calls is addressed to a first destination server, each API call from the second set of API calls is addressed to a second destination server different from the first destination server.
  - 15. The method of claim 10, wherein the indication associated with the set of API calls is an n-gram representation of the set of API calls.

16. An apparatus, comprising:
- a memory; and
  
  a processor operatively coupled to the memory, the processor configured to receive a first set of application programming interface (API) calls before a first time, the processor configured to train, using the first set of API calls, a machine learning model to predict sequences of API calls,the processor configured to receive a second set of API calls at a second time after the first time, the second set of API calls having a sequence, the processor configured to provide an indication associated with at least one API call from the second set of API calls as an input to the machine learning model to identify a predicted sequence of API calls associated with the at least one API call,the processor configured to calculate a plurality of consistency scores for each pair of API calls from the second set of API calls by comparing (1) a proximity within the sequence of a first API call in that pair of API calls to a second API call in that pair of API calls and (2) a proximity within the predicted sequence of the first API call in that pair of API calls to the second API call in that pair of API calls, each consistency score from the plurality of consistency scores for each pair of API calls from the second set of API calls being associated with a predetermined context,the processor configured to generate a combined consistency score for each pair of API calls from the second set of API calls by combining each consistency score from the plurality of consistency scores for that pair of API calls with the remaining consistency scores from the plurality of consistency scores for that pair of API calls,the processor configured to identify, in response to determining that the combined consistency score for at least one pair of API calls from the second set of API calls is below a predetermined threshold, that the second set of API calls is indicative of maliciousness,the processor configured to send a signal to implement a remedial action based on the second set of API calls being indicative of maliciousness.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein each API call from the first set of API calls is associated with at least one of a user, an organization, an application or a client device, and each remaining API call from the first set of API calls is associated with the at least one of the user, the organization, the application or the client device.
  - 18. The apparatus of claim 16, wherein the processor is configured to train the machine learning model using unsupervised learning.
  - 19. The apparatus of claim 16, wherein the processor is configured to train the machine learning model using supervised learning.
  - 20. The apparatus of claim 16, wherein the processor is included within a proxy server in a network between a source of each API call from the second set of API calls and an intended destination of each API call from the second set of API calls.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ping Identity Corporation
Original Assignee
Ping Identity Corporation
Inventors
Subbarayan, Udayakumar, Harguindeguy, Bernard, Rosenblum, Isidore, Kundottil, Yasar, Gunuganti, Aditya, Sharma, Amit Kumar, Sahu, Avinash Kumar
Primary Examiner(s)
Ho, Andy

Application Number

US16/158,836
Publication Number

US 20190114417A1
Time in Patent Office

627 Days
Field of Search

719328
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 40/216   using statistical methods

G06F 9/54   Interprogram communication

G06N 20/00   Machine learning

H04L 41/145   involving simulating, desig...

H04L 41/147   for predicting network beha...

H04L 41/16   using machine learning or a...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Methods and apparatus for analyzing sequences of application programming interface traffic to identify potential malicious actions

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for analyzing sequences of application programming interface traffic to identify potential malicious actions

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links